#Status List Aggregation

The Issuer2 Service provides a status list aggregation feature that allows verifiers and wallets to discover and cache all status lists used by an issuer. This enables efficient offline verification of credential status.

This is based on the mechanism described in the TokenStatusList standard.

#Overview

When credentials are issued with status (revocation/suspension), the status information is stored in status list credentials. The status list aggregation endpoint provides a single location where verifiers can discover all status lists used by an issuer, making it easier to:

• Pre-fetch status lists for offline verification
• Cache status lists to reduce network requests during verification
• Monitor status lists for changes

#Discovery via Authorization Server Metadata

The status list aggregation endpoint is advertised in the OAuth 2.0 Authorization Server Metadata, which is available at the standard well-known endpoint:

GET /.well-known/oauth-authorization-server/v2/openid4vci

#Example Response

{
  "issuer": "https://myorg.enterprise-sandbox.waltid.dev/v2/waltid.tenant1.issuer1/issuer-service-api/openid4vci",
  "authorization_endpoint": "https://myorg.enterprise-sandbox.waltid.dev/v2/waltid.tenant1.issuer1/issuer-service-api/openid4vci/authorize",
  "token_endpoint": "https://myorg.enterprise-sandbox.waltid.dev/v2/waltid.tenant1.issuer1/issuer-service-api/openid4vci/token",
  "jwks_uri": "https://myorg.enterprise-sandbox.waltid.dev/v2/waltid.tenant1.issuer1/issuer-service-api/openid4vci/jwks",
  "status_list_aggregation_endpoint": "https://myorg.enterprise-sandbox.waltid.dev/v2/waltid.tenant1.issuer1/issuer-service-api/openid4vci/status-list-aggregation",
  "code_challenge_methods_supported": ["S256"]
}

The status_list_aggregation_endpoint field contains the URL where verifiers can fetch the list of all status list URLs.

#Status List Aggregation Endpoint

The aggregation endpoint returns a JSON array of URLs pointing to all status list credentials used by the issuer.

curl -X 'GET' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{target}/issuer-service-api/openid4vci/status-list-aggregation' \
  -H 'accept: application/json'

[
  "https://myorg.enterprise-sandbox.waltid.dev/v1/waltid.tenant1.credentialstatus/credential-status-api/status-list/revocation-config",
  "https://myorg.enterprise-sandbox.waltid.dev/v1/waltid.tenant1.credentialstatus/credential-status-api/status-list/suspension-config"
]

#Response Format

The response is a JSON array of strings, where each string is a URL to a status list credential. The URLs are:

• Sorted alphabetically for consistent ordering
• Deduplicated – each unique status list URL appears only once
• Filtered – only includes status lists from active credential profiles for SD-JWT VC and mDoc formats

#How Status Lists Are Aggregated

The aggregation endpoint collects status list URLs by:

1. Listing active credential profiles – Only profiles with ACTIVE status are included
2. Filtering by format – Only SD-JWT VC (vc+sd-jwt) and mDoc (mso_mdoc) profiles are included (W3C JWT credentials use different status mechanisms)
3. Extracting status configurations – Each profile's credentialStatus configuration is examined
4. Resolving URLs – The status credential configuration references are resolved to their public URLs
5. Deduplicating – Multiple profiles may reference the same status list; duplicates are removed

#Limitations

• TokenStatusList only – The aggregation endpoint only supports TokenStatusList
• Active profiles only – Status lists from deactivated profiles are not included
• No change notifications – The endpoint must be polled; there's no push notification mechanism

#Related Documentation

• Credential Profiles – Configure credential status in profiles
• Credential Status Service – Manage status lists