One Core configuration
- Parameters can be put in either
publicorprivate- Public parameters can be seen in the API (
/api/config/v1) - Private parameters are hidden from the API
- Public parameters can be seen in the API (
- Nested parameters are written with periods between levels
For example:
public:
redirectUri: # "redirectUri"
enabled: # "redirectUri.enabled"
Credential formats
Set which credential formats are available and their parameters with
the format object.
The system supports the following credential formats:
type | Resulting credential |
|---|---|
SD_JWT_VC | IETF SD-JWT VC |
MDOC | ISO mdoc |
JSON_LD_BBSPLUS | W3C VCDM 2.0 with BBS+ Data Integrity proof |
JSON_LD_CLASSIC | W3C VCDM 2.0 with Data Integrity proof |
SD_JWT | W3C VCDM 2.0 with enveloping SD-JWT proof |
JWT | W3C VCDM 2.0 with enveloping JWT proof |
PHYSICAL_CARD | W3C VC Barcodes (verification only) |
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
leeway | number | None | Tolerance allowed, in seconds, applied during credential validation to account for clock drift between systems. When set, credentials that are up to this many seconds before their nbf time or after their exp time will be accepted. This prevents valid credentials from being rejected due to minor timing differences between issuer and verifier systems. |
msoExpiresIn | number | None | The time, in seconds, after which an mdoc can no longer be validated; cannot use fractions of a second. |
msoExpectedUpdateIn | number | None | The time, in seconds, after which the issuer expects the wallet to request a new MSO for an mdoc. |
msoMinimumRefreshTime | number | None | The minimum time, in seconds, that a wallet must wait before a new MSO can be returned. |
embedLayoutProperties | boolean | false | If true, credential design properties are embedded in the metadata field of schemas. |
allowedContexts | url | See the list. | The list of allowed @contexts, if one has been specified. |
swiyuMode | boolean | false | If true, credential formatting is adjusted to interoperate with the Swiss e-ID "swiyu" Public Beta. For use with SD_JWT_VC. |
allowedContexts
To protect a JSON-LD Data Integrity proof from post-issuance manipulation via
@context manipulation, Procivis One filters all JSON-LD credentials against
an allow list.
The system checks the contexts during the verification process, only allowing
the context defined by the schema plus any contexts in the allowedContexts
params. If a presentation contains any additional context it will be invalidated.
If no value is entered in the allowedContexts param, the system defaults to
allowing the following contexts:
- https://www.w3.org/ns/credentials/v2
- https://www.w3.org/2018/credentials/v1
- https://w3c.github.io/vc-bitstring-status-list/contexts/v1.jsonld
- https://w3id.org/security/data-integrity/v2
If any value is entered in the allowedContexts param, the default values no
longer apply and must be added to be allowed.
Issuance protocols
Set which issuance protocols are available with the issuanceProtocol
object.
The system supports the following issuance protocols:
type | Description |
|---|---|
OPENID4VCI_FINAL1 | OpenID for Verifiable Credential Issuance 1.0 |
OPENID4VCI_DRAFT13 | OpenID for Verifiable Credential Issuance - draft 13 (ID-1) |
OPENID4VCI_DRAFT13_SWIYU | OID4VCI - draft 13, adjusted to interoperate with the Swiss e-ID "swiyu" Public Beta |
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
preAuthorizedCodeExpiresIn | number | None | The expiration time in seconds for pre-authorized codes used in the pre-authorized code flow. |
tokenExpiresIn | number | None | The expiration time in seconds for access tokens issued by the token endpoint. |
refreshExpiresIn | number | None | The expiration time in seconds for refresh tokens. Refresh tokens allow holders to obtain new access. |
enabled | boolean | true | Set to false to disable issuance via OID4VCI. |
enableCredentialPreview | boolean | true | By default the system includes preview values of credential offers during issuance. Set this to false to disable previews. |
nonce.signingKey | string | None | For OpenID4VCI v1.0: Provide a symmetric key for nonce creation. |
nonce.expiration | number | None | For OpenID4VCI v1.0: Expiration time, in seconds, for nonce validity. |
redirectUri.enabled | boolean | false | Set to false to disable setting a redirect URI during credential creation. |
redirectUri.allowedSchemes | string | None | List of URI schemes (for example https or myapp) allowed for redirect URIs during credential creation. If empty or not configured, all redirect URIs will be rejected. |
urlScheme | string | openid-credential-offer | Use this to set a custom URL scheme for credential offer URIs. |
rejectionIdentifier.didMethod | string | None | For wallets: specify a DID method by configuration instance name to enable generation of temporary identifiers when rejecting an issuance offer. |
rejectionIdentifier.keyAlgorithm | string | None | For wallets: specify a key algorithm by configuration instance name (for example ECDSA) to enable generation of temporary identifiers when rejecting an issuance offer. |
Verification protocols
Set which verification protocols are available with the verificationProtocol
object.
