Organisation Wallet Suite Overview
The Organisation Wallet Suite by iGrant.io, recognised as the European Business Wallet, enables organisations to issue, hold, and verify digital credentials for legal persons and organisations. It is available both as an on-premise solution and as a Platform as a Service (PaaS) with multi-tenant capabilities.
The suite is built on the eIDAS 2.0 framework, incorporating Regulation (EU) No 910/2014 together with its amendments in Regulation (EU) 2024/1183 and Regulation (EU) 2024/2977, as well as the latest Implementing Acts under the European Digital Identity (EUDI) Framework.
Learn more about how the European Business Wallets, shaped by real-life merchant-led scenarios that combine payments and data exchange, are enabling trust and scale in the European Digital Identity ecosystem in this article.
Supported Credential Types
| Credential | Description |
|---|---|
| PID (Person Identification Data) | Core identity attributes for natural persons (name, date of birth, nationality) |
| LPID (Legal Person Identification Data) | Identity attributes for legal entities (company name, registration number) |
| EAA (Electronic Attestation of Attributes) | Attributes issued by non-qualified trust service providers |
| QEAA (Qualified Electronic Attestation of Attributes) | Attributes issued by QTSPs with the highest legal standing across all EU Member States |
| PuB-EAA (Public Electronic Attestation of Attributes) | Attributes issued by public sector bodies from authentic sources |
| Payment Wallet Attestations | Attestations enabling payment-related use cases within the EUDI Wallet ecosystem |
Output formats supported: IETF SD-JWT, ISO/IEC 18013-5 mdoc/mDL (online presentation per ISO/IEC 18013-7), and W3C Verifiable Credentials (JWT).
Core Capabilities
The Organisation Wallet Suite provides three core functions: Issuer, Holder/Wallet Unit, and Verifier/Relying Party, all accessible within an enterprise tenant via the OpenID4VC protocol suite.
Issuer
The Organisation Wallet Suite acts as a credential issuer using the OpenID for Verifiable Credential Issuance (OpenID4VCI) protocol.
Immediate and deferred credential issuance: Pre-Authorised Code flow (with transaction code/PIN) and Authorisation Code flow with PKCE, supporting automated batch or invitation-based issuance.
Dynamic credential issuance: Request additional proof from the holder before issuing a credential.
Credential definitions: Reusable configurations following JSON Schema, with visual branding (name, description, colours, logo), output format selection, and expiration policies.
Credential revocation: Supports IETF Token Status List (draft 10) and W3C Verifiable Credentials Status List v2021.
Key and trust anchor configuration: Configure signing keys via the integrated Key Management Service. Supported trust anchor formats:
did:key, did:ebsi, did:web, and JWK.
Webhook notifications: Real-time updates at key stages of the issuance lifecycle (offer sent, received, issued, acknowledged, stored, deleted).
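The two mechanisms the issuer features above rely on, SD-JWT selective disclosure and the IETF Token Status List, are small enough to show end to end. The following is an added example written for this page, not iGrant.io code: the claim names, the status-list URI and the credential contents are constructed, and signature verification of the issuer JWT and of the holder's key-binding JWT is assumed to happen before this step (the JWT below carries a placeholder signature). It issues an SD-JWT whose signed payload contains only salted digests, has the holder present a subset of disclosures, and has the verifier rebind each disclosure to the `_sd` digests and look up the credential's bit in a DEFLATE-compressed status list.

```python
"""SD-JWT selective disclosure plus Token Status List revocation, issuer to verifier.
Added example, not iGrant.io code. Signature checks on the issuer JWT and the
key-binding JWT are assumed to be done earlier and are omitted here."""
import base64
import hashlib
import json
import secrets
import zlib


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    # Disclosure = base64url(JSON [salt, name, value]); the 128-bit salt stops a
    # verifier from brute-forcing low-entropy undisclosed values from their digest.
    salt = b64url_encode(secrets.token_bytes(16))
    return b64url_encode(json.dumps([salt, name, value], separators=(",", ":")).encode())


def disclosure_digest(disclosure: str) -> str:
    # The signed payload carries only sha-256 digests of the disclosures in "_sd".
    return b64url_encode(hashlib.sha256(disclosure.encode("ascii")).digest())


def build_status_list(statuses, bits: int = 1) -> dict:
    # Token Status List: statuses packed LSB-first starting at byte 0, then zlib
    # (DEFLATE) compressed and base64url encoded. bits=1: valid/revoked; bits=2 adds suspended.
    per_byte = 8 // bits
    raw = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, status in enumerate(statuses):
        raw[idx // per_byte] |= (status & ((1 << bits) - 1)) << ((idx % per_byte) * bits)
    return {"bits": bits, "lst": b64url_encode(zlib.compress(bytes(raw), 9))}


def read_status(status_list: dict, idx: int) -> int:
    bits = status_list["bits"]
    per_byte = 8 // bits
    raw = zlib.decompress(b64url_decode(status_list["lst"]))
    if idx // per_byte >= len(raw):
        raise ValueError("status index outside the published list")
    return (raw[idx // per_byte] >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)


def issue_sd_jwt(visible: dict, disclosable: dict, status_uri: str, status_idx: int) -> str:
    disclosures = [make_disclosure(k, v) for k, v in disclosable.items()]
    payload = dict(visible)
    payload["_sd"] = sorted(disclosure_digest(d) for d in disclosures)
    payload["_sd_alg"] = "sha-256"
    payload["status"] = {"status_list": {"uri": status_uri, "idx": status_idx}}
    header = {"alg": "ES256", "typ": "dc+sd-jwt"}
    jwt = ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"placeholder-signature"),  # a real issuer signs with its trust-anchor key
    ])
    # Combined format: <issuer JWT>~<disclosure>~...~<disclosure>~[<KB-JWT>]
    return "~".join([jwt, *disclosures]) + "~"


def present(sd_jwt: str, reveal) -> str:
    # Holder keeps only the disclosures the relying party asked for.
    jwt, *disclosures, _kb = sd_jwt.split("~")
    kept = [d for d in disclosures if json.loads(b64url_decode(d))[1] in reveal]
    return "~".join([jwt, *kept]) + "~"


def verify_presentation(presentation: str, status_lists: dict) -> dict:
    jwt, *disclosures, _kb_jwt = presentation.split("~")
    claims = json.loads(b64url_decode(jwt.split(".")[1]))
    if claims.pop("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    allowed = set(claims.pop("_sd", []))
    for d in disclosures:
        if disclosure_digest(d) not in allowed:
            raise ValueError("disclosure is not bound to the signed _sd digests")
        _salt, name, value = json.loads(b64url_decode(d))
        if name in claims:
            raise ValueError(f"claim {name!r} supplied twice")
        claims[name] = value
    ref = claims["status"]["status_list"]
    if read_status(status_lists[ref["uri"]], ref["idx"]) != 0:
        raise ValueError("credential is revoked or suspended")
    return claims


def demo() -> dict:
    uri = "https://issuer.example/status/1"  # constructed
    statuses = [0] * 8
    statuses[3] = 1  # index 3 revoked
    lists = {uri: build_status_list(statuses)}
    visible = {"iss": "https://issuer.example", "vct": "urn:example:lpid"}
    disclosable = {"legal_name": "Example AB", "registration_number": "556000-0001",
                   "registered_address": "Storgatan 1, Stockholm"}
    good = issue_sd_jwt(visible, disclosable, uri, 1)
    revoked = issue_sd_jwt(visible, disclosable, uri, 3)
    shown = verify_presentation(present(good, {"legal_name"}), lists)
    try:
        verify_presentation(present(revoked, {"legal_name"}), lists)
        revoked_rejected = False
    except ValueError:
        revoked_rejected = True
    return {"claims": shown, "revoked_rejected": revoked_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verifier never sees `registration_number` or `registered_address`: their digests stay in `_sd`, but without the disclosures they are unrecoverable. Swapping in a disclosure the issuer did not sign fails the digest check, and a revoked index fails the status lookup regardless of which claims were disclosed.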
Holder / Wallet Unit
The Wallet Unit (WU) enables organisations (companies, institutions, or departments) to securely receive, store, and present digital credentials, much like individuals use personal wallets.
Receive and store credentials from trusted issuers (government authorities, regulators, data providers) with secure cloud storage.
Present credentials to relying parties for verification.
Role-based access and delegation for users within the organisation.
The Wallet Unit can also be integrated into a Natural Person Wallet that supports such integrations.
Verifier / Relying Party
The Organisation Wallet Suite functions as a verifier using the OpenID for Verifiable Presentations (OpenID4VP) protocol, enabling secure validation of verifiable credentials held by individuals or organisations.
Receive and verify presentations: Holders respond to presentation requests, disclosing only the requested claims (selective disclosure).
Request and validate credentials: Define the required credentials and claims, send the presentation request, and validate the returned presentation against the configured trust anchors and revocation status.
Presentation definitions: Reusable verification requests following Presentation Exchange v2.0, with support for multiple input descriptors and visual branding.
Webhook notifications: Real-time updates throughout the verification process (request sent, received, presentation acknowledged, processed).
The Organisation Wallet Suite supports DCQL, which enables granular, multi-credential queries in a single request. This is particularly useful for merchant-led scenarios where payments and data exchange are combined in one flow. See our article on DCQL in business wallet payments for practical examples.
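To make the multi-credential query concrete, here is an added example, written for this page rather than taken from iGrant.io, of how a wallet evaluates a DCQL query (OpenID4VP 1.0 Digital Credentials Query Language) against its stored credentials. The merchant query, the wallet contents and the `vct`/`doctype` values are constructed; it asks for a legal-person credential and a payment attestation as one required set, with an mDL as an optional add-on. DCQL `claim_sets` and `trusted_authorities` are not handled.

```python
"""Evaluate a DCQL query against a wallet's credentials.
Added example, not iGrant.io code; query and wallet contents are constructed."""
import json


def resolve_path(value, path):
    """Apply a DCQL claims path: a string selects an object key, an integer an
    array index, and null (None) every element of an array. Returns the list of
    selected values, or None if any step cannot be applied."""
    current = [value]
    for step in path:
        selected = []
        for node in current:
            if step is None:
                if not isinstance(node, list):
                    return None
                selected.extend(node)
            elif isinstance(step, bool):  # bool is an int subclass; not a valid step
                return None
            elif isinstance(step, int):
                if not isinstance(node, list) or not 0 <= step < len(node):
                    return None
                selected.append(node[step])
            elif isinstance(node, dict) and step in node:
                selected.append(node[step])
            else:
                return None
        current = selected
    return current


def match_credential(query_cred: dict, wallet_cred: dict):
    """Return the claims selected from wallet_cred if it satisfies query_cred, else None."""
    if query_cred["format"] != wallet_cred["format"]:
        return None
    meta = query_cred.get("meta", {})
    if "vct_values" in meta and wallet_cred["claims"].get("vct") not in meta["vct_values"]:
        return None
    if "doctype_value" in meta and wallet_cred.get("doctype") != meta["doctype_value"]:
        return None
    selected = {}
    for claim in query_cred.get("claims", []):
        values = resolve_path(wallet_cred["claims"], claim["path"])
        if values is None:
            return None
        # "values": at least one selected value must be in the allowed list.
        if "values" in claim and not any(v in claim["values"] for v in values):
            return None
        key = "/".join("*" if p is None else str(p) for p in claim["path"])
        selected[key] = values[0] if len(values) == 1 else values
    return selected


def evaluate_dcql(query: dict, wallet: list):
    """Return {query credential id: {"credential": wallet id, "claims": {...}}} for
    the credentials to present, or None if a required credential set is unsatisfiable."""
    matches = {}
    for qc in query["credentials"]:
        for wc in wallet:
            selected = match_credential(qc, wc)
            if selected is not None:
                matches[qc["id"]] = {"credential": wc["id"], "claims": selected}
                break
    # Without credential_sets, every listed credential is required.
    sets = query.get("credential_sets") or [
        {"options": [[qc["id"] for qc in query["credentials"]]], "required": True}
    ]
    chosen = {}
    for cs in sets:
        option = next((o for o in cs["options"] if all(cid in matches for cid in o)), None)
        if option is None:
            if cs.get("required", True):
                return None
            continue
        for cid in option:
            chosen[cid] = matches[cid]
    return chosen


WALLET = [  # constructed holder wallet contents
    {"id": "cred-1", "format": "dc+sd-jwt",
     "claims": {"vct": "urn:example:lpid", "legal_name": "Example AB",
                "registration_number": "556000-0001"}},
    {"id": "cred-2", "format": "dc+sd-jwt",
     "claims": {"vct": "urn:example:payment-wallet-attestation",
                "account": {"iban": "SE0000000000000000000000", "currency": "SEK"}}},
    {"id": "cred-3", "format": "mso_mdoc", "doctype": "org.iso.18013.5.1.mDL",
     "claims": {"org.iso.18013.5.1": {"family_name": "Andersson",
                                      "driving_privileges": [{"vehicle_category_code": "B"}]}}},
]

MERCHANT_QUERY = {  # constructed: company identity plus payment account, mDL optional
    "credentials": [
        {"id": "lpid", "format": "dc+sd-jwt", "meta": {"vct_values": ["urn:example:lpid"]},
         "claims": [{"path": ["legal_name"]}, {"path": ["registration_number"]}]},
        {"id": "payment", "format": "dc+sd-jwt",
         "meta": {"vct_values": ["urn:example:payment-wallet-attestation"]},
         "claims": [{"path": ["account", "iban"]},
                    {"path": ["account", "currency"], "values": ["EUR", "SEK"]}]},
        {"id": "mdl", "format": "mso_mdoc", "meta": {"doctype_value": "org.iso.18013.5.1.mDL"},
         "claims": [{"path": ["org.iso.18013.5.1", "driving_privileges", None,
                              "vehicle_category_code"]}]},
    ],
    "credential_sets": [
        {"options": [["lpid", "payment"]], "required": True},
        {"options": [["mdl"]], "required": False},
    ],
}

if __name__ == "__main__":
    print(json.dumps(evaluate_dcql(MERCHANT_QUERY, WALLET), indent=2))
```

The point to notice is that one request resolves three credentials in three formats, and that the `required` flag on each credential set decides whether a missing credential aborts the whole presentation or just drops an optional part of it.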
Platform Features
Multi-tenant with self-service: Supports multiple organisations within a single instance with data privacy and segregation, and a self-service interface for credential issuance and verification management.
Interoperability: Integrates with existing systems and supports data portability across platforms using OpenID4VCI/OpenID4VP (JWT/SD-JWT).
Multiple attestation types: Modular architecture supporting various EAAs, QEAAs, and PuB-EAAs, with the ability to incorporate new credential types without system overhauls.
Multiple trust anchors: Supports both ledger and non-ledger trust registries including EBSI, EU Trust List (ETSI TS 119 612), and others.
Webhook support: Real-time notifications throughout issuance and verification workflows for enterprise system integration. See the webhooks documentation.
Security and data privacy: Cryptographic functions complying with SOG-IS/BSI CSP2 security standards, with data protected in transit and at rest. Privacy considerations adhere to eIDAS 2.0 requirements, addressing unobservability and unlinkability.
Deployment Options
The Organisation Wallet Suite is available in two deployment models: on-premise and PaaS. Deployable containers are published via the Artefact Hub. See the on-premise deployment guide for setup instructions.
Both deployment models share the following defaults:
| Feature | Default | Configurable options |
|---|---|---|
| Key Storage | iGrant.io Secure Vault, own HSM-as-a-service, QTSP (CSC API v1.0.4.0) | Bring your own HSM via HashiCorp Vault, FIDO2, external QTSP |
| Credential and Metadata Storage | MongoDB / PostgreSQL | Not configurable |
| Identity Management | Pre-built IDAM (Keycloak). Customer IDAM integration available as an additional offering. | OpenID Connect |
The key difference between the two models is infrastructure:
| Model | Infrastructure |
|---|---|
| On-Premise | Any Kubernetes Cluster: RedPill Linpro (Sweden), GCP, AWS, or Azure |
| PaaS | Kubernetes Cluster with region selection: RedPill Linpro (Sweden), GCP, AWS, or Azure |
Key Management Options
| Option | Description |
|---|---|
| iGrant.io Secure Vault | Default option where iGrant.io manages key storage and liability. |
| HashiCorp Vault | Bring your own key management systems (with or without HSM), offloading key storage liability to your organisation. |
| External QTSP | Third-party QTSP integration via a value-added reseller (VAR) model, transferring key management and signing liabilities to the external provider. |
EUDI Wallet Ecosystem Roles
The following roles are defined by the European Digital Identity Wallet Architecture and Reference Framework (ARF) under Regulation (EU) 2024/1183 (eIDAS 2.0):
| Role | Definition |
|---|---|
| Wallet Provider | A natural or legal person who provides Wallet Solutions. Member States either mandate or recognise Wallet Providers to make a Wallet Solution available to Users. |
| PID Provider | A natural or legal person responsible for issuing and revoking Person Identification Data (PID) and ensuring that the PID of a user is cryptographically bound to a Wallet Unit. PID Providers are appointed by Member States. |
| Attestation Provider | A collective term for QEAA Provider, PuB-EAA Provider, or (non-qualified) EAA Provider. |
| QEAA Provider | A Qualified Trust Service Provider (QTSP) that issues QEAAs meeting the requirements laid down in Annex V of the eIDAS Regulation. QEAAs carry the highest legal standing with a presumption of accuracy across all EU Member States. |
| PuB-EAA Provider | A public sector body responsible for an authentic source, or designated by a Member State, that issues electronic attestations of attributes in accordance with Article 45f and Annex VII of the eIDAS Regulation. |
| EAA Provider | A non-qualified Trust Service Provider that issues EAAs, governed by sectoral rules rather than the eIDAS QTSP trust framework. |
| Relying Party | A natural or legal person that relies upon electronic identification, European Digital Identity Wallets or other electronic identification means, or upon a trust service. |
| QTSP | A Qualified Trust Service Provider who provides one or more qualified trust services and is granted qualified status by the supervisory body. |
For the full list of definitions, see ARF Annex 1 - Definitions.
Getting Started
Ready to explore the Organisation Wallet Suite? Here are your next steps:
- Developer documentation: Protocol versions, API references, and supported features.
- On-premise deployment guide: Set up the suite on your own infrastructure using Helm charts.
- Issuance workflow: Issue your first credential using the OpenID4VCI protocol.
- Verification workflow: Verify credentials using the OpenID4VP protocol.
- Webhooks: Integrate real-time event notifications into your enterprise systems.
For access to the hosted platform or to discuss enterprise requirements, contact [email protected].