Key Management
Every credential a wallet holds is bound to a cryptographic key. The wallet signs proofs of possession (when receiving) and presentations (when presenting) with a key from its key store. This section covers generating, importing, and managing those keys.
The Key Model
- A wallet can have more then one key when using key stores (see Managing Wallets).
- Each key has a key ID (derived from the key itself) and a key type (
Ed25519,secp256r1,secp256k1, orRSA). - Keys are added by generating a new one or importing existing key material.
Default Key
Many endpoints — receiving, presenting, DID creation — accept an optional keyId. When you omit it, the wallet uses its default key.
The default key is simply the first key across the wallet's key stores (or the staticKey, for a store-less wallet). There is no separate "set default" operation at the moment. To control which key is the default, either:
- add your preferred key first (it becomes the default), or
- pass
keyIdexplicitly on each call, or - use a store-less wallet with a single
staticKey.
Generate vs Import
- Generate — the wallet creates a new key of the type you choose.
- Import — you supply existing key material (a JWK) and the wallet stores it.
Keys are currently local only (JWK/Storend in memory or in the chosen DB if persistence is enabled). Support for external KMS backends (AWS KMS, Azure Key Vault, HashiCorp Vault, OCI Vault) is planned.
Next Steps
- Local Keys — generate, import, list, and delete keys.
- DID Management — create DIDs from your keys.
