
Providers and Wallets Metadata

Organisational Wallets

The Entity Identifier of a server-based client must always be an HTTPS URL. The metadata is located by concatenating the Entity Identifier (client_id) with /.well-known/x-y-z. Any trailing / must be removed before joining.

Credential Issuer Metadata

Configuration location: /.well-known/openid-credential-issuer

| Field | Requirement | Notes |
| --- | --- | --- |
| `authorization_server` | OPTIONAL | Identifier of the OAuth 2.0 Authorization Server (as defined in RFC 8414) the Credential Issuer relies on for authorization. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per RFC 8414. |
| `credential_issuer` | REQUIRED | The Credential Issuer's identifier. |
| `credential_endpoint` | REQUIRED | URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components. |
| `deferred_credential_endpoint` | REQUIRED | URL of the Credential Issuer's Deferred Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components. |
| `display` | OPTIONAL | A JSON array containing a list of JSON objects, each of them representing display properties of a Credential Issuer for a certain language. |
| `display[].name` | OPTIONAL | String value of a display name for the Credential Issuer. |
| `display[].locale` | OPTIONAL | String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 RFC 5646. There MUST be only one object with the same language identifier. |
| `credentials_supported` | REQUIRED | A JSON array containing a list of JSON objects, each of them representing metadata about a separate credential type that the Credential Issuer can issue. |
| `credentials_supported[].format` | REQUIRED | A JSON string identifying the format of this credential, e.g. jwt_vc. |
| `credentials_supported[].types` | REQUIRED | A JSON array designating the types a certain credential type supports according to VC_DATA, Section 4.3. |
| `credentials_supported[].trust_framework` | OPTIONAL | A JSON object defining the Trust Framework details. |
| `credentials_supported[].trust_framework.name` | REQUIRED | A JSON string defining the Trust Framework name the credential will be issued under. |
| `credentials_supported[].trust_framework.type` | REQUIRED | A JSON string designating the behaviour and properties bound to the type. Types may include extra properties. |
| `credentials_supported[].trust_framework.uri` | OPTIONAL | A JSON string belonging to type with value of Accreditation, pointing towards the Verifiable Accreditation, which will be the basis for the issuance of the Verifiable Credential. |
| `credentials_supported[].display` | OPTIONAL | A JSON array of objects, where each object contains display properties of a certain claim in the Credential for a certain language. |
| `credentials_supported[].display[].name` | OPTIONAL | A JSON string value of a display name for the claim. |
| `credentials_supported[].display[].locale` | OPTIONAL | String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 RFC 5646. There MUST be only one object with the same language identifier. |

Example metadata

```json
{
  "authorization_server": "https://api-conformance.ebsi.eu/conformance/v3/auth-mock",
  "credential_issuer": "https://api-conformance.ebsi.eu/conformance/v3/issuer-mock",
  "credential_endpoint": "https://api-conformance.ebsi.eu/conformance/v3/issuer-mock/credential",
  "deferred_credential_endpoint": "https://api-conformance.ebsi.eu/conformance/v3/issuer-mock/deferred_credential",
  "credentials_supported": [
    {
      "format": "jwt_vc",
      "types": [
        "VerifiableCredential",
        "VerifiableAttestation",
        "VerifiableAuthorisationToOnboard"
      ],
      "trust_framework": {
        "name": "ebsi",
        "type": "Accreditation",
        "uri": "TIR link towards accreditation"
      },
      "display": [
        {
          "name": "Verifiable Authorisation to onboard",
          "locale": "en-GB"
        }
      ]
    },
    {
      "format": "jwt_vc",
      "types": [
        "VerifiableCredential",
        "VerifiableAttestation",
        "VerifiableAccreditation",
        "VerifiableAccreditationToAttest"
      ],
      "trust_framework": {
        "name": "ebsi",
        "type": "Accreditation",
        "accreditation_uri": "TIR link towards accreditation"
      },
      "display": [
        {
          "name": "Verifiable Accreditation to attest",
          "locale": "en-GB"
        }
      ]
    }
  ]
}
```
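The lookup rule under Organisational Wallets and the REQUIRED, https and unique-locale constraints from the Credential Issuer field table can be checked mechanically before a wallet trusts fetched metadata. The following is an added example, not EBSI code: `metadata_url`, `validate_issuer_metadata` and the `BAD` sample are names and data constructed for this illustration.

```python
from urllib.parse import urlsplit
WELL_KNOWN = "/.well-known/openid-credential-issuer"  # location given on this page

def _is_https(url) -> bool:
    try:
        parts = urlsplit(url) if isinstance(url, str) else None
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return bool(parts and parts.scheme == "https" and parts.hostname)

def metadata_url(client_id: str, well_known: str = WELL_KNOWN) -> str:
    if not _is_https(client_id):
        raise ValueError("Entity Identifier must be an HTTPS URL")
    return client_id.rstrip("/") + well_known  # trailing '/' removed before joining

def _duplicate_locales(display) -> list:
    seen, dups = set(), []
    for entry in display or []:
        tag = str(entry.get("locale", "")).lower()  # BCP47 tags are case-insensitive
        if tag and tag in seen:
            dups.append(tag)
        seen.add(tag)
    return dups

def validate_issuer_metadata(meta: dict) -> list:
    """Return violations of the field table (empty list means none found)."""
    errors = []
    for field in ("credential_issuer", "credential_endpoint",
                  "deferred_credential_endpoint", "credentials_supported"):
        if field not in meta:
            errors.append(f"{field}: REQUIRED field missing")
    for field in ("credential_endpoint", "deferred_credential_endpoint"):
        if field in meta and not _is_https(meta[field]):
            errors.append(f"{field}: must use the https scheme")
    errors += [f"display: duplicate locale {t}" for t in _duplicate_locales(meta.get("display"))]
    for i, cred in enumerate(meta.get("credentials_supported", [])):
        where = f"credentials_supported[{i}]"
        errors += [f"{where}.{f}: REQUIRED field missing" for f in ("format", "types") if f not in cred]
        if "trust_framework" in cred:
            errors += [f"{where}.trust_framework.{f}: REQUIRED field missing"
                       for f in ("name", "type") if f not in cred["trust_framework"]]
        errors += [f"{where}.display: duplicate locale {t}" for t in _duplicate_locales(cred.get("display"))]
    return errors

# Constructed sample: http endpoint, missing deferred endpoint, repeated locale.
BAD = {"credential_issuer": "https://issuer.example", "credentials_supported": [
    {"format": "jwt_vc", "types": ["VerifiableCredential"],
     "display": [{"locale": "en-GB"}, {"locale": "en-gb"}]}],
    "credential_endpoint": "http://issuer.example/credential"}
```

Both entries of the example metadata above pass this check, because `trust_framework.uri` is OPTIONAL and unknown keys are not rejected.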

Authorisation Server Metadata

Configuration location: /.well-known/openid-configuration

| Field | Requirement | Notes |
| --- | --- | --- |
| `issuer` | OPTIONAL | Authorization server's issuer identifier URL |
| `authorization_endpoint` | OPTIONAL | URL of the authorization server's authorization endpoint |
| `token_endpoint` | OPTIONAL | URL of the authorization server's token endpoint |
| `userinfo_endpoint` | OPTIONAL | URL of the authorization server's UserInfo endpoint |
| `presentation_definition_endpoint` | OPTIONAL | URL of the authorization server's Presentation Definitions endpoint |
| `jwks_uri` | OPTIONAL | URL of the authorization server's JWK Set document |
| `scopes_supported` | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "scope" values that this authorization server supports |
| `response_types_supported` | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports |
| `response_modes_supported` | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports |
| `grant_types_supported` | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "grant type" values that this authorization server supports |
| `subject_types_supported` | OPTIONAL | A JSON array containing a list of the Subject Identifier types that this OP supports |
| `id_token_signing_alg_values_supported` | OPTIONAL | A JSON array containing a list of the JWS "alg" values supported by the OP for the ID Token |
| `request_object_signing_alg_values_supported` | OPTIONAL | A JSON array containing a list of the JWS "alg" values supported by the OP for Request Objects |
| `request_parameter_supported` | OPTIONAL | A Boolean value specifying whether the OP supports use of the "request" parameter |
| `request_uri_parameter_supported` | OPTIONAL | A Boolean value specifying whether the OP supports use of the "request_uri" parameter |
| `token_endpoint_auth_methods_supported` | OPTIONAL | A JSON array containing a list of client authentication methods supported by this token endpoint |
| `vp_formats_supported` | REQUIRED | A JSON Object containing a list of key value pairs, where the key is a string identifying a Credential format supported by the Wallet |
| `vp_formats_supported.jwt_vp` | OPTIONAL | A JSON Object, defining support for Verifiable Presentations in JWT format |
| `vp_formats_supported.jwt_vp.alg_values_supported` | OPTIONAL | A JSON Array of case sensitive strings that identify the cryptographic suites that are supported |
| `vp_formats_supported.jwt_vc` | OPTIONAL | A JSON Object, defining support for Verifiable Credentials in JWT format |
| `vp_formats_supported.jwt_vc.alg_values_supported` | OPTIONAL | A JSON Array of case sensitive strings that identify the cryptographic suites that are supported |
| `subject_syntax_types_supported` | OPTIONAL | A JSON Array of supported DID methods and their possible sub types |
| `subject_trust_frameworks_supported` | OPTIONAL | A JSON Array of supported Trust Frameworks |
| `id_token_types_supported` | OPTIONAL | A JSON array of strings containing the list of ID Token types supported by the OP |

```json
{
  "issuer": "https://api-conformance.ebsi.eu/conformance/v3/auth-mock",
  "authorization_endpoint": "https://api-conformance.ebsi.eu/conformance/v3/auth-mock/authorize",
  "token_endpoint": "https://api-conformance.ebsi.eu/conformance/v3/auth-mock/token",
  "jwks_uri": "https://api-conformance.ebsi.eu/conformance/v3/auth-mock/jwks",
  "scopes_supported": ["openid"],
  "response_types_supported": ["vp_token", "id_token"],
  "response_modes_supported": ["query"],
  "grant_types_supported": ["authorization_code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["ES256"],
  "request_object_signing_alg_values_supported": ["ES256"],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "token_endpoint_auth_methods_supported": ["private_key_jwt"],
  "vp_formats_supported": {
    "jwt_vp": {
      "alg_values_supported": ["ES256"]
    },
    "jwt_vc": {
      "alg_values_supported": ["ES256"]
    }
  },
  "subject_syntax_types_supported": ["did:key", "did:ebsi"],
  "subject_trust_frameworks_supported": ["ebsi"],
  "id_token_types_supported": [
    "subject_signed_id_token",
    "attester_signed_id_token"
  ]
}
```

Service Wallet Metadata

A Service Wallet is a decoupled construct that has a composite relationship with an Issuer or a Verifier, and whose purpose is requesting, signing and managing Verifiable Credentials. It shares the same client_id as the main functionality (verification or issuance), but exposes its own configuration through client_metadata in the Authorisation Request. The configuration contains all fields from Holder Wallet Metadata, plus the following extension.

| Field | Requirement | Notes |
| --- | --- | --- |
| `jwks_uri` | REQUIRED | URL of the authorization server's JWK Set document. Must start with client_id. |

```json
{
  "authorization_endpoint": "openid:",
  "jwks_uri": "https://my-issuer.rocks/jwks"
}
```
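An added example (not part of the EBSI documentation) of enforcing "Must start with client_id": a bare string-prefix test also accepts look-alike hosts and sibling paths, so the check below additionally compares the parsed origin and path segments. The function names and all inputs except the `jwks_uri` from the example above are constructed, and reading the rule as same-origin plus path containment is an assumption stricter than the page's wording.

```python
from urllib.parse import urlsplit, unquote

def naive_check(client_id: str, jwks_uri: str) -> bool:
    """Literal reading of the rule; kept only for comparison."""
    return jwks_uri.startswith(client_id)

def _origin(parts):
    return (parts.scheme, parts.hostname, parts.port or 443)

def jwks_uri_belongs_to(client_id: str, jwks_uri: str) -> bool:
    """Prefix rule plus same-origin and path-containment checks (added hardening)."""
    if not jwks_uri.startswith(client_id.rstrip("/")):
        return False
    try:
        cid, jwks = urlsplit(client_id), urlsplit(jwks_uri)
        if cid.scheme != "https" or jwks.scheme != "https":
            return False
        # Userinfo lets a URL begin with one host name while pointing at another.
        if jwks.username is not None or _origin(cid) != _origin(jwks):
            return False
    except ValueError:  # malformed port or IPv6 literal
        return False
    # Dot segments (also percent-encoded) could climb out of the client's path.
    segments = [unquote(s) for s in jwks.path.split("/")]
    if "." in segments or ".." in segments:
        return False
    # Require a segment boundary so /tenant-a does not match /tenant-ab.
    return jwks.path.startswith(cid.path.rstrip("/") + "/")

# Constructed (client_id, jwks_uri) pairs; client_id values are assumed.
CASES = [
    ("https://my-issuer.rocks", "https://my-issuer.rocks/jwks"),
    ("https://my-issuer.rocks", "https://my-issuer.rocks.other.example/jwks"),
    ("https://my-issuer.rocks", "https://my-issuer.rocks@other.example/jwks"),
    ("https://my-issuer.rocks/tenant-a", "https://my-issuer.rocks/tenant-ab/jwks"),
    ("https://my-issuer.rocks/tenant-a", "https://my-issuer.rocks/tenant-a/../b/jwks"),
]

def disagreements(cases=CASES):
    """Pairs the literal prefix test accepts but the stricter check rejects."""
    return [c for c in cases if naive_check(*c) and not jwks_uri_belongs_to(*c)]
```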

Holder Wallet Metadata

Holder Wallets are non-reachable, and they can use the client_metadata field in the initial Authorisation Request to deliver their configuration. If no configuration is explicitly provided, the default configuration is used. All provided fields in client_metadata will fully replace the default properties.

| Field | Requirement | Notes |
| --- | --- | --- |
| `authorization_endpoint` | OPTIONAL | URL of the authorization server's authorization endpoint |
| `scopes_supported` | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "scope" values that this authorization server supports |
| `response_types_supported` | OPTIONAL | A JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports |
| `subject_types_supported` | OPTIONAL | A JSON array containing a list of the Subject Identifier types that this OP supports |
| `id_token_signing_alg_values_supported` | OPTIONAL | A JSON array containing a list of the JWS "alg" values supported by the OP for the ID Token |
| `request_object_signing_alg_values_supported` | OPTIONAL | A JSON array containing a list of the JWS "alg" values supported by the OP for Request Objects |
| `vp_formats_supported` | REQUIRED | A JSON Object containing a list of key value pairs, where the key is a string identifying a Credential format supported by the Wallet |
| `vp_formats_supported.jwt_vp` | OPTIONAL | A JSON Object, defining support for Verifiable Presentations in JWT format |
| `vp_formats_supported.jwt_vp.alg_values_supported` | OPTIONAL | A JSON Array of case sensitive strings that identify the cryptographic suites that are supported |
| `vp_formats_supported.jwt_vc` | OPTIONAL | A JSON Object, defining support for Verifiable Credentials in JWT format |
| `vp_formats_supported.jwt_vc.alg_values_supported` | OPTIONAL | A JSON Array of case sensitive strings that identify the cryptographic suites that are supported |
| `subject_syntax_types_supported` | OPTIONAL | A JSON Array of supported DID methods and their possible sub types. |
| `id_token_types_supported` | OPTIONAL | A JSON array of strings containing the list of ID Token types supported by the OP |

The default properties are the following:

```json
{
  "authorization_endpoint": "openid:",
  "response_types_supported": ["vp_token", "id_token"],
  "vp_formats_supported": {
    "jwt_vp": {
      "alg_values_supported": ["ES256"]
    },
    "jwt_vc": {
      "alg_values_supported": ["ES256"]
    }
  },
  "scopes_supported": ["openid"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["ES256"],
  "request_object_signing_alg_values_supported": ["ES256"],
  "subject_syntax_types_supported": [
    "urn:ietf:params:oauth:jwk-thumbprint",
    "did:key:jwk_jcs-pub"
  ],
  "id_token_types_supported": ["subject_signed_id_token"]
}
```