Update #25
Hey friends,
With the latest release, we added support for the pre-auth transaction pin in the wallet API, added onboarding endpoints for IACA & Document Signers for mDL issuance in the Issuer API, introduced a new status policy and much more.
Community Stack (v0.15.0/0.15.1)
Below are all features available through v0.15.0/0.15.1 of the identity lib. Checkout the full change log here and here. Want to learn more about the identity lib in general? Check out our intro video.
Features
Wallet API
Pre-Auth Flow Transaction Pin Support
Credential issuance now accepts an optional pinOrTxCode parameter when calling POST /exchange/useOfferRequest. Supply a PIN or transaction code from the issuer when required.
Extension of Microsoft Entra ID OIDC Login Handling
The wallet API now attempts to redeem an authorization code for an id_token when a JWT cannot be validated, improving compatibility with providers returning opaque tokens. Trace logging has been added around OIDC login routes and authentication flows to aid debugging. Configuration changes require publicBaseUrl to be set in oidc.conf; keycloakUserApi is now optional.
Support for signing flattened JWS+Json
The wallet API’s /keys/{keyId}/sign endpoint now understands Flattened JWS JSON payloads. More info in this PR here.
Wallet UI
Credential Display
Visual rendering of credential cards was updated to show issuer logos and support background images.
Multiple Matching Credentials Handling
When multiple credentials of the same type match a presentation request, the web wallet now groups them and prompts users to choose one.
Credential Deletion Logic
Deleting a credential from the web-wallet permanently removes it by default (uses permanent=true).
Issuer API
IACA & Document Signer Onboarding for mDL Issuance
New onboarding endpoints to generate a self‑signed Issuing Authority Certification Authority certificate (docu link) and issue Document Signer certificates bound to an IACA (docu link).
Credential Branding
Credential branding capabilities were extended. Issuer metadata can now specify an optional secondary_image alongside existing logo and background fields. Example metadata.
Verifier API
Status Policy
A flexible status policy to validate common status types like revocation or suspension, but also custom reasons based on the BitstringStatusList, StatusList2021, RevocationList2020, TokenStatusList standards. Learn more here.
Fixes & Improvements
EBSI Environment Updates
DID resolution works now with both the conformance & pilot registries. Update to handle nested descriptor objects in presentation verification. Link to PR here and here.
Wallet UI
The wallet interface now truncates long user names with an ellipsis and shows the full name on hover. This prevents layout issues when the user name is unusually long. Link to PR.
Presentation Definition Parsing Improvement
Credentials containing arrays are now correctly matched when the filter specifies a string type. Link to PR.
SD-JWT VC Presentation Handling
The verifier can now process presentations containing SD‑JWT credentials directly or embedded in W3C VPs. Link to PR.
EBSI - Cannot sign IDToken response
Improved key resolution: signing a message now accepts a key ID, DID or verification method ID. Signatures now include the JWT type header by default and support partially formed JWS JSON data. Link to PR.
Multiple Keys Support for DID Resolution
The DID resolution libraries and verifier now handle DID documents containing several keys. Verification of SD‑JWT credentials and general JWS signatures iterates over every resolved key, improving compatibility with multi‑key DID documents. Link to PR.
SD-JWT credential format parsing
The library now handles credential_format values containing spaces (e.g., vc sd-jwt) in addition to the standard vc+sd-jwt representation. Link to PR.
Spec implementation for BitstringStatusList on list encoding
The verification library now properly distinguishes between regular and multibase Base64‑URL status lists. Link to PR
Docs / Docker Compose
mDoc Lib Documentation Expansion
Detailed guidance on encoding revocation status with IETF Status or Identifier Lists, new examples for NFC, BLE, and Wi-Fi Aware to create and parse DeviceEngagement structures, and expanded instructions for signing documents and incorporating revocation data. Find docs here.
Docker Compose
Docker images now reference version and repository settings from the .env file, allowing you to change image sources and host names without editing docker-compose.yaml. Ensure you set the new IMAGE_PREFIX, SERVICE_HOST, and version variables (VERSION_OPA, VERSION_VAULT, VERSION_VC_REPO) when running the services. Link to PR
Breaking Changes
SD-JWT VC Lib
Any code calling SDJwtVC.sign(...), SDJwtVC.doSign(...), or SDJwtVC.defaultPayloadProperties(...) must now provide the status parameter as a JsonObject? instead of a String?.
Enterprise Stack (v0.7.0)
Below are all features available through v0.7.0 of the enterprise stack. Want to learn more about the enterprise stack in general? Check out our intro video.
Features
Holder Policies for Silent Wallet Flows
Use holder policies to allow users to set granular sharing rules for credentials, ensuring consent-first data sharing during silent issuance and verification flows. Learn more here.
New Status Policy in Verifier Service
A flexible status policy to validate common status types like revocation or suspension, but also custom reasons based on the BitstringStatusList, StatusList2021, RevocationList2020, TokenStatusList standards. Learn more here.
Support for Non-Expiring Issuance Sessions
The Issuer Service API now allows for the creation of non-expiring issuance sessions. When you call POST /issuer-service-api/credentials/issue, you can set the session to remain active indefinitely by including the parameter expiresInSeconds: -1. If you prefer a session with a specific duration, you can specify the desired length in seconds using the expiresInSeconds parameter. By default, if this parameter is omitted, the session will expire after five minutes.
mDL Issuance Simplified
The mDL issuance request no longer requires the trustedRootCAs field. Also, the OpenAPI examples have been updated.
Credential Branding Extension
Issuers can now provide a secondary image for the credential branding information when setting up an issuer service. See an updated example in the SWAGGER docs here. Example Name -> [Create Issuer with credential branding information]
Enterprise UI Updates
The management of service configuration in JSON format has been implemented for the following services: DID registry, KMS, Status, Credential Store, DID Store, Verifier, and Wallet.
Improved Authorization Request handling when presenting credentials via the wallet service UI.
Fixes
SD-JWT VC Display Info Loading
When you issue an SD-JWT VC credential using the credentials/issue endpoint of the issuer service, the display information will now be correctly retrieved from the issuer service configuration. This happens if you do not provide any display information directly in your issuance request.
Wallet Service Key Enforcement
The wallet presentation flow no longer enforces that holder keys must be secp256r1. Applications can now present non‑MDOC credentials with other key types.
Docs
OpenAPI documentation improved
Each endpoint now features clearer descriptions, and the OpenID4VCI specifications include the standardVersion as a path parameter. These updates ensure that clients generated from api.json accurately reflect the API behavior.
Community favorites
How To Video Series
Community Stack Tutorial
In our latest video tutorial, learn to build an end-to-end digital ID use-case with the walt.id Community Stack by setting up a custodial wallet, issuing and storing a W3C-compliant University Degree Credential, and securely verifying it using the Issuer, Wallet, and Verifier APIs;
Feature List & Roadmap
Overview - product features today and upcoming
PS: If you enjoy working with our tools, make sure to leave us a ⭐ on GitHub