News

2025-10: Onboarding the Swiyu Trust Infrastructure as a Verifier

We are pleased to announce the availability of comprehensive documentation for integrating GNU Taler with the Swiyu trust infrastructure for digital identity verification. This guide enables developers to onboard as credential verifiers in the Swiss digital identity ecosystem.

About Swiyu

Swiyu is Switzerland's decentralized trust infrastructure for digital identity management, currently in public beta. The public beta allows organizations to act as credential issuers or verifiers, with the Generic Verifier component enabling registered third-party entities to request and verify identity attributes from Swiyu eID credentials.

Important: The current system is in Public Beta and is provided on a best-effort basis. The system will continue to evolve over time.

Prerequisites

Before starting the Generic Verifier onboarding process, you must first complete the onboarding to the Swiyu Base Registry. Ensure you have:

  • An AGOV or CH-Login account for accessing the ePortal
  • Java Runtime Environment (JRE) 21 or higher installed
  • Sufficient disk space (approximately 100 MB)
  • Internet connection
  • Operating system: Linux x64/AArch64, macOS (AArch64), or Windows (x64)

Onboarding Process

The onboarding process consists of the following steps:

  1. Sign in or sign up to the Swiss Confederacy ePortal
  2. Register as Business Partner
  3. Get API keys from the self-service portal
  4. Allocate DID space on the Swiyu Base Registry
  5. Generate cryptographic keys and DID log using the Swiyu DID Toolbox
  6. Create and upload the DID log
  7. (Optional) Become a trusted participant

The official Swiyu technical documentation offers step-by-step guides (cookbooks) that walk you through this process in detail. Follow this cookbook to complete the necessary steps to onboard the Swiyu Base Registry.

Configuring the Swiyu Generic Verifier

With the Base Registry onboarding process complete, it is necessary to configure the Swiyu Generic Verifier with the generated keys and DID.

Locate the Configuration File

The Generic Verifier uses a YAML configuration file, located in /swiyu-verifier/verifier-application/src/main/resources/application.yml.

Understanding the Required Configuration Parameters

All required parameters can be found in the DID log generated by the DID toolbox during the Base Registry onboarding process:

  • client_id: The DID found in the value.id field of the DID log
  • signing-key-verification-method: Your DID with the authentication key reference appended. Its value is found in the value.assertionMethod entry in the DID log. The format is: <your-did>#auth-key-01
  • signing-key: The private EC authentication key from the file .didtoolbox/auth-key-01. Copy the entire content including the BEGIN and END markers

Example Configuration

After you substitute your own values, the application.yml file will look similar to this:

application:
  # Private EC key from .didtoolbox/auth-key-01, including the BEGIN and END markers
  signing-key: |
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu
    oAoGCCqGSM49AwEHoUQDQgAE5cice+6ILYCD2gFEVFMLPt3HPf5n/Oef
    zOOoP+3SLDAlh/YkKQvF/1xv0uYuvy1t6wpDM7au1dMEg2L1I9wDxE==
    -----END EC PRIVATE KEY-----
  # Your DID with the key reference appended, on one line with no whitespace
  signing-key-verification-method: "did:tdw:Qmd9bwsodZ1GAz4h8D7Vy6qRio78voXifDrnXokSTsMVQK:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085#auth-key-01"
  external-url: "https://yourdomain.com"
  # The DID itself, on one line with no whitespace
  client_id: "did:tdw:Qmd9bwsodZ1GAz4h8D7Vy6qRio78voXifDrnXokSTsMVQK:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:18fa7c77-9dd1-4e20-a147-fb1bec146085"
  client_id_scheme: "did"
  client-metadata-file: "classpath:/client_metadata.json"

To make sure the Generic Verifier uses your configuration, specify this .yaml run profile when booting the server:

./mvnw spring-boot:run -pl verifier-application -Dspring-boot.run.profiles=application

Where 'application' is the name of your configuration .yaml file.
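
One way to derive the two DID-based settings from the DID log and sanity-check the finished configuration before starting the verifier (an added example, not part of the Swiyu or GNU Taler code). The helper names and the sample log line are constructed, and it assumes each DID log line is JSON with the DID document nested under a "value" key, as the value.id and value.assertionMethod references above suggest.

```python
import json

# Added example: helper names are illustrative. Constructed sample log line; assumes
# each DID log line is JSON with the DID document nested under a "value" key.
DID = ("did:tdw:Qmd9bwsodZ1GAz4h8D7Vy6qRio78voXifDrnXokSTsMVQK:"
       "identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:"
       "did:18fa7c77-9dd1-4e20-a147-fb1bec146085")
SAMPLE_LOG = json.dumps(["1-constructed", "2025-10-01T00:00:00Z", {},
    {"value": {"id": DID, "assertionMethod": [DID + "#auth-key-01"]}}])

def find_did_doc(node):
    """Depth-first search for the object stored under "value" that has an "id"."""
    if isinstance(node, dict):
        value = node.get("value")
        if isinstance(value, dict) and "id" in value:
            return value
        node = list(node.values())
    if isinstance(node, list):
        for doc in filter(None, map(find_did_doc, node)):
            return doc
    return None

def derive_settings(did_log, suffix="#auth-key-01"):
    """Read the newest log entry and return the two DID-derived settings."""
    last = [line for line in did_log.splitlines() if line.strip()][-1]
    doc = find_did_doc(json.loads(last))
    if doc is None:
        raise ValueError("no value.id found in DID log entry")
    refs = [m if isinstance(m, str) else m.get("id", "")
            for m in doc.get("assertionMethod", [])]
    method = next((r for r in refs if r.endswith(suffix)), None)
    if method is None:
        raise ValueError("no assertionMethod entry ending in " + suffix)
    return {"client_id": doc["id"], "signing-key-verification-method": method}

def check_config(cfg):
    """Return a list of problems that would break the verifier setup."""
    problems = []
    cid = cfg.get("client_id", "")
    vm = cfg.get("signing-key-verification-method", "")
    if any(c.isspace() for c in cid + vm):
        problems.append("whitespace inside a DID value")
    if not vm.startswith(cid + "#"):
        problems.append("verification method does not belong to client_id")
    if not cfg.get("external-url", "").startswith("https://"):
        problems.append("external-url is not HTTPS")
    key = cfg.get("signing-key", "").strip()
    if not (key.startswith("-----BEGIN") and key.endswith("-----")):
        problems.append("signing-key lacks BEGIN/END markers")
    return problems
```

Pass check_config a dict holding the values under the application: key; a DID that was wrapped across lines inside a quoted YAML string shows up as the whitespace problem.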

HTTPS Configuration for Swiyu Wallet

HTTPS Requirement

The Swiyu wallet only accepts HTTPS connections. To verify BetaID credentials, you must use a valid TLS/SSL certificate and ensure your verifier is accessible via HTTPS.

Option 1: Public URL with Trusted Certificate

For easier setup, especially during development and testing, you can use a tunneling service like ngrok to forward a public HTTPS URL to your local verifier:

  1. Install ngrok: https://ngrok.com/download
  2. Start your Generic Verifier locally (e.g., on port 8080)
  3. Create an ngrok tunnel: ngrok http 8080
  4. ngrok will provide a public HTTPS URL with a trusted certificate (e.g., https://abc123.ngrok-free.app)
  5. Use this URL in the .yaml configuration file under the 'external-url' field

Note: ngrok free tier URLs can change with each session.

Option 2: Local Network with Valid Certificate

Another, somewhat more cumbersome, approach if you run the verifier on the same network as the Swiyu wallet:

  1. Obtain a valid TLS/SSL certificate (e.g., from a trusted Certificate Authority)
  2. Configure the Generic Verifier application to use the certificate