diff --git a/.env-ui.sample b/.env-ui.sample
index 94b376b66..e6d839ca1 100644
--- a/.env-ui.sample
+++ b/.env-ui.sample
@@ -4,5 +4,5 @@ ISSUER_UI_BUILD_TAG=
 ISSUER_UI_WARNING_MESSAGE=
 ISSUER_UI_IPFS_GATEWAY_URL=https://ipfs-proxy-cache.privado.id
 ISSUER_UI_SCHEMA_EXPLORER_AND_BUILDER_URL=https://tools.privado.id
-ISSUER_UI_SCHEMA_EXPLORER_AND_BUILDER_URL=https://display-method-dev.privado.id
+ISSUER_UI_DISPLAY_METHOD_BUILDER_URL=https://display-method-dev.privado.id
 ISSUER_UI_INSECURE=false
\ No newline at end of file
diff --git a/.github/workflows/delete_testing_env.yml b/.github/workflows/delete_testing_env.yml
index 21718f71b..68f220d18 100644
--- a/.github/workflows/delete_testing_env.yml
+++ b/.github/workflows/delete_testing_env.yml
@@ -1,9 +1,14 @@
 name: Delete Helm Release
 
-on: [delete]
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to target'
+        required: true
 
 env:
-  BRANCH_NAME: ${{ github.event.ref }}
+  BRANCH_NAME: ${{ github.event.inputs.branch }}
 
 jobs:
   delete:
@@ -24,14 +29,14 @@ jobs:
           echo "Extracted URL: $url"
           echo "::set-output name=url::$url"
 
-      - name: Cambiar contexto de kubectl
+      - name: change k3s context
         run: |
           kubectl config use-context k3s
 
-      - name: Verificar conexión al clúster
+      - name: check if the cluster exists
         run: kubectl cluster-info
 
-      - name: Check if helm chart exists
+      - name: check if helm chart exists
         id: helm_check
         run: |
           result=$(helm list --namespace "${{ steps.extract-url.outputs.url }}" -q | grep "^${{ steps.extract-url.outputs.url }}$" || echo 'not_found')
@@ -48,7 +53,7 @@ jobs:
           overrule_existing_kubeconfig: "true"
         if: steps.helm_check.outputs.result != 'not_found'
 
-      - name: "Delete namespace"
+      - name: "delete namespace"
         run: |
           kubectl delete namespace ${{ env.BRANCH_NAME }}
         if: steps.helm_check.outputs.result != 'not_found'
diff --git a/.github/workflows/deploy_testing_env.yml b/.github/workflows/deploy_testing_env.yml
index 499288f23..1a7c75060 100644
--- a/.github/workflows/deploy_testing_env.yml
+++ b/.github/workflows/deploy_testing_env.yml
@@ -114,7 +114,7 @@ jobs:
           exec: helm install "${{ steps.extract-url.outputs.url }}" --create-namespace ./k8s/helm --wait --atomic --timeout 5m --namespace="${{ steps.extract-url.outputs.url }}" --values=./k8s/helm/values.yaml --set apidomain="${{ env.API_DOMAIN }}" --set uidomain="${{ env.UI_DOMAIN }}" --set privateKey=${{ secrets.ISSUER_NODE_TESTING_PRIVATE_KEY }} --set ingressEnabled="true" --set vaultpwd="foo" --set issuerUiInsecure=true --set issuerResolverFile="${{ secrets.ISSUER_NODE_TESTING_ISSUER_RESOLVER_FILE }}" --set issuernode_repository_image="${{ env.ISSUER_NODE_API_IMAGE }}" --set issuernode_repository_tag="${{ steps.version.outputs.VERSION }}" --set issuernode_ui_repository_image="${{ env.ISSUER_NODE_UI_IMAGE }}" --set issuernode_ui_repository_tag="${{ steps.version.outputs.VERSION }}"
           kubeconfig: "${{ secrets.KUBECONFIG }}"
           overrule_existing_kubeconfig: "true"
-        if: steps.helm_check.outputs.result == 'not_found'
+        if: steps.helm_check.outputs.result == 'not_found' && steps.extract-url.outputs.url != ''
 
       - name: "Update helm chart"
         uses: WyriHaximus/github-action-helm3@v3.0
@@ -122,4 +122,4 @@ jobs:
           exec: helm upgrade "${{ steps.extract-url.outputs.url }}" ./k8s/helm/ --wait --atomic --timeout 5m --namespace="${{ steps.extract-url.outputs.url }}" --values=./k8s/helm/values.yaml --set apidomain="${{ env.API_DOMAIN }}" --set uidomain="${{ env.UI_DOMAIN }}" --set privateKey=${{ secrets.ISSUER_NODE_TESTING_PRIVATE_KEY }} --set ingressEnabled="true" --set vaultpwd="foo" --set issuerUiInsecure=true --set issuerResolverFile="${{ secrets.ISSUER_NODE_TESTING_ISSUER_RESOLVER_FILE }}" --set issuernode_repository_image="${{ env.ISSUER_NODE_API_IMAGE }}" --set issuernode_repository_tag="${{ steps.version.outputs.VERSION }}" --set issuernode_ui_repository_image="${{ env.ISSUER_NODE_UI_IMAGE }}" --set issuernode_ui_repository_tag="${{ steps.version.outputs.VERSION }}"
           kubeconfig: "${{ secrets.KUBECONFIG }}"
           overrule_existing_kubeconfig: "true"
-        if: steps.helm_check.outputs.result != 'not_found'
\ No newline at end of file
+        if: steps.helm_check.outputs.result != 'not_found' && steps.extract-url.outputs.url != ''
\ No newline at end of file
diff --git a/api/api.yaml b/api/api.yaml
index 7b293854b..b65a6fbcd 100644
--- a/api/api.yaml
+++ b/api/api.yaml
@@ -26,6 +26,8 @@ tags:
     description: Collection of endpoints related to Mobile
   - name: config
     description: Collection of endpoints related to Config
+  - name: Key Management
+    description: Collection of endpoints related to Key Management
 
 paths:
 
@@ -425,6 +427,51 @@ paths:
         '500':
           $ref: '#/components/responses/500'
 
+  /v2/identities/{identifier}/create-auth-credential:
+    post:
+      summary: Create Auth Credential
+      operationId: CreateAuthCredential
+      description: | 
+                Endpoint to create a new Auth Credential
+                * keyID - only babyjubjub keys supported
+
+      security:
+        - basicAuth: [ ]
+      parameters:
+        - $ref: '#/components/parameters/pathIdentifier2'
+      tags:
+        - Identity
+        - Key Management
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/CreateAuthCredentialRequest'
+      responses:
+        '201':
+          description: Key added successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - id
+                  - credentialStatusType
+                properties:
+                  id:
+                    type: string
+                    description: The ID of the created Auth Credential
+                    x-go-type: uuid.UUID
+                    x-go-type-import:
+                      name: uuid
+                      path: github.com/google/uuid
+                    example: 8edd8112-c415-11ed-b036-debe37e1cbd6
+        '400':
+          $ref: '#/components/responses/400'
+        '500':
+          $ref: '#/components/responses/500'
+
   #connections:
   /v2/identities/{identifier}/connections/{id}:
     get:
@@ -1469,6 +1516,179 @@ paths:
           $ref: '#/components/responses/404'
         '500':
           $ref: '#/components/responses/500'
+  /v2/identities/{identifier}/keys:
+    post:
+      summary: Create a Key
+      operationId: CreateKey
+      description: Endpoint to create a new key.
+      tags:
+        - Key Management
+      security:
+        - basicAuth: [ ]
+      parameters:
+        - $ref: '#/components/parameters/pathIdentifier2'
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/CreateKeyRequest'
+      responses:
+        '201':
+          description: Crated Key
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/CreateKeyResponse'
+        '400':
+          $ref: '#/components/responses/400'
+        '401':
+          $ref: '#/components/responses/401'
+        '500':
+          $ref: '#/components/responses/500'
+
+    get:
+      summary: Get Keys
+      operationId: GetKeys
+      description: |
+        Returns a list of Keys for the provided identity.
+      security:
+        - basicAuth: [ ]
+      tags:
+        - Key Management
+      parameters:
+        - $ref: '#/components/parameters/pathIdentifier2'
+        - in: query
+          name: max_results
+          schema:
+            type: integer
+            format: uint
+            example: 50
+            default: 50
+          description: Number of items to fetch on each page. Minimum is 10. Default is 50. No maximum by the moment.
+        - in: query
+          name: page
+          schema:
+            type: integer
+            format: uint
+            minimum: 1
+            example: 1
+          description: Page to fetch. First is one. If omitted, page 1 will be returned.
+        - in: query
+          name: type
+          schema:
+            type: string
+            x-omitempty: false
+            example: "babyjubJub"
+            enum: [ babyjubJub, secp256k1 ]
+          description: If not provided, all keys will be returned.
+      responses:
+        '200':
+          description: Keys collection
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/KeysPaginated'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '500':
+          $ref: '#/components/responses/500'
+
+  /v2/identities/{identifier}/keys/{id}:
+    get:
+      summary: Get a Key
+      operationId: GetKey
+      description: Get a specific key for the provided identity.
+      tags:
+        - Key Management
+      security:
+        - basicAuth: [ ]
+      parameters:
+        - $ref: '#/components/parameters/pathIdentifier2'
+        - $ref: '#/components/parameters/pathKeyID'
+      responses:
+        '200':
+          description: Key found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Key'
+        '400':
+          $ref: '#/components/responses/400'
+        '401':
+          $ref: '#/components/responses/401'
+        '404':
+          $ref: '#/components/responses/404'
+        '500':
+          $ref: '#/components/responses/500'
+    patch:
+      summary: Update a Key
+      operationId: UpdateKey
+      description: Update a specific key.
+      tags:
+        - Key Management
+      security:
+        - basicAuth: [ ]
+      parameters:
+        - $ref: '#/components/parameters/pathIdentifier2'
+        - $ref: '#/components/parameters/pathKeyID'
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - name
+              properties:
+                name:
+                  type: string
+                  example: "New Key Name"
+      responses:
+        '200':
+          description: Key found
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GenericMessage'
+        '400':
+          $ref: '#/components/responses/400'
+        '401':
+          $ref: '#/components/responses/401'
+        '404':
+          $ref: '#/components/responses/404'
+        '500':
+          $ref: '#/components/responses/500'
+    delete:
+      summary: Delete Key
+      operationId: DeleteKey
+      description: Remove a specific key for the provided identity.
+      tags:
+        - Identity
+      security:
+        - basicAuth: [ ]
+      parameters:
+        - $ref: '#/components/parameters/pathIdentifier2'
+        - $ref: '#/components/parameters/pathKeyID'
+      responses:
+        '200':
+          description: Key deleted
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GenericMessage'
+        '400':
+          $ref: '#/components/responses/400'
+        '404':
+          $ref: '#/components/responses/404'
+        '401':
+          $ref: '#/components/responses/401'
+        '500':
+          $ref: '#/components/responses/500'
+
+
 
   /v2/identities/{identifier}/payment-request:
     get:
@@ -1853,6 +2073,7 @@ components:
         - status
         - keyType
         - credentialStatusType
+        - authCredentialsIDs
       properties:
         identifier:
           type: string
@@ -1873,6 +2094,10 @@ components:
           type: string
           example: "Iden3ReverseSparseMerkleTreeProof"
           enum: [ Iden3commRevocationStatusV1.0, Iden3ReverseSparseMerkleTreeProof, Iden3OnchainSparseMerkleTreeProof2023 ]
+        authCredentialsIDs:
+          type: array
+          items:
+            type: string
 
     IdentityState:
       type: object
@@ -2856,7 +3081,7 @@ components:
         issuerDoc:
           type: object
           format: byte
-    
+
     SupportedNetworks:
       type: object
       x-omitempty: false
@@ -2895,22 +3120,113 @@ components:
         path: github.com/iden3/iden3comm/v2/protocol
 
