Create a Credential Profile
This guide walks you through creating a credential profile, which defines the default configuration for issuing a specific type of credential.
Prerequisites
Before creating a profile, ensure you have:
- Issuer2 Service – A running issuer2 service
- KMS Service – A key for signing credentials
- DID Service – A DID for the issuer (optional for some formats)
Create a Profile
CURL
Endpoint: POST /v2/{target}/issuer-service-api/credentials/profiles | API Reference
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{target}/issuer-service-api/credentials/profiles' \
-H 'accept: application/json' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"name": "University Degree Profile",
"credentialConfigurationId": "UniversityDegree_jwt_vc_json",
"issuerKeyId": "waltid.tenant1.kms1.key1",
"issuerDid": "did:key:z6MkjoRhq1jSNJdLiruSXrFFxagqrztZaXHqHGUTKJbcNywp",
"credentialData": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://www.w3.org/2018/credentials/examples/v1"
],
"type": [
"VerifiableCredential",
"UniversityDegree"
],
"credentialSubject": {
"degree": {
"type": "BachelorDegree",
"name": "Bachelor of Science and Arts"
}
}
},
"mapping": {
"id": "<uuid>",
"issuer": {
"id": "<issuerDid>"
},
"credentialSubject": {
"id": "<subjectDid>"
},
"issuanceDate": "<timestamp>",
"expirationDate": "<timestamp-in:365d>"
}
}'
Body
{
"name": "University Degree Profile",
"credentialConfigurationId": "UniversityDegree_jwt_vc_json",
"issuerKeyId": "waltid.tenant1.kms1.key1",
"issuerDid": "did:key:z6MkjoRhq1jSNJdLiruSXrFFxagqrztZaXHqHGUTKJbcNywp",
"credentialData": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://www.w3.org/2018/credentials/examples/v1"
],
"type": [
"VerifiableCredential",
"UniversityDegree"
],
"credentialSubject": {
"degree": {
"type": "BachelorDegree",
"name": "Bachelor of Science and Arts"
}
}
},
"mapping": {
"id": "<uuid>",
"issuer": {
"id": "<issuerDid>"
},
"credentialSubject": {
"id": "<subjectDid>"
},
"issuanceDate": "<timestamp>",
"expirationDate": "<timestamp-in:365d>"
}
}
Path Parameters
orgID– Your organization's Base URL. For example, if your organization is namedtest, your default Base URL will betest.enterprise-sandbox.walt.devwhen using the sandbox environment.target– The resource identifier for the issuer2 service ({organizationID}.{tenantID}.{issuerServiceID}), e.g.waltid.tenant1.issuer1
Body Parameters
Required Parameters
name: String – A human-readable name for the profilecredentialConfigurationId: String – The credential configuration ID this profile issues. Must match a supported credential type configured in your issuer service.issuerKeyId: resourceIdentifier – The key ID of a key stored in a KMS service under the same tenant. E.g.waltid.tenant1.kms1.key1credentialData: JSON – The credential data template. Structure depends on the credential format.
Optional Parameters
issuerDid: String – The DID of the issuer. Required for W3C credentials, optional for SD-JWT VC and mDocs.x5Chain: ArrayString – X.509 certificate chain for signing. Required for mDoc credentials.mapping: JSON – Data mapping with data functions for dynamic value insertion at claim time.idTokenClaimsMapping: Object – Maps claims from external IdP tokens to credential data fields using JSONPath. See ID Token Claims Mapping.mDocNameSpacesDataMappingConfig: Object – Type conversion configuration for mDoc credentials. See mDoc Data Mapping.credentialStatus: Object – Configuration for credential status (revocation/suspension). See Credential Status.notifications: Object – Webhook notification settings. See Notifications.
