Setup

This guide walks you through setting up an Issuer2 service inside a tenant. If you don't have a tenant yet, you can learn how to create one here.

Prerequisites

Before creating an Issuer2 service, ensure you have:

  1. Tenant – An existing tenant in your organization
  2. KMS Service – A Key Management Service for storing signing keys
  3. Token Key – A key in the KMS for signing access tokens

Create an Issuer2 Service

CURL

Endpoint: /v1/{target}/resource-api/services/create | API Reference

Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "type": "issuer2",
  "baseUrl": "https://myorg.enterprise-sandbox.waltid.dev",
  "kms": "waltid.tenant1.kms1",
  "tokenKeyId": "waltid.tenant1.kms1.tokenKey",
  "supportedCredentialTypes": {
    "identity_credential_vc+sd-jwt": {
      "format": "vc+sd-jwt",
      "vct": "https://example.com/credentials/identity_credential",
      "cryptographic_binding_methods_supported": ["jwk"],
      "credential_signing_alg_values_supported": ["ES256"],
      "sdJwtVcTypeMetadata": {
        "name": "Identity Credential",
        "description": "A verifiable identity credential",
        "vct": "https://example.com/credentials/identity_credential"
      }
    },
    "UniversityDegree_jwt_vc_json": {
      "format": "jwt_vc_json",
      "cryptographic_binding_methods_supported": ["did"],
      "credential_signing_alg_values_supported": ["ES256"],
      "credential_definition": {
        "type": ["VerifiableCredential", "UniversityDegree"]
      }
    }
  },
  "displayConfigurations": [
    {
      "name": "My Organization Issuer",
      "locale": "en-US",
      "logo": {
        "uri": "https://example.com/logo.png",
        "alt_text": "Organization logo"
      }
    }
  ]
}'

Body

{
  "type": "issuer2",
  "baseUrl": "https://myorg.enterprise-sandbox.waltid.dev",
  "kms": "waltid.tenant1.kms1",
  "tokenKeyId": "waltid.tenant1.kms1.tokenKey",
  "supportedCredentialTypes": {
    "identity_credential_vc+sd-jwt": {
      "format": "vc+sd-jwt",
      "vct": "https://example.com/credentials/identity_credential",
      "cryptographic_binding_methods_supported": ["jwk"],
      "credential_signing_alg_values_supported": ["ES256"],
      "sdJwtVcTypeMetadata": {
        "name": "Identity Credential",
        "description": "A verifiable identity credential",
        "vct": "https://example.com/credentials/identity_credential"
      }
    },
    "UniversityDegree_jwt_vc_json": {
      "format": "jwt_vc_json",
      "cryptographic_binding_methods_supported": ["did"],
      "credential_signing_alg_values_supported": ["ES256"],
      "credential_definition": {
        "type": ["VerifiableCredential", "UniversityDegree"]
      }
    }
  },
  "displayConfigurations": [
    {
      "name": "My Organization Issuer",
      "locale": "en-US",
      "logo": {
        "uri": "https://example.com/logo.png",
        "alt_text": "Organization logo"
      }
    }
  ]
}

Path Parameters

  • orgID – Your organization's Base URL. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
  • target – The resource identifier for the new issuer service ({organizationID}.{tenantID}.{newIssuerServiceID}), e.g. waltid.tenant1.issuer1

Body Parameters

Required Parameters

  • type: String – Must be issuer2 for the Issuer2 Service
  • baseUrl: String – The public URL where the issuer service will be accessible. This URL is included in credential offers and OpenID metadata. Format: https://{orgID}.yourEnterpriseStackUrl.com
  • kms: resourceIdentifier – Reference to a KMS service in the same tenant. E.g. waltid.tenant1.kms1
  • tokenKeyId: resourceIdentifier – Reference to a key in the KMS used for signing access tokens. E.g. waltid.tenant1.kms1.tokenKey
  • supportedCredentialTypes: Object – Map of credential configurations the issuer supports. See Credential Types Configuration for details.

Optional Parameters

  • displayConfigurations: Array – List of display metadata objects for different locales. See Display Configuration for details.
  • clientAuthenticationConfig: Object – Declares which client authentication methods the issuer supports (for example anonymous pre-authorized code access and/or attestation-based wallet authentication). When a client-attestation method is included, token requests must include valid OAuth-Client-Attestation and OAuth-Client-Attestation-PoP headers. See Client Attestation — Issuer Integration for JSON shape, examples, and how this maps to authorization server metadata.

Omit clientAuthenticationConfig entirely, or set supportedMethods to an empty list, to keep the previous issuer2 behavior where this layer does not enforce client authentication. Use supportedMethods with only preauth-anonymous when you want OID4VCI pre-authorized token requests without client_id but no wallet attestation.
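The checks below are an added example, not part of the walt.id documentation or code base: a pre-flight lint for the create request body that applies the parameter rules above (kms in the same tenant as target, tokenKeyId inside that KMS) and flags a clientAuthenticationConfig that leaves client authentication unenforced. The function name, the finding strings, the https requirement and the per-format field map (taken from this page's credential type examples) are assumptions.

```python
from urllib.parse import urlparse

# Field each format carries in this page's credential type examples (assumed required).
FORMAT_FIELD = {"vc+sd-jwt": "vct", "jwt_vc_json": "credential_definition", "mso_mdoc": "doctype"}
REQUIRED = ("type", "baseUrl", "kms", "tokenKeyId", "supportedCredentialTypes")

def lint_issuer2_request(target, body):
    """Hypothetical helper: findings for a body sent to .../services/create."""
    out = [f"missing required parameter: {k}" for k in REQUIRED if k not in body]
    if out:
        return out
    if body["type"] != "issuer2":
        out.append("type must be issuer2")
    url = urlparse(body["baseUrl"])
    if url.scheme != "https" or not url.hostname:
        out.append("baseUrl must be an absolute https URL")
    # target is {organizationID}.{tenantID}.{newIssuerServiceID}
    if target.count(".") != 2:
        out.append("target is not organization.tenant.service")
    elif not body["kms"].startswith(target.rsplit(".", 1)[0] + "."):
        out.append("kms is not in the same tenant as target")
    if not body["tokenKeyId"].startswith(body["kms"] + "."):
        out.append("tokenKeyId is not a key of the referenced kms")
    for cfg_id, cfg in body["supportedCredentialTypes"].items():
        field = FORMAT_FIELD.get(cfg.get("format"))
        if field is None:
            out.append(f"{cfg_id}: format not among this page's examples")
        elif field not in cfg:
            out.append(f"{cfg_id}: {cfg['format']} entry has no {field}")
        if not cfg.get("credential_signing_alg_values_supported"):
            out.append(f"{cfg_id}: no signing algorithm listed")
    methods = (body.get("clientAuthenticationConfig") or {}).get("supportedMethods") or []
    if not methods:
        out.append("client authentication is not enforced")
    elif set(methods) == {"preauth-anonymous"}:
        out.append("anonymous pre-authorized access only, no wallet attestation")
    return out

# Constructed sample: KMS in another tenant, key outside it, no vct, no client auth config.
SAMPLE = {
    "type": "issuer2", "baseUrl": "https://myorg.enterprise-sandbox.waltid.dev",
    "kms": "waltid.tenant2.kms1", "tokenKeyId": "waltid.tenant1.kms1.tokenKey",
    "supportedCredentialTypes": {"identity_credential_vc+sd-jwt": {
        "format": "vc+sd-jwt", "credential_signing_alg_values_supported": ["ES256"]}},
}

if __name__ == "__main__":
    for finding in lint_issuer2_request("waltid.tenant1.issuer1", SAMPLE):
        print("-", finding)
```

Run against the example body from this page with target waltid.tenant1.issuer1, the only finding is the missing clientAuthenticationConfig, which is the previous issuer2 behavior described above.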


Response

Success Response (201)

{
  "id": "waltid.tenant1.issuer1",
  "type": "issuer2",
  "baseUrl": "https://myorg.enterprise-sandbox.waltid.dev",
  "kms": "waltid.tenant1.kms1",
  "tokenKeyId": "waltid.tenant1.kms1.tokenKey",
  "supportedCredentialTypes": { ... },
  "displayConfigurations": [ ... ]
}

Response Codes

  • 201 – Service created successfully
  • 400 – Invalid request body
  • 409 – Service with this ID already exists

Credential Type Examples

SD-JWT VC

{
  "identity_credential_vc+sd-jwt": {
    "format": "vc+sd-jwt",
    "vct": "https://example.com/credentials/identity_credential",
    "cryptographic_binding_methods_supported": ["jwk"],
    "credential_signing_alg_values_supported": ["ES256"],
    "sdJwtVcTypeMetadata": {
      "name": "Identity Credential",
      "description": "A verifiable identity credential",
      "vct": "https://example.com/credentials/identity_credential"
    }
  }
}

W3C JWT

{
  "UniversityDegree_jwt_vc_json": {
    "format": "jwt_vc_json",
    "cryptographic_binding_methods_supported": ["did"],
    "credential_signing_alg_values_supported": ["ES256", "EdDSA"],
    "credential_definition": {
      "type": ["VerifiableCredential", "UniversityDegree"]
    }
  }
}

mDoc (ISO 18013-5)

{
  "org.iso.18013.5.1.mDL": {
    "format": "mso_mdoc",
    "doctype": "org.iso.18013.5.1.mDL",
    "cryptographic_binding_methods_supported": ["cose_key"],
    "credential_signing_alg_values_supported": ["ES256"]
  }
}

Display Configuration

Configure how your issuer appears in wallet applications:

{
  "displayConfigurations": [
    {
      "name": "My Organization",
      "locale": "en-US",
      "logo": {
        "uri": "https://example.com/logo.png",
        "alt_text": "Organization logo"
      }
    },
    {
      "name": "Meine Organisation",
      "locale": "de-DE",
      "logo": {
        "uri": "https://example.com/logo.png",
        "alt_text": "Organisationslogo"
      }
    }
  ]
}

Next Steps

After creating your Issuer2 service:

  1. Create Credential Profiles – Define reusable configurations for each credential type
  2. Create Credential Offers – Issue credentials to users
  3. Configure Display Metadata – Customize how your issuer appears in wallets

Last updated on May 15, 2026