0.20.0

Highlights

  • New Trust Registry Service for managing ETSI trust lists (TSL, LoTE) for credential verification against official trust frameworks.
  • New Client Attestation Service for issuing and verifying wallet attestations for secure credential issuance flows.
  • OpenID4VCI 1.0 support in the Wallet Service, marking the completion of our 1.0 support across all services.
  • Improved external IAM integration to connect with external OIDC providers for authentication.
  • External role mapping API with database-backed mappings, RESTful endpoints, and demo app UI for enterprise authentication flows. Supports dynamic redirect URLs and RP-initiated logout.
  • Enterprise Service security refactoring for Issuer 1/2, Verifier 1/2, and Wallet services with interface-based implementations, automatic dependency detection, and granular permission control. Major architectural improvement enabling better testability and security isolation.
  • X.509 Store and VICAL services rebuilt with proper persistence, user-permission proxies, and service-level certificate storage with cross-store linking support. Certificate IDs are now derived from target paths with full delete support.

Features

Enterprise Service Security

  • Secured Issuer 1 and Issuer 2 Enterprise Services with interface-based implementation pattern and automatic KMS dependency detection.
  • Refactored Verifier 1/2 Services to follow the same secure pattern with dedicated interface and implementation classes.
  • Split the Enterprise Service Wallet implementation into legacy and new v2 OpenID4VCI flows, with mDoc support.
  • Added user permission proxy implementations for credential stores, policy stores, and client attesters.
  • Added comprehensive wallet permission tests to validate the security model.

X.509 Store and VICAL Services

  • Fixed X.509 store persistence with service-side repository logic and proper certificate ID handling.
  • Updated X.509 service certificate creation to accept optional storedCertificateId and store issued certificates across linked X.509 stores.
  • Added delete support and completed user-permission proxy coverage for X.509 store operations.
  • Moved VICAL storage logic into private service-local repository and added VICAL service user-permission proxy support.
  • Adjusted VICAL registry/publication controllers for response status and artifact format parsing.

Issuer2 and OpenID4VCI

  • Added issuanceSessionId to credential offer requests and access tokens for O(1) credential endpoint lookups.
  • Added correlationId (callId) to callback events for session tracking.
  • Enriched issuance session with id, format, and status information.
  • Added support for issuer state forwarding.
  • Improved profile update to ignore certain keys (profileId, status, version, createdAt, updatedAt) for better developer experience.

Client Attestation and EUDI Compatibility

  • Implemented client attestation support with configurable validation.
  • Extended lenient mode to gracefully skip verification when signature validation fails.
  • Added issuer state in redirect for EUDI wallet compatibility.
  • Ensured clientAttestationConfig is properly copied during config updates.
  • Updated swagger example with lenient configuration for EUDI wallet demos.

Credential Status

  • Added test coverage for multiple status values.
  • Resolved hex and binary mixed usage in CWT credentials.
  • Added TSL CWT to the e2e journey.
  • Added support for DID-based header in token status lists.
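The multi-value status entries and the hex-versus-binary fix above both come down to how a token status list is packed and carried. The following is an added example written for these notes, not code from the project: it bit-packs status values at 1, 2, 4 or 8 bits per entry, least-significant bit first within each byte as the IETF Token Status List draft specifies, compresses the array with zlib, and then carries it either as base64url text (the JWT form) or as a raw byte string (the CWT form). The status value names and the sample lists are constructed for the example; the decoder deliberately accepts only those two carriers, so a hex-encoded list that leaks into the text slot fails at decompression instead of being silently misread.

```python
import base64
import zlib

# Status values used in this example (constructed subset of the draft's registry)
VALID = 0x00
INVALID = 0x01
SUSPENDED = 0x02


def pack_statuses(statuses, bits):
    """Bit-pack status values, `bits` per entry, LSB-first within each byte."""
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    mask = (1 << bits) - 1
    per_byte = 8 // bits
    out = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for i, s in enumerate(statuses):
        if s & ~mask:
            # A value wider than the declared bit width would corrupt its neighbours
            raise ValueError(f"status {s} does not fit in {bits} bits")
        out[i // per_byte] |= s << ((i % per_byte) * bits)
    return bytes(out)


def encode_jwt_status_list(statuses, bits):
    """JWT form: the zlib-compressed array travels as unpadded base64url text."""
    raw = zlib.compress(pack_statuses(statuses, bits), 9)
    lst = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return {"bits": bits, "lst": lst}


def encode_cwt_status_list(statuses, bits):
    """CWT form: the same compressed array travels as a raw byte string."""
    return {"bits": bits, "lst": zlib.compress(pack_statuses(statuses, bits), 9)}


def unpack_list(status_list):
    """Recover the packed byte array from either carrier; reject anything else."""
    lst = status_list["lst"]
    if isinstance(lst, str):
        # Text slot: must be base64url (JWT). Hex text lands here too and fails below.
        lst = base64.urlsafe_b64decode(lst + "=" * (-len(lst) % 4))
    elif not isinstance(lst, (bytes, bytearray)):
        raise TypeError("lst must be base64url text (JWT) or a byte string (CWT)")
    return zlib.decompress(lst)


def status_at(status_list, index):
    """Look up the status of the credential at `index` (O(1) after decompression)."""
    bits = status_list["bits"]
    data = unpack_list(status_list)
    per_byte = 8 // bits
    byte_index = index // per_byte
    if byte_index >= len(data):
        raise IndexError("index beyond the end of the status list")
    shift = (index % per_byte) * bits
    return (data[byte_index] >> shift) & ((1 << bits) - 1)


if __name__ == "__main__":
    # Constructed sample: five credentials, 2 bits each (valid/invalid/suspended/other)
    sample = [INVALID, SUSPENDED, VALID, 0x03, SUSPENDED]
    jwt_form = encode_jwt_status_list(sample, 2)
    cwt_form = encode_cwt_status_list(sample, 2)
    for i in range(len(sample)):
        assert status_at(jwt_form, i) == status_at(cwt_form, i) == sample[i]
    print("JWT lst:", jwt_form["lst"])
    print("CWT lst:", cwt_form["lst"].hex())
```

A verifier should read `bits` from the list itself rather than assuming one bit per entry; a 2-bit list read as 1-bit silently reports the wrong status for every odd index.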

Trust Registry

  • Added a trust registry service and policy allowing for credential verification against official trust frameworks.
  • Fixed trust registry sourceId handling by moving to target path (consistent with KMS, X.509-store patterns).
  • Fixed Unit body handling in documentedPost for no-body POST endpoints.
  • Added trust registry support aligned with OSS trust registry library.

Auth and External Role Mapping

  • Implemented database-backed external role mappings with RESTful API.
  • Added external role mapping UI to demo app with payload editor and field documentation.
  • Fixed external role mapping resolution during auth.
  • Added allowedRedirectUrls to auth config documentation.
  • Added Keycloak package for Enterprise authentication with setup guides.

Wallet Service

  • Added support for OpenID4VCI 1.0 to the Wallet API.
  • Added DID Service support in wallet creation process.
  • Fixed wallet init to return created resources (keyId and didId).
  • Added swagger examples for new wallet routes.

Platform

  • Migrated HTTP clients to unified web data fetching abstraction with CIO engine.
  • Added load testing scripts and infrastructure improvements.

Fixes and improvements

  • Fixed BSON issue in enterprise services.
  • Fixed credential metadata display.
  • Fixed assignRoleToApiKey double-stringify in demo app.
  • Fixed coroutine context conflict in tenant permissions listing.
  • Fixed old reference in credential status.
  • Added Swagger examples for creating plain KMS and generating keys.
  • Updated OpenAPI docs and examples for X.509 service and VICAL storage behavior.
  • Fixed integration tests workflows.

Breaking changes

  • X.509 Store API: The X.509 store add/update flows now use service-level targets with certificate IDs derived from the target path. Clients using the old certificate store APIs must migrate to the new request models.
Last updated on May 8, 2026