Changelog

See the most recent changes in Paradym.

New webhook events

April 22, 2026

Enhancement

We've added two new webhook events that provide an additional way to handle certain alerts that would otherwise be sent automatically by e-mail:

  • certificate.renewal.required for when a certificate is due for renewal.
  • trustedEntity.etsiLote.update.failed for when an ETSI LoTE update has failed.

Activity analytics in overview page

April 8, 2026

New feature
A screenshot showing the activity analytics in the dashboard overview page.

We've added activity analytics to the overview page, giving you better insight into how your project is performing.

  • View the total number of transactions across your project
  • Monitor the success rate of those transactions
  • Get a clear visual breakdown of transaction activity over time

These analytics help you quickly understand usage patterns, monitor performance, and identify potential issues at a glance.


Fixed an issue with removing a CSR

April 2, 2026

Bug fix

Fixed an issue where removing a CSR would remove the associated signing key, even if the CSR had already reached the imported status. It now only removes the associated signing key if the CSR has not yet reached the imported status.


Support for ETSI Lists of Trusted Entities (LoTEs)

April 1, 2026

New feature, Custom Tier

With this release, we are adding experimental support for ETSI Lists of Trusted Entities (LoTEs).

A LoTE is a digitally signed list of trusted entities, published as part of the European Digital Identity (EUDI) trust framework. Instead of manually adding individual X.509 certificates for each trusted entity, you can point to a LoTE URL and Paradym will automatically fetch the list, verify its signature, and extract the certificates it contains. Read more about how this feature works in our documentation.

This feature is based on standards that are still in development and is therefore experimental. It is subject to change, so please use it with caution.


Fixed cross-project Trusted Issuer reference in Presentation Template

March 26, 2026

Bug fix

Fixed an issue where you could link Trusted Issuers from a different project to a Presentation Template using the API.

There have been no cross-project usages.


New request retrieved state for OpenID4VC Verification sessions

March 13, 2026

New feature

OpenID4VC Verification sessions now have a new requestRetrieved state, allowing you to react to the user having retrieved the verification request.

This can be useful if you want to hide the deeplink or QR code after it has been clicked/scanned, to prevent the user from scanning it multiple times.

The new state value can be subscribed to through webhooks using the new openid4vc.verification.requestRetrieved event. You can read more in the webhooks documentation. If you want to use the new event but only subscribe to specific events for your webhooks, you should update the webhook to also listen to the new request retrieved event.


Support custom length hash algorithm for imported X.509 certificates

March 10, 2026

New feature

You can now import X.509 certificates where the hash algorithm uses a different length than the key size. This means you can import an X.509 certificate with a P-256 key that is signed using ECDSA with SHA-384 or SHA-512 hashing algorithms. ECDSA certificates signed by Paradym will still always use ECDSA with SHA-256 when using the P-256 key type.


OpenID4VC Deferred Issuance

March 9, 2026

New feature

With this release, we are expanding the OpenID4VC Issuance capabilities when using an Attribute Provider. The Attribute Provider can now defer the issuance of a credential, in case it is not ready yet. For more information, please check the Attribute Providers documentation.


Introducing pre-made templates for verification

March 5, 2026

New feature
A screenshot showing the new pre-made presentation templates in the dashboard.

To make getting started with verifications easier, we've added pre-made presentation templates for verifying Person Identification Data (PID) and Mobile Driving Licences (mDL).

You can select these templates directly from the dashboard when creating a presentation template, and adjust the requested attributes to fit your use case.


OpenID4VC Verification Request and Issuance Offer Expiration Time

February 25, 2026

Enhancement

The default expiration time for OpenID4VC verification requests and issuance offers has been increased from 5 to 15 minutes.

For both cases, you can now optionally provide an expiration time using the new expirationInMinutes field when creating a verification request or credential offer.


Support for intermediate certificates in imported certificate chains

February 23, 2026

New feature

When importing an externally signed certificate for a Certificate Signing Request, you can now include intermediate certificates that form part of the certificate chain. This allows you to work with certificate authorities that use multi-level PKI hierarchies, where the leaf certificate is not directly signed by the root certificate.

Intermediate certificates can be provided via the parentCertificates field when importing a certificate through the API. When importing a certificate through the dashboard, they can be provided as a PEM-encoded chain in the certificate field. The certificates should be ordered from leaf-adjacent to root-adjacent. Any root certificate included in this list will be ignored.

To learn more, please check out the Certificates documentation.


Introducing Authorization Servers and Attribute Providers

February 19, 2026

New feature

With this release, we're introducing two new features that allow you to integrate your OpenID4VC issuance flow with existing systems: Authorization Servers, and Attribute Providers.

Authorization servers are external OAuth 2.0 servers that you can integrate with Paradym to add an additional layer of authentication during the credential issuance process. When an authorization server is configured, users must authenticate with that OAuth 2.0 server before they can receive their credentials. This allows you to gate credential issuance behind your own authentication system or a third-party identity provider.

Attribute providers are external HTTPS endpoints that Paradym can call during OpenID4VC issuance to fetch attribute values for a credential. This lets you keep your source of truth in existing systems and populate credentials dynamically, instead of sending all attribute values when creating an offer. This avoids storing any attribute data in Paradym at all.

To learn more about these features, please check out the Authorization Servers and Attribute Providers documentation.


Localization support for credentials, attributes, and profiles

February 18, 2026

New feature, Pro Tier
Localization interface showing credential name and description in multiple languages

Paradym now supports full localization for credential templates, attributes, and issuer/verifier profiles. You can provide translations in multiple locales to improve the user experience across different regions.

With localization support, you can translate:

  • Credential template names and descriptions: Display credential types in the user's preferred language (e.g., "University Degree" / "Universitair Diploma")
  • Credential attributes: Translate individual claim names (e.g., "First Name" / "Voornaam")
  • Issuer and verifier display names: Show your organization's name in multiple languages

All localized metadata is automatically included in OpenID4VCI issuer and OpenID4VP verifier metadata, allowing wallets to detect and display content in the user's language without additional configuration.

Localization is supported for SD-JWT VC and mDoc credentials. You can configure a default locale on your profile, and add translations for over 80 supported languages using BCP47 language tags (e.g., "nl-NL", "de-DE", "fr-FR").

To start using localization, check out the Localization documentation or configure it through the API or dashboard when creating or updating credential templates and profiles.


Removal of deprecated `did` property from project profile

February 18, 2026

Breaking change

The deprecated did property has been removed from the project profile API response. This property was deprecated over a year ago.

All DIDs associated with your project can be queried through the DIDs API.


New offer retrieved state for OpenID4VC Issuance session

February 13, 2026

New feature

OpenID4VC Issuance sessions now have a new offerRetrieved state, allowing you to react to the user having retrieved the credential offer.

This can be useful if you want to hide the deeplink or QR code after it has been clicked/scanned, to prevent the user from scanning it multiple times.

The new state value can be subscribed to through webhooks using the new openid4vc.issuance.offerRetrieved event. You can read more in the webhooks documentation. If you want to use the new event but only subscribe to specific events for your webhooks, you should update the webhook to also listen to the new offer retrieved event.


Fixed the creation and revocation of API Keys

February 3, 2026

Bug fix

A few issues have been fixed that were preventing users from creating and revoking API Keys.


Added `alg` parameter to OpenID4VP encryption keys

February 3, 2026

Bug fix, Enhancement

Encryption keys in the client_metadata.jwks.keys array of OpenID4VP authorization requests now contain the alg parameter (ECDH-ES) when encryption is enabled on a request. This helps wallet implementations find the correct key for encryption.


Resolved an issue where mediator events were not correctly delivered

January 23, 2026

Bug fix

An issue has been resolved where mediator events were not correctly delivered from the mediator instance to the Paradym webhook sender, which resulted in mediated DIDComm messages not being delivered correctly.


Custom capabilities for certificate signing requests

January 20, 2026

New feature

To better integrate with external certificate authorities, Paradym now supports defining the required capabilities when creating a certificate signing request. The certificate signing request will be adjusted based on the capabilities, and validated against the requested capabilities when the certificate is imported.

Currently, only a single capability, signMdl, is supported. It can only be used for issuerSignCredential certificates and is enabled by default for this certificate type.

The signMdl capability enables signing ISO 18013-5 mDLs, and ensures the mdlDS extended key usage is present in the certificate signing request and imported certificate. When this capability is enabled, the imported certificate must adhere to Document Signer Certificate requirements as defined in ISO 18013-5 Table B.3.

This capability only covers signing mDLs. Without this capability on the certificate, you cannot issue mDLs. ISO 23220-4 is a pending standard that defines generic mDoc signing capabilities, and introduces a new mdocDS extended key usage. In the future an additional capability will be added for this, which will impact non-mDL signing.


Support for Version 1 of OpenID for Verifiable Credentials protocols

January 14, 2026

New feature, Enhancement, Bug fix

Paradym now supports version 1 of the OpenID for Verifiable Credentials suite of specifications.

Existing projects will keep using the existing version (from now on called "legacy"), which is based on draft 21 of the OpenID for Verifiable Presentations specification, and drafts 11 through 14 of the OpenID for Verifiable Credential Issuance specification.

New projects will automatically be configured to use version 1. The OpenID4VC version can be changed on a per project basis in the dashboard under Settings → Profile. Old projects can also be upgraded by updating the configuration.

Upgrading to V1 of OpenID4VC is a one-time operation, and cannot be reverted. If migration is not possible but you already want to use V1, you can create a new project. In the future all legacy projects will be migrated to V1.

Some notable changes when updating to V1 of OpenID4VC:

  • Response encryption is enabled by default for OpenID4VP. Previously, this was only the case when requesting mDocs.
  • SD-JWT VCs and associated Token Status Lists signed with X509 certificates do not include an iss field anymore.
  • SD-JWT VCs, associated Token Status Lists, and OpenID4VP requests signed with an X509 certificate do not include the root certificate in the x5c header anymore to adhere to HAIP requirements.
  • OpenID4VP requests signed with an X509 certificate now use the x509_hash client id prefix instead of the x509_san_dns to adhere to HAIP requirements.
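
As an added example (not Paradym's code), this is the check a wallet can run on a V1 request that uses the x509_hash prefix: per OpenID4VP 1.0, the part after the prefix is the base64url-encoded SHA-256 hash of the DER-encoded leaf certificate in the x5c header. The function names and the byte strings standing in for certificates are constructed for illustration; verifying the request signature and validating the chain against a trust anchor are separate steps not shown.

```python
import base64
import hashlib
import hmac

PREFIX = "x509_hash:"  # client id prefix named in the changelog entry above


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as used in client identifiers."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def expected_client_id(leaf_der: bytes) -> str:
    """x509_hash client id: prefix + base64url(SHA-256(DER of leaf certificate))."""
    return PREFIX + b64url_nopad(hashlib.sha256(leaf_der).digest())


def check_request_binding(client_id: str, x5c: list[str]) -> tuple[bool, str]:
    """Check a request's client_id against the leaf certificate in its x5c header."""
    if not client_id.startswith(PREFIX):
        return False, "client_id does not use the x509_hash prefix"
    if not x5c:
        return False, "x5c header is empty"
    try:
        # x5c entries are standard base64 (not base64url) DER, leaf first.
        leaf_der = base64.b64decode(x5c[0], validate=True)
    except (ValueError, TypeError):
        return False, "x5c[0] is not valid base64"
    expected = expected_client_id(leaf_der).encode("utf-8")
    # Compare as bytes so non-ASCII input cannot raise in compare_digest.
    if not hmac.compare_digest(client_id.encode("utf-8"), expected):
        return False, "client_id does not match the hash of the x5c leaf"
    return True, "ok"


# Constructed sample: opaque bytes stand in for DER certificates, since the
# check hashes the encoded certificate and does not need to parse it.
LEAF = b"constructed-leaf-certificate-der"
INTERMEDIATE = b"constructed-intermediate-certificate-der"
X5C = [base64.b64encode(c).decode("ascii") for c in (LEAF, INTERMEDIATE)]

if __name__ == "__main__":
    print(check_request_binding(expected_client_id(LEAF), X5C))
    print(check_request_binding(expected_client_id(INTERMEDIATE), X5C))
    print(check_request_binding("x509_san_dns:verifier.example", X5C))
```

A client_id derived from any certificate other than x5c[0], including an intermediate from the same chain, is rejected.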

Bugfixes and improvements

  • Fixed an issue for mDoc credentials where validityInfo.validUntil was encoded as string instead of tdate.