     CreateDisplayMethodRequest:
-        type: object
-        required:
-          - name
-          - url
-        properties:
-          name:
-            type: string
-            example: "My Display Method"
-          url:
-            type: string
-            example: "https://my-display-method.com"
-          type:
-            type: string
-            example: "Iden3BasicDisplayMethodV1"
-            description: "Display method type (Iden3BasicDisplayMethodV1 is default value)"
+      type: object
+      required:
+        - name
+        - url
+      properties:
+        name:
+          type: string
+          example: "My Display Method"
+        url:
+          type: string
+          example: "https://my-display-method.com"
+        type:
+          type: string
+          example: "Iden3BasicDisplayMethodV1"
+          description: "Display method type (Iden3BasicDisplayMethodV1 is default value)"
+
+    CreateKeyRequest:
+      type: object
+      required:
+        - keyType
+        - name
+      properties:
+        keyType:
+          type: string
+          x-omitempty: false
+          example: "babyjubJub"
+          enum: [ babyjubJub, secp256k1 ]
+        name:
+          type: string
+          example: "my key"
+
+    CreateKeyResponse:
+      type: object
+      required:
+        - id
+      properties:
+        id:
+          type: string
+          x-omitempty: false
+          description: base64 encoded keyID
+          example: a2V5cy9kaWQ6aWRlbjM6cG9seWdvbjphbW95OnhKQktvbkJ1dWdKbW1aMkdvS2gzOTM
+
+    Key:
+      type: object
+      required:
+        - id
+        - keyType
+        - publicKey
+        - isAuthCredential
+        - name
+      properties:
+        id:
+          type: string
+          x-omitempty: false
+          example: ZGlkOnBvbHlnb25pZDpwb2x5Z29uOmFtb3k6MnFRNjhKa1JjZjN5cXBYanRqVVQ3WjdVeW1TV0hzYll
+          description: base64 encoded keyID
+        keyType:
+          type: string
+          x-omitempty: false
+          example: "babyjubJub"
+          enum: [ babyjubJub, secp256k1 ]
+        publicKey:
+          type: string
+          x-omitempty: false
+          example: "0x04e3e7e"
+        isAuthCredential:
+          type: boolean
+          x-omitempty: false
+          example: true
+        name:
+          type: string
+          x-omitempty: false
+          example: "my key"
 
+    KeysPaginated:
+      type: object
+      required: [ items, meta ]
+      properties:
+        items:
+          type: array
+          items:
+            $ref: '#/components/schemas/Key'
+        meta:
+          $ref: '#/components/schemas/PaginatedMetadata'
+
+    CreateAuthCredentialRequest:
+      type: object
+      required: [keyID, credentialStatusType]
+      properties:
+        keyID:
+          type: string
+          x-omitempty: false
+          example: ZGlkOnBvbHlnb25pZDpwb2x5Z29uOmFtb3k6MnFRNjhKa1JjZjN5cXBYanRqVVQ3WjdVeW1TV0hzYll
+        expiration:
+          type: integer
+          format: int64
+        version:
+          type: integer
+          format: uint32
+        revNonce:
+          type: integer
+          format: uint64
+        credentialStatusType:
+          type: string
+          x-omitempty: true
+          example: "Iden3ReverseSparseMerkleTreeProof"
+          enum: [ Iden3commRevocationStatusV1.0, Iden3ReverseSparseMerkleTreeProof, Iden3OnchainSparseMerkleTreeProof2023 ]
 
   parameters:
     credentialStatusType:
@@ -2969,6 +3285,18 @@ components:
       schema:
         type: string
 
+    pathIdentifier2:
+      name: identifier
+      in: path
+      required: true
+      description: Issuer identifier
+      schema:
+        type: string
+        x-go-type: Identity
+        x-go-type-import:
+          name: customIdentity
+          path: github.com/polygonid/sh-id-platform/internal/api
+
     pathClaim:
       name: id
       in: path
@@ -2986,6 +3314,15 @@ components:
         type: integer
         format: int64
 
+    pathKeyID:
+      name: id
+      in: path
+      required: true
+      description: Key ID in base64
+      schema:
+        type: string
+
+
   responses:
     '400':
       description: 'Bad Request'
@@ -3059,4 +3396,4 @@ components:
               code:
                 type: integer
               error:
-                type: string
+                type: string
\ No newline at end of file
diff --git a/api/spec.html b/api/spec.html
index f653c5747..ae3fa7a07 100644
--- a/api/spec.html
+++ b/api/spec.html
@@ -9,7 +9,7 @@
 <body>
   <rapi-doc
     id = "the-doc"
-    spec-url="/static/docs/api/api.yaml"
+    spec-url="static/docs/api/api.yaml"
     theme = "light"
     primary-color = "#93f598"
     allow-spec-url-load = false
diff --git a/cmd/notifications/main.go b/cmd/notifications/main.go
index eb71663b2..490014e05 100644
--- a/cmd/notifications/main.go
+++ b/cmd/notifications/main.go
@@ -130,6 +130,7 @@ func newCredentialsService(ctx context.Context, cfg *config.Configuration, stora
 	mtRepository := repositories.NewIdentityMerkleTreeRepository()
 	identityStateRepository := repositories.NewIdentityState()
 	revocationRepository := repositories.NewRevocation()
+	keyRepository := repositories.NewKey(*storage)
 
 	reader, err := network.GetReaderFromConfig(cfg, ctx)
 	if err != nil {
@@ -157,7 +158,7 @@ func newCredentialsService(ctx context.Context, cfg *config.Configuration, stora
 		*cfg.MediaTypeManager.Enabled,
 	)
 
-	identityService := services.NewIdentity(keyStore, identityRepository, mtRepository, identityStateRepository, mtService, qrService, claimsRepository, revocationRepository, nil, storage, nil, nil, ps, *networkResolver, rhsFactory, revocationStatusResolver)
+	identityService := services.NewIdentity(keyStore, identityRepository, mtRepository, identityStateRepository, mtService, qrService, claimsRepository, revocationRepository, nil, storage, nil, nil, ps, *networkResolver, rhsFactory, revocationStatusResolver, keyRepository)
 	claimsService := services.NewClaim(claimsRepository, identityService, qrService, mtService, identityStateRepository, schemaLoader, storage, cfg.ServerUrl, ps, cfg.IPFS.GatewayURL, revocationStatusResolver, mediaTypeManager, cfg.UniversalLinks)
 
 	return claimsService, nil
diff --git a/cmd/pending_publisher/main.go b/cmd/pending_publisher/main.go
index 5ae3e5c55..667da2034 100644
--- a/cmd/pending_publisher/main.go
+++ b/cmd/pending_publisher/main.go
@@ -104,6 +104,7 @@ func main() {
 	mtRepo := repositories.NewIdentityMerkleTreeRepository()
 	identityStateRepo := repositories.NewIdentityState()
 	revocationRepository := repositories.NewRevocation()
+	keyRepository := repositories.NewKey(*storage)
 	mtService := services.NewIdentityMerkleTrees(mtRepo)
 	qrService := services.NewQrStoreService(cachex)
 
@@ -120,7 +121,7 @@ func main() {
 		*cfg.MediaTypeManager.Enabled,
 	)
 
-	identityService := services.NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, qrService, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver)
+	identityService := services.NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, qrService, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver, keyRepository)
 	claimsService := services.NewClaim(claimsRepo, identityService, qrService, mtService, identityStateRepo, schemaLoader, storage, cfg.ServerUrl, ps, cfg.IPFS.GatewayURL, revocationStatusResolver, mediaTypeManager, cfg.UniversalLinks)
 
 	circuitsLoaderService := circuitLoaders.NewCircuits(cfg.Circuit.Path)
diff --git a/cmd/platform/main.go b/cmd/platform/main.go
index e1ba46727..b167b285c 100644
--- a/cmd/platform/main.go
+++ b/cmd/platform/main.go
@@ -113,6 +113,7 @@ func main() {
 	schemaRepository := repositories.NewSchema(*storage)
 	linkRepository := repositories.NewLink(*storage)
 	sessionRepository := repositories.NewSessionCached(cachex)
+	keyRepository := repositories.NewKey(*storage)
 	paymentsRepo := repositories.NewPayment(*storage)
 
 	// services initialization
@@ -154,14 +155,14 @@ func main() {
 	}
 
 	revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-	identityService := services.NewIdentity(keyStore, identityRepository, mtRepository, identityStateRepository, mtService, qrService, claimsRepository, revocationRepository, connectionsRepository, storage, verifier, sessionRepository, ps, *networkResolver, rhsFactory, revocationStatusResolver)
+	identityService := services.NewIdentity(keyStore, identityRepository, mtRepository, identityStateRepository, mtService, qrService, claimsRepository, revocationRepository, connectionsRepository, storage, verifier, sessionRepository, ps, *networkResolver, rhsFactory, revocationStatusResolver, keyRepository)
 	claimsService := services.NewClaim(claimsRepository, identityService, qrService, mtService, identityStateRepository, schemaLoader, storage, cfg.ServerUrl, ps, cfg.IPFS.GatewayURL, revocationStatusResolver, mediaTypeManager, cfg.UniversalLinks)
 	proofService := services.NewProver(circuitsLoaderService)
 	schemaService := services.NewSchema(schemaRepository, schemaLoader)
 	linkService := services.NewLinkService(storage, claimsService, qrService, claimsRepository, linkRepository, schemaRepository, schemaLoader, sessionRepository, ps, identityService, *networkResolver, cfg.UniversalLinks)
 	paymentService := services.NewPaymentService(paymentsRepo, *networkResolver, schemaService, paymentSettings, keyStore)
 	displayMethodService := services.NewDisplayMethod(repositories.NewDisplayMethod(*storage))
-
+	keyService := services.NewKey(keyStore, claimsService, keyRepository)
 	transactionService, err := gateways.NewTransaction(*networkResolver)
 	if err != nil {
 		log.Error(ctx, "error creating transaction service", "err", err)
@@ -201,9 +202,10 @@ func main() {
 		corsMiddleware.Handler,
 		chiMiddleware.NoCache,
 	)
+
 	api.HandlerWithOptions(
 		api.NewStrictHandlerWithOptions(
-			api.NewServer(cfg, identityService, accountService, connectionsService, claimsService, qrService, publisher, packageManager, *networkResolver, serverHealth, schemaService, linkService, paymentService, displayMethodService),
+			api.NewServer(cfg, identityService, accountService, connectionsService, claimsService, qrService, publisher, packageManager, *networkResolver, serverHealth, schemaService, linkService, displayMethodService, keyService, paymentService),
 			middlewares(ctx, cfg.HTTPBasicAuth),
 			api.StrictHTTPServerOptions{
 				RequestErrorHandlerFunc:  errors.RequestErrorHandlerFunc,
diff --git a/go.mod b/go.mod
index 26ea1e128..34bc08d72 100644
--- a/go.mod
+++ b/go.mod
@@ -36,7 +36,7 @@ require (
 	github.com/iden3/go-rapidsnark/witness/v2 v2.0.0
 	github.com/iden3/go-rapidsnark/witness/wazero v0.0.0-20240914111027-9588ce2d7e1b
 	github.com/iden3/go-schema-processor v1.3.1
-	github.com/iden3/go-schema-processor/v2 v2.5.0
+	github.com/iden3/go-schema-processor/v2 v2.6.1
 	github.com/iden3/iden3comm/v2 v2.9.0
 	github.com/iden3/merkletree-proof v0.3.0
 	github.com/ipfs/go-ipfs-api v0.7.0
@@ -52,7 +52,7 @@ require (
 	github.com/oapi-codegen/oapi-codegen/v2 v2.4.1
 	github.com/oapi-codegen/runtime v1.1.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/piprate/json-gold v0.5.1-0.20230111113000-6ddbe6e6f19f
+	github.com/piprate/json-gold v0.5.1-0.20241210232033-19254b3ec65b
 	github.com/pkg/errors v0.9.1
 	github.com/pressly/goose/v3 v3.23.0
 	github.com/stretchr/testify v1.10.0
diff --git a/go.sum b/go.sum
index 3e13b0a96..a1f484dd6 100644
--- a/go.sum
+++ b/go.sum
@@ -450,8 +450,8 @@ github.com/iden3/go-rapidsnark/witness/wazero v0.0.0-20240914111027-9588ce2d7e1b
 github.com/iden3/go-rapidsnark/witness/wazero v0.0.0-20240914111027-9588ce2d7e1b/go.mod h1:8qNTFId1o6wftaLnvdiprtJ9MoaKO7g7Xh64vnFcnQc=
 github.com/iden3/go-schema-processor v1.3.1 h1:LJfFInfYGMOp0bTKKC17R8q4XI+VtqhFLPTEqnOIvlM=
 github.com/iden3/go-schema-processor v1.3.1/go.mod h1:NwJ1nuGdRlCFaN1/V6mS0AOAdvpLcGf4KKq0mluLG7U=
-github.com/iden3/go-schema-processor/v2 v2.5.0 h1:MX84oFb9kYq0ntKiU4DrPPaRgCDUCKlurtHB6nvPPAs=
-github.com/iden3/go-schema-processor/v2 v2.5.0/go.mod h1:hMqYi4lKOzEGkmCRks/r4Crj8H4G8YaTt8H4jZHzX9Y=
+github.com/iden3/go-schema-processor/v2 v2.6.1 h1:KD33sTAu2xAyG94SmrUAMxI+MREFTmSsavYy70gkTW4=
+github.com/iden3/go-schema-processor/v2 v2.6.1/go.mod h1:MYrkk55aEx3ZBKz0d/0rfxa7lBH4x9TfKGI1T/WBlpw=
 github.com/iden3/iden3comm/v2 v2.9.0 h1:LoD9/1A6L/HO1roWjjzTooka1m1y2SGSgRvcq+UMJS0=
 github.com/iden3/iden3comm/v2 v2.9.0/go.mod h1:l8t+BkbHU3ri7kiExZYc4CTY6erkzkcBbYXw416nwhA=
 github.com/iden3/merkletree-proof v0.3.0 h1:NVlvtUBEgn4Etxxn+RsOmXP/qlI+85BdN8oUDTf3mxI=
@@ -719,8 +719,8 @@ github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNH
 github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/perimeterx/marshmallow v1.1.5 h1:a2LALqQ1BlHM8PZblsDdidgv1mWi1DgC2UmX50IvK2s=
 github.com/perimeterx/marshmallow v1.1.5/go.mod h1:dsXbUu8CRzfYP5a87xpp0xq9S3u0Vchtcl8we9tYaXw=
-github.com/piprate/json-gold v0.5.1-0.20230111113000-6ddbe6e6f19f h1:HlPa7RcxTCrva5izPfTEfvYecO7LTahgmMRD1Qp13xg=
-github.com/piprate/json-gold v0.5.1-0.20230111113000-6ddbe6e6f19f/go.mod h1:WZ501QQMbZZ+3pXFPhQKzNwS1+jls0oqov3uQ2WasLs=
+github.com/piprate/json-gold v0.5.1-0.20241210232033-19254b3ec65b h1:xyh6boGzDR4EpdEDe9ix1KhHNgOSiBjBocahA6FalEQ=
+github.com/piprate/json-gold v0.5.1-0.20241210232033-19254b3ec65b/go.mod h1:RVhE35veDX19r5gfUAR+IYHkAUuPwJO8Ie/qVeFaIzw=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
diff --git a/internal/api/api.gen.go b/internal/api/api.gen.go
index a0d45026b..54c6de635 100644
--- a/internal/api/api.gen.go
+++ b/internal/api/api.gen.go
@@ -26,6 +26,13 @@ const (
 	BasicAuthScopes = "basicAuth.Scopes"
 )
 
