Wallet Management
The wallet management v2 endpoints provide read access to the resources stored in a wallet — keys, DIDs, and credentials.
Ensure you have set up a wallet service with linked KMS, DID Store, and Credential Store services before proceeding.
List Keys
Retrieve all keys available in the wallet's linked KMS services.
Endpoint: GET /v2/{target}/wallet-service-api/keys
Example Request
curl -X GET \
'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{org}.{tenant}.{wallet-id}/wallet-service-api/keys' \
-H 'Authorization: Bearer {yourToken}'
Response
[
{
"keyId": "waltid.tenant1.kms.key1",
"keyType": "Ed25519"
},
{
"keyId": "waltid.tenant1.kms.wallet_key",
"keyType": "secp256r1"
}
]
keyIdString — The key's identifier — the dotted KMS resource path.keyTypeString — walt.id key-type name, e.g.Ed25519,secp256r1,secp256k1,RSA.algorithm(optional) String — Signing algorithm, when the KMS reports one; omitted otherwise.
List DIDs
Retrieve all DIDs stored in the wallet's linked DID Store.
Endpoint: GET /v2/{target}/wallet-service-api/dids
Example Request
curl -X GET \
'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{org}.{tenant}.{wallet-id}/wallet-service-api/dids' \
-H 'Authorization: Bearer {yourToken}'
Response
[
{
"did": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
"document": {
"@context": [
"https://www.w3.org/ns/did/v1",
"https://w3id.org/security/suites/jws-2020/v1"
],
"id": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
"verificationMethod": [
{
"id": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6#z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
"type": "JsonWebKey2020",
"controller": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
"publicKeyJwk": {
"kty": "OKP",
"crv": "Ed25519",
"x": "..."
}
}
],
"authentication": ["did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6#z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6"],
"assertionMethod": ["did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6#z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6"]
}
}
]
didString — The DID string.documentObject — The full DID document as a JSON object.
List Credentials
Retrieve metadata for all credentials stored in the wallet's linked Credential Store. This endpoint returns lightweight metadata without the full credential payload.
Endpoint: GET /v2/{target}/wallet-service-api/credentials
Example Request
curl -X GET \
'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{org}.{tenant}.{wallet-id}/wallet-service-api/credentials' \
-H 'Authorization: Bearer {yourToken}'
Response
[
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"format": "dc+sd-jwt",
"issuer": "did:web:issuer.example.org",
"subject": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
"label": "Identity Credential",
"addedAt": "2024-01-15T10:30:00Z"
},
{
"id": "6ba7b810-9dad-11d1-80b4-00c04fd430c8",
"format": "jwt_vc_json",
"issuer": "did:web:university.example.org",
"subject": "did:key:z6Mkfriq1MqLBoPWecGoDLjguo1sB9brj6wT3qZ5BxkKpuP6",
"label": "University Diploma",
"addedAt": "2024-02-20T14:45:00Z"
}
]
idString — Wallet-assigned credential identifier (UUID).formatString — Credential format (dc+sd-jwt,jwt_vc_json,mso_mdoc, etc.).issuer(optional) String — The credential issuer's identifier.subject(optional) String — The credential subject's identifier.label(optional) String — Human-readable label (from credential display or user-assigned).addedAtString — Timestamp when the credential was added to the wallet.
Get Credential
Retrieve a specific credential by its ID, including the full credential payload.
Endpoint: GET /v2/{target}/wallet-service-api/credentials/{credentialId}
Example Request
curl -X GET \
'https://{orgID}.enterprise-sandbox.waltid.dev/v2/{org}.{tenant}.{wallet-id}/wallet-service-api/credentials/{credentialId}' \
-H 'Authorization: Bearer {yourToken}'
Path Parameters
orgIDString — Organization host alias.targetresourceIdentifier — The wallet's resource path, e.g.waltid.tenant1.wallet.credentialIdString — The stored credential's ID, e.g.550e8400-e29b-41d4-a716-446655440000— from List Credentials or the receive response'scredentialIds.
Response
The wrapper is always { id, credential, label?, addedAt }. The credential object's shape depends on the credential format — pick the matching tab:
format: dc+sd-jwt · type: vc-sd_jwt — adds disclosures, disclosables, originalCredentialData, signedWithDisclosures.
{
"id": "a2f705c5-7ec9-4113-8091-00982fffccd4",
"credential": {
"type": "vc-sd_jwt",
"format": "dc+sd-jwt",
"issuer": "https://issuer.example.org/.../openid4vci",
"credentialData": {
"given_name": "John",
"family_name": "Doe",
"birthdate": "1990-01-15",
"vct": "https://issuer.example.org/.well-known/vct/.../identity_credential",
"cnf": { "jwk": { "kty": "OKP", "crv": "Ed25519", "x": "Jfch6RO..." } }
},
"disclosures": [
{
"name": "birthdate",
"value": "1990-01-15",
"salt": "XWinP-V3uXnRMfgAZDtbjw",
"encoded": "WyJYV2luUC1WM3VYblJNZmdBWkR0Ymp3IiwiYmlydGhkYXRlIiwiMTk5MC0wMS0xNSJd"
}
],
"signed": "eyJraWQiOiJHMzdKaUdyM3B0bEQ...",
"signature": {
"type": "signature-sd_jwt",
"jwtHeader": { "kid": "G37JiGr3ptlD-YVW2APHZ7i4N43-vcIQZNFEuXzjwZw", "typ": "dc+sd-jwt", "alg": "EdDSA" }
}
},
"addedAt": "2026-07-13T09:40:30Z"
}
idString — Wallet-assigned credential identifier (UUID).credentialObject — The fully-parsed credential (shape varies by format — see tabs above).credential.typeString — Parsed-kind discriminator:vc-sd_jwt,vc-w3c_2, orvc-mdocs.credential.formatString — Wire format:dc+sd-jwt,jwt_vc_json,mso_mdoc, …credential.credentialDataObject — The decoded credential claims/payload.credential.signedString — The original encoded credential string (compact SD-JWT / JWT; base64url-CBOR for mDoc). There is norawCredentialfield.credential.signatureObject — Parsed signature metadata (type, plus JWT header or COSE signer key).label(optional) String — Human-readable label; omitted when not set.addedAtString — Timestamp when the credential was added to the wallet.
Response Codes
200— Credential found and returned.404— Credential not found.
Endpoint Summary
| Endpoint | Method | Description |
|---|---|---|
/v2/{target}/wallet-service-api/keys | GET | List all keys in the wallet |
/v2/{target}/wallet-service-api/dids | GET | List all DIDs in the wallet |
/v2/{target}/wallet-service-api/credentials | GET | List credential metadata |
/v2/{target}/wallet-service-api/credentials/{credentialId} | GET | Get a specific credential |
Related Documentation
- Wallet Setup — Configure a wallet service with linked stores
- Accept Credentials via OID4VCI — Receive credentials into the wallet
- Share Credentials via OID4VP — Present credentials from the wallet
- KMS Service — Key management configuration
- DID Store Service — DID storage configuration
- Credential Store Service — Credential storage configuration