The system supports the following verification protocols:
type | Description |
|---|---|
OPENID4VP_DRAFT20 | OpenID for Verifiable Presentations - draft 20 |
OPENID4VP_DRAFT20_SWIYU | OID4VP - draft 20, adjusted to interoperate with the Swiss e-ID "swiyu" Public Beta |
OPENID4VP_DRAFT25 | OpenID for Verifiable Presentations - draft 25 |
OPENID4VP_FINAL1 | OpenID for Verifiable Presentations 1.0 |
ISO_MDL | ISO/IEC 18013-5:2021 |
SCAN_TO_VERIFY | Verifiable Credential Barcodes v0.7 |
Parameters
All parameters apply only to instances of OID4VP:
| Name | Type | Default | Description |
|---|---|---|---|
useRequestUri | boolean | false | If true, the proof requests you make will use request URIs with which the wallet must make HTTP calls to fetch the request. This is recommended if using QR codes. If false, the proof request will be readable from the resulting URL without an HTTP call. |
enabled | boolean | true | Set to false to disable verification via OID4VCP. |
redirectUri.enabled | boolean | true | Set to false to disable setting a redirect URI during proof request creation. |
redirectUri.allowedSchemes | string | None | List of URI schemes (for example https or myapp) allowed for redirect URIs during proof request creation. If empty or not configured, all redirect URIs will be rejected. |
urlScheme | openid4vp | mdoc-openid4vp | eudi-openid4vp | openid4vp-final | openid4vp | For OID4VP 1.0, use openid4vp-final. For an ISO mdoc instance of the OID4VC exchange, use mdoc-openid4vp. For interop with EUDI, use eudi-openid4vp. |
verifier.useDcql | boolean | true | For OPENID4VP_DRAFT25 only, set this to false to use Presentation Exchange as the query language. |
verifier.supportedClientIdSchemes | verifier_attestation | redirect_uri | did | x509_san_dns | verifier_attestation | redirect_uri | did | List of all Client ID Schemes that can be used for verification. If no scheme is specified via the API, the first compatible scheme from the list is used. |
holder.supportedClientIdSchemes | verifier_attestation | redirect_uri | did | x509_san_dns | verifier_attestation | redirect_uri | did | List of all Client ID Schemes that can be used by the wallet during verification. |
Verification engagement types
For mobile configurations, set which types of verification engagement
are available with the verificationEngagement object.
The system supports the following device engagement types:
verificationEngagement:
QR_CODE: # Reference this for QR code device engagement
display: verificationEngagement.qrCode
order: 1
enabled: true
NFC: # Reference this for NFC device engagement
display: verificationEngagement.nfc
order: 2
enabled: true
You will reference these configuration entries when calling "Propose proof" (wallet) or "Create proof request" (verifier).
Revocation methods
Set which revocation methods are available with the revocation object.
The system supports the following revocation methods:
type | Description |
|---|---|
LVVC | Linked Validity Verifiable Credentials |
BITSTRINGSTATUSLIST | Bitstring Status List |
TOKENSTATUSLIST | Token Status List |
MDOC_MSO_UPDATE_SUSPENSION | Suspension for mdoc credentials |
NONE | No revocation method; issued credentials cannot be revoked and remain valid indefinitely |
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
format | JWT | null | For BITSTRINGSTATUSLIST, encode the list as a JWT. |
credentialExpiry | number | null | For LVVC, the time, in seconds, after which an issued LVVC expires. |
minimumRefreshTime | number | null | For LVVC, the time, in seconds, after which a wallet can request a new LVVC. |
Identifiers
Set which types of identifiers are available with the identifiers object.