+// Defines values for CreateAuthCredentialRequestCredentialStatusType.
+const (
+	CreateAuthCredentialRequestCredentialStatusTypeIden3OnchainSparseMerkleTreeProof2023 CreateAuthCredentialRequestCredentialStatusType = "Iden3OnchainSparseMerkleTreeProof2023"
+	CreateAuthCredentialRequestCredentialStatusTypeIden3ReverseSparseMerkleTreeProof     CreateAuthCredentialRequestCredentialStatusType = "Iden3ReverseSparseMerkleTreeProof"
+	CreateAuthCredentialRequestCredentialStatusTypeIden3commRevocationStatusV10          CreateAuthCredentialRequestCredentialStatusType = "Iden3commRevocationStatusV1.0"
+)
+
 // Defines values for CreateCredentialRequestCredentialStatusType.
 const (
 	CreateCredentialRequestCredentialStatusTypeIden3OnchainSparseMerkleTreeProof2023 CreateCredentialRequestCredentialStatusType = "Iden3OnchainSparseMerkleTreeProof2023"
@@ -59,6 +66,12 @@ const (
 	CreateIdentityResponseCredentialStatusTypeIden3commRevocationStatusV10          CreateIdentityResponseCredentialStatusType = "Iden3commRevocationStatusV1.0"
 )
 
+// Defines values for CreateKeyRequestKeyType.
+const (
+	CreateKeyRequestKeyTypeBabyjubJub CreateKeyRequestKeyType = "babyjubJub"
+	CreateKeyRequestKeyTypeSecp256k1  CreateKeyRequestKeyType = "secp256k1"
+)
+
 // Defines values for DisplayMethodType.
 const (
 	Iden3BasicDisplayMethodV1 DisplayMethodType = "Iden3BasicDisplayMethodV1"
@@ -73,9 +86,15 @@ const (
 
 // Defines values for GetIdentityDetailsResponseCredentialStatusType.
 const (
-	Iden3OnchainSparseMerkleTreeProof2023 GetIdentityDetailsResponseCredentialStatusType = "Iden3OnchainSparseMerkleTreeProof2023"
-	Iden3ReverseSparseMerkleTreeProof     GetIdentityDetailsResponseCredentialStatusType = "Iden3ReverseSparseMerkleTreeProof"
-	Iden3commRevocationStatusV10          GetIdentityDetailsResponseCredentialStatusType = "Iden3commRevocationStatusV1.0"
+	GetIdentityDetailsResponseCredentialStatusTypeIden3OnchainSparseMerkleTreeProof2023 GetIdentityDetailsResponseCredentialStatusType = "Iden3OnchainSparseMerkleTreeProof2023"
+	GetIdentityDetailsResponseCredentialStatusTypeIden3ReverseSparseMerkleTreeProof     GetIdentityDetailsResponseCredentialStatusType = "Iden3ReverseSparseMerkleTreeProof"
+	GetIdentityDetailsResponseCredentialStatusTypeIden3commRevocationStatusV10          GetIdentityDetailsResponseCredentialStatusType = "Iden3commRevocationStatusV1.0"
+)
+
+// Defines values for KeyKeyType.
+const (
+	KeyKeyTypeBabyjubJub KeyKeyType = "babyjubJub"
+	KeyKeyTypeSecp256k1  KeyKeyType = "secp256k1"
 )
 
 // Defines values for LinkStatus.
@@ -158,6 +177,12 @@ const (
 	Type           GetAllDisplayMethodsParamsSort = "type"
 )
 
+// Defines values for GetKeysParamsType.
+const (
+	BabyjubJub GetKeysParamsType = "babyjubJub"
+	Secp256k1  GetKeysParamsType = "secp256k1"
+)
+
 // Defines values for GetStateTransactionsParamsFilter.
 const (
 	GetStateTransactionsParamsFilterAll    GetStateTransactionsParamsFilter = "all"
@@ -213,6 +238,18 @@ type ConnectionsPaginated struct {
 	Meta  PaginatedMetadata      `json:"meta"`
 }
 
+// CreateAuthCredentialRequest defines model for CreateAuthCredentialRequest.
+type CreateAuthCredentialRequest struct {
+	CredentialStatusType CreateAuthCredentialRequestCredentialStatusType `json:"credentialStatusType,omitempty"`
+	Expiration           *int64                                          `json:"expiration,omitempty"`
+	KeyID                string                                          `json:"keyID"`
+	RevNonce             *uint64                                         `json:"revNonce,omitempty"`
+	Version              *uint32                                         `json:"version,omitempty"`
+}
+
+// CreateAuthCredentialRequestCredentialStatusType defines model for CreateAuthCredentialRequest.CredentialStatusType.
+type CreateAuthCredentialRequestCredentialStatusType string
+
 // CreateConnectionRequest defines model for CreateConnectionRequest.
 type CreateConnectionRequest struct {
 	IssuerDoc map[string]interface{} `json:"issuerDoc"`
@@ -289,6 +326,21 @@ type CreateIdentityResponse struct {
 // CreateIdentityResponseCredentialStatusType defines model for CreateIdentityResponse.CredentialStatusType.
 type CreateIdentityResponseCredentialStatusType string
 
+// CreateKeyRequest defines model for CreateKeyRequest.
+type CreateKeyRequest struct {
+	KeyType CreateKeyRequestKeyType `json:"keyType"`
+	Name    string                  `json:"name"`
+}
+
+// CreateKeyRequestKeyType defines model for CreateKeyRequest.KeyType.
+type CreateKeyRequestKeyType string
+
+// CreateKeyResponse defines model for CreateKeyResponse.
+type CreateKeyResponse struct {
+	// Id base64 encoded keyID
+	Id string `json:"id"`
+}
+
 // CreateLinkRequest defines model for CreateLinkRequest.
 type CreateLinkRequest struct {
 	CredentialExpiration *time.Time        `json:"credentialExpiration,omitempty"`
@@ -419,6 +471,7 @@ type GetIdentitiesResponseCredentialStatusType string
 // GetIdentityDetailsResponse defines model for GetIdentityDetailsResponse.
 type GetIdentityDetailsResponse struct {
 	Address              *string                                        `json:"address,omitempty"`
+	AuthCredentialsIDs   []string                                       `json:"authCredentialsIDs"`
 	Balance              *string                                        `json:"balance,omitempty"`
 	CredentialStatusType GetIdentityDetailsResponseCredentialStatusType `json:"credentialStatusType"`
 	DisplayName          *string                                        `json:"displayName"`
@@ -468,6 +521,25 @@ type IssuerDescription struct {
 	Logo        string `json:"logo"`
 }
 
+// Key defines model for Key.
+type Key struct {
+	// Id base64 encoded keyID
+	Id               string     `json:"id"`
+	IsAuthCredential bool       `json:"isAuthCredential"`
+	KeyType          KeyKeyType `json:"keyType"`
+	Name             string     `json:"name"`
+	PublicKey        string     `json:"publicKey"`
+}
+
+// KeyKeyType defines model for Key.KeyType.
+type KeyKeyType string
+
+// KeysPaginated defines model for KeysPaginated.
+type KeysPaginated struct {
+	Items []Key             `json:"items"`
+	Meta  PaginatedMetadata `json:"meta"`
+}
+
 // Link defines model for Link.
 type Link struct {
 	Active               bool              `json:"active"`
@@ -691,6 +763,12 @@ type PathClaim = string
 // PathIdentifier defines model for pathIdentifier.
 type PathIdentifier = string
 
+// PathIdentifier2 defines model for pathIdentifier2.
+type PathIdentifier2 = Identity
+
+// PathKeyID defines model for pathKeyID.
+type PathKeyID = string
+
 // PathNonce defines model for pathNonce.
 type PathNonce = int64
 
@@ -863,6 +941,26 @@ type UpdateDisplayMethodJSONBody struct {
 	Url  *string `json:"url,omitempty"`
 }
 
+// GetKeysParams defines parameters for GetKeys.
+type GetKeysParams struct {
+	// MaxResults Number of items to fetch on each page. Minimum is 10. Default is 50. No maximum by the moment.
+	MaxResults *uint `form:"max_results,omitempty" json:"max_results,omitempty"`
+
+	// Page Page to fetch. First is one. If omitted, page 1 will be returned.
+	Page *uint `form:"page,omitempty" json:"page,omitempty"`
+
+	// Type If not provided, all keys will be returned.
+	Type *GetKeysParamsType `form:"type,omitempty" json:"type,omitempty"`
+}
+
+// GetKeysParamsType defines parameters for GetKeys.
+type GetKeysParamsType string
+
+// UpdateKeyJSONBody defines parameters for UpdateKey.
+type UpdateKeyJSONBody struct {
+	Name string `json:"name"`
+}
+
 // GetSchemasParams defines parameters for GetSchemas.
 type GetSchemasParams struct {
 	// Query Query string to do full text search in schema types and attributes.
@@ -922,6 +1020,9 @@ type UpdateIdentityJSONRequestBody UpdateIdentityJSONBody
 // CreateConnectionJSONRequestBody defines body for CreateConnection for application/json ContentType.
 type CreateConnectionJSONRequestBody = CreateConnectionRequest
 
+// CreateAuthCredentialJSONRequestBody defines body for CreateAuthCredential for application/json ContentType.
+type CreateAuthCredentialJSONRequestBody = CreateAuthCredentialRequest
+
 // CreateCredentialJSONRequestBody defines body for CreateCredential for application/json ContentType.
 type CreateCredentialJSONRequestBody = CreateCredentialRequest
 
@@ -940,6 +1041,12 @@ type CreateDisplayMethodJSONRequestBody = CreateDisplayMethodRequest
 // UpdateDisplayMethodJSONRequestBody defines body for UpdateDisplayMethod for application/json ContentType.
 type UpdateDisplayMethodJSONRequestBody UpdateDisplayMethodJSONBody
 
+// CreateKeyJSONRequestBody defines body for CreateKey for application/json ContentType.
+type CreateKeyJSONRequestBody = CreateKeyRequest
+
+// UpdateKeyJSONRequestBody defines body for UpdateKey for application/json ContentType.
+type UpdateKeyJSONRequestBody UpdateKeyJSONBody
+
 // CreatePaymentRequestJSONRequestBody defines body for CreatePaymentRequest for application/json ContentType.
 type CreatePaymentRequestJSONRequestBody = CreatePaymentRequest
 
