#Trust Source Management

Manage the trust sources loaded into your Trust Registry Service. Each trust source is identified by a unique sourceId and contains entities, services, and certificate identities parsed from a trust list.

#Load a Trust Source

Load a trust list into the Trust Registry from a remote URL or inline content. Each source is identified by a unique sourceId.

#Load from URL

CURL

Endpoint: POST /v1/{target}/trust-registry-api/sources/load | API Reference

#Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/trust-registry-api/sources/load' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "sourceId": "ewc-pilot",
  "url": "https://ewc-consortium.github.io/ewc-trust-list/EWC-TL",
  "validateSignature": false
}'

Path Parameters

orgID: String - Your organization's Base URL prefix, e.g. myorg.enterprise-sandbox.waltid.dev.
target: String - The Trust Registry service path, e.g. myorg.tenant1.trust-registry.

Header Parameters

Authorization: String - Bearer token for your organization.

Body

sourceId: String - Unique identifier for this trust source.
url: String - URL to fetch the trust list from. Either url or content must be provided.
validateSignature: Boolean - Whether to validate the XMLDSig signature. Use true for official production trust lists, false for unsigned pilot lists.

#Example Response

{
  "sourceId": "ewc-pilot",
  "success": true,
  "entitiesLoaded": 19,
  "servicesLoaded": 29,
  "identitiesLoaded": 38
}

If the source could not be loaded (e.g. network failure or signature validation failure), the response is still 200 but with success: false and an error description:

{
  "sourceId": "ewc-pilot",
  "success": false,
  "error": "Failed to fetch from https://ewc-consortium.github.io/ewc-trust-list/EWC-TL: Connection timed out"
}

Status	Description
`200`	Request processed — check `success` field in the response body
`422`	Source could not be loaded — returned when loading fails at the trust list parsing level

#Load from Content

For local or custom trust lists, provide the content directly instead of a URL.

CURL

Endpoint: POST /v1/{target}/trust-registry-api/sources/load | API Reference

#Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/trust-registry-api/sources/load' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "sourceId": "my-custom-list",
  "content": "{\"listMetadata\":{\"listId\":\"my-list\",\"listType\":\"mdl-issuers\",\"territory\":\"US\"},\"trustedEntities\":[...]}",
  "validateSignature": false
}'

Path Parameters

orgID: String - Your organization's Base URL prefix.
target: String - The Trust Registry service path.

Header Parameters

Authorization: String - Bearer token for your organization.

Body

sourceId: String - Unique identifier for this trust source.
content: String - The trust list content as a JSON string (LoTE format) or XML string (TSL format). Either content or url must be provided.
validateSignature: Boolean - Whether to validate the XMLDSig signature.

#Example Response

{
  "sourceId": "my-custom-list",
  "success": true,
  "entitiesLoaded": 4,
  "servicesLoaded": 6,
  "identitiesLoaded": 8
}

If the content cannot be parsed or signature validation fails, the response is still 200 but with success: false and an error description:

{
  "sourceId": "my-custom-list",
  "success": false,
  "error": "XMLDSig signature validation failed: Signature validation failed - digest mismatch"
}

Status	Description
`200`	Request processed — check `success` field in the response body
`422`	Source could not be loaded — returned when loading fails at the trust list parsing level

XMLDSig signature validation provides cryptographic assurance that a trust list has not been tampered with. Always set validateSignature: true when loading official production trust lists. Use validateSignature: false only for unsigned pilot or test lists.

#List Loaded Sources

CURL

Endpoint: GET /v1/{target}/trust-registry-api/sources | API Reference

#Example Request

curl -X 'GET' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/trust-registry-api/sources' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {yourToken}'

Path Parameters

orgID: String - Your organization's Base URL prefix.
target: String - The Trust Registry service path.

Header Parameters

Authorization: String - Bearer token for your organization.

#Example Response

Returns an array of all loaded trust sources and their current state.

