Setup

We will setup an Issuer service inside of a tenant. If you don't have a tenant yet, you can learn how to create one here.

CURL

Endpoint: /v1/{target}/resource-api/services/create | API Reference

Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "type": "issuer",
  "baseUrl": "http://waltid.enterprise.localhost:3000",
  "kms": "waltid.tenant1.kms1",
  "tokenKeyId": "waltid.tenant1.kms1.key1",
  "supportedCredentialTypes": {
    "identity_credential_vc+sd-jwt": {
      "format": "vc+sd-jwt",
      "vct": "{vctBaseURL}/identity_credential",
      "cryptographic_binding_methods_supported": [
        "jwk"
      ],
      "credential_signing_alg_values_supported": [
        "ES256"
      ],
      "sdJwtVcTypeMetadata": {
        "name": "Identity Credential",
        "description": "The Identity Verifiable Credential",
        "vct": "{vctBaseURL}/identity_credential"
      }
    },
    "OpenBadgeCredential_jwt_vc_json": {
      "format": "jwt_vc_json",
      "cryptographic_binding_methods_supported": [
        "did"
      ],
      "credential_signing_alg_values_supported": [
        "ES256"
      ],
      "credential_definition": {
        "type": [
          "VerifiableCredential",
          "OpenBadgeCredential"
        ]
      }
    }
  },
  "displayConfigurations": [
    {
      "name": "walt.id Enterprise Issuer Service",
      "locale": "en-US",
      "logo": {
        "uri": "http://cdn.walt.id/issuer/logo.png",
        "alt_text": "logo specific text goes here"
      }
    }
  ]
}'

Body

{
  "type": "issuer",
  "baseUrl": "http://waltid.enterprise.localhost:3000",
  "kms": "waltid.tenant1.kms1",
  "tokenKeyId": "waltid.tenant1.kms1.key1",
  "supportedCredentialTypes": {
    "identity_credential_vc+sd-jwt": {
      "format": "vc+sd-jwt",
      "vct": "{vctBaseURL}/identity_credential",
      "cryptographic_binding_methods_supported": [
        "jwk"
      ],
      "credential_signing_alg_values_supported": [
        "ES256"
      ],
      "sdJwtVcTypeMetadata": {
        "name": "Identity Credential",
        "description": "The Identity Verifiable Credential",
        "vct": "{vctBaseURL}/identity_credential"
      }
    },
    "OpenBadgeCredential_jwt_vc_json": {
      "format": "jwt_vc_json",
      "cryptographic_binding_methods_supported": [
        "did"
      ],
      "credential_signing_alg_values_supported": [
        "ES256"
      ],
      "credential_definition": {
        "type": [
          "VerifiableCredential",
          "OpenBadgeCredential"
        ]
      }
    }
  },
  "displayConfigurations": [
    {
      "name": "walt.id Enterprise Issuer Service",
      "locale": "en-US",
      "logo": {
        "uri": "http://cdn.walt.id/issuer/logo.png",
        "alt_text": "logo specific text goes here"
      }
    }
  ]
}

Path Parameters

  • orgID: - When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
  • target: resourceIdentifier - The target indicates the organization + tenant in which to create the new Issuer service and the service's ID ({organizationID}.{tenantID}.[NewIssuerServiceID]), e.g. waltid.tenant1.issuer1

Body Parameters

  • type: serviceType - Specifies the type of service to create. In our case issuer
  • baseUrl: String - This URL will be included in the generated OIDC4VC offer, allowing the wallet to know how to reach the issuer. It should reflect your organization's base URL. The general format for this URL is https://{orgID}.yourEnterpriseStackUrl.com. For example, if your organization is named myorg and the Enterprise Stack is hosted at the domain enterprise-stack.com, your base URL would be: https://myorg.enterprise-stack.com.
  • kms: - resourceIdentifier - A KMS service you want to connect with the to be created Issuer service. It should be setup under the same tenant.
  • tokenKeyId: - resourceIdentifier - A key in the connected KMS service used to sign the access token, which is used to get the credential from the credential endpoint
  • supportedCredentialTypes: Object - A map of credentials the issuer supports. This list will be used to generate the issuer metadata. This list of supported credentials can be updated also after the initial setup. For detailed configuration options for each credential type (W3C JWT, SD-JWT VC, ISO mDocs), see Credential Types Configuration.
  • displayConfigurations (optional) - an optional list of objects, where each object contains specific display information for different languages. Including the local option is not mandatory; you can simply provide one object if localization is not required. For detailed information about display configuration properties and examples, see Issuer Display Configuration.

Response Codes

  • 201 - Service created successfully.
Last updated on December 12, 2025
OverviewIssuer Service