Azure Key Vault

Azure Key Vault is a cloud service for securely storing and managing cryptographic keys, secrets, and certificates. It provides a secure and reliable way to protect sensitive information and control access to keys used by cloud applications and services.

Prerequisites

Setup

  1. Create an Azure AD (Microsoft Entra ID) application registration that will access the Key Vault. Note down the Application (client) ID and Directory (tenant) ID.
  2. Create a client secret for the application. Note down the Client Secret; Azure shows its value only once, so store it in a secrets manager rather than in source control or a plain config file.
  3. Assign permissions to the application on the Key Vault. Grant the Key permissions and Secret permissions the application actually needs, and nothing more: key generation and signing rely on key permissions (typically create, get and sign), so do not grant delete, purge or broad secret access unless the issuer requires them. If the vault uses Azure RBAC instead of access policies, assign the equivalent key role to the application.
  4. Get the Key Vault URL (of the form https://<vault-name>.vault.azure.net/). Note it down from the Azure portal.
  5. Configure the issuer API to use the Azure Key Vault. Provide the Key Vault URL, Application ID, Tenant ID, and Client Secret in the issuer API configuration. These values, including the client secret, are sent to the API in the request body, so send them only over TLS and with a valid bearer token.
  6. Generate a key in the Key Vault. Use the issuer API to generate a key in the Azure Key Vault; signing then happens inside the vault and the private key material is not returned to the caller.
  7. Sign and issue credentials using the key stored in the Azure Key Vault.

Key Generation


Endpoint: POST /v1/{target}/kms-service-api/keys/generate (see the API Reference)

Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/kms-service-api/keys/generate' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "backend": "azure",
  "keyType": "secp256r1",
  "config": {
    "auth": {
      "clientId": "your-client-id",
      "clientSecret": "your-client-secret",
      "tenantId": "your-tenant-id",
      "keyVaultUrl": "https://your-key-vault-name.vault.azure.net/"
    }
  }
}'

Body

{
  "backend": "azure",
  "keyType": "secp256r1",
  "config": {
    "auth": {
      "clientId": "your-client-id",
      "clientSecret": "your-client-secret",
      "tenantId": "your-tenant-id",
      "keyVaultUrl": "https://your-key-vault-name.vault.azure.net/"
    }
  }
}

Body Parameters

  • backend: String - Specifies where the key is stored and who manages it. It can be jwk (managed by you), azure (managed by Azure Key Vault and accessed through its REST API) and others; the other backends are documented separately.
  • keyType: String - The algorithm or curve of the key to generate. For the azure backend this must be a key type Azure Key Vault supports, such as secp256r1 as in the example; Azure Key Vault does not offer ed25519 keys.
  • config
    • auth
      • keyVaultUrl: String - The URL of the Azure Key Vault, e.g. https://your-key-vault-name.vault.azure.net/.
      • clientId: String - The Application (client) ID of the Azure AD application.
      • tenantId: String - The Directory (tenant) ID of the Azure AD application.
      • clientSecret: String - The client secret of the Azure AD application. It is transmitted in the request body, so treat it as a credential: keep it out of logs and shell history, and rotate it when the people or systems that held it change.
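The setup steps above and the key generation request can be carried out end to end from a shell. The script below is an added example and is not part of the walt.id documentation or product: it provisions the Azure side with the Azure CLI (resource group, vault, app registration, client secret, a least-privilege access policy) and then calls the keys/generate endpoint with the resulting values. The resource names, the "demo" target, the environment variable names (ORG_ID, TOKEN, RG, LOCATION, KV, APP_NAME) and the choice of key permissions are assumptions; {orgID} and the bearer token come from your walt.id tenant.

```shell
#!/bin/sh
# Added example, not walt.id code: provision Azure Key Vault access and register
# a key through the kms-service-api. Names and variables are assumptions.
set -eu

# Azure Key Vault's DNS suffix is fixed, so the vault URL follows from its name.
vault_url() {
  printf 'https://%s.vault.azure.net/\n' "$1"
}

# Build the POST body for /v1/{target}/kms-service-api/keys/generate.
# Arguments: keyType clientId clientSecret tenantId keyVaultUrl
# Azure GUIDs and client secrets contain no '"' or '\', so plain substitution
# is JSON-safe here; do not reuse this builder for untrusted strings.
generate_key_body() {
  printf '{"backend":"azure","keyType":"%s","config":{"auth":{"clientId":"%s","clientSecret":"%s","tenantId":"%s","keyVaultUrl":"%s"}}}' \
    "$1" "$2" "$3" "$4" "$5"
}

# Least privilege (assumed set): generating and signing need key permissions
# only; no secret or certificate permissions are granted.
KEY_PERMISSIONS="create get sign verify"

# Creates the vault and the app registration and exports
# CLIENT_ID CLIENT_SECRET TENANT_ID KEY_VAULT_URL for register_key.
provision_azure() {
  RG=${RG:-rg-waltid-demo}
  LOCATION=${LOCATION:-westeurope}
  KV=${KV:-kv-waltid-$(date +%s)}        # vault names are globally unique, max 24 chars
  APP_NAME=${APP_NAME:-waltid-kms-demo}

  az group create --name "$RG" --location "$LOCATION" --output none
  # Access-policy model so that set-policy below applies; with Azure RBAC you
  # would assign a key role (e.g. Key Vault Crypto Officer) instead.
  az keyvault create --name "$KV" --resource-group "$RG" --location "$LOCATION" \
    --enable-rbac-authorization false --output none

  CLIENT_ID=$(az ad app create --display-name "$APP_NAME" --query appId --output tsv)
  az ad sp create --id "$CLIENT_ID" --output none
  # The secret is printed exactly once by Azure; capture it, never echo it.
  CLIENT_SECRET=$(az ad app credential reset --id "$CLIENT_ID" --query password --output tsv)
  TENANT_ID=$(az account show --query tenantId --output tsv)

  # shellcheck disable=SC2086  # word splitting of KEY_PERMISSIONS is intended
  az keyvault set-policy --name "$KV" --spn "$CLIENT_ID" \
    --key-permissions $KEY_PERMISSIONS --output none

  KEY_VAULT_URL=$(vault_url "$KV")
  export CLIENT_ID CLIENT_SECRET TENANT_ID KEY_VAULT_URL
}

# Send the key generation request. The body carries the client secret, so it is
# piped to curl on stdin (--data @-) instead of being placed on the command
# line, where it would end up in shell history and process listings.
register_key() {
  ORG_ID=${ORG_ID:?set ORG_ID to your walt.id org id}
  TOKEN=${TOKEN:?set TOKEN to a walt.id bearer token}
  TARGET=${TARGET:-demo}
  generate_key_body secp256r1 "$CLIENT_ID" "$CLIENT_SECRET" "$TENANT_ID" "$KEY_VAULT_URL" |
    curl --fail --silent --show-error -X POST \
      "https://${ORG_ID}.enterprise-sandbox.waltid.dev/v1/${TARGET}/kms-service-api/keys/generate" \
      -H 'accept: */*' \
      -H "Authorization: Bearer ${TOKEN}" \
      -H 'Content-Type: application/json' \
      --data @-
}

# The live steps run only when invoked as:  ORG_ID=... TOKEN=... sh azure-kv-setup.sh run
if [ "${1:-}" = "run" ]; then
  provision_azure
  register_key
fi
```

Run it once per environment; afterwards the exported CLIENT_SECRET is the only copy of the secret outside Azure, so pass it to the issuer configuration through your secrets manager and drop it from the shell session. If service principal creation fails right after the app registration, Azure AD replication is usually the cause; re-running the `az ad sp create` step a few seconds later resolves it.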
Last updated on August 19, 2025