The "Untrusted Service Provider" notice
While using the iGrant.io Data Wallet you may see an "Untrusted Service Provider" notice when receiving a credential from an issuer, or when responding to a verifier. This page explains what the notice means, when it appears, and what you can do about it.
What it means
The "Untrusted Service Provider" notice is a trust status indicator. It means the credential's issuer (or, during a presentation, the verifier) could not be matched against a recognised trust list that the wallet validates against, primarily the EU Trust List (ETSI TS 119 612).
The notice does not mean the credential is invalid, fake, or cryptographically broken. The signature on the credential can be perfectly valid. The notice only means the wallet cannot independently confirm the party's identity against an authoritative trusted list, so it flags this for the user to make an informed decision.
When it appears
The notice can appear in either direction of a credential exchange:
- During issuance (OpenID4VCI): when a credential is offered by an issuer that the wallet cannot match to a trust list it validates against. This is common when evaluating credentials from an issuer other than iGrant.io's own issuer.
- During presentation (OpenID4VP): when a verifier requesting credentials cannot be matched to a trust list.
Trusted versus untrusted
The wallet's trust check is reflected in the API response for a flow. The two key fields are isVerifiedWithTrustList and trustServiceProvider.
| Wallet display | API state | Meaning |
|---|---|---|
| Trusted (verified provider details shown) | isVerifiedWithTrustList: true, trustServiceProvider populated | The issuer or verifier was matched against a configured trust list, and its verified trust service provider details are available. |
| Untrusted Service Provider | isVerifiedWithTrustList: false, trustServiceProvider empty | The issuer or verifier was not found on any trust list the wallet validates against. |
How to resolve it
If you are an integrator and want an issuer or verifier to be recognised rather than flagged, the entity needs to become discoverable through a trust mechanism the wallet validates against. The main options are:
- Be listed on an EU member state trusted list. Qualified and non-qualified trust service providers are published on national trusted lists aggregated through the European List of Trusted Lists (LoTL), as per ETSI TS 119 612. This is the primary path for EUDI scenarios.
- Onboard through a trust anchor. For the EBSI trust model, an entity is onboarded through the trust chain (Root Trust Anchor Operator, Trust Anchor Operator, Trusted Issuer). See the Trust Anchor APIs.
- Be added to a configured trust list. A deployment can configure the trust authorities and trust lists it validates against using the trust authority configuration endpoints.
Is this the same as a missing Trust Anchor definition?
Not exactly, although the two are related. The Trust Anchor APIs cover onboarding an entity into a trust framework such as EBSI. The "Untrusted Service Provider" notice is driven specifically by trust list recognition at the time of issuance or presentation. An issuer that has not been onboarded to a framework the wallet recognises, and that is not present on a trusted list the wallet validates against, will surface this notice. For a full explanation of the difference, see Trust in the Wallet Ecosystem.
The exact wording shown can differ slightly across wallet versions and platforms. The underlying meaning, that the party was not matched against a recognised trust list, is the same.