Trust anchors, programmable
The trust anchor for every credential your system accepts.
Register the credential issuers you trust. Grant each one the VCTs they can issue. Every time a credential is presented, the verifier calls the registry — if you revoke an issuer, every system in your trust ecosystem stops accepting their credentials within seconds.
What Trust Registry does
Trust Registry is a standalone registry of Verifiable Credential issuers and the credential types (VCTs) each issuer is authorised to issue. Operators register issuers by DID or domain URL and grant them VCT permissions. When the Wallet Broker validates a credential, it queries the registry in real time to confirm the issuer is trusted for that VCT — no static allow-lists shipped with your verifier.
Flow
How a trust query flows
- Step 1
Operator registers an issuer via POST /registry/admin/issuers (DID or URL).
- Step 2
- Step 3
A background poller fetches the issuer's JWKS every 5 minutes.
- Step 4
Broker calls GET /registry/trust?issuer=...&vct=... during credential verification.
- Step 5
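To make the registry side of this flow concrete, here is an added example (not the Trust Registry's own code) of the data model the page describes: issuers keyed by DID or https URL, a per-VCT permission set on each issuer, revocation at issuer and VCT granularity, and an append-only audit log keyed to the fingerprint of the admin key that made each change. The endpoint paths in the comments are the ones named on the page; the class and method names, and the use of SHA-256 as the key fingerprint, are assumptions made for the example.

```python
"""In-memory model of a Trust Registry (added example, not the product's code).

Mirrors the two operations the page names:
  POST /registry/admin/issuers            -> register_issuer / grant_vct / revoke_*
  GET  /registry/trust?issuer=...&vct=... -> is_trusted
"""
import hashlib
import time
from dataclasses import dataclass, field


def key_fingerprint(admin_key: str) -> str:
    """Audit entries reference the admin key by fingerprint, never by value.
    SHA-256 truncated to 16 hex chars is an assumption for this example."""
    return hashlib.sha256(admin_key.encode()).hexdigest()[:16]


@dataclass
class Issuer:
    identifier: str                          # DID (e.g. did:web:...) or https:// URL
    vcts: set = field(default_factory=set)   # credential types this issuer may issue
    revoked: bool = False


@dataclass
class TrustRegistry:
    issuers: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # append-only; never edited in place

    def _record(self, admin_key: str, action: str, **details) -> None:
        """Every admin mutation is timestamped and tied to the key that made it."""
        self.audit_log.append({
            "ts": time.time(),
            "admin_key_fp": key_fingerprint(admin_key),
            "action": action,
            **details,
        })

    # --- admin API (POST /registry/admin/issuers) ---
    def register_issuer(self, admin_key: str, identifier: str) -> None:
        if not (identifier.startswith("did:") or identifier.startswith("https://")):
            raise ValueError("issuer must be a DID or an https:// domain URL")
        self.issuers.setdefault(identifier, Issuer(identifier))
        self._record(admin_key, "register_issuer", issuer=identifier)

    def grant_vct(self, admin_key: str, identifier: str, vct: str) -> None:
        self.issuers[identifier].vcts.add(vct)
        self._record(admin_key, "grant_vct", issuer=identifier, vct=vct)

    def revoke_vct(self, admin_key: str, identifier: str, vct: str) -> None:
        """Per-VCT scope: revoking one credential type leaves the others intact."""
        self.issuers[identifier].vcts.discard(vct)
        self._record(admin_key, "revoke_vct", issuer=identifier, vct=vct)

    def revoke_issuer(self, admin_key: str, identifier: str) -> None:
        """Issuer-wide revocation: the next trust query already returns False."""
        self.issuers[identifier].revoked = True
        self._record(admin_key, "revoke_issuer", issuer=identifier)

    # --- trust query (GET /registry/trust?issuer=...&vct=...) ---
    def is_trusted(self, identifier: str, vct: str) -> bool:
        issuer = self.issuers.get(identifier)
        return bool(issuer and not issuer.revoked and vct in issuer.vcts)


def walkthrough() -> list:
    """Constructed scenario: grant two VCTs, revoke one, then revoke the issuer."""
    reg = TrustRegistry()
    key, did = "admin-secret", "did:web:issuer.example"
    diploma, id_card = "https://example.org/vct/diploma", "https://example.org/vct/id-card"
    reg.register_issuer(key, did)
    reg.grant_vct(key, did, diploma)
    reg.grant_vct(key, did, id_card)
    decisions = [reg.is_trusted(did, diploma)]          # True
    reg.revoke_vct(key, did, diploma)
    decisions += [reg.is_trusted(did, diploma),          # False: only diploma revoked
                  reg.is_trusted(did, id_card)]          # True: id-card unaffected
    reg.revoke_issuer(key, did)
    decisions.append(reg.is_trusted(did, id_card))      # False: issuer revoked
    return decisions


if __name__ == "__main__":
    print(walkthrough())
```

The audit log stores only the key fingerprint, so an operator reviewing "who changed what" can correlate entries to a key without the log itself becoming a secret; a real deployment would also persist the log somewhere the admin key cannot truncate it.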
Standards
Standards Trust Registry speaks
JWK Set (RFC 7517)
JWKS endpoints for issuer public key distribution. Polled every 5 minutes for rotation.
DID identifiers
W3C DID Core identifiers and did:web for domain-bound issuers.
Trust query REST API
Simple, auditable JSON REST. No special wire format — curl works.
Append-only audit log
Every admin mutation is timestamped and keyed to the fingerprint of the admin key that made it.
Compliance
Instant revocation, auditable governance
You decide who is trusted. The registry records your decisions, signs them, and publishes them to every verifier in real time — with full audit trail.
- Per-VCT issuer scope — revoke an issuer for one credential type without affecting others
- Real-time revocation propagation — no broker restart, effective within seconds
- JWKS polling every 5 minutes — issuer key rotation is live without manual intervention
- Audit trail on every admin mutation — who, when, and what they changed
Integration
Point your broker at the registry — done
Set the broker's trust_registry_url to your registry instance. Manage issuers via curl or your admin tooling. When a credential arrives, the broker calls the registry — no code change in your verifier when you add or remove issuers.
- Admin API secured by X-Admin-Key header (rotate by revoking the key)
- Redis + database JWKS caching with fail-open on degradation
- Optional TSL (ETSI trust list) batch import for external trust frameworks
FAQ
Frequently asked
- What if the registry is down?
- The broker fails open — it logs a warning and treats the issuer as trusted for that request. This is deliberate: you don't want to lock users out of critical services during a registry outage. If you need fail-closed, switch the broker to a static trusted_issuers_json allow-list managed in your own version control.
- How does the registry know which issuers are legitimate?
- You tell it. The registry is a database with an admin API; it has no magic. An operator with the admin key decides which issuers are trusted. In production, pair this with manual vetting and/or an external trust framework (e.g. a government issuer list) that you import via a batch admin script.
- Can I revoke an issuer without restarting the broker?
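The Integration bullets and the first FAQ answer describe the verifier-side decision: query the registry at trust_registry_url and fail open when it is unreachable, or run fail-closed from a static trusted_issuers_json allow-list that never touches the registry, with JWKS results cached and served stale on a failed refresh. The following is an added example of that logic, not the Broker's own code. Only the setting names trust_registry_url and trusted_issuers_json, the 5-minute JWKS interval and the fail-open behaviour come from the page; the class and function names, the JSON shape of the allow-list (issuer to list of VCTs) and serving stale JWKS on fetch failure are assumptions for the example.

```python
"""Broker-side trust decision (added example, not the Broker's own code)."""
import json
import logging
import time

log = logging.getLogger("broker")


class RegistryUnavailable(Exception):
    """Raised by the registry client on timeout, connection failure or 5xx (assumed)."""


class BrokerTrustPolicy:
    def __init__(self, trust_registry_url=None, trusted_issuers_json=None,
                 registry_query=None, jwks_ttl_seconds=300):
        # Exactly one mode: live registry (fail-open) or static allow-list (fail-closed).
        if (trust_registry_url is None) == (trusted_issuers_json is None):
            raise ValueError("configure exactly one of trust_registry_url or trusted_issuers_json")
        self.trust_registry_url = trust_registry_url
        self.registry_query = registry_query      # callable(url, issuer, vct) -> bool (assumed)
        self.static_allow = json.loads(trusted_issuers_json) if trusted_issuers_json else None
        self.jwks_ttl = jwks_ttl_seconds          # page: polled every 5 minutes
        self._jwks_cache = {}                     # issuer -> (fetched_at, keys)

    def issuer_trusted(self, issuer: str, vct: str) -> bool:
        if self.static_allow is not None:
            # Fail-closed: an issuer or VCT missing from the list is rejected.
            return vct in self.static_allow.get(issuer, [])
        try:
            return bool(self.registry_query(self.trust_registry_url, issuer, vct))
        except RegistryUnavailable as exc:
            # Fail-open, as the page describes: warn and trust for this request.
            log.warning("trust registry unavailable (%s); failing open for issuer=%s vct=%s",
                        exc, issuer, vct)
            return True

    def issuer_keys(self, issuer: str, fetch_jwks, now=None) -> list:
        """Return the issuer's JWKS, refreshing after the TTL; on a failed refresh,
        serve the cached keys rather than rejecting every credential (assumed)."""
        now = time.time() if now is None else now
        cached = self._jwks_cache.get(issuer)
        if cached and now - cached[0] < self.jwks_ttl:
            return cached[1]
        try:
            keys = fetch_jwks(issuer)
        except Exception as exc:
            if cached:
                log.warning("JWKS refresh failed for %s (%s); serving cached keys", issuer, exc)
                return cached[1]
            raise                                  # nothing cached: cannot verify signatures
        self._jwks_cache[issuer] = (now, keys)
        return keys


def demo() -> dict:
    """Constructed scenario covering both modes and a registry outage."""
    def registry_up(url, issuer, vct):
        return issuer == "did:web:issuer.example" and vct == "vct-a"

    def registry_down(url, issuer, vct):
        raise RegistryUnavailable("timeout after 2s")

    live = BrokerTrustPolicy(trust_registry_url="https://registry.example", registry_query=registry_up)
    outage = BrokerTrustPolicy(trust_registry_url="https://registry.example", registry_query=registry_down)
    static = BrokerTrustPolicy(trusted_issuers_json='{"did:web:issuer.example": ["vct-a"]}')
    return {
        "live_known": live.issuer_trusted("did:web:issuer.example", "vct-a"),        # True
        "live_unknown": live.issuer_trusted("did:web:other.example", "vct-a"),       # False
        "outage_unknown": outage.issuer_trusted("did:web:other.example", "vct-a"),   # True (fail-open)
        "static_unknown": static.issuer_trusted("did:web:other.example", "vct-a"),   # False (fail-closed)
    }


if __name__ == "__main__":
    print(demo())
```

The outage case is the one to decide on deliberately: in registry mode an unknown issuer is accepted during an outage, which is exactly the trade-off the FAQ describes, so the warning it logs is worth alerting on rather than leaving in a log file.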
Ready to govern trust?
Request access to stand up your own Trust Registry and connect it to Broker.