Setup
This guide walks you through setting up an Issuer2 service inside a tenant. If you don't have a tenant yet, you can learn how to create one here.
Prerequisites
Before creating an Issuer2 service, ensure you have:
- Tenant – An existing tenant in your organization
- KMS Service – A Key Management Service for storing signing keys
- Token Key – A key in the KMS for signing access tokens
Create an Issuer2 Service
CURL
Endpoint: /v1/{target}/resource-api/services/create | API Reference
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "issuer2",
"baseUrl": "https://myorg.enterprise-sandbox.waltid.dev",
"kms": "waltid.tenant1.kms1",
"tokenKeyId": "waltid.tenant1.kms1.tokenKey",
"supportedCredentialTypes": {
"identity_credential_vc+sd-jwt": {
"format": "vc+sd-jwt",
"vct": "https://example.com/credentials/identity_credential",
"cryptographic_binding_methods_supported": ["jwk"],
"credential_signing_alg_values_supported": ["ES256"],
"sdJwtVcTypeMetadata": {
"name": "Identity Credential",
"description": "A verifiable identity credential",
"vct": "https://example.com/credentials/identity_credential"
}
},
"UniversityDegree_jwt_vc_json": {
"format": "jwt_vc_json",
"cryptographic_binding_methods_supported": ["did"],
"credential_signing_alg_values_supported": ["ES256"],
"credential_definition": {
"type": ["VerifiableCredential", "UniversityDegree"]
}
}
},
"displayConfigurations": [
{
"name": "My Organization Issuer",
"locale": "en-US",
"logo": {
"uri": "https://example.com/logo.png",
"alt_text": "Organization logo"
}
}
]
}'
Body
{
"type": "issuer2",
"baseUrl": "https://myorg.enterprise-sandbox.waltid.dev",
"kms": "waltid.tenant1.kms1",
"tokenKeyId": "waltid.tenant1.kms1.tokenKey",
"supportedCredentialTypes": {
"identity_credential_vc+sd-jwt": {
"format": "vc+sd-jwt",
"vct": "https://example.com/credentials/identity_credential",
"cryptographic_binding_methods_supported": ["jwk"],
"credential_signing_alg_values_supported": ["ES256"],
"sdJwtVcTypeMetadata": {
"name": "Identity Credential",
"description": "A verifiable identity credential",
"vct": "https://example.com/credentials/identity_credential"
}
},
"UniversityDegree_jwt_vc_json": {
"format": "jwt_vc_json",
"cryptographic_binding_methods_supported": ["did"],
"credential_signing_alg_values_supported": ["ES256"],
"credential_definition": {
"type": ["VerifiableCredential", "UniversityDegree"]
}
}
},
"displayConfigurations": [
{
"name": "My Organization Issuer",
"locale": "en-US",
"logo": {
"uri": "https://example.com/logo.png",
"alt_text": "Organization logo"
}
}
]
}
Path Parameters
orgID– Your organization's Base URL. For example, if your organization is namedtest, your default Base URL will betest.enterprise-sandbox.walt.devwhen using the sandbox environment.target– The resource identifier for the new issuer service ({organizationID}.{tenantID}.{newIssuerServiceID}), e.g.waltid.tenant1.issuer1
Body Parameters
Required Parameters
type: String – Must beissuer2for the Issuer2 ServicebaseUrl: String – The public URL where the issuer service will be accessible. This URL is included in credential offers and OpenID metadata. Format:https://{orgID}.yourEnterpriseStackUrl.comkms: resourceIdentifier – Reference to a KMS service in the same tenant. E.g.waltid.tenant1.kms1tokenKeyId: resourceIdentifier – Reference to a key in the KMS used for signing access tokens. E.g.waltid.tenant1.kms1.tokenKeysupportedCredentialTypes: Object – Map of credential configurations the issuer supports. See Credential Types Configuration for details.
Optional Parameters
displayConfigurations: Array – List of display metadata objects for different locales. See Display Configuration for details.
Response
Success Response (201)
{
"id": "waltid.tenant1.issuer1",
"type": "issuer2",
"baseUrl": "https://myorg.enterprise-sandbox.waltid.dev",
"kms": "waltid.tenant1.kms1",
"tokenKeyId": "waltid.tenant1.kms1.tokenKey",
"supportedCredentialTypes": { ... },
"displayConfigurations": [ ... ]
}
Response Codes
201– Service created successfully400– Invalid request body409– Service with this ID already exists
Credential Type Examples
SD-JWT VC
{
"identity_credential_vc+sd-jwt": {
"format": "vc+sd-jwt",
"vct": "https://example.com/credentials/identity_credential",
"cryptographic_binding_methods_supported": ["jwk"],
"credential_signing_alg_values_supported": ["ES256"],
"sdJwtVcTypeMetadata": {
"name": "Identity Credential",
"description": "A verifiable identity credential",
"vct": "https://example.com/credentials/identity_credential"
}
}
}
W3C JWT
{
"UniversityDegree_jwt_vc_json": {
"format": "jwt_vc_json",
"cryptographic_binding_methods_supported": ["did"],
"credential_signing_alg_values_supported": ["ES256", "EdDSA"],
"credential_definition": {
"type": ["VerifiableCredential", "UniversityDegree"]
}
}
}
mDoc (ISO 18013-5)
{
"org.iso.18013.5.1.mDL": {
"format": "mso_mdoc",
"doctype": "org.iso.18013.5.1.mDL",
"cryptographic_binding_methods_supported": ["cose_key"],
"credential_signing_alg_values_supported": ["ES256"]
}
}
Display Configuration
Configure how your issuer appears in wallet applications:
{
"displayConfigurations": [
{
"name": "My Organization",
"locale": "en-US",
"logo": {
"uri": "https://example.com/logo.png",
"alt_text": "Organization logo"
}
},
{
"name": "Meine Organisation",
"locale": "de-DE",
"logo": {
"uri": "https://example.com/logo.png",
"alt_text": "Organisationslogo"
}
}
]
}
Next Steps
After creating your Issuer2 service:
- Create Credential Profiles – Define reusable configurations for each credential type
- Create Credential Offers – Issue credentials to users
- Configure Display Metadata – Customize how your issuer appears in wallets
Last updated on April 8, 2026