walt.id Enterprise Authentication Demo

Connection

How It Works

Configure the connection to your Enterprise Stack instance. The target determines which organization and tenant your API calls will operate on.

Environment — Select a preset or enter a custom base URL
Organization — Your organization identifier (e.g., waltid)
Tenant — Optional tenant within the organization (e.g., tenant1)
CORS Proxy — Enable if running locally to bypass browser CORS restrictions

Environment Base URL Organization Tenant Target (computed) Use CORS Proxy

Authentication

How It Works

Authenticate to the Enterprise Stack using either email/password or OIDC (external IdP like Keycloak, Azure AD).

Email/Password — Direct authentication with Enterprise-managed credentials
OIDC — Redirect to external Identity Provider, then return with tokens

After login, you'll see your account details including any mapped roles from the IdP and your effective permissions.

Documentation: Access & Permissions Overview

Auth Flow

Email Password Endpoint

Not authenticated

Organization Setup

How It Works

Set up your organizational hierarchy. Organizations contain tenants, and tenants contain resources and users.

Create Organization — Top-level container (requires global admin)
Create Tenant — Sub-division within an organization for multi-tenancy
Register Account — Create user accounts that can be assigned roles

Create Organization

Payload

Create Tenant

Tenant Name

Payload

Register Account

Payload

Role Management

How It Works

Roles define what users can do. Create roles with specific permissions, then assign them to accounts.

Create Role — Define a role with a set of permissions at a specific scope (org/tenant)
Assign Role — Grant a role to an account, giving them those permissions
List/View — See available roles and your current permissions

Roles are scoped: waltid.tenant1.BW_ADMIN = organization waltid, tenant tenant1, role BW_ADMIN.

Create Role

Role Name

Payload

Assign Role to Account

Account ID Role ID

View Roles & Permissions

API Keys

How It Works

API keys allow machine-to-machine authentication without user credentials. Each API key is associated with an account and can be assigned roles.

Create API Key — Generate a new API key with optional expiration
Assign Role — Grant permissions to the API key by assigning a role

Expiration format: ISO 8601 duration (e.g., P30D = 30 days, PT1H = 1 hour, P1Y = 1 year). Leave empty for permanent keys.

Create API Key

API Key Name

Payload

Assign Role to API Key

API Key Target Role to Assign

External Role Mapping

How It Works

Map external IdP roles (from Keycloak, Azure AD, etc.) to Enterprise roles. When users log in via OIDC, their IdP roles are automatically mapped to Enterprise permissions.

Example Flow

User logs in via Keycloak with role tenant-admin
Enterprise finds mapping: tenant-admin → waltid.tenant1.BW_ADMIN
User automatically gets BW_ADMIN permissions for that session

Mapping Fields

externalRole — The role name from the IdP token (e.g., tenant-admin)
providerId — (Optional) Scope mapping to a specific IdP
conditions.emailDomains — (Optional) Only apply if user email matches domain

REST API

PUT /{role}/.../external-mappings/{externalRole} — Create/update mapping
DELETE /{role}/.../external-mappings/{externalRole} — Remove mapping
GET /{role}/.../external-mappings — List role's mappings
POST /{scope}/.../external-mappings/resolve — Test resolution

Add/Update Mapping

Target Enterprise Role

Mapping Configuration

View Mappings

Test Resolution

Simulate which Enterprise roles would be assigned for given external roles.

External Roles Test Email (optional)

Delete Mapping

External Role to Delete