3. Architecture Overview
The IT-Wallet System is a federated ecosystem that enables secure Digital Identity management and Digital Credential exchange for citizens and organizations. The IT-Wallet ecosystem is built on a multi-layered architecture, where governance bodies establish and maintain the trust infrastructure, Primary Actors implement and operate the technical solutions, and external systems provide additional services.
The following diagrams depict the IT-Wallet architecture overview.
The governance level requires all participants in the ecosystem to comply with security and technical standards and requirements.
The primary operational layer implements the core Digital Credential lifecycle through coordinated interactions among specialized technical solutions, so that all credential operations maintain security and privacy standards while enabling seamless user experiences.
Fig. 3.3 IT-Wallet architecture overview - external Actors.
External systems provide services that connect the IT-Wallet ecosystem to the national digital infrastructure, enabling interoperability with existing government services and data sources.
These three architectural layers work together to enable secure Digital Credential operations. The federated nature of this architecture requires systematic onboarding processes to establish trust relationships between participants and to standardise Credential semantics through the centralised Claims Registry and Taxonomy components, as detailed in Registry Infrastructure.
The architecture enables the following core interaction processes:
Entity Onboarding and Federation: Only qualified entities can participate in the federation, through a systematic onboarding process that ensures compliance and establishes cryptographic trust relationships. The onboarding system includes a Claims Registry and Taxonomy that standardize semantic definitions for all Credentials, enabling interoperability and governance. Entity authorization follows a policy-based approach that grants specific operational scopes based on organizational characteristics and regulatory compliance. See Section Onboarding System and Registry Infrastructure.
Credential Discovery and Catalog Management: The ecosystem supports dual Credential discovery mechanisms - public discovery through the Digital Credentials Catalog for general-purpose Credentials, and private discovery via direct Credential Offers for specific use cases. The catalog is automatically populated based on Supervisory Body policies from registered Claims Registry and Taxonomy definitions.
Credential Issuance: Credential Issuers coordinate with Authentic Sources via standardised APIs to request verified User attributes, creating Digital Credentials based on authoritative data. Issuance can proceed both for Credentials discovered within the Credential Catalog and for Credentials provided through Credential Offer flows.
Credential Storage and Management: IT-Wallet Solutions receive and manage Digital Credentials on User devices, enabling secure Credential lifecycle management.
Credential Presentation and Verification: Users present Digital Credentials to Relying Parties, which verify claims through cryptographic validation and status verification. Relying Parties operate within authorized scopes that define which Credential types and purposes they can request, with validation against the Claims Registry for schema verification.