NEXIEL
Loading...
Menu

For Relying Parties

OverviewAPISDKPricingUse casesAgeCheck for ClubsAge verificationEUDI guide

For Issuers

OverviewCredential typesNFCAPIDashboardPricingIndustries (Issuers)Use cases

Docs

Docs hubVerify docsIssue docsEducation docsWebhooksWallet architectureRunbooksDeveloper hub
About EUDIPricingBlogContact

Docs · Wallet

White-label EUDI wallet architecture

Phase 4 of the Nexiel programme delivers tenant-ready mobile wallets that mirror the official EU reference implementations while integrating tightly with our licensing, pricing, and NFC infrastructure. This page replaces the internal Markdown playbook so partners can review the plan in one place.

Scope

Nexiel must ship native apps (iOS + Android) built on the EUDI Wallet Core/Kit, backed by secure key storage, NFC-first UX, and automated build distribution. The backend orchestrates tenant licensing, branding, artifact storage, and audit-ready logs.

  • Reusable module for trust list sync + cryptography (Secure Enclave / Hardware Keystore).
  • NFC tap verification aligned with ETSI TS 119 476 and OpenID4VP/VCI.
  • Build automation that reflects licence status so unapproved tenants can't ship binaries.

Architecture overview

LayerDescriptionNotes
nexiel-api-gatewayIssues scoped tokens, enforces licence/feature flags, and fans out to wallet services.All `/v1/wallet/*` and `/v1/nfc/*` paths require OAuth2 client credentials.
wallet-serviceStores tenant themes, build requests, and pushes configuration to the mobile CI pipeline.Backed by Prisma models (`WalletTenant`, `WalletTheme`, `WalletBuildRequest`).
wallet-build-runnerGitHub Actions + Fastlane lanes for iOS/Android signing and artifact delivery.Uses tenant-provided assets; emits signed artifacts into S3 for dashboard download.
nexiel-wallet-appReact Native shell embedding the official EUDI Wallet Core (Android) / Kit (iOS).NFC-first UX via `react-native-nfc-manager`, with QR fallback.
wallet-sdkThin JS/TS client institutions use for deep links, provisioning, and callback handling.Builds atop `@nexiel/eudi-sdk` transports.

Security controls

  • Hardware security modules: keys live in Secure Enclave / StrongBox; apps attest integrity on startup.
  • Zero-trust APIs: every wallet build action sits behind `services.wallet.enabled` and the current `LICENCE_MODE`.
  • Trust list parity: mobile apps fetch the same EU Trust List bundles as the backend.
  • NFC privacy: reader sessions rotate ephemeral tokens (`c_nonce`), logs redact PII.
  • Distribution hygiene: signed binaries uploaded to private TestFlight / Play Console tracks; tenants receive manifest + checksum.

Delivery plan (Stage 4)

1. Foundation

  • Add wallet tenant/theming models & admin endpoints (done).
  • Scaffold mobile repos, configure Fastlane + CI secrets (iOS Swift package + Android module targeting the official EUDI Wallet Kit/Core).
  • Document native stack, licensing guardrails, and reference GitHub links.

2. NFC credential flows

  • `/v1/nfc/verify` proxies to `eudi-gateway-service`, enforces `wallet:nfc` scopes, and emits audit-safe hashes.
  • Next up: ship reference reader SDKs (Swift/Kotlin) and sample firmware payloads.

3. Whitelabel automation

  • `wallet/scripts/fetch-wallet-theme.mjs` + Fastlane lanes download tenant theme JSON using `WALLET_BUILD_TOKEN`.
  • `wallet/scripts/upload-wallet-artifact.mjs` streams `.ipa/.aab` bundles to S3 via `/v1/wallet/admin/build-requests/:id/artifacts`; `wallet/scripts/update-build-request.mjs` patches distribution status + store links.
  • Fastlane now pushes directly to TestFlight/Google Play when `WALLET_AUTO_DISTRIBUTE=true`, keeping dashboard build cards in sync.
  • `.github/workflows/wallet-ci.yml` gates Swift + Kotlin builds on every PR.

4. Compliance & docs

  • Map wallet logs into GDPR/PSD2 controls (retention, export, DPIA).
  • Expand `/docs/issue` + `/docs/verify` with wallet provisioning + NFC reader guides.
  • Expose this architecture guide for partners and auditors.

Dependencies

  • EU EUDI Wallet reference implementations: https://github.com/eu-digital-identity-wallet
  • CoreNFC (iOS 17+) and Android NFC APIs (API Level 24+).
  • Secure storage primitives: `SecureEnclave`, Android `EncryptedFileSystem` / Hardware Keystore.
  • Fastlane, App Store Connect API, Google Play Developer API for distribution.

Success criteria

  • Tenants configure branding and request signed builds directly inside the dashboard.
  • Builds embed the Nexiel EUDI SDK, pass conformance suites, and enforce hardware-backed keys.
  • NFC tap flows verified end-to-end in sandbox with audit tokens + hashed subject IDs.
  • Licensing + pricing model documented and linked from `/issue/*`, `/docs/*`, and pricing consoles.