@@ -1002,6 +1109,9 @@ type ServerInterface interface {
 	// Revoke Connection Credentials
 	// (POST /v2/identities/{identifier}/connections/{id}/credentials/revoke)
 	RevokeConnectionCredentials(w http.ResponseWriter, r *http.Request, identifier PathIdentifier, id Id)
+	// Create Auth Credential
+	// (POST /v2/identities/{identifier}/create-auth-credential)
+	CreateAuthCredential(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2)
 	// Get Credentials
 	// (GET /v2/identities/{identifier}/credentials)
 	GetCredentials(w http.ResponseWriter, r *http.Request, identifier PathIdentifier, params GetCredentialsParams)
@@ -1059,6 +1169,21 @@ type ServerInterface interface {
 	// Update Display Method
 	// (PATCH /v2/identities/{identifier}/display-method/{id})
 	UpdateDisplayMethod(w http.ResponseWriter, r *http.Request, identifier PathIdentifier, id Id)
+	// Get Keys
+	// (GET /v2/identities/{identifier}/keys)
+	GetKeys(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, params GetKeysParams)
+	// Create a Key
+	// (POST /v2/identities/{identifier}/keys)
+	CreateKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2)
+	// Delete Key
+	// (DELETE /v2/identities/{identifier}/keys/{id})
+	DeleteKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, id PathKeyID)
+	// Get a Key
+	// (GET /v2/identities/{identifier}/keys/{id})
+	GetKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, id PathKeyID)
+	// Update a Key
+	// (PATCH /v2/identities/{identifier}/keys/{id})
+	UpdateKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, id PathKeyID)
 	// Get Payment Requests
 	// (GET /v2/identities/{identifier}/payment-request)
 	GetPaymentRequests(w http.ResponseWriter, r *http.Request, identifier PathIdentifier)
@@ -1221,6 +1346,12 @@ func (_ Unimplemented) RevokeConnectionCredentials(w http.ResponseWriter, r *htt
 	w.WriteHeader(http.StatusNotImplemented)
 }
 
+// Create Auth Credential
+// (POST /v2/identities/{identifier}/create-auth-credential)
+func (_ Unimplemented) CreateAuthCredential(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2) {
+	w.WriteHeader(http.StatusNotImplemented)
+}
+
 // Get Credentials
 // (GET /v2/identities/{identifier}/credentials)
 func (_ Unimplemented) GetCredentials(w http.ResponseWriter, r *http.Request, identifier PathIdentifier, params GetCredentialsParams) {
@@ -1335,6 +1466,36 @@ func (_ Unimplemented) UpdateDisplayMethod(w http.ResponseWriter, r *http.Reques
 	w.WriteHeader(http.StatusNotImplemented)
 }
 
+// Get Keys
+// (GET /v2/identities/{identifier}/keys)
+func (_ Unimplemented) GetKeys(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, params GetKeysParams) {
+	w.WriteHeader(http.StatusNotImplemented)
+}
+
+// Create a Key
+// (POST /v2/identities/{identifier}/keys)
+func (_ Unimplemented) CreateKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2) {
+	w.WriteHeader(http.StatusNotImplemented)
+}
+
+// Delete Key
+// (DELETE /v2/identities/{identifier}/keys/{id})
+func (_ Unimplemented) DeleteKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, id PathKeyID) {
+	w.WriteHeader(http.StatusNotImplemented)
+}
+
+// Get a Key
+// (GET /v2/identities/{identifier}/keys/{id})
+func (_ Unimplemented) GetKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, id PathKeyID) {
+	w.WriteHeader(http.StatusNotImplemented)
+}
+
+// Update a Key
+// (PATCH /v2/identities/{identifier}/keys/{id})
+func (_ Unimplemented) UpdateKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, id PathKeyID) {
+	w.WriteHeader(http.StatusNotImplemented)
+}
+
 // Get Payment Requests
 // (GET /v2/identities/{identifier}/payment-request)
 func (_ Unimplemented) GetPaymentRequests(w http.ResponseWriter, r *http.Request, identifier PathIdentifier) {
@@ -1991,6 +2152,37 @@ func (siw *ServerInterfaceWrapper) RevokeConnectionCredentials(w http.ResponseWr
 	handler.ServeHTTP(w, r)
 }
 
+// CreateAuthCredential operation middleware
+func (siw *ServerInterfaceWrapper) CreateAuthCredential(w http.ResponseWriter, r *http.Request) {
+
+	var err error
+
+	// ------------- Path parameter "identifier" -------------
+	var identifier PathIdentifier2
+
+	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "identifier", Err: err})
+		return
+	}
+
+	ctx := r.Context()
+
+	ctx = context.WithValue(ctx, BasicAuthScopes, []string{})
+
+	r = r.WithContext(ctx)
+
+	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		siw.Handler.CreateAuthCredential(w, r, identifier)
+	}))
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		handler = middleware(handler)
+	}
+
+	handler.ServeHTTP(w, r)
+}
+
 // GetCredentials operation middleware
 func (siw *ServerInterfaceWrapper) GetCredentials(w http.ResponseWriter, r *http.Request) {
 
@@ -2796,13 +2988,13 @@ func (siw *ServerInterfaceWrapper) UpdateDisplayMethod(w http.ResponseWriter, r
 	handler.ServeHTTP(w, r)
 }
 
-// GetPaymentRequests operation middleware
-func (siw *ServerInterfaceWrapper) GetPaymentRequests(w http.ResponseWriter, r *http.Request) {
+// GetKeys operation middleware
+func (siw *ServerInterfaceWrapper) GetKeys(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
 	// ------------- Path parameter "identifier" -------------
-	var identifier PathIdentifier
+	var identifier PathIdentifier2
 
 	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
 	if err != nil {
@@ -2816,8 +3008,35 @@ func (siw *ServerInterfaceWrapper) GetPaymentRequests(w http.ResponseWriter, r *
 
 	r = r.WithContext(ctx)
 
+	// Parameter object where we will unmarshal all parameters from the context
+	var params GetKeysParams
+
+	// ------------- Optional query parameter "max_results" -------------
+
+	err = runtime.BindQueryParameter("form", true, false, "max_results", r.URL.Query(), &params.MaxResults)
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "max_results", Err: err})
+		return
+	}
+
+	// ------------- Optional query parameter "page" -------------
+
+	err = runtime.BindQueryParameter("form", true, false, "page", r.URL.Query(), &params.Page)
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "page", Err: err})
+		return
+	}
+
+	// ------------- Optional query parameter "type" -------------
+
+	err = runtime.BindQueryParameter("form", true, false, "type", r.URL.Query(), &params.Type)
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "type", Err: err})
+		return
+	}
+
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.GetPaymentRequests(w, r, identifier)
+		siw.Handler.GetKeys(w, r, identifier, params)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -2827,13 +3046,13 @@ func (siw *ServerInterfaceWrapper) GetPaymentRequests(w http.ResponseWriter, r *
 	handler.ServeHTTP(w, r)
 }
 
-// CreatePaymentRequest operation middleware
-func (siw *ServerInterfaceWrapper) CreatePaymentRequest(w http.ResponseWriter, r *http.Request) {
+// CreateKey operation middleware
+func (siw *ServerInterfaceWrapper) CreateKey(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
 	// ------------- Path parameter "identifier" -------------
-	var identifier PathIdentifier
+	var identifier PathIdentifier2
 
 	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
 	if err != nil {
@@ -2848,7 +3067,7 @@ func (siw *ServerInterfaceWrapper) CreatePaymentRequest(w http.ResponseWriter, r
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.CreatePaymentRequest(w, r, identifier)
+		siw.Handler.CreateKey(w, r, identifier)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -2858,13 +3077,13 @@ func (siw *ServerInterfaceWrapper) CreatePaymentRequest(w http.ResponseWriter, r
 	handler.ServeHTTP(w, r)
 }
 
-// DeletePaymentRequest operation middleware
-func (siw *ServerInterfaceWrapper) DeletePaymentRequest(w http.ResponseWriter, r *http.Request) {
+// DeleteKey operation middleware
+func (siw *ServerInterfaceWrapper) DeleteKey(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
 	// ------------- Path parameter "identifier" -------------
-	var identifier PathIdentifier
+	var identifier PathIdentifier2
 
 	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
 	if err != nil {
@@ -2873,7 +3092,7 @@ func (siw *ServerInterfaceWrapper) DeletePaymentRequest(w http.ResponseWriter, r
 	}
 
 	// ------------- Path parameter "id" -------------
-	var id Id
+	var id PathKeyID
 
 	err = runtime.BindStyledParameterWithOptions("simple", "id", chi.URLParam(r, "id"), &id, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
 	if err != nil {
@@ -2888,7 +3107,7 @@ func (siw *ServerInterfaceWrapper) DeletePaymentRequest(w http.ResponseWriter, r
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.DeletePaymentRequest(w, r, identifier, id)
+		siw.Handler.DeleteKey(w, r, identifier, id)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -2898,13 +3117,13 @@ func (siw *ServerInterfaceWrapper) DeletePaymentRequest(w http.ResponseWriter, r
 	handler.ServeHTTP(w, r)
 }
 
-// GetPaymentRequest operation middleware
-func (siw *ServerInterfaceWrapper) GetPaymentRequest(w http.ResponseWriter, r *http.Request) {
+// GetKey operation middleware
+func (siw *ServerInterfaceWrapper) GetKey(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
 	// ------------- Path parameter "identifier" -------------
-	var identifier PathIdentifier
+	var identifier PathIdentifier2
 
 	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
 	if err != nil {
@@ -2913,7 +3132,7 @@ func (siw *ServerInterfaceWrapper) GetPaymentRequest(w http.ResponseWriter, r *h
 	}
 
 	// ------------- Path parameter "id" -------------
-	var id Id
+	var id PathKeyID
 
 	err = runtime.BindStyledParameterWithOptions("simple", "id", chi.URLParam(r, "id"), &id, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
 	if err != nil {
@@ -2928,7 +3147,7 @@ func (siw *ServerInterfaceWrapper) GetPaymentRequest(w http.ResponseWriter, r *h
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.GetPaymentRequest(w, r, identifier, id)
+		siw.Handler.GetKey(w, r, identifier, id)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -2938,13 +3157,13 @@ func (siw *ServerInterfaceWrapper) GetPaymentRequest(w http.ResponseWriter, r *h
 	handler.ServeHTTP(w, r)
 }
 
-// GetPaymentOptions operation middleware
-func (siw *ServerInterfaceWrapper) GetPaymentOptions(w http.ResponseWriter, r *http.Request) {
+// UpdateKey operation middleware
+func (siw *ServerInterfaceWrapper) UpdateKey(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
 	// ------------- Path parameter "identifier" -------------
-	var identifier PathIdentifier
+	var identifier PathIdentifier2
 
 	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
 	if err != nil {
@@ -2952,6 +3171,15 @@ func (siw *ServerInterfaceWrapper) GetPaymentOptions(w http.ResponseWriter, r *h
 		return
 	}
 
+	// ------------- Path parameter "id" -------------
+	var id PathKeyID
+
+	err = runtime.BindStyledParameterWithOptions("simple", "id", chi.URLParam(r, "id"), &id, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "id", Err: err})
+		return
+	}
+
 	ctx := r.Context()
 
 	ctx = context.WithValue(ctx, BasicAuthScopes, []string{})
@@ -2959,7 +3187,7 @@ func (siw *ServerInterfaceWrapper) GetPaymentOptions(w http.ResponseWriter, r *h
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.GetPaymentOptions(w, r, identifier)
+		siw.Handler.UpdateKey(w, r, identifier, id)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -2969,8 +3197,8 @@ func (siw *ServerInterfaceWrapper) GetPaymentOptions(w http.ResponseWriter, r *h
 	handler.ServeHTTP(w, r)
 }
 
-// CreatePaymentOption operation middleware
-func (siw *ServerInterfaceWrapper) CreatePaymentOption(w http.ResponseWriter, r *http.Request) {
+// GetPaymentRequests operation middleware
+func (siw *ServerInterfaceWrapper) GetPaymentRequests(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
@@ -2990,7 +3218,7 @@ func (siw *ServerInterfaceWrapper) CreatePaymentOption(w http.ResponseWriter, r
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.CreatePaymentOption(w, r, identifier)
+		siw.Handler.GetPaymentRequests(w, r, identifier)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -3000,8 +3228,8 @@ func (siw *ServerInterfaceWrapper) CreatePaymentOption(w http.ResponseWriter, r
 	handler.ServeHTTP(w, r)
 }
 
-// DeletePaymentOption operation middleware
-func (siw *ServerInterfaceWrapper) DeletePaymentOption(w http.ResponseWriter, r *http.Request) {
+// CreatePaymentRequest operation middleware
+func (siw *ServerInterfaceWrapper) CreatePaymentRequest(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
@@ -3014,15 +3242,6 @@ func (siw *ServerInterfaceWrapper) DeletePaymentOption(w http.ResponseWriter, r
 		return
 	}
 
-	// ------------- Path parameter "id" -------------
-	var id Id
-
-	err = runtime.BindStyledParameterWithOptions("simple", "id", chi.URLParam(r, "id"), &id, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
-	if err != nil {
-		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "id", Err: err})
-		return
-	}
-
 	ctx := r.Context()
 
 	ctx = context.WithValue(ctx, BasicAuthScopes, []string{})
@@ -3030,7 +3249,7 @@ func (siw *ServerInterfaceWrapper) DeletePaymentOption(w http.ResponseWriter, r
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.DeletePaymentOption(w, r, identifier, id)
+		siw.Handler.CreatePaymentRequest(w, r, identifier)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -3040,8 +3259,8 @@ func (siw *ServerInterfaceWrapper) DeletePaymentOption(w http.ResponseWriter, r
 	handler.ServeHTTP(w, r)
 }
 
