0.16.0

You might be wondering why this release is v0.16.0 when the last Enterprise version was v0.7.0. Since we now release Enterprise and Community together, we’ve aligned their versions—so with the latest Community Stack at v0.15.1, the Enterprise Stack has been bumped to v0.16.0 to match going forward.

Features

OpenID4VP 1.0, Verifier2 and mDoc Support

  • Refactored OpenID4VP wallet and verifier logic into shared libraries used by Enterprise Verifier2, providing a unified, mDoc-aware OpenID4VP 1.0 implementation across stacks.
  • Added full mDoc parsing, device authentication and presentation validation based on CBOR/COSE libraries, including selective disclosure handling for mDoc presentations.
  • Extended Verifier2 controllers to expose richer credential/session metadata and aligned Enterprise Verifier2 with the new OpenID4VP verifier package for consistent routing and session management.
  • Migrated Verifier2 DCQL integration tests into the Enterprise repository and expanded DCQL coverage so OpenID4VP/DCQL flows are validated against Enterprise APIs.

Credential Status Service, URLs and mDL/mDoc Status Integration

  • Introduced a dedicated Credential Status microservice that manages status entries and exposes them through its own API, including an endpoint that returns the public status URL for a given credential.
  • Added configurable, signed-URL generation for status endpoints with expiry support and cloud-specific URL providers, and updated registry utilities to work with cloud-native clients.
  • Linked stored issuance sessions to credential status indices and refreshed status update APIs so status changes can be automated from issuance flows and traced back to the original session.
  • Extended issuer and verifier support for mDL/mDoc credentials using a unified status property backed by TokenStatusList/Credential Status List, including multiple status values per credential.
  • Introduced a Credential Status List view in the Enterprise UI and added documentation describing status features and capabilities for operators.
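As an added illustration (not walt.id code, and not the Enterprise status service's API) of what the TokenStatusList-backed status property stores and what a verifier checks, the following is a minimal implementation of the IETF Token Status List format: the bit-packing layout, the zlib-plus-base64url encoding of the `status_list` claim, the `status` claim a credential carries, and the verifier-side lookup. The status values 0/1/2 (valid/invalid/suspended), the bit layout and the `sub`-must-equal-`uri` rule are taken from the draft; the issuer URL and the sample status values are constructed (the bits=2 values happen to be the draft's own worked example).

```python
import base64
import zlib

# Status values defined by the IETF Token Status List draft.
STATUS_VALID, STATUS_INVALID, STATUS_SUSPENDED = 0x00, 0x01, 0x02


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pack_status_list(statuses, bits):
    """Pack per-index status values into the raw bitstring.

    With `bits` bits per entry, index 0 sits in the least significant bits of
    byte 0, index 1 in the next `bits` bits, and so on (the draft's layout).
    bits=2 gives four possible values per credential (valid/invalid/suspended/...).
    """
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    max_value = (1 << bits) - 1
    out = bytearray((len(statuses) * bits + 7) // 8)
    for idx, value in enumerate(statuses):
        if not 0 <= value <= max_value:
            raise ValueError(f"status {value} at index {idx} needs more than {bits} bits")
        bit_pos = idx * bits
        out[bit_pos // 8] |= value << (bit_pos % 8)
    return bytes(out)


def encode_status_list(statuses, bits):
    """Build the `status_list` claim of a Status List Token: zlib DEFLATE, then base64url."""
    raw = pack_status_list(statuses, bits)
    return {"bits": bits, "lst": b64url_encode(zlib.compress(raw, 9))}


def decode_status_list(claim):
    return zlib.decompress(b64url_decode(claim["lst"]))


def status_at(claim, idx):
    """Read one Referenced Token's status from a `status_list` claim."""
    bits = claim["bits"]
    raw = decode_status_list(claim)
    bit_pos = idx * bits
    if bit_pos // 8 >= len(raw):
        raise IndexError(f"index {idx} is outside the status list")
    return (raw[bit_pos // 8] >> (bit_pos % 8)) & ((1 << bits) - 1)


def status_claim_for_credential(uri, idx):
    """The `status` claim an issuer embeds in a credential that references a list entry."""
    return {"status": {"status_list": {"idx": idx, "uri": uri}}}


def check_credential(credential_status, status_list_token_claims):
    """Verifier side. `status_list_token_claims` is the payload of the Status List Token
    fetched from the credential's `uri`, after its signature has been verified."""
    ref = credential_status["status"]["status_list"]
    if status_list_token_claims.get("sub") != ref["uri"]:
        raise ValueError("status list token 'sub' does not match the referenced uri")
    return status_at(status_list_token_claims["status_list"], ref["idx"])


if __name__ == "__main__":
    # Constructed sample: 12 credentials at 2 bits each (index 1 and 9 suspended,
    # index 3, 10 and 11 carrying an application-defined value 3).
    statuses = [1, 2, 0, 3, 0, 1, 0, 1, 1, 2, 3, 3]
    claim = encode_status_list(statuses, bits=2)
    token_claims = {"sub": "https://issuer.example/status/1", "iat": 1733270400,
                    "status_list": claim}
    cred = status_claim_for_credential("https://issuer.example/status/1", 9)
    print(check_credential(cred, token_claims))  # 2 -> STATUS_SUSPENDED
```

Two operational points follow from the format: a status list is only as trustworthy as the signature on the Status List Token and the `sub`/`uri` match, so a verifier must never accept an unsigned list; and because entries are dense bits, index assignment should be randomised (not sequential per issuance) if a status list is public, or observers can estimate issuance volume.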

Enterprise Gateway, DID Registries and Certificate Management (VICAL)

  • Shipped the walt.id Enterprise Gateway with documentation and deployment manifests to streamline connectivity with DID registries and other trust infrastructure in clustered deployments.
  • Finalized documentation for the API Gateway and public DID Web registry so operators can configure public DID hosting consistently between OSS and Enterprise environments.
  • Delivered the VICAL Management Service and Registry together with a Certificate Store, providing Enterprise-grade certificate distribution and management aligned with the OSS implementation.
  • Enabled external publishing of core cryptographic libraries (including VICAL/COSE) so the same building blocks can be reused across Enterprise and external integrations.

SD-JWT VC Issuance and Verification

  • Implemented SD-JWT VC schema validation in the Enterprise Issuer, ensuring issued SD-JWT VCs conform to expected structures before they are returned to clients.
  • Fixed missing _sd_alg parameters in SD-JWT payloads and updated x5c handling to support certificate chains (with dedicated X509 parsing utilities), keeping Enterprise aligned with upstream changes.
  • Reworked the SD-JWT presentation pipeline for Verifier1 into a single-pass parser with robust error handling and support for multiple matching credentials per presentation.
  • Updated issuer responses to include cNonce plus expiry and to transcode uploaded PEM certificate chains into base64 DER for SD-JWT and W3C x5c headers, improving interoperability with external wallets/verifiers.
  • Tightened handling of client_id and response_mode for SD-JWT and related flows using stricter enums and validation rules to match current standards.
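The two SD-JWT fixes above (an explicit `_sd_alg` in the payload, and x5c headers built from PEM chains) both come down to small encoding rules that are easy to get wrong. The following is an added example, not the Enterprise Issuer's code, showing the issuer side (disclosure creation, `_sd` digests, explicit `_sd_alg`, PEM-to-x5c transcoding) and the verifier side (rejecting unknown `_sd_alg`, unmatched disclosures and colliding claim names). The disclosure and digest construction follows the IETF SD-JWT draft; the `x5c` encoding rule (standard base64 of DER, not base64url) is RFC 7515 section 4.1.6; the `typ` value and the sample chain, which is a stand-in DER SEQUENCE rather than a real certificate, are assumptions marked in the code.

```python
import base64
import hashlib
import json
import secrets

# Hash algorithms this verifier accepts for `_sd_alg` (IANA "Named Information Hash Algorithm" names).
SUPPORTED_SD_ALGS = {"sha-256": hashlib.sha256}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name, value, salt=None):
    """Disclosure = base64url(JSON [salt, claim name, claim value]); salt is 128-bit random."""
    salt = salt or b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))


def disclosure_digest(disclosure, sd_alg="sha-256"):
    return b64url(SUPPORTED_SD_ALGS[sd_alg](disclosure.encode("ascii")).digest())


def build_sd_payload(claims, selectively_disclosable, sd_alg="sha-256"):
    """Issuer side: return (payload, disclosures). `_sd_alg` is always written explicitly."""
    if sd_alg not in SUPPORTED_SD_ALGS:
        raise ValueError(f"unsupported _sd_alg {sd_alg!r}")
    payload = {k: v for k, v in claims.items() if k not in selectively_disclosable}
    disclosures = [make_disclosure(k, claims[k]) for k in selectively_disclosable]
    payload["_sd"] = sorted(disclosure_digest(d, sd_alg) for d in disclosures)
    payload["_sd_alg"] = sd_alg
    return payload, disclosures


def verify_disclosures(payload, disclosures):
    """Verifier side: recover disclosed claims, rejecting an unknown `_sd_alg`, digests that
    are not in `_sd`, and claim names that collide with the payload or with each other."""
    sd_alg = payload.get("_sd_alg", "sha-256")  # the draft's default when the claim is absent
    if sd_alg not in SUPPORTED_SD_ALGS:
        raise ValueError(f"unsupported _sd_alg {sd_alg!r}")
    expected = set(payload.get("_sd", []))
    recovered = {}
    for d in disclosures:
        if disclosure_digest(d, sd_alg) not in expected:
            raise ValueError("disclosure does not match any digest in _sd")
        _salt, name, value = json.loads(b64url_decode(d))
        if name in payload or name in recovered:
            raise ValueError(f"duplicate claim name {name!r}")
        recovered[name] = value
    return recovered


def pem_chain_to_x5c(pem_text):
    """Transcode a PEM chain (leaf first) into the JOSE `x5c` header: one standard-base64
    (RFC 4648 section 4, not base64url) string per DER certificate, per RFC 7515 section 4.1.6."""
    x5c, body, collecting = [], [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            collecting, body = True, []
        elif line == "-----END CERTIFICATE-----":
            der = base64.b64decode("".join(body), validate=True)
            if not der.startswith(b"\x30"):  # every X.509 Certificate is a DER SEQUENCE
                raise ValueError("PEM body is not a DER SEQUENCE")
            x5c.append(base64.b64encode(der).decode("ascii"))
            collecting = False
        elif collecting:
            body.append(line)
    if collecting or not x5c:
        raise ValueError("no complete CERTIFICATE block found")
    return x5c


def sd_jwt_header(x5c, alg="ES256"):
    """Protected header for an SD-JWT VC carrying the issuer's chain. Assumption: the media
    type "dc+sd-jwt" from the current SD-JWT VC draft (older drafts used "vc+sd-jwt")."""
    return {"alg": alg, "typ": "dc+sd-jwt", "x5c": x5c}


# Constructed sample chain: a stand-in DER SEQUENCE (30 03 02 01 01), not a real certificate,
# repeated twice so the leaf-then-CA ordering is visible. Real chains come from the issuer keystore.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_CHAIN_PEM = (
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
)
```

The verifier defaults to sha-256 when `_sd_alg` is absent, as the draft requires, but an issuer that omits the claim leaves the verifier guessing if a different algorithm is ever adopted; emitting it explicitly, as the fix above does, is the interoperable choice. Note also that base64url-encoding the x5c entries (a common slip when the rest of the JWT is base64url) produces a header that strict JOSE libraries reject.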

Authentication, Sessions and Login/Logout UX

  • Adopted the updated OIDC/AuthNZ stack from the OSS libraries so Enterprise APIs follow the same authentication and session handling behavior as the Community Stack.
  • Added a logout endpoint, UI button and supporting Nuxt plugin to clear tokens and redirect users to the login page once sessions expire.
  • Implemented session-expiry detection with a modal and client-side handling so token expiry is surfaced clearly and users are guided to re-authenticate.
  • Improved the Enterprise login page with clearer error messages and loading states, giving admins better feedback on ongoing authentication operations.
  • Allowed additional authentication methods beyond email for account flows, relaxing previous constraints where only email-based methods were accepted.

Idempotent Issuer, Verifier and Resource APIs

  • Made resource creation, credential issuance and verification-session endpoints idempotent, so repeated client calls (e.g. retries) do not result in duplicate resources or sessions.
  • Added detailed status fields and human-readable reasons to issuance and verification entities in both the backend and UI, making failed operations easier to diagnose.
  • Introduced timestamp fields on issuer and verifier resources to support auditing and lifecycle tracking across long-running deployments.
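The page does not say how the idempotency is keyed, so the following is a hypothetical sketch (added here, not walt.id's implementation) of the property the bullet describes: a create-session call retried with the same idempotency key replays the first response instead of creating a second session, the key is scoped to the tenant so one tenant cannot replay another's response, and reusing a key with a different request body is rejected rather than silently replayed. The `Idempotency-Key` header name, the session shape and the status codes are assumptions.

```python
import hashlib
import json
import uuid


class IdempotentSessionService:
    """Hypothetical 'create verification session' endpoint with idempotency-key semantics.

    The first response for a (tenant, key) pair is stored with a fingerprint of the
    request body. A retry with the same key and body is answered from the store; the
    same key with a different body is a client error, not a second session.
    """

    def __init__(self):
        self._by_key = {}   # (tenant, idempotency key) -> (fingerprint, status, response)
        self.sessions = {}  # session_id -> request body (stand-in for the session store)

    @staticmethod
    def _fingerprint(body):
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hashlib.sha256(canonical).hexdigest()

    def create_session(self, tenant, idempotency_key, body):
        """Return (status, response). `idempotency_key` is the client's Idempotency-Key header
        or None when the client sent none (then every call creates a session)."""
        fp = self._fingerprint(body)
        if idempotency_key is not None:
            hit = self._by_key.get((tenant, idempotency_key))
            if hit is not None:
                stored_fp, status, response = hit
                if stored_fp != fp:
                    return 422, {"error": "idempotency_key_reused_with_different_payload"}
                return status, response  # replay: no new session is created
        session_id = str(uuid.uuid4())
        self.sessions[session_id] = body
        status, response = 201, {"session_id": session_id, "state": "created"}
        if idempotency_key is not None:
            self._by_key[(tenant, idempotency_key)] = (fp, status, response)
        return status, response


if __name__ == "__main__":
    svc = IdempotentSessionService()
    req = {"dcql_query": {"credentials": [{"id": "pid", "format": "dc+sd-jwt"}]}}  # constructed
    print(svc.create_session("tenant-a", "retry-7f3a", req))   # 201, new session
    print(svc.create_session("tenant-a", "retry-7f3a", req))   # same session replayed
    print(svc.create_session("tenant-a", "retry-7f3a", {}))    # 422, key reused with other body
```

In a clustered deployment the `(tenant, key) -> response` map has to live in shared storage with a TTL, otherwise a retry that lands on a different node creates the duplicate the feature is meant to prevent.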

Telemetry, Observability and Security Scanning

  • Added a first-class OpenTelemetry plugin with configuration via telemetry.conf, including exporter wiring, instrumentation toggles and feature flags for Enterprise services.
  • Hardened the telemetry stack with safer configuration parsing, singleton lifecycle management, deterministic shutdown and reduced log noise, while keeping telemetry opt-in by default.
  • Introduced an OWASP ZAP full-scan GitHub workflow so CI runs automated security scans and surfaces regressions early in the pipeline.

Credential Templating and Holder/Policy UX

  • Added credential templating support to the Enterprise UI, allowing admins to define reusable credential templates and edit them via an improved JSON editor.
  • Introduced policy settings on the wallet “receive VC” screen, enabling per-wallet policy configuration when receiving credentials.
  • Provided UI for Verifier2 and holder policies so operators can configure and review holder-related policy behavior directly from the Enterprise console.

Admin Console, Tenant and Wallet UX Improvements

  • Added tenant deletion with confirmation flows, improved configuration views and clarified “Danger Zone” messaging for sensitive operations such as credential deletion.
  • Updated issuer navigation so flows redirect directly to issuance-session detail pages, reducing clicks and making debugging easier.
  • Added API key expiration options to the API key creation form so administrators can enforce key lifetimes without manual rotation.
  • Enhanced DID-related screens by displaying dynamic DID Service IDs in headers, fetching dependencies automatically, improving DID store/service dependency checks and making DID formatting consistent.
  • Added tenant registry options, dynamic page titles and safer default selection for DID stores, improving overall admin guidance and reducing misconfiguration risk.

Session PII data retention & auto-purge

Configurable issuer/verifier session retention via data-retention.conf and the data-retention feature flag, including scheduled auto-purge, a dry-run mode and logging, so that session PII is not kept longer than configured. Learn more here.

Fixes & Improvements

Verification and Standards Compliance

  • Improved OpenID4VP verifier and wallet behavior to align with the unified 1.0 implementation and mDoc handling across OSS and Enterprise stacks.
  • Fixed multiple SD-JWT and x5c edge cases (including missing _sd_alg, updated x5-chain types and parsing of x5c lists) to stay compatible with evolving community libraries.
  • Fixed VCT parsing during presentation and refined ISO/IEC 18013-7 profile handling so mDL/mDoc flows match the profile requirements.
  • Extended Verifier2 tests and presented-credential inspection coverage, including migration of DCQL integration tests, to ensure new flows remain stable.

Issuance, Credential Lifecycle and URLs

  • Fixed credential-offer URL generation across issuers and cleaned up redundant handlers and tests to prevent broken issuance flows.
  • Updated base URL defaults and host-alias handling (including for cloud deployments) to avoid misrouted calls in gateway-based setups.
  • Improved logging for the Enterprise Gateway and test environments to make troubleshooting deployment-specific issues easier.
  • Disabled a problematic credential schema that caused build failures and added notes to highlight its status until it is fully supported.

Admin UI, Wallet and DID UX

  • Fixed the Vue JSON editor onChange handling so edits to credential templates are reliably captured in the UI.
  • Corrected the default visibility of policy-store settings so policy configuration is hidden when no policy store is attached to a wallet.
  • Improved DID store/service configuration screens with clearer validation messages and UX refinements when dependencies are missing or misconfigured.
  • Refined navigation to issuance-session details, adjusted copy where terminology was incorrect or confusing, and clarified dangerous-action confirmations.

Docs and Developer Experience

  • Updated Swagger descriptions, examples and response codes for Enterprise services, including Azure key-generation examples, to better reflect actual behavior.
  • Added and refined documentation for credential-status capabilities (including a feature list in the credential-status README) and removed outdated notes that no longer matched implementation.
  • Finalized documentation for the Enterprise Gateway, public DID Web registry, mDoc data adaptation layer and authorization-code ID token claim mapping so implementers have end-to-end guidance.
  • Removed legacy security-token samples from resource-service examples to avoid confusion and reduce risk in demos and training materials.
  • Introduced Prettier-based formatting in UI codebases to keep frontend contributions consistent.

Tests, CI/CD and Operations

  • Introduced Enterprise Stack integration tests (including wallet-holder policy tests) and migrated multiple suites to JUnit, improving consistency and coverage across services.
  • Added remote-environment integration tests and removed obsolete or overlapping Enterprise e2e suites to reduce runtime and cut noise from brittle paths.
  • Temporarily disabled flaky integration tests affected by unresolved external addresses and fixed various test assertions to stabilise CI signal.
  • Performed general CI/CD maintenance, including Sonar-related fixes and repository clean-up (e.g. removing stale ignore rules and unnecessary files).

Breaking Changes

Stricter SD-JWT Verifier Request Validation

  • Tightened validation of client_id and response_mode for SD-JWT and related verifier flows by introducing stricter enums and request checks.
  • Requests that previously passed with unsupported, malformed or missing values may now be rejected; clients must ensure they send valid client_id and supported response_mode combinations.
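To make the new rejection behaviour concrete, here is an added request validator (illustrative, not the Enterprise Verifier's code) that applies the checks the stricter enums stand for: `response_mode` must be a known value, `direct_post`/`direct_post.jwt` require `response_uri` and forbid `redirect_uri` (and the reverse for `fragment`/`query`), a `client_id` with an unknown prefix is refused, a `redirect_uri:` client identifier must equal the response target and must not be used with a signed request, and the other prefixes require a signed request object. The prefix list and pairing rules are taken from OpenID4VP 1.0 as read by the author of this example; which prefixes and modes the Enterprise Verifier actually supports is not stated on this page, so treat the exact sets as assumptions, as are the sample URLs.

```python
from enum import Enum
from urllib.parse import urlparse


class ResponseMode(str, Enum):
    FRAGMENT = "fragment"
    QUERY = "query"
    DIRECT_POST = "direct_post"
    DIRECT_POST_JWT = "direct_post.jwt"


POST_MODES = {ResponseMode.DIRECT_POST, ResponseMode.DIRECT_POST_JWT}

# OpenID4VP 1.0 Client Identifier Prefixes (client_id = "<prefix>:<value>").
# A client_id without a colon is a pre-registered identifier. (Assumed supported set.)
UNSIGNED_PREFIXES = {"redirect_uri"}
SIGNED_PREFIXES = {"x509_san_dns", "x509_hash", "verifier_attestation",
                   "openid_federation", "decentralized_identifier"}


class InvalidRequest(ValueError):
    def __init__(self, detail):
        super().__init__(detail)
        self.detail = detail


def parse_client_id(client_id):
    if not isinstance(client_id, str) or not client_id:
        raise InvalidRequest("client_id missing")
    if ":" not in client_id:
        return "pre-registered", client_id
    prefix, value = client_id.split(":", 1)
    if prefix not in UNSIGNED_PREFIXES | SIGNED_PREFIXES:
        raise InvalidRequest(f"unsupported client_id prefix {prefix!r}")
    if not value:
        raise InvalidRequest("client_id value is empty")
    return prefix, value


def validate_request(params, request_is_signed=False):
    """Return the normalized request, or raise InvalidRequest with the reason."""
    prefix, value = parse_client_id(params.get("client_id"))
    try:
        mode = ResponseMode(params.get("response_mode"))  # missing or unknown -> ValueError
    except ValueError:
        raise InvalidRequest(f"unsupported response_mode {params.get('response_mode')!r}") from None
    redirect_uri, response_uri = params.get("redirect_uri"), params.get("response_uri")
    if mode in POST_MODES:
        if not response_uri or redirect_uri:
            raise InvalidRequest("direct_post requires response_uri and forbids redirect_uri")
        target = response_uri
    else:
        if not redirect_uri or response_uri:
            raise InvalidRequest(f"{mode.value} requires redirect_uri and forbids response_uri")
        target = redirect_uri
    if prefix == "redirect_uri":
        if value != target:
            raise InvalidRequest("client_id must equal the redirect_uri/response_uri")
        if request_is_signed:
            raise InvalidRequest("redirect_uri client_id must not be used with a signed request")
    elif prefix in SIGNED_PREFIXES and not request_is_signed:
        raise InvalidRequest(f"{prefix} client_id requires a signed request object")
    if prefix == "x509_san_dns" and urlparse(target).hostname != value.lower():
        # the response must go to the host named in the certificate's dNSName SAN
        raise InvalidRequest("response target host does not match the dNSName in client_id")
    return {"prefix": prefix, "value": value, "response_mode": mode.value, "target": target}


def rejection(params, **kw):
    """Return None when the request is accepted, else the rejection detail."""
    try:
        validate_request(params, **kw)
    except InvalidRequest as e:
        return e.detail
    return None


if __name__ == "__main__":
    # Constructed sample request, as a wallet would receive it from an Enterprise-style verifier.
    sample = {"client_id": "x509_san_dns:verifier.example.com", "response_mode": "direct_post",
              "response_uri": "https://verifier.example.com/openid4vp/response", "nonce": "n-0S6_WzA2Mj"}
    print(validate_request(sample, request_is_signed=True))
    print(rejection(dict(sample, response_mode="post"), request_is_signed=True))
```

Clients hitting the new rejections should check, in this order: that `response_mode` is spelled exactly as one of the supported values, that only the URI parameter matching that mode is present, and that the `client_id` prefix matches how the request is authenticated (signed request object versus bare `redirect_uri`).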

PAR Endpoint Disabled for Enterprise Issuer

  • Disabled the Pushed Authorization Request (PAR) endpoint for the Enterprise Issuer.
  • Integrations that relied on PAR must switch to the standard authorization flow when initiating issuance requests.

Last updated on December 4, 2025