Building on Trusted Wallets, you can now require a key attestation when issuing a credential. A key attestation lets the wallet provider vouch for how the credential's key is protected, so you can limit issuance to keys that meet certain security requirements — as long as you trust the wallet provider.
Add a keyAttestations object to an SD-JWT VC or mDoc credential template (or use the new Key Attestation section in the credential template editor). Its presence means a key attestation is required, and you can optionally constrain two ISO 18045 levels:
{
"trustedWallets": ["<trusted-entity-id>"],
"keyAttestations": {
"keyStorage": ["iso_18045_high"],
"userAuthentication": ["iso_18045_moderate"]
}
}
keyStorage— the required attack potential resistance of the key storage.userAuthentication— the required resistance of the user authentication protecting the key.
Both lists are optional (you can require an attestation without constraining the levels), and levels are compared hierarchically so a stronger attested level satisfies a weaker requirement. Because the attestation signer is verified against your trusted wallets, keyAttestations requires at least one trustedWallets entry on the template.
This is non-breaking: templates without keyAttestations are unaffected and do not require a key attestation. See the Key attestations documentation for details.