-// GetPaymentOption operation middleware
-func (siw *ServerInterfaceWrapper) GetPaymentOption(w http.ResponseWriter, r *http.Request) {
+// DeletePaymentRequest operation middleware
+func (siw *ServerInterfaceWrapper) DeletePaymentRequest(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
@@ -3070,7 +3289,7 @@ func (siw *ServerInterfaceWrapper) GetPaymentOption(w http.ResponseWriter, r *ht
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.GetPaymentOption(w, r, identifier, id)
+		siw.Handler.DeletePaymentRequest(w, r, identifier, id)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -3080,13 +3299,13 @@ func (siw *ServerInterfaceWrapper) GetPaymentOption(w http.ResponseWriter, r *ht
 	handler.ServeHTTP(w, r)
 }
 
-// VerifyPayment operation middleware
-func (siw *ServerInterfaceWrapper) VerifyPayment(w http.ResponseWriter, r *http.Request) {
+// GetPaymentRequest operation middleware
+func (siw *ServerInterfaceWrapper) GetPaymentRequest(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
 	// ------------- Path parameter "identifier" -------------
-	var identifier string
+	var identifier PathIdentifier
 
 	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
 	if err != nil {
@@ -3094,12 +3313,12 @@ func (siw *ServerInterfaceWrapper) VerifyPayment(w http.ResponseWriter, r *http.
 		return
 	}
 
-	// ------------- Path parameter "nonce" -------------
-	var nonce string
+	// ------------- Path parameter "id" -------------
+	var id Id
 
-	err = runtime.BindStyledParameterWithOptions("simple", "nonce", chi.URLParam(r, "nonce"), &nonce, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	err = runtime.BindStyledParameterWithOptions("simple", "id", chi.URLParam(r, "id"), &id, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
 	if err != nil {
-		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "nonce", Err: err})
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "id", Err: err})
 		return
 	}
 
@@ -3110,7 +3329,7 @@ func (siw *ServerInterfaceWrapper) VerifyPayment(w http.ResponseWriter, r *http.
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.VerifyPayment(w, r, identifier, nonce)
+		siw.Handler.GetPaymentRequest(w, r, identifier, id)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -3120,8 +3339,8 @@ func (siw *ServerInterfaceWrapper) VerifyPayment(w http.ResponseWriter, r *http.
 	handler.ServeHTTP(w, r)
 }
 
-// GetSchemas operation middleware
-func (siw *ServerInterfaceWrapper) GetSchemas(w http.ResponseWriter, r *http.Request) {
+// GetPaymentOptions operation middleware
+func (siw *ServerInterfaceWrapper) GetPaymentOptions(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
@@ -3140,19 +3359,8 @@ func (siw *ServerInterfaceWrapper) GetSchemas(w http.ResponseWriter, r *http.Req
 
 	r = r.WithContext(ctx)
 
-	// Parameter object where we will unmarshal all parameters from the context
-	var params GetSchemasParams
-
-	// ------------- Optional query parameter "query" -------------
-
-	err = runtime.BindQueryParameter("form", true, false, "query", r.URL.Query(), &params.Query)
-	if err != nil {
-		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "query", Err: err})
-		return
-	}
-
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.GetSchemas(w, r, identifier, params)
+		siw.Handler.GetPaymentOptions(w, r, identifier)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -3162,8 +3370,8 @@ func (siw *ServerInterfaceWrapper) GetSchemas(w http.ResponseWriter, r *http.Req
 	handler.ServeHTTP(w, r)
 }
 
-// ImportSchema operation middleware
-func (siw *ServerInterfaceWrapper) ImportSchema(w http.ResponseWriter, r *http.Request) {
+// CreatePaymentOption operation middleware
+func (siw *ServerInterfaceWrapper) CreatePaymentOption(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
@@ -3183,7 +3391,7 @@ func (siw *ServerInterfaceWrapper) ImportSchema(w http.ResponseWriter, r *http.R
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.ImportSchema(w, r, identifier)
+		siw.Handler.CreatePaymentOption(w, r, identifier)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -3193,8 +3401,8 @@ func (siw *ServerInterfaceWrapper) ImportSchema(w http.ResponseWriter, r *http.R
 	handler.ServeHTTP(w, r)
 }
 
-// GetSchema operation middleware
-func (siw *ServerInterfaceWrapper) GetSchema(w http.ResponseWriter, r *http.Request) {
+// DeletePaymentOption operation middleware
+func (siw *ServerInterfaceWrapper) DeletePaymentOption(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
@@ -3223,7 +3431,7 @@ func (siw *ServerInterfaceWrapper) GetSchema(w http.ResponseWriter, r *http.Requ
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.GetSchema(w, r, identifier, id)
+		siw.Handler.DeletePaymentOption(w, r, identifier, id)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -3233,8 +3441,8 @@ func (siw *ServerInterfaceWrapper) GetSchema(w http.ResponseWriter, r *http.Requ
 	handler.ServeHTTP(w, r)
 }
 
-// PublishIdentityState operation middleware
-func (siw *ServerInterfaceWrapper) PublishIdentityState(w http.ResponseWriter, r *http.Request) {
+// GetPaymentOption operation middleware
+func (siw *ServerInterfaceWrapper) GetPaymentOption(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
@@ -3247,6 +3455,15 @@ func (siw *ServerInterfaceWrapper) PublishIdentityState(w http.ResponseWriter, r
 		return
 	}
 
+	// ------------- Path parameter "id" -------------
+	var id Id
+
+	err = runtime.BindStyledParameterWithOptions("simple", "id", chi.URLParam(r, "id"), &id, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "id", Err: err})
+		return
+	}
+
 	ctx := r.Context()
 
 	ctx = context.WithValue(ctx, BasicAuthScopes, []string{})
@@ -3254,7 +3471,7 @@ func (siw *ServerInterfaceWrapper) PublishIdentityState(w http.ResponseWriter, r
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.PublishIdentityState(w, r, identifier)
+		siw.Handler.GetPaymentOption(w, r, identifier, id)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -3264,13 +3481,13 @@ func (siw *ServerInterfaceWrapper) PublishIdentityState(w http.ResponseWriter, r
 	handler.ServeHTTP(w, r)
 }
 
-// RetryPublishState operation middleware
-func (siw *ServerInterfaceWrapper) RetryPublishState(w http.ResponseWriter, r *http.Request) {
+// VerifyPayment operation middleware
+func (siw *ServerInterfaceWrapper) VerifyPayment(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
 	// ------------- Path parameter "identifier" -------------
-	var identifier PathIdentifier
+	var identifier string
 
 	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
 	if err != nil {
@@ -3278,6 +3495,15 @@ func (siw *ServerInterfaceWrapper) RetryPublishState(w http.ResponseWriter, r *h
 		return
 	}
 
+	// ------------- Path parameter "nonce" -------------
+	var nonce string
+
+	err = runtime.BindStyledParameterWithOptions("simple", "nonce", chi.URLParam(r, "nonce"), &nonce, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "nonce", Err: err})
+		return
+	}
+
 	ctx := r.Context()
 
 	ctx = context.WithValue(ctx, BasicAuthScopes, []string{})
@@ -3285,7 +3511,7 @@ func (siw *ServerInterfaceWrapper) RetryPublishState(w http.ResponseWriter, r *h
 	r = r.WithContext(ctx)
 
 	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.RetryPublishState(w, r, identifier)
+		siw.Handler.VerifyPayment(w, r, identifier, nonce)
 	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
@@ -3295,8 +3521,8 @@ func (siw *ServerInterfaceWrapper) RetryPublishState(w http.ResponseWriter, r *h
 	handler.ServeHTTP(w, r)
 }
 
-// GetStateStatus operation middleware
-func (siw *ServerInterfaceWrapper) GetStateStatus(w http.ResponseWriter, r *http.Request) {
+// GetSchemas operation middleware
+func (siw *ServerInterfaceWrapper) GetSchemas(w http.ResponseWriter, r *http.Request) {
 
 	var err error
 
@@ -3315,9 +3541,184 @@ func (siw *ServerInterfaceWrapper) GetStateStatus(w http.ResponseWriter, r *http
 
 	r = r.WithContext(ctx)
 
-	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		siw.Handler.GetStateStatus(w, r, identifier)
-	}))
+	// Parameter object where we will unmarshal all parameters from the context
+	var params GetSchemasParams
+
+	// ------------- Optional query parameter "query" -------------
+
+	err = runtime.BindQueryParameter("form", true, false, "query", r.URL.Query(), &params.Query)
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "query", Err: err})
+		return
+	}
+
+	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		siw.Handler.GetSchemas(w, r, identifier, params)
+	}))
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		handler = middleware(handler)
+	}
+
+	handler.ServeHTTP(w, r)
+}
+
+// ImportSchema operation middleware
+func (siw *ServerInterfaceWrapper) ImportSchema(w http.ResponseWriter, r *http.Request) {
+
+	var err error
+
+	// ------------- Path parameter "identifier" -------------
+	var identifier PathIdentifier
+
+	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "identifier", Err: err})
+		return
+	}
+
+	ctx := r.Context()
+
+	ctx = context.WithValue(ctx, BasicAuthScopes, []string{})
+
+	r = r.WithContext(ctx)
+
+	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		siw.Handler.ImportSchema(w, r, identifier)
+	}))
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		handler = middleware(handler)
+	}
+
+	handler.ServeHTTP(w, r)
+}
+
+// GetSchema operation middleware
+func (siw *ServerInterfaceWrapper) GetSchema(w http.ResponseWriter, r *http.Request) {
+
+	var err error
+
+	// ------------- Path parameter "identifier" -------------
+	var identifier PathIdentifier
+
+	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "identifier", Err: err})
+		return
+	}
+
+	// ------------- Path parameter "id" -------------
+	var id Id
+
+	err = runtime.BindStyledParameterWithOptions("simple", "id", chi.URLParam(r, "id"), &id, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "id", Err: err})
+		return
+	}
+
+	ctx := r.Context()
+
+	ctx = context.WithValue(ctx, BasicAuthScopes, []string{})
+
+	r = r.WithContext(ctx)
+
+	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		siw.Handler.GetSchema(w, r, identifier, id)
+	}))
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		handler = middleware(handler)
+	}
+
+	handler.ServeHTTP(w, r)
+}
+
+// PublishIdentityState operation middleware
+func (siw *ServerInterfaceWrapper) PublishIdentityState(w http.ResponseWriter, r *http.Request) {
+
+	var err error
+
+	// ------------- Path parameter "identifier" -------------
+	var identifier PathIdentifier
+
+	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "identifier", Err: err})
+		return
+	}
+
+	ctx := r.Context()
+
+	ctx = context.WithValue(ctx, BasicAuthScopes, []string{})
+
+	r = r.WithContext(ctx)
+
+	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		siw.Handler.PublishIdentityState(w, r, identifier)
+	}))
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		handler = middleware(handler)
+	}
+
+	handler.ServeHTTP(w, r)
+}
+
+// RetryPublishState operation middleware
+func (siw *ServerInterfaceWrapper) RetryPublishState(w http.ResponseWriter, r *http.Request) {
+
+	var err error
+
+	// ------------- Path parameter "identifier" -------------
+	var identifier PathIdentifier
+
+	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "identifier", Err: err})
+		return
+	}
+
+	ctx := r.Context()
+
+	ctx = context.WithValue(ctx, BasicAuthScopes, []string{})
+
+	r = r.WithContext(ctx)
+
+	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		siw.Handler.RetryPublishState(w, r, identifier)
+	}))
+
+	for _, middleware := range siw.HandlerMiddlewares {
+		handler = middleware(handler)
+	}
+
+	handler.ServeHTTP(w, r)
+}
+
+// GetStateStatus operation middleware
+func (siw *ServerInterfaceWrapper) GetStateStatus(w http.ResponseWriter, r *http.Request) {
+
+	var err error
+
+	// ------------- Path parameter "identifier" -------------
+	var identifier PathIdentifier
+
+	err = runtime.BindStyledParameterWithOptions("simple", "identifier", chi.URLParam(r, "identifier"), &identifier, runtime.BindStyledParameterOptions{ParamLocation: runtime.ParamLocationPath, Explode: false, Required: true})
+	if err != nil {
+		siw.ErrorHandlerFunc(w, r, &InvalidParamFormatError{ParamName: "identifier", Err: err})
+		return
+	}
+
+	ctx := r.Context()
+
+	ctx = context.WithValue(ctx, BasicAuthScopes, []string{})
+
+	r = r.WithContext(ctx)
+
+	handler := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		siw.Handler.GetStateStatus(w, r, identifier)
+	}))
 
 	for _, middleware := range siw.HandlerMiddlewares {
 		handler = middleware(handler)
@@ -3664,6 +4065,9 @@ func HandlerWithOptions(si ServerInterface, options ChiServerOptions) http.Handl
 	r.Group(func(r chi.Router) {
 		r.Post(options.BaseURL+"/v2/identities/{identifier}/connections/{id}/credentials/revoke", wrapper.RevokeConnectionCredentials)
 	})
+	r.Group(func(r chi.Router) {
+		r.Post(options.BaseURL+"/v2/identities/{identifier}/create-auth-credential", wrapper.CreateAuthCredential)
+	})
 	r.Group(func(r chi.Router) {
 		r.Get(options.BaseURL+"/v2/identities/{identifier}/credentials", wrapper.GetCredentials)
 	})
@@ -3721,6 +4125,21 @@ func HandlerWithOptions(si ServerInterface, options ChiServerOptions) http.Handl
 	r.Group(func(r chi.Router) {
 		r.Patch(options.BaseURL+"/v2/identities/{identifier}/display-method/{id}", wrapper.UpdateDisplayMethod)
 	})
+	r.Group(func(r chi.Router) {
+		r.Get(options.BaseURL+"/v2/identities/{identifier}/keys", wrapper.GetKeys)
+	})
+	r.Group(func(r chi.Router) {
+		r.Post(options.BaseURL+"/v2/identities/{identifier}/keys", wrapper.CreateKey)
+	})
+	r.Group(func(r chi.Router) {
+		r.Delete(options.BaseURL+"/v2/identities/{identifier}/keys/{id}", wrapper.DeleteKey)
+	})
+	r.Group(func(r chi.Router) {
+		r.Get(options.BaseURL+"/v2/identities/{identifier}/keys/{id}", wrapper.GetKey)
+	})
+	r.Group(func(r chi.Router) {
+		r.Patch(options.BaseURL+"/v2/identities/{identifier}/keys/{id}", wrapper.UpdateKey)
+	})
 	r.Group(func(r chi.Router) {
 		r.Get(options.BaseURL+"/v2/identities/{identifier}/payment-request", wrapper.GetPaymentRequests)
 	})
@@ -4437,6 +4856,45 @@ func (response RevokeConnectionCredentials500JSONResponse) VisitRevokeConnection
 	return json.NewEncoder(w).Encode(response)
 }
 
