Issuer Profiles Configuration
The issuer2-profiles.conf file defines credential profiles that specify how credentials are issued.
File Location
waltid-issuer-api2/config/issuer2-profiles.conf
Configuration Options
defaultIssuerKey
Default signing key used when a profile doesn't specify its own key.
defaultIssuerKey = {
  type = "jwk"
  jwk = "{\"kty\":\"EC\",\"d\":\"...\",\"crv\":\"P-256\",\"x\":\"...\",\"y\":\"...\"}"
}
defaultIssuerDid
Default issuer DID used when a profile doesn't specify its own DID.
defaultIssuerDid = "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
defaultIssuerX5chain
Default X.509 certificate chain for mDoc signing.
defaultIssuerX5chain = [
  "MIIBkTCB+wIJAK..."
]
profiles
Map of credential profiles.
profiles = {
  "profile-id" = {
    name = "Profile Name"
    credentialConfigurationId = "credential_type_id"
    issuerKey = { ... }
    issuerDid = "did:..."
    credentialData = { ... }
    mapping = { ... }
    selectiveDisclosure = { ... }
    idTokenClaimsMapping = { ... }
    mDocNameSpacesDataMappingConfig = { ... }
    x5Chain = [ ... ]
    notifications = { ... }
  }
}
Profile Properties
Required Properties
| Property | Type | Description |
|---|---|---|
| name | String | Human-readable name for the profile |
| credentialConfigurationId | String | Must match a credential type in metadata |
| credentialData | Object | Default credential data template |
Optional Properties
| Property | Type | Description |
|---|---|---|
| issuerKey | Object | Key configuration (uses default if not specified) |
| issuerDid | String | Issuer DID (uses default if not specified) |
| mapping | Object | Data functions for dynamic fields |
| selectiveDisclosure | Object | SD-JWT selective disclosure config |
| idTokenClaimsMapping | Object | Map IdP claims to credential fields |
| mDocNameSpacesDataMappingConfig | Object | Type conversions for mDoc |
| x5Chain | Array | X.509 certificate chain |
| notifications | Object | Webhook notification settings |
Example Configuration
# issuer2-profiles.conf
defaultIssuerKey = {
  type = "jwk"
  jwk = "{\"kty\":\"EC\",\"d\":\"...\",\"crv\":\"P-256\",\"x\":\"...\",\"y\":\"...\"}"
}
defaultIssuerDid = "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
profiles = {
  "identity-credential" = {
    name = "Identity Credential"
    credentialConfigurationId = "identity_credential_dc+sd-jwt"
    credentialData = {
      vct = "https://example.com/credentials/identity"
      given_name = "John"
      family_name = "Doe"
      birthdate = "1990-01-01"
    }
    mapping = {
      iat = "<timestamp-seconds>"
      nbf = "<timestamp-seconds>"
    }
    selectiveDisclosure = {
      fields = {
        given_name = { sd = true }
        family_name = { sd = true }
        birthdate = { sd = true }
      }
    }
  }
  "university-degree" = {
    name = "University Degree"
    credentialConfigurationId = "UniversityDegree_jwt_vc_json"
    credentialData = {
      "@context" = [
        "https://www.w3.org/2018/credentials/v1",
        "https://www.w3.org/2018/credentials/examples/v1"
      ]
      type = ["VerifiableCredential", "UniversityDegree"]
      credentialSubject = {
        degree = {
          type = "BachelorDegree"
          name = "Bachelor of Science"
        }
      }
    }
    mapping = {
      id = "<uuid>"
      "issuer.id" = "<issuerDid>"
      "credentialSubject.id" = "<subjectDid>"
      issuanceDate = "<timestamp>"
      expirationDate = "<timestamp-in:365d>"
    }
    notifications = {
      webhook = {
        url = "https://example.com/webhook/issuance"
      }
    }
  }
}
Key Configuration
Keys can be configured in several ways:
JWK Key
issuerKey = {
  type = "jwk"
  jwk = "{\"kty\":\"EC\",\"d\":\"...\",\"crv\":\"P-256\",\"x\":\"...\",\"y\":\"...\"}"
}
AWS KMS Key
issuerKey = {
  type = "aws"
  id = "arn:aws:kms:region:account:key/key-id"
  region = "us-east-1"
}
Azure Key Vault Key
issuerKey = {
  type = "azure"
  id = "https://vault.azure.net/keys/key-name/version"
}
Selective Disclosure Configuration
For SD-JWT credentials, configure which fields are selectively disclosable:
selectiveDisclosure = {
  fields = {
    given_name = { sd = true }
    family_name = { sd = true }
    address = {
      sd = true
      children = {
        street = { sd = true }
        city = { sd = true }
      }
    }
  }
}
ID Token Claims Mapping
For authorization code flow, map IdP claims to credential fields:
idTokenClaimsMapping = {
  given_name = "$.given_name"
  family_name = "$.family_name"
  email = "$.email"
  "address.street" = "$.address.street_address"
}
mDoc Data Mapping
For mDoc credentials, configure type conversions:
mDocNameSpacesDataMappingConfig = {
  "org.iso.18013.5.1" = {
    birth_date = { type = "full-date" }
    issue_date = { type = "full-date" }
    expiry_date = { type = "full-date" }
    portrait = { type = "bytes" }
  }
}
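A pre-deployment lint for the profile settings described above, as an added example (not walt.id code). It assumes the HOCON file has already been parsed into a Python dict; `lint`, `sd_paths`, `has_path` and `SAMPLE` are hypothetical names, and treating a `selectiveDisclosure` entry that matches no credential field as a likely typo is an assumption about intent, not documented issuer behaviour. It reports missing required properties, a `jwk` key whose private parameter `d` sits in the config file (the `aws` and `azure` key types reference a key by id instead), and selective-disclosure entries that name no known field.

```python
import json
REQUIRED = ("name", "credentialConfigurationId", "credentialData")

def sd_paths(fields, prefix=""):
    """Flatten selectiveDisclosure.fields into dotted paths marked sd = true."""
    out = []
    for name, spec in fields.items():
        if spec.get("sd"):
            out.append(prefix + name)
        out += sd_paths(spec.get("children", {}), prefix + name + ".")
    return out

def has_path(data, dotted):
    for part in dotted.split("."):  # walk the nested credentialData dict
        if not isinstance(data, dict) or part not in data:
            return False
        data = data[part]
    return True

def lint(config):
    """Return (profile id, finding) pairs for a parsed profiles config."""
    findings = []
    for pid, prof in config.get("profiles", {}).items():
        findings += [(pid, f"missing required property {p}") for p in REQUIRED if p not in prof]
        key = prof.get("issuerKey", config.get("defaultIssuerKey"))
        if key is None:
            findings.append((pid, "no issuerKey and no defaultIssuerKey"))
        elif key.get("type") == "jwk" and "d" in json.loads(key.get("jwk", "{}")):
            findings.append((pid, "private JWK parameter d stored inline"))
        # Fields may also be filled at issuance time by the two mapping objects.
        mapped = list(prof.get("mapping", {})) + list(prof.get("idTokenClaimsMapping", {}))
        for path in sd_paths(prof.get("selectiveDisclosure", {}).get("fields", {})):
            filled = any(m == path or m.startswith(path + ".") for m in mapped)
            if not filled and not has_path(prof.get("credentialData", {}), path):
                findings.append((pid, f"selectiveDisclosure names unknown field {path}"))
    return findings

# Constructed sample (assumption: HOCON already parsed into a dict).
SAMPLE = {
    "defaultIssuerKey": {"type": "jwk", "jwk": '{"kty":"EC","d":"...","crv":"P-256","x":"...","y":"..."}'},
    "profiles": {
        "identity-credential": {
            "name": "Identity Credential", "credentialConfigurationId": "identity_credential_dc+sd-jwt",
            "credentialData": {"given_name": "John", "family_name": "Doe"},
            "selectiveDisclosure": {"fields": {"given_name": {"sd": True}, "familly_name": {"sd": True}}},
        },
        "kms-profile": {"name": "KMS Profile", "issuerKey": {"type": "aws", "id": "arn:aws:kms:region:account:key/key-id", "region": "us-east-1"}},
    },
}
print(*lint(SAMPLE), sep="\n")
```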
Related Configuration
- Credential Issuer Metadata – OID4VCI metadata
- Data Functions – Dynamic data population
Last updated on June 15, 2026
