Configuration reference
Learn all available configuration options.
All parameters are public unless otherwise noted. Nested parameters are written with periods between levels. For example, for this entry:
public:
issuance:
enabled:
urlScheme:
The first parameter is issuance.enabled and the second parameter is
issuance.urlScheme.
format
The system supports the following credential formats:
type | Resulting credential |
|---|---|
SD_JWT_VC | IETF SD-JWT VC |
MDOC | ISO mdoc |
JSON_LD_BBSPLUS | W3C VCDM 2.0 with BBS+ Data Integrity proof |
JSON_LD_CLASSIC | W3C VCDM 2.0 with Data Integrity proof |
SD_JWT | W3C VCDM 2.0 with enveloping SD-JWT proof |
JWT | W3C VCDM 2.0 with enveloping JWT proof |
PHYSICAL_CARD | W3C VC Barcodes (verification only) |
format params
| Name | Type | Default | Description |
|---|---|---|---|
leeway | number | undefined | Tolerance allowed, in seconds, in time and date variance between issuer and holder. |
msoExpiresIn | number | undefined | The time, in seconds, after which an mdoc can no longer be validated; cannot use fractions of a second. |
msoExpectedUpdateIn | number | undefined | The time, in seconds, after which the issuer expects the wallet to request a new MSO for an mdoc. |
msoMinimumRefreshTime | number | undefined | The minimum time, in seconds, that a wallet must wait before a new MSO can be returned. |
embedLayoutProperties | boolean | false | If true, credential design properties are embedded in the metadata field of schemas. |
allowedContexts | url | See the list. | The list of allowed @contexts, if one has been specified. |
swiyuMode | boolean | false | If true, credential formatting is adjusted to interoperate with the Swiss e-ID "swiyu" Public Beta. |
allowedContexts
To protect a JSON-LD Data Integrity proof from post-issuance manipulation via
@context manipulation, Procivis One filters all JSON-LD credentials against
an allow list.
The system checks the contexts during the verification process, only allowing
the context defined by the schema plus any contexts in the allowedContexts
params. If a presentation contains any additional context it will be invalidated.
If no value is entered in the allowedContexts param, the system defaults to
allowing the following contexts:
- https://www.w3.org/ns/credentials/v2
- https://www.w3.org/2018/credentials/v1
- https://w3c.github.io/vc-bitstring-status-list/contexts/v1.jsonld
- https://w3id.org/security/data-integrity/v2
If any value is entered in the allowedContexts param, the default values no
longer apply and must be added to be allowed.
issuanceProtocol
The system supports the following issuance protocols:
type | Description |
|---|---|
OPENID4VCI_DRAFT13 | OpenID for Verifiable Credential Issuance - draft 13 (ID-1) |
OPENID4VCI_DRAFT13_SWIYU | OID4VCI - draft 13, adjusted to interoperate with the Swiss e-ID "swiyu" Public Beta |
issuanceProtocol params
| Name | Type | Default | Description |
|---|---|---|---|
preAuthorizedCodeExpiresIn | number | undefined | Expiration time, in seconds, for code authorizing wallet to obtain credentials. |
tokenExpiresIn | number | undefined | Expiration time, in seconds, for an access token issued to a wallet. |
refreshExpiresIn | number | undefined | Expiration time, in seconds, for a refresh token issued to a wallet. |
enabled | boolean | true | Set to false to disable issuance via OID4VCI. |
redirectUri.enabled | boolean | false | Set to false to disable setting a redirect URI during credential creation. |
redirectUri.allowedSchemes | string | undefined | List of URI schemes (for example https or myapp) allowed for redirect URIs during credential creation. If empty or not configured, all redirect URIs will be rejected. |
urlScheme | string | openid-credential-offer | Specify the credential offer URL scheme. |
verificationProtocol
The system supports the following verification protocols:
type | Description |
|---|---|
OPENID4VP_DRAFT20 | OpenID for Verifiable Presentations - draft 20 |
OPENID4VP_DRAFT20_SWIYU | OID4VP - draft 20, adjusted to interoperate with the Swiss e-ID "swiyu" Public Beta |
OPENID4VP_DRAFT25 | OpenID for Verifiable Presentations - draft 25 |
ISO_MDL | ISO/IEC 18013-5:2021 |
SCAN_TO_VERIFY | Verifiable Credential Barcodes v0.7 |
verificationProtocol params
All parameters apply only to instances of OID4VP:
| Name | Type | Default | Description |
|---|---|---|---|
useRequestUri | boolean | false | If true, the proof requests you make will use request URIs with which the wallet must make HTTP calls to fetch the request. This is recommended if using QR codes. If false, the proof request will be readable from the resulting URL without an HTTP call. |
