Setup
We will setup a Credential Status service inside of a tenant. If you don't have a tenant yet, you can learn how to create one here.
Currently, status credentials can be stored and made available via three types of external services:
CURL
Endpoint: /v1/{target}/resource-api/services/create | API Reference
AWS
Azure
Google
Configuration options vary based on the bucket's hosting environment and its access method.
AWS domain
CDN (custom domain)
s3-compatible registry
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"registry": {
"type": "aws",
"bucketName": "bucket-name",
"region": "region",
"accessKeyId": "s3-access-key-id",
"secretKey": "s3-secret-key"
}
}
}'
Body
{
"type": "credential-status",
"config": {
"registry": {
"type": "aws",
"bucketName": "bucket-name",
"region": "region",
"accessKeyId": "s3-access-key-id",
"secretKey": "s3-secret-key"
}
}
}
Body Parameters
type: credential-status - Specifies the type of service to create. In this case, it iscredential-status.config: object - Storage configurations for status credential service.registry: object - Defines registry & access credentials for chosen registry.type: aws - Indicates the type of registry, which isawsin this context.bucketName: string - The name of the AWS S3 bucket.region: string - The AWS region where the bucket is located.accessKeyId: string - (Optional) The access key ID for accessing the AWS S3 bucket.secretKey: string - (Optional) The secret access key for accessing the AWS S3 bucket.endpointUrl: string - (Optional) The URL of the S3-compatible registry bucket, e.g.https://s3-mock.com.
bucketUrl: string - (Optional) The URL of the registry bucket custom domain, e.g.https://custom-domain.com.
AWS access credentials are optional. If not provided, the default Credential Provider Chain will be executed, relying on AWS environment configuration (e.g. EC2 instance IAM role-provided credentials).
#tab2
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"registry": {
"type": "azure",
"bucketName": "bucket-name",
"connectionString": "connection-string"
}
}
}'
Body
{
"type": "credential-status",
"config": {
"registry": {
"type": "azure",
"bucketName": "bucket-name",
"connectionString": "connection-string"
}
}
}
Body Parameters
type: credential-status - Specifies the type of service to create. In this case, it iscredential-status.config: object - Storage configurations for status credential service.registry: object - Holds the details for the Azure registry configuration.type: azure - Indicates the type of registry, which isazurein this context.bucketName: string - The name of the Azure storage bucket.connectionString: string - The connection string used to access the Azure storage account.
bucketUrl: string - (Optional) The URL of the Azure storage bucket, specified ashttps://storage-name.blob.core.windows.net/bucket-name.
#tab3
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"registry": {
"type": "gcp",
"bucketName": "bucket-name",
"projectId": "project-id",
"serviceAccountKeyJson": {
"type": "service_account",
"project_id": "YOUR_PROJECT_ID",
"private_key_id": "YOUR_PRIVATE_KEY_ID",
"private_key": "-----BEGIN PRIVATE KEY-----
YOUR_PRIVATE_KEY
-----END PRIVATE KEY-----
",
"client_email": "YOUR_SERVICE_ACCOUNT_EMAIL",
"client_id": "YOUR_CLIENT_ID",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/YOUR_SERVICE_ACCOUNT_EMAIL",
"universe_domain": "googleapis.com"
}
}
}
}'
Body
{
"type": "credential-status",
"config": {
"registry": {
"type": "gcp",
"bucketName": "bucket-name",
"projectId": "project-id",
"serviceAccountKeyJson": {
"type": "service_account",
"project_id": "YOUR_PROJECT_ID",
"private_key_id": "YOUR_PRIVATE_KEY_ID",
"private_key": "-----BEGIN PRIVATE KEY-----
YOUR_PRIVATE_KEY
-----END PRIVATE KEY-----
",
"client_email": "YOUR_SERVICE_ACCOUNT_EMAIL",
"client_id": "YOUR_CLIENT_ID",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/YOUR_SERVICE_ACCOUNT_EMAIL",
"universe_domain": "googleapis.com"
}
}
}
}
Body Parameters
type: credential-status - Specifies the type of service to create. In this case, it iscredential-status.config: object - Storage configurations for status credential service.registry: object - Holds the details for the GCP registry configuration.type: gcp - Indicates the type of registry, which isgcpin this context.bucketName: string - The name of the GCP storage bucket.projectId: string - The ID of the GCP project.serviceAccountKeyJson: object - Contains the service account key details for accessing GCP.type: service_account - Specifies the type of accountproject_id: string - The project ID for the service account.private_key_id: string - The ID of the private key.private_key: string - The private key for the service account, specified in a PEM format.client_email: string - The email associated with the service account.client_id: string - The client ID for the service account.auth_uri: string - The URI for authentication.token_uri: string - The URI for token issuance.auth_provider_x509_cert_url: string - The URL for the authentication provider's certificate.client_x509_cert_url: string - The URL for the client certificate.universe_domain: string - The domain for the universe of the API.
bucketUrl: string - (Optional) The URL of the GCP storage bucket, specified ashttps://storage.cloud.google.com/bucket-name.
#tab4
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"registry": {
"type": "in-memory"
}
}
}'
Body
{
"type": "credential-status",
"config": {
"registry": {
"type": "in-memory"
}
}
}
::
Path Parameters
orgID: - When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is namedtest, your default Base URL will betest.enterprise-sandbox.walt.devwhen using the sandbox environment.target: resourceIdentifier - The target indicates the organization + tenant in which to create the new credential status service and the service's ID ({organizationID}.{tenantID}.[NewCredentialStatusServiceID]), e.g.waltid.tenant1.credential-status-service-id
Response Codes
201- Service created successfully.401- Invalid authentication.
Last updated on December 23, 2025