Auto-Generate Keys for Credential Issuance
Configure the system to automatically generate a dedicated key pair for each credential you receive.
Configuration Steps
1. Define security levels
Configure keySecurityLevel to specify which key storage types are
available at each security level.
Configuration requirements:
- Create an instance for each security level you want to support (values
come from OpenID4VCI security levels): BASIC, ENHANCED_BASIC, MODERATE, HIGH
- Set params.public.holder.priority to control which level is preferred
(higher = more preferred)
- List available key storages in params.public.holder.keyStorages in order
of preference
Example:
keySecurityLevel:
  BASIC:
    display: keySecurityLevel.basic
    order: 10 # This value is not involved in auto-generation logic
    params:
      public:
        holder:
          priority: 10
          keyStorages: ["INTERNAL"]
  MODERATE:
    display: keySecurityLevel.moderate
    order: 30
    params:
      public:
        holder:
          priority: 30
          keyStorages: ["SECURE_ELEMENT"]
  HIGH:
    display: keySecurityLevel.high
    order: 40
    params:
      public:
        holder:
          priority: 40
          keyStorages: ["REMOTE_SECURE_ELEMENT"]
2. Set key algorithm priorities
Assign a holderPriority to each key algorithm to indicate your preference
(higher = more preferred).
Example:
keyAlgorithm:
  EDDSA:
    display: "keyAlgorithm.eddsa"
    order: 0
    params: null
    holderPriority: 50
  ECDSA:
    display: "keyAlgorithm.ecdsa"
    order: 1
    params: null
    holderPriority: 100
How the system generates keys
When you call POST /api/interaction/v1/issuance-accept (or the
corresponding function in the SDK) without specifying an identifierId,
the system automatically generates a new key using this logic:
- All possible combinations of key storage and key algorithm are ordered according to your configuration
- The system goes through these in order and uses the first one that meets the issuer's restrictions
- If no such combination is found, the system returns error BR_0217
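The selection order described above, as an added Python sketch (not the product's own code) built on the priorities from the two configuration examples. It assumes security-level priority is compared before algorithm holderPriority and that issuer restrictions are two allow-lists; the page specifies neither, and the function and exception names are hypothetical.

```python
from itertools import product

# Values copied from the page's two configuration examples.
KEY_SECURITY_LEVEL = {
    "BASIC": {"priority": 10, "keyStorages": ["INTERNAL"]},
    "MODERATE": {"priority": 30, "keyStorages": ["SECURE_ELEMENT"]},
    "HIGH": {"priority": 40, "keyStorages": ["REMOTE_SECURE_ELEMENT"]},
}
KEY_ALGORITHM = {"EDDSA": {"holderPriority": 50}, "ECDSA": {"holderPriority": 100}}


class NoUsableKeyCombination(Exception):
    """Stands in for the BR_0217 error the page mentions."""
    code = "BR_0217"


def ordered_candidates(levels=KEY_SECURITY_LEVEL, algorithms=KEY_ALGORITHM):
    """Return (level, storage, algorithm) tuples, most preferred first.

    ASSUMPTION: level priority outranks algorithm priority; the page only
    says combinations are "ordered according to your configuration".
    """
    storages = [
        (name, storage)
        for name, cfg in sorted(levels.items(), key=lambda kv: -kv[1]["priority"])
        for storage in cfg["keyStorages"]  # list order is the preference order
    ]
    algs = sorted(algorithms, key=lambda a: -algorithms[a]["holderPriority"])
    return [(lvl, st, alg) for (lvl, st), alg in product(storages, algs)]


def select_key(allowed_levels=None, allowed_algorithms=None):
    """Pick the first candidate the issuer accepts (None means unrestricted).

    ASSUMPTION: issuer restrictions are modelled as two allow-lists.
    """
    for lvl, storage, alg in ordered_candidates():
        if allowed_levels is not None and lvl not in allowed_levels:
            continue
        if allowed_algorithms is not None and alg not in allowed_algorithms:
            continue
        return lvl, storage, alg
    raise NoUsableKeyCombination("no key storage/algorithm pair satisfies the issuer")
```

Under these assumptions, an unrestricted issuer gets a REMOTE_SECURE_ELEMENT key with ECDSA, and the INTERNAL storage of the BASIC level is reached only when the issuer's restrictions rule out every higher-priority level.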