The system supports the following identifiers:
| Type | Description |
|---|---|
DID | DID methods |
CERTIFICATE | X.509 certificates |
KEY | Key algorithms |
Create an instance of each kind and use the enabled flag. For example:
identifier:
DID:
display: 'identifier.did'
enabled: true
order: 0
CERTIFICATE:
display: 'identifier.certificate'
enabled: true
order: 1
KEY:
display: 'identifier.key'
enabled: true
order: 2
DID methods
Set which DID methods are available with the did object.
The system supports the following DID methods:
| Type | Description |
|---|---|
WEB | did:web |
KEY | did:key |
JWK | did:jwk |
WEBVH | did:webvh (formerly did:tdw) |
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
keys.min | number | None | Sets the minimum number of keys that must be specified for a DID. |
keys.max | number | None | Sets the maximum number of keys allowed for a DID. |
keys.authentication | number | None | Use .min and .max to set allowable range of keys for the authentication verification method. |
keys.assertionMethod | number | None | Use .min and .max to set allowable range of keys for the assertion method verification method. |
keys.keyAgreement | number | None | Use .min and .max to set allowable range of keys for the key agreement verification method. |
keys.capabilityInvocation | number | None | Use .min and .max to set allowable range of keys for the capability invocation verification method. |
keys.capabilityDelegation | number | None | Use .min and .max to set allowable range of keys for the capability delegation verification method. |
maxDidLogEntryCheck | number | None | For did:webvh, sets how many log entries the system will check during verification, starting from the most recent. |
externalHostingUrl | string | None | For did:webvh, sets a custom external host for DID documents. Document uploading must still be integrated. |
Key algorithms
Set which key algorithms are available with the keyAlgorithm object.
The system supports the following key algorithms:
| Type | Description |
|---|---|
BBS_PLUS | BBS+ Signature Scheme |
EDDSA | EdDSA (Ed25519) |
ECDSA | ECDSA (ES256) |
DILITHIUM | CRYSTALS-DILITHIUM (CRYDI3) |
When creating your configuration, you must use these values as the instance
name. There is no type for key algorithms.
Parameters
No parameters supported.
Key storage types
Set which key storage types are available with the keyStorage object.
The system supports the following key storage types:
| Type | Description |
|---|---|
INTERNAL | Encrypted internal database. |
AZURE_VAULT | Azure Key Vault. |
SECURE_ELEMENT | Hardware storage for equipped mobile devices. |
REMOTE_SECURE_ELEMENT | Hardware security module (HSM) for mobile devices; uses Ubiqu. |
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
encryption | string | None | For INTERNAL storage, specify the encryption key of the database. |
vaultUrl | url | None | For AZURE_VAULT storage, specify the URL of the vault. |
clientId | string | None | For AZURE_VAULT storage, specify the client ID. |
Holder key storage types
For issuers and verifiers: use the holderKeyStorage object to configure
which wallet key storage types your system accepts. This determines the
wallet requirements you specify when creating credential schemas.
| Value | Description |
|---|---|
SOFTWARE | Allows wallets using software-based key storage. |
HARDWARE | Allows wallets using hardware-based key storage. |
REMOTE_SECURE_ELEMENT | Allows wallets using remote secure element key storage. |
EUDI_COMPLIANT | Allows wallets that meet EUDI compliance requirements: hardware or remote secure element key storage, plus a valid wallet unit attestation. |
How it works
When creating a credential schema, you can optionally set a
walletStorageType to specify wallet requirements for issuance. The options
available in this field are determined by which storage types you have
enabled in holderKeyStorage. The same applies to proof schemas that
reference these credentials schemas.
Example configuration
holderKeyStorage:
SOFTWARE:
display: "holderKeyStorage.software"
order: 10
enabled: false # Disable software storage
HARDWARE:
display: "holderKeyStorage.hardware"
order: 14
REMOTE_SECURE_ELEMENT:
display: "holderKeyStorage.remoteSecureElement"
order: 20
EUDI_COMPLIANT:
display: "holderKeyStorage.eudiCompliant"
order: 30
With this configuration, the system would prevent:
- Creating new credential schemas with
walletStorageTypeset toSOFTWARE - Issuing credentials or requesting proofs using existing schemas with this
walletStorageType
Data types
Set how data types are validated with the datatype object.
