The "Issuer / service provider not verified" notice
While using the iGrant.io Data Wallet you may see an "Issuer not verified" notice when receiving a credential from an issuer, or a "Service provider not verified" notice when responding to a verifier. This page explains what the notice means, when it appears, and what you can do about it.
Recent wallet versions show this trust status as a tappable chip with context-aware wording: "Issuer not verified" during issuance and "Service provider not verified" during presentation. Earlier versions showed a single "Untrusted Service Provider" label. The meaning is identical, the party could not be matched against a recognised trust list.
What it means
The notice is a trust status indicator. It means the credential's issuer (or, during a presentation, the verifier) could not be matched against a recognised trust list that the wallet validates against, primarily the EU Trust List (ETSI TS 119 612).
The notice does not mean the credential is invalid, fake, or cryptographically broken. The signature on the credential can be perfectly valid. The notice only means the wallet cannot independently confirm the party's identity against an authoritative trusted list, so it flags this for the user to make an informed decision.
When it appears
The notice can appear in either direction of a credential exchange, with wording matched to the context:
- During issuance (OpenID4VCI) — "Issuer not verified": when a credential is offered by an issuer that the wallet cannot match to a trust list it validates against. This is common when evaluating credentials from an issuer other than iGrant.io's own issuer.
- During presentation (OpenID4VP) — "Service provider not verified": when a verifier requesting credentials cannot be matched to a trust list.
What you see in the wallet
The trust status is shown as a coloured, tappable chip next to the organisation's name:
- Trusted — a green chip reading "Trusted Service Provider" with a shield-check icon.
- Not verified — a red chip reading "Issuer not verified" (issuance) or "Service provider not verified" (presentation) with a shield-cross icon.
The chip shows a trailing chevron to indicate it is tappable:
- Tapping a trusted chip opens the verified trust service provider details (the entry matched on the trust list).
- Tapping a not-verified chip opens a details sheet that explains the status: the party was not found on a recognised trust list, the organisation name shown is self-declared and unverified, and a "Register your service" action lets an operator start the process of getting listed (see How to resolve it).
Trusted versus untrusted
The wallet's trust check is reflected in the API response for a flow. The two key fields are isVerifiedWithTrustList and trustServiceProvider.
| Wallet display | API state | Meaning |
|---|---|---|
| Trusted Service Provider (verified provider details shown) | isVerifiedWithTrustList: true, trustServiceProvider populated | The issuer or verifier was matched against a configured trust list, and its verified trust service provider details are available. |
| Issuer not verified / Service provider not verified | isVerifiedWithTrustList: false, trustServiceProvider empty | The issuer or verifier was not found on any trust list the wallet validates against. |
How to resolve it
If you are an integrator and want an issuer or verifier to be recognised rather than flagged, the entity needs to become discoverable through a trust mechanism the wallet validates against. The main options are:
- Be listed on an EU member state trusted list. Qualified and non-qualified trust service providers are published on national trusted lists aggregated through the European List of Trusted Lists (LoTL), as per ETSI TS 119 612. This is the primary path for EUDI scenarios.
- Onboard through a trust anchor. For the EBSI trust model, an entity is onboarded through the trust chain (Root Trust Anchor Operator, Trust Anchor Operator, Trusted Issuer). See the Trust Anchor APIs.
- Be added to a configured trust list. A deployment can configure the trust authorities and trust lists it validates against using the trust authority configuration endpoints.
The not-verified details sheet includes a "Register your service" action that opens a direct contact channel to iGrant.io, the quickest way for an operator to start getting listed so users see a verified badge instead of the notice.
Is this the same as a missing Trust Anchor definition?
Not exactly, although the two are related. The Trust Anchor APIs cover onboarding an entity into a trust framework such as EBSI. The not-verified notice is driven specifically by trust list recognition at the time of issuance or presentation. An issuer that has not been onboarded to a framework the wallet recognises, and that is not present on a trusted list the wallet validates against, will surface this notice. For a full explanation of the difference, see Trust in the Wallet Ecosystem.
The exact wording can differ across wallet versions and platforms. Current versions show "Issuer not verified" (issuance) or "Service provider not verified" (presentation); earlier versions showed "Untrusted Service Provider". The underlying meaning, that the party was not matched against a recognised trust list, is the same.