Release Notes
1.64.0 ⚠️
Breaking changes
Updates to credential holding
We've updated the way the system handles credential offers to align with common OpenID4VCI wallet implementations.
Before:
When wallet implementations used POST /api/interaction/v1/handle-invitation
to parse credential offers, the system would create the credential internally
before accepting. The response to handle-invitation included credentialIds,
allowing for a "credential preview" so users could review and choose whether
to accept.
After:
When wallet implementation use POST /api/interaction/v1/handle-invitation
to parse credential offers, the system no longer returns credentialIds.
Instead, it returns an "interactionType": "ISSUANCE". Wallets now need to
accept the credential directly using the /api/interaction/v1/issuance-accept
endpoint, which returns the credentialId.
Users can then review the accepted credential and, if within the token expiration time, choose to reject the issuance. Rejecting sends a "deleted" notification to issuers who support OpenID4VCI notifications.
What's changed:
| Endpoint | Before | After |
|---|---|---|
handle-invitation | Returns credentialIds array | Returns interactionType: "ISSUANCE" |
issuance-accept | Not required for pre-auth flow | Required for all flows; returns for credentialId |
/api/credential/v1/{id} | Before acceptance | After acceptance |
/api/interaction/v1/issuance-reject | Supported with temporary identifier | Sends a credential_deleted notification to the issuer and sets to REJECTED in your wallet system |
Migration:
Update handle-invitation and issuance-accept logic:
- Remove logic that expects
credentialIdsin the response - Check for
interactionType: "ISSUANCE"instead - Pre-Authorized Code Flow: Call
issuance-acceptimmediately after handling the invitation - Authorization Code Flow: When
handle-invitationreturns anauthorizationUrl, redirect the user to complete authentication. After the user returns to your wallet, callcontinue-issuancewith the redirect URL, then callissuance-accept - When calling
/api/interaction/v1/issuance-accept, pass theinteractionIdfrom handle-invitation (or continue-issuance for Auth Code Flow) - Retrieve the
credentialIdfrom the issuance-accept response - Use this credential ID to fetch and display the credential for user review
See Receiving a credential for flow diagrams and implementation guidance.
Update data types configuration
- The system now automatically extracts credential schemas during issuance
- To enable this extraction, update your data types configuration. For
example:
datatype:
STRING:
display: "datatype.string"
type: "STRING"
order: 100
params:
private:
holder:
valueExtraction: ENABLED_FALLBACK # New required parameterimportantFor complete extraction configuration guidance see Configuring for holder value extraction.
New features
Organization slugs for easier link sharing
You can now assign a URL-friendly slug to each organization in the Enterprise Backend. This improves collaboration when sharing Desk UI links across organizations.
How it works:
When you share a Desk UI link to a resource (credential, proof, etc.) and the recipient has access to multiple organizations:
- If the resource is in a different organization than their currently active one, Desk UI will automatically prompt them to switch
- The switch only occurs if they have permissions to access that organization
- No more confusion about why a shared link shows "not found" – users are guided to the right organization context
Setting up organization slugs:
-
Using the Desk UI:
- Administration --> Organisations --> Edit
-
Using the API: Use the admin organization API endpoints to assign a
slugcontaining only letters, numbers, and hyphens:- New organizations:
POST /api/sts/organisation/v1 - Existing organizations:
PATCH /api/sts/organisation/v1/{organisationId} - Example:
curl -X 'PATCH' \
'api/sts/organisation/v1/ac915dd6-6319-46a2-9777-c5753912a921' \
-H 'accept: */*' \
-H 'Content-Type: application/json' \
-d '{
"slug": "docs-example"
}' - New organizations:
Once configured, shared links will include the organization slug and enable seamless organization switching for authorized users.
See the updated Organizations doc.
Wallet minimum version setting
You can now assign minimum Wallet App versions as an issuer of Wallet App
Attestations. See the appVersion object in the
WAA configuration docs.
1.63.0 ⚠️
Breaking changes
OpenID4VP 1.0: New presentation endpoints
We've enhanced support for OpenID4VP 1.0 for wallet implementations with two new endpoints. These new endpoints reflect DCQL and enable full support of credential sets for wallet implementations.
New endpoints:
GET /api/proof-request/v2/{proofRequestId}/presentation-definition- Parse verifier requestsPOST /api/interaction/v2/presentation-submit- Submit presentations to verifiers
Who is affected:
- Using OpenID4VP 1.0? You must migrate to the new
/v2endpoints (breaking change) - Using only OpenID4VP draft versions? No changes required – continue using
/v1endpoints
Determining which endpoints to use:
Verifiers may send requests using different protocol versions. Your wallet must use the endpoint version that matches the protocol version in each incoming request.
Check the capabilities.supportedPresentationDefinition field in your
configured verification protocols to determine which endpoints to call:
"verificationProtocol": {
"OPENID4VP_DRAFT25": {
"type": "OPENID4VP_DRAFT25",
"display": "exchange.openid4vp25",
"order": 3,
"capabilities": {
"supportedPresentationDefinition": [
"V1"
// Requests from this protocol → Use /v1 endpoints
],
},
},
"OPENID4VP_FINAL1": {
"type": "OPENID4VP_FINAL1",
"display": "exchange.openid4vpFinal1",
"order": 4,
"capabilities": {
"supportedPresentationDefinition": [
"V2"
// Requests from this protocol → Use /v2 endpoints
],
},
},
}
Migration:
Update your wallet integration to call
/v2endpoints for OpenID4VP 1.0 flows.Test thoroughly – the endpoints differ significantly, with
/v2fully incorporating DCQLContinue using
/v1endpoints for any OpenID4VP draft flows (if applicable)
For complete implementation guidance, see our update presentation documentation.
