Setup

This guide walks you through setting up a Client Attestation Service inside a tenant. If you don't have a tenant yet, you can learn how to create one here.

Prerequisites

Before creating a Client Attestation Service, ensure you have:

  1. Tenant – An existing tenant in your organization
  2. KMS Service – A Key Management Service for storing the attestation signing key
  3. Signing Key – A key in the KMS that will be used to sign attestation JWTs

Create a Signing Key

First, create or import a key in your KMS that will be used to sign attestation JWTs. The key should use an algorithm suitable for JWT signing (e.g., ES256, EdDSA). The example request below generates a secp256r1 (P-256) key, the curve used by ES256.

CURL

Endpoint: /v1/{target}/kms-api/keys/generate | API Reference

Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/kms-api/keys/generate' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "backend": "jwk",
  "keyType": "secp256r1"
}'

Path Parameters

  • orgID – Your organization's Base URL
  • target – The KMS service target with the new key ID ({organizationID}.{tenantID}.{kmsID}.{newKeyID}), e.g. waltid.tenant1.kms1.attester-signing-key

Create the Client Attestation Service

CURL

Endpoint: /v1/{target}/resource-api/services/create | API Reference

Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "type": "client-attester",
  "signingKeyId": "waltid.tenant1.kms1.attester-signing-key",
  "attestationValiditySeconds": 86400
}'

Body

{
  "type": "client-attester",
  "signingKeyId": "waltid.tenant1.kms1.attester-signing-key",
  "attestationValiditySeconds": 86400
}

Path Parameters

  • orgID – Your organization's Base URL. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
  • target – The resource identifier for the new client attester service ({organizationID}.{tenantID}.{newClientAttesterServiceID}), e.g. waltid.tenant1.client-attester1

Body Parameters

  • type: String – Must be client-attester for the Client Attestation Service
  • signingKeyId: resourceIdentifier – Reference to a key in the KMS used for signing attestation JWTs. E.g. waltid.tenant1.kms1.attester-signing-key
  • attestationValiditySeconds: Long – (Optional) How long attestation JWTs remain valid, in seconds. Default: 86400 (24 hours)

Response Codes

  • 201 – Service created successfully
  • 400 – Invalid request body
  • 409 – Service with this ID already exists

After creating the Client Attestation Service, link it to the KMS service that contains the signing key.

CURL

Endpoint: /v1/{target}/resource-api/dependencies/add | API Reference

Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/dependencies/add' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: text/plain' \
  -d 'waltid.tenant1.kms1'

Path Parameters

  • orgID – Your organization's Base URL
  • target – The client attester service target ({organizationID}.{tenantID}.{clientAttesterServiceID}), e.g. waltid.tenant1.client-attester1

Body

The resource identifier of the KMS service to link, e.g. waltid.tenant1.kms1


Response Codes

  • 201 – Dependency added successfully

Configuration Options

Parameter                   Type    Default   Description
signingKeyId                String  Required  Reference to the KMS key used for signing attestation JWTs
attestationValiditySeconds  Long    86400     How long attestation JWTs remain valid (in seconds)
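
The three requests above share one identifier scheme, and the KMS to link is the signing key's ID without its last segment. The script below is an added example, not walt.id's own tooling: it validates the identifiers and the validity period, then prints the three requests (apply_setup sends them). The segment character set, treating any 2xx as success and skipping on 409 are assumptions of this example.

```sh
# Added example, not walt.id code. Host pattern and sample IDs come from the
# page's curl requests; the [A-Za-z0-9_-] segment charset is an assumption.

# Number of dot-separated segments; 0 if one is empty or has other characters.
seg_count() (
  case $1 in ''|.*|*.|*..*|*[!A-Za-z0-9._-]*) echo 0; exit ;; esac
  IFS=.; set -f; set -- $1; echo $#
)

# {org}.{tenant}.{kms}.{key} -> {org}.{tenant}.{kms}, the dependency to link.
kms_of_key() {
  [ "$(seg_count "$1")" -eq 4 ] || return 1
  printf '%s\n' "${1%.*}"
}

# One line per request: URL <TAB> Content-Type <TAB> body.
plan_setup() {  # args: orgID key_id service_id validity_seconds
  [ "$(seg_count "$1")" -eq 1 ] || { echo "bad orgID" >&2; return 1; }
  kms=$(kms_of_key "$2") || { echo "key id: want org.tenant.kms.key" >&2; return 1; }
  [ "$(seg_count "$3")" -eq 3 ] || { echo "service id: want org.tenant.service" >&2; return 1; }
  case $4 in ''|0*|*[!0-9]*) echo "validity: want positive integer" >&2; return 1 ;; esac
  base="https://$1.enterprise-sandbox.waltid.dev/v1"
  printf '%s\t%s\t%s\n' \
    "$base/$2/kms-api/keys/generate" application/json \
    '{"backend":"jwk","keyType":"secp256r1"}' \
    "$base/$3/resource-api/services/create" application/json \
    "{\"type\":\"client-attester\",\"signingKeyId\":\"$2\",\"attestationValiditySeconds\":$4}" \
    "$base/$3/resource-api/dependencies/add" text/plain "$kms"
}

# Example's rule: any 2xx is success; 409 on services/create means it exists.
check_status() {  # args: url http_code
  case $2 in
    2??) return 0 ;;
    409) case $1 in */services/create) return 0 ;; esac ;;
  esac
  echo "$1 -> HTTP $2" >&2; return 1
}

# Send the plan (needs TOKEN in the environment); stops at the first failure.
apply_setup() {
  plan=$(plan_setup "$@") || return 1
  printf '%s\n' "$plan" | while IFS=$(printf '\t') read -r url ctype body; do
    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$url" \
      -H "Authorization: Bearer $TOKEN" -H "Content-Type: $ctype" -d "$body")
    check_status "$url" "$code" || exit 1
  done
}

plan_setup waltid waltid.tenant1.kms1.attester-signing-key waltid.tenant1.client-attester1 86400
```

Review the printed plan first, then call apply_setup with the same four arguments to send it.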

Next Steps

After creating your Client Attestation Service:

  1. Configure Wallet Integration – Set up wallets to obtain attestations
  2. Configure Issuer Integration – Configure issuers to require attestation verification
Last updated on May 8, 2026