Wallet Management

The wallet management v2 endpoints provide read access to the resources stored in a wallet — keys, DIDs, and credentials.

Ensure you have set up a wallet service with linked KMS, DID Store, and Credential Store services before proceeding.


List Keys

Retrieve all keys available in the wallet's linked KMS services.

CURL

Endpoint: GET /v2/{target}/wallet-service-api/keys

Example Request

curl -X GET \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{org}.{tenant}.{wallet-id}/wallet-service-api/keys' \
  -H 'Authorization: Bearer {yourToken}'

Response

[
  {
    "keyId": "waltid.tenant1.kms.key1",
    "keyType": "Ed25519"
  },
  {
    "keyId": "waltid.tenant1.kms.wallet_key",
    "keyType": "secp256r1"
  }
]
  • keyId String — The key's identifier — the dotted KMS resource path.
  • keyType String — walt.id key-type name, e.g. Ed25519, secp256r1, secp256k1, RSA.
  • algorithm (optional) String — Signing algorithm, when the KMS reports one; omitted otherwise.

List DIDs

Retrieve all DIDs stored in the wallet's linked DID Store.

CURL

Endpoint: GET /v2/{target}/wallet-service-api/dids

Example Request

curl -X GET \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{org}.{tenant}.{wallet-id}/wallet-service-api/dids' \
  -H 'Authorization: Bearer {yourToken}'

Response

[
  {
    "did": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
    "document": {
      "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/jws-2020/v1"
      ],
      "id": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
      "verificationMethod": [
        {
          "id": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6#z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
          "type": "JsonWebKey2020",
          "controller": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
          "publicKeyJwk": {
            "kty": "OKP",
            "crv": "Ed25519",
            "x": "..."
          }
        }
      ],
      "authentication": ["did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6#z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6"],
      "assertionMethod": ["did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6#z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6"]
    }
  }
]
  • did String — The DID string.
  • document Object — The full DID document as a JSON object.

List Credentials

Retrieve metadata for all credentials stored in the wallet's linked Credential Store. This endpoint returns lightweight metadata without the full credential payload.

CURL

Endpoint: GET /v2/{target}/wallet-service-api/credentials

Example Request

curl -X GET \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{org}.{tenant}.{wallet-id}/wallet-service-api/credentials' \
  -H 'Authorization: Bearer {yourToken}'

Response

[
  {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "format": "dc+sd-jwt",
    "issuer": "did:web:issuer.example.org",
    "subject": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
    "label": "Identity Credential",
    "addedAt": "2024-01-15T10:30:00Z"
  },
  {
    "id": "6ba7b810-9dad-11d1-80b4-00c04fd430c8",
    "format": "jwt_vc_json",
    "issuer": "did:web:university.example.org",
    "subject": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
    "label": "University Diploma",
    "addedAt": "2024-02-20T14:45:00Z"
  }
]
  • id String — Wallet-assigned credential identifier (UUID).
  • format String — Credential format (dc+sd-jwt, jwt_vc_json, mso_mdoc, etc.).
  • issuer (optional) String — The credential issuer's identifier.
  • subject (optional) String — The credential subject's identifier.
  • label (optional) String — Human-readable label (from credential display or user-assigned).
  • addedAt String — Timestamp when the credential was added to the wallet.

Get Credential

Retrieve a specific credential by its ID, including the full credential payload.

CURL

Endpoint: GET /v2/{target}/wallet-service-api/credentials/{credentialId}

Example Request

curl -X GET \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{org}.{tenant}.{wallet-id}/wallet-service-api/credentials/{credentialId}' \
  -H 'Authorization: Bearer {yourToken}'

Path Parameters

  • orgID String — Organization host alias.
  • target resourceIdentifier — The wallet's resource path, e.g. waltid.tenant1.wallet.
  • credentialId String — The stored credential's ID, e.g. 550e8400-e29b-41d4-a716-446655440000 — from List Credentials or the receive response's credentialIds.

Response

The wrapper is always { id, credential, label?, addedAt }. The credential object's shape depends on the credential format — pick the matching tab:

SD-JWT VC
W3C VC
mDoc

format: dc+sd-jwt · type: vc-sd_jwt — adds disclosures, disclosables, originalCredentialData, signedWithDisclosures.

{
  "id": "a2f705c5-7ec9-4113-8091-00982fffccd4",
  "credential": {
    "type": "vc-sd_jwt",
    "format": "dc+sd-jwt",
    "issuer": "https://issuer.example.org/.../openid4vci",
    "credentialData": {
      "given_name": "John",
      "family_name": "Doe",
      "birthdate": "1990-01-15",
      "vct": "https://issuer.example.org/.well-known/vct/.../identity_credential",
      "cnf": { "jwk": { "kty": "OKP", "crv": "Ed25519", "x": "Jfch6RO..." } }
    },
    "disclosures": [
      {
        "name": "birthdate",
        "value": "1990-01-15",
        "salt": "XWinP-V3uXnRMfgAZDtbjw",
        "encoded": "WyJYV2luUC1WM3VYblJNZmdBWkR0Ymp3IiwiYmlydGhkYXRlIiwiMTk5MC0wMS0xNSJd"
      }
    ],
    "signed": "eyJraWQiOiJHMzdKaUdyM3B0bEQ...",
    "signature": {
      "type": "signature-sd_jwt",
      "jwtHeader": { "kid": "G37JiGr3ptlD-YVW2APHZ7i4N43-vcIQZNFEuXzjwZw", "typ": "dc+sd-jwt", "alg": "EdDSA" }
    }
  },
  "addedAt": "2026-07-13T09:40:30Z"
}
  • id String — Wallet-assigned credential identifier (UUID).
  • credential Object — The fully-parsed credential (shape varies by format — see tabs above).
  • credential.type String — Parsed-kind discriminator: vc-sd_jwt, vc-w3c_2, or vc-mdocs.
  • credential.format String — Wire format: dc+sd-jwt, jwt_vc_json, mso_mdoc, …
  • credential.credentialData Object — The decoded credential claims/payload.
  • credential.signed String — The original encoded credential string (compact SD-JWT / JWT; base64url-CBOR for mDoc). There is no rawCredential field.
  • credential.signature Object — Parsed signature metadata (type, plus JWT header or COSE signer key).
  • label (optional) String — Human-readable label; omitted when not set.
  • addedAt String — Timestamp when the credential was added to the wallet.

Response Codes

  • 200 — Credential found and returned.
  • 404 — Credential not found.

Endpoint Summary

EndpointMethodDescription
/v2/{target}/wallet-service-api/keysGETList all keys in the wallet
/v2/{target}/wallet-service-api/didsGETList all DIDs in the wallet
/v2/{target}/wallet-service-api/credentialsGETList credential metadata
/v2/{target}/wallet-service-api/credentials/{credentialId}GETGet a specific credential

Last updated on July 13, 2026