enabled | boolean | true | Set to false to disable verification via OID4VCP. |
redirectUri.enabled | boolean | true | Set to false to disable setting a redirect URI during proof request creation. |
redirectUri.allowedSchemes | string | undefined | List of URI schemes (for example https or myapp) allowed for redirect URIs during proof request creation. If empty or not configured, all redirect URIs will be rejected. |
urlScheme | openid4vp | mdoc-openid4vp | openid4vp | For an ISO mdoc instance of the OID4VC exchange, use mdoc-openid4vp. |
x509CaCertificate | string | undefined | List of Certificate Authority (CA) certificates used to validate verifier authenticity. Any verifier must present a certificate that is signed by one of these trusted CAs. Connection attempts from verifiers with certificates signed by unlisted CAs will be automatically rejected. |
verifier.supportedClientIdSchemes | verifier_attestation | redirect_uri | did | x509_san_dns | verifier_attestation | redirect_uri | did | List of all Client ID Schemes that can be used for verification. If no scheme is specified via the API, the first compatible scheme from the list is used. |
holder.supportedClientIdSchemes | verifier_attestation | redirect_uri | did | x509_san_dns | verifier_attestation | redirect_uri | did | List of all Client ID Schemes that can be used by the wallet during verification. |
revocation
The system supports the following revocation methods:
type | Description |
|---|---|
LVVC | Linked Validity Verifiable Credentials |
BITSTRINGSTATUSLIST | Bitstring Status List |
TOKENSTATUSLIST | Token Status List |
MDOC_MSO_UPDATE_SUSPENSION | Suspension for mdoc credentials |
NONE | No revocation method; issued credentials cannot be revoked and remain valid indefinitely |
revocation params
| Name | Type | Default | Description |
|---|---|---|---|
format | JWT | null | For BITSTRINGSTATUSLIST, encode the list as a JWT. |
private.credentialExpiry | number | null | For LVVC, the time, in seconds, after which an issued LVVC expires. |
private.minimumRefreshTime | number | null | For LVVC, the time, in seconds, after which a wallet can request a new LVVC. |
identifier
Use this object to enable or disable the use of different types of
identifiers. Create an instance of each kind and use the enabled
flag.
| Type | Description |
|---|---|
DID | DID methods |
CERTIFICATE | X.509 certificates |
KEY | Key algorithms |
For example:
identifier:
DID:
display: 'identifier.did'
enabled: true
order: 0
CERTIFICATE:
display: 'identifier.certificate'
enabled: true
order: 1
KEY:
display: 'identifier.key'
enabled: true
order: 2
did
The system supports the following DID methods:
| Type | Description |
|---|---|
WEB | did:web |
KEY | did:key |
JWK | did:jwk |
WEBVH | did:webvh (formerly did:tdw) |
did params
| Name | Type | Default | Description |
|---|---|---|---|
keys.min | number | undefined | Sets the minimum number of keys that must be specified for a DID. |
keys.max | number | undefined | Sets the maximum number of keys allowed for a DID. |
keys.authentication | number | undefined | Use .min and .max to set allowable range of keys for the authentication verification method. |
keys.assertionMethod | number | undefined | Use .min and .max to set allowable range of keys for the assertion method verification method. |
keys.keyAgreement | number | undefined | Use .min and .max to set allowable range of keys for the key agreement verification method. |
keys.capabilityInvocation | number | undefined | Use .min and .max to set allowable range of keys for the capability invocation verification method. |
keys.capabilityDelegation | number | undefined | Use .min and .max to set allowable range of keys for the capability delegation verification method. |
private.maxDidLogEntryCheck | number | undefined | For did:webvh, sets how many log entries the system will check during verification, starting from the most recent. |
private.externalHostingUrl | string | undefined | For did:webvh, sets a custom external host for DID documents. Document uploading must still be integrated. |
keyAlgorithm
The system supports the following key algorithms:
| Type | Description |
|---|---|
BBS_PLUS | BBS+ Signature Scheme |
EDDSA | EdDSA |
ES256 | ECDSA |
DILITHIUM | CRYSTALS-DILITHIUM |
When creating your configuration, you must use these values as the instance
name. There is no type for key algorithms.