+type CreateAuthCredentialRequestObject struct {
+	Identifier PathIdentifier2 `json:"identifier"`
+	Body       *CreateAuthCredentialJSONRequestBody
+}
+
+type CreateAuthCredentialResponseObject interface {
+	VisitCreateAuthCredentialResponse(w http.ResponseWriter) error
+}
+
+type CreateAuthCredential201JSONResponse struct {
+	// Id The ID of the created Auth Credential
+	Id uuid.UUID `json:"id"`
+}
+
+func (response CreateAuthCredential201JSONResponse) VisitCreateAuthCredentialResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(201)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type CreateAuthCredential400JSONResponse struct{ N400JSONResponse }
+
+func (response CreateAuthCredential400JSONResponse) VisitCreateAuthCredentialResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(400)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type CreateAuthCredential500JSONResponse struct{ N500JSONResponse }
+
+func (response CreateAuthCredential500JSONResponse) VisitCreateAuthCredentialResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(500)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
 type GetCredentialsRequestObject struct {
 	Identifier PathIdentifier `json:"identifier"`
 	Params     GetCredentialsParams
@@ -5016,262 +5474,515 @@ type GetCredentialOfferResponseObject interface {
 	VisitGetCredentialOfferResponse(w http.ResponseWriter) error
 }
 
-type GetCredentialOffer200JSONResponse CredentialOfferResponse
+type GetCredentialOffer200JSONResponse CredentialOfferResponse
+
+func (response GetCredentialOffer200JSONResponse) VisitGetCredentialOfferResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(200)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetCredentialOffer400JSONResponse struct{ N400JSONResponse }
+
+func (response GetCredentialOffer400JSONResponse) VisitGetCredentialOfferResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(400)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetCredentialOffer404JSONResponse struct{ N404JSONResponse }
+
+func (response GetCredentialOffer404JSONResponse) VisitGetCredentialOfferResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(404)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetCredentialOffer409JSONResponse struct{ N409JSONResponse }
+
+func (response GetCredentialOffer409JSONResponse) VisitGetCredentialOfferResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(409)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetCredentialOffer500JSONResponse struct{ N500JSONResponse }
+
+func (response GetCredentialOffer500JSONResponse) VisitGetCredentialOfferResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(500)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetAllDisplayMethodsRequestObject struct {
+	Identifier PathIdentifier `json:"identifier"`
+	Params     GetAllDisplayMethodsParams
+}
+
+type GetAllDisplayMethodsResponseObject interface {
+	VisitGetAllDisplayMethodsResponse(w http.ResponseWriter) error
+}
+
+type GetAllDisplayMethods200JSONResponse DisplayMethodPaginated
+
+func (response GetAllDisplayMethods200JSONResponse) VisitGetAllDisplayMethodsResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(200)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetAllDisplayMethods400JSONResponse struct{ N400JSONResponse }
+
+func (response GetAllDisplayMethods400JSONResponse) VisitGetAllDisplayMethodsResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(400)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetAllDisplayMethods404JSONResponse struct{ N404JSONResponse }
+
+func (response GetAllDisplayMethods404JSONResponse) VisitGetAllDisplayMethodsResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(404)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetAllDisplayMethods500JSONResponse struct{ N500JSONResponse }
+
+func (response GetAllDisplayMethods500JSONResponse) VisitGetAllDisplayMethodsResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(500)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type CreateDisplayMethodRequestObject struct {
+	Identifier PathIdentifier `json:"identifier"`
+	Body       *CreateDisplayMethodJSONRequestBody
+}
+
+type CreateDisplayMethodResponseObject interface {
+	VisitCreateDisplayMethodResponse(w http.ResponseWriter) error
+}
+
+type CreateDisplayMethod201JSONResponse UUIDResponse
+
+func (response CreateDisplayMethod201JSONResponse) VisitCreateDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(201)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type CreateDisplayMethod400JSONResponse struct{ N400JSONResponse }
+
+func (response CreateDisplayMethod400JSONResponse) VisitCreateDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(400)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type CreateDisplayMethod500JSONResponse struct{ N500JSONResponse }
+
+func (response CreateDisplayMethod500JSONResponse) VisitCreateDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(500)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type DeleteDisplayMethodRequestObject struct {
+	Identifier PathIdentifier `json:"identifier"`
+	Id         Id             `json:"id"`
+}
+
+type DeleteDisplayMethodResponseObject interface {
+	VisitDeleteDisplayMethodResponse(w http.ResponseWriter) error
+}
+
+type DeleteDisplayMethod200JSONResponse GenericMessage
+
+func (response DeleteDisplayMethod200JSONResponse) VisitDeleteDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(200)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type DeleteDisplayMethod400JSONResponse struct{ N400JSONResponse }
+
+func (response DeleteDisplayMethod400JSONResponse) VisitDeleteDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(400)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type DeleteDisplayMethod404JSONResponse struct{ N404JSONResponse }
+
+func (response DeleteDisplayMethod404JSONResponse) VisitDeleteDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(404)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type DeleteDisplayMethod500JSONResponse struct{ N500JSONResponse }
+
+func (response DeleteDisplayMethod500JSONResponse) VisitDeleteDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(500)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetDisplayMethodRequestObject struct {
+	Identifier PathIdentifier `json:"identifier"`
+	Id         Id             `json:"id"`
+}
+
+type GetDisplayMethodResponseObject interface {
+	VisitGetDisplayMethodResponse(w http.ResponseWriter) error
+}
+
+type GetDisplayMethod200JSONResponse DisplayMethodEntity
+
+func (response GetDisplayMethod200JSONResponse) VisitGetDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(200)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetDisplayMethod400JSONResponse struct{ N400JSONResponse }
+
+func (response GetDisplayMethod400JSONResponse) VisitGetDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(400)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetDisplayMethod404JSONResponse struct{ N404JSONResponse }
+
+func (response GetDisplayMethod404JSONResponse) VisitGetDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(404)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetDisplayMethod500JSONResponse struct{ N500JSONResponse }
+
+func (response GetDisplayMethod500JSONResponse) VisitGetDisplayMethodResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(500)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type UpdateDisplayMethodRequestObject struct {
+	Identifier PathIdentifier `json:"identifier"`
+	Id         Id             `json:"id"`
+	Body       *UpdateDisplayMethodJSONRequestBody
+}
+
+type UpdateDisplayMethodResponseObject interface {
+	VisitUpdateDisplayMethodResponse(w http.ResponseWriter) error
+}
+
+type UpdateDisplayMethod200JSONResponse GenericMessage
 
-func (response GetCredentialOffer200JSONResponse) VisitGetCredentialOfferResponse(w http.ResponseWriter) error {
+func (response UpdateDisplayMethod200JSONResponse) VisitUpdateDisplayMethodResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(200)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetCredentialOffer400JSONResponse struct{ N400JSONResponse }
+type UpdateDisplayMethod400JSONResponse struct{ N400JSONResponse }
 
-func (response GetCredentialOffer400JSONResponse) VisitGetCredentialOfferResponse(w http.ResponseWriter) error {
+func (response UpdateDisplayMethod400JSONResponse) VisitUpdateDisplayMethodResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(400)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetCredentialOffer404JSONResponse struct{ N404JSONResponse }
+type UpdateDisplayMethod404JSONResponse struct{ N404JSONResponse }
 
-func (response GetCredentialOffer404JSONResponse) VisitGetCredentialOfferResponse(w http.ResponseWriter) error {
+func (response UpdateDisplayMethod404JSONResponse) VisitUpdateDisplayMethodResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(404)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetCredentialOffer409JSONResponse struct{ N409JSONResponse }
-
-func (response GetCredentialOffer409JSONResponse) VisitGetCredentialOfferResponse(w http.ResponseWriter) error {
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(409)
-
-	return json.NewEncoder(w).Encode(response)
-}
-
-type GetCredentialOffer500JSONResponse struct{ N500JSONResponse }
+type UpdateDisplayMethod500JSONResponse struct{ N500JSONResponse }
 
-func (response GetCredentialOffer500JSONResponse) VisitGetCredentialOfferResponse(w http.ResponseWriter) error {
+func (response UpdateDisplayMethod500JSONResponse) VisitUpdateDisplayMethodResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(500)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetAllDisplayMethodsRequestObject struct {
-	Identifier PathIdentifier `json:"identifier"`
-	Params     GetAllDisplayMethodsParams
+type GetKeysRequestObject struct {
+	Identifier PathIdentifier2 `json:"identifier"`
+	Params     GetKeysParams
 }
 
-type GetAllDisplayMethodsResponseObject interface {
-	VisitGetAllDisplayMethodsResponse(w http.ResponseWriter) error
+type GetKeysResponseObject interface {
+	VisitGetKeysResponse(w http.ResponseWriter) error
 }
 
-type GetAllDisplayMethods200JSONResponse DisplayMethodPaginated
+type GetKeys200JSONResponse KeysPaginated
 
-func (response GetAllDisplayMethods200JSONResponse) VisitGetAllDisplayMethodsResponse(w http.ResponseWriter) error {
+func (response GetKeys200JSONResponse) VisitGetKeysResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(200)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetAllDisplayMethods400JSONResponse struct{ N400JSONResponse }
+type GetKeys400JSONResponse struct{ N400JSONResponse }
 
-func (response GetAllDisplayMethods400JSONResponse) VisitGetAllDisplayMethodsResponse(w http.ResponseWriter) error {
+func (response GetKeys400JSONResponse) VisitGetKeysResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(400)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetAllDisplayMethods404JSONResponse struct{ N404JSONResponse }
+type GetKeys404JSONResponse struct{ N404JSONResponse }
 
-func (response GetAllDisplayMethods404JSONResponse) VisitGetAllDisplayMethodsResponse(w http.ResponseWriter) error {
+func (response GetKeys404JSONResponse) VisitGetKeysResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(404)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetAllDisplayMethods500JSONResponse struct{ N500JSONResponse }
+type GetKeys500JSONResponse struct{ N500JSONResponse }
 
-func (response GetAllDisplayMethods500JSONResponse) VisitGetAllDisplayMethodsResponse(w http.ResponseWriter) error {
+func (response GetKeys500JSONResponse) VisitGetKeysResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(500)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type CreateDisplayMethodRequestObject struct {
-	Identifier PathIdentifier `json:"identifier"`
-	Body       *CreateDisplayMethodJSONRequestBody
+type CreateKeyRequestObject struct {
+	Identifier PathIdentifier2 `json:"identifier"`
+	Body       *CreateKeyJSONRequestBody
 }
 
-type CreateDisplayMethodResponseObject interface {
-	VisitCreateDisplayMethodResponse(w http.ResponseWriter) error
+type CreateKeyResponseObject interface {
+	VisitCreateKeyResponse(w http.ResponseWriter) error
 }
 
-type CreateDisplayMethod201JSONResponse UUIDResponse
+type CreateKey201JSONResponse CreateKeyResponse
 
-func (response CreateDisplayMethod201JSONResponse) VisitCreateDisplayMethodResponse(w http.ResponseWriter) error {
+func (response CreateKey201JSONResponse) VisitCreateKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(201)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type CreateDisplayMethod400JSONResponse struct{ N400JSONResponse }
+type CreateKey400JSONResponse struct{ N400JSONResponse }
 
