Organisation Wallet Overview
The Organisation Wallet by iGrant.io lets a legal person (an organisation) act as issuer, holder and verifier of verifiable credentials under the eIDAS 2.0 framework. It implements Regulation (EU) No 910/2014 (eIDAS) as amended by Regulation (EU) 2024/1183, together with Commission Implementing Regulation (EU) 2024/2977 and the other Implementing Acts adopted under the European Digital Identity (EUDI) Framework. The solution is available both as an on-premise deployment and as a Platform-as-a-Service (PaaS), with multi-tenant capabilities, making it suitable for any application that needs to issue or verify credentials. It supports a range of credential types, including PID (Person Identification Data), LPID (Legal Person Identification Data), EAAs (Electronic Attestations of Attributes), QEAAs (Qualified Electronic Attestations of Attributes), Payment Wallet Attestations and more.
Core Capabilities
The issuer, holder (wallet unit) and verifier (relying party) functions are summarised below:
Issuer
Within an enterprise tenant, the iGrant.io Organisation Wallet acts as a credential issuer using the OpenID for Verifiable Credential Issuance (OpenID4VCI) protocol; see the developer documentation for the exact protocol draft version supported. The following key workflows are supported:
Immediate (in-time) and deferred credential issuance, using either the Pre-Authorized Code Flow (with a transaction code/PIN) or the Authorization Code Flow with PKCE. iGrant.io uses these flows for automated batch issuance and for invitation-based issuance.
Dynamic credential issuance: lets an organisation request additional proof from the wallet (typically the presentation of another credential during the authorization step) before issuing a credential.
Webhook Support during Issuance: The Organisation Wallet supports webhook notifications throughout the credential issuance process, making it easy to integrate with enterprise systems and workflows. These webhooks provide real-time updates at key stages, for example, when a credential offer is sent, received by the wallet, issued, acknowledged by the holder, accepted into storage, or deleted. This event-based model gives organisations greater visibility and control over the full lifecycle of credential issuance, helping to automate actions or trigger business logic as needed. For implementation details and a complete list of supported events, refer to the webhooks documentation, specifically the issuer webhooks section.
Credential definitions for reusable configurations: Organisations can define credential definitions that are reused across multiple issuances. A definition uses JSON Schema to constrain the claims within a credential. In addition, organisations can configure visual branding, such as credential name, description, text color, background color and logo. Credential definitions also select the output format, including IETF SD-JWT, ISO/IEC 18013-7 mdoc/mDL or W3C VC (JWT), so the organisation controls how credentials are structured and delivered. Other settings, such as the validity period (expiry), can also be defined to suit specific credential lifecycles and policies.
Credential Status Mechanism (Revocation): Organisations can configure the credential status mechanism at the time of defining the credential definition. The iGrant.io Organisation Wallet currently supports the IETF Token Status List (draft 10) and the W3C Verifiable Credentials Status List v2021, enabling effective revocation and status management for issued credentials.
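As an added illustration of the IETF Token Status List mechanism named above (example code written for this page, not iGrant.io's implementation): the issuer side packs one status value per credential into the draft's bit array, compresses it with zlib/DEFLATE and base64url-encodes it for the `status_list` claim of the Status List Token; the verifier side decodes that claim and reads the entry at the index the credential references in its `status.status_list` claim. The status values, index numbers and URI below are constructed for the example. Signature verification of the Status List Token and its freshness checks (`exp`, `ttl`) are assumed to have happened before this code runs.

```python
"""
Added example (not iGrant.io code): build and check an IETF Token Status List
(draft-ietf-oauth-status-list) as an issuer publishes it and a verifier reads it.
"""
import base64
import zlib

# Status values defined by the draft (2-bit and wider variants).
VALID, INVALID, SUSPENDED = 0x00, 0x01, 0x02


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pack_statuses(statuses, bits: int = 1) -> bytes:
    """Pack status values into the draft's byte layout: `bits` bits per entry,
    index 0 in the least significant bits of byte 0, index 1 just above it."""
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte = 8 // bits
    out = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, status in enumerate(statuses):
        if not 0 <= status < (1 << bits):
            raise ValueError(f"status {status} does not fit in {bits} bits")
        out[idx // per_byte] |= status << (bits * (idx % per_byte))
    return bytes(out)


def build_status_list_claim(statuses, bits: int = 1) -> dict:
    """Issuer side: the `status_list` claim of the Status List Token (bit width
    plus the zlib-compressed, base64url-encoded array)."""
    compressed = zlib.compress(pack_statuses(statuses, bits), 9)
    return {"bits": bits, "lst": b64url_encode(compressed)}


def status_at(status_list_claim: dict, idx: int) -> int:
    """Verifier side: decode the `status_list` claim and read entry `idx`."""
    bits = status_list_claim["bits"]
    raw = zlib.decompress(b64url_decode(status_list_claim["lst"]))
    per_byte = 8 // bits
    byte_idx = idx // per_byte
    if byte_idx >= len(raw):
        # An index beyond the published list is a malformed reference, not "valid".
        raise IndexError(f"index {idx} is outside the published status list")
    return (raw[byte_idx] >> (bits * (idx % per_byte))) & ((1 << bits) - 1)


def is_credential_acceptable(credential_claims: dict, status_token_payload: dict) -> bool:
    """Resolve the credential's `status.status_list` reference against a
    (already signature-verified) Status List Token payload. The token's `sub`
    must equal the `uri` the credential points at, or an attacker could present
    a list for some other credential population."""
    ref = credential_claims["status"]["status_list"]
    if status_token_payload.get("sub") != ref["uri"]:
        raise ValueError("status list token does not belong to the referenced uri")
    return status_at(status_token_payload["status_list"], ref["idx"]) == VALID


if __name__ == "__main__":
    # Constructed sample: 2-bit list, twelve credentials, index 1 suspended.
    claim = build_status_list_claim([1, 2, 0, 3, 0, 1, 0, 1, 1, 2, 3, 3], bits=2)
    token = {"sub": "https://issuer.example/statuslists/1", "status_list": claim}
    cred = {"status": {"status_list": {"idx": 2, "uri": token["sub"]}}}
    print(claim, is_credential_acceptable(cred, token))
```

Two checks a practitioner should keep even in a minimal verifier: reject a Status List Token whose `sub` does not match the credential's `uri`, and treat an index past the end of the list as an error rather than as a valid credential.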
Key and Trust Anchor Configuration: Organisations can configure the keys used for signing credentials via the integrated Key Management Service. Additionally, they can choose the format in which the trust anchor's public key identifier is represented, such as did:key, did:ebsi, did:web or JWK, ensuring compatibility with various ecosystems and trust frameworks.
Holder or Wallet Unit
Within an enterprise tenant, the iGrant.io Wallet Unit (WU) enables organisations to act as holders of verifiable credentials, much like individuals use personal wallets. As a key component of the iGrant.io Organisation Wallet architecture, the Wallet Unit enables entities, such as companies, institutions, or departments, to securely receive, store, and present digital credentials in a standards-compliant manner.
Organisational Wallet Units are used to:
Receive credentials from trusted issuers (e.g. government authorities, regulators, data providers) and store them securely in the cloud.
Present credentials to relying parties for verification.
Provide role-based access and delegation to users within the organisation.
In addition, the iGrant.io Organisation Wallet Unit can be integrated with a natural-person wallet that supports such integrations.
Verifier or Relying Party
Within an enterprise tenant, the iGrant.io Organisation Wallet Suite can function as a verifier, or Relying Party, enabling secure and standards-compliant validation of verifiable credentials through the OpenID for Verifiable Presentations (OpenID4VP) protocol. This allows enterprise systems to request and verify credentials held by individuals or organisations in a trusted and interoperable manner. The following key workflows are supported:
Receive and present credentials: Enables holders to securely respond to presentation requests using OpenID4VP, with support for selective disclosure and trusted credential formats.
Send and verify credentials: Allows verifiers or relying parties to define credential requirements, initiate verification requests, and validate received verifiable presentations in compliance with OpenID4VP standards.
Webhook Support during Verification: The Organisation Wallet also supports webhook notifications throughout the credential verification process, enabling seamless integration with enterprise systems acting as verifiers or relying parties. These webhooks provide real-time updates at key points, such as when a presentation request is sent, received by the holder, and when a presentation is acknowledged and processed. This event-driven approach provides enhanced visibility and automation throughout the verification workflow. For implementation details and a complete list of supported events, refer to the webhooks documentation, specifically the verifier webhooks section.
Presentation definitions for reusable verification requests: Organisations can define presentation definitions that are reusable across multiple verifications. These definitions follow the Presentation Exchange v2.0 specification to express the rules or constraints that must be satisfied by the credentials presented by the holder. Presentation definitions can include multiple input descriptors to request verification of several credentials in a single interaction. Additionally, organisations can configure branding such as name, description, text color, background color, and logo to tailor the user experience during the presentation request flow.
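As an added example (written for this page, not iGrant.io code) of a reusable presentation definition as described above: a Presentation Exchange v2.0 definition with two input descriptors, so one request asks for both an LPID-style credential and a bank-account attestation, followed by a minimal evaluator a relying party could run over the disclosed claim sets it receives. The definition id, `vct` values, claim names and credentials are all constructed for the example. The evaluator supports only dotted JSONPath (`$.a.b`) and the JSON Schema subset `type`, `const`, `enum`, `pattern`, `minimum` and `maximum`; the same subset evaluator also serves to check claims against the JSON Schema constraints of a credential definition.

```python
"""
Added example (not iGrant.io code): a DIF Presentation Exchange v2.0
presentation definition with two input descriptors, and a minimal evaluator.
"""
import re

PRESENTATION_DEFINITION = {
    "id": "supplier-onboarding",  # constructed
    "name": "Supplier onboarding",
    "input_descriptors": [
        {
            "id": "lpid",
            "name": "Legal Person Identification Data",
            "constraints": {
                "limit_disclosure": "required",  # holder must disclose only these fields
                "fields": [
                    {"path": ["$.vct"], "filter": {"type": "string", "const": "urn:example:lpid"}},
                    {"path": ["$.legal_name"]},
                    {"path": ["$.legal_person_id"],
                     "filter": {"type": "string", "pattern": "^[A-Z]{2}[0-9A-Z]+$"}},
                ],
            },
        },
        {
            "id": "bank-account",
            "name": "Verified bank account",
            "constraints": {
                "fields": [
                    {"path": ["$.vct"], "filter": {"type": "string", "const": "urn:example:bank-account"}},
                    {"path": ["$.iban"],
                     "filter": {"type": "string", "pattern": "^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$"}},
                    # Alternative paths let one descriptor match differently named claims.
                    {"path": ["$.account_holder", "$.holder_name"]},
                ],
            },
        },
    ],
}

_MISSING = object()
_TYPES = {"string": str, "number": (int, float), "integer": int,
          "boolean": bool, "object": dict, "array": list}


def resolve_path(doc, path: str):
    """Resolve a dotted JSONPath rooted at `$` (a subset of what PEX allows)."""
    if not path.startswith("$"):
        raise ValueError("only paths rooted at $ are supported")
    cur = doc
    for part in path[1:].split("."):
        if part == "":
            continue
        if not isinstance(cur, dict) or part not in cur:
            return _MISSING
        cur = cur[part]
    return cur


def matches_filter(value, schema: dict) -> bool:
    """Evaluate the JSON Schema subset used in PEX field filters."""
    if "type" in schema:
        # bool is a subclass of int in Python; JSON Schema treats it as a distinct type.
        if isinstance(value, bool) and schema["type"] in ("number", "integer"):
            return False
        if not isinstance(value, _TYPES[schema["type"]]):
            return False
    if "const" in schema and value != schema["const"]:
        return False
    if "enum" in schema and value not in schema["enum"]:
        return False
    if "pattern" in schema and not (isinstance(value, str) and re.search(schema["pattern"], value)):
        return False
    if "minimum" in schema and not (isinstance(value, (int, float)) and value >= schema["minimum"]):
        return False
    if "maximum" in schema and not (isinstance(value, (int, float)) and value <= schema["maximum"]):
        return False
    return True


def field_satisfied(claims: dict, field: dict) -> bool:
    """The first path that resolves is the one the filter is applied to."""
    for path in field["path"]:
        value = resolve_path(claims, path)
        if value is not _MISSING:
            return matches_filter(value, field.get("filter", {}))
    return bool(field.get("optional", False))


def descriptor_satisfied(claims: dict, descriptor: dict) -> bool:
    return all(field_satisfied(claims, f) for f in descriptor["constraints"].get("fields", []))


def evaluate(definition: dict, credentials: list) -> dict:
    """Map each input_descriptor id to the index of the first disclosed claim
    set that satisfies it; a missing id means the presentation must be rejected."""
    result = {}
    for descriptor in definition["input_descriptors"]:
        for i, claims in enumerate(credentials):
            if descriptor_satisfied(claims, descriptor):
                result[descriptor["id"]] = i
                break
    return result


def all_satisfied(definition: dict, credentials: list) -> bool:
    matched = evaluate(definition, credentials)
    return all(d["id"] in matched for d in definition["input_descriptors"])
```

The evaluator only decides whether the disclosed claims meet the definition; in a real relying party it runs after the SD-JWT or mdoc signatures, key binding and status have been verified, never instead of them.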
Deployment Options
Deployment Option: On-Premise
In the on-premise option, you deploy the Docker images on your own servers or in your own cloud.
Feature | Default | Configurability |
---|---|---|
Key Storage | | |
Credential Storage | Encrypted storage (SQLCipher) | Bring your own credential storage |
Metadata Storage | MongoDB / PostgreSQL | Not configurable |
Identity Management | Pre-built IDAM (Keycloak) | OpenID Connect or SAML |
Infrastructure | Any K8s cluster: RedPill Linpro (Sweden), GCP, AWS or Azure | |
Deployment Option: PaaS
In the platform-as-a-service option, the service is hosted and managed by iGrant.io, with a certain level of configurability.
Feature | Default | Configurability |
---|---|---|
Key Storage | iGrant.io Secure Vault | Configure own HSM-as-a-service |
Credential Storage | Encrypted storage (SQLCipher) | Not configurable |
Metadata Storage | MongoDB / PostgreSQL | Not configurable |
Identity Management | Pre-built IDAM (Keycloak) | OpenID Connect or SAML |
Infrastructure | K8s cluster with region selection | Any K8s cluster: RedPill Linpro (Sweden), GCP, AWS or Azure |
Additional Features
The additional capabilities of iGrant.io Organisation Wallet include:
Multi-Tenancy with Self-Service Capability: The wallet hosts multiple organisations within a single instance while keeping their data private and segregated. It provides a self-service interface for managing credential issuance and verification.
Interoperability: Integrates with existing systems and supports data portability across platforms that implement OpenID4VCI/OpenID4VP (JWT/SD-JWT) and the Aries RFCs.
Support for Multiple EAAs: A modular architecture lets new EAA types be added without significant changes to the system.
Support for Multiple Trust Anchors: The wallet supports multiple trust registries, both ledger-based and non-ledger. Supported registries include the European Blockchain Service Infrastructure (EBSI), IDUnion, Sovrin and NordXDataspace (Hyperledger Indy ledgers), as well as the EU Trusted Lists published per ETSI TS 119 612.
Webhook Support: Real-time notifications of wallet workflow events let integrating systems react to issuance and verification events as they happen.
Security and Data Privacy: All EAAs will be protected by cryptographic functions that comply with SOG-IS/BSI CSP2 security standards, keeping user data secure in transit and at rest. Privacy considerations will adhere to the eIDAS 2.0 requirements for unobservability and unlinkability.
Flexible Key Management Options
iGrant.io Secure Vault: A default option where iGrant.io manages key storage and liability, ensuring a fully hosted and secure solution. Future support for a QTSP service is under consideration.
HashiCorp Vault: Allows customers to integrate their own key management system, with or without an HSM, moving key-storage liability to the organisation.
Use of QTSPs: Offers third-party QTSP integration via a value-added reseller (VAR) model, where key management and signing liabilities are transferred to the external provider chosen by the organisation.
Try it out
To explore our Organisation Wallet by iGrant.io, please contact support@igrant.io to gain access. Our team will assist you in setting up and navigating the features tailored for enterprise use.