Response
Success Response (201)
{
"profileId": "waltid.tenant1.issuer1.profile-abc123",
"name": "University Degree Profile",
"status": "ACTIVE",
"version": 1,
"credentialConfigurationId": "UniversityDegree_jwt_vc_json",
"issuerKeyId": "waltid.tenant1.kms1.key1",
"issuerDid": "did:key:z6MkjoRhq1jSNJdLiruSXrFFxagqrztZaXHqHGUTKJbcNywp",
"credentialData": { ... },
"mapping": { ... },
"createdAt": 1704067200000,
"updatedAt": 1704067200000
}
Advanced Configuration
ID Token Claims Mapping
When using the authorization code flow with an external IdP, you can map claims from the ID token to credential data fields:
{
"idTokenClaimsMapping": {
"$.family_name": "$.credentialSubject.familyName",
"$.given_name": "$.credentialSubject.givenName",
"$.email": "$.credentialSubject.email"
}
}
The keys are JSONPath expressions pointing to claims in the ID token, and the values are JSONPath expressions pointing to fields in the credential data.
mDoc Data Mapping
For mDoc/mDL credentials, you need to specify type conversions for CBOR encoding:
{
"mDocNameSpacesDataMappingConfig": {
"org.iso.18013.5.1": {
"entriesConfigMap": {
"birth_date": {
"type": "string",
"conversionType": "stringToFullDate"
},
"issue_date": {
"type": "string",
"conversionType": "stringToFullDate"
},
"expiry_date": {
"type": "string",
"conversionType": "stringToFullDate"
},
"portrait": {
"type": "string",
"conversionType": "base64StringToByteString"
}
}
}
}
}
Available Conversion Types:
| Conversion Type | Description |
|---|---|
stringToFullDate | Converts ISO date string (e.g., 2024-01-15) to CBOR full-date (tag 1004) |
stringToTDate | Converts ISO timestamp string to CBOR tdate (tag 0) |
base64StringToByteString | Converts standard base64 encoded string to CBOR byte string |
base64UrlStringToByteString | Converts base64url encoded string to CBOR byte string |
Credential Status
Configure credential status for revocation/suspension support:
{
"credentialStatus": {
"statusCredentialConfig": "waltid.tenant1.credentialstatus.config1",
"initialStatus": "0x0"
}
}
statusCredentialConfig: resourceIdentifier – Reference to a credential status configuration in the Credential Status ServiceinitialStatus: String – Initial status value (e.g.,"0x0"for valid)
Different credential formats support different status list types:
- W3C JWT/SD-JWT: Bitstring Status List, StatusList2021
- SD-JWT VC (IETF): Token Status List
- mDoc: Token Status List
Example Profiles
SD-JWT VC Profile
{
"name": "Identity Credential Profile",
"credentialConfigurationId": "identity_credential_vc+sd-jwt",
"issuerKeyId": "waltid.tenant1.kms1.key1",
"credentialData": {
"given_name": "John",
"family_name": "Doe",
"birthdate": "1990-01-15"
},
"mapping": {
"iat": "<timestamp-seconds>",
"exp": "<timestamp-in-seconds:365d>"
}
}
mDoc Profile with X.509 Certificate
{
"name": "Photo ID Profile",
"credentialConfigurationId": "org.iso.23220.photoid.1",
"issuerKeyId": "waltid.tenant1.kms1.key1",
"x5Chain": [
"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
],
"credentialData": {
"org.iso.23220.photoid.1": {
"given_name_unicode": "John",
"family_name_unicode": "Doe",
"birth_date": "1990-01-15",
"issuance_date": "2024-01-01",
"expiry_date": "2029-01-01",
"portrait": "base64-encoded-image-data"
}
},
"mDocNameSpacesDataMappingConfig": {
"org.iso.23220.photoid.1": {
"entriesConfigMap": {
"birth_date": {
"type": "string",
"conversionType": "stringToFullDate"
},
"issuance_date": {
"type": "string",
"conversionType": "stringToFullDate"
},
"expiry_date": {
"type": "string",
"conversionType": "stringToFullDate"
},
"portrait": {
"type": "string",
"conversionType": "base64StringToByteString"
}
}
}
}
}
Profile with Notifications
{
"name": "Notified Credential Profile",
"credentialConfigurationId": "UniversityDegree_jwt_vc_json",
"issuerKeyId": "waltid.tenant1.kms1.key1",
"issuerDid": "did:key:z6MkjoRhq1jSNJdLiruSXrFFxagqrztZaXHqHGUTKJbcNywp",
"credentialData": { ... },
"notifications": {
"webhook": {
"url": "https://your-server.com/webhook/issuance",
"bearerToken": "your-secret-token"
}
}
}
Next Steps
- Manage Profiles – View, update, and deactivate profiles
- Create Credential Offers – Use your profile to create credential offers
Last updated on April 8, 2026