Get ready for production

This guide provides a checklist for deploying the Truvity EUDIW Connector in a production environment. It covers technical configuration, security hardening, and compliance requirements for handling verified credential data.

Prerequisites

• A working development integration with the connector (complete the getting started guide first)
• Access to the internal management API (port 8081)

Technical checklist

• Obtain Relying Party (RP) registration from your member state Registrar
• Acquire a CA-issued X.509 access certificate (see Manage certificates)

Trust list prerequisite

The access certificate must be issued by a Certificate Authority (CA) whose root is included in the member state's List of Trusted Entities (LoTE). RP registration and certificate issuance are linked through the trust infrastructure—the Registrar records your registration, and the Access CA issues a certificate that chains to a trusted root.

• Configure the connector to load certificates from the file system (in Kubernetes, mount them as secret volumes)
• Configure base_url to the public Ingress hostname
• Implement a callback endpoint that accepts POST requests, responds with a 2xx status within two seconds, and parses the PresentedCredentialsEvent JSON payload (see callback events)
• Test presentation flows with both same-device and cross-device patterns
• Implement error handling for all non-success event statuses: REJECTED, EXPIRED, PROCESSING_ERROR, and VERIFICATION_FAILED (see handle verification errors)

Callback endpoint reliability

The connector retries callback delivery with a default of one retry and a two-second timeout per attempt. If your callback endpoint is unavailable or responds too slowly, the connector returns a 503 or 500 error to the wallet, and the user sees a failure on their device.

To avoid this:

• Ensure your callback endpoint is highly available.
• Respond within two seconds. Offload heavy processing to an asynchronous queue.
• Monitor callback endpoint latency and error rates.

Security checklist

• Isolate the public protocol port (8080) from the internal management API port (8081) at the network level so that management API traffic is not reachable from the internet (for example, using network policies in Kubernetes or firewall rules in other environments)
• Enable TLS for the callback endpoint if it is not on the same internal network as the connector
• Establish certificate rotation procedures and monitor expiration dates
• Ensure the callback endpoint responds within the connector's timeout (default two seconds per attempt) to avoid wallet-facing errors
• Conduct a security review of your credential handling code

Compliance checklist

• Define a data retention policy for credential data received through callbacks, specifying how long you store both the credentials (verified data) and credentialsRaw (raw credential data) fields before deletion
• Implement access controls limiting which internal systems can read stored credential data
• Provide a privacy notice to end users explaining what credential data you collect, why you collect it, and how long you retain it
• Document your lawful basis for processing verified credential data under GDPR (for example, contractual necessity or legitimate interest)
• Implement data subject rights procedures so individuals can request access to, erasure of, or portability of their credential data
• Establish logging and audit trails for compliance reporting

Further reading

• Manage certificates—generate test certificates and configure production certificates
• Callback events—Presented Credentials Event statuses and payload fields
• Error codes—wallet-facing HTTP error responses
• Connector architecture—system components, data flow, and security model