-func (response CreateDisplayMethod400JSONResponse) VisitCreateDisplayMethodResponse(w http.ResponseWriter) error {
+func (response CreateKey400JSONResponse) VisitCreateKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(400)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type CreateDisplayMethod500JSONResponse struct{ N500JSONResponse }
+type CreateKey401JSONResponse struct{ N401JSONResponse }
 
-func (response CreateDisplayMethod500JSONResponse) VisitCreateDisplayMethodResponse(w http.ResponseWriter) error {
+func (response CreateKey401JSONResponse) VisitCreateKeyResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(401)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type CreateKey500JSONResponse struct{ N500JSONResponse }
+
+func (response CreateKey500JSONResponse) VisitCreateKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(500)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type DeleteDisplayMethodRequestObject struct {
-	Identifier PathIdentifier `json:"identifier"`
-	Id         Id             `json:"id"`
+type DeleteKeyRequestObject struct {
+	Identifier PathIdentifier2 `json:"identifier"`
+	Id         PathKeyID       `json:"id"`
 }
 
-type DeleteDisplayMethodResponseObject interface {
-	VisitDeleteDisplayMethodResponse(w http.ResponseWriter) error
+type DeleteKeyResponseObject interface {
+	VisitDeleteKeyResponse(w http.ResponseWriter) error
 }
 
-type DeleteDisplayMethod200JSONResponse GenericMessage
+type DeleteKey200JSONResponse GenericMessage
 
-func (response DeleteDisplayMethod200JSONResponse) VisitDeleteDisplayMethodResponse(w http.ResponseWriter) error {
+func (response DeleteKey200JSONResponse) VisitDeleteKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(200)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type DeleteDisplayMethod400JSONResponse struct{ N400JSONResponse }
+type DeleteKey400JSONResponse struct{ N400JSONResponse }
 
-func (response DeleteDisplayMethod400JSONResponse) VisitDeleteDisplayMethodResponse(w http.ResponseWriter) error {
+func (response DeleteKey400JSONResponse) VisitDeleteKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(400)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type DeleteDisplayMethod404JSONResponse struct{ N404JSONResponse }
+type DeleteKey401JSONResponse struct{ N401JSONResponse }
 
-func (response DeleteDisplayMethod404JSONResponse) VisitDeleteDisplayMethodResponse(w http.ResponseWriter) error {
+func (response DeleteKey401JSONResponse) VisitDeleteKeyResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(401)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type DeleteKey404JSONResponse struct{ N404JSONResponse }
+
+func (response DeleteKey404JSONResponse) VisitDeleteKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(404)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type DeleteDisplayMethod500JSONResponse struct{ N500JSONResponse }
+type DeleteKey500JSONResponse struct{ N500JSONResponse }
 
-func (response DeleteDisplayMethod500JSONResponse) VisitDeleteDisplayMethodResponse(w http.ResponseWriter) error {
+func (response DeleteKey500JSONResponse) VisitDeleteKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(500)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetDisplayMethodRequestObject struct {
-	Identifier PathIdentifier `json:"identifier"`
-	Id         Id             `json:"id"`
+type GetKeyRequestObject struct {
+	Identifier PathIdentifier2 `json:"identifier"`
+	Id         PathKeyID       `json:"id"`
 }
 
-type GetDisplayMethodResponseObject interface {
-	VisitGetDisplayMethodResponse(w http.ResponseWriter) error
+type GetKeyResponseObject interface {
+	VisitGetKeyResponse(w http.ResponseWriter) error
 }
 
-type GetDisplayMethod200JSONResponse DisplayMethodEntity
+type GetKey200JSONResponse Key
 
-func (response GetDisplayMethod200JSONResponse) VisitGetDisplayMethodResponse(w http.ResponseWriter) error {
+func (response GetKey200JSONResponse) VisitGetKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(200)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetDisplayMethod400JSONResponse struct{ N400JSONResponse }
+type GetKey400JSONResponse struct{ N400JSONResponse }
 
-func (response GetDisplayMethod400JSONResponse) VisitGetDisplayMethodResponse(w http.ResponseWriter) error {
+func (response GetKey400JSONResponse) VisitGetKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(400)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetDisplayMethod404JSONResponse struct{ N404JSONResponse }
+type GetKey401JSONResponse struct{ N401JSONResponse }
 
-func (response GetDisplayMethod404JSONResponse) VisitGetDisplayMethodResponse(w http.ResponseWriter) error {
+func (response GetKey401JSONResponse) VisitGetKeyResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(401)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type GetKey404JSONResponse struct{ N404JSONResponse }
+
+func (response GetKey404JSONResponse) VisitGetKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(404)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type GetDisplayMethod500JSONResponse struct{ N500JSONResponse }
+type GetKey500JSONResponse struct{ N500JSONResponse }
 
-func (response GetDisplayMethod500JSONResponse) VisitGetDisplayMethodResponse(w http.ResponseWriter) error {
+func (response GetKey500JSONResponse) VisitGetKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(500)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type UpdateDisplayMethodRequestObject struct {
-	Identifier PathIdentifier `json:"identifier"`
-	Id         Id             `json:"id"`
-	Body       *UpdateDisplayMethodJSONRequestBody
+type UpdateKeyRequestObject struct {
+	Identifier PathIdentifier2 `json:"identifier"`
+	Id         PathKeyID       `json:"id"`
+	Body       *UpdateKeyJSONRequestBody
 }
 
-type UpdateDisplayMethodResponseObject interface {
-	VisitUpdateDisplayMethodResponse(w http.ResponseWriter) error
+type UpdateKeyResponseObject interface {
+	VisitUpdateKeyResponse(w http.ResponseWriter) error
 }
 
-type UpdateDisplayMethod200JSONResponse GenericMessage
+type UpdateKey200JSONResponse GenericMessage
 
-func (response UpdateDisplayMethod200JSONResponse) VisitUpdateDisplayMethodResponse(w http.ResponseWriter) error {
+func (response UpdateKey200JSONResponse) VisitUpdateKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(200)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type UpdateDisplayMethod400JSONResponse struct{ N400JSONResponse }
+type UpdateKey400JSONResponse struct{ N400JSONResponse }
 
-func (response UpdateDisplayMethod400JSONResponse) VisitUpdateDisplayMethodResponse(w http.ResponseWriter) error {
+func (response UpdateKey400JSONResponse) VisitUpdateKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(400)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type UpdateDisplayMethod404JSONResponse struct{ N404JSONResponse }
+type UpdateKey401JSONResponse struct{ N401JSONResponse }
 
-func (response UpdateDisplayMethod404JSONResponse) VisitUpdateDisplayMethodResponse(w http.ResponseWriter) error {
+func (response UpdateKey401JSONResponse) VisitUpdateKeyResponse(w http.ResponseWriter) error {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(401)
+
+	return json.NewEncoder(w).Encode(response)
+}
+
+type UpdateKey404JSONResponse struct{ N404JSONResponse }
+
+func (response UpdateKey404JSONResponse) VisitUpdateKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(404)
 
 	return json.NewEncoder(w).Encode(response)
 }
 
-type UpdateDisplayMethod500JSONResponse struct{ N500JSONResponse }
+type UpdateKey500JSONResponse struct{ N500JSONResponse }
 
-func (response UpdateDisplayMethod500JSONResponse) VisitUpdateDisplayMethodResponse(w http.ResponseWriter) error {
+func (response UpdateKey500JSONResponse) VisitUpdateKeyResponse(w http.ResponseWriter) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(500)
 
@@ -6147,6 +6858,9 @@ type StrictServerInterface interface {
 	// Revoke Connection Credentials
 	// (POST /v2/identities/{identifier}/connections/{id}/credentials/revoke)
 	RevokeConnectionCredentials(ctx context.Context, request RevokeConnectionCredentialsRequestObject) (RevokeConnectionCredentialsResponseObject, error)
+	// Create Auth Credential
+	// (POST /v2/identities/{identifier}/create-auth-credential)
+	CreateAuthCredential(ctx context.Context, request CreateAuthCredentialRequestObject) (CreateAuthCredentialResponseObject, error)
 	// Get Credentials
 	// (GET /v2/identities/{identifier}/credentials)
 	GetCredentials(ctx context.Context, request GetCredentialsRequestObject) (GetCredentialsResponseObject, error)
@@ -6204,6 +6918,21 @@ type StrictServerInterface interface {
 	// Update Display Method
 	// (PATCH /v2/identities/{identifier}/display-method/{id})
 	UpdateDisplayMethod(ctx context.Context, request UpdateDisplayMethodRequestObject) (UpdateDisplayMethodResponseObject, error)
+	// Get Keys
+	// (GET /v2/identities/{identifier}/keys)
+	GetKeys(ctx context.Context, request GetKeysRequestObject) (GetKeysResponseObject, error)
+	// Create a Key
+	// (POST /v2/identities/{identifier}/keys)
+	CreateKey(ctx context.Context, request CreateKeyRequestObject) (CreateKeyResponseObject, error)
+	// Delete Key
+	// (DELETE /v2/identities/{identifier}/keys/{id})
+	DeleteKey(ctx context.Context, request DeleteKeyRequestObject) (DeleteKeyResponseObject, error)
+	// Get a Key
+	// (GET /v2/identities/{identifier}/keys/{id})
+	GetKey(ctx context.Context, request GetKeyRequestObject) (GetKeyResponseObject, error)
+	// Update a Key
+	// (PATCH /v2/identities/{identifier}/keys/{id})
+	UpdateKey(ctx context.Context, request UpdateKeyRequestObject) (UpdateKeyResponseObject, error)
 	// Get Payment Requests
 	// (GET /v2/identities/{identifier}/payment-request)
 	GetPaymentRequests(ctx context.Context, request GetPaymentRequestsRequestObject) (GetPaymentRequestsResponseObject, error)
@@ -6753,6 +7482,39 @@ func (sh *strictHandler) RevokeConnectionCredentials(w http.ResponseWriter, r *h
 	}
 }
 
+// CreateAuthCredential operation middleware
+func (sh *strictHandler) CreateAuthCredential(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2) {
+	var request CreateAuthCredentialRequestObject
+
+	request.Identifier = identifier
+
+	var body CreateAuthCredentialJSONRequestBody
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		sh.options.RequestErrorHandlerFunc(w, r, fmt.Errorf("can't decode JSON body: %w", err))
+		return
+	}
+	request.Body = &body
+
+	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, request interface{}) (interface{}, error) {
+		return sh.ssi.CreateAuthCredential(ctx, request.(CreateAuthCredentialRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "CreateAuthCredential")
+	}
+
+	response, err := handler(r.Context(), w, r, request)
+
+	if err != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, err)
+	} else if validResponse, ok := response.(CreateAuthCredentialResponseObject); ok {
+		if err := validResponse.VisitCreateAuthCredentialResponse(w); err != nil {
+			sh.options.ResponseErrorHandlerFunc(w, r, err)
+		}
+	} else if response != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
 // GetCredentials operation middleware
 func (sh *strictHandler) GetCredentials(w http.ResponseWriter, r *http.Request, identifier PathIdentifier, params GetCredentialsParams) {
 	var request GetCredentialsRequestObject
@@ -7307,6 +8069,154 @@ func (sh *strictHandler) UpdateDisplayMethod(w http.ResponseWriter, r *http.Requ
 	}
 }
 
