Archive Release Notes

This contains an archive of older release notes for versions that are no longer supported.

0.16

You might be wondering why this release is v0.16 when the last Enterprise version was v0.7.0. Since we now release Enterprise and Community together, we’ve aligned their versions—so with the latest Community Stack at v0.15.1, the Enterprise Stack has been bumped to v0.16.0 to match going forward.

0.16.2

Minor fix to an underlying open-source dependency. No changes to the Enterprise Stack.

0.16.1

Features

  • BETA Introduced the X.509 certificate service for IACA/DS issuance with stricter validation and spec-aligned tests, enabling compliant certificate generation workflows.
  • BETA Added S3-compatible credential-status storage with SigV4 signing support, container validators and provisioners, and comprehensive s3mock/localstack test coverage for cloud-native deployments.
  • Enhanced the Enterprise UI with expanded views for accounts, policies, credentials, and KMS key details, streamlining operator workflows and improving visibility into system configuration.

Fixes & Improvements

  • Fixed MongoDB and DocumentDB persistence issues for mdoc credentials and certificate stores, stabilizing integration tests and ensuring reliable data persistence across cloud database providers.
  • Hardened runtime security with improved security context defaults and enhanced CI filtering, while updating Kotlin and Ktor dependencies to align with the latest OSS versions.
  • Updated documentation and Swagger headers to accurately reflect product-type and credential-status guidance, ensuring API documentation remains current with implementation changes.

0.16.0

Features

OpenID4VP 1.0, Verifier2 and mDoc Support

  • Refactored OpenID4VP wallet and verifier logic into shared libraries used by Enterprise Verifier2, providing a unified, mDoc-aware OpenID4VP 1.0 implementation across stacks.
  • Added full mDoc parsing, device authentication and presentation validation based on CBOR/COSE libraries, including selective disclosure handling for mDoc presentations.
  • Extended Verifier2 controllers to expose richer credential/session metadata and aligned Enterprise Verifier2 with the new OpenID4VP verifier package for consistent routing and session management.
  • Migrated Verifier2 DCQL integration tests into the Enterprise repository and expanded DCQL coverage so OpenID4VP/DCQL flows are validated against Enterprise APIs.

Credential Status Service, URLs and mDL/mDoc Status Integration

  • Introduced a dedicated Credential Status microservice to manage status entries and expose them via a dedicated API, including an endpoint that returns the public status URL for a given credential.
  • Added configurable, signed-URL generation for status endpoints with expiry support and cloud-specific URL providers, and updated registry utilities to work with cloud-native clients.
  • Linked stored issuance sessions to credential status indices and refreshed status update APIs so status changes can be automated from issuance flows and traced back to the original session.
  • Extended issuer and verifier support for mDL/mDoc credentials using a unified status property backed by TokenStatusList/Credential Status List, including multiple status values per credential.
  • Introduced a Credential Status List view in the Enterprise UI and added documentation describing status features and capabilities for operators.

Enterprise Gateway, DID Registries and Certificate Management (VICAL)

  • Shipped the walt.id Enterprise Gateway with documentation and deployment manifests to streamline connectivity with DID registries and other trust infrastructure in clustered deployments.
  • Finalized documentation for the API Gateway and public DID Web registry so operators can configure public DID hosting consistently between OSS and Enterprise environments.
  • Delivered the VICAL Management Service and Registry together with a Certificate Store, providing Enterprise-grade certificate distribution and management aligned with the OSS implementation.
  • Enabled external publishing of core cryptographic libraries (including VICAL/COSE) so the same building blocks can be reused across Enterprise and external integrations.

SD-JWT VC Issuance and Verification

  • Implemented SD-JWT VC schema validation in the Enterprise Issuer, ensuring issued SD-JWT VCs conform to expected structures before they are returned to clients.
  • Fixed missing _sd_alg parameters in SD-JWT payloads and updated x5c handling to support certificate chains (with dedicated X509 parsing utilities), keeping Enterprise aligned with upstream changes.
  • Reworked the SD-JWT presentation pipeline for Verifier1 into a single-pass parser with robust error handling and support for multiple matching credentials per presentation.
  • Updated issuer responses to include cNonce plus expiry and to transcode uploaded PEM certificate chains into base64 DER for SD-JWT and W3C x5c headers, improving interoperability with external wallets/verifiers.
  • Tightened handling of client_id and response_mode for SD-JWT and related flows using stricter enums and validation rules to match current standards.

Authentication, Sessions and Login/Logout UX

  • Adopted the updated OIDC/AuthNZ stack from the OSS libraries so Enterprise APIs follow the same authentication and session handling behavior as the Community Stack.
  • Added a logout endpoint, UI button and supporting Nuxt plugin to clear tokens and redirect users to the login page once sessions expire.
  • Implemented session-expiry detection with a modal and client-side handling so token expiry is surfaced clearly and users are guided to re-authenticate.
  • Improved the Enterprise login page with clearer error messages and loading states, giving admins better feedback on ongoing authentication operations.
  • Allowed additional authentication methods beyond email for account flows, relaxing previous constraints where only email-based methods were accepted.

Idempotent Issuer, Verifier and Resource APIs

  • Made resource creation, credential issuance and verification-session endpoints idempotent, so repeated client calls (e.g. retries) do not result in duplicate resources or sessions.
  • Added detailed status fields and human-readable reasons to issuance and verification entities in both the backend and UI, making failed operations easier to diagnose.
  • Introduced timestamp fields on issuer and verifier resources to support auditing and lifecycle tracking across long-running deployments.

Telemetry, Observability and Security Scanning

  • Added a first-class OpenTelemetry plugin with configuration via telemetry.conf, including exporter wiring, instrumentation toggles and feature flags for Enterprise services.
  • Hardened the telemetry stack with safer configuration parsing, singleton lifecycle management, deterministic shutdown and reduced log noise, while keeping telemetry opt-in by default.
  • Introduced an OWASP ZAP full-scan GitHub workflow so CI runs automated security scans and surfaces regressions early in the pipeline.

Credential Templating and Holder/Policy UX

  • Added credential templating support to the Enterprise UI, allowing admins to define reusable credential templates and edit them via an improved JSON editor.
  • Introduced policy settings on the wallet “receive VC” screen, enabling per-wallet policy configuration when receiving credentials.
  • Provided UI for Verifier2 and holder policies so operators can configure and review holder-related policy behavior directly from the Enterprise console.

Admin Console, Tenant and Wallet UX Improvements

  • Added tenant deletion with confirmation flows, improved configuration views and clarified “Danger Zone” messaging for sensitive operations such as credential deletion.
  • Updated issuer navigation so flows redirect directly to issuance-session detail pages, reducing clicks and making debugging easier.
  • Added API key expiration options to the API key creation form so administrators can enforce key lifetimes without manual rotation.
  • Enhanced DID-related screens by displaying dynamic DID Service IDs in headers, fetching dependencies automatically, improving DID store/service dependency checks and making DID formatting consistent.
  • Added tenant registry options, dynamic page titles and safer default selection for DID stores, improving overall admin guidance and reducing misconfiguration risk.

Session PII data retention & auto-purge

Configurable issuer/verifier session retention via data-retention.conf and the data-retention feature flag, including scheduled auto-purge, dry-run mode, and logging to limit stored PII. Learn more here.

Fixes & Improvements

Verification and Standards Compliance

  • Improved OpenID4VP verifier and wallet behavior to align with the unified 1.0 implementation and mDoc handling across OSS and Enterprise stacks.
  • Fixed multiple SD-JWT and x5c edge cases (including missing _sd_alg, updated x5-chain types and parsing of x5c lists) to stay compatible with evolving community libraries.
  • Fixed VCT parsing during presentation and refined ISO/IEC 18013-7 profile handling so mDL/mDoc flows match the profile requirements.
  • Extended Verifier2 tests and presented-credential inspection coverage, including migration of DCQL integration tests, to ensure new flows remain stable.

Issuance, Credential Lifecycle and URLs

  • Fixed credential-offer URL generation across issuers and cleaned up redundant handlers and tests to prevent broken issuance flows.
  • Updated base URL defaults and host-alias handling (including for cloud deployments) to avoid misrouted calls in gateway-based setups.
  • Improved logging for the Enterprise Gateway and test environments to make troubleshooting deployment-specific issues easier.
  • Disabled a problematic credential schema that caused build failures and added notes to highlight its status until it is fully supported.

Admin UI, Wallet and DID UX

  • Fixed the Vue JSON editor onChange handling so edits to credential templates are reliably captured in the UI.
  • Corrected the default visibility of policy-store settings so policy configuration is hidden when no policy store is attached to a wallet.
  • Improved DID store/service configuration screens with clearer validation messages and UX refinements when dependencies are missing or misconfigured.
  • Refined navigation to issuance-session details, adjusted copy where terminology was incorrect or confusing, and clarified dangerous-action confirmations.

Docs and Developer Experience

  • Updated Swagger descriptions, examples and response codes for Enterprise services, including Azure key-generation examples, to better reflect actual behavior.
  • Added and refined documentation for credential-status capabilities (including a feature list in the credential-status README) and removed outdated notes that no longer matched implementation.
  • Finalized documentation for the Enterprise Gateway, public DID Web registry, mDoc data adaptation layer and authorization-code ID token claim mapping so implementers have end-to-end guidance.
  • Removed legacy security-token samples from resource-service examples to avoid confusion and reduce risk in demos and training materials.
  • Introduced Prettier-based formatting in UI codebases to keep frontend contributions consistent.

Tests, CI/CD and Operations

  • Introduced Enterprise Stack integration tests (including wallet-holder policy tests) and migrated multiple suites to JUnit, improving consistency and coverage across services.
  • Added remote-environment integration tests and removed obsolete or overlapping Enterprise e2e suites to reduce runtime and cut noise from brittle paths.
  • Temporarily disabled flaky integration tests affected by unresolved external addresses and fixed various test assertions to stabilise CI signal.
  • Performed general CI/CD maintenance, including Sonar-related fixes and repository clean-up (e.g. removing stale ignore rules and unnecessary files).

Breaking Changes

Stricter SD-JWT Verifier Request Validation

  • Tightened validation of client_id and response_mode for SD-JWT and related verifier flows by introducing stricter enums and request checks.
  • Requests that previously passed with unsupported, malformed or missing values may now be rejected; clients must ensure they send valid client_id and supported response_mode combinations.

PAR Endpoint Disabled for Enterprise Issuer

  • Disabled the Pushed Authorization Request (PAR) endpoint for the Enterprise Issuer.
  • Integrations that relied on PAR must switch to the standard authorization flow when initiating issuance requests.

Revocation of Credentials

  • Previously, revocation of credentials was done via an index parameter in the /v1/{target}/credential-status-service-api/status-credential/status/update endpoint.
  • Now it uses session ID instead. The session ID is available:
    • At issuance, by parsing the credential URL offer
    • During issuance, through the callback events
    • Post issuance, via the events exposed at /v1/events/query
  • This change was necessary to accommodate new functionality which allows the issuer to use the credential status service as a dependency to automatically update the chosen status list. It also works better with new features we are planning for the issuer, such as reusable offers, deferred issuance and batch issuance. In all these cases, the index is not known to the user, whereas the session ID is available through the methods described above.

0.7

Features

Holder Policies for Silent Wallet Flows

Use holder policies to allow users to set granular sharing rules for credentials, ensuring consent-first data sharing during silent issuance and verification flows.

New Status Policy in Verifier Service

A flexible status policy to validate common status types like revocation or suspension, but also custom reasons, based on the BitstringStatusList, StatusList2021, RevocationList2020 and TokenStatusList standards.

Support for Non-Expiring Issuance Sessions

The Issuer Service API now allows for the creation of non-expiring issuance sessions. When you call POST /issuer-service-api/credentials/issue, you can set the session to remain active indefinitely by including the parameter expiresInSeconds: -1. If you prefer a session with a specific duration, you can specify the desired length in seconds using the expiresInSeconds parameter. By default, if this parameter is omitted, the session will expire after five minutes.

mDL Issuance Simplified

The mDL issuance request no longer requires the trustedRootCAs field. Also, the OpenAPI examples have been updated.

Credential Branding Extension

Issuers can now provide a secondary image for the credential branding information when setting up an issuer service. See an updated example in the SWAGGER docs.

Enterprise UI Updates

The management of service configuration in JSON format has been implemented for the following services: DID registry, KMS, Status, Credential Store, DID Store, Verifier, and Wallet.

Improved Authorization Request handling when presenting credentials via the wallet service UI.

Fixes

SD-JWT VC Display Info Loading

When you issue an SD-JWT VC credential using the credentials/issue endpoint of the issuer service, the display information will now be correctly retrieved from the issuer service configuration. This happens if you do not provide any display information directly in your issuance request.

Wallet Service Key Enforcement

The wallet presentation flow no longer enforces that holder keys must be secp256r1. Applications can now present non‑MDOC credentials with other key types.

Docs

OpenAPI documentation improved

Each endpoint now features clearer descriptions, and the OpenID4VCI specifications include the standardVersion as a path parameter. These updates ensure that clients generated from api.json accurately reflect the API behavior.

0.6.0

Features

Wallet API Enterprise Stack

Wallet API Enterprise Stack (Skeleton) Phase 1 implementation with default SDK authentication handling.

mDL Support

  • mDL verification capabilities
  • mDL issuance functionality
  • mDoc credential layer integration
  • mDoc enterprise UI
  • mDL enhancements with removed DID requirement

DID Registry

  • DID registry implementation
  • DID.json routing improvements

Credential Features

  • Credential status compatibility check when processing credential requests
  • Credential display functionality
  • Relational Constraint support in Presentation Definition

Documentation & Configuration

  • Updated Wallet Swagger documentation
  • Quality Gate configuration improvements
  • Metadata endpoints for resources

Authentication & Security

  • Initial auth code flow
  • Recommended TLS protocol version implementation

Fixes

  • Minor README.md improvements
  • Global log context enhancements
  • Conflicting import resolution
  • AWS Crypto module registration
  • Missing acceptTarget from update config endpoint
  • Credential status version updates
  • Credential configuration decoding improvements for authorization servers

0.5.0

Features

Events & Metrics

Track events like credential issuance and verification with metadata such as exchange protocol, status, session ID and more. You can also aggregate events for metrics.

Learn more

Logging

The enterprise stack logs can now be adjusted to contain tracking IDs. IDs can be provided with the credentials/issue and credentials/verify endpoints.

Enterprise Quickstart CLI

Explore and learn about different Enterprise features with our CLI tool. Execute a single command like "create organization" or use the wizard to get a walkthrough of how to set up the enterprise stack end-to-end.

Learn more

Enterprise Stack UI

Create tenants, manage them, and utilize services such as issuer, verifier, or credential status directly from your browser via the Enterprise UI. The user interface is currently designed for admin users (fine-grained access coming later) and does not yet include the complete range of features available via API. However, feature expansion will come in the following months.

Credential Status for SD-JWT VC credentials

Enable credential status for SD-JWT VCs using the Token Status List standard.

Learn more

Presentation Request URL Endpoint in Verifier API

Get the credential presentation request URL with the v1/{target}/verifier-service-api/credentials/sessions/presentation-request-url/view endpoint.

0.4.0

Features


Authentication

Login Token Security

  • Provide signing and verification keys for login tokens securely stored in an external AWS Key Management Service (KMS). Learn more here

Issuer API

Support for OpenID4VCI Draft 11 & 13

  • The Enterprise Issuer API now supports OpenID4VCI Draft 11 and Draft 13, focusing on the PreAuthorized Code Flow. Users can provide an optional standardVersion parameter in the issuance request to specify the required protocol version DRAFT11 or DRAFT13. If omitted, DRAFT13 will be used.

Authorization Code Flow in Issuer API

  • The Issuer API now supports the authorization code flow using ID_TOKEN and VP_TOKEN as authentication methods for OpenID4VCI Draft 11 and 13. This new feature introduces an authenticationMethod parameter in the /credentials/issue request, allowing for explicit specification of the desired authentication method.

Breaking Changes

Verifier API Presentation Definition Policy

  • The implementation has been corrected to include the "vc" part in compliance with the Presentation Exchange Specification v2.0.0. The previous implementation was incorrect because the evaluation of JSON paths starts from the root of the JWT claims segment. In the case of JWT VC JSON for the W3C VC Data Model v1.1, this segment contains a vc property where the credential data exists.
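
The path behaviour described in this breaking change, as an added example (not code from the walt.id stack): a constructed JWT VC payload and a small evaluator for a JSONPath subset show why a Presentation Definition path without the vc segment resolves to nothing. The sample claims, DIDs and helper names are assumptions made for the illustration, and the filter check covers only a regex pattern, tried against every match of each path.

```python
import base64
import json
import re

# Constructed JWT VC claims (W3C VC Data Model v1.1 in JWT form): the
# credential itself sits under the "vc" claim, next to iss/sub/nbf.
SAMPLE_CLAIMS = {
    "iss": "did:example:issuer",
    "sub": "did:example:holder",
    "nbf": 1700000000,
    "vc": {
        "type": ["VerifiableCredential", "UniversityDegree"],
        "credentialSubject": {"degree": {"name": "BSc"}},
    },
}

def make_unsigned_jwt(claims):
    """Build header.payload.signature with a dummy signature (sample input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc(claims)}.sig'

def jwt_claims(jwt):
    """Decode the claims segment. No signature check: this only shows path evaluation."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

# One path step: .name, [n] or [*]
TOKEN = re.compile(r"\.([A-Za-z_][\w-]*)|\[(\d+)\]|\[\*\]")

def eval_path(doc, path):
    """Evaluate a small JSONPath subset ($, .name, [n], [*]) from the document root."""
    if not path.startswith("$"):
        raise ValueError("path must start at the root '$'")
    nodes, pos = [doc], 1
    while pos < len(path):
        m = TOKEN.match(path, pos)
        if not m:
            raise ValueError(f"unsupported path syntax at offset {pos}: {path!r}")
        name, index = m.group(1), m.group(2)
        nxt = []
        for n in nodes:
            if name is not None and isinstance(n, dict) and name in n:
                nxt.append(n[name])
            elif index is not None and isinstance(n, list) and int(index) < len(n):
                nxt.append(n[int(index)])
            elif name is None and index is None and isinstance(n, list):
                nxt.extend(n)  # [*] expands every array element
        nodes, pos = nxt, m.end()
    return nodes

def field_satisfied(claims, field):
    """Try each path in order; succeed on a match that passes the optional pattern filter."""
    pattern = field.get("filter", {}).get("pattern")
    for path in field["path"]:
        for value in eval_path(claims, path):
            if pattern is None or (isinstance(value, str) and re.search(pattern, value)):
                return True
    return False
```

A field constraint with path `$.type[*]` is not satisfied by this payload, while `$.vc.type[*]` is, because evaluation starts at the root of the JWT claims rather than at the credential.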

0.3.0

Features

  • Issuer Service OpenID metadata display information - Learn more
  • Verifier Service client display information - Learn more
  • Login Token Expiration Config Options (Accounts & Super Admins) - Learn more
  • API Key Expiration Options - Learn more
  • Issuer callback support - Learn more

Fixes

  • Remove MongoDB password from appearing in logs
  • Fix double slash issue in OIDC issuer offer URL

Breaking Changes


0.2.0

Features

  • KMS Service: AWS integration now offers instance Auth Authentication
  • API Service: Added List API keys endpoint
  • Truststore MongoDB SSL configuration
  • Added list accounts for each tenant endpoint
  • Added list accounts for each organization endpoint

Improvements

  • Automatically add basic organization endpoint information to OpenAPI docs
  • Showcase required permissions on SWAGGER Docs API endpoints
  • Import / delete key feature from waltid-crypto keys in KMS service
  • Improved error handling & messages

Fixes

  • Fix API key role assign
  • Fix edge case of NullPointer by database when the default admin role is deleted and this was the user's only role
  • Fix illegal character issue (wrong verifier openapi docs)

Last updated on May 8, 2026