Flow Studio
# Trust Registry
How the engine determines which DIDs to trust as credential issuers — the ITrustRegistry interface, trust list management, and per-credential-type trust rules.
## ITrustRegistry

```csharp
public interface ITrustRegistry
{
    Task<bool> IsTrustedIssuerAsync(
        string issuerDid,
        string credentialType,
        string tenantId,
        CancellationToken ct = default);

    Task<IReadOnlyList<TrustedIssuer>> GetTrustedIssuersAsync(
        string credentialType,
        string tenantId,
        CancellationToken ct = default);
}

public record TrustedIssuer
{
    public string IssuerDid { get; init; } = default!;
    public string[] CredentialTypes { get; init; } = [];
    public string DisplayName { get; init; } = default!;
    public DateTimeOffset AddedAt { get; init; }
}
```
## Managing Trusted Issuers

Add a trusted issuer:

```http
POST /api/trust-registry/issuers
{
  "issuerDid": "did:web:kyb-registry.example.com",
  "credentialTypes": ["KYBVerificationCredential", "AMLCheckCredential"],
  "displayName": "Example KYB Registry",
  "tenantId": "tenant-acme"
}
```

Remove a trusted issuer:

```http
DELETE /api/trust-registry/issuers/did:web:kyb-registry.example.com?tenantId=tenant-acme
```
## Trust is Per-Credential-Type
A DID trusted for one credential type is not automatically trusted for others. This granularity prevents a trusted KYB issuer from issuing financial audit credentials that your workflow also accepts.
Tenant scoping: Trust registries are tenant-scoped. Each tenant maintains its own list of trusted issuers, so a DID trusted by Tenant A is not trusted by Tenant B. The `ITrustRegistry` implementation enforces this because every query requires a `tenantId`; a lookup that omits or mismatches the tenant cannot return a trusted result.
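The following is an added example, not Flow Studio's own implementation: a hypothetical in-memory `ITrustRegistry` that makes both rules on this page concrete (trust is granted per credential type, and the registry is partitioned by tenant), together with a small verification gate showing how a workflow step would consult it before accepting a presented credential. The `ITrustRegistry` and `TrustedIssuer` definitions are copied from the page; `InMemoryTrustRegistry`, its `AddTrustedIssuer`/`RemoveTrustedIssuer` helpers, `CredentialGate`, and the tenant `tenant-globex` are assumptions made for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;

// Interface and record as defined on this page.
public interface ITrustRegistry
{
    Task<bool> IsTrustedIssuerAsync(string issuerDid, string credentialType, string tenantId, CancellationToken ct = default);
    Task<IReadOnlyList<TrustedIssuer>> GetTrustedIssuersAsync(string credentialType, string tenantId, CancellationToken ct = default);
}

public record TrustedIssuer
{
    public string IssuerDid { get; init; } = default!;
    public string[] CredentialTypes { get; init; } = [];
    public string DisplayName { get; init; } = default!;
    public DateTimeOffset AddedAt { get; init; }
}

// Hypothetical in-memory registry (example code, not the product's own).
// Entries are keyed tenantId -> issuerDid, so a tenant can only ever see its own list.
public sealed class InMemoryTrustRegistry : ITrustRegistry
{
    private readonly ConcurrentDictionary<string, ConcurrentDictionary<string, TrustedIssuer>> _byTenant = new();

    // Mirrors POST /api/trust-registry/issuers: the tenant is part of the write, not implied.
    public void AddTrustedIssuer(string tenantId, TrustedIssuer issuer)
        => _byTenant.GetOrAdd(tenantId, _ => new())[issuer.IssuerDid] = issuer;

    // Mirrors DELETE /api/trust-registry/issuers/{did}?tenantId=...
    public bool RemoveTrustedIssuer(string tenantId, string issuerDid)
        => _byTenant.TryGetValue(tenantId, out var tenant) && tenant.TryRemove(issuerDid, out _);

    public Task<bool> IsTrustedIssuerAsync(string issuerDid, string credentialType, string tenantId, CancellationToken ct = default)
    {
        ct.ThrowIfCancellationRequested();
        // All three conditions must hold: right tenant, DID present, and the DID explicitly
        // listed for this credential type. Comparisons are ordinal so "KYB..." != "kyb...".
        bool trusted = _byTenant.TryGetValue(tenantId, out var tenant)
            && tenant.TryGetValue(issuerDid, out var entry)
            && entry.CredentialTypes.Contains(credentialType, StringComparer.Ordinal);
        return Task.FromResult(trusted);
    }

    public Task<IReadOnlyList<TrustedIssuer>> GetTrustedIssuersAsync(string credentialType, string tenantId, CancellationToken ct = default)
    {
        ct.ThrowIfCancellationRequested();
        IReadOnlyList<TrustedIssuer> result = _byTenant.TryGetValue(tenantId, out var tenant)
            ? (IReadOnlyList<TrustedIssuer>)tenant.Values
                .Where(i => i.CredentialTypes.Contains(credentialType, StringComparer.Ordinal))
                .ToList()
            : Array.Empty<TrustedIssuer>();
        return Task.FromResult(result);
    }
}

// Hypothetical gate a workflow step would call before trusting a presented credential.
public static class CredentialGate
{
    public static async Task<string> DecideAsync(ITrustRegistry registry, string tenantId, string issuerDid, string credentialType)
    {
        bool ok = await registry.IsTrustedIssuerAsync(issuerDid, credentialType, tenantId);
        return ok
            ? $"[{tenantId}] ACCEPT {credentialType} from {issuerDid}"
            : $"[{tenantId}] REJECT {credentialType} from {issuerDid} (issuer not trusted for this type in this tenant)";
    }

    public static async Task Main()
    {
        var registry = new InMemoryTrustRegistry();
        // Constructed registration matching the POST example on this page.
        registry.AddTrustedIssuer("tenant-acme", new TrustedIssuer
        {
            IssuerDid = "did:web:kyb-registry.example.com",
            CredentialTypes = ["KYBVerificationCredential", "AMLCheckCredential"],
            DisplayName = "Example KYB Registry",
            AddedAt = DateTimeOffset.UtcNow,
        });

        // Registered type in the registering tenant: accepted.
        Console.WriteLine(await DecideAsync(registry, "tenant-acme", "did:web:kyb-registry.example.com", "KYBVerificationCredential"));
        // Same DID, a type it was never registered for: rejected (per-credential-type rule).
        Console.WriteLine(await DecideAsync(registry, "tenant-acme", "did:web:kyb-registry.example.com", "FinancialAuditCredential"));
        // Same DID and type, a different tenant: rejected (tenant-scoping rule).
        Console.WriteLine(await DecideAsync(registry, "tenant-globex", "did:web:kyb-registry.example.com", "KYBVerificationCredential"));
        // After removal (the DELETE example), the original tenant no longer accepts it either.
        registry.RemoveTrustedIssuer("tenant-acme", "did:web:kyb-registry.example.com");
        Console.WriteLine(await DecideAsync(registry, "tenant-acme", "did:web:kyb-registry.example.com", "KYBVerificationCredential"));
    }
}
```

The design point worth noticing is that there is no "trust this DID for everything" path and no tenant-less lookup: the only way to get `true` out of `IsTrustedIssuerAsync` is an exact (tenant, DID, credential type) match, which is what keeps a KYB issuer from being accepted for an audit credential and keeps one tenant's trust decisions from leaking into another's.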