The system supports the following data types:
| Type | Description |
|---|---|
STRING | Text values of any length. Examples: "Hello", "123abc" |
NUMBER | Numeric values provided as strings. Examples: "123", "-456", "123.456" |
DATE | ISO 8601 formatted dates and/or RFC 3339 formatted datetimes, depending on the mandatory format param. Supports min and max parameters in YYYY-MM-DD format for date range validation. Example: min: 2024-01-01 |
PICTURE | Base64-encoded pictures using Data URL format:data:[MIME type];base64,[encoded data]Example: data:image/png;base64,iVBORw0KGgoAAAA...File types can be restricted using the accept parameter. If not specified, all file types are allowed. |
SWIYU_PICTURE | Similar to PICTURE but adjusted to interop with the Swiss "swiyu" wallet ecosystem. |
BOOLEAN | Case-sensitive boolean values. Only true or false are accepted. |
OBJECT | Container type for nested data structures. Can hold any other supported datatype, including other objects. Used for creating hierarchical claim structures. See the claims object - nested claims guide. |
ARRAY | Modifier that allows multiple values for a single key. Can be applied to any other datatype. See the claims object - arrays guide. |
Parameters by base data type
* UI-only parameters passed to the frontend without backend validation.
note
OBJECT and ARRAY types don't have specific validation parameters as
they serve as structural containers for other data types.
STRING
| Name | Type | Default | Description |
|---|---|---|---|
pattern | string | None | Regular expression pattern for validation. Example: '^[A-Z]{2}[0-9]{6}$' for a passport number |
holder.valueExtraction | ENABLED | ENABLED_FALLBACK | DISABLED | DISABLED | Controls data type extraction and extraction priority when receiving credentials as a holder. ENABLED providers attempt extraction first (unordered); if all fail, ENABLED_FALLBACK providers are used. DISABLED prevents extraction. |
error* | string | None | Custom error message displayed when validation fails. Example: "Please enter a valid passport number" |
autocomplete* | boolean | false | Enables browser autocomplete suggestions for form fields. |
placeholder* | string | None | Placeholder text shown in empty form fields. Example: "Enter your passport number" |
supportedInputMode* | string | None | Specifies the UI input element type to display in the frontend. Example value: TEXT |
NUMBER
| Name | Type | Default | Description |
|---|---|---|---|
min | number | None | Sets the minimum allowed numeric value. |
max | number | None | Sets the maximum allowed numeric value. |
holder.valueExtraction | ENABLED | ENABLED_FALLBACK | DISABLED | DISABLED | Controls data type extraction and extraction priority when receiving credentials as a holder. ENABLED providers attempt extraction first (unordered); if all fail, ENABLED_FALLBACK providers are used. DISABLED prevents extraction. |
error* | string | None | Custom error message displayed when validation fails. |
autocomplete* | boolean | false | Enables browser autocomplete suggestions for form fields. |
placeholder* | string | None | Placeholder text shown in empty form fields. |
supportedInputMode* | string | None | Specifies the UI input element type to display in the frontend. Example value: NUMBER_INPUT |
DATE
| Name | Type | Default | Description |
|---|---|---|---|
formats | date | datetime | None | Choose whether to use and accept date (example: 2024-01-22) or datetime (example: 2024-01-22T15:57:53.123456Z) or both. |
min | date | NOW | None | Sets the earliest allowed date in YYYY-MM-DD format. Use "NOW" to represent the current date or date-time. |
max | date | NOW | None | Sets the latest allowed date in YYYY-MM-DD format. Use "NOW" to represent the current date or date-time. |
holder.valueExtraction | ENABLED | ENABLED_FALLBACK | DISABLED | DISABLED | Controls data type extraction and extraction priority when receiving credentials as a holder. ENABLED providers attempt extraction first (unordered); if all fail, ENABLED_FALLBACK providers are used. DISABLED prevents extraction. |
preferredFormat* | date | datetime | None | Set which format should be used in the frontend. If a value is passed here, it must be in formats. |
error* | string | None | Custom error message displayed when validation fails. |
autocomplete* | boolean | false | Enables browser autocomplete suggestions for form fields. |
placeholder* | string | None | Placeholder text shown in empty form fields. |
supportedInputMode* | string | None | Specifies the UI input element type to display in the frontend. Example value: DATE_PICKER |
PICTURE
