All posts

Blog

Product Update #31

July 15, 2026

Wallet2 API, OIDC bridge, issuer2 updates and more

On this page

TL;DR

  • New release - Wallet2 API, OIDC bridge, issuer2 updates and more
  • Resources – A 3-minute eIDAS2 explainer video, and notes from dice 2026

Community Stack (0.22.0)


Below are the highlights available through 0.22.0 of the identity lib. Check out the full change log for 0.22.0 here. Want to learn more about the identity lib in general? Check out our intro video.

0.22.0

Features

Wallet API v2

Build digital ID wallets on the latest standards with the new Wallet API v2 in the Community Stack. It implements the finalized OID4VCI 1.0 and OID4VP 1.0 specifications with DCQL for credential matching, supporting SD-JWT VC, W3C VC, and ISO 18013-5 mDL credentials. Persistence and authentication are optional and pluggable, so you can run it stateless or with SQLite-backed storage depending on your setup.

Learn more here

New Issuer/Verifier Portal

We launched a new issuer/verifier portal based on the issuer2 and verifier2.

Checkout the portal here

OpenID4VCI, issuer2, and wallet runtime

  • Added refresh-token support and tests for issuer2 flows, including persistent refresh-token handling in the coordinated enterprise release (#1806).
  • Added authorization_details support to the token request builder for richer OAuth/OIDC token requests (#1803).
  • Advanced pushed authorization request work for issuer2 (WAL-853) (#1774).
  • Added issuer2 JWT VC metadata well-known path coverage for the 0.22 release line (WAL-985) (#1868).
  • Refactored OpenID4VCI base64 handling to use shared crypto utilities (WAL-1091) (#1867).
  • Fixed wallet-api/wallet-api2 routing and local SQLite directory creation issues that affected runtime deployments (#1809#1814#1851).

Verifier, policies, and credential status

  • Added policy exceptions for verifier policy handling (WAL-975) (#1863).
  • Updated conformance and wallet flows, coordinated with the enterprise conformance work (#1746).
  • Improved DID document key resolution when multiple keys are present and added regression coverage (#1857).
  • Updated TSE support and error messaging for clearer verifier/runtime failures (#1855).
  • Accepted additional token status list states and fixed x5c/x5chain protected-header handling for CWT status lists (WAL-1119) (#1848#1854).
  • Fixed broken trust-list examples and issuer2 test profile assumptions to keep examples and regression fixtures aligned (#1801#1847).

Mobile wallet SDK, demo apps, and crypto

  • Added the KMP mobile wallet SDK, mobile/server persistence split, shared wallet server adapter, Android and iOS native demo apps, and platform test utilities for issuance and presentation flows (WAL-1033) (#1748#1766).
  • Added a Compose Multiplatform wallet demo with shared UI/state, Android and iOS targets, EUDI/local enterprise fixtures, and expanded CI diagnostics (WAL-748) (#1800).
  • Reworked mobile crypto onto shared Signum/Supreme plumbing, added mobile software keys, fixed iOS JWK/public-key handling, and enabled Ed25519 and secp256k1 support for mobile wallets (WAL-447) (#1761#1768).
  • Closed iOS implementation gaps for DID JSON canonicalization, async policy verification, and COSE_Sign1 CWT proof verification (WAL-1033) (#1823).
  • Added wallet SDK KDoc and mobile docs CI checks so generated documentation remains part of the release workflow (WAL-1071, WAL-1065) (#1836).

Deployment, docs, and CI

  • Consolidated Helm charts around the api-service/portal setup, added verifier2 and wallet-api2 deployment artifacts, and pulled service Kubernetes configuration into the release workflows (WAL-1101, WAL-1108, WAL-1110) (#1822#1837).
  • Added TLS configuration for OPA ingress and wallet-api OpenAPI path routing (#1788#1814).
  • Refactored Gradle build steps, workflow references, and issuer2 CI wiring for the release branch (#1802#1812).
  • Fixed OpenAPI schema generation for serialized names containing / and JSON element examples (#1824).
  • Moved EBSI tests to the Java HTTP client to satisfy TLS 1.3 requirements (#1805).
  • Temporarily skipped, then re-enabled, EUDI mobile integration tests around the expired backend certificate window (#1856#1865).
  • Fixed protocol-library README rendering (#1872).

Enterprise Stack (0.22.0)

Below are the new feature highlights available through 0.22.0 of the Enterprise Stack. Check out the full change log for 0.22.0 here. Want to learn more about the enterprise stack in general? Check out our intro video.

0.22.0

Features

Wallet Service v2 (OID4VCI / OID4VP 1.0)

The Enterprise Wallet Service OID4VC 1.0 support has been refactored from its earlier, early-stage implementation into a stable v2. It runs alongside v1 on the same wallet resource—sharing the same keys, DIDs, and stored credentials—so you can adopt DCQL-based presentation matching for SD-JWT VC, W3C VC, and mDL credentials without migrating existing integrations off the v1 (Draft 11/13 OID4VCI, Draft 14/20 OID4VP) endpoints.

