Organisation Wallet Overview

The Organisation Wallet by iGrant.io enables legal persons (organisations) to act as issuer, holder, and verifier of verifiable credentials under the eIDAS 2.0 framework. It implements the European Union's Regulation (EU) No 910/2014 (eIDAS), as amended by Regulation (EU) 2024/1183 and Regulation (EU) 2024/2977, together with the latest Implementing Acts under the European Digital Identity (EUDI) Framework. The solution is available both as an on-premise deployment and as a Platform-as-a-Service (PaaS), with multi-tenant capabilities, making it suitable for applications that require the issuance or verification of credentials. It supports various types of credentials, including PID (Person Identification Data), LPID (Legal Person Identification Data), EAAs (Electronic Attribute Attestations), Payment Wallet Attestations, QEAAs (Qualified Electronic Attribute Attestations), and more.

Core Capabilities

The key functions of the issuer, holder (wallet unit), and verifier (relying party) roles are summarised below:

Issuer

Within an enterprise tenant, the iGrant.io Organisation Wallet acts as a credential issuer in line with the OpenID for Verifiable Credential Issuance (OpenID4VCI) protocol; see the developer documentation for the exact protocol version supported. The following key workflows are supported:

  • In-time and deferred credential issuance: pre-authorized code flow (with PIN) and authorization code flow with PKCE. iGrant.io supports these for automated batch or invitation-based credential issuance.

  • Dynamic credential issuance: enables an organisation to request additional proof before issuing a credential.

  • Webhook Support during Issuance: The Organisation Wallet supports webhook notifications throughout the credential issuance process, making it easy to integrate with enterprise systems and workflows. These webhooks provide real-time updates at key stages, for example, when a credential offer is sent, received by the wallet, issued, acknowledged by the holder, accepted into storage, or deleted. This event-based model gives organisations greater visibility and control over the full lifecycle of credential issuance, helping to automate actions or trigger business logic as needed. For implementation details and a complete list of supported events, refer to the webhooks documentation, specifically the issuer webhooks section.

  • Credential definitions for reusable configurations: Organisations can define credential definitions that are reusable across multiple issuances. These definitions follow the JSON Schema specification to enforce constraints on fields within a credential. In addition, organisations can configure visual branding, such as credential name, description, text color, background color, and logo. Credential definitions also allow selection of the output format, including IETF SD-JWT, ISO 18013-7 mdoc/mDL, or W3C VC (JWT), ensuring flexibility in how credentials are structured and delivered. Other configurations such as expiration date can also be defined to suit specific credential lifecycles and policies.

  • Credential Status Mechanism (Revocation): Organisations can configure the credential status mechanism at the time of defining the credential definition. The iGrant.io Organisation Wallet currently supports the IETF Token Status List (draft 10) and the W3C Verifiable Credentials Status List v2021, enabling effective revocation and status management for issued credentials.

  • Key and Trust Anchor Configuration: Organisations can configure the keys to be used for signing of credentials via the integrated Key Management Service. Additionally, they can choose the format for representing the trust anchor's public key identifier, such as did:key, did:ebsi, did:web, or JWK, ensuring compatibility with various ecosystems and trust frameworks.
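The IETF Token Status List named in the credential status bullet is a compact bit array that the issuer publishes and the verifier reads at the index carried in the credential's status claim. The following is an added example, not iGrant.io's code, that builds such a list and checks an index according to the draft's packing rules (least-significant bit first, zlib, unpadded base64url); it leaves out the signed Status List Token wrapper, whose signature and freshness a verifier must still validate before trusting the bits.

```python
import base64
import zlib

# Status values from the IETF Token Status List draft; with bits=1 only VALID/INVALID exist.
VALID, INVALID, SUSPENDED = 0x00, 0x01, 0x02


def encode_status_list(statuses, bits=1):
    """Pack per-credential statuses into a status_list claim ({"bits": n, "lst": ...}).

    Position i in `statuses` is the status of the credential whose `status` claim
    carries idx == i. Statuses are packed least-significant bit first, then the
    byte array is zlib-compressed and base64url-encoded without padding.
    """
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte = 8 // bits
    raw = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, status in enumerate(statuses):
        if not 0 <= status < (1 << bits):
            raise ValueError(f"status {status} does not fit in {bits} bit(s)")
        raw[idx // per_byte] |= status << (bits * (idx % per_byte))
    lst = base64.urlsafe_b64encode(zlib.compress(bytes(raw), 9)).rstrip(b"=")
    return {"bits": bits, "lst": lst.decode("ascii")}


def status_at(status_list, idx):
    """Return the status value stored for `idx` in a decoded status_list claim."""
    bits, lst = status_list["bits"], status_list["lst"]
    raw = zlib.decompress(base64.urlsafe_b64decode(lst + "=" * (-len(lst) % 4)))
    per_byte = 8 // bits
    if idx // per_byte >= len(raw):
        # An index beyond the list is unknown, not valid; refuse rather than default to VALID.
        raise IndexError(f"idx {idx} is outside the {len(raw) * per_byte}-entry status list")
    return (raw[idx // per_byte] >> (bits * (idx % per_byte))) & ((1 << bits) - 1)


def is_acceptable(status_list, idx, allow_suspended=False):
    """Verifier policy: accept VALID credentials, and SUSPENDED ones only if explicitly allowed."""
    status = status_at(status_list, idx)
    return status == VALID or (allow_suspended and status == SUSPENDED)
```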

Holder or Wallet Unit

Within an enterprise tenant, the iGrant.io Wallet Unit (WU) enables organisations to act as holders of verifiable credentials, much like individuals use personal wallets. As a key component of the iGrant.io Organisation Wallet architecture, the Wallet Unit enables entities, such as companies, institutions, or departments, to securely receive, store, and present digital credentials in a standards-compliant manner.

Organisational Wallet Units are used to:

In addition, the iGrant.io Organisation Wallet Unit can be integrated into a Natural Person Wallet that supports such integrations.

Verifier or Relying Party

Within an enterprise tenant, the iGrant.io Organisation Wallet Suite can function as a verifier, or Relying Party, enabling secure and standards-compliant validation of verifiable credentials through the OpenID for Verifiable Presentations (OpenID4VP) protocol. This allows enterprise systems to request and verify credentials held by individuals or organisations in a trusted and interoperable manner. The following key workflows are supported:

  • Receive and present credentials: Enables holders to securely respond to presentation requests using OpenID4VP, with support for selective disclosure and trusted credential formats.

  • Send and verify credentials: Allows verifiers or relying parties to define credential requirements, initiate verification requests, and validate received verifiable presentations in compliance with OpenID4VP standards.

  • Webhook Support during Verification: The Organisation Wallet also supports webhook notifications throughout the credential verification process, enabling seamless integration with enterprise systems acting as verifiers or relying parties. These webhooks provide real-time updates at key points, such as when a presentation request is sent, received by the holder, and when a presentation is acknowledged and processed. This event-driven approach provides enhanced visibility and automation throughout the verification workflow. For implementation details and a complete list of supported events, refer to the webhooks documentation, specifically the verifier webhooks section.

  • Presentation definitions for reusable verification requests: Organisations can define presentation definitions that are reusable across multiple verifications. These definitions follow the Presentation Exchange v2.0 specification to express the rules or constraints that must be satisfied by the credentials presented by the holder. Presentation definitions can include multiple input descriptors to request verification of several credentials in a single interaction. Additionally, organisations can configure branding such as name, description, text color, background color, and logo to tailor the user experience during the presentation request flow.
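A presentation definition with several input descriptors, as described above, is matched against the holder's credentials field by field. The following added example, not iGrant.io's code, uses a constructed Presentation Exchange v2.0 definition with two descriptors and a small matcher covering the dotted JSONPath subset and the type/const/pattern filter keywords; the credential types and claim names are hypothetical.

```python
import re

# Constructed example (not iGrant.io's own): a Presentation Exchange v2.0 definition
# with two input descriptors, one for a legal-person ID (LPID) credential and one for a
# company-registration attestation. Credential types and claim names are hypothetical.
PRESENTATION_DEFINITION = {
    "id": "lpid-and-registration",
    "input_descriptors": [
        {"id": "lpid", "constraints": {"limit_disclosure": "required", "fields": [
            {"path": ["$.vct"], "filter": {"type": "string", "const": "urn:example:lpid:1"}},
            {"path": ["$.legal_name"], "filter": {"type": "string"}}]}},
        {"id": "registration", "constraints": {"fields": [
            {"path": ["$.vct"], "filter": {"type": "string", "pattern": "^urn:example:registration"}},
            {"path": ["$.registration_number"], "filter": {"type": "string", "pattern": "^[0-9]{6}-[0-9]{4}$"}}]}},
    ],
}

_TYPES = {"string": str, "number": (int, float), "boolean": bool, "object": dict, "array": list}

def _lookup(doc, path):
    """Resolve the '$.key.subkey' JSONPath subset against a claims dict; returns (found, value)."""
    cur = doc  # assumes every path is rooted at "$." and uses dotted keys only
    for part in path[2:].split("."):
        if not isinstance(cur, dict) or part not in cur:
            return False, None
        cur = cur[part]
    return True, cur

def _matches_filter(value, flt):
    """Evaluate the JSON Schema keywords (type, const, pattern) used in field filters."""
    if "type" in flt and not isinstance(value, _TYPES[flt["type"]]):
        return False
    if "const" in flt and value != flt["const"]:
        return False
    return "pattern" not in flt or (isinstance(value, str) and re.search(flt["pattern"], value) is not None)

def field_satisfied(credential, field):
    """A field is met if any of its paths resolves to a value that passes the filter."""
    for path in field["path"]:
        found, value = _lookup(credential, path)
        if found and _matches_filter(value, field.get("filter", {})):
            return True
    return bool(field.get("optional", False))

def match_descriptors(definition, credentials):
    """Map each input descriptor id to the indexes of candidate credentials that satisfy all its fields."""
    return {d["id"]: [i for i, c in enumerate(credentials)
                      if all(field_satisfied(c, f) for f in d.get("constraints", {}).get("fields", []))]
            for d in definition["input_descriptors"]}
```

A verifier would run the same matching over the decoded claims of the received presentation before accepting it, rejecting any descriptor for which no credential qualifies.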

Deployment Options

Deployment Option: On-Premise

In the on-premise option, you can deploy the dockerised images on your local server or your own cloud.

Feature             | Default                           | Configurability
--------------------|-----------------------------------|----------------------------------------------------------------------------
Key Storage         | iGrant.io Secure Vault            | Configure own HSM-as-a-service; bring your own HSM; custom security key like FIDO2
Credential Storage  | Encrypted Storage (SQLite Cypher) | Bring your own credential storage
Metadata Storage    | MongoDB / PostgreSQL              | Not configurable
Identity Management | Pre-built IDAM (KeyCloak)         | OpenID Connect or SAML
Infrastructure      | Any K8s cluster: RedPill Linpro (Sweden), GCP, AWS or Azure |

Deployment Option: PaaS

In the platform-as-a-service option, the service is managed by iGrant.io with a certain level of configurability.

Feature             | Default                           | Configurability
--------------------|-----------------------------------|-------------------------------------------------------------
Key Storage         | iGrant.io Secure Vault            | Configure own HSM-as-a-service
Credential Storage  | Encrypted Storage (SQLite Cypher) | Not configurable
Metadata Storage    | MongoDB / PostgreSQL              | Not configurable
Identity Management | Pre-built IDAM (KeyCloak)         | OpenID Connect or SAML
Infrastructure      | K8s cluster with region selection | Any K8s cluster: RedPill Linpro (Sweden), GCP, AWS, or Azure

Additional Features

The additional capabilities of iGrant.io Organisation Wallet include:

  • Support Multi-Tenant with Self-Service Capability: The wallet supports multiple organisations within a single instance while ensuring data privacy and segregation. It provides a user-friendly self-service interface for credential issuance and verification management.

  • Interoperability: Seamlessly integrates with existing systems and supports data portability across different platforms supporting OpenID4VCI/OpenID4VP (JWT/SD-JWT) and Aries RFCs.

  • Support for Multiple EAAs: The wallet features a modular architecture that integrates various EAAs, seamlessly incorporating new types without significant system overhauls.

  • Support for Multiple Trust Anchors: The wallet supports multiple trust registries, both ledger-based and non-ledger. Supported ledger-based trust registries include the European Blockchain Service Infrastructure, the EU Trust List (as per ETSI TS 119 612), IDUnion, Sovrin, NordXDataspace (Indy), etc.

  • Webhook Support: This enables real-time notifications and automatic updates within digital wallet workflows, enhancing efficiency and user experience by instantly syncing transaction events.

  • Security and Data Privacy: All EAAs will be protected through cryptographic functions that comply with SOG-IS/BSI CSP2 security standards, ensuring user data remains secure in transit and at rest. The privacy considerations will adhere to the eIDAS2 requirements, addressing the critical issues of unobservability and unlinkability.

Flexible Key Management Options

  • iGrant.io Secure Vault: A default option where iGrant.io manages key storage and liability, ensuring a fully hosted and secure solution. Future support for a QTSP service is under consideration.

  • HashiCorp Secure Vault: Allows customers to integrate their own key management systems, with or without an HSM, offloading key storage liability to the organisation.

  • Use of QTSPs: Offers third-party QTSP integration via a value-added reseller (VAR) model, where key management and signing liabilities are transferred to the external provider chosen by the organisation.

Try out

To explore our Organisation Wallet by iGrant.io, please contact support@igrant.io to gain access. Our team will assist you in setting up and navigating the features tailored for enterprise use.