keyAlgorithm params
| Name | Type | Default | Description |
|---|---|---|---|
algorithm | Ed25519 | undefined | For EDDSA, specify the Ed25519 implementation. |
algorithm | ES256 | undefined | For ES256, specify the P-256 curve with SHA-256 as the hashing algorithm. |
algorithm | CRYDI3 | undefined | For DILITHIUM, specify the CRYDI3 algorithm. |
keyStorage
The system supports the following key storage types:
| Type | Description |
|---|---|
INTERNAL | Encrypted internal database. |
AZURE_VAULT | Azure Key Vault. |
SECURE_ELEMENT | Hardware storage for equipped mobile devices. |
REMOTE_SECURE_ELEMENT | Hardware security module (HSM) for mobile devices; uses Ubiqu. |
keyStorage params
| Name | Type | Default | Description |
|---|---|---|---|
private.encryption | string | undefined | For INTERNAL storage, specify the encryption key of the database. |
private.vaultUrl | url | undefined | For AZURE_VAULT storage, specify the URL of the vault. |
private.clientId | string | undefined | For AZURE_VAULT storage, specify the client ID. |
datatype
The system supports the following data types:
| Type | Description |
|---|---|
STRING | Text values of any length. Examples: "Hello", "123abc" |
NUMBER | Numeric values provided as strings. Examples: "123", "-456", "123.456" |
DATE | ISO 8601 formatted dates and/or RFC 3339 formatted datetimes, depending on the mandatory format param. Supports min and max parameters in YYYY-MM-DD format for date range validation. Example: min: 2024-01-01 |
FILE | Base64-encoded files using Data URL format:data:[MIME type];base64,[encoded data]Example: data:image/png;base64,iVBORw0KGgoAAAA...File types can be restricted using the accept parameter. If not specified, all file types are allowed. |
BOOLEAN | Case-sensitive boolean values. Only true or false are accepted. |
OBJECT | Container type for nested data structures. Can hold any other supported datatype, including other objects. Used for creating hierarchical claim structures. See the claims object - nested claims guide. |
ARRAY | Modifier that allows multiple values for a single key. Can be applied to any other datatype. See the claims object - arrays guide. |
datatype params
| Name | Type | Default | Description |
|---|---|---|---|
min/max | number | date | NOW | undefined | For NUMBER: Sets the minimum/maximum allowed numeric valueFor DATE: Sets the earliest/latest allowed date. Use "NOW" to represent the current date or date-time. |
pattern | string | undefined | Regular expression pattern for STRING validation.Example: '^[A-Z]{2}[0-9]{6}$' for a passport number |
accept | string | undefined | Array of allowed MIME types for FILE.Example: - image/jpeg- image/png |
fileSize | number | undefined | Maximum allowed file size in bytes for FILE type. |
encodeAsMdlPortrait | boolean | false | When true, encodes uploaded images according to ISO 18013-5 Mobile Driving License portrait specifications. |
format | date | datetime | undefined | For DATE: choose whether to use and accept date (example: 2024-01-22) or datetime (example: "2024-01-22T15:57:53.123456Z") or both. |
preferredFormat* | date | datetime | undefined | Set which format should be used in the frontend. If a value is passed here, it must be in format. |
error* | string | undefined | Custom error message displayed when validation fails. Example: "Please enter a valid passport number" |
autocomplete* | boolean | false | Enables browser autocomplete suggestions for form fields. |
placeholder* | string | undefined | Placeholder text shown in empty form fields. Example: "Enter your passport number" |
showAs* | string | undefined | UI display mode for FILE type. Supported values: IMAGE, PDF, DOCUMENT |
* UI-only parameters passed to the frontend without backend validation.
task
The system supports the following tasks:
| Type | Description |
|---|---|
HOLDER_CHECK_CREDENTIAL_STATUS | Runs a check on the status of held credentials, and updates accordingly. Pass organisationId: UUID in the params to specify the organization to check. |
RETAIN_PROOF_CHECK | Runs a check on claims data against its expireDuration. If the claims data has expired, the system deletes it. |
SUSPEND_CHECK | Runs a check on suspensions with a defined duration. If the duration has passed, the credential is reactivated. |
task params
No parameters supported.
