Trusted Contacts
A trusted contact is an issuer that a wallet has explicitly authorised. It is the security gate that makes direct issue safe: a wallet will only keep a credential that was pushed in unattended if it came from an issuer registered as a trusted contact with direct issue allowed.
What a trusted contact is
Each trusted contact records:
| Field | Description |
|---|---|
| did | The DID of the issuer that is allowed to issue into this wallet. This is matched against the issuer of every directly-issued credential. |
| name | A human-readable name for the issuer, shown in the wallet. |
| directIssueAllowed | Whether this issuer may push credentials directly (unattended) into the wallet. Must be true for direct issue to succeed. |
A trusted contact always belongs to a single wallet: it authorises an issuer for that wallet only.
Register a trusted contact
Add a trusted contact to a wallet before issuing directly into it:
```http
POST /api/wallets/{walletExternalKey}/trusted-contacts
Content-Type: application/json

{
  "did": "did:web:wallet.credenco.com:issuer:credenco",
  "name": "Credenco",
  "directIssueAllowed": true
}
```
The response echoes the stored contact:
```json
{
  "id": 42,
  "did": "did:web:wallet.credenco.com:issuer:credenco",
  "name": "Credenco",
  "directIssueAllowed": true,
  "createdAt": "2026-06-07T10:15:30",
  "lastModifiedAt": "2026-06-07T10:15:30"
}
```
See the Create Trusted Contact API reference for the full schema and status codes.
Register the issuer DID, that is, the DID configured on the issuer template that mints the credential, and not the holder wallet's DID. When the wallet receives a directly-issued credential, it reads the credential's issuer (iss) and looks for a matching trusted contact.
How the trust check protects the wallet
The OIDC offer endpoint is reachable by any caller, so direct issue cannot rely on the caller's identity alone. Instead the wallet validates the credential after the unattended OpenID4VCI exchange completes:
- The credential offer is accepted unattended and a credential is issued into the wallet.
- The wallet extracts the issuer DID from the newly issued credential.
- It looks up the trusted contacts for that wallet and checks whether any of them matches the issuer DID and has directIssueAllowed = true.
- If a match is found, the credential is kept. If not, the credential is immediately deleted and never becomes visible to the holder.
This means the trust decision lives entirely with the receiving wallet. An issuer cannot force a credential into a wallet that has not opted in by registering it as a trusted contact.
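The keep-or-delete decision described above, sketched as an added example (not Credenco's code). It assumes a JWT-format credential whose signature has already been verified, exact string comparison of DIDs, and an in-memory contact store; `TRUSTED_CONTACTS`, `issuer_of`, `keep_direct_issued` and `make_sample_jwt` are hypothetical names.

```python
import base64
import json

# Constructed sample store: trusted contacts keyed by wallet external key.
TRUSTED_CONTACTS = {
    "wallet-a": [
        {"did": "did:web:wallet.credenco.com:issuer:credenco",
         "name": "Credenco", "directIssueAllowed": True},
        {"did": "did:web:example.org:issuer:attended-only",
         "name": "Attended only", "directIssueAllowed": False},
    ],
    "wallet-b": [],  # this wallet has not opted in to any issuer
}


def issuer_of(jwt_credential: str) -> str:
    """Return the iss claim of a JWT credential.

    Assumption: the signature was already verified against this issuer's
    keys; an unverified iss claim proves nothing.
    """
    payload_b64 = jwt_credential.split(".")[1]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["iss"]


def keep_direct_issued(wallet_key: str, jwt_credential: str) -> bool:
    """True = keep the credential, False = delete it before the holder sees it."""
    try:
        issuer = issuer_of(jwt_credential)
    except (IndexError, KeyError, ValueError, TypeError):
        return False  # malformed credential: fail closed
    # Contacts are scoped to one wallet; an unknown wallet has none.
    for contact in TRUSTED_CONTACTS.get(wallet_key, []):
        # Exact match on the full DID (assumed); the flag must be literally True.
        if contact["did"] == issuer and contact.get("directIssueAllowed") is True:
            return True
    return False


def make_sample_jwt(iss: str) -> str:
    """Build a constructed, unsigned JWT-shaped string for the demo only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc({'iss': iss})}.constructed-signature"
```

The cases worth exercising are the rejections: the same issuer pushed into a wallet that never registered it, a registered issuer with directIssueAllowed set to false, and a DID that merely starts with a trusted one.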
Next step
With the issuer registered as a trusted contact, you can issue a credential directly into the wallet.