Data Retention and Auto-Purge (PII)

The Enterprise API can automatically purge old issuer and verifier session data to reduce PII retention. This is disabled by default and can be enabled via feature flags and configuration.

Enabling the feature

  1. Ensure the data-retention feature is enabled in the Features configuration file.
  2. Ensure the optional feature data-retention is enabled (defaults to disabled). You can enable it by either:
    • Setting the feature flag at runtime (if supported in your deployment), or
    • Using configuration: add the following to your run configuration or environment to keep default enabled state false and set enabled: true inside the config file below.
  3. Provide the data retention configuration file at waltid-enterprise-api/config/data-retention.conf (mounted into the container or placed in the working directory).

Configuration file

File: config/data-retention.conf

Example:

{
  enabled: true,
  maxIssuerSessionAge: "30d",
  maxVerifierSessionAge: "30d",
  schedule: "0 0 * * *",
  dryRun: true,
  maxDeletePerRun: 500,
  logging: {
    enabled: true,
    level: "INFO"
  }
}

Option reference:

  • enabled: Toggles the purge job on/off. When false, nothing is scheduled.
  • maxIssuerSessionAge: Retention window (e.g. 1h, 1d, 1w, 1m) for issuer sessions. Entries older than this cutoff are considered expired.
  • maxVerifierSessionAge: Retention window (e.g. 1h, 1d, 1w, 1m) for verifier sessions (presentation sessions).
  • schedule: Cron-like string.
  • dryRun: When true, the job only logs which entries would be deleted without deleting them.
  • maxDeletePerRun: Safety limit for how many root session entries are deleted per run. Deletion is recursive per session path.
  • logging.enabled: Enables/disables logging for the job.
  • logging.level: Log level for job messages (TRACE, DEBUG, INFO, WARN, ERROR).

How it works

  • The job scans the organization_trees MongoDB collection for expired session entries:
    • Issuer sessions: documents with _t = "stored-issuance-session" and timestamp older than the cutoff.
    • Verifier sessions: documents with _t = "stored-presentation-session" and timestamp older than the cutoff.
  • For each selected session (up to maxDeletePerRun), the job deletes the session document and all child documents under its hierarchical _id path.
  • If MongoDB is not configured/available, the job logs a warning and skips the run.
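
The selection and recursive-delete rules above, modelled over in-memory documents so a dry-run report can be reasoned about before the job is switched to real deletion. This is an added example, not walt.id's own code; it assumes dot-separated _id paths, datetime timestamps and oldest-first selection, and the sample ids are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

UNITS = {"s": "seconds", "h": "hours", "d": "days", "w": "weeks"}
SESSION_TYPES = {  # _t discriminator -> config key, both taken from the page
    "stored-issuance-session": "maxIssuerSessionAge",
    "stored-presentation-session": "maxVerifierSessionAge",
}

def parse_age(text):
    # "1m" is rejected here: the page does not say whether it means minutes or months.
    m = re.fullmatch(r"(\d+)([shdw])", text)
    if not m:
        raise ValueError(f"unsupported retention window: {text!r}")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})

def plan_purge(docs, config, now):
    """Return (root session ids selected, every id that would be removed)."""
    if not config.get("enabled"):
        return [], []  # nothing is scheduled when the job is disabled
    expired = []
    for doc in docs:
        key = SESSION_TYPES.get(doc.get("_t"))
        if key and doc["timestamp"] < now - parse_age(config[key]):
            expired.append(doc)
    expired.sort(key=lambda d: d["timestamp"])  # oldest first (assumed order)
    roots = [d["_id"] for d in expired[: config["maxDeletePerRun"]]]
    # Recursive delete: the root plus documents under its path. The "." guard
    # keeps session "s1" from also matching its sibling "s10".
    doomed = [d["_id"] for d in docs
              if any(d["_id"] == r or d["_id"].startswith(r + ".") for r in roots)]
    return roots, doomed

def run_purge(docs, config, now):
    _, doomed = plan_purge(docs, config, now)
    if config.get("dryRun"):
        return docs, doomed  # report only, nothing removed
    return [d for d in docs if d["_id"] not in doomed], doomed

NOW = datetime(2026, 2, 8, tzinfo=timezone.utc)
# Constructed sample documents; ids, separator and field types are assumptions.
DOCS = [
    {"_id": "org.tenant.issuer.s1", "_t": "stored-issuance-session", "timestamp": NOW - timedelta(days=45)},
    {"_id": "org.tenant.issuer.s1.child", "_t": "other", "timestamp": NOW - timedelta(days=45)},
    {"_id": "org.tenant.issuer.s10", "_t": "stored-issuance-session", "timestamp": NOW - timedelta(days=2)},
    {"_id": "org.tenant.verifier.p1", "_t": "stored-presentation-session", "timestamp": NOW - timedelta(days=31)},
]
CONFIG = {"enabled": True, "maxIssuerSessionAge": "30d", "maxVerifierSessionAge": "30d",
          "dryRun": True, "maxDeletePerRun": 500}
```

Comparing the ids returned under dryRun with what the job logs is a quick check that the retention windows and maxDeletePerRun behave as intended before dryRun is set to false.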

Timestamps

Issuer and verifier session records include a timestamp set at creation time, which the purge job uses to determine expiry.

Zero-retention mode (maxAge = "0s")

When maxIssuerSessionAge or maxVerifierSessionAge is set to "0s", the system will skip storing PII data entirely:

For Issuance Sessions (maxIssuerSessionAge: "0s"):

  • Credential data (issuanceRequest.credentialData) will not be stored in the database
  • The rest of the session metadata is preserved for revocation tracking purposes
  • This is useful when you want to minimize PII exposure while maintaining revocation capabilities

For Presentation Sessions (maxVerifierSessionAge: "0s"):

  • VP token data (vpToken) will not be stored in the database
  • Users can still receive VP data through:
    • Callback URLs configured in the session
  • The rest of the session metadata is preserved for verification tracking

This mode provides the strongest PII protection by preventing sensitive data from being persisted to the database at all.

Last updated on February 8, 2026