Overview

The Issuer2 Service is walt.id's enterprise solution for creating, signing and distributing verifiable digital credentials based on various formats and standards. It implements the OpenID4VCI 1.0 specification and introduces a profile-based architecture for streamlined credential issuance.

Supported Standards

Credential Formats: SD-JWT VC (IETF), W3C VC (v1.1+, v2.0), ISO 18013-5 mDL
Credential Exchange: OID4VCI (v1.0)
Credential Status: StatusList2021, Bitstring Status List, Token Status List
Signing Algorithms: ed25519, secp256k1, secp256r1, RSA

Core Features

Profile-Based Issuance

The Issuer2 Service introduces a profile-based architecture that simplifies credential issuance:

  • Credential Profiles – Define reusable configurations for each credential type, including issuer keys, credential data templates, status configuration, and notification settings.
  • Credential Offers – Create offers from profiles with runtime overrides, supporting both pre-authorized and authorization code flows.

Credential Exchange

The Issuer Service supports credential exchange protocols based on:

  • OID4VCI v1.0: Flows such as Pre-Authorized Code Flow (with or without PIN/Transaction Code) and Authorization Code Flow (with ID Token, VP Token, username/password login or integration with external authorization servers like Keycloak).
  • mDoc Issuance: Remote issuance of mobile Driver's Licenses (mDL) and other ISO 18013-5 credentials via OID4VCI.

Credential Data Collection

Flexible data collection options allow populating credentials before or after an offer has been created:

  • Before Credential Offer Creation – Provide all subject data upfront when creating the profile or offer.
  • After Credential Offer Creation & Before Credential Signing – Enrich credentials dynamically using data functions such as webhooks or timestamps.
  • During User Authentication – When using the authorization code flow, the subject can authenticate against an external IdP and the retrieved claims are mapped to credential fields via idTokenClaimsMapping.

Credential Branding

Credential appearance in wallets can be defined via:

  • Issuer Metadata – Branding per credential type (background color, text color, logo, description).
  • Embedded in Credential – Include branding directly in the issued credential for case-specific styling.

Credential Status & Lifecycle

  • Built-in status management through the Credential Status Service, supporting StatusList2021, Bitstring Status List, and Token Status List.
  • Different credential formats have different status type compatibility:
    • W3C JWT/SD-JWT: Bitstring Status List, StatusList2021
    • SD-JWT VC (IETF): Token Status List
    • mDoc: Token Status List
  • Configure credential status at the profile level or override per offer.
  • Credentials can include expiration and "valid from" dates.

Keys & DIDs

  • Issuer Keys – Store and manage keys via the KMS Service. The KMS Service can use external KMS providers (e.g. Azure Key Vault, AWS KMS, OCI, Hashicorp Vault, ...) or store the keys in the Enterprise Stack database (only recommended for non-production use cases).
  • DIDs – Create and store DIDs via the DID Service and the DID Registry.
  • X.509 Certificates – Support for X.509 certificate chains (x5Chain) for mDL and other certificate-based credentials.

Notifications

  • Webhook-based notification system for real-time updates on issuance events.
  • Configure notifications at the profile level or override per offer.
  • Supports bearer token authentication for secure webhook delivery.

Session Data Retention & Auto-Purge

  • Issuance sessions can contain personally identifiable information (PII) such as offer payloads, subject data, and interaction logs. Enable the optional data-retention job to define a maximum issuer-session age, purge schedule, and safety guardrails so expired sessions are removed automatically.
  • Find out more about the Data Retention configuration options where you can set maxIssuerSessionAge, cron schedule, dry-run behavior, and deletion limits to meet your compliance requirements.
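To make those guardrails concrete, here is an added illustrative model of such a purge job. It is not walt.id's implementation; the names purge_expired_sessions, IssuerSession, PurgeReport and the sample store are assumptions. Sessions older than the configured maximum age are removed oldest first, a dry run only counts, and a per-run deletion limit bounds the blast radius of a misconfigured age.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class IssuerSession:
    session_id: str
    created_at: datetime
    subject_data: dict  # offer payload / subject claims: where PII accumulates


@dataclass
class PurgeReport:
    expired: int    # sessions older than the retention window
    deleted: int    # sessions actually removed (always 0 in dry-run)
    remaining: int  # sessions still in the store after this run


def purge_expired_sessions(store: dict, max_age: timedelta, deletion_limit: int,
                           dry_run: bool, now: datetime) -> PurgeReport:
    """Delete sessions whose age exceeds max_age, oldest first.
    Guardrails: dry_run reports what would go without touching the store;
    deletion_limit caps removals per run, so a mistyped max_age cannot wipe
    every session in one pass."""
    cutoff = now - max_age
    expired = sorted((s for s in store.values() if s.created_at < cutoff),
                     key=lambda s: s.created_at)
    if dry_run:
        return PurgeReport(len(expired), 0, len(store))
    batch = expired[:deletion_limit]
    for session in batch:
        del store[session.session_id]
    return PurgeReport(len(expired), len(batch), len(store))


# Constructed sample data: a fixed clock and three sessions aged 1, 10 and 40 days.
NOW = datetime(2026, 4, 8, tzinfo=timezone.utc)


def sample_store() -> dict:
    return {f"sess-{i}": IssuerSession(f"sess-{i}", NOW - timedelta(days=age),
                                       {"given_name": "Alice"})
            for i, age in enumerate((1, 10, 40))}


def demo(dry_run: bool, deletion_limit: int) -> PurgeReport:
    """One job run against a fresh sample store with a 7-day retention window."""
    return purge_expired_sessions(sample_store(), timedelta(days=7),
                                  deletion_limit, dry_run, NOW)
```

With a 7-day window, two of the three sample sessions are expired: a dry run reports them and deletes nothing, a limit of 1 removes only the 40-day-old session, and a generous limit removes both.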

Real-Time Session Events

  • Server-Sent Events (SSE) endpoint for monitoring issuance session progress in real time.
  • Events include: credential offer resolution, token requests, and credential issuance.

Getting Started

Last updated on April 8, 2026