| Name | Type | Default | Description |
|---|---|---|---|
accept | string | None | Array of allowed MIME types. Example: - image/jpeg- image/png |
fileSize | number | None | Maximum allowed file size in bytes. |
encodeAsMdlPortrait | boolean | false | When true, encodes uploaded images according to ISO 18013-5 Mobile Driving License portrait specifications. |
holder.valueExtraction | ENABLED | ENABLED_FALLBACK | DISABLED | DISABLED | Controls data type extraction and extraction priority when receiving credentials as a holder. ENABLED providers attempt extraction first (unordered); if all fail, ENABLED_FALLBACK providers are used. DISABLED prevents extraction. |
showAs* | string | None | UI display mode. Supported values: IMAGE |
error* | string | None | Custom error message displayed when validation fails. |
supportedInputMode* | string | None | Specifies the UI input element type to display in the frontend. Example value: FILE_UPLOAD |
SWIYU_PICTURE
| Name | Type | Default | Description |
|---|---|---|---|
accept | string | None | Array of allowed MIME types. Example: - image/jpeg- image/png |
fileSize | number | None | Maximum allowed file size in bytes. |
holder.valueExtraction | ENABLED | ENABLED_FALLBACK | DISABLED | DISABLED | Controls data type extraction and extraction priority when receiving credentials as a holder. ENABLED providers attempt extraction first (unordered); if all fail, ENABLED_FALLBACK providers are used. DISABLED prevents extraction. |
showAs* | string | None | UI display mode. Supported values: IMAGE |
error* | string | None | Custom error message displayed when validation fails. |
supportedInputMode* | string | None | Specifies the UI input element type to display in the frontend. Example value: FILE_UPLOAD |
BOOLEAN
| Name | Type | Default | Description |
|---|---|---|---|
holder.valueExtraction | ENABLED | ENABLED_FALLBACK | DISABLED | DISABLED | Controls data type extraction and extraction priority when receiving credentials as a holder. ENABLED providers attempt extraction first (unordered); if all fail, ENABLED_FALLBACK providers are used. DISABLED prevents extraction. |
supportedInputMode | string | None | Specifies the UI input element type to display in the frontend. Example value: CHECKBOX |
error* | string | None | Custom error message displayed when validation fails. |
Regular tasks
Set which tasks can be run at /api/task/v1/run with the task object.
The system supports the following tasks:
| Type | Description |
|---|---|
HOLDER_CHECK_CREDENTIAL_STATUS | Runs a check on the status of held credentials, and updates accordingly. Pass organisationId: UUID in the params to specify the organization to check. |
RETAIN_PROOF_CHECK | Runs a check on claims data against its expireDuration. If the claims data has expired, the system deletes it. |
SUSPEND_CHECK | Runs a check on suspensions with a defined duration. If the duration has passed, the credential is reactivated. |
CERTIFICATE_CHECK | Runs a check on certificates in the system and updates their state accordingly. |
Trust management
Set which trust management models are available with the trustManagement
object.
The system supports the following trust management models:
| Type | Description |
|---|---|
SIMPLE_TRUST_LIST | Procivis Trust Registry |
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
enablePublishing | boolean | false | If true the Core instance is a publisher of trust anchors. If false it only consumes or updates a trust anchor managed by the Core instance that publishes. |
Transport protocols
Set which protocols are available for exchanging credentials with the
transport object.
The system supports the following transport protocols:
| Type | Description |
|---|---|
HTTP | Hypertext Transfer Protocol is the request-response protocol for the World Wide Web. |
BLE | Bluetooth Low Energy can be used by mobile wallets and mobile verifiers to send, request and receive proofs. |
MQTT | MQTT is a publish-subscribe network protocol for device communication, and can be used by mobile wallets and mobile verifiers to send, request and receive proofs. |
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
brokerUrl | url | None | For MQTT, specify the broker server for publishing and subscribing. |
Transport order
For systems with multiple transport protocols enabled, use the order to set
fallback preferences for which transport protocol to use.
The transport protocol to use in any given interaction can be specified
at the beginning of the interaction. When this is not fully specified, the order of
protocols in the configuration becomes a fallback value for determining which to use.
