Generated: 2026-03-20
Complete reference for all configuration parameters in the VC system.
- Environment Variables
- Common
- API Gateway (APIGW)
- Issuer
- Verifier
- Registry
- Mock AS
- UI
- Secrets File Reference
These environment variables control service behavior outside of the YAML configuration file.
| Variable | Description | Example |
|---|---|---|
| VC_CONFIG_YAML | Path to the YAML configuration file. Each service reads this on startup. | config.yaml |
| SSL_CERT_FILE | Path to a CA certificate file that Go's crypto/x509 trusts for TLS verification. Required when services use self-signed or private CA certificates for inter-service HTTPS. | /pki/rootCA.crt |

SSL_CERT_FILE is read by the Go runtime at process start and affects every TLS connection that relies on the system root pool, for example fetching jwks_url or vctm_url. The MongoDB and gRPC ca_file_path options below configure their own trust anchors explicitly and do not depend on it.
Shared configuration used across all services.
Path:
.common
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| production | bool | Production mode | - | true | No |
| log | object | Logging configuration | - | - | No |
| mongo | object | MongoDB configuration | - | - | No |
| tracing | object | OpenTelemetry tracing configuration | - | - | No |
| kafka | object | Kafka message broker configuration | - | - | No |
| credential_offer_qr | object | Credential offer QR code settings | - | - | No |
| secret_file_path | string | Path to a separate YAML file containing secrets. When set, secret values in config.yaml are cleared and only non-empty fields from the secrets file are applied. | "/etc/vc/secrets.yaml" | - | No |
| ha | object | High-availability mode. When ha.enable is true, caches use MongoDB (common.mongo.uri) instead of in-memory storage so state is shared across instances. | - | - | No |
| branding | object | Custom branding configuration (logo and favicon paths) | - | - | No |
| credential_constructor | object | Map from OAuth2 scope to credential constructor configuration. The key is the OAuth2 scope (e.g. "pid", "ehic", "diploma") and matches AuthorizationContext.Scope; each constructor holds the VCT URN and the other settings needed to issue that credential type. | - | - | Yes (for apigw, issuer and verifier) |
Path:
.common.log
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| folder_path | string | Path to the log folder | "/var/log/vc" | - | No |
Path:
.common.mongo
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| uri | string | MongoDB connection URI. Credentials embedded in the URI are secrets; see common.secret_file_path. | "mongodb://user:password@mongo:27017/vc" | - | Yes |
| tls | bool | Enable TLS for the MongoDB connection. Can also be enabled via the connection URI parameter tls=true. | - | false | No |
| ca_file_path | string | Path to a PEM-encoded CA certificate used to verify the MongoDB server's certificate. When empty, the system root CAs are used. | - | - | No |
| cert_file_path | string | Path to a PEM-encoded client certificate for mutual TLS (mTLS). Must be set together with key_file_path. | - | - | No |
| key_file_path | string | Path to a PEM-encoded client private key for mutual TLS (mTLS). Must be set together with cert_file_path. | - | - | No |
Path:
.common.tracing
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enable OpenTelemetry tracing | - | false | No |
| addr | string | OTEL collector address | "jaeger:4318" | - | Yes (if enabled) |
| timeout | int64 | Timeout in seconds | - | 10 | No |
Path:
.common.kafka
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enable Kafka integration | - | false | No |
| brokers | []string | List of Kafka broker addresses | - | ["kafka0:9092", "kafka1:9092"] | No |
Path:
.common.credential_offer_qr
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| type | string | Credential offer type: "credential_offer" or "credential_offer_uri" | - | credential_offer | No |
| qr | object | QR code generation settings | - | - | No |
Path:
.common.credential_offer_qr.qr
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| recovery_level | int | Error correction level (0-3) | - | 2 | No |
| size | int | QR code size in pixels | - | 256 | No |
Path:
.common.ha
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | HA mode; when true, caches are backed by MongoDB instead of in-memory storage. | - | false | No |
| cache_database_name | string | MongoDB database name used for caches. | - | vc_cache | No |
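The following .common fragment is an added illustration of how the mongo, ha, tracing and secret_file_path settings fit together; it is not taken from the project's own deployment files. Hostnames, file paths and the assumption that the secrets file supplies the MongoDB credentials are example choices only.

```yaml
common:
  production: true
  log:
    folder_path: /var/log/vc
  # Secrets live in a separate file with tighter permissions; matching fields
  # in config.yaml are cleared when this is set. Assumption for this example:
  # the secrets file carries the MongoDB URI with username and password, so
  # no credentials appear in config.yaml at all.
  secret_file_path: /etc/vc/secrets.yaml
  mongo:
    uri: mongodb://mongo:27017/vc        # assumed hostname; credentials come from the secrets file
    tls: true                            # same effect as appending ?tls=true to the URI
    ca_file_path: /pki/mongo_ca.crt      # private CA that issued the MongoDB server certificate
    cert_file_path: /pki/vc_client.crt   # client certificate for mTLS...
    key_file_path: /pki/vc_client.key    # ...and its key; both must be set together
  ha:
    enable: true                         # replicas behind a load balancer share caches in MongoDB
    cache_database_name: vc_cache        # lives on the URI above; the client user needs access to it
  tracing:
    enable: true
    addr: jaeger:4318
    timeout: 10
```

With ha.enable true every replica must point at the same MongoDB, otherwise cache state is not shared and a request that lands on a different replica than the one that started the flow will not find it.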
Path:
.common.branding
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| logo_path | string | File path to a custom logo PNG image; when empty, the built-in SUNET logo is used | - | - | No |
| favicon_path | string | File path to a custom favicon PNG image; when empty, the built-in SUNET favicon is used | - | - | No |
Path:
.common.credential_constructor.<key>
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| vctm_file_path | string | Path to a local VCTM JSON file. When set, apigw publishes the VCTM at /type-metadata/:scope. Mutually exclusive with vctm_url (one of the two is required). | - | - | Yes (if vctm_url not set) |
| vctm_url | string | URL where the VCTM is already published externally. When set, the VCTM is fetched from this URL at startup for internal use but is not re-published by apigw. Mutually exclusive with vctm_file_path (one of the two is required). | - | - | Yes (if vctm_file_path not set) |
| format | string | Credential format to issue | "vc+sd-jwt" | - | Yes |
| auth_method | string | Authentication method used to verify the holder's identity. Supported values: basic, saml, oidc, openid4vp | - | - | Yes |
| auth_scopes | []string | credential_constructor keys whose VCTs are acceptable for wallet authentication | - | - | Yes (if auth_method is openid4vp) |
| auth_claims | []string | Identity claims to extract from the authentication credential | - | - | Yes (if auth_method is openid4vp) |
| attributes | object | Maps claim names to their source fields and transformation rules for credential issuance | - | - | Yes |
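An added example of two constructors, one for a credential whose holder is authenticated through SAML and one whose holder authenticates by presenting an existing credential (openid4vp); it is illustrative and not the project's own configuration. The VCTM paths and URL, the claim names in auth_claims and the choice of scopes are assumptions, and the required attributes map is omitted because its per-claim layout is not covered on this page.

```yaml
common:
  credential_constructor:
    # Key = OAuth2 scope the wallet requests (matches AuthorizationContext.Scope).
    pid:
      vctm_file_path: /etc/vc/vctm/pid.json   # apigw publishes this at /type-metadata/pid
      format: vc+sd-jwt
      auth_method: saml                       # holder identity established by a SAML IdP (see .apigw.saml)
      # attributes: claim name -> source field / transformation rules (layout
      # not shown on this page; omitted from the example)
    ehic:
      vctm_url: https://vctm.example.org/ehic.json   # already published elsewhere; apigw does not re-publish it
      format: vc+sd-jwt
      auth_method: openid4vp                  # holder proves identity by presenting a credential
      auth_scopes: [pid]                      # only credentials issued under the "pid" constructor are accepted
      auth_claims: [given_name, family_name, birthdate]   # claims lifted from the presented PID (names assumed)
```

auth_scopes is the allow-list that decides which credential types can vouch for a holder: every constructor key listed there becomes an accepted identity proof for issuing the credential, so keep it to the types whose issuers you actually trust for that purpose.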
Configuration for the API Gateway service that handles credential issuance requests.
Path:
.apigw
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| api_server | object | HTTP API server configuration | - | - | Yes |
| key_config | object | Signing key configuration | - | - | Yes |
| credential_offers | object | Credential offer wallet configurations | - | - | No |
| oauth_server | object | OAuth2 server configuration | - | - | No |
| issuer_metadata | object | OpenID4VCI issuer metadata | - | - | No |
| public_url | string | Public URL of this service (must be a valid HTTP/HTTPS URL) | "https://issuer.sunet.se" | - | Yes |
| saml | object | SAML Service Provider configuration | - | - | No |
| oidc_rp | object | OIDC Relying Party configuration | - | - | No |
| issuer_client | object | gRPC client configuration for the issuer | - | - | Yes |
| registry_client | object | gRPC client configuration for the registry | - | - | Yes |
Path:
.apigw.api_server,.issuer.api_server,.verifier.api_server,.registry.api_server,.mock_as.api_server,.ui.api_server
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| addr | string | Listen address for the HTTP server | - | :8080 | No |
| served_by_header | string | Value of the X-Served-By response header, for HA troubleshooting. Empty (default): the header is not set. "hostname": uses os.Hostname(). Any other value is used as-is. | - | - | No |
| tls | object | TLS configuration | - | - | No |
| api_auth | object | API authentication configuration | - | - | No |
| cors | object | CORS configuration | - | - | No |
Path:
.apigw.api_server.tls,.issuer.api_server.tls,.verifier.api_server.tls,.registry.api_server.tls,.mock_as.api_server.tls,.ui.api_server.tls
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enable TLS | - | false | No |
| cert_file_path | string | Path to the TLS certificate | - | - | Yes (if enabled) |
| key_file_path | string | Path to the TLS private key | - | - | Yes (if enabled) |
Path:
.apigw.api_server.api_auth,.issuer.api_server.api_auth,.verifier.api_server.api_auth,.registry.api_server.api_auth,.mock_as.api_server.api_auth,.ui.api_server.api_auth
Exactly one of basic_auth.enable or jwt.enable may be true. If neither is enabled, no authentication is applied (open access).
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| basic_auth | object | HTTP Basic authentication configuration. When enabled, requests are allowed or rejected based on username/password only. | - | - | No |
| jwt | object | JWT Bearer token authentication configuration. When enabled, tokens are validated via JWKS and optionally authorized against SPOCP (S-expression) rules for fine-grained per-endpoint control. | - | - | No |
Path:
.apigw.api_server.api_auth.basic_auth,.issuer.api_server.api_auth.basic_auth,.verifier.api_server.api_auth.basic_auth,.registry.api_server.api_auth.basic_auth,.mock_as.api_server.api_auth.basic_auth,.ui.api_server.api_auth.basic_auth
This is a simple allow/deny mechanism: valid credentials grant full access.
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enable HTTP Basic authentication | - | false | No |
| users | object | Username to password mapping | - | - | No |
Path:
.apigw.api_server.api_auth.jwt,.issuer.api_server.api_auth.jwt,.verifier.api_server.api_auth.jwt,.registry.api_server.api_auth.jwt,.mock_as.api_server.api_auth.jwt,.ui.api_server.api_auth.jwt
JWT Bearer token authentication with optional SPOCP-based authorization.
When rules (and/or rules_file) are configured, each request is checked against the SPOCP engine. A query of the form
(api (service <SERVICE>)(method <HTTP_METHOD>)(path <REQUEST_PATH>)(subject <JWT_SUBJECT>))
is evaluated; the request is allowed only if a matching rule exists. The <SERVICE> value is supplied by the calling service at middleware registration time, so when two services share endpoints, rules for one service do not grant access to the other. When no rules are configured, any valid JWT grants access.
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enable JWT Bearer token authentication | - | false | No |
| jwks_url | string | URL of the JSON Web Key Set used to validate token signatures. | "https://auth.example.com/.well-known/jwks.json" | - | Yes (if enabled) |
| issuer | string | Expected "iss" claim. Tokens with a different issuer are rejected. | - | - | Yes (if enabled) |
| audience | string | Expected "aud" claim. Tokens that do not contain this audience are rejected. | - | - | Yes (if enabled) |
| rules | []string | SPOCP S-expression authorization rules loaded into an in-process engine. When non-empty, the middleware builds a query per request and checks it. | ["(api (service apigw)(method POST)(path /api/v1/upload)(subject alice))"] | - | No |
| rules_file | string | Optional path to a file containing SPOCP rules (one per line). Rules from this file are loaded in addition to the inline rules list. | - | - | No |
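Two api_auth fragments for apigw, added here as an illustration and not taken from the project's own configuration: the first leaves both mechanisms disabled, which the section above defines as open access; the second enables JWT validation with SPOCP rules. The issuer, JWKS URL, audience, subjects, paths and file names are assumed values, and the rules use only the exact form documented above.

```yaml
# Open access: neither basic_auth nor jwt is enabled, so any client that can
# reach the listener may call every endpoint. Tolerable only for a local
# development instance that is not exposed.
apigw:
  api_server:
    addr: ":8080"
    api_auth: {}
---
# Hardened: bearer tokens are validated against the JWKS, pinned to an issuer
# and an audience, and then authorized per endpoint through SPOCP rules.
apigw:
  api_server:
    addr: ":8443"
    tls:
      enable: true
      cert_file_path: /pki/apigw.crt
      key_file_path: /pki/apigw.key
    api_auth:
      jwt:
        enable: true
        jwks_url: https://auth.example.com/.well-known/jwks.json
        issuer: https://auth.example.com   # "iss" must match exactly
        audience: vc-apigw                  # "aud" must contain this; tokens minted for other services fail
        # Each request becomes the query
        #   (api (service apigw)(method <HTTP_METHOD>)(path <REQUEST_PATH>)(subject <sub>))
        # and is allowed only if one of these rules matches it.
        rules:
          - "(api (service apigw)(method POST)(path /api/v1/upload)(subject alice))"
          - "(api (service apigw)(method GET)(path /api/v1/status)(subject monitor))"
        # Additional rules, one per line, can be kept outside config.yaml.
        rules_file: /etc/vc/apigw-rules.spocp
```

The service element is why the same subject needs a separate rule on the issuer if the issuer exposes the same path: a rule written for apigw never matches there. Note also that removing every rule (empty rules and no rules_file) does not lock the API down; it reverts to "any valid JWT grants access".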
Path:
.apigw.api_server.cors,.issuer.api_server.cors,.verifier.api_server.cors,.registry.api_server.cors,.mock_as.api_server.cors,.ui.api_server.cors
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| allowed_origins | []string | List of allowed CORS origins | ["https://wallet.sunet.se", "https://app.sunet.se"] | [] | No |
Path:
.apigw.key_config,.issuer.key_config,.verifier.key_config,.registry.token_status_lists.key_config
Supports both file-based and HSM-based keys with explicit control over which source is used.
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| private_key_path | string | Path to the private key file (file-based configuration) | - | - | Yes (if pkcs11 not set) |
| chain_path | string | Path to the certificate chain (optional) | - | - | No |
| pkcs11 | object | HSM-based configuration | - | - | Yes (if private_key_path not set) |
| source | object | Source selection (determines which configuration to use). If empty, tries in order: file (if private_key_path is set), then HSM (if pkcs11 is set). | - | - | No |
| enable_file | bool | Enable file-based key loading (default: true if private_key_path is set) | - | - | No |
| enable_hsm | bool | Enable HSM-based key loading (default: true if pkcs11 is set) | - | - | No |
| priority | array | Fallback order when both are enabled. If nil, uses the source field or auto-detects based on what is configured. | ["hsm", "file"] | - | No |
Path:
.apigw.key_config.pkcs11,.issuer.key_config.pkcs11,.verifier.key_config.pkcs11,.registry.token_status_lists.key_config.pkcs11
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| module_path | string | Path to the PKCS#11 library | "/usr/lib/softhsm/libsofthsm2.so" | - | No |
| slot_id | uint | HSM slot ID | 0 | - | No |
| pin | string | User PIN for the slot. Treat as a secret. | "1234" | - | No |
| key_label | string | Label of the key to use | "my-signing-key" | - | No |
| key_id | string | Identifier used for the JWT kid header | "key-1" | - | No |
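An added example of the two key_config shapes for the issuer, illustrative rather than the project's own configuration. It follows the flat layout of the table above (enable_file, enable_hsm and priority beside pkcs11) and leaves out the source object, whose sub-fields are not listed on this page; the module path is SoftHSM as in the table, and slot, labels, key ids and file paths are assumptions.

```yaml
# Production issuer: the signing key never leaves the HSM. No private_key_path
# is configured, so there is no on-disk key to fall back to.
issuer:
  key_config:
    pkcs11:
      module_path: /usr/lib/softhsm/libsofthsm2.so   # a real HSM module in production
      slot_id: 0
      pin: "1234"                 # secret; this literal is a placeholder
      key_label: issuer-signing-2026
      key_id: issuer-2026-01      # surfaces as the JWT "kid" header
    chain_path: /pki/issuer_chain.pem
    enable_hsm: true
    enable_file: false
---
# Staging: both sources configured, HSM preferred, file-based key as fallback.
# The fallback is a second signing key sitting on disk, which gives up most of
# what the HSM buys, so keep this shape out of production.
issuer:
  key_config:
    pkcs11:
      module_path: /usr/lib/softhsm/libsofthsm2.so
      slot_id: 0
      pin: "1234"
      key_label: issuer-signing-staging
      key_id: issuer-staging-01
    private_key_path: /pki/issuer_signing.key
    chain_path: /pki/issuer_chain.pem
    enable_hsm: true
    enable_file: true
    priority: [hsm, file]         # try the HSM first, fall back to the file
```

When both sources are enabled, a fallback to the file silently changes which key signs credentials; anything that pins the issuer's key (published keys, kid values, trust lists) must account for both keys or the fallback produces credentials verifiers reject.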
Path:
.apigw.credential_offers
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| issuer_url | string | Issuer URL for credential offers | - | - | Yes |
| wallets | object | Wallet redirect configurations | - | - | Yes |
Path:
.apigw.credential_offers.wallets.<key>
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| label | string | Display label for the wallet | - | - | Yes |
| redirect_uri | string | Wallet redirect URI | "eudi-wallet://credential-offer" | - | Yes |
Path:
.apigw.oauth_server,.verifier.oauth_server
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| token_endpoint | string | OAuth2 token endpoint URL | "https://verifier.sunet.se/token" | - | Yes |
| clients | object | OAuth2 client configurations | - | - | Yes |
Path:
.apigw.oauth_server.clients.<key>,.verifier.oauth_server.clients.<key>
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| type | string | Client type per RFC 6749 Section 2.1 ("public" or "confidential"). Defaults to "public" because registered clients are typically wallets (native or web apps) that cannot securely store a client secret and rely on PKCE instead. | - | public | No |
| redirect_uri | string | Allowed redirect URI for the client | "https://example.com/callback" | - | Yes |
| scopes | []string | List of OAuth2 scopes allowed for the client | - | - | Yes |
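An added example tying credential_offers and oauth_server together for apigw; it is illustrative, not the project's own configuration. Client names, redirect URIs and the scope values are assumptions, the scopes are meant to be credential_constructor keys as described under .common, and how a confidential client's secret is provisioned is not covered on this page.

```yaml
apigw:
  credential_offers:
    issuer_url: https://issuer.sunet.se
    wallets:
      eudi:
        label: EUDI Wallet
        redirect_uri: eudi-wallet://credential-offer   # where the offer is handed to the wallet
  oauth_server:
    token_endpoint: https://issuer.sunet.se/token
    clients:
      eudi-wallet:
        type: public                 # native app: cannot hold a secret, PKCE protects the code exchange
        redirect_uri: eudi-wallet://callback   # one URI; no wildcard or prefix matching is documented, so treat it as exact
        scopes: [pid, ehic]          # constructor keys this client may request; nothing outside the list
      hr-portal:
        type: confidential           # server-side web application that can keep a client secret
        redirect_uri: https://hr.example.org/callback
        scopes: [diploma]            # scope the portal needs and no more
```

The scopes list is the per-client allow-list for credential types: a wallet that asks for a scope not in its list should be refused at the authorization step rather than at issuance, so keep each client's list to the credentials it is actually meant to obtain.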
Path:
.apigw.issuer_metadata
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| authorization_servers | []string | The authorization server URLs | - | - | No |
| deferred_credential_endpoint | string | Deferred credential endpoint | - | - | No |
| notification_endpoint | string | Notification endpoint | - | - | No |
| cryptographic_binding_methods_supported | []string | The supported binding methods | - | - | No |
| credential_signing_alg_values_supported | []string | The supported signing algorithms | - | - | No |
| proof_signing_alg_values_supported | []string | The supported proof algorithms | - | - | No |
| credential_response_encryption | object | Response encryption configuration | - | - | No |
| batch_credential_issuance | object | Batch issuance configuration | - | - | No |
| display | array | Display metadata | - | - | No |
Path:
.apigw.issuer_metadata.credential_response_encryption
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| alg_values_supported | []string | REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms (alg values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519]. | - | - | Yes |
| enc_values_supported | []string | REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms (enc values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519]. | - | - | Yes |
| encryption_required | bool | REQUIRED. Whether the Credential Issuer requires encryption on top of TLS for the Credential Response. If true, the Credential Issuer requires encryption for every Credential Response and the Wallet MUST provide encryption keys in the Credential Request. If false, the Wallet MAY choose whether it provides encryption keys or not. | - | - | No |
Path:
.apigw.issuer_metadata.batch_credential_issuance
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| batch_size | int | REQUIRED. Integer value specifying the maximum array size for the proofs parameter in a Credential Request. | - | - | Yes |
Path:
.apigw.issuer_metadata.display[]
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| name | string | OPTIONAL. Display name for the Credential Issuer. | - | - | No |
| locale | string | OPTIONAL. Language of this object as a language tag from BCP47 [RFC5646]. There MUST be only one object for each language identifier. | - | - | No |
| logo | object | OPTIONAL. Information about the logo of the Credential Issuer; the parameters below are a non-exhaustive list of what MAY be included. | - | - | No |
Path:
.apigw.issuer_metadata.display[].logo
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| uri | string | REQUIRED. URI where the Wallet can obtain the logo of the Credential Issuer. The Wallet needs to determine the scheme, since the URI value could use the https: scheme, the data: scheme, etc. | - | - | Yes |
| alt_text | string | OPTIONAL. Alternative text for the logo image. | - | - | No |
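An added issuer_metadata example for apigw that exercises the encryption, batch and display settings above; it is illustrative and not the project's own metadata. Algorithm choices, the batch size, display strings and the logo URL are assumptions.

```yaml
apigw:
  public_url: https://issuer.sunet.se
  issuer_metadata:
    authorization_servers:
      - https://issuer.sunet.se               # apigw's own oauth_server
    cryptographic_binding_methods_supported: [jwk]
    credential_signing_alg_values_supported: [ES256]
    proof_signing_alg_values_supported: [ES256]
    credential_response_encryption:
      alg_values_supported: [ECDH-ES]         # JWE key management
      enc_values_supported: [A256GCM]         # JWE content encryption
      encryption_required: true               # wallets must send encryption keys; no plaintext responses under TLS alone
    batch_credential_issuance:
      batch_size: 10                          # upper bound on the proofs array of one Credential Request
    display:
      - name: SUNET Issuer
        locale: en-US
        logo:
          uri: https://issuer.sunet.se/static/logo.png
          alt_text: SUNET logo
      - name: SUNET Utfärdare                 # one object per locale, as the table requires
        locale: sv-SE
```

encryption_required true is the stricter choice but excludes wallets that cannot do JWE; batch_size bounds how much signing work one request can demand, which matters when the signing key sits in an HSM.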
Path:
.apigw.saml
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enable SAML support | - | false | No |
| entity_id | string | SAML SP entity identifier (typically the metadata URL) | "https://issuer.sunet.se/saml/metadata" | - | Yes (if enabled) |
| metadata_url | string | Public URL where SP metadata is served (auto-generated if empty) | - | - | No |
| mdq_server | string | Base URL of the MDQ (Metadata Query Protocol) server; must end with "/". Mutually exclusive with static_idp_metadata. | "https://md.sunet.se/entities/" | - | No |
| static_idp_metadata | object | A single static IdP as an alternative to MDQ. Mutually exclusive with mdq_server. | - | - | No |
| certificate_path | string | Path to the X.509 certificate for SAML signing/encryption. TODO(pki): migrate to pki.KeyConfig for consistency with other services and to enable HSM-backed SAML signing keys. | - | - | Yes (if enabled) |
| private_key_path | string | Path to the private key for SAML signing/encryption. TODO(pki): see certificate_path; both fields would be replaced by a single key_config. | - | - | Yes (if enabled) |
| acs_endpoint | string | Assertion Consumer Service URL where the IdP sends SAML responses | "https://issuer.sunet.se/saml/acs" | - | Yes (if enabled) |
| session_duration | int | Maximum time in seconds an in-flight SAML authentication flow (AuthnRequest to Response) may remain active before it expires | - | 300 | No |
| credential_mappings | object | How to map external attributes to credential claims. Key: credential type identifier (e.g., "pid", "diploma"), matching credential_constructor keys and OpenID4VCI credential_configuration_ids. | - | - | Yes (if enabled) |
| metadata_signing_cert_path | string | Path to the X.509 certificate used to verify metadata signatures. When set, all fetched metadata (MDQ and static) must carry a valid XML signature from this certificate. When unset, fetched metadata is trusted on transport security alone. | - | - | No |
| metadata_cache_ttl | int | How long, in seconds, to cache IdP metadata fetched from MDQ | - | 3600 | No |
Path:
.apigw.saml.static_idp_metadata
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| entity_id | string | IdP entity identifier | - | - | Yes |
| metadata_path | string | File path to IdP metadata XML (mutually exclusive with metadata_url) | - | - | Yes (if metadata_url not set) |
| metadata_url | string | HTTP(S) URL to fetch IdP metadata from (mutually exclusive with metadata_path) | - | - | Yes (if metadata_path not set) |
Path:
.apigw.saml.credential_mappings.<key>,.apigw.oidc_rp.credential_mappings.<key>
The credential type identifier (map key) is used in API requests and session state.
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| credential_config_id | string | OpenID4VCI credential configuration identifier | "urn:eudi:pid:1" | - | Yes |
| attributes | object | Map from protocol-specific attribute identifier (e.g. a SAML attribute OID) to target claim path with transformation rules | "urn:oid:2.5.4.42": {claim: "identity.given_name", required: true} | - | Yes |
| default_idp | string | Optional default IdP entityID for this credential type | - | - | No |
Path:
.apigw.saml.credential_mappings.<key>.attributes.<key>,.apigw.oidc_rp.credential_mappings.<key>.attributes.<key>
Generic across protocols (SAML, OIDC, etc.): the map keys are protocol-specific identifiers.
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| claim | string | Target claim name (supports dot-notation for nesting) | "identity.given_name" | - | Yes |
| required | bool | Whether this attribute must be present in the assertion/response | - | false | No |
| transform | string | Optional transformation to apply. Supported: "lowercase", "uppercase", "trim" | - | - | No |
| default | string | Optional default value if the attribute is missing | - | - | No |
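An added SAML example for apigw using MDQ with signed metadata and a pid mapping; it is illustrative and not the project's own configuration. The federation signer certificate, the IdP entityID and the file paths are assumptions. The attribute OIDs are the standard ones (2.5.4.42 givenName, as in the table, 2.5.4.4 sn, 1.3.6.1.4.1.5923.1.1.1.6 eduPersonPrincipalName).

```yaml
apigw:
  saml:
    enable: true
    entity_id: https://issuer.sunet.se/saml/metadata
    acs_endpoint: https://issuer.sunet.se/saml/acs
    certificate_path: /pki/saml_sp.crt
    private_key_path: /pki/saml_sp.key
    mdq_server: https://md.sunet.se/entities/       # trailing slash is required
    # Without this, IdP metadata from MDQ is trusted on TLS alone; with it,
    # every fetched document must carry a valid XML signature by this cert.
    metadata_signing_cert_path: /pki/federation_signer.crt
    metadata_cache_ttl: 3600
    session_duration: 300                           # unfinished AuthnRequests expire after 5 minutes
    credential_mappings:
      pid:                                          # must match the credential_constructor key
        credential_config_id: urn:eudi:pid:1
        default_idp: https://idp.example.edu/idp    # assumed entityID
        attributes:
          "urn:oid:2.5.4.42":                       # givenName
            claim: identity.given_name
            required: true
          "urn:oid:2.5.4.4":                        # sn
            claim: identity.family_name
            required: true
          "urn:oid:1.3.6.1.4.1.5923.1.1.1.6":       # eduPersonPrincipalName
            claim: identity.eppn
            required: true
            transform: lowercase                    # normalise before it lands in a credential
```

Mark every attribute that ends up in an identity credential as required; with required false a missing value is silently skipped, and a default should only be used for claims that are genuinely optional in the credential type.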
Path:
.apigw.oidc_rp
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enable OIDC RP support | - | false | No |
| registration | object | How the client obtains credentials from the OIDC Provider. Exactly one of preconfigured or dynamic must be set: preconfigured uses a pre-registered client_id and client_secret; dynamic uses RFC 7591 dynamic client registration (credentials obtained at startup). | - | - | Yes (if enabled) |
| redirect_uri | string | Callback URL where the OIDC Provider sends the authorization response | "https://issuer.sunet.se/oidcrp/callback" | - | Yes (if enabled) |
| issuer_url | string | OIDC Provider's issuer URL, used for .well-known/openid-configuration discovery | "https://accounts.google.com" | - | Yes (if enabled) |
| scopes | []string | OAuth2/OIDC scopes to request (at least one scope is required, e.g. "openid") | - | ["openid", "profile", "email"] | No |
| session_duration | int | Maximum time in seconds an in-flight OIDC authorization flow (state, nonce, PKCE verifier) may remain active before it expires | - | 300 | No |
| client_name | string | Human-readable name for the OIDC client, shown during dynamic registration or consent | - | - | No |
| client_uri | string | URL of the client's homepage, used for display during consent | - | - | No |
| logo_uri | string | URL of the client's logo image, shown on consent screens | - | - | No |
| contacts | []string | List of email addresses for responsible parties of this client | - | - | No |
| tos_uri | string | URL of the client's Terms of Service document | - | - | No |
| policy_uri | string | URL of the client's Privacy Policy document | - | - | No |
| credential_mappings | object | How to map OIDC claims to credential claims. Key: credential type identifier (e.g., "pid", "diploma"), matching credential_constructor keys and OpenID4VCI credential_configuration_ids. | - | - | Yes (if enabled) |
Path:
.apigw.oidc_rp.registration
Exactly one of preconfigured or dynamic must be set.
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| preconfigured | object | Uses pre-registered client credentials. Set this when the client is already registered with the OIDC Provider. | - | - | Yes (if dynamic not set) |
| dynamic | object | Uses RFC 7591 dynamic client registration. Set this when the client should register itself at startup. | - | - | Yes (if preconfigured not set) |
Path:
.apigw.oidc_rp.registration.preconfigured
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Activates preconfigured client credentials | - | - | No |
| client_id | string | OIDC client identifier | - | - | Yes (if enabled) |
| client_secret | string | OIDC client secret | - | - | Yes (if enabled) |
Path:
.apigw.oidc_rp.registration.dynamic
When set, client credentials are obtained automatically at startup and persisted in the database.
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Activates dynamic client registration | - | - | No |
| initial_access_token | string | Bearer token for the registration request. Required by some OIDC Providers (e.g., Keycloak). | - | - | Yes (if enabled) |
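An added oidc_rp example showing both registration modes; it is illustrative and not the project's own configuration. The OP URLs, client identifiers and contact address are assumptions, the empty secret values stand in for values assumed to come from the file named by common.secret_file_path, and using OIDC claim names as the attributes keys follows the "protocol-specific identifiers" rule above but is an assumption about the OIDC case.

```yaml
# Variant A: client registered by hand at the OP (preconfigured credentials)
apigw:
  oidc_rp:
    enable: true
    issuer_url: https://op.example.org              # discovery via /.well-known/openid-configuration
    redirect_uri: https://issuer.sunet.se/oidcrp/callback
    scopes: [openid, profile]                        # request only what the mappings need
    session_duration: 300
    client_name: SUNET VC Issuer
    registration:
      preconfigured:
        enable: true
        client_id: vc-issuer
        client_secret: ""                            # placeholder; assumed to be supplied via the secrets file
    credential_mappings:
      pid:
        credential_config_id: urn:eudi:pid:1
        attributes:
          given_name:                                # OIDC claim name as the key (assumption)
            claim: identity.given_name
            required: true
          family_name:
            claim: identity.family_name
            required: true
---
# Variant B: RFC 7591 dynamic registration at startup (e.g. against Keycloak)
apigw:
  oidc_rp:
    enable: true
    issuer_url: https://keycloak.example.org/realms/vc
    redirect_uri: https://issuer.sunet.se/oidcrp/callback
    scopes: [openid, profile]
    client_name: SUNET VC Issuer
    client_uri: https://issuer.sunet.se
    contacts: [ops@example.org]
    registration:
      dynamic:
        enable: true
        initial_access_token: ""                     # placeholder; token issued by the OP admin, a secret
    credential_mappings:
      pid:
        credential_config_id: urn:eudi:pid:1
        attributes:
          given_name: {claim: identity.given_name, required: true}
          family_name: {claim: identity.family_name, required: true}
```

With dynamic registration the client credentials obtained from the OP are persisted in the database, so the MongoDB connection and database access controls (TLS, mTLS, least-privilege user) guard an OAuth client secret, not only cache data.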
Path:
.apigw.issuer_client,.apigw.registry_client,.issuer.registry_client
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| addr | string | gRPC server address | "issuer:8090" | - | Yes |
| tls | bool | Enable TLS | - | false | No |
| cert_file_path | string | Client certificate for mTLS | - | - | No |
| key_file_path | string | Client private key for mTLS | - | - | No |
| ca_file_path | string | CA certificate used to verify the server | - | - | No |
| server_name | string | Server name for TLS verification (optional) | - | - | No |
Configuration for the Issuer service that signs and issues verifiable credentials.
Path:
.issuer
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| api_server | object | HTTP API server configuration | - | - | Yes |
| grpc_server | object | gRPC server configuration | - | - | Yes |
| key_config | object | Signing key configuration | - | - | Yes |
| jwt_attribute | object | JWT credential attribute configuration | - | - | Yes |
| issuer_url | string | Issuer identifier URL | "https://issuer.sunet.se" | - | Yes |
| registry_client | object | Registry gRPC client configuration | - | - | No |
| mdoc | object | MDL/mdoc configuration | - | - | No |
| audit_log | object | Audit log configuration | - | - | No |
Path:
.issuer.grpc_server,.registry.grpc_server
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| addr | string | gRPC server listen address | - | :8090 | No |
| tls | object | mTLS configuration | - | - | No |
Path:
.issuer.grpc_server.tls,.registry.grpc_server.tls
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enable TLS | - | false | No |
| cert_file_path | string | Server certificate | - | /pki/grpc_server.crt | Yes (if enabled) |
| key_file_path | string | Server private key | - | /pki/grpc_server.key | Yes (if enabled) |
| client_ca_path | string | CA used to verify client certificates (for mTLS) | - | /pki/client_ca.crt | Yes (if enabled) |
| allowed_client_fingerprints | object | Map from SHA256 certificate fingerprint to friendly name | a1b2c3...: issuer-prod | - | No |
| allowed_client_dns | object | Map from friendly name to certificate Subject DN | apigw-prod: CN=apigw,O=SUNET | - | No |
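An added example of both ends of the apigw-to-issuer gRPC link with mutual TLS, covering the client table under .apigw.issuer_client above as well as this server table; it is illustrative and not the project's own configuration. File paths, the peer name and the Subject DN are assumptions, the fingerprint value is the SHA-256 of empty input (a constructed placeholder, not a real certificate), the exact fingerprint encoding the service expects is not stated on this page, and how the two allow-lists combine is also not stated, so the example sets both for the same peer.

```yaml
# Issuer side: the gRPC listener demands a client certificate and pins callers.
issuer:
  grpc_server:
    addr: ":8090"
    tls:
      enable: true
      cert_file_path: /pki/grpc_server.crt
      key_file_path: /pki/grpc_server.key
      client_ca_path: /pki/client_ca.crt        # every caller must present a cert chaining to this CA
      # CA validation alone admits any certificate that CA ever signs. Pinning
      # narrows it to the specific apigw deployment.
      allowed_client_fingerprints:
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": apigw-prod   # placeholder value
      allowed_client_dns:
        apigw-prod: "CN=apigw,O=SUNET"
---
# apigw side: the gRPC client presents its own certificate and verifies the
# issuer against the private CA rather than the system pool.
apigw:
  issuer_client:
    addr: issuer:8090
    tls: true
    cert_file_path: /pki/apigw_client.crt      # subject CN=apigw,O=SUNET, issued by client_ca.crt
    key_file_path: /pki/apigw_client.key
    ca_file_path: /pki/grpc_server_ca.crt      # CA that issued grpc_server.crt
    server_name: issuer                        # name to check against the server certificate's SANs
```

Rotating the apigw client certificate changes its fingerprint but not its Subject DN; a deployment that pins by fingerprint must update the issuer's allow-list in the same change, or the next apigw start is refused at the TLS handshake.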
Path:
.issuer.jwt_attribute
In a later stage this should be placed under the authentic source so that credentials are issued based on that configuration.
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| issuer | string | Issuer of the token | https://issuer.sunet.se | - | Yes |
| static_host | string | Static host of the issuer, exposing static files such as pictures | - | - | No |
| enable_not_before | bool | Set the nbf (not-before) claim on issued tokens | - | false | No |
| valid_duration | int64 | Validity duration of the token in seconds | - | 3600 | No |
| verifiable_credential_type | string | VerifiableCredentialType URL | https://credential.sunet.se/identity_credential | - | Yes |
| status | string | Status of the Verifiable Credential | - | - | No |
| kid | string | Key ID (kid) of the signing key | - | - | No |
Path:
.issuer.mdoc
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| certificate_chain_path | string | Path to the PEM certificate chain. TODO(pki): consider folding into pki.KeyConfig.ChainPath to unify certificate chain loading with the standard key material configuration. | - | - | Yes |
| default_validity | duration | Default credential validity (default: 365 days) | - | 8760h | No |
| digest_algorithm | string | Digest algorithm: "SHA-256", "SHA-384", or "SHA-512" | - | SHA-256 | No |
Path:
.issuer.audit_log
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enable audit logging | - | false | No |
| destinations | []string | List of log destinations (console/stdout, file path, or HTTP URL) | ["stdout", "/var/log/audit.log", "https://audit.sunet.se/webhook"] | - | Yes (if enabled) |
| file_sync_interval | duration | Fsync behavior for file destinations. 0 = fsync after every write (strict durability, lower throughput). >0 = periodic batched fsync at the given interval (better throughput, bounded data-loss window). Has no effect on console or webhook destinations. | - | 5s | No |
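An added .issuer example combining the jwt_attribute, mdoc and audit_log settings; it is illustrative and not the project's own configuration. Paths, the key id and the webhook URL are assumptions, and the gRPC server is shown without TLS only to keep the fragment short.

```yaml
issuer:
  issuer_url: https://issuer.sunet.se
  api_server:
    addr: ":8080"
  grpc_server:
    addr: ":8090"
  key_config:
    private_key_path: /pki/issuer_signing.key
    chain_path: /pki/issuer_chain.pem
  jwt_attribute:
    issuer: https://issuer.sunet.se
    verifiable_credential_type: https://credential.sunet.se/identity_credential
    enable_not_before: true       # emit nbf so verifiers can reject a token presented before it was issued
    valid_duration: 3600          # one hour; a short lifetime bounds the window in which a leaked token is usable
    kid: issuer-2026-01           # key id placed in the JOSE header
  mdoc:
    certificate_chain_path: /pki/mdoc_chain.pem
    default_validity: 8760h       # one year
    digest_algorithm: SHA-256
  audit_log:
    enable: true
    destinations:
      - stdout                    # picked up by the container runtime
      - /var/log/vc/audit.log     # local file, subject to file_sync_interval
      - https://audit.sunet.se/webhook   # off-host copy, unaffected by file_sync_interval
    file_sync_interval: 0s        # fsync after every write: no audit record lost on a crash, at the cost of throughput
```

With the 5s default a crash can drop up to five seconds of audit records from the file destination; for an issuer whose audit trail is the record of who was issued what, 0 (per-write fsync) plus an off-host webhook destination is the safer pairing.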
Configuration for the Verifier service that verifies credentials and acts as an OIDC Provider.
Path:
.verifier
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| api_server | object | HTTP API server configuration | - | - | Yes |
| public_url | string | Public URL of this service (must be a valid HTTP/HTTPS URL) | "https://verifier.sunet.se" | - | Yes |
| key_config | object | Signing key configuration | - | - | Yes |
| oauth_server | object | OAuth2 server configuration | - | - | Yes |
| preferred_vp_formats | object | Informational VP formats and algorithms supported by wallets | - | - | No |
| supported_wallets | object | Supported wallet configurations | - | - | No |
| oidc_op | object | OIDC Provider configuration | - | - | No |
| openid4vp | object | OpenID4VP configuration | - | - | No |
| digital_credentials | object | W3C Digital Credentials API configuration | - | - | No |
| authorization_page_css | object | Authorization page styling configuration | - | - | No |
| credential_display | object | Credential display settings | - | - | No |
| trust | object | Trust evaluation configuration | - | - | No |
Path:
.verifier.preferred_vp_formats
Used in client_metadata and Wallet metadata to indicate supported formats and algorithms.
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| ldp_vc | object | Configuration for the W3C VC Data Integrity format (ldp_vc) | - | - | No |
| jwt_vc_json | object | Configuration for the JWT-based W3C VC format (jwt_vc_json) | - | - | No |
| dc+sd-jwt | object | Configuration for the SD-JWT VC format (dc+sd-jwt) | - | - | No |
| mso_mdoc | object | Configuration for the ISO mdoc format (mso_mdoc) | - | - | No |
Path:
.verifier.preferred_vp_formats.ldp_vc
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| proof_type_values | []string | Non-empty array containing identifiers of the proof types supported. If present, the proof type of the presented VC/VP MUST match one of the array values. | ["DataIntegrityProof", "Ed25519Signature2020"] | - | No |
| cryptosuite_values | []string | Non-empty array containing identifiers of the cryptosuites supported. Used when one of the proof types in proof_type_values supports multiple cryptosuites. | ["ecdsa-rdfc-2019", "ecdsa-sd-2023", "eddsa-rdfc-2022", "bbs-2023"] | - | No |
Path:
.verifier.preferred_vp_formats.jwt_vc_json
| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| alg_values | []string | Non-empty array containing identifiers of the cryptographic algorithms supported. If present, the alg JOSE header of the presented VC/VP MUST match one of the array values. | - | - | No |
Path: `.verifier.preferred_vp_formats.dc+sd-jwt`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| sd-jwt_alg_values | []string | Non-empty array of cryptographic algorithm identifiers supported for the Issuer-signed JWT of an SD-JWT. | - | - | No |
| kb-jwt_alg_values | []string | Non-empty array of cryptographic algorithm identifiers supported for a Key Binding JWT (KB-JWT). | - | - | No |
Path: `.verifier.preferred_vp_formats.mso_mdoc`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| issuerauth_alg_values | []int | Non-empty array of COSE algorithm identifiers supported for IssuerAuth signatures. | - | - | No |
| deviceauth_alg_values | []int | Non-empty array of COSE algorithm identifiers supported for DeviceAuth signatures or MACs. | - | - | No |
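The `preferred_vp_formats` tables above describe both what the verifier advertises and what it enforces on a presented credential. The following Go program is an added example, not code from the VC project: it maps the four sections to a `vp_formats` object and applies the "MUST match one of the array values" rule for `ldp_vc` and `jwt_vc_json`. The Go type names are this example's own, and it assumes the client_metadata object uses the same key names as the YAML fields documented here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Added example, not the verifier's own code. Struct tags reuse the YAML key
// names from this reference; that client_metadata uses exactly these key
// names is an assumption of the example.

// LdpVC mirrors .verifier.preferred_vp_formats.ldp_vc.
type LdpVC struct {
	ProofTypeValues   []string `json:"proof_type_values,omitempty"`
	CryptosuiteValues []string `json:"cryptosuite_values,omitempty"`
}

// JwtVCJSON mirrors .verifier.preferred_vp_formats.jwt_vc_json.
type JwtVCJSON struct {
	AlgValues []string `json:"alg_values,omitempty"`
}

// DcSdJwt mirrors .verifier.preferred_vp_formats.dc+sd-jwt.
type DcSdJwt struct {
	SdJwtAlgValues []string `json:"sd-jwt_alg_values,omitempty"`
	KbJwtAlgValues []string `json:"kb-jwt_alg_values,omitempty"`
}

// MsoMdoc mirrors .verifier.preferred_vp_formats.mso_mdoc (COSE algorithm ints).
type MsoMdoc struct {
	IssuerAuthAlgValues []int `json:"issuerauth_alg_values,omitempty"`
	DeviceAuthAlgValues []int `json:"deviceauth_alg_values,omitempty"`
}

// PreferredVPFormats mirrors .verifier.preferred_vp_formats; unset sections are omitted.
type PreferredVPFormats struct {
	LdpVC     *LdpVC     `json:"ldp_vc,omitempty"`
	JwtVCJSON *JwtVCJSON `json:"jwt_vc_json,omitempty"`
	DcSdJwt   *DcSdJwt   `json:"dc+sd-jwt,omitempty"`
	MsoMdoc   *MsoMdoc   `json:"mso_mdoc,omitempty"`
}

// ClientMetadataVPFormats renders the configured formats as the "vp_formats"
// member a verifier advertises in its client_metadata.
func ClientMetadataVPFormats(cfg PreferredVPFormats) (string, error) {
	wrapper := struct {
		VPFormats PreferredVPFormats `json:"vp_formats"`
	}{cfg}
	b, err := json.Marshal(wrapper)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// contains reports whether list holds v (exact, case-sensitive match).
func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// AcceptsProof applies the ldp_vc rule: when proof_type_values is present the
// presented proof type must be listed, and when cryptosuite_values is present
// the cryptosuite must be listed too. An absent list imposes no constraint.
func (c LdpVC) AcceptsProof(proofType, cryptosuite string) bool {
	if len(c.ProofTypeValues) > 0 && !contains(c.ProofTypeValues, proofType) {
		return false
	}
	if len(c.CryptosuiteValues) > 0 && !contains(c.CryptosuiteValues, cryptosuite) {
		return false
	}
	return true
}

// AcceptsAlg applies the jwt_vc_json rule: the JOSE alg header must be listed.
func (c JwtVCJSON) AcceptsAlg(alg string) bool {
	return len(c.AlgValues) == 0 || contains(c.AlgValues, alg)
}

func main() {
	// Constructed configuration: only two of the four format sections are set.
	cfg := PreferredVPFormats{
		JwtVCJSON: &JwtVCJSON{AlgValues: []string{"ES256"}},
		DcSdJwt:   &DcSdJwt{SdJwtAlgValues: []string{"ES256", "ES384"}, KbJwtAlgValues: []string{"ES256"}},
	}
	out, err := ClientMetadataVPFormats(cfg)
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Sections left nil in the configuration disappear from the advertised metadata, so a wallet never sees a format the verifier would later refuse.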
Path: `.verifier.oidc_op`
This configures how the verifier issues ID tokens and access tokens to relying parties. Note: this is NOT related to verifiable credential issuance (see IssuerConfig for VC issuance). The signing key is shared from the parent Verifier.KeyConfig.

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| issuer | string | OIDC Provider identifier that appears in ID tokens and discovery metadata. This identifies the verifier as an OpenID Provider and must match the 'iss' claim in all issued ID tokens. | "https://verifier.sunet.se" | - | Yes |
| session_duration | int | Session duration in seconds | - | 3600 | No |
| code_duration | int | Authorization code duration in seconds | - | 300 | No |
| access_token_duration | int | Access token duration in seconds | - | 3600 | No |
| id_token_duration | int | ID token duration in seconds | - | 3600 | No |
| refresh_token_duration | int | Refresh token duration in seconds | - | 86400 | No |
| subject_type | string | Subject type: "public" or "pairwise" | - | - | Yes |
| subject_salt | string | Salt for pairwise subject generation | - | - | Yes |
| static_clients | array | List of pre-configured OIDC clients. These clients are checked in addition to dynamically registered clients. | - | - | No |
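The `subject_type` and `subject_salt` fields decide whether every relying party sees the same `sub` for a user or a per-RP value. The Go program below is an added illustration, not the verifier's own implementation: it derives a pairwise subject in the style of OpenID Connect Core 1.0 section 8.1 (a hash over sector identifier, local account identifier and salt). The choice of the redirect URI host as the sector identifier, the byte separator, and the type and function names are this example's assumptions; the project's actual derivation may differ.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Added example, not the verifier's own code. Pairwise derivation follows the
// OpenID Connect Core 1.0 section 8.1 pattern (hash of sector identifier,
// local account id and salt); separator and sector choice are assumptions.

const (
	SubjectTypePublic   = "public"
	SubjectTypePairwise = "pairwise"
)

// OPSubjectConfig holds the two .verifier.oidc_op fields that shape the sub claim.
type OPSubjectConfig struct {
	SubjectType string // "public" or "pairwise"
	SubjectSalt string // secret salt, normally supplied through the secrets file
}

// sectorIdentifier reduces a client's redirect URI to its host so that every
// redirect URI of one relying party maps to the same pairwise subject.
func sectorIdentifier(redirectURI string) (string, error) {
	u, err := url.Parse(redirectURI)
	if err != nil || u.Host == "" {
		return "", fmt.Errorf("cannot derive sector identifier from %q", redirectURI)
	}
	return u.Host, nil
}

// Subject returns the sub claim for localAccountID at the relying party
// identified by redirectURI.
func (c OPSubjectConfig) Subject(localAccountID, redirectURI string) (string, error) {
	switch c.SubjectType {
	case SubjectTypePublic:
		// Public subjects are identical at every RP, so RPs can correlate users.
		return localAccountID, nil
	case SubjectTypePairwise:
		if c.SubjectSalt == "" {
			return "", errors.New("subject_salt is required when subject_type is pairwise")
		}
		sector, err := sectorIdentifier(redirectURI)
		if err != nil {
			return "", err
		}
		// The secret salt is what stops an RP that knows a local account id from
		// recomputing the hash and correlating users across sectors.
		sum := sha256.Sum256([]byte(sector + "\x00" + localAccountID + "\x00" + c.SubjectSalt))
		return base64.RawURLEncoding.EncodeToString(sum[:]), nil
	default:
		return "", fmt.Errorf("unsupported subject_type %q", c.SubjectType)
	}
}

func main() {
	// Constructed values; the salt here is not suitable for production.
	cfg := OPSubjectConfig{SubjectType: SubjectTypePairwise, SubjectSalt: "example-salt-not-for-production"}
	a, _ := cfg.Subject("user-100", "https://rp-a.example/callback")
	b, _ := cfg.Subject("user-100", "https://rp-b.example/callback")
	fmt.Println(a != b) // each RP sees a different sub for the same user
}
```

Because the derivation is deterministic, rotating `subject_salt` changes every pairwise `sub`, which is why the salt is treated as a long-lived secret rather than a value to regenerate on restart.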
Path: `.verifier.oidc_op.static_clients[]`
Static clients are configured in YAML and do not require dynamic registration. These clients are checked in addition to dynamically registered clients stored in the database.

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| client_id | string | Unique identifier for the client | - | - | Yes |
| client_secret | string | Client secret for authentication. Can be defined in the secrets file under verifier.oidc_op.static_clients as a map of client_id to client_secret. Required unless token_endpoint_auth_method is "none" (public client). | - | - | No |
| redirect_uris | []string | List of allowed redirect URIs for this client | - | - | Yes |
| allowed_scopes | []string | List of scopes this client is allowed to request. If empty, defaults to the standard OIDC scopes (openid, profile, email, address, phone). | - | - | No |
| token_endpoint_auth_method | string | Authentication method for the token endpoint. Supported values: client_secret_basic, client_secret_post, none (public client). | - | client_secret_basic | No |
| grant_types | []string | List of allowed grant types. Supported values: authorization_code, refresh_token. | - | ["authorization_code"] | No |
| response_types | []string | List of allowed response types. Supported values: code. | - | ["code"] | No |
| client_name | string | Optional human-readable name for the client | - | - | No |
Path: `.verifier.openid4vp`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| presentation_timeout | int | Presentation timeout in seconds | - | 300 | No |
| supported_credentials | array | Supported credential configurations | - | - | Yes |
| presentation_requests_dir | string | Optional directory with presentation request templates | - | - | No |
Path: `.verifier.openid4vp.supported_credentials[]`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| vct | string | Verifiable credential type | "urn:eudi:pid:1" | - | Yes |
| scopes | []string | OIDC scopes that grant access to this credential | - | - | Yes |
Path: `.verifier.digital_credentials`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enables W3C Digital Credentials API support in the browser | - | false | No |
| use_jar | bool | Use JWT Authorization Request (JAR) for wallet communication. When true, request objects are signed JWTs instead of plain JSON. | - | false | No |
| preferred_formats | []string | Order of preference for credential formats. Supported values: "vc+sd-jwt", "dc+sd-jwt", "mso_mdoc". | - | ["vc+sd-jwt", "dc+sd-jwt", "mso_mdoc"] | No |
| response_mode | string | OpenID4VP response mode for DC API flows. Supported values: "dc_api.jwt" (encrypted), "direct_post.jwt" (signed), "direct_post". | - | dc_api.jwt | No |
| allow_qr_fallback | bool | Automatically fall back to a QR code if the DC API is unavailable | - | true | No |
| deep_link_scheme | string | Deep link scheme for mobile wallet integration | "eudi-wallet://" | - | No |
Path: `.verifier.authorization_page_css`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| custom_css | string | Inline CSS injected into the authorization page. Lets deployers override the default styling without modifying templates. | - | - | No |
| css_file | string | Path to an external CSS file to include. If both custom_css and css_file are provided, both are included. | - | - | No |
| theme | string | Predefined color scheme: "light", "dark", "blue", "purple" | - | light | No |
| primary_color | string | Overrides the primary brand color | "#667eea" | - | No |
| secondary_color | string | Overrides the secondary brand color | "#764ba2" | - | No |
| logo_url | string | URL of a custom logo image | - | - | No |
| title | string | Overrides the page title | - | "Wallet Authorization" | No |
| subtitle | string | Overrides the page subtitle | - | - | No |
Path: `.verifier.credential_display`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Allows users to optionally view credential details before completing authorization. When enabled, a checkbox appears on the authorization page. | - | false | No |
| require_confirmation | bool | Requires users to review credentials before proceeding. When true, the credential display step is mandatory (the checkbox is pre-checked and disabled). | - | false | No |
| show_raw_credential | bool | Shows the raw VP token/credential on the display page. Useful for debugging and technical users. | - | false | No |
| show_claims | bool | Shows the parsed claims that will be sent to the RP. Recommended for transparency and user consent. | - | true | No |
| allow_edit | bool | Allows users to redact certain claims before they are sent to the RP (future feature). Currently not implemented. | - | false | No |
Path: `.verifier.trust`
This is used for validating W3C VC Data Integrity proofs and other trust-related operations.
Trust evaluation operates in one of two modes:
- When pdp_url is configured: "default deny" mode; all trust decisions go through the PDP.
- When pdp_url is empty: "allow all" mode; keys are resolved but always considered trusted.

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| pdp_url | string | URL of the AuthZEN PDP (Policy Decision Point) service for trust evaluation. When set, the verifier operates in "default deny" mode and trust decisions require PDP approval. When empty, it operates in "allow all" mode and resolved keys are always considered trusted. | "https://trust.sunet.se/pdp" | - | No |
| local_did_methods | []string | DID methods that can be resolved locally without go-trust. Self-contained methods such as "did:key" and "did:jwk" are always resolved locally. | - | ["did:key", "did:jwk"] | No |
| trust_policies | object | Per-role trust evaluation policies. The key is the role (e.g., "issuer", "verifier") and the value contains the policy settings. | - | - | No |
| allowed_signature_algorithms | []string | Restricts which JWT signature algorithms are accepted. If empty, defaults to a secure set: ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512, EdDSA. The "none" algorithm is NEVER allowed regardless of configuration. | ["ES256", "ES384", "ES512", "EdDSA"] | - | No |
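The `allowed_signature_algorithms` rule has two parts worth checking in code: an empty list means the documented default set, and "none" is refused even when a deployer lists it. The Go program below is an added example, not the verifier's code. It computes the effective set, reads the `alg` from a compact JWS header before any key lookup, and gates on it. The type and function names are this example's own, and treating "none" case-insensitively is this example's choice.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Added example, not the verifier's own code. Implements the rule this
// reference states for allowed_signature_algorithms.

// DefaultSignatureAlgorithms is the default set named in this reference.
var DefaultSignatureAlgorithms = []string{
	"ES256", "ES384", "ES512",
	"RS256", "RS384", "RS512",
	"PS256", "PS384", "PS512",
	"EdDSA",
}

// TrustConfig mirrors the relevant part of .verifier.trust.
type TrustConfig struct {
	AllowedSignatureAlgorithms []string
}

// EffectiveAlgorithms returns the algorithms actually accepted: the configured
// list, or the default set when it is empty, with "none" removed in every case.
func (c TrustConfig) EffectiveAlgorithms() []string {
	src := c.AllowedSignatureAlgorithms
	if len(src) == 0 {
		src = DefaultSignatureAlgorithms
	}
	out := make([]string, 0, len(src))
	for _, alg := range src {
		// Dropped even if configured; case-insensitive so spelling variants cannot re-enable it.
		if strings.EqualFold(alg, "none") {
			continue
		}
		out = append(out, alg)
	}
	return out
}

// Allowed reports whether a JWS alg header value is in the effective set.
func (c TrustConfig) Allowed(alg string) bool {
	for _, a := range c.EffectiveAlgorithms() {
		if a == alg {
			return true
		}
	}
	return false
}

// AlgOfCompactJWS reads alg from the protected header of a compact JWS without
// verifying anything; the caller decides whether to proceed to key lookup.
func AlgOfCompactJWS(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("bad protected header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("bad protected header: %w", err)
	}
	if hdr.Alg == "" {
		return "", errors.New("protected header has no alg")
	}
	return hdr.Alg, nil
}

// AcceptsToken is the gate to run before signature verification: tokens whose
// declared algorithm is outside the configured set are rejected up front.
func (c TrustConfig) AcceptsToken(token string) (bool, error) {
	alg, err := AlgOfCompactJWS(token)
	if err != nil {
		return false, err
	}
	return c.Allowed(alg), nil
}

func main() {
	cfg := TrustConfig{AllowedSignatureAlgorithms: []string{"ES256", "EdDSA", "none"}}
	fmt.Println(cfg.EffectiveAlgorithms()) // [ES256 EdDSA]
}
```

Checking the declared algorithm against the configured set before resolving any key keeps algorithm choice in the verifier's hands rather than the token's, which is the point of the field.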
Path: `.verifier.trust.trust_policies.<key>`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| trust_frameworks | []string | Accepted trust frameworks for this role | ["did:web", "did:ebsi", "etsi-tl", "openid-federation", "x509"] | - | No |
| trust_anchors | []string | Trusted root entities for this role. The format depends on the trust framework (e.g., a DID for did:web, a federation entity for OpenID Federation). | - | - | No |
| require_revocation_check | bool | Enforces revocation status checking for this role | - | false | No |
Configuration for the Registry service that manages credential status.
Path: `.registry`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| api_server | object | HTTP API server configuration | - | - | Yes |
| public_url | string | Public URL of this service (must be a valid HTTP/HTTPS URL) | "https://registry.sunet.se" | - | Yes |
| grpc_server | object | gRPC server configuration | - | - | Yes |
| token_status_lists | object | Token Status List configuration | - | - | Yes |
| admin_gui | object | Admin GUI configuration | - | - | No |
Path: `.registry.token_status_lists`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| key_config | object | Key configuration for signing Token Status List tokens | - | - | Yes |
| token_refresh_interval | int64 | How often (in seconds) new Token Status List tokens are generated. Min: 301 (more than 5 minutes), Max: 86400 (24 hours). | - | 43200 (12 hours) | No |
| section_size | int64 | Number of entries (decoys) per section | - | 1000000 (1 million) | No |
| rate_limit_requests_per_minute | int | Maximum requests per minute per IP for token status list endpoints | - | 60 | No |
Path: `.registry.admin_gui`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| enable | bool | Enables the admin GUI | - | false | No |
| username | string | Admin username | - | admin | Yes (if enabled) |
| password | string | Admin password | - | - | Yes (if enabled) |
Configuration for the Mock Authentic Source service used for testing.
Path: `.mock_as`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| api_server | object | HTTP API server configuration | - | - | Yes |
| datastore_url | string | Datastore service URL | "http://datastore:8080" | - | Yes |
| bootstrap_users | []string | List of user IDs to bootstrap on startup | - | ["100", "102"] | No |
Configuration for the User Interface service.
Path: `.ui`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| api_server | object | HTTP API server configuration | - | - | Yes |
| username | string | UI login username | - | admin | No |
| password | string | UI login password | - | - | Yes |
| session_inactivity_timeout_in_seconds | int | Session inactivity timeout in seconds | - | 1800 | No |
| services | object | Service configuration (see `.ui.services`) | - | - | No |
Path: `.ui.services`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| apigw | object | APIGW | - | - | No |
| mockas | object | Mock AS | - | - | No |
| verifier | object | Verifier | - | - | No |
Path: `.ui.services.apigw`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| base_url | string | Base URL | - | - | No |

Path: `.ui.services.mockas`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| base_url | string | Base URL | - | - | No |

Path: `.ui.services.verifier`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| base_url | string | Base URL | - | - | No |
The structure of the separate secrets file.
Path: (root)
When `.common.secret_file_path` is set, secret values in config.yaml are cleared; only non-empty fields from this file are applied. Fields omitted or left empty here remain at their zero value.

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| common | object | Common | - | - | No |
| apigw | object | APIGW | - | - | No |
| registry | object | Registry | - | - | No |
| verifier | object | Verifier | - | - | No |
| ui | object | UI | - | - | No |
Path: `.common`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| mongo | object | Mongo | - | - | No |

Path: `.common.mongo`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| uri | string | MongoDB connection string, which may include authentication credentials | - | - | No |
Path: `.apigw`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| api_server | object | API Server | - | - | No |
| oidc_rp | object | OIDC RP | - | - | No |

Path: `.apigw.api_server`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| api_auth | object | API Auth | - | - | No |

Path: `.apigw.api_server.api_auth`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| basic_auth | object | Basic Auth | - | - | No |

Path: `.apigw.api_server.api_auth.basic_auth`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| users | object | Map of usernames to passwords for HTTP Basic Authentication | `<username>: "<password>"` | - | No |
Path: `.apigw.oidc_rp`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| registration | object | Registration | - | - | No |

Path: `.apigw.oidc_rp.registration`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| preconfigured | object | Preconfigured | - | - | No |
| dynamic | object | Dynamic | - | - | No |

Path: `.apigw.oidc_rp.registration.preconfigured`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| client_secret | string | Shared secret for the pre-configured OIDC RP client | - | - | No |

Path: `.apigw.oidc_rp.registration.dynamic`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| initial_access_token | string | Bearer token required by the OP for dynamic client registration | - | - | No |
Path: `.registry`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| admin_gui | object | Admin GUI | - | - | No |

Path: `.registry.admin_gui`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| password | string | Admin GUI login password | - | - | No |
Path: `.verifier`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| oidc_op | object | OIDC OP | - | - | No |

Path: `.verifier.oidc_op`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| subject_salt | string | Secret value used to derive pairwise subject identifiers for OIDC clients | - | - | No |
| static_clients | object | Map of client_id to client_secret for static OIDC clients. Only clients listed here have their secrets applied; clients not present in this map keep whatever value the main config provides (which is empty after ClearSecrets). | `<client_id>: "<client_secret>"` | - | No |

Path: `.ui`

| Field | Type | Description | Example | Default | Required |
|---|---|---|---|---|---|
| password | string | UI login password | - | - | No |
Path: file referenced by `.common.secret_file_path`

```yaml
common:
  mongo:
    uri: "mongodb://user:password@mongo:27017/vc"
apigw:
  api_server:
    api_auth:
      basic_auth:
        users:
          <username>: "<password>"
  oidc_rp:
    registration:
      preconfigured:
        client_secret: "your-oidc-client-secret"
      dynamic:
        initial_access_token: "<secret-value>"
registry:
  admin_gui:
    password: "change-me-in-production"
verifier:
  oidc_op:
    subject_salt: "random-salt-for-pairwise-subjects"
    static_clients:
      <client_id>: "<client_secret>"
ui:
  password: "change-me-in-production"
```
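The merge semantics stated for `secret_file_path` (clear every secret in config.yaml, then apply only non-empty values from the secrets file) and for `static_clients` (only listed client_ids receive a secret; the rest stay empty) are easy to get wrong in deployment. The Go program below is an added example, not the project's loader: its structs cover only a handful of the secret-bearing fields from this reference and its type and function names are the example's own, but the merge rule is the one documented above. It ends with a startup check for confidential clients that were left without a secret.

```go
package main

import "fmt"

// Added example, not the project's own loader. Illustrative structs covering a
// few secret-bearing fields; the merge rule is the one this reference states.

// StaticClient is a .verifier.oidc_op.static_clients[] entry.
type StaticClient struct {
	ClientID                string
	ClientSecret            string
	TokenEndpointAuthMethod string // "client_secret_basic" (default when empty), "client_secret_post" or "none"
}

// Config holds the config.yaml fields used by this example.
type Config struct {
	MongoURI      string
	SubjectSalt   string
	StaticClients []StaticClient
	UIPassword    string
}

// Secrets mirrors the secrets file; StaticClients maps client_id to client_secret.
type Secrets struct {
	MongoURI      string
	SubjectSalt   string
	StaticClients map[string]string
	UIPassword    string
}

// ClearSecrets blanks every secret value that was read from config.yaml.
func (c *Config) ClearSecrets() {
	c.MongoURI = ""
	c.SubjectSalt = ""
	c.UIPassword = ""
	for i := range c.StaticClients {
		c.StaticClients[i].ClientSecret = ""
	}
}

// setIfNonEmpty is the "only non-empty fields are applied" rule for one value.
func setIfNonEmpty(dst *string, src string) {
	if src != "" {
		*dst = src
	}
}

// ApplySecrets copies non-empty values from the secrets file into c. Clients
// absent from the map keep what config.yaml had, which is empty after ClearSecrets.
func (c *Config) ApplySecrets(s Secrets) {
	setIfNonEmpty(&c.MongoURI, s.MongoURI)
	setIfNonEmpty(&c.SubjectSalt, s.SubjectSalt)
	setIfNonEmpty(&c.UIPassword, s.UIPassword)
	for i, sc := range c.StaticClients {
		setIfNonEmpty(&c.StaticClients[i].ClientSecret, s.StaticClients[sc.ClientID])
	}
}

// LoadWithSecrets applies the merge described for secret_file_path. A nil
// secrets argument models an unset secret_file_path: config.yaml values stand.
func LoadWithSecrets(c *Config, s *Secrets) {
	if s == nil {
		return
	}
	c.ClearSecrets()
	c.ApplySecrets(*s)
}

// ClientsMissingSecret lists confidential clients that ended up without a
// secret, the misconfiguration the secrets-file merge most easily produces.
func ClientsMissingSecret(c Config) []string {
	var missing []string
	for _, sc := range c.StaticClients {
		if sc.TokenEndpointAuthMethod != "none" && sc.ClientSecret == "" {
			missing = append(missing, sc.ClientID)
		}
	}
	return missing
}

func main() {
	// Constructed config.yaml content with placeholder secrets.
	cfg := Config{
		UIPassword: "from-config-yaml",
		StaticClients: []StaticClient{
			{ClientID: "rp-a", ClientSecret: "from-config-yaml"},
			{ClientID: "rp-b", ClientSecret: "from-config-yaml"},
		},
	}
	// Constructed secrets file content: only rp-a gets a secret; ui.password is omitted.
	secrets := Secrets{
		MongoURI:      "mongodb://user:password@mongo:27017/vc",
		StaticClients: map[string]string{"rp-a": "secret-from-file"},
	}
	LoadWithSecrets(&cfg, &secrets)
	fmt.Println(ClientsMissingSecret(cfg))            // [rp-b]
	fmt.Println("ui.password empty:", cfg.UIPassword == "") // true
}
```

The run shows the trap the reference warns about: a secret that lives only in config.yaml is gone once a secrets file is configured, so every secret must move to the file, and every confidential static client needs an entry in its `static_clients` map.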