
Configure Wallet Provider

To enable wallet providing, you must configure a wallet provider instance with three required sections: wallet instance attestation (or wallet app attestation), wallet unit attestation, and wallet registration policy.

Minimal configuration

Here's the minimum required configuration to enable wallet provider functionality:

walletProvider:
  PROCIVIS_ONE: # Instance name (choose any name)
    type: PROCIVIS_ONE # Must be exactly "PROCIVIS_ONE"
    display: walletProvider.procivisOne
    params:
      public:
        walletName: "My Wallet"
        walletLink: "https://example.com"
        walletRegistration: OPTIONAL
        walletAppAttestation:
          expirationTime: 86400
          integrityCheck:
            enabled: false
        walletUnitAttestation:
          expirationTime: 2678400
        deviceAuthLeeway: 60

The instance name (PROCIVIS_ONE in this example) can be any identifier you choose. However, the type field must be exactly PROCIVIS_ONE to invoke the correct provider implementation.

Wallet registration policy

The wallet registration policy controls whether wallets must register with the provider to obtain attestations.

walletRegistration: OPTIONAL

Policy options:

  • DISABLED - Wallets cannot register or obtain attestations
  • OPTIONAL - Wallets may register to obtain attestations but can function without them
  • MANDATORY - Wallets must register and obtain attestations to function

This setting is included in the wallet provider metadata retrieved by wallet apps from /ssi/wallet-provider/v1/{walletProvider}, allowing wallets to behave according to your policy.

Wallet Instance Attestation (WIA)

WIAs verify the integrity and authenticity of the wallet application.

Required fields:

walletAppAttestation:
  expirationTime: 86400 # Attestation validity in seconds
  integrityCheck:
    enabled: false # Set to true to enable platform verification
Note: "Wallet App Attestation" (WAA) was renamed to "Wallet Instance Attestation" (WIA) by the EU Architecture Reference Framework (ARF). Configuration values maintain the original term.

Integrity check

The integrityCheck block is required, and the integrity check is enabled by default. To disable it, set walletAppAttestation.integrityCheck.enabled: false.

walletAppAttestation:
  expirationTime: 86400
  integrityCheck:
    enabled: true
  android:
    bundleId: com.example.wallet
    signingCertificateFingerprints:
      - "FA:C6:17:..."
      - "G9:45:B1:..."
    trustedAttestationCAs:
      - "-----BEGIN CERTIFICATE-----\n..."
  ios:
    bundleId: com.example.wallet
    trustedAttestationCAs:
      - "-----BEGIN CERTIFICATE-----\n..."
    enforceProductionBuild: true # Excludes debug / development builds

When enabled, the system validates:

  • Certificate chains against trusted platform certificate authorities
  • App bundle identifiers match configured values
  • (iOS) Apps are production builds if enforceProductionBuild is true

Wallet unit attestation

Wallet unit attestation verifies cryptographic keys generated by wallet instances.

Required fields:

walletUnitAttestation:
  expirationTime: 2678400 # Attestation validity in seconds

Revocation support

To enable attestation revocation:

walletUnitAttestation:
  expirationTime: 2678400
  revocationMethod: TOKENSTATUSLIST # Must match the name of a revocation provider with type `TOKENSTATUSLIST`

Without a revocation method configured, unit attestations cannot be revoked and are valid until they expire.

Optional configurations

EUDI Wallet metadata

Include general_info according to EUDI Wallet technical specifications:

eudiWalletInfo:
  providerName: "Example Provider"
  solutionId: "EXAMPLE_PROVIDER"
  solutionVersion: "1"
  wscdType: HYBRID

App version requirements

Enforce minimum app versions and block specific releases:

appVersion:
  minimum: "v1.50.0" # Required minimum version. Earlier versions are blocked
  minimumRecommended: "v1.60.0" # Recommended minimum version. End users are suggested to update the app
  reject: # Explicitly blocked versions. This is useful if, for example, a version has a known security issue
    - "v1.51.3"
    - "v1.51.4"
  updateScreen:
    link: "https://example.com/update" # URL for version update information

The wallet app retrieves this information from /ssi/wallet-provider/v1/{walletProvider} to enforce version requirements and recommendations.
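
How a client could evaluate these fields, as an added example that is not Procivis code. It assumes versions are "v"-prefixed dotted integers compared numerically and that an unreadable version is blocked; the function names and outcome strings are hypothetical.

```python
# Added example: evaluates the appVersion policy from the provider metadata.
# Assumption: versions are "v"-prefixed dotted integers compared numerically.

def parse_version(text):
    """Turn "v1.51.3" into (1, 51, 3); raise ValueError on anything else."""
    body = text.strip()
    body = body[1:] if body.startswith("v") else body
    parts = body.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # "v1.60" compares equal to "v1.60.0"

def check_app_version(installed, policy):
    """Return "BLOCKED", "UPDATE_RECOMMENDED" or "OK" (hypothetical names)."""
    try:
        current = parse_version(installed)
    except ValueError:
        return "BLOCKED"  # assumption: fail closed on an unreadable version
    # An explicit reject entry blocks a release even if it is above `minimum`.
    if current in {parse_version(v) for v in policy.get("reject", [])}:
        return "BLOCKED"
    minimum = policy.get("minimum")
    if minimum and current < parse_version(minimum):
        return "BLOCKED"
    recommended = policy.get("minimumRecommended")
    if recommended and current < parse_version(recommended):
        return "UPDATE_RECOMMENDED"
    return "OK"

# Constructed policy, same values as the appVersion block above.
POLICY = {
    "minimum": "v1.50.0",
    "minimumRecommended": "v1.60.0",
    "reject": ["v1.51.3", "v1.51.4"],
    "updateScreen": {"link": "https://example.com/update"},
}

if __name__ == "__main__":
    for v in ["v1.49.9", "v1.51.3", "v1.51.5", "v1.60.0", "v1.9.0", "garbage"]:
        print(v, check_app_version(v, POLICY))
```

Comparing parsed integers rather than strings matters here: as text, "v1.9.0" sorts after "v1.50.0" and would slip past the minimum.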

Complete configuration example

Here's a fully configured wallet provider with all features enabled:

walletProvider:
  PROCIVIS_ONE:
    type: PROCIVIS_ONE
    display: walletProvider.procivisOne
    params:
      public:
        walletName: "Example Wallet"
        walletLink: "https://example.com"
        walletAppAttestation:
          integrityCheck:
            enabled: true
          expirationTime: 86400
          android:
            bundleId: com.example.wallet
            signingCertificateFingerprints:
              - "FA:C6:17:45:DC:50:D6:..."
            trustedAttestationCAs:
              - "-----BEGIN CERTIFICATE-----\n..."
          ios:
            bundleId: com.example.wallet
            trustedAttestationCAs:
              - "-----BEGIN CERTIFICATE-----\n..."
            enforceProductionBuild: true
        walletUnitAttestation:
          expirationTime: 2678400
          revocationMethod: TOKENSTATUSLIST
        eudiWalletInfo:
          # EUDI wallet metadata
        appVersion:
          minimum: "v1.50.0"
          minimumRecommended: "v1.60.0"
          reject:
            - "v1.51.3"
          updateScreen:
            link: "https://example.com/update"
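
A pre-deployment check over the security-relevant settings described on this page (registration policy, integrity check, revocation), as an added example that is not Procivis code. It takes the already-parsed `public` params as a dict and accepts the `android`/`ios` blocks either beside or inside `integrityCheck`; the function name, finding texts and fingerprint format (colon-separated hex pairs) are assumptions.

```python
import re

# Added example: audits parsed wallet provider `public` params (a dict).
# Function name and finding texts are hypothetical, not product output.
HEX_PAIRS = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$")  # assumed fingerprint format

def audit(public):
    findings = []
    if public.get("walletRegistration") not in ("DISABLED", "OPTIONAL", "MANDATORY"):
        findings.append("walletRegistration: not DISABLED, OPTIONAL or MANDATORY")
    waa = public.get("walletAppAttestation", {})
    check = waa.get("integrityCheck", {})
    if check.get("enabled", True) is False:  # the check is enabled by default
        findings.append("integrityCheck: disabled, app integrity is not verified")
    else:
        # Accept the platform blocks beside or inside integrityCheck.
        blocks = {p: waa.get(p) or check.get(p) for p in ("android", "ios")}
        if not any(blocks.values()):
            findings.append("integrityCheck: enabled but no android or ios block")
        for platform, block in blocks.items():
            if not block:
                continue
            if not block.get("bundleId") or not block.get("trustedAttestationCAs"):
                findings.append(f"{platform}: bundleId or trustedAttestationCAs missing")
            for fp in block.get("signingCertificateFingerprints", []):
                if not HEX_PAIRS.match(fp):
                    findings.append(f"{platform}: malformed fingerprint {fp}")
            if platform == "ios" and block.get("enforceProductionBuild") is not True:
                findings.append("ios: enforceProductionBuild is not true")
    wua = public.get("walletUnitAttestation", {})
    if not wua.get("revocationMethod"):
        # Without revocation, an issued attestation lives for the full expirationTime.
        days = wua.get("expirationTime", 0) / 86400
        findings.append(f"walletUnitAttestation: no revocationMethod, valid up to {days:g} days")
    return findings

# Constructed input mirroring the minimal configuration on this page.
MINIMAL = {
    "walletRegistration": "OPTIONAL",
    "walletAppAttestation": {"expirationTime": 86400, "integrityCheck": {"enabled": False}},
    "walletUnitAttestation": {"expirationTime": 2678400},
}

if __name__ == "__main__":
    for finding in audit(MINIMAL):
        print("WARN", finding)
```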