Skip to main content

Direct Issue into a Wallet

This guide explains how to issue a verifiable credential directly into a Business Wallet, without the holder having to scan a QR code or tap Accept. The credential simply appears in the wallet.

A typical use case is the direct issuance of a credential by a trusted party you have authorized to add credentials to your wallet, for example the Tax Authority. With the Tax Authority registered as a trusted contact, it can deliver new credentials to your Business Wallet as soon as they become available, without any action on your part.

When to use it

The standard issuance flow is attended: you start an issuance, the holder is redirected to their wallet (or scans a QR code), and they explicitly accept the credential over the OpenID4VCI protocol.

Direct issue is unattended. It is the right choice when:

  • You are provisioning a wallet you control or just created (e.g. during onboarding) and there is no human present to accept a QR code.
  • The issuer and the wallet belong to the same trust domain, and an explicit accept step adds friction without adding value.
  • You want the credential to be present the moment the user first opens their wallet.
Direct issue requires explicit trust

A credential can only be pushed into a wallet unattended if the issuer has first been registered in that wallet as a trusted contact with direct issue allowed. Without that, the credential is accepted and then immediately discarded by the wallet. See Trusted Contacts.

The three building blocks

Direct issue combines three pieces. Read them in order:

  1. Trusted Contacts: register the issuer's DID in the target wallet and flag it as allowed to issue directly. This is the security gate that makes unattended issuance safe.
  2. Issue Directly to a Wallet: the two API calls that create a credential offer and push it into the wallet with directIssue=true.
  3. The Inbox: the attended alternative. When you push an offer without directIssue, it lands in the wallet's inbox for the user to accept later.

How it works end to end

The key difference from the standard flow is step three: instead of redirecting a browser or showing a QR code, you post the credential offer to the wallet's OIDC offer endpoint with directIssue=true. The wallet completes the OpenID4VCI exchange on the holder's behalf and, only if the issuer is trusted, retains the credential.