Fix guide · info · openid_credential_issuer_exposed

OpenID Connect verifiable credentials issuer metadata exposed

What this rule means

Your /.well-known/openid-credential-issuer is publicly reachable, which means you're running an OID4VCI verifiable-credential issuer. We surface this so you know which credential types you're publicly advertising.

Why it matters

The OpenID for Verifiable Credential Issuance (OID4VCI) spec defines /.well-known/openid-credential-issuer as the discovery document for verifiable-credential issuers. It lists the issuer URL, supported credential formats (JWT-VC, SD-JWT, mDoc), and the credential types you can issue (e.g. UniversityDegreeCredential, EmployeeIDCredential, HealthRecordCredential).

This is a relatively new spec (finalised in 2024). Few teams intentionally run a VCI issuer. If this finding fires, there are two scenarios:

  1. You intentionally issue verifiable credentials. Good — confirm the credential types listed match what you intend to issue, and the issuer URL is your canonical one.
  2. You didn't know you were running an issuer. Something in your stack (a Microsoft Entra Verified ID integration, an EU digital identity wallet pilot, an IBM/Mattr verifiable-credentials service) configured itself to publish this without you realising. Worth understanding what's running.

How to fix it

  1. Identify the subsystem serving this file (likely Microsoft Entra Verified ID, an IBM service, or a self-hosted issuer like Mattr, Walt.id, or Sphereon).
  2. If you don't intend to issue verifiable credentials, disable the issuer feature in the subsystem's admin UI.
  3. If you do issue credentials, confirm the metadata is accurate:
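One way to carry out that check, given as an added example that is not part of this fix guide or of any vendor product named above: the script below audits an issuer metadata document (the discovery document described under "Why it matters") against the issuer URL and credential types you intend to publish, and reports any mismatch. The field names (credential_issuer, credential_endpoint, credential_configurations_supported, format, credential_definition.type, vct, doctype) and format identifiers (jwt_vc_json, vc+sd-jwt / dc+sd-jwt, mso_mdoc) follow the OID4VCI specification's metadata layout as I know it; the embedded document is constructed for illustration, not fetched from any real issuer.

```python
"""Audit an OID4VCI issuer metadata document against what you intend to publish.

Added example, not code from the fix guide or from any issuer product.
Field names and format identifiers follow the OID4VCI metadata layout
(assumption); the sample document below is constructed, not a real issuer's.
"""
import json

# Formats the guide mentions (JWT-VC, SD-JWT, mDoc), mapped to the key path
# that carries the credential type inside each configuration entry.
TYPE_KEY_BY_FORMAT = {
    "jwt_vc_json": ("credential_definition", "type"),  # JWT-VC: list of types
    "vc+sd-jwt": ("vct",),                             # SD-JWT VC
    "dc+sd-jwt": ("vct",),                             # SD-JWT VC, newer identifier
    "mso_mdoc": ("doctype",),                          # ISO mdoc
}

# Constructed sample document; "example-unknown-format" is deliberately not in
# the table above so the unrecognised-format check has something to report.
SAMPLE_METADATA = json.dumps({
    "credential_issuer": "https://issuer.example.com",
    "credential_endpoint": "https://issuer.example.com/credential",
    "credential_configurations_supported": {
        "degree": {
            "format": "jwt_vc_json",
            "credential_definition": {
                "type": ["VerifiableCredential", "UniversityDegreeCredential"]
            },
        },
        "employee": {"format": "vc+sd-jwt", "vct": "EmployeeIDCredential"},
        "health": {"format": "mso_mdoc", "doctype": "org.example.HealthRecordCredential"},
        "legacy": {"format": "example-unknown-format"},
    },
})


def advertised_types(metadata: dict) -> dict:
    """Return {config_id: (format, credential_type_or_None)} for every entry."""
    out = {}
    for cfg_id, cfg in metadata.get("credential_configurations_supported", {}).items():
        fmt = cfg.get("format")
        path = TYPE_KEY_BY_FORMAT.get(fmt)
        value = cfg if path else None
        for key in path or ():
            value = value.get(key) if isinstance(value, dict) else None
        # jwt_vc_json carries a list of types; report the most specific one.
        if isinstance(value, list):
            specific = [t for t in value if t != "VerifiableCredential"]
            value = specific[-1] if specific else "VerifiableCredential"
        out[cfg_id] = (fmt, value)
    return out


def audit_issuer_metadata(raw: str, canonical_issuer: str, intended_types: set) -> dict:
    """Compare the published document with what the team intends to issue.

    Returns a dict of findings; an empty dict means the metadata matches intent.
    """
    metadata = json.loads(raw)
    findings = {}
    issuer = metadata.get("credential_issuer")
    if issuer != canonical_issuer:
        findings["issuer_mismatch"] = issuer
    if not metadata.get("credential_endpoint"):
        findings["missing_credential_endpoint"] = True
    types = advertised_types(metadata)
    published = {t for _, t in types.values() if t}
    unexpected = sorted(published - intended_types)
    if unexpected:
        findings["unexpected_types"] = unexpected
    unknown_fmt = sorted(cid for cid, (fmt, _) in types.items() if fmt not in TYPE_KEY_BY_FORMAT)
    if unknown_fmt:
        findings["unrecognised_format"] = unknown_fmt
    missing = sorted(intended_types - published)
    if missing:
        findings["intended_but_not_advertised"] = missing
    return findings


if __name__ == "__main__":
    # In practice, replace SAMPLE_METADATA with the body served at
    # https://<your-host>/.well-known/openid-credential-issuer (placeholder host).
    result = audit_issuer_metadata(
        SAMPLE_METADATA,
        canonical_issuer="https://issuer.example.com",
        intended_types={"UniversityDegreeCredential", "EmployeeIDCredential"},
    )
    print(json.dumps(result, indent=2))
```

Run against the sample, the audit reports that HealthRecordCredential is advertised although it is not on the intended list and that the "legacy" entry uses a format the table does not recognise; an empty result means the issuer URL, endpoint and advertised types all match what you meant to publish.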

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