See the relevant transport object guide for how the system determines which protocol to use:
- Verification - Proof request - transport array
- Holding - Handle invitation - transport array
Wallet Unit Attestation
Use the walletProvider object to configure Wallet Providing.
The system supports the following WUA models:
| Type | Description |
|---|---|
PROCIVIS_ONE | Implementation of wallet attestation according to OpenID4VCI and the ARF |
Parameters
| Name | Type | Default | Description |
|---|---|---|---|
walletName | string | None | The name of the wallet, to be included in the attestation. |
walletLink | url | None | A link for the wallet, to be included in the attestation. |
android.bundleId | string | None | The app bundle ID against which the Core checks Android wallet instances. |
android.signingCertificateFingerprints | string | None | The hashes of signing certificates used for the Android app. |
android.trustedAttestationCAs | PEM | None | The CAs used to sign the allowed Android apps. |
ios.bundleId | string | None | The app bundle ID against which the Core checks iOS wallet instances. |
ios.trustedAttestationCAs | PEM | None | The CAs used to sign the allowed iOS apps. |
ios.enforceProductionBuild | boolean | None | If true, wallet apps must be a production build. Set to false to allow debug builds. |
lifetime.expirationTime | number | None | In seconds, sets how long attestations are valid before expiring. |
lifetime.minimumRefreshTime | number | None | In seconds, sets how much time must elapse after issuance before wallet units can request a new attestation. |
integrityCheck.enabled | boolean | true | If true, enforces an app integrity check on wallet units requesting an attestation. |
integrityCheck.timeout | number | 300 | In seconds, sets how much time can elapse between the wallet calling the register and activate endpoints. |
The ios and Android blocks are optional, but all parameters are mandatory.
System cache
Set which entities are stored and the system cache and how memory is handled
with the cacheEntities object.
Cache entry format:
cacheEntities:
ENTITY_TYPE:
cacheType: DB
refreshAfter: 86400
cacheRefreshTimeout: 172800
cacheSize: 1000
| Parameter | Type | Description |
|---|---|---|
cacheType | DB | IN_MEMORY | DB: Stores cached entities in the configured database for persistence.IN_MEMORY: Stores cached entities in RAM for faster access. |
refreshAfter | number | Time, in seconds, after which the cache provider automatically refreshes an entry when it's retrieved. |
cacheRefreshTimeout | number | Maximum time, in seconds, the system will wait when refreshing an entry before returning an error. |
cacheSize | number | Maximum number of entries that can be stored in the cache at one time. |
Cached entities
| Type | Description |
|---|---|
STATUS_LIST_CREDENTIAL | Status of credentials with a status list type of revocation, including BITSTRINGSTATUSLIST and TOKENSTATUSLIST. When the signed list is accessed from the list URL, it is saved in the cache. Force a refresh to force external retrieval. |
DID_DOCUMENT | DID documents for DIDs resolved with a web call, such as did:web. This provides public keys for verifying signed tokens. Force a refresh to force external retrieval. |
JSON_LD_CONTEXT | For W3C VCs, the context describes the structure and fields expected of credentials of that type and is used in calculating proofs. These documents are not expected to change often, if at all. |
VCT_METADATA | SD-JWT VCs carry Type Metadata in the vct claim which can include human-readable information about the type of credential, a schema defining the structure of the credential and information on how to display the credential in the holder's wallet.For vcts not retrievable via the HTTP GET method, type metadata can be saved as a static resource. Add a vct to the /resource/sd_jwt_vc_vcts.json file in the system repository. When the Core is initialized, the types in the file are loaded into the cache as persistent entities. |
JSON_SCHEMA | SD-JWT VCs carry schema information, used for data validation, in schema or retrievable via the resource in schema_uri. These schemas are stored in the cache layer.JSON schemas can be saved as a static resource. Add schemas to the /resource/sd_jwt_vc_schemas.json file in the system repository. When the Core is initialized, the types in the file are loaded into the cache as persistent entities. |
TRUST_LIST | For the Procivis One Trust Registry, subscribed trust anchors are cached and incoming issuer and verifier DIDs are checked against this list to determine whether they are trusted. |
OPENID_METADATA | For wallets using OpenID4VCI, enable this to store issuer metadata. |
Blob storage
To improve database efficiency, some data objects are stored in a separate table in the database; this increases the speed of common queries. Stored entities include:
- Credentials
- Proofs
- Wallet unit attestations
Enable blob storage in the configuration:
blobStorage:
DB:
enabled: true
note
Disabling blob storage will cause application errors.
