Trust Resolution

Directly query trust status against the loaded trust sources. Use these endpoints to resolve whether a certificate, certificate fingerprint, or provider ID is trusted — for example, when debugging trust decisions, building custom integrations, or calling the Trust Registry from outside the standard Verifier2 flow.

Resolve by Certificate

Check whether a certificate is trusted by looking it up across all loaded trust sources. Accepts PEM or base64-encoded DER format.

CURL

Endpoint: POST /v1/{target}/trust-registry-api/resolve/certificate

Example Request
curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{trustRegistryTarget}/trust-registry-api/resolve/certificate' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "certificatePemOrDer": "MIIBkTCB+wIJAKHBfpEaYDcxMA0GCSqGSIb3DQEBCwUA...",
  "expectedEntityType": "PID_PROVIDER"
}'

Path Parameters

  • orgID: String — Your organization's Base URL prefix.
  • trustRegistryTarget: String — The Trust Registry service path, e.g. myorg.tenant1.trust-registry.

Header Parameters

  • Authorization: String — Bearer token for authentication. Format: Bearer {yourToken}.

Body

  • certificatePemOrDer: String, required — The certificate in PEM format (-----BEGIN CERTIFICATE-----...) or base64-encoded DER.
  • instant: String, optional — ISO-8601 timestamp for point-in-time trust evaluation. When omitted, defaults to the current time.
  • expectedEntityType: String, optional — Filter results to a specific entity type. Valid values: PID_PROVIDER, WALLET_PROVIDER, ATTESTATION_PROVIDER, TRUST_SERVICE_PROVIDER, ACCESS_CERTIFICATE_PROVIDER, RELYING_PARTY_PROVIDER, OTHER. When omitted, all entity types are considered.
  • expectedServiceType: String, optional — Filter results to a specific service type URI. When omitted, all service types are considered.

Example Response
{
  "decision": "TRUSTED",
  "sourceFreshness": "FRESH",
  "authenticity": "VALIDATED",
  "matchedSource": {
    "sourceId": "eu-wallets",
    "sourceFamily": "LOTE",
    "displayName": "EU Wallet Providers",
    "sourceUrl": "https://trust.example.eu/wallet-providers.json",
    "territory": "EU",
    "issueDate": "2026-01-01T00:00:00Z",
    "nextUpdate": "2026-07-01T00:00:00Z",
    "authenticityState": "VALIDATED",
    "freshnessState": "FRESH"
  },
  "matchedEntity": {
    "entityId": "AT-WALLET-001",
    "sourceId": "eu-wallets",
    "entityType": "WALLET_PROVIDER",
    "legalName": "Demo Wallet Provider GmbH",
    "country": "AT"
  },
  "matchedService": {
    "serviceId": "wallet-service",
    "sourceId": "eu-wallets",
    "entityId": "AT-WALLET-001",
    "serviceType": "WALLET_INSTANCE_ATTESTATION",
    "status": "GRANTED",
    "statusStart": "2026-01-01T00:00:00Z"
  },
  "evidence": [],
  "warnings": []
}

Resolve by Certificate SHA-256

Check trust using only the certificate's SHA-256 fingerprint. Faster than submitting the full certificate when the fingerprint is already available.

CURL

Endpoint: POST /v1/{target}/trust-registry-api/resolve/certificate-sha256

Example Request
curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{trustRegistryTarget}/trust-registry-api/resolve/certificate-sha256' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "certificateSha256Hex": "9f3df3b70633c3d23f5ef04d5d1e7f1d715b9683d8744cd38ec1a8114ec99f00",
  "expectedEntityType": "WALLET_PROVIDER"
}'

Path Parameters

  • orgID: String — Your organization's Base URL prefix.
  • trustRegistryTarget: String — The Trust Registry service path, e.g. myorg.tenant1.trust-registry.

Header Parameters

  • Authorization: String — Bearer token for authentication. Format: Bearer {yourToken}.

Body

  • certificateSha256Hex: String, required — The lowercase hex-encoded SHA-256 fingerprint of the certificate (64 hex characters).
  • instant: String, optional — ISO-8601 timestamp for point-in-time trust evaluation. When omitted, defaults to the current time.
  • expectedEntityType: String, optional — Filter results to a specific entity type. Valid values: PID_PROVIDER, WALLET_PROVIDER, ATTESTATION_PROVIDER, TRUST_SERVICE_PROVIDER, ACCESS_CERTIFICATE_PROVIDER, RELYING_PARTY_PROVIDER, OTHER. When omitted, all entity types are considered.
  • expectedServiceType: String, optional — Filter results to a specific service type URI. When omitted, all service types are considered.

Example Response

The response shape is identical to Resolve by Certificate. See the response field reference below.
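
Added example, not part of the original documentation: deriving certificateSha256Hex from either certificate form accepted by resolve/certificate. It assumes the registry uses the conventional fingerprint (SHA-256 over the certificate's DER bytes); decode_certificate, fingerprint_request and the SAMPLE_* values are hypothetical names, and SAMPLE_DER is a constructed stand-in, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def decode_certificate(pem_or_b64_der: str) -> bytes:
    """Return the DER bytes of a certificate given as PEM or base64 DER."""
    m = PEM_RE.search(pem_or_b64_der)
    b64 = m.group(1) if m else pem_or_b64_der
    try:
        der = base64.b64decode("".join(b64.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("input is neither PEM nor base64 DER") from exc
    # The outer element must be one DER SEQUENCE spanning the whole input;
    # truncated or padded data would otherwise silently hash differently.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length does not match input size")
    return der

def fingerprint_request(pem_or_b64_der: str, expected_entity_type: str) -> dict:
    """Build the JSON body for resolve/certificate-sha256."""
    digest = hashlib.sha256(decode_certificate(pem_or_b64_der)).hexdigest()
    return {"certificateSha256Hex": digest,  # lowercase, 64 hex characters
            "expectedEntityType": expected_entity_type}

# Constructed stand-in: a tiny valid DER SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 +
              "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(fingerprint_request(SAMPLE_PEM, "WALLET_PROVIDER"))
```
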


Resolve by Provider ID

Check whether an entity is trusted by its provider identifier. Useful when the credential's iss field or a known entity ID is available but the raw certificate is not.

CURL

Endpoint: POST /v1/{target}/trust-registry-api/resolve/provider-id

Example Request
curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{trustRegistryTarget}/trust-registry-api/resolve/provider-id' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "providerId": "AT-PID-001",
  "expectedEntityType": "PID_PROVIDER"
}'

Path Parameters

  • orgID: String — Your organization's Base URL prefix.
  • trustRegistryTarget: String — The Trust Registry service path, e.g. myorg.tenant1.trust-registry.

Header Parameters

  • Authorization: String — Bearer token for authentication. Format: Bearer {yourToken}.

Body

  • providerId: String, required — The entity ID of the provider to look up, as registered in the trust source.
  • instant: String, optional — ISO-8601 timestamp for point-in-time trust evaluation. When omitted, defaults to the current time.
  • expectedEntityType: String, optional — Filter results to a specific entity type. Valid values: PID_PROVIDER, WALLET_PROVIDER, ATTESTATION_PROVIDER, TRUST_SERVICE_PROVIDER, ACCESS_CERTIFICATE_PROVIDER, RELYING_PARTY_PROVIDER, OTHER. When omitted, all entity types are considered.

resolve/provider-id does not support expectedServiceType filtering. Only expectedEntityType is available for this endpoint.


Response Reference

All three endpoints return a TrustDecision object with the following fields:

  • decision: The trust resolution outcome. Possible values:
    • TRUSTED: Found in a valid, fresh trust source.
    • NOT_TRUSTED: Not found in any loaded trust source.
    • STALE_SOURCE: Found, but the trust source is outdated.
    • MULTIPLE_MATCHES: Matched more than one entity (ambiguous).
    • UNSUPPORTED_SOURCE: Trust source format is not supported.
    • PROCESSING_ERROR: An error occurred during resolution.
    • UNKNOWN: Could not determine trust status.
  • sourceFreshness: Freshness state of the matched source. Values: FRESH, STALE, EXPIRED, UNKNOWN.
  • authenticity: XMLDSig validation state of the matched source. Values: VALIDATED, FAILED, SKIPPED_DEMO, UNKNOWN.
  • matchedSource (optional): The trust source that produced the match.
    • sourceId: Unique identifier of the source.
    • sourceFamily: TSL, LOTE, or PILOT.
    • displayName: Human-readable name of the source.
    • sourceUrl (optional): URL the source was loaded from.
    • territory (optional): Territory or country code associated with the source.
    • issueDate (optional): ISO-8601 timestamp when the trust list was issued.
    • nextUpdate (optional): ISO-8601 timestamp when the trust list is due for update.
    • sequenceNumber (optional): Sequence number from the trust list, when present.
    • authenticityState: XMLDSig validation state for this source. Values: VALIDATED, FAILED, SKIPPED_DEMO, UNKNOWN.
    • freshnessState: Freshness state of this source. Values: FRESH, STALE, EXPIRED, UNKNOWN.
    • metadata: Map of additional key-value metadata. Empty by default.
  • matchedEntity (optional): The entity whose identity matched.
    • entityId: The entity's identifier within the trust source.
    • sourceId: The source this entity belongs to.
    • entityType: The entity type. Values: PID_PROVIDER, WALLET_PROVIDER, ATTESTATION_PROVIDER, TRUST_SERVICE_PROVIDER, ACCESS_CERTIFICATE_PROVIDER, RELYING_PARTY_PROVIDER, OTHER.
    • legalName: Registered legal name of the entity.
    • tradeName (optional): Trading name of the entity.
    • registrationNumber (optional): Official registration number.
    • country (optional): ISO 3166-1 alpha-2 country code.
    • metadata: Map of additional key-value metadata. Empty by default.
  • matchedService (optional): The specific trust service entry that matched.
    • serviceId: The service's identifier within the trust source.
    • sourceId: The source this service belongs to.
    • entityId: The entity this service belongs to.
    • serviceType: The service type URI as defined in the trust list.
    • status: Current trust status. Values: GRANTED, RECOGNIZED, ACCREDITED, SUPERVISED, DEPRECATED, SUSPENDED, REVOKED, WITHDRAWN, EXPIRED, UNKNOWN.
    • statusStart (optional): ISO-8601 timestamp when the current status became effective.
    • metadata: Map of additional key-value metadata. Empty by default.
  • evidence (array): Additional trust evidence entries. Each item has type, value, and metadata.
  • warnings (array): Non-fatal warnings, e.g. when a source is stale but a match was found.
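
Added example, not part of the original documentation: a caller-side check that fails closed on a TrustDecision instead of testing the decision field alone. The names evaluate, parse_ts and ACTIVE_STATUSES, and the rules that reject SKIPPED_DEMO, a missing matchedService and any warnings, are assumed local policy rather than behaviour defined by the registry.

```python
from datetime import datetime, timezone

# Assumed local policy (not defined by the page): statuses treated as active.
ACTIVE_STATUSES = {"GRANTED", "RECOGNIZED", "ACCREDITED", "SUPERVISED"}

def parse_ts(value):
    # Accept the trailing "Z" used in the page's example timestamps.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def evaluate(td, expected_entity_type, now=None, require_service=True):
    """Return the reasons to reject a TrustDecision; an empty list means accept."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    for field, wanted in (("decision", "TRUSTED"),
                          ("authenticity", "VALIDATED"),  # rejects SKIPPED_DEMO
                          ("sourceFreshness", "FRESH")):
        if td.get(field) != wanted:
            reasons.append(f"{field}={td.get(field)!r}, need {wanted}")
    # Re-check the entity type locally instead of relying on the request filter.
    entity = td.get("matchedEntity") or {}
    if entity.get("entityType") != expected_entity_type:
        reasons.append(f"entityType={entity.get('entityType')!r}")
    service = td.get("matchedService")
    if service is None:
        if require_service:
            reasons.append("no matchedService")
    elif service.get("status") not in ACTIVE_STATUSES:
        reasons.append(f"service status={service.get('status')!r}")
    # A list past its own nextUpdate is treated as unusable.
    next_update = (td.get("matchedSource") or {}).get("nextUpdate")
    if next_update and parse_ts(next_update) <= now:
        reasons.append(f"source past nextUpdate {next_update}")
    if td.get("warnings"):
        reasons.append(f"warnings: {td['warnings']}")
    return reasons

# Trimmed copy of the page's example response.
SAMPLE = {
    "decision": "TRUSTED", "sourceFreshness": "FRESH", "authenticity": "VALIDATED",
    "matchedSource": {"sourceId": "eu-wallets", "nextUpdate": "2026-07-01T00:00:00Z"},
    "matchedEntity": {"entityId": "AT-WALLET-001", "entityType": "WALLET_PROVIDER"},
    "matchedService": {"serviceId": "wallet-service", "status": "GRANTED"},
    "evidence": [], "warnings": [],
}

if __name__ == "__main__":
    at = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed evaluation time
    print(evaluate(SAMPLE, "WALLET_PROVIDER", now=at))
    print(evaluate({**SAMPLE, "authenticity": "SKIPPED_DEMO"}, "WALLET_PROVIDER", now=at))
```
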
Last updated on May 6, 2026