You only need this page if you’re using custom presentation templates. With presets, trust is described in
real-world terms (DIDs, x509 certs) directly inside the preset, and the platform handles tenant-side records for you.
Custom templates work at a lower level: they reference your tenant’s own trusted-entity records by id, which you
create and manage with the API on this page.
What a trusted entity is
A trusted entity is a named bundle of issuer identifiers (DIDs and/or x509 certificates), registered in your tenant under a single record id. It says: “from now on, when a template references entityent-acme, it means any of these issuers”.
cm7d9cq5600pwk3zq3kmpg8uc here) is scoped to your tenant. It’s not portable, not visible to other tenants, and only meaningful inside your own templates.
Two abstraction levels for trust
didx:me lets you express which issuers count as proof at two levels:- In a preset (the default). List issuers as real-world identifiers directly:
{ kind: "did", did: "did:web:..." }or{ kind: "x509", certificate: "-----BEGIN..." }. Presets are tenant-portable, so they can’t reference any tenant’s record ids. When a tenant uses the preset, the platform resolves each entry against that tenant’s own trusted-entity records (reusing existing ones or creating new ones as needed). - In a custom presentation template. List issuers as an array of trusted-entity record ids (
["ent-alpha", "ent-beta"]). The records have to exist in your tenant first. Using them directly is the explicit, lower-level path; presets work at a higher level and consumers of a preset don’t need to manage records themselves.
Create a trusted entity
Request fields
name
Your label for this bundle. Visible only inside your tenant. Choose something operational (“Trusted Government Issuers”, “SARB Test Environment”) rather than a marketing name. The wallet doesn’t show this; it shows the per-identifier name instead.
dids
A list of DID-based issuers. Each entry is { did, name }:
did. The DID the issuer publishes (e.g.did:web:sarb.gov.za).name. The human-readable label the wallet shows end users during consent. Choose a name an end user will recognise: “Department of Home Affairs”, not “doha-prod-1”.
certificates
A list of x509-certificate-based issuers, for issuers that operate via a traditional PKI chain (common for ISO 18013-5 mDLs). Each entry is { certificate, name }:
certificate. PEM-encoded certificate, including the-----BEGIN CERTIFICATE-----and-----END CERTIFICATE-----framing.name. Same wallet-visible label rule as for DIDs.
dids and certificates, or only one. At least one identifier must be supplied; an empty bundle trusts nothing.
Response
HTTP 201 Created. The response includes the assignedid. Capture this: it’s what you’ll pass to trustedIssuers in a custom presentation template.
List, fetch, update, delete
Updates replace the bundle entirely with the new payload. Deletes are forbidden if the entity is still referenced by a presentation template; remove or update the template’s
trustedIssuers first.
See the Trusted Entities API reference for full request/response schemas.
Lifecycle
- Key rotation. When an issuer rotates a signing key or certificate, update the trusted-entity record with the new identifier (and optionally remove the old one once you’ve stopped accepting credentials signed under it).
- Onboarding new issuers. Add new entries to an existing entity, or create a new entity if it represents a logically distinct trust group.
- Removing trust. Remove the relevant DID or certificate from the entity. Any pending verifications using the old identifier start failing.

