Credential lifecycle

The Enterprise Stack lets you issue credentials across major standards (W3C VC, SD-JWT VC, ISO mdoc) with revocation, suspension, or custom status using globally adopted mechanisms like TokenStatusList. Host status lists on external registries like S3 or control credential lifetime via static validFrom and validUntil fields.

What's included

  • Standardized status credentials
    Define and sign status credentials using standard formats (Bitstring Status List v1.0, TokenStatusList, StatusList2021) to support revocation, suspension, or custom states across credential types (W3C VC, SD-JWT VC, ISO mdoc).

  • Hosted & auto-published status credentials
    Host and auto-publish status credentials to your preferred registry (AWS S3, Azure Blob Storage, GCS) so verifiers and wallets can reliably consume them.
  • Secure KMS-backed signing keys
    Sign status credentials with keys stored in an external KMS (AWS KMS, Azure Key Vault, OCI Vault, …) so private keys never leave your KMS/HSM.
  • One-call status updates for issued credentials
    Suspend, resume, or revoke issued credentials with a single API call—the system flips the relevant bit in the status credential, re-signs it, and republishes it to your configured registry.
  • Configure validFrom / validUntil on issuance
    Set validFrom and validUntil per credential—statically or via data functions—to control when a credential becomes valid and when it expires. This doesn’t require a status credential, as it’s stored directly in the issued/signed credential.

FAQs

  • Do verifiers need online connectivity? — They typically fetch or cache the referenced status list. Offline verification works as long as the verifier has a fresh copy of the list; otherwise, it should treat status as unknown until it can refresh.
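
The bit flip behind a status update and the verifier-side freshness rule from the FAQ, sketched for a Bitstring Status List v1.0 `encodedList`. This is an added example, not Enterprise Stack code: `MAX_AGE_SECONDS` and the `fetched_at` cache field are assumptions, and the status credential's signature is assumed to have been verified before the list is cached.

```python
import base64
import gzip

MAX_AGE_SECONDS = 3600  # assumed verifier freshness policy, not a value from the page


def encode_list(bits: bytes) -> str:
    """Issuer side: gzip the bitstring, base64url without padding, multibase 'u' prefix."""
    packed = base64.urlsafe_b64encode(gzip.compress(bytes(bits)))
    return "u" + packed.rstrip(b"=").decode("ascii")


def decode_list(encoded: str) -> bytes:
    if not encoded.startswith("u"):
        raise ValueError("expected multibase base64url ('u') prefix")
    body = encoded[1:]
    return gzip.decompress(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def set_bit(bits: bytearray, index: int, value: bool) -> None:
    """The bit flip behind a suspend/resume/revoke call; index 0 is the left-most bit."""
    mask = 0x80 >> (index % 8)
    bits[index // 8] = (bits[index // 8] | mask) if value else (bits[index // 8] & ~mask)


def check_status(cached, index: int, purpose: str, now: float) -> str:
    """Return `purpose` if the bit is set, 'active' if clear, 'unknown' if no fresh list."""
    if cached is None or now - cached["fetched_at"] > MAX_AGE_SECONDS:
        return "unknown"  # stale or missing copy: do not guess, refresh first
    bits = decode_list(cached["encodedList"])
    if not 0 <= index < len(bits) * 8:
        raise IndexError("statusListIndex outside the published list")
    return purpose if bits[index // 8] & (0x80 >> (index % 8)) else "active"


def demo() -> list:
    # Constructed sample: a 131,072-bit list, credential at index 42 gets revoked.
    bits = bytearray(16 * 1024)
    before = {"encodedList": encode_list(bits), "fetched_at": 1_000}
    set_bit(bits, 42, True)
    after = {"encodedList": encode_list(bits), "fetched_at": 5_000}
    return [
        check_status(before, 42, "revocation", now=1_060),   # fresh, bit clear
        check_status(after, 42, "revocation", now=5_060),    # fresh, bit set
        check_status(after, 43, "revocation", now=5_060),    # neighbour untouched
        check_status(before, 42, "revocation", now=5_060),   # cached copy too old
    ]
```

A verifier that gets `unknown` should refresh the list before deciding; whether to accept or reject in the meantime is a policy choice for the relying party.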


Last updated on December 15, 2025