Issuer Verticals
The mwen.io issuer is designed for four types of credential-issuing organisations, each called a vertical. Each vertical has a distinct issuerCategory value, a set of credential schema templates, and a corresponding trust level that the wallet displays to users.
Overview
| Vertical | issuerCategory | trust_level | Wallet badge | Typical deployer |
|---|---|---|---|---|
| Government | "government" | "government" | Blue "Government" | Government agencies |
| Employer | "employer" | "verified-issuer" | Green "Employer Verified" | Enterprises, HR departments |
| Academic | "academic" | "verified-issuer" | Green "Accredited Institution" | Universities, colleges |
| Learning Platform | "learning-platform" | "verified-issuer" | Green "Verified Platform" | Online learning platforms |
The issuerCategory is set via the ISSUER_CATEGORY environment variable (or identity.category in issuer.config.yaml). It is embedded in every credential issued by your deployment.
Government
Government issuers hold the highest trust level in the mwen.io ecosystem. Credentials from a government issuer are displayed with a blue "Government" badge in the wallet and take priority over all other credential types when a relying party requests an identity proof.
Typical credentials:
| Schema | What it attests | Key claims |
|---|---|---|
| National ID | Legal identity, nationality | given_name, family_name, birth_date, national_id_number, nationality |
| Passport | International travel document | given_name, family_name, birth_date, passport_number, expiry_date, nationality |
| Driver's Licence | Authorisation to drive | given_name, family_name, birth_date, licence_number, categories, expiry_date |
| Residence Permit | Right to reside | given_name, family_name, birth_date, permit_number, valid_from, valid_until, permit_type |
Recommended identity adapter: MockGovernmentDBAdapter for development; connect a real government identity directory (e.g. national ID database, civil registry) in production via a custom adapter implementing IdentityVerificationAdapter.
Typical deployment model: Self-hosted. A government agency deploys one instance with their own did:web signing key tied to a government-controlled domain.
Employer
Employer credentials verify employment status, role, and access rights within an organisation. They carry the "verified-issuer" trust level and display a green "Employer Verified" badge.
Typical credentials:
| Schema | What it attests | Key claims |
|---|---|---|
| Employee Identity | Active employment | given_name, family_name, employee_id, department, job_title, start_date |
| Department Access | Physical or system access entitlement | employee_id, department, access_level, valid_until |
| Role Credential | Job role for SSO replacement | employee_id, job_title, department, permissions |
Recommended identity adapter: LDAPAdapter (Active Directory / OpenLDAP) or SCIMAdapter (Workday, Okta, any SCIM 2.0 HR system).
Typical deployment model: Self-hosted or SaaS. A large enterprise deploys self-hosted; a managed HR platform deploys SaaS to serve multiple employers.
Issuance pattern: Triggered by an LDAP/SCIM directory sync. The issuer diffs the directory state against currently-issued credentials and creates offers for new or updated employees. Each employee receives an offer by email and scans the QR code with their wallet.
Revocation: When an employee is offboarded, the issuer revokes their credentials via BitstringStatusList. The wallet detects the revocation status at next presentation.
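The sync-and-revoke flow described above, as an added example that is not the mwen.io issuer's own code. The record shapes, the `statusIndex` field and the one-live-credential-per-employee simplification are assumptions; the bit ordering follows the W3C Bitstring Status List specification.

```javascript
// Added example with hypothetical record shapes; not the mwen.io issuer's code.
const LIST_BITS = 131072; // minimum list length in the W3C Bitstring Status List spec

// Compare directory state with issued credentials: who needs an offer,
// and which status-list indexes must be flipped to "revoked".
function planSync(directory, issued) {
  const active = new Map(directory.filter((e) => e.active).map((e) => [e.employee_id, e]));
  const live = issued.filter((c) => !c.revoked);
  const byEmployee = new Map(live.map((c) => [c.employee_id, c]));
  const offers = [];
  for (const [id, emp] of active) {
    const cred = byEmployee.get(id);
    const changed = cred && (cred.department !== emp.department || cred.job_title !== emp.job_title);
    // What happens to a superseded credential is not stated on the page; it is left alone here.
    if (!cred || changed) offers.push(id);
  }
  // A live credential whose holder is disabled or missing in the directory is revoked.
  const revoke = live.filter((c) => !active.has(c.employee_id)).map((c) => c.statusIndex);
  return { offers, revoke };
}

// Index 0 is the left-most (most significant) bit of the first byte.
function setRevoked(bits, index) {
  if (!Number.isInteger(index) || index < 0 || index >= bits.length * 8) {
    throw new RangeError(`status index out of range: ${index}`);
  }
  bits[index >> 3] |= 0x80 >> (index & 7);
}
const isRevoked = (bits, i) => (bits[i >> 3] & (0x80 >> (i & 7))) !== 0;

// Constructed sample data: E101 is a new hire, E102 changed job title,
// E099 is disabled in the directory and E097 has been deleted from it.
const directory = [
  { employee_id: "E100", department: "Finance", job_title: "Analyst", active: true },
  { employee_id: "E101", department: "IT", job_title: "Engineer", active: true },
  { employee_id: "E102", department: "Sales", job_title: "Manager", active: true },
  { employee_id: "E099", department: "IT", job_title: "Admin", active: false },
];
const issued = [
  { employee_id: "E100", department: "Finance", job_title: "Analyst", statusIndex: 7, revoked: false },
  { employee_id: "E102", department: "Sales", job_title: "Rep", statusIndex: 8, revoked: false },
  { employee_id: "E099", department: "IT", job_title: "Admin", statusIndex: 9, revoked: false },
  { employee_id: "E097", department: "HR", job_title: "Clerk", statusIndex: 3, revoked: false },
];

function runSync() {
  const bits = new Uint8Array(LIST_BITS / 8);
  const plan = planSync(directory, issued);
  plan.revoke.forEach((i) => setRevoked(bits, i));
  return { plan, bits };
}
```

Treating both disabled and deleted directory entries as offboarded keeps a credential from outliving an account that was only deactivated.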
Academic
Academic credentials verify educational achievements. They carry the "verified-issuer" trust level and display a green "Accredited Institution" badge.
Typical credentials:
| Schema | What it attests | Key claims |
|---|---|---|
| University Diploma | Degree award | given_name, family_name, student_id, degree, major, graduation_date, institution |
| Academic Transcript | Grade record | given_name, family_name, student_id, institution, courses, gpa, graduation_date |
Recommended identity adapter: StudentRegistryAdapter (connect your student information system in production).
Typical deployment model: Self-hosted. A university deploys one instance per institution.
Issuance pattern: Batch issuance. The registrar uploads a graduate list. The issuer creates one credential offer per graduate and distributes the offers via email. Credentials are gated on StudentRegistryAdapter.verifyGraduation(): the adapter verifies eligibility before the issuer signs.
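One way to apply that gate to an uploaded list so that it fails closed, as an added example that is not the project's own code. The adapter object is a constructed stand-in, and the signature of `verifyGraduation` (a student ID in, a promise of a boolean out) is an assumption.

```javascript
// Added example; the adapter below is a constructed stand-in, and the
// signature of verifyGraduation (student_id -> Promise<boolean>) is assumed.
const registry = {
  graduates: new Set(["S-1001", "S-1002"]), // constructed sample data
  async verifyGraduation(studentId) {
    if (studentId === "S-1002") throw new Error("registry timeout"); // simulated outage
    return this.graduates.has(studentId);
  },
};

// Decide which rows of an uploaded graduate list may become credential offers.
// Anything the adapter does not positively confirm is rejected (fail closed).
async function gateBatch(rows, adapter) {
  const offers = [];
  const rejected = [];
  const seen = new Set();
  for (const row of rows) {
    const id = String(row.student_id || "").trim();
    if (!id) { rejected.push({ id, reason: "missing student_id" }); continue; }
    if (seen.has(id)) { rejected.push({ id, reason: "duplicate row" }); continue; }
    seen.add(id);
    let eligible = false;
    try {
      eligible = (await adapter.verifyGraduation(id)) === true;
    } catch (err) {
      // An adapter failure never counts as a pass; the row can be retried later.
      rejected.push({ id, reason: `adapter error: ${err.message}` });
      continue;
    }
    if (eligible) offers.push(id);
    else rejected.push({ id, reason: "not confirmed by registry" });
  }
  return { offers, rejected };
}

// Constructed upload: one graduate, one outage, one unknown ID, one duplicate.
const upload = [
  { student_id: "S-1001" }, { student_id: "S-1002" },
  { student_id: "S-9999" }, { student_id: "S-1001" },
];
```

Calling `gateBatch(upload, registry)` resolves with a single offer for S-1001 and three rejected rows, each carrying the reason it was held back.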
Learning Platform
Learning platform credentials verify course completions and professional certifications from online education providers. They carry the "verified-issuer" trust level and display a green "Verified Platform" badge.
Typical credentials:
| Schema | What it attests | Key claims |
|---|---|---|
| Course Completion | Completion of a specific course | learner_id, course_id, course_title, completion_date, score, issuer_platform |
| Professional Certification | Certification by a learning platform | learner_id, certification_id, certification_title, awarded_date, expiry_date |
Recommended integration pattern: API key. The learning platform calls POST /api/offers with a scoped API key (offers:write scope) after a learner completes a course. The issuer returns a QR code URL that the platform renders in its completion page. The learner scans it with their wallet to claim the credential.
Typical deployment model: SaaS. Multiple learning platforms share one deployment as tenants.
See API Key Management for the full integration pattern.
Setting your issuer category
Set the issuer category either as identity.category in issuer.config.yaml or as ISSUER_CATEGORY in your environment file:
```yaml
# issuer.config.yaml
identity:
  category: employer # "government" | "employer" | "academic" | "learning-platform"
```
Or via environment variable (takes priority over the YAML value):
```
ISSUER_CATEGORY=government
```
The category is embedded in the issuerCategory claim of every credential your deployment issues and is used by the wallet trust registry to determine the display badge.
Related pages
- Credential Schemas — the 11 built-in schema templates in detail
- API Key Management — learning platform integration pattern
- Configuration — full configuration reference