Create a Credential Profile

This guide walks you through creating a credential profile, which defines the default configuration for issuing a specific type of credential.

Prerequisites

Before creating a profile, ensure you have:

  1. Issuer2 Service – A running issuer2 service
  2. KMS Service – A key for signing credentials
  3. DID Service – A DID for the issuer (optional for some formats)

Create a Profile

CURL

Endpoint: POST /v2/{target}/issuer-service-api/credentials/profiles | API Reference

Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{target}/issuer-service-api/credentials/profiles' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "University Degree Profile",
  "credentialConfigurationId": "UniversityDegree_jwt_vc_json",
  "issuerKeyId": "waltid.tenant1.kms1.key1",
  "w3cVersion": "W3CV2",
  "issuerDid": "did:key:z6MkjoRhq1jSNJdLiruSXrFFxagqrztZaXHqHGUTKJbcNywp",
  "credentialData": {
    "@context": [
      "https://www.w3.org/ns/credentials/v2",
      "https://www.w3.org/ns/credentials/examples/v2"
    ],
    "type": [
      "VerifiableCredential",
      "UniversityDegree"
    ],
    "credentialSubject": {
      "degree": {
        "type": "BachelorDegree",
        "name": "Bachelor of Science and Arts"
      }
    }
  },
  "mapping": {
    "id": "<uuid>",
    "issuer": {
      "id": "<issuerDid>"
    },
    "credentialSubject": {
      "id": "<subjectDid>"
    },
    "validFrom": "<timestamp>",
    "validUntil": "<timestamp-in:365d>"
  }
}'

Body

{
  "name": "University Degree Profile",
  "credentialConfigurationId": "UniversityDegree_jwt_vc_json",
  "issuerKeyId": "waltid.tenant1.kms1.key1",
  "w3cVersion": "W3CV2",
  "issuerDid": "did:key:z6MkjoRhq1jSNJdLiruSXrFFxagqrztZaXHqHGUTKJbcNywp",
  "credentialData": {
    "@context": [
      "https://www.w3.org/ns/credentials/v2",
      "https://www.w3.org/ns/credentials/examples/v2"
    ],
    "type": [
      "VerifiableCredential",
      "UniversityDegree"
    ],
    "credentialSubject": {
      "degree": {
        "type": "BachelorDegree",
        "name": "Bachelor of Science and Arts"
      }
    }
  },
  "mapping": {
    "id": "<uuid>",
    "issuer": {
      "id": "<issuerDid>"
    },
    "credentialSubject": {
      "id": "<subjectDid>"
    },
    "validFrom": "<timestamp>",
    "validUntil": "<timestamp-in:365d>"
  }
}

Path Parameters

  • orgID – Your organization's Base URL. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
  • target – The resource identifier for the issuer2 service ({organizationID}.{tenantID}.{issuerServiceID}), e.g. waltid.tenant1.issuer1

Body Parameters

Required Parameters

  • name: String – A human-readable name for the profile
  • credentialConfigurationId: String – The credential configuration ID this profile issues. Must match a supported credential type configured in your issuer service.
  • issuerKeyId: resourceIdentifier – The key ID of a key stored in a KMS service under the same tenant. E.g. waltid.tenant1.kms1.key1
  • credentialData: JSON – The credential data template. Structure depends on the credential format.

Optional Parameters

  • issuerDid: String – The DID of the issuer. Required for W3C credentials, optional for SD-JWT VC and mDocs.
  • x5Chain: ArrayString – X.509 certificate chain for signing. Required for mDoc credentials.
  • mapping: JSON – Data mapping with data functions for dynamic value insertion at claim time.
  • idTokenClaimsMapping: Object – Maps claims from external IdP tokens to credential data fields using JSONPath. See ID Token Claims Mapping.
  • mDocNameSpacesDataMappingConfig: Object – Type conversion configuration for mDoc credentials. See mDoc Data Mapping.
  • credentialStatus: Object – Configuration for credential status (revocation/suspension). See Credential Status.
  • notifications: Object – Webhook notification settings. See Notifications.
  • w3cVersion: String - W3C data model version to use for the credential. Either W3CV1 for VCDM v1.1 or W3CV2 for v2.

The w3cVersion parameter controls the format of the issued credential. When set to W3CV2, the service automatically applies the correct VCDM v2 @context (https://www.w3.org/ns/credentials/v2) and uses validFrom/validUntil in place of issuanceDate/expirationDate, regardless of what is provided in credentialData.