+// GetKeys operation middleware
+func (sh *strictHandler) GetKeys(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, params GetKeysParams) {
+	var request GetKeysRequestObject
+
+	request.Identifier = identifier
+	request.Params = params
+
+	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, request interface{}) (interface{}, error) {
+		return sh.ssi.GetKeys(ctx, request.(GetKeysRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "GetKeys")
+	}
+
+	response, err := handler(r.Context(), w, r, request)
+
+	if err != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, err)
+	} else if validResponse, ok := response.(GetKeysResponseObject); ok {
+		if err := validResponse.VisitGetKeysResponse(w); err != nil {
+			sh.options.ResponseErrorHandlerFunc(w, r, err)
+		}
+	} else if response != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
+// CreateKey operation middleware
+func (sh *strictHandler) CreateKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2) {
+	var request CreateKeyRequestObject
+
+	request.Identifier = identifier
+
+	var body CreateKeyJSONRequestBody
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		sh.options.RequestErrorHandlerFunc(w, r, fmt.Errorf("can't decode JSON body: %w", err))
+		return
+	}
+	request.Body = &body
+
+	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, request interface{}) (interface{}, error) {
+		return sh.ssi.CreateKey(ctx, request.(CreateKeyRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "CreateKey")
+	}
+
+	response, err := handler(r.Context(), w, r, request)
+
+	if err != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, err)
+	} else if validResponse, ok := response.(CreateKeyResponseObject); ok {
+		if err := validResponse.VisitCreateKeyResponse(w); err != nil {
+			sh.options.ResponseErrorHandlerFunc(w, r, err)
+		}
+	} else if response != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
+// DeleteKey operation middleware
+func (sh *strictHandler) DeleteKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, id PathKeyID) {
+	var request DeleteKeyRequestObject
+
+	request.Identifier = identifier
+	request.Id = id
+
+	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, request interface{}) (interface{}, error) {
+		return sh.ssi.DeleteKey(ctx, request.(DeleteKeyRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "DeleteKey")
+	}
+
+	response, err := handler(r.Context(), w, r, request)
+
+	if err != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, err)
+	} else if validResponse, ok := response.(DeleteKeyResponseObject); ok {
+		if err := validResponse.VisitDeleteKeyResponse(w); err != nil {
+			sh.options.ResponseErrorHandlerFunc(w, r, err)
+		}
+	} else if response != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
+// GetKey operation middleware
+func (sh *strictHandler) GetKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, id PathKeyID) {
+	var request GetKeyRequestObject
+
+	request.Identifier = identifier
+	request.Id = id
+
+	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, request interface{}) (interface{}, error) {
+		return sh.ssi.GetKey(ctx, request.(GetKeyRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "GetKey")
+	}
+
+	response, err := handler(r.Context(), w, r, request)
+
+	if err != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, err)
+	} else if validResponse, ok := response.(GetKeyResponseObject); ok {
+		if err := validResponse.VisitGetKeyResponse(w); err != nil {
+			sh.options.ResponseErrorHandlerFunc(w, r, err)
+		}
+	} else if response != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
+// UpdateKey operation middleware
+func (sh *strictHandler) UpdateKey(w http.ResponseWriter, r *http.Request, identifier PathIdentifier2, id PathKeyID) {
+	var request UpdateKeyRequestObject
+
+	request.Identifier = identifier
+	request.Id = id
+
+	var body UpdateKeyJSONRequestBody
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		sh.options.RequestErrorHandlerFunc(w, r, fmt.Errorf("can't decode JSON body: %w", err))
+		return
+	}
+	request.Body = &body
+
+	handler := func(ctx context.Context, w http.ResponseWriter, r *http.Request, request interface{}) (interface{}, error) {
+		return sh.ssi.UpdateKey(ctx, request.(UpdateKeyRequestObject))
+	}
+	for _, middleware := range sh.middlewares {
+		handler = middleware(handler, "UpdateKey")
+	}
+
+	response, err := handler(r.Context(), w, r, request)
+
+	if err != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, err)
+	} else if validResponse, ok := response.(UpdateKeyResponseObject); ok {
+		if err := validResponse.VisitUpdateKeyResponse(w); err != nil {
+			sh.options.ResponseErrorHandlerFunc(w, r, err)
+		}
+	} else if response != nil {
+		sh.options.ResponseErrorHandlerFunc(w, r, fmt.Errorf("unexpected response type: %T", response))
+	}
+}
+
 // GetPaymentRequests operation middleware
 func (sh *strictHandler) GetPaymentRequests(w http.ResponseWriter, r *http.Request, identifier PathIdentifier) {
 	var request GetPaymentRequestsRequestObject
diff --git a/internal/api/api_custom_types.go b/internal/api/api_custom_types.go
new file mode 100644
index 000000000..1f4b8b388
--- /dev/null
+++ b/internal/api/api_custom_types.go
@@ -0,0 +1,22 @@
+package api
+
+import "github.com/iden3/go-iden3-core/v2/w3c"
+
+// Identity represents a DID
+type Identity struct {
+	w3cDID *w3c.DID
+}
+
+// UnmarshalText unmarshals a DID from text
+func (c *Identity) UnmarshalText(text []byte) error {
+	did, err := w3c.ParseDID(string(text))
+	if err != nil {
+		return err
+	}
+	c.w3cDID = did
+	return nil
+}
+
+func (c *Identity) did() *w3c.DID {
+	return c.w3cDID
+}
diff --git a/internal/api/connections_test.go b/internal/api/connections_test.go
index f8ac170d7..be1566848 100644
--- a/internal/api/connections_test.go
+++ b/internal/api/connections_test.go
@@ -257,7 +257,7 @@ func TestServer_DeleteConnection(t *testing.T) {
 		OtherIdentifier: userDID2.String(),
 		Expiration:      0,
 		Version:         0,
-		RevNonce:        0,
+		RevNonce:        1,
 		CoreClaim:       domain.CoreClaim{},
 		Status:          nil,
 	})
@@ -475,7 +475,7 @@ func TestServer_RevokeConnectionCredentials(t *testing.T) {
 		OtherIdentifier: userDID.String(),
 		Expiration:      0,
 		Version:         0,
-		RevNonce:        0,
+		RevNonce:        1,
 		CoreClaim:       domain.CoreClaim{},
 		Status:          nil,
 	})
diff --git a/internal/api/credentials.go b/internal/api/credentials.go
index 72ca682d9..ae4137f74 100644
--- a/internal/api/credentials.go
+++ b/internal/api/credentials.go
@@ -22,16 +22,24 @@ import (
 
 // DeleteCredential deletes a credential
 func (s *Server) DeleteCredential(ctx context.Context, request DeleteCredentialRequestObject) (DeleteCredentialResponseObject, error) {
+	did, err := w3c.ParseDID(request.Identifier)
+	if err != nil {
+		return DeleteCredential400JSONResponse{N400JSONResponse{Message: err.Error()}}, nil
+	}
+
 	clID, err := uuid.Parse(request.Id)
 	if err != nil {
 		return DeleteCredential400JSONResponse{N400JSONResponse{"invalid claim id"}}, nil
 	}
 
-	err = s.claimService.Delete(ctx, clID)
+	err = s.claimService.Delete(ctx, did, clID)
 	if err != nil {
 		if errors.Is(err, services.ErrCredentialNotFound) {
 			return DeleteCredential400JSONResponse{N400JSONResponse{"The given credential does not exist"}}, nil
 		}
+		if errors.Is(err, services.ErrAuthCredentialCannotBeRevoked) {
+			return DeleteCredential400JSONResponse{N400JSONResponse{Message: "Cannot delete the only remaining authentication credential. An identity must have at least one credential"}}, nil
+		}
 		return DeleteCredential500JSONResponse{N500JSONResponse{"There was an error deleting the credential"}}, nil
 	}
 
@@ -96,6 +104,9 @@ func (s *Server) CreateCredential(ctx context.Context, request CreateCredentialR
 		if errors.Is(err, services.ErrLoadingSchema) {
 			return CreateCredential422JSONResponse{N422JSONResponse{Message: err.Error()}}, nil
 		}
+		if errors.Is(err, repositories.ErrClaimDoesNotExist) {
+			return CreateCredential500JSONResponse{N500JSONResponse{Message: "if this identity has keyType=ETH you must to publish the state first"}}, nil
+		}
 		errs := []error{
 			services.ErrJSONLdContext,
 			services.ErrProcessSchema,
@@ -136,6 +147,11 @@ func (s *Server) RevokeCredential(ctx context.Context, request RevokeCredentialR
 			}}, nil
 		}
 
+		if errors.Is(err, services.ErrAuthCredentialCannotBeRevoked) {
+			return RevokeCredential400JSONResponse{N400JSONResponse{
+				Message: err.Error(),
+			}}, nil
+		}
 		return RevokeCredential500JSONResponse{N500JSONResponse{Message: err.Error()}}, nil
 	}
 	return RevokeCredential202JSONResponse{
diff --git a/internal/api/credentials_test.go b/internal/api/credentials_test.go
index b8cf8e948..d02b4156e 100644
--- a/internal/api/credentials_test.go
+++ b/internal/api/credentials_test.go
@@ -31,25 +31,22 @@ import (
 
 func TestServer_RevokeClaim(t *testing.T) {
 	server := newTestServer(t, nil)
-
-	idStr := "did:polygonid:polygon:mumbai:2qM77fA6NGGWL9QEeb1dv2VA6wz5svcohgv61LZ7wB"
-	identity := &domain.Identity{
-		Identifier: idStr,
-	}
 	fixture := repositories.NewFixture(storage)
-	fixture.CreateIdentity(t, identity)
+	identity, err := server.Services.identity.Create(context.Background(), "http://privado-test", &ports.DIDCreationOptions{Method: core.DIDMethodIden3, Blockchain: core.Privado, Network: core.Main, KeyType: kms.KeyTypeBabyJubJub})
+	require.NoError(t, err)
 
 	idClaim, err := uuid.NewUUID()
 	require.NoError(t, err)
 	nonce := int64(123)
 	revNonce := domain.RevNonceUint64(nonce)
+
 	fixture.CreateClaim(t, &domain.Claim{
 		ID:              idClaim,
-		Identifier:      &idStr,
-		Issuer:          idStr,
+		Identifier:      &identity.Identifier,
+		Issuer:          identity.Identifier,
 		SchemaHash:      "ca938857241db9451ea329256b9c06e5",
-		SchemaURL:       "https://raw.githubusercontent.com/iden3/claim-schema-vocab/main/schemas/json-ld/auth.json-ld",
-		SchemaType:      "AuthBJJCredential",
+		SchemaURL:       "https://raw.githubusercontent.com/iden3/claim-schema-vocab/main/schemas/json/KYCAgeCredential-v3.json",
+		SchemaType:      "KYCAgeCredential",
 		OtherIdentifier: "",
 		Expiration:      0,
 		Version:         0,
@@ -58,17 +55,6 @@ func TestServer_RevokeClaim(t *testing.T) {
 		Status:          nil,
 	})
 
-	query := repositories.ExecQueryParams{
-		Query: `INSERT INTO identity_mts (identifier, type) VALUES 
-                                                    ($1, 0),
-                                                    ($1, 1),
-                                                    ($1, 2),
-                                                    ($1, 3)`,
-		Arguments: []interface{}{idStr},
-	}
-
-	fixture.ExecQuery(t, query)
-
 	handler := getHandler(context.Background(), server)
 
 	type expected struct {
@@ -88,7 +74,7 @@ func TestServer_RevokeClaim(t *testing.T) {
 		{
 			name:  "No auth header",
 			auth:  authWrong,
-			did:   idStr,
+			did:   identity.Identifier,
 			nonce: nonce,
 			expected: expected{
 				httpCode: http.StatusUnauthorized,
@@ -97,7 +83,7 @@ func TestServer_RevokeClaim(t *testing.T) {
 		{
 			name:  "should revoke the credentials",
 			auth:  authOk,
-			did:   idStr,
+			did:   identity.Identifier,
 			nonce: nonce,
 			expected: expected{
 				httpCode: 202,
@@ -109,7 +95,7 @@ func TestServer_RevokeClaim(t *testing.T) {
 		{
 			name:  "should get an error wrong nonce",
 			auth:  authOk,
-			did:   idStr,
+			did:   identity.Identifier,
 			nonce: int64(1231323),
 			expected: expected{
 				httpCode: 404,
@@ -130,6 +116,18 @@ func TestServer_RevokeClaim(t *testing.T) {
 				}},
 			},
 		},
+		{
+			name:  "should get an error - cannot revoke auth credential",
+			auth:  authOk,
+			did:   identity.Identifier,
+			nonce: 0,
+			expected: expected{
+				httpCode: 400,
+				response: RevokeCredential400JSONResponse{N400JSONResponse{
+					Message: "cannot delete the only remaining authentication credential. An identity must have at least one credential",
+				}},
+			},
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			rr := httptest.NewRecorder()
@@ -145,6 +143,10 @@ func TestServer_RevokeClaim(t *testing.T) {
 				var response RevokeCredential202JSONResponse
 				assert.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
 				assert.Equal(t, v.Message, response.Message)
+			case RevokeCredential400JSONResponse:
+				var response RevokeCredential400JSONResponse
+				assert.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+				assert.Equal(t, v.Message, response.Message)
 			case RevokeCredential404JSONResponse:
 				var response RevokeCredential404JSONResponse
 				assert.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
diff --git a/internal/api/identity.go b/internal/api/identity.go
index ac2720506..e93584c35 100644
--- a/internal/api/identity.go
+++ b/internal/api/identity.go
@@ -2,11 +2,13 @@ package api
 
 import (
 	"context"
+	b64 "encoding/base64"
 	"errors"
 	"fmt"
 	"math/big"
 	"slices"
 	"strings"
+	"time"
 
 	core "github.com/iden3/go-iden3-core/v2"
 	"github.com/iden3/go-iden3-core/v2/w3c"
@@ -228,6 +230,9 @@ func (s *Server) GetIdentities(ctx context.Context, request GetIdentitiesRequest
 		})
 	}
 
+	if response == nil {
+		response = make(GetIdentities200JSONResponse, 0)
+	}
 	return response, nil
 }
 
@@ -306,7 +311,87 @@ func (s *Server) GetIdentityDetails(ctx context.Context, request GetIdentityDeta
 		Address:              responseAddress,
 		Balance:              responseBalance,
 		CredentialStatusType: GetIdentityDetailsResponseCredentialStatