Configure Wallet Provider

Procivis One supports operating as a wallet provider: an organization that issues and manages wallet apps for end users. This is a defined role in the EU Digital Identity (EUDI) regulatory framework, but the configuration applies equally to non-EUDI deployments. The settings below control how the system handles wallet attestations, app integrity verification, and app version lifecycle management.

To enable wallet providing, you must configure a wallet provider instance with three required sections: wallet instance attestation, wallet unit attestation, and wallet registration policy.

Minimal configuration

Here's the minimum required configuration to enable wallet provider functionality:

walletProvider:
  PROCIVIS_ONE:                          # Instance name (choose any name)
    type: PROCIVIS_ONE                   # Must be exactly "PROCIVIS_ONE"
    display: walletProvider.procivisOne
    params:
      public:
        walletName: "My Wallet"
        walletLink: "https://example.com"
        walletRegistration: OPTIONAL
        walletInstanceAttestation:
          expirationTime: 86400
          integrityCheck:
            android:
              bundleId: com.example.wallet
              signingCertificateFingerprints:
                - "FA:C6:17:..."
              trustedAttestationCAs:
                - "-----BEGIN CERTIFICATE-----\n..."
            ios:
              bundleId: com.example.wallet
              trustedAttestationCAs:
                - "-----BEGIN CERTIFICATE-----\n..."
              enforceProductionBuild: false
        walletUnitAttestation:
          expirationTime: 2678400
          deviceAuthLeeway: 60

The instance name (PROCIVIS_ONE in this example) can be any identifier you choose. However, the type field must be exactly PROCIVIS_ONE to invoke the correct provider implementation.
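As an added illustration (not code from Procivis One), a Python check that enforces the structural rules above on a loaded configuration: every instance must have type exactly PROCIVIS_ONE, a valid walletRegistration policy, and the required fields of the wallet instance attestation, integrity check and wallet unit attestation sections. It assumes the YAML has already been parsed into a dict (for example with yaml.safe_load); the dict in the block is constructed to mirror the minimal configuration.

```python
# Added example (not Procivis One code): a structural check of the walletProvider section.
# Assumes the YAML is already loaded into a dict; MINIMAL_CONFIG mirrors the page's minimal config.
REGISTRATION_POLICIES = {"DISABLED", "OPTIONAL", "MANDATORY"}

MINIMAL_CONFIG = {"walletProvider": {"PROCIVIS_ONE": {
    "type": "PROCIVIS_ONE",
    "display": "walletProvider.procivisOne",
    "params": {"public": {
        "walletName": "My Wallet",
        "walletLink": "https://example.com",
        "walletRegistration": "OPTIONAL",
        "walletInstanceAttestation": {
            "expirationTime": 86400,
            "integrityCheck": {
                "android": {"bundleId": "com.example.wallet",
                            "signingCertificateFingerprints": ["FA:C6:17:..."],
                            "trustedAttestationCAs": ["-----BEGIN CERTIFICATE-----\n..."]},
                "ios": {"bundleId": "com.example.wallet",
                        "trustedAttestationCAs": ["-----BEGIN CERTIFICATE-----\n..."],
                        "enforceProductionBuild": False}}},
        "walletUnitAttestation": {"expirationTime": 2678400, "deviceAuthLeeway": 60},
    }},
}}}

def _positive_int(value):
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and value > 0

def validate_wallet_provider(config):
    """Return a list of problems; an empty list means every required section checks out."""
    errors = []
    for name, inst in config.get("walletProvider", {}).items():
        if inst.get("type") != "PROCIVIS_ONE":
            errors.append(f"{name}: type must be exactly PROCIVIS_ONE")
        pub = inst.get("params", {}).get("public", {})
        if pub.get("walletRegistration") not in REGISTRATION_POLICIES:
            errors.append(f"{name}: walletRegistration must be one of {sorted(REGISTRATION_POLICIES)}")
        wia = pub.get("walletInstanceAttestation", {})
        if not _positive_int(wia.get("expirationTime")):
            errors.append(f"{name}: walletInstanceAttestation.expirationTime must be a positive integer")
        integrity = wia.get("integrityCheck", {})
        for platform in ("android", "ios"):
            plat = integrity.get(platform, {})
            if not plat.get("bundleId"):
                errors.append(f"{name}: integrityCheck.{platform}.bundleId is required")
            if not plat.get("trustedAttestationCAs"):
                errors.append(f"{name}: integrityCheck.{platform}.trustedAttestationCAs must not be empty")
        if not integrity.get("android", {}).get("signingCertificateFingerprints"):
            errors.append(f"{name}: integrityCheck.android.signingCertificateFingerprints must not be empty")
        if not _positive_int(pub.get("walletUnitAttestation", {}).get("expirationTime")):
            errors.append(f"{name}: walletUnitAttestation.expirationTime must be a positive integer")
    return errors
```

Running the check at deploy time catches a mistyped type or an empty trustedAttestationCAs list before a wallet build is ever attested against it.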

Wallet registration policy

The wallet registration policy controls whether wallets must register with the provider to obtain attestations.

walletRegistration: OPTIONAL

Policy options:

  • DISABLED - Wallets cannot register or obtain attestations
  • OPTIONAL - Wallets may register to obtain attestations but can function without them
  • MANDATORY - Wallets must register and obtain attestations to function

This setting is included in the wallet provider metadata retrieved by wallet apps from /ssi/wallet-provider/v1/{walletProvider}, allowing wallets to behave according to your policy.

Wallet Instance Attestation (WIA)

WIAs verify the integrity and authenticity of the wallet application.

Required fields:

walletInstanceAttestation:
  expirationTime: 86400
  integrityCheck:
    android:
      bundleId: com.example.wallet
      signingCertificateFingerprints:
        - "FA:C6:17:..."
      trustedAttestationCAs:
        - "-----BEGIN CERTIFICATE-----\n..."
    ios:
      bundleId: com.example.wallet
      trustedAttestationCAs:
        - "-----BEGIN CERTIFICATE-----\n..."
      enforceProductionBuild: false

Note: "Wallet Instance Attestation" (WIA) was previously called "Wallet App Attestation" (WAA) in the EU Architecture Reference Framework (ARF). Our code interfaces have been updated to reflect this terminology change.

Integrity check

The integrityCheck block is required. With it in place, the system validates:

  • Attestation certificate chains against the configured trusted platform certificate authorities
  • That the app bundle identifier matches the configured value
  • (iOS) That the app is a production build, if enforceProductionBuild is true

Wallet unit attestation

Wallet unit attestation verifies cryptographic keys generated by wallet instances.

Required fields:

walletUnitAttestation:
  expirationTime: 2678400 # Attestation validity in seconds

Revocation support

To enable attestation revocation:

walletUnitAttestation:
  expirationTime: 2678400
  revocationMethod: TOKENSTATUSLIST # Must match the name of a revocation provider with type `TOKENSTATUSLIST`

Without a revocation method configured, unit attestations cannot be revoked and are valid until they expire.

Optional configurations

EUDI Wallet metadata

Include the general_info metadata defined by the EUDI Wallet technical specifications:

eudiWalletInfo:
  providerName: "Example Provider"
  solutionId: "EXAMPLE_PROVIDER"
  solutionVersion: "1"
  wscdType: HYBRID

App version requirements

Enforce minimum app versions and block specific releases:

appVersion:
  minimum: "v1.50.0"            # Required minimum version. Earlier versions are blocked
  minimumRecommended: "v1.60.0" # Recommended minimum version. End users are suggested to update the app
  reject:                       # Explicitly blocked versions
    - "v1.51.3"
    - "v1.51.4"
  updateScreen:
    link: "https://example.com/update" # URL for version update information

The wallet app retrieves this information from /ssi/wallet-provider/v1/{walletProvider} to enforce version requirements and recommendations.
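As an added example (not the wallet app's or Procivis One's own code), the decision a client can derive from the appVersion metadata above: the policy dict mirrors the values on this page, while the order of the checks (blocked by minimum, blocked by the reject list, then update recommended) and the returned status names are this example's assumptions. Versions are compared numerically, so v1.9.0 correctly sorts below v1.50.0 rather than above it as a string comparison would.

```python
# Added example: evaluating an installed wallet version against the appVersion policy.
# The policy below is constructed to mirror the page; the status names are assumptions.
APP_VERSION_POLICY = {
    "minimum": "v1.50.0",
    "minimumRecommended": "v1.60.0",
    "reject": ["v1.51.3", "v1.51.4"],
    "updateScreen": {"link": "https://example.com/update"},
}

def parse_version(tag):
    """Turn 'v1.50.0' into (1, 50, 0) so versions compare numerically, not lexically."""
    parts = tag.lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version tag: {tag!r}")
    return tuple(int(p) for p in parts)

def evaluate_app_version(installed, policy):
    """Return (status, reason, update_link); update_link is None when no action is needed."""
    v = parse_version(installed)
    link = policy.get("updateScreen", {}).get("link")
    # Hard blocks first: below the floor, or an explicitly rejected release
    if v < parse_version(policy["minimum"]):
        return "blocked", f"{installed} is below minimum {policy['minimum']}", link
    if v in {parse_version(r) for r in policy.get("reject", [])}:
        return "blocked", f"{installed} is explicitly rejected", link
    # Soft nudge: allowed to run, but the provider recommends updating
    if v < parse_version(policy["minimumRecommended"]):
        return "update_recommended", f"{installed} is below recommended {policy['minimumRecommended']}", link
    return "ok", f"{installed} meets the policy", None

if __name__ == "__main__":
    for tag in ("v1.9.0", "v1.51.3", "v1.51.5", "v1.60.0"):
        print(tag, evaluate_app_version(tag, APP_VERSION_POLICY))
```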

Trust collections

Trust collections define the trust ecosystems that wallet holders can subscribe to. Each collection provides display information shown to holders when choosing which trust ecosystems to participate in.

Create the trust collections first, then add their display information to the configuration:

trustCollections:
  - id: 00000000-0000-0000-0000-000000000000
    logo: "https://example.com/trust-collection-logo.png"
    displayName:
      en: "Example Trust Ecosystem"
    description:
      en: "Credentials issued by members of this ecosystem meet Example's trust requirements."

Feature flags

featureFlags:
  trustEcosystemsEnabled: true

  • trustEcosystemsEnabled — enables trust ecosystem functionality for wallet holders, including trust collection subscriptions.

Legacy trust management

legacyTrustManagementEnabled: false

Set to true to enable the legacy trust management implementation. This option exists for backwards compatibility and is disabled by default.

Complete configuration example

Here's a fully configured wallet provider with all features enabled:

walletProvider:
  PROCIVIS_ONE:
    type: PROCIVIS_ONE
    display: walletProvider.procivisOne
    params:
      public:
        walletName: "Example Wallet"
        walletLink: "https://example.com"
        walletClientId: ""
        walletRegistration: OPTIONAL
        walletInstanceAttestation:
          expirationTime: 86400
          integrityCheck:
            android:
              bundleId: com.example.wallet
              signingCertificateFingerprints:
                - "FA:C6:17:45:DC:50:D6:..."
              trustedAttestationCAs:
                - "-----BEGIN CERTIFICATE-----\n..."
            ios:
              bundleId: com.example.wallet
              trustedAttestationCAs:
                - "-----BEGIN CERTIFICATE-----\n..."
              enforceProductionBuild: true
        walletUnitAttestation:
          expirationTime: 2678400
          revocationMethod: TOKENSTATUSLIST
          deviceAuthLeeway: 60
        appVersion:
          minimum: "v1.50.0"
          minimumRecommended: "v1.60.0"
          reject:
            - "v1.51.3"
          updateScreen:
            link: "https://example.com/update"
        eudiWalletInfo:
          providerName: "Example Provider"
          solutionId: "EXAMPLE_PROVIDER"
          solutionVersion: "1"
          wscdType: HYBRID
        featureFlags:
          trustEcosystemsEnabled: true
        trustCollections:
          - id: 00000000-0000-0000-0000-000000000000
            logo: "https://example.com/trust-collection-logo.png"
            displayName:
              en: "Example Trust Ecosystem"
            description:
              en: "Credentials issued by members of this ecosystem meet Example's trust requirements."
        legacyTrustManagementEnabled: false