OpenID providers
Configure OpenID Connect providers for OpenID Bridge-enabled instances
of the Desk API with the openidProvider object.
| Name | Type | Default | Description |
|---|---|---|---|
enabled | boolean | true | If false, Bridge is disabled and OpenID providers cannot be added or managed. If true, Bridge is enabled and OpenID providers can be added and managed. |
credentialLoginDisabled | boolean | false | If true, login to Desk with a credential is disabled. If false, users can log in to Desk with a credential. |
Enabled OID4VCI issuers
For wallets using the issuer-initiated Authorization Code Flow of OpenID4VCI, set:
- Which issuers are enabled to offer credentials
- The Client ID to use with each enabled issuer
with the credentialIssuer object. All parameters are required:
| Name | Type | Default | Description |
|---|---|---|---|
issuer | URL | None | Specify the URL of the issuer to accept credential offers from. |
clientId | string | None | Specify which client ID to use with this issuer. |
For example:
credentialIssuer:
EXAMPLE_FLOW:
display:
en: Example Issuer
order: 1
enabled: true
params:
public:
issuer: https://example-issuer.com
private:
clientId: MY-WALLET
Server settings
Configure your server with the app object.
The system supports the following server settings:
| Name | Type | Default | Description |
|---|---|---|---|
databaseUrl | string | None | URL for server database. |
coreBaseUrl | string | None | Base URL of the Core instance. |
auth.mode | INSECURE_NONE | STATIC | STS | None | Authentication mode. Set whether no authentication is required, a static token is used, or the Secure Token Service (STS) of the one-bff service is used. |
auth.staticToken | string | None | Static bearer token used for authentication when auth.mode is set to STATIC. Required when using static mode, otherwise ignored. |
auth.stsTokenValidation.aud | string | None | Expected audience claim (aud) for STS-issued tokens. The Core validates that incoming tokens contain this audience value. Required when auth.mode is sts. |
auth.stsTokenValidation.iss | string | None | Expected issuer claim (iss) for STS-issued tokens. The Core validates that incoming tokens wwere issued by this authority. Required when auth.mode is sts. |
auth.stsTokenValidation.ttlJwks | number | None | Time-to-live (TTL), in seconds, for cached JWKS data. Controls how frequently the service refreshes the signing keys from the JWKS endpoint. |
auth.stsTokenValidation.jwksUri | string | None | URI endpoint for retrieving the JWKS containing public keys used to verify STS token signatures. Required when auth.mode is sts. |
serverIp | string | None | Server address of the Core instance. |
serverPort | string | None | Port number of the Core instance. |
traceJson | boolean | None | Whether to enable JSON tracing information for debugging API calls. |
enableExternalEndpoints | boolean | true | When enabled, allows the usage of all /ssi endpoints. In a segregated network zone environment, set this to true for the public zone deployment. |
enableManagementEndpoints | boolean | false | When enabled, allows the usage of all /api endpoints. In a segregated network zone environment, set this to true for the internal zone deployment and false for the public zone deployment. |
traceLevel | string | None | Controls the logging verbosity for different components using a comma-separated list of namespace=level pairs. |
sentryDsn | string | None | DSN for Sentry error tracking integration. |
sentryEnvironment | string | None | Specifies the environment name to attach to error reports sent to Sentry. |
hideErrorResponseCause | boolean | false | When enabled, strips internal error details from API error responses sent to clients. This should typically be enabled in production to avoid exposing sensitive implementation details in error messages, while disabled in development for easier debugging. |
allowInsecureHttpTransport | boolean | false | When enabled, allows HTTP communication without TLS/SSL encryption. This should only be enabled in development environments or controlled internal networks. |
enableServerInfo | boolean | false | When enabled, allows the /health and /build-info endpoints. |
enableMetrics | boolean | false | When enabled, allows the /metrics endpoint. |
insecureVcApiEndpointsEnabled | boolean | false | When enabled, allows /vc-api endpoints benchmarking with canivc.com. |