Learn more here

OIDC Bridge Service

Integrate Verifiable Credentials into existing IAM systems with our new OIDC Bridge service in the Enterprise Stack. Enable passwordless authentication using mDL, SD-JWT VC, or W3C credentials in Keycloak and Ory as well as other OIDC-compliant platforms—supporting cross-device QR flows, browser-native Digital Credentials API, and flexible claim mapping with zero custom integration required.

Learn more here

List Pagination & Sorting Across the Enterprise Stack

Query large result sets efficiently across every list endpoint in the Enterprise Stack—including resources, credentials, DIDs, keys, X.509 certificates, issuer and verifier sessions, policies, and status lists. Control page size and offset via limit/offset query parameters, with configurable default and maximum limits, and sort supported endpoints by creation or update time in ascending or descending order.

Learn more here

Multi-Region KMS Keys with Automatic Failover for AWS

Use high-availability signing keys in the Enterprise Stack KMS service using AWS KMS multi-region keys. Create a primary key with replicas across additional AWS regions, and enable automatic failover so signing operations transparently retry in a replica region if the primary becomes unavailable.

Learn more here

Issuer2 Updates

  • Added issuer2 refresh-token persistence and enterprise/keycloak refresh-grant coverage
  • Added PAR flow support for issuer2, aligned with RFC 9126
  • Added hard delete of credential profiles
  • Added issuer2 resource migrations and regression tests
  • Added custom session-id handling and issuer-state callback resolution for issuer2 pre-authorized and auth-code flows
  • Added JWT VC issuer metadata well-known path coverage for tenant-scoped issuer services

Explore the issuer2 docs here

Mobile Wallet SDK

  • Aligned enterprise tests and service adapters with the OSS mobile wallet SDK release, including Android/iOS mobile test coverage and enterprise companion work.
  • Enables the building of hybrid wallets using both the Enterprise Stack Wallet API as well as the wallet SDK.

Service Initialization

Added OpenBadgeCredential examples, OpenBadge ecosystem init configuration, and service/resource initialization improvements used by enterprise setup flows.

Credential Status, KMS, and Database Operations

  • Fixed AWS DocumentDB migration behavior and default-port issuer URL handling.
  • Fixed MongoDB clustered access, collation settings for the AWS DocumentDB 8 profile, recreate-database handling, docker-compose startup, and migration 0006 gaps.
  • Added profile configuration for AWS DocumentDB in deployment/config files and updated Helm values for AWS DocumentDB environments.
  • Accepted additional token status list states and moved x5chain to protected COSE headers for ISO 18013-5 compliance.
  • Fixed credential status full database scans and clarified expiresIn naming.
  • Added AWS multi-region KMS Swagger documentation and Azure key rotation test coverage.

Fixes an improvements

  • Refactored enterprise wallet2 adapters and controller routes to align with OSS API changes and conformance updates.
  • Reduced duplicate Keycloak test code and updated Keycloak tests for credential issuer and nonce endpoint metadata.
  • Removed obsolete issuer initialization models and stale submodule references while keeping the new init/resource APIs current.
  • Updated deployment workflow references, Helm values, and Kubernetes service configuration for the 0.22 branch.
  • Improved status-list and issuer2 regression coverage with test vectors, custom session tests, and well-known metadata tests.
  • Pinned Vue/reka-ui dependencies to stabilize the enterprise UI build.

Breaking Changes

Some v2 routes for the wallet api (specifically the isolated receive endpoints) have been deprecated in favor of our finalized versions which work similarly but have different paths and slightly different payloads. You can find more details in the Swagger regarding these changes


eIDAS2 in 3 Minutes

Our eIDAS2 video breaks down the European Digital Identity Wallet (EUDI Wallet) and what eIDAS 2 requires. You will learn: What eIDAS2 is, Who has to comply and by when, the three roles in the ecosystem and how to become compliant.

Watch the Video

Notes from dice 2026

Charalampos from our engineering team attended dice 2026 — the Digital Identity unConference Europe — in Copenhagen.

A few highlights from the sessions:

  • DC API was one of the hottest topics, alongside strong interest in EUDI, trusted issuers and verifiers
  • OpenID4VP/VCI updates (HPKE, IAE, nested flows, credential metadata after issuance) are nearing completion.
  • The conversation has clearly shifted from defining standards to deploying production-ready EUDI Wallet ecosystems, with interoperability, governance, and certification now the central challenges
  • Business wallets and delegated AI agent identities came up repeatedly as open questions/emerging topics not yet answered.


PS: If you enjoy working with our tools, make sure to leave us a ⭐ on GitHub