Changelog

See the most recent changes in Paradym.

Revocation no longer re-signs status lists with an expired certificate

June 24, 2026

Bug fix

When you revoke a credential, Paradym updates and re-signs the status list that tracks its revocation state. Previously this could happen even when the status list was signed by an expired certificate, producing a status list with an invalid signature. Revocation now validates the issuer certificate first and ensures its not expired.


Automatic hosting of SD-JWT VC Type Metadata

June 24, 2026

New feature

Paradym now automatically generates and hosts an SD-JWT VC Type Metadata document for your SD-JWT VC credential templates. Wallets and verifiers can dereference a credential's vct (type) URL to retrieve a JSON document describing the credential's display information and claim structure, so they can render and validate credentials without relying on the OpenID4VCI issuance flow.

When you create or update an SD-JWT VC template with a Paradym-generated vct URL, Paradym builds the Type Metadata document from the template (name, description, branding, attributes and localization) and serves it at the vct URL. The document is re-published every time the template is saved, so it always stays in sync — including localization, which now flows into the metadata's display arrays.

If you supply your own custom vct, Paradym does not publish the document for you, but you can still retrieve the generated metadata to self-host it — either from the new Type Metadata section on the template detail page in the dashboard, or via the new API endpoint GET /v1/projects/{projectId}/templates/credentials/sd-jwt-vc/{credentialTemplateId}/type-metadata (see the API Reference).

Learn more in the new Credential Metadata guide.


Profile logos and credential backgrounds are now hosted on Paradym infrastructure

June 22, 2026

Enhancement

Profile logos and credential template background images are now automatically downloaded and re-hosted on Paradym's own infrastructure instead of being served directly from external URLs. This eliminates requests to arbitrary third-party domains when wallets render your credentials, improving both security and reliability.

What changed

  • When you set a project profile logo or a credential template background image via URL, Paradym fetches the image, validates it (JPEG and PNG only, max 1 MB), and stores a stable copy in the Paradym bucket.
  • The stored URL is immutable from the wallet's perspective — updating an image overwrites the same path, so existing deep links keep working.
  • Images are validated on upload: unsupported formats (SVG, GIF, WebP) and oversized files are rejected with a clear error.
  • Existing images up to 10 MB are downloaded, validated (JPEG/PNG only) and re-hosted by Paradym. If an image is larger than the regular 1 MB limit, it is compressed and re-encoded down to fit, so it keeps working without any action from you. Images larger than 10 MB cannot be migrated: their URL is unset, so you will need to upload a new image for your project profile or the credential template's background image.

No action is required unless one of your images was larger than 10 MB, in which case re-upload it from the dashboard.

Custom wallet settings moved to their own tab

The settings for the wallet shown on your invitation page, its display name and the Apple/Android application IDs used to render the App Store and Play Store buttons, have moved out of the Profile tab into a dedicated Custom Wallet tab under Settings.


Invitation links now use protocol deep links for better wallet interoperability

June 19, 2026

Enhancement

The QR code and Open in Wallet button on the invitation page now use the protocol deep link (openid-credential-offer://, openid4vp:// and didcomm://) instead of the Paradym universal link. This means an invitation can be opened by any wallet that supports the underlying protocol, rather than only the Paradym wallet, improving interoperability with third-party holder wallets.

If a recipient doesn't have a compatible wallet yet, the invitation page still links to the configured wallet's app store pages so they can download one.


New example templates for Age Verification and Photo ID

June 16, 2026

New feature

We've added new ready-to-use example templates to the documentation, complete with issuance and verification payloads:

  • Proof of Age as mDoc, based on the EU Digital Identity Wallet Age Verification specification (issuance / verification).
  • ISO 23220-4 Photo ID as mDoc, based on the ISO/IEC TS 23220-4 Photo ID profile (issuance / verification).

Open dashboard links from the docs without picking a project

June 16, 2026

Enhancement
The project selector shown after opening a dashboard link that contains a projectId placeholder.

Links to the dashboard in the documentation now use a __projectId__ placeholder instead of a fixed project. When you open such a link, Paradym shows a project selector that resolves the placeholder to the project you choose and takes you straight to the right page. If you only have a single project, the placeholder is resolved automatically and you're redirected without any extra step.


Open example payloads directly in the API Reference

June 16, 2026

Enhancement
A documentation code block showing the new "Open in Reference" button next to an example certificate payload.

The example payloads throughout the documentation now include an Open in Reference button. With one click you can open the corresponding endpoint in the API Reference with the example payload pre-filled, making it easier to try out the examples without copying anything by hand.


Revocable mDoc credentials

June 15, 2026

New feature

Paradym now supports revocable mDoc credentials. This allows you to invalidate an mDoc credential after is has been issued, as well as check the status of an mDoc credential during verification. To allow revocation on an mDoc credential, you must enable the revocable configuration option (in the dashboard or through the API). You can revoke a credential (or multiple) using the Batch Revocation endpoint.

You can read more about revocation in the new Revocation guide


Certificate revocation checks during verification

June 10, 2026

Enhancement

When verifying a credential, Paradym now checks the revocation status of the issuer's X.509 certificate chain against its Certificate Revocation List (CRL). If any certificate in the chain has been revoked, the verification fails and the credential is rejected, adding an extra layer of trust on top of the existent signature and validity checks.

If a certificate's CRL is temporarily unreachable, verification is not blocked, so transient network issues won't cause otherwise valid credentials to be rejected.


DPoP algorithm support in OpenID4VCI authorization server metadata

June 7, 2026

Enhancement

The OpenID4VCI authorization server metadata now advertises the supported DPoP signing algorithms: ES256, Ed25519, and EdDSA. This allows wallets to discover which algorithms are accepted before initiating a DPoP-protected credential issuance flow.