List endpoint filter parameters updates
We\ve standardized filter parameters across list endpoints to enable more consistent and powerful filtering. All affected parameters are now arrays (even when filtering by a single value) and have been renamed for consistency.
Affected resources:
- Credentials
- Proofs
- Identifiers
- Trust entities
- Organizations (Admin endpoints in Enterprise Backend)
Parameter changes:
| Old parameter | New parameter | Change |
|---|---|---|
profile | profiles | Now an array, renamed |
proofStates | states | Renamed |
proofRoles | roles | Renamed |
role | roles | Now an array, renamed |
state | states | Now an array, renamed |
status | states | Renamed |
type | types | Now an array, renamed |
Migration
Update your filter parameters:
- GET /api/proof-request/v1?sort=createdDate&role=VERIFIER&sortDirection=DESC
+ GET /api/proof-request/v1?sort=createdDate&roles=VERIFIER&sortDirection=DESC
Key changes to implement:
Rename parameters according to the table above
Values are now treated as arrays — repeat the parameter name for multiple values:
?roles=VERIFIER&roles=HOLDER&states=pending&states=approved
Update any hardcoded query strings or filter builders in your application
Both standard query syntax (?roles=value) and array notation
(?roles[]=values) are supported. Single values work the same as before
– only the parameter names have changed.
1.62.0 ⚠️
Breaking changes
Authentication configuration restructured
The Core authentication configuration has been restructured to support multiple authentication modes. You must update your configuration. See Core service configuration for an explanation of available authentication modes.
For enterprise-grade authentication, see the new STS mode.
To continue using a static token, follow the instructions below:
Before
app:
authToken: "your-token-here"
After
app:
auth:
mode: STATIC
staticToken: "your-token-here"
Migration
Remove authToken from your app configuration and add app.auth.mode and
app.auth.staticToken.
New features
STS authentication mode
STS authentication mode now enabled for one-core, providing enterprise-grade
authentication and authorization for Procivis One services.
The STS architecture acts as a bridge between your organization's IAM provider and Procivis One, enabling:
- Secure multi-tenancy
- Zero trust architecture
- Flexible deployment
- Fine-grained access control for end users and other services
See Core service configuration for guidance on available authentication modes and Authentication and authorization for detailed architecture and integration patterns.
OpenID4VCI 1.0 support
Added support for v1.0. Because of our flexible architecture, you can enable multiple OpenID4VCI drafts simultaneously and use whichever one you need, when you need it.
See the updated OpenID4VC docs for more information.
Wallet unit attestation enhancements
Wallet unit attestation (WUA) has been enhanced with the following improvements:
- Added support for wallet providers to revoke attestations
- Updated implementation to attach WUA to organizations
See the updated WUA docs for more information.
1.61.0
New features
Wallet Unit Attestation (WUA)
- Added support for Wallet Unit Attestations using the OAuth 2.0 Attestation-Based Client Authentication protocol
- The Procivis One Wallet can request an attestation from Procivis One Core
- Platform-specific validation ensures wallet instances are legitimate apps
- Attestations enable wallet instances to prove app integrity to both issuer and verifiers
- See the docs
NFC engagement
- Added NFC engagement support for Android devices using the ISO 18013-5 mdoc flow
- The Procivis One Wallet now supports both QR code and NFC engagement for presentation flows on compatible devices
- See the ISO offline flow for NFC engagement configurations
Wallet App
- Added support for arbitrary QR codes
- Scanning QR codes that do not conform to supported protocols now allow the user to open in their browser
Bugs
- Fixed issue where Desk users could not access removed trust entity detail page
- Fixed issue where GET
/api/credential/v1did not allow filtering by credential schema IDs - Fixed issue where Wallet app was rendering credential and claim selection incorrectly with certain proof request structures
- Fixed issue where non-selectively disclosable claims in SD-JWT credentials were failing to present
- Fixed minor UI issues in apps and Desk UI
1.60.0
New features
Authorization Code Flow
Added two new OpenID4VCI flows for receiving credentials.
-
Issuer-initiated credential offers - Receive credentials from issuer-initiated credential offers (docs)
-
Wallet-initiated credential requests - Initiate credential requests directly from within the wallet (docs)
noteThis feature is not available in the Trial environment.
DCQL enhancements
The wallet can handle metadata queries, matching credentials against
requests on technical fields such as aud or exp.
Procivis One Desk
Improvements to navigation:
- Searchable dropdown menu for organizations
- Date range filters for all list views
1.59.0
New features
DCQL support enhancements
Core wallet and Wallet App now support value matching and multiple flag.
Date filtering by clearer parameters
Sort list endpoints by, for example:
createdDateAftercreatedDateBeforelastModifiedAfterlastModifiedBefore
/api/key/v1
- Filters for key type and key storage are now an array
- Use
keyTypesandkeyStoragesto filter