Credential Types Configuration
The Issuer2 Service supports multiple credential formats. This guide explains how to configure the supported credential types for your issuer service.
Supported Formats
| Format | Configuration Key | Description |
|---|---|---|
| SD-JWT VC | dc+sd-jwt | IETF SD-JWT Verifiable Credentials |
| W3C JWT | jwt_vc_json | W3C Verifiable Credentials with JWT signature |
| mDoc | mso_mdoc | ISO 18013-5 Mobile Documents |
Credential Configuration Structure
Credential types are configured in the credentialConfigurations object when creating or updating your issuer service.
Common Properties
All credential configurations share these common properties:
| Property | Required | Description |
|---|---|---|
| format | Yes | The credential format (dc+sd-jwt, jwt_vc_json, mso_mdoc) |
| scope | No | OAuth scope for requesting this credential type |
| cryptographic_binding_methods_supported | No | Supported key binding methods |
| credential_signing_alg_values_supported | No | Supported signing algorithms |
| proof_types_supported | No | Supported proof types for key binding |
| credential_metadata | No | Metadata including claims and display information |
| display | No | Credential display configuration for wallets |
When cryptographic_binding_methods_supported is set, proof_types_supported must also be provided, and vice versa.
SD-JWT VC Configuration
SD-JWT VC (Selective Disclosure JWT Verifiable Credentials) is the recommended format for privacy-preserving credentials.
Basic Configuration
{
  "identity_credential": {
    "format": "dc+sd-jwt",
    "vct": "https://example.com/credentials/identity_credential",
    "scope": "identity_credential",
    "cryptographic_binding_methods_supported": ["jwk"],
    "credential_signing_alg_values_supported": ["ES256"],
    "proof_types_supported": {
      "jwt": {
        "proof_signing_alg_values_supported": ["ES256"]
      }
    }
  }
}
With Claims Metadata
Claims metadata describes the claims that may be included in the credential. This is used by wallets to display information about the credential to users.
{
  "identity_credential": {
    "format": "dc+sd-jwt",
    "vct": "https://example.com/credentials/identity_credential",
    "scope": "identity_credential",
    "cryptographic_binding_methods_supported": ["jwk"],
    "credential_signing_alg_values_supported": ["ES256"],
    "proof_types_supported": {
      "jwt": {
        "proof_signing_alg_values_supported": ["ES256"]
      }
    },
    "credential_metadata": {
      "display": [
        {
          "name": "Identity Credential",
          "locale": "en",
          "description": "A verifiable identity credential"
        }
      ],
      "claims": [
        {
          "path": ["given_name"],
          "mandatory": true,
          "display": [{ "name": "First Name", "locale": "en" }]
        },
        {
          "path": ["family_name"],
          "mandatory": true,
          "display": [{ "name": "Last Name", "locale": "en" }]
        },
        {
          "path": ["birthdate"],
          "mandatory": false,
          "display": [{ "name": "Date of Birth", "locale": "en" }]
        },
        {
          "path": ["address", "street_address"],
          "mandatory": false,
          "display": [{ "name": "Street Address", "locale": "en" }]
        },
        {
          "path": ["address", "locality"],
          "mandatory": false,
          "display": [{ "name": "City", "locale": "en" }]
        }
      ]
    },
    "display": [
      {
        "name": "Identity Credential",
        "locale": "en",
        "description": "Your verified identity",
        "background_color": "#12107c",
        "text_color": "#FFFFFF",
        "logo": {
          "uri": "https://example.com/logo.png",
          "alt_text": "Issuer Logo"
        }
      }
    ]
  }
}
SD-JWT VC Specific Properties:
| Property | Required | Description |
|---|---|---|
| vct | Yes | Verifiable Credential Type URL - uniquely identifies the credential type |
For SD-JWT VC, the path in claims is an array representing the JSON path to the claim. For nested claims like address.street_address, use ["address", "street_address"].
W3C JWT Configuration
W3C JWT credentials follow the W3C Verifiable Credentials Data Model with JWT encoding.
Basic Configuration
{
  "UniversityDegree_jwt_vc_json": {
    "format": "jwt_vc_json",
    "cryptographic_binding_methods_supported": ["did"],
    "credential_signing_alg_values_supported": ["ES256", "EdDSA"],
    "proof_types_supported": {
      "jwt": {
        "proof_signing_alg_values_supported": ["ES256", "EdDSA"]
      }
    },
    "credential_definition": {
      "type": ["VerifiableCredential", "UniversityDegree"]
    }
  }
}
With Claims Metadata
{
  "UniversityDegree_jwt_vc_json": {
    "format": "jwt_vc_json",
    "scope": "university_degree",
    "cryptographic_binding_methods_supported": ["did"],
    "credential_signing_alg_values_supported": ["ES256", "EdDSA"],
    "proof_types_supported": {
      "jwt": {
        "proof_signing_alg_values_supported": ["ES256", "EdDSA"]
      }
    },
    "credential_definition": {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://www.w3.org/2018/credentials/examples/v1"
      ],
      "type": ["VerifiableCredential", "UniversityDegree"]
    },
    "credential_metadata": {
      "display": [
        {
          "name": "University Degree",
          "locale": "en",
          "description": "A verified university degree credential"
        }
      ],
      "claims": [
        {
          "path": ["credentialSubject", "degree", "type"],
          "mandatory": true,
          "display": [{ "name": "Degree Type", "locale": "en" }]
        },
        {
          "path": ["credentialSubject", "degree", "name"],
          "mandatory": true,
          "display": [{ "name": "Degree Name", "locale": "en" }]
        },
        {
          "path": ["credentialSubject", "givenName"],
          "mandatory": true,
          "display": [{ "name": "First Name", "locale": "en" }]
        },
        {
          "path": ["credentialSubject", "familyName"],
          "mandatory": true,
          "display": [{ "name": "Last Name", "locale": "en" }]
        },
        {
          "path": ["credentialSubject", "alumniOf", "name"],
          "mandatory": true,
          "display": [{ "name": "University Name", "locale": "en" }]
        }
      ]
    },
    "display": [
      {
        "name": "University Degree",
        "locale": "en",
        "description": "Official university degree certificate",
        "background_color": "#1a365d",
        "text_color": "#FFFFFF",
        "logo": {
          "uri": "https://university.example.com/logo.png",
          "alt_text": "University Logo"
        }
      }
    ]
  }
}
W3C JWT Specific Properties:
| Property | Required | Description |
|---|---|---|
| credential_definition.type | Yes | Array of credential types (must include VerifiableCredential) |
| credential_definition.@context | No | JSON-LD context URLs |
For W3C JWT credentials, the path in claims follows the credential structure. Claims in credentialSubject use paths like ["credentialSubject", "givenName"].
mDoc Configuration
mDoc (Mobile Document) credentials follow the ISO 18013-5 standard, commonly used for mobile driving licenses.
Basic Configuration
{
  "org.iso.18013.5.1.mDL": {
    "format": "mso_mdoc",
    "doctype": "org.iso.18013.5.1.mDL",
    "cryptographic_binding_methods_supported": ["cose_key"],
    "credential_signing_alg_values_supported": ["ES256"],
    "proof_types_supported": {
      "jwt": {
        "proof_signing_alg_values_supported": ["ES256"]
      }
    }
  }
}
With Claims Metadata
For mDoc credentials, claims are organized by namespace. The path array includes the namespace as the first element.
{
  "org.iso.18013.5.1.mDL": {
    "format": "mso_mdoc",
    "doctype": "org.iso.18013.5.1.mDL",
    "scope": "mdl_credential",
    "cryptographic_binding_methods_supported": ["cose_key"],
    "credential_signing_alg_values_supported": ["ES256"],
    "proof_types_supported": {
      "jwt": {
        "proof_signing_alg_values_supported": ["ES256"]
      }
    },
    "credential_metadata": {
      "display": [
        {
          "name": "Mobile Driving License",
          "locale": "en",
          "description": "ISO 18013-5 compliant mobile driving license"
        }
      ],
      "claims": [
        {
          "path": ["org.iso.18013.5.1", "family_name"],
          "mandatory": true,
          "display": [{ "name": "Family Name", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "given_name"],
          "mandatory": true,
          "display": [{ "name": "Given Name", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "birth_date"],
          "mandatory": true,
          "display": [{ "name": "Date of Birth", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "issue_date"],
          "mandatory": true,
          "display": [{ "name": "Issue Date", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "expiry_date"],
          "mandatory": true,
          "display": [{ "name": "Expiry Date", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "issuing_country"],
          "mandatory": true,
          "display": [{ "name": "Issuing Country", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "issuing_authority"],
          "mandatory": true,
          "display": [{ "name": "Issuing Authority", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "document_number"],
          "mandatory": true,
          "display": [{ "name": "Document Number", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "portrait"],
          "mandatory": false,
          "display": [{ "name": "Portrait", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "driving_privileges"],
          "mandatory": true,
          "display": [{ "name": "Driving Privileges", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "age_over_18"],
          "mandatory": false,
          "display": [{ "name": "Age Over 18", "locale": "en" }]
        },
        {
          "path": ["org.iso.18013.5.1", "age_over_21"],
          "mandatory": false,
          "display": [{ "name": "Age Over 21", "locale": "en" }]
        }
      ]
    },
    "display": [
      {
        "name": "Mobile Driving License",
        "locale": "en",
        "description": "Your digital driving license",
        "background_color": "#003366",
        "text_color": "#FFFFFF",
        "logo": {
          "uri": "https://dmv.example.com/logo.png",
          "alt_text": "DMV Logo"
        }
      }
    ]
  }
}
Custom mDoc Document Type
For custom mDoc document types (not mDL), use your own namespace:
{
  "com.example.accesscard": {
    "format": "mso_mdoc",
    "doctype": "com.example.accesscard",
    "scope": "access_card",
    "cryptographic_binding_methods_supported": ["cose_key"],
    "credential_signing_alg_values_supported": ["ES256"],
    "proof_types_supported": {
      "jwt": {
        "proof_signing_alg_values_supported": ["ES256"]
      }
    },
    "credential_metadata": {
      "display": [
        {
          "name": "Access Card",
          "locale": "en",
          "description": "Employee access card credential"
        }
      ],
      "claims": [
        {
          "path": ["com.example.accesscard", "employee_id"],
          "mandatory": true,
          "display": [{ "name": "Employee ID", "locale": "en" }]
        },
        {
          "path": ["com.example.accesscard", "given_name"],
          "mandatory": true,
          "display": [{ "name": "First Name", "locale": "en" }]
        },
        {
          "path": ["com.example.accesscard", "family_name"],
          "mandatory": true,
          "display": [{ "name": "Last Name", "locale": "en" }]
        },
        {
          "path": ["com.example.accesscard", "department"],
          "mandatory": false,
          "display": [{ "name": "Department", "locale": "en" }]
        },
        {
          "path": ["com.example.accesscard", "access_level"],
          "mandatory": true,
          "display": [{ "name": "Access Level", "locale": "en" }]
        },
        {
          "path": ["com.example.accesscard", "issue_date"],
          "mandatory": true,
          "display": [{ "name": "Issue Date", "locale": "en" }]
        },
        {
          "path": ["com.example.accesscard", "expiry_date"],
          "mandatory": true,
          "display": [{ "name": "Expiry Date", "locale": "en" }]
        }
      ]
    },
    "display": [
      {
        "name": "Access Card",
        "locale": "en",
        "description": "Your employee access card",
        "background_color": "#2d3748",
        "text_color": "#FFFFFF"
      }
    ]
  }
}
mDoc Specific Properties:
| Property | Required | Description |
|---|---|---|
| doctype | Yes | The mDoc document type identifier |
For mDoc credentials, the path array must include the namespace as the first element, followed by the claim name. For example: ["org.iso.18013.5.1", "family_name"] or ["com.example.accesscard", "employee_id"].
Claims Metadata
The credential_metadata.claims array describes the claims that may be included in the credential. This metadata is used by wallets to display information about the credential to users before and after issuance.
Claim Description Structure
| Property | Required | Description |
|---|---|---|
| path | Yes | Array of strings representing the path to the claim |
| mandatory | No | Whether the claim is required (true) or optional (false) |
| display | No | Array of display objects for localized claim names |
Path Format by Credential Type
| Format | Path Example | Description |
|---|---|---|
| SD-JWT VC | ["given_name"] | Direct claim name |
| SD-JWT VC | ["address", "city"] | Nested claim |
| W3C JWT | ["credentialSubject", "name"] | Path from credential root |
| mDoc | ["namespace", "claim_name"] | Namespace + claim name |
Claims metadata is optional per the OpenID4VCI specification. It's primarily used for wallet display purposes and does not affect the actual credential content.
Credential Display Configuration
The display array configures how the credential appears in wallets.
Display Properties
| Property | Required | Description |
|---|---|---|
| name | Yes | Display name of the credential |
| locale | No | Language locale (e.g., en, de, fr) |
| description | No | Description of the credential |
| background_color | No | Background color in hex format (e.g., #12107c) |
| text_color | No | Text color in hex format (e.g., #FFFFFF) |
| logo | No | Logo configuration object |
| background_image | No | Background image configuration |
Logo Configuration
{
  "logo": {
    "uri": "https://example.com/logo.png",
    "alt_text": "Organization Logo"
  }
}
Background Image Configuration
{
  "background_image": {
    "uri": "https://example.com/background.png"
  }
}
Multi-Language Display
{
  "display": [
    {
      "name": "Identity Credential",
      "locale": "en",
      "description": "Your verified identity"
    },
    {
      "name": "Identitätsnachweis",
      "locale": "de",
      "description": "Ihr verifizierter Identitätsnachweis"
    },
    {
      "name": "Justificatif d'identité",
      "locale": "fr",
      "description": "Votre identité vérifiée"
    }
  ]
}
Proof Types Configuration
The proof_types_supported object defines how the wallet proves possession of the key bound to the credential.
JWT Proof Type
{
  "proof_types_supported": {
    "jwt": {
      "proof_signing_alg_values_supported": ["ES256", "EdDSA"]
    }
  }
}
Credential Configuration ID
The key used for each credential type in credentialConfigurations becomes the credentialConfigurationId. This ID is used when:
- Creating credential profiles
- Referencing credentials in the OpenID4VCI metadata
- Requesting specific credential types
Naming Convention:
{credentialType}_{format}
Examples:
- UniversityDegree_jwt_vc_json
- identity_credential (for SD-JWT VC)
- org.iso.18013.5.1.mDL (for mDoc)
Complete Example
Here's a complete example of an issuer service configuration with multiple credential types:
{
  "type": "issuer2",
  "baseUrl": "https://myorg.enterprise-sandbox.waltid.dev",
  "kms": "waltid.tenant1.kms1",
  "tokenKeyId": "waltid.tenant1.kms1.tokenKey",
  "credentialConfigurations": {
    "identity_credential": {
      "format": "dc+sd-jwt",
      "vct": "https://myorg.example.com/credentials/identity",
      "scope": "identity_credential",
      "cryptographic_binding_methods_supported": ["jwk"],
      "credential_signing_alg_values_supported": ["ES256"],
      "proof_types_supported": {
        "jwt": {
          "proof_signing_alg_values_supported": ["ES256"]
        }
      },
      "credential_metadata": {
        "claims": [
          {
            "path": ["given_name"],
            "mandatory": true,
            "display": [{ "name": "First Name", "locale": "en" }]
          },
          {
            "path": ["family_name"],
            "mandatory": true,
            "display": [{ "name": "Last Name", "locale": "en" }]
          }
        ]
      },
      "display": [
        {
          "name": "Identity Credential",
          "locale": "en",
          "background_color": "#12107c",
          "text_color": "#FFFFFF"
        }
      ]
    },
    "UniversityDegree_jwt_vc_json": {
      "format": "jwt_vc_json",
      "scope": "university_degree",
      "cryptographic_binding_methods_supported": ["did"],
      "credential_signing_alg_values_supported": ["ES256", "EdDSA"],
      "proof_types_supported": {
        "jwt": {
          "proof_signing_alg_values_supported": ["ES256", "EdDSA"]
        }
      },
      "credential_definition": {
        "type": ["VerifiableCredential", "UniversityDegree"]
      },
      "credential_metadata": {
        "claims": [
          {
            "path": ["credentialSubject", "degree", "name"],
            "mandatory": true,
            "display": [{ "name": "Degree Name", "locale": "en" }]
          }
        ]
      },
      "display": [
        {
          "name": "University Degree",
          "locale": "en",
          "background_color": "#1a365d",
          "text_color": "#FFFFFF"
        }
      ]
    },
    "org.iso.18013.5.1.mDL": {
      "format": "mso_mdoc",
      "doctype": "org.iso.18013.5.1.mDL",
      "scope": "mdl_credential",
      "cryptographic_binding_methods_supported": ["cose_key"],
      "credential_signing_alg_values_supported": ["ES256"],
      "proof_types_supported": {
        "jwt": {
          "proof_signing_alg_values_supported": ["ES256"]
        }
      },
      "credential_metadata": {
        "claims": [
          {
            "path": ["org.iso.18013.5.1", "family_name"],
            "mandatory": true,
            "display": [{ "name": "Family Name", "locale": "en" }]
          },
          {
            "path": ["org.iso.18013.5.1", "given_name"],
            "mandatory": true,
            "display": [{ "name": "Given Name", "locale": "en" }]
          }
        ]
      },
      "display": [
        {
          "name": "Mobile Driving License",
          "locale": "en",
          "background_color": "#003366",
          "text_color": "#FFFFFF"
        }
      ]
    }
  },
  "issuerDisplayConfiguration": [
    {
      "name": "My Organization",
      "locale": "en"
    }
  ]
}
Signing Algorithms
The following signing algorithms are supported:
| Algorithm | Key Type | Format | Description |
|---|---|---|---|
| ES256 | P-256 (secp256r1) | JWT, mDoc | ECDSA with SHA-256 |
| ES384 | P-384 | JWT | ECDSA with SHA-384 |
| ES512 | P-521 | JWT | ECDSA with SHA-512 |
| EdDSA | Ed25519 | JWT | Edwards-curve Digital Signature Algorithm |
| RS256 | RSA | JWT | RSASSA-PKCS1-v1_5 with SHA-256 |
| PS256 | RSA | JWT | RSASSA-PSS with SHA-256 |
For mDoc credentials, use COSE algorithm identifiers. ES256 maps to COSE algorithm -7.
Binding Methods
| Method | Description | Use Case |
|---|---|---|
| did | DID-based binding | W3C credentials with DID subjects |
| jwk | JWK-based binding | SD-JWT VC with key binding |
| cose_key | COSE key binding | mDoc credentials |
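The rules stated on this page (the three format values, the property each format requires, the pairing of cryptographic_binding_methods_supported with proof_types_supported, the algorithms listed per format, and the mDoc path shape) can be checked before a credentialConfigurations object is submitted. The following is an added example, not part of the Issuer2 Service: the function name lint_credential_configurations and the sample entries are hypothetical, and reading "JWT" in the Signing Algorithms table as covering both dc+sd-jwt and jwt_vc_json is an assumption.

```python
REQUIRED_BY_FORMAT = {"dc+sd-jwt": "vct", "jwt_vc_json": "credential_definition", "mso_mdoc": "doctype"}
JWT_ALGS = {"ES256", "ES384", "ES512", "EdDSA", "RS256", "PS256"}
# Assumption: "JWT" in the Signing Algorithms table covers both JWT-based formats.
ALGS_BY_FORMAT = {"dc+sd-jwt": JWT_ALGS, "jwt_vc_json": JWT_ALGS, "mso_mdoc": {"ES256"}}
BINDING, PROOFS = "cryptographic_binding_methods_supported", "proof_types_supported"


def lint_credential_configurations(configs):
    """Hypothetical helper: return 'config_id: problem' strings (empty list = no rule broken)."""
    problems = []
    for cid, cfg in configs.items():
        fmt = cfg.get("format")
        if fmt not in REQUIRED_BY_FORMAT:
            problems.append(f"{cid}: unsupported format {fmt!r}")
            continue
        found, required = [], REQUIRED_BY_FORMAT[fmt]
        if required not in cfg:
            found.append(f"{fmt} requires {required}")
        elif fmt == "jwt_vc_json" and "VerifiableCredential" not in cfg[required].get("type", []):
            found.append("credential_definition.type must include VerifiableCredential")
        if (BINDING in cfg) != (PROOFS in cfg):  # the page requires both or neither
            found.append(f"{BINDING} and {PROOFS} must be set together")
        for alg in cfg.get("credential_signing_alg_values_supported", []):
            if alg not in ALGS_BY_FORMAT[fmt]:
                found.append(f"signing algorithm {alg} is not listed for {fmt}")
        for claim in cfg.get("credential_metadata", {}).get("claims", []):
            path = claim.get("path")
            if not isinstance(path, list) or not path:
                found.append("claim entry without a path array")
            elif fmt == "mso_mdoc" and len(path) < 2:
                found.append(f"mDoc claim path {path} must be [namespace, claim_name]")
        if any("name" not in entry for entry in cfg.get("display", [])):
            found.append("display entry without a name")
        problems += [f"{cid}: {msg}" for msg in found]
    return problems


# Constructed sample: one valid SD-JWT VC entry and two entries that break the rules.
SAMPLE = {
    "identity_credential": {"format": "dc+sd-jwt", "vct": "https://example.com/credentials/identity_credential",
                            BINDING: ["jwk"], PROOFS: {"jwt": {"proof_signing_alg_values_supported": ["ES256"]}}},
    "org.iso.18013.5.1.mDL": {"format": "mso_mdoc", "doctype": "org.iso.18013.5.1.mDL", BINDING: ["cose_key"],
                              "credential_signing_alg_values_supported": ["EdDSA"],
                              "credential_metadata": {"claims": [{"path": ["family_name"]}]}},
    "UniversityDegree_jwt_vc_json": {"format": "jwt_vc_json",
                                     "credential_definition": {"type": ["UniversityDegree"]}},
}

if __name__ == "__main__":
    print("\n".join(lint_credential_configurations(SAMPLE)))
```

On the constructed sample the mDoc entry is reported three times (binding methods without proof types, an algorithm not listed for mDoc, a claim path without a namespace) and the W3C JWT entry once.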
Next Steps
- Create a Profile – Create profiles for your credential types
- Display Configuration – Configure issuer branding