trustManagement
The system supports the following trust management models:
| Type | Description |
|---|---|
SIMPLE_TRUST_LIST | Procivis Trust Registry |
trustManagement params
| Name | Type | Default | Description |
|---|---|---|---|
enablePublishing | boolean | false | If true the Core instance is a publisher of trust anchors. If false it only consumes or updates a trust anchor managed by the Core instance that publishes. |
transport
The system supports the following transport protocols:
| Type | Description |
|---|---|
HTTP | Hypertext Transfer Protocol is the request-response protocol for the World Wide Web. |
BLE | Bluetooth Low Energy can be used by mobile wallets and mobile verifiers to send, request and receive proofs. |
MQTT | MQTT is a publish-subscribe network protocol for device communication, and can be used by mobile wallets and mobile verifiers to send, request and receive proofs. |
transport params
| Name | Type | Default | Description |
|---|---|---|---|
private.brokerUrl | url | undefined | For MQTT, specify the broker server for publishing and subscribing. |
transport order
For systems with multiple transport protocols enabled, use the order to set
fallback preferences for which transport protocol to use.
The transport protocol to use in any given interaction can be specified
at the beginning of the interaction. When this is not fully specified, the order of
protocols in the configuration becomes a fallback value for determining which to use.
See the relevant transport object guide for how the system determines which protocol to use:
- Verification - Proof request - transport array
- Holding - Handle invitation - transport array
cacheEntities
The following entities are managed through the cache:
| Type | Description |
|---|---|
STATUS_LIST_CREDENTIAL | Status of credentials with a status list type of revocation. |
DID_DOCUMENT | DID documents for DIDs resolved with a web call. |
JSON_LD_CONTEXT | @contexts for JSON-LD credentials. |
VCT_METADATA | Type metadata for SD-JWT VCs. |
JSON_SCHEMA | Schemas for data validation of SD-JWT VCs. |
TRUST_LIST | Trust lists for trust management. |
See the caching guide for cache configuration options.
cacheEntities params
No parameters supported.
openidProvider
This object configures OpenID Connect providers for OpenID Bridge-enabled instances of the Desk API.
| Name | Type | Default | Description |
|---|---|---|---|
enabled | boolean | true | If false, Bridge is disabled and OpenID providers cannot be added or managed. If true, Bridge is enabled and OpenID providers can be added and managed. |
credentialLoginDisabled | boolean | false | If true, login to Desk with a credential is disabled. If false, users can log in to Desk with a credential. |
openidProvider params
No parameters supported.
app
The system supports the following server settings:
| Name | Type | Default | Description |
|---|---|---|---|
databaseUrl | string | undefined | URL for server database. |
coreBaseUrl | string | undefined | Base URL of the Core instance. |
authToken | string | undefined | Authorization token for the Core API. This should be updated for security. |
serverIp | string | undefined | Server address of the Core instance. |
serverPort | string | undefined | Port number of the Core instance. |
traceJson | boolean | undefined | Whether to enable JSON tracing information for debugging API calls. |
enableExternalEndpoints | boolean | true | When enabled, allows the usage of all /ssi endpoints. In a segregated network zone environment, set this to true for the public zone deployment. |
enableManagementEndpoints | boolean | false | When enabled, allows the usage of all /api endpoints. In a segregated network zone environment, set this to true for the internal zone deployment and false for the public zone deployment. |
traceLevel | string | undefined | Controls the logging verbosity for different components using a comma-separated list of namespace=level pairs. |
sentryDsn | string | undefined | DSN for Sentry error tracking integration. |
sentryEnvironment | string | undefined | Specifies the environment name to attach to error reports sent to Sentry. |
hideErrorResponseCause | boolean | false | When enabled, strips internal error details from API error responses sent to clients. This should typically be enabled in production to avoid exposing sensitive implementation details in error messages, while disabled in development for easier debugging. |
allowInsecureHttpTransport | boolean | false | When enabled, allows HTTP communication without TLS/SSL encryption. This should only be enabled in development environments or controlled internal networks. |
insecureVcApiEndpointsEnabled | boolean | false | When enabled, allows /vc-api endpoints benchmarking with canivc.com. |