Direct Issue into a Wallet
This guide explains how to issue a verifiable credential directly into a Business Wallet, without the holder having to scan a QR code or tap Accept. The credential simply appears in the wallet.
A typical use case is the direct issuance of a credential by a trusted party you have authorized to add credentials to your wallet, for example the Tax Authority. With the Tax Authority registered as a trusted contact, it can deliver new credentials to your Business Wallet as soon as they become available, without any action on your part.
When to use it
The standard issuance flow is attended: you start an issuance, the holder is redirected to their wallet (or scans a QR code), and they explicitly accept the credential over the OpenID4VCI protocol.
Direct issue is unattended. It is the right choice when:
- You are provisioning a wallet you control or just created (e.g. during onboarding) and there is no human present to accept a QR code.
- The issuer and the wallet belong to the same trust domain, and an explicit accept step adds friction without adding value.
- You want the credential to be present the moment the user first opens their wallet.
A credential can only be pushed into a wallet unattended if the issuer has first been registered in that wallet as a trusted contact with direct issue allowed. Without that, the credential is accepted and then immediately discarded by the wallet. See Trusted Contacts.
The three building blocks
Direct issue combines three pieces. Read them in order:
- Trusted Contacts: register the issuer's DID in the target wallet and flag it as allowed to issue directly. This is the security gate that makes unattended issuance safe. The owner of the holder wallet can add the trusted contact via the UI or with the Create a trusted contact API.
- Issue Directly to a Wallet: the two API calls that
create a credential offer and push it into the wallet with
directIssue=true. - The Inbox: the attended alternative. When you push an offer without
directIssue, it lands in the wallet's inbox for the user to accept later.
How it works end to end
The direct issue flow (directIssue=true)
The key difference from the standard flow is step three: instead of redirecting a browser or
showing a QR code, you post the credential offer to the holder wallet's OIDC offer
endpoint with directIssue=true. The holder wallet then completes the OpenID4VCI exchange
against the issuer on the holder's behalf (resolve offer, token endpoint, credential
endpoint) and applies the trust check: if the issuer is a trusted contact with direct issue
allowed, the credential is created in the wallet; otherwise it is discarded.
Posting the same offer without directIssue=true is the attended path: the offer is
not pulled automatically but stored in the holder wallet's inbox for the user
to accept later.
The diagram above shows the directIssue=true flow only. In the inbox path the wallet does
not run the OpenID4VCI exchange at offer time. It stores just the credential offer URI
and no credential exists yet. The token and credential endpoint calls, and therefore the
trust check, are deferred until the user accepts the offer from the inbox.
The inbox flow (directIssue omitted)
When you post the offer without directIssue=true, the wallet stores the offer and waits.
The pull only happens later, when the user accepts the offer from the inbox.
Because the user explicitly accepts, the inbox flow has no automatic trust check: the user is the gate, applied before the pull rather than after it.