Core Verifier Settings

The verifier section configures the core functionality of the VCVerifier.

Identity Configuration

verifier.did
string
required
Decentralized Identifier (DID) to be used by the verifier. This is the verifier’s identity in the SIOP-2/OIDC4VP flow.
verifier:
  did: did:key:z6MkigCEnopwujz8Ten2dzq91nvMjqbKQYcifuZhqBsEkH7g

Client Identification

For byReference and byValue request modes, configure how the verifier identifies itself:
verifier.clientIdentification.id
string
Client identifier the verifier presents when requesting authorization. Can be a DID or another client identifier scheme such as x509_san_dns.
verifier:
  clientIdentification:
    id: did:key:myverifier
verifier.clientIdentification.keyPath
string
Path to the signing key in PEM format used to sign request objects. Must correspond to the configured id.
verifier.clientIdentification.requestKeyAlgorithm
string
Algorithm to be used for signing the request. Must match the signing key type (e.g., RS256, ES256).
verifier.clientIdentification.certificatePath
string
Path to the certificate chain to include in the request object. Required when using x509_san_dns identification.
verifier.clientIdentification.kid
string
Key ID to use when the certificate doesn’t include one. If both certificate and kid are missing, the id is used.

Request Modes

verifier.supportedModes
string[]
default: ["urlEncoded"]
Supported modes for requesting authentication. Multiple modes can be enabled simultaneously.
Available modes:
  • urlEncoded - Parameters passed directly in the URL
  • byValue - Request object passed as a signed JWT value
  • byReference - Request object passed by reference URL
verifier:
  supportedModes: ["urlEncoded", "byReference", "byValue"]
For byReference and byValue modes, the clientIdentification section must be properly configured with signing keys.
urlEncoded: Simple mode where all parameters are in the URL. Suitable for testing but can create large QR codes.
byValue: Request parameters are encoded as a signed JWT and passed in the URL. More secure but still creates large QR codes.
byReference: Request object is hosted by the verifier and referenced by URL. Recommended for production as it creates smaller QR codes.

Trust and Validation

verifier.tirAddress
string
Address of the EBSI-compliant Trusted Issuers Registry for verifying credential issuers.
verifier:
  tirAddress: https://tir-pdc.ebsi.fiware.dev
verifier.tirCacheExpiry
integer
default:"30"
Expiry time in seconds for Trusted Issuers Registry cache entries.
verifier.tilCacheExpiry
integer
default:"30"
Expiry time in seconds for Trusted Issuers List cache entries.
verifier.validationMode
string
default:"none"
Validation mode for credential content validation (not verification).
Available modes:
  • none - No validation, accept all credentials
  • combined - JSON-LD and schema validation
  • jsonLd - JSON-LD parser validation
  • baseContext - Validates only expected fields are present
verifier:
  validationMode: "combined"
The default validationMode: "none" is kept for backwards compatibility. For production, consider combined or jsonLd for stronger validation.

Session Configuration

verifier.sessionExpiry
integer
default:"30"
Expiry time in seconds for authentication sessions. After this time, a new flow must be initiated.
verifier:
  sessionExpiry: 60
verifier.requestScope
string
Default scope (credential type) to request from the wallet if not configured per-service.

Key Configuration

verifier.keyAlgorithm
string
default:"RS256"
Algorithm for JWT signature generation. Supported values:
  • RS256 - RSA with SHA-256
  • ES256 - ECDSA with SHA-256
verifier:
  keyAlgorithm: "ES256"
verifier.generateKey
boolean
default:"true"
When true, generates a private key on startup. The key is kept in memory and not persisted.
Set to false to use a key from keyPath instead.
verifier:
  generateKey: false
  keyPath: "/etc/keys/verifier-key.pem"
verifier.keyPath
string
Path to the private key in PEM format for JWT signatures. Only used when generateKey: false.
verifier.jwtExpiration
integer
default:"30"
Expiration time in minutes for generated JWT tokens.
verifier:
  jwtExpiration: 60  # 1 hour
For development and testing:
  • Use generateKey: true for quick setup
  • Keys are regenerated on each restart
For production:
  • Set generateKey: false
  • Provide a persistent key via keyPath
  • Store keys securely (e.g., Kubernetes secrets, HashiCorp Vault)
  • Rotate keys periodically
  • Use ES256 for better performance and smaller signatures

Authorization Endpoint

verifier.authorizationEndpoint
string
Path of the authorization endpoint to be provided in the .well-known/openid-configuration response.
verifier:
  authorizationEndpoint: "/api/v1/authorize"

Complete Example

verifier:
  did: did:key:z6MkigCEnopwujz8Ten2dzq91nvMjqbKQYcifuZhqBsEkH7g
  
  clientIdentification:
    id: did:key:z6MkigCEnopwujz8Ten2dzq91nvMjqbKQYcifuZhqBsEkH7g
    keyPath: "/etc/keys/request-signing-key.pem"
    requestKeyAlgorithm: "ES256"
  
  supportedModes: ["urlEncoded", "byReference", "byValue"]
  
  tirAddress: https://tir-pdc.ebsi.fiware.dev
  tirCacheExpiry: 60
  tilCacheExpiry: 60
  
  sessionExpiry: 30
  validationMode: "combined"
  
  keyAlgorithm: "ES256"
  generateKey: false
  keyPath: "/etc/keys/jwt-signing-key.pem"
  jwtExpiration: 60
  
  authorizationEndpoint: "/api/v1/authorize"
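The Client Identification, Request Modes and Key Configuration sections above state several constraints that are easy to get wrong in a deployment: byValue and byReference need a configured request-signing key, x509_san_dns identification needs a certificate chain, generateKey: false needs a keyPath, and each signing algorithm must match the type of the PEM key it is paired with. The following pre-flight check is an added example written for this page; it is not part of VCVerifier. It takes the verifier section as the mapping a YAML loader would return (the complete example above is embedded as constructed sample input, together with constructed placeholder PEM headers standing in for the key files), reports every violated constraint, and resolves the effective request-object kid using the precedence the kid setting describes. The literal form of an x509_san_dns id is not shown on this page, so matching it by substring is an assumption.

```python
"""Pre-flight consistency check for a VCVerifier `verifier` section.

Added example, not VCVerifier code. Encodes the constraints the configuration
reference states; the sample config and PEM texts below are constructed.
"""
from __future__ import annotations

SIGNED_MODES = {"byValue", "byReference"}          # modes that carry a signed request object
KNOWN_MODES = SIGNED_MODES | {"urlEncoded"}
KNOWN_VALIDATION = {"none", "combined", "jsonLd", "baseContext"}
ALG_FAMILY = {"RS256": "RSA", "ES256": "EC"}       # algorithm -> key family it requires
# PEM labels that reveal the key family without decoding the DER body.
# A PKCS#8 "BEGIN PRIVATE KEY" block does not, and is reported as unknown (None).
PEM_FAMILY = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "EC"}


def pem_key_family(pem_text: str) -> str | None:
    """Return 'RSA', 'EC' or None based on the first PEM BEGIN line."""
    for line in pem_text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return PEM_FAMILY.get(line[len("-----BEGIN "):-len("-----")])
    return None


def _check_key_matches(findings: list[str], setting: str, alg: str,
                       key_path: str, pem_by_path: dict[str, str]) -> None:
    """Flag unsupported algorithms and algorithm/key-type mismatches."""
    if alg not in ALG_FAMILY:
        findings.append(f"{setting}: unsupported algorithm {alg!r} (expected RS256 or ES256)")
        return
    pem = pem_by_path.get(key_path)
    if pem is None:
        return  # key file not available to this check; nothing to compare
    family = pem_key_family(pem)
    if family is not None and family != ALG_FAMILY[alg]:
        findings.append(f"{setting}: {alg} requires an {ALG_FAMILY[alg]} key "
                        f"but {key_path} holds an {family} key")


def check_verifier_config(verifier: dict, pem_by_path: dict[str, str] | None = None) -> list[str]:
    """Return a list of findings; an empty list means the section is consistent."""
    findings: list[str] = []
    pem_by_path = pem_by_path or {}

    modes = verifier.get("supportedModes", ["urlEncoded"])
    for mode in sorted(set(modes) - KNOWN_MODES):
        findings.append(f"supportedModes: unknown mode {mode!r}")

    ci = verifier.get("clientIdentification", {})
    if SIGNED_MODES & set(modes):
        # byValue/byReference: the request object must be signed with a configured key.
        for field in ("id", "keyPath", "requestKeyAlgorithm"):
            if not ci.get(field):
                findings.append(f"clientIdentification.{field} is required for byValue/byReference")
        if ci.get("keyPath") and ci.get("requestKeyAlgorithm"):
            _check_key_matches(findings, "clientIdentification.requestKeyAlgorithm",
                               ci["requestKeyAlgorithm"], ci["keyPath"], pem_by_path)
    # Assumption: the page does not show the literal form of an x509_san_dns id,
    # so the scheme name is matched as a substring of the configured id.
    if "x509_san_dns" in str(ci.get("id", "")) and not ci.get("certificatePath"):
        findings.append("clientIdentification.certificatePath is required for x509_san_dns identification")

    key_alg = verifier.get("keyAlgorithm", "RS256")
    if not verifier.get("generateKey", True):
        if not verifier.get("keyPath"):
            findings.append("keyPath is required when generateKey is false")
        else:
            _check_key_matches(findings, "keyAlgorithm", key_alg, verifier["keyPath"], pem_by_path)
    elif key_alg not in ALG_FAMILY:
        findings.append(f"keyAlgorithm: unsupported algorithm {key_alg!r} (expected RS256 or ES256)")

    vm = verifier.get("validationMode", "none")
    if vm not in KNOWN_VALIDATION:
        findings.append(f"validationMode: unknown mode {vm!r}")
    elif vm == "none":
        findings.append("validationMode is 'none' (backwards-compatible default); "
                        "combined or jsonLd is recommended for production")
    return findings


def effective_request_kid(ci: dict, certificate_kid: str | None = None) -> str | None:
    """kid placed in the request object: certificate's kid, else configured kid, else the id."""
    return certificate_kid or ci.get("kid") or ci.get("id")


# Constructed sample input: the "Complete Example" verifier section from this page.
EXAMPLE_CONFIG = {
    "did": "did:key:z6MkigCEnopwujz8Ten2dzq91nvMjqbKQYcifuZhqBsEkH7g",
    "clientIdentification": {
        "id": "did:key:z6MkigCEnopwujz8Ten2dzq91nvMjqbKQYcifuZhqBsEkH7g",
        "keyPath": "/etc/keys/request-signing-key.pem",
        "requestKeyAlgorithm": "ES256",
    },
    "supportedModes": ["urlEncoded", "byReference", "byValue"],
    "sessionExpiry": 30, "validationMode": "combined",
    "keyAlgorithm": "ES256", "generateKey": False,
    "keyPath": "/etc/keys/jwt-signing-key.pem", "jwtExpiration": 60,
}
# Constructed placeholder PEM texts (headers only, no real key material).
_EC_PLACEHOLDER = "-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----\n"
SAMPLE_PEMS = {"/etc/keys/request-signing-key.pem": _EC_PLACEHOLDER,
               "/etc/keys/jwt-signing-key.pem": _EC_PLACEHOLDER}

if __name__ == "__main__":
    for finding in check_verifier_config(EXAMPLE_CONFIG, SAMPLE_PEMS) or ["no findings"]:
        print(finding)
```

Running the check against the complete example yields no findings. Dropping the clientIdentification block while keeping byValue enabled, or pairing keyAlgorithm: "RS256" with an EC key file, each produces a finding before the verifier is started rather than a failed flow at runtime.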

M2M Configuration

For Machine-to-Machine authentication scenarios:
m2m.authEnabled
boolean
default:"false"
Enable authentication for M2M interactions.
m2m.keyPath
string
Path to the signing key in PEM format for M2M authentication.
m2m.credentialPath
string
Path to the credential to be used for M2M authentication.
m2m.clientId
string
Client ID of the verifier when retrieving M2M tokens.
m2m.verificationMethod
string
default:"JsonWebKey2020"
Verification method for the linked data proof.
m2m.signatureType
string
default:"JsonWebSignature2020"
Signature type for the linked data proof.
m2m.keyType
string
default:"RSAPS256"
Type of the provided M2M key.

ELSI Support

For did:elsi support with JAdES signatures:
elsi.enabled
boolean
default:"false"
Enable support for did:elsi identifiers.
elsi:
  enabled: true
elsi.validationEndpoint.host
string
Host of the validation service for JAdES signatures.
elsi.validationEndpoint.validationPath
string
default:"/validateSignature"
Path to the signature validation endpoint.
elsi.validationEndpoint.healthPath
string
default:"/q/health/ready"
Path to the health check endpoint of the validation service.

Next Steps

Credentials Configuration

Configure trust anchors and credential scopes

Server Configuration

Configure HTTP server and logging