Response

Success Response (201)

{
  "profileId": "waltid.tenant1.issuer1.profile-abc123",
  "name": "University Degree Profile",
  "status": "ACTIVE",
  "version": 1,
  "credentialConfigurationId": "UniversityDegree_jwt_vc_json",
  "issuerKeyId": "waltid.tenant1.kms1.key1",
  "issuerDid": "did:key:z6MkjoRhq1jSNJdLiruSXrFFxagqrztZaXHqHGUTKJbcNywp",
  "credentialData": { ... },
  "mapping": { ... },
  "createdAt": 1704067200000,
  "updatedAt": 1704067200000
}

Advanced Configuration

ID Token Claims Mapping

When using the authorization code flow with an external IdP, you can map claims from the ID token to credential data fields:

{
  "idTokenClaimsMapping": {
    "$.family_name": "$.credentialSubject.familyName",
    "$.given_name": "$.credentialSubject.givenName",
    "$.email": "$.credentialSubject.email"
  }
}

The keys are JSONPath expressions pointing to claims in the ID token, and the values are JSONPath expressions pointing to fields in the credential data.

mDoc Data Mapping

For mDoc/mDL credentials, you need to specify type conversions for CBOR encoding:

{
  "mDocNameSpacesDataMappingConfig": {
    "org.iso.18013.5.1": {
      "entriesConfigMap": {
        "birth_date": {
          "type": "string",
          "conversionType": "stringToFullDate"
        },
        "issue_date": {
          "type": "string",
          "conversionType": "stringToFullDate"
        },
        "expiry_date": {
          "type": "string",
          "conversionType": "stringToFullDate"
        },
        "portrait": {
          "type": "string",
          "conversionType": "base64StringToByteString"
        }
      }
    }
  }
}

Available Conversion Types:

Conversion TypeDescription
stringToFullDateConverts ISO date string (e.g., 2024-01-15) to CBOR full-date (tag 1004)
stringToTDateConverts ISO timestamp string to CBOR tdate (tag 0)
base64StringToByteStringConverts standard base64 encoded string to CBOR byte string
base64UrlStringToByteStringConverts base64url encoded string to CBOR byte string

Credential Status

Configure credential status for revocation/suspension support:

{
  "credentialStatus": {
    "statusCredentialConfig": "waltid.tenant1.credentialstatus.config1",
    "initialStatus": "0x0"
  }
}
  • statusCredentialConfig: resourceIdentifier – Reference to a credential status configuration in the Credential Status Service
  • initialStatus: String – Initial status value (e.g., "0x0" for valid)

Different credential formats support different status list types:

  • W3C JWT/SD-JWT: Bitstring Status List, StatusList2021
  • SD-JWT VC (IETF): Token Status List
  • mDoc: Token Status List

Example Profiles

SD-JWT VC Profile

{
  "name": "Identity Credential Profile",
  "credentialConfigurationId": "identity_credential_vc+sd-jwt",
  "issuerKeyId": "waltid.tenant1.kms1.key1",
  "credentialData": {
    "given_name": "John",
    "family_name": "Doe",
    "birthdate": "1990-01-15"
  },
  "mapping": {
    "iat": "<timestamp-seconds>",
    "exp": "<timestamp-in-seconds:365d>"
  }
}

mDoc Profile with X.509 Certificate

{
  "name": "Photo ID Profile",
  "credentialConfigurationId": "org.iso.23220.photoid.1",
  "issuerKeyId": "waltid.tenant1.kms1.key1",
  "x5Chain": [
    "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
  ],
  "credentialData": {
    "org.iso.23220.photoid.1": {
      "given_name_unicode": "John",
      "family_name_unicode": "Doe",
      "birth_date": "1990-01-15",
      "issuance_date": "2024-01-01",
      "expiry_date": "2029-01-01",
      "portrait": "base64-encoded-image-data"
    }
  },
  "mDocNameSpacesDataMappingConfig": {
    "org.iso.23220.photoid.1": {
      "entriesConfigMap": {
        "birth_date": {
          "type": "string",
          "conversionType": "stringToFullDate"
        },
        "issuance_date": {
          "type": "string",
          "conversionType": "stringToFullDate"
        },
        "expiry_date": {
          "type": "string",
          "conversionType": "stringToFullDate"
        },
        "portrait": {
          "type": "string",
          "conversionType": "base64StringToByteString"
        }
      }
    }
  }
}

Profile with Notifications

{
  "name": "Notified Credential Profile",
  "credentialConfigurationId": "UniversityDegree_jwt_vc_json",
  "issuerKeyId": "waltid.tenant1.kms1.key1",
  "issuerDid": "did:key:z6MkjoRhq1jSNJdLiruSXrFFxagqrztZaXHqHGUTKJbcNywp",
  "credentialData": { ... },
  "notifications": {
    "webhook": {
      "url": "https://your-server.com/webhook/issuance",
      "bearerToken": "your-secret-token"
    }
  }
}

Next Steps

Last updated on May 6, 2026
OverviewManage Credential Profiles