[
  {
    "sourceId": "austria-tsl",
    "sourceFamily": "TSL",
    "displayName": "TSL AT (seq 72)",
    "sourceUrl": "https://www.signatur.rtr.at/currenttl.xml",
    "territory": "AT",
    "issueDate": "2026-03-11T15:17:42Z",
    "nextUpdate": "2026-09-11T14:17:42Z",
    "sequenceNumber": "72",
    "authenticityState": "VALIDATED",
    "freshnessState": "FRESH",
    "metadata": {
      "tslVersion": "5",
      "signerSubjectDN": "CN=Trusted List 9,OU=Fachbereich Telekommunikation und Post,O=Rundfunk und Telekom Regulierungs-GmbH,C=AT",
      "signerIssuerDN": "CN=RTR Services 5,O=Rundfunk und Telekom Regulierungs-GmbH,C=AT",
      "signerSerialNumber": "312100091138082272680184838882066682156716496761"
    }
  },
  {
    "sourceId": "ewc-pilot",
    "sourceFamily": "TSL",
    "displayName": "TSL TT (seq 1)",
    "sourceUrl": "https://ewc-consortium.github.io/ewc-trust-list/EWC-TL",
    "territory": "TT",
    "issueDate": "2025-02-13T01:00:00Z",
    "nextUpdate": "2025-08-13T00:00:00Z",
    "sequenceNumber": "1",
    "authenticityState": "SKIPPED_DEMO",
    "freshnessState": "EXPIRED",
    "metadata": {
      "tslVersion": "5"
    }
  }
]

Response Fields

sourceId: String - The identifier assigned when the source was loaded.
sourceFamily: String - The format of the trust list. One of TSL (ETSI TS 119 612 XML), LOTE (ETSI TS 119 602 JSON or XML), or PILOT. Detected automatically from the content.
displayName: String - A human-readable label derived from the list content. For TSL sources: "TSL {territory} (seq {sequenceNumber})". For LoTE sources: the listId from the list's own metadata.
sourceUrl: String (nullable) - The URL the list was fetched from. Null when the source was loaded from inline content and no sourceUrl was provided in the request body.
territory: String (nullable) - The ISO country or territory code taken from the list's own scheme information. Null for LoTE sources that do not declare a territory.
issueDate: String (nullable) - ISO 8601 timestamp from the list's own metadata indicating when the list was issued.
nextUpdate: String (nullable) - ISO 8601 timestamp from the list's own metadata indicating when the list is expected to be updated. Drives the freshnessState calculation. Null when the list does not declare a next-update date.
sequenceNumber: String (nullable) - The revision counter from the list's own metadata. Null when the list does not declare a sequence number.
authenticityState: String - Result of XMLDSig signature validation. One of:
- VALIDATED — signature was present and passed validation.
- FAILED — signature was present but failed validation.
- SKIPPED_DEMO — validation was skipped because validateSignature: false was used, or the list is unsigned and signature is not required.
- UNKNOWN — authenticity state could not be determined.
freshnessState: String - Staleness of the list, computed against nextUpdate at load time. One of:
- FRESH — current time is before nextUpdate.
- STALE — current time is within 24 hours of nextUpdate.
- EXPIRED — current time is past nextUpdate.
- UNKNOWN — nextUpdate was not present in the list.
metadata: Object - Source-family-specific key/value pairs extracted from the list. For TSL sources: always includes tslVersion; includes signerSubjectDN, signerIssuerDN, and signerSerialNumber when signature validation was performed. For LoTE JSON sources: includes listType when present in the list metadata.

Status	Description
`200`	Sources retrieved successfully

#Refresh a Trust Source

Re-fetch and re-parse a previously loaded trust source to pick up updates from the origin URL. Trust sources are persisted to the database and survive service restarts, but the content is not updated automatically — use this endpoint to refresh on demand.

CURL

Endpoint: POST /v1/{target}/trust-registry-api/sources/{sourceId}/refresh | API Reference

#Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/trust-registry-api/sources/{sourceId}/refresh' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {yourToken}'

Path Parameters

orgID: String - Your organization's Base URL prefix.
target: String - The Trust Registry service path.
sourceId: String - The ID of the trust source to refresh.

Header Parameters

Authorization: String - Bearer token for your organization.

#Example Response

{
  "sourceId": "ewc-pilot",
  "success": true,
  "entitiesLoaded": 19,
  "servicesLoaded": 29,
  "identitiesLoaded": 38
}

If the source cannot be re-fetched (e.g. the origin URL is unreachable), the response is still 200 but with success: false:

{
  "sourceId": "ewc-pilot",
  "success": false,
  "error": "Failed to fetch from https://ewc-consortium.github.io/ewc-trust-list/EWC-TL: Connection timed out"
}

Status	Description
`200`	Request processed — check `success` field in the response body
`422`	Refresh failed at the trust list parsing level

Last updated on May 6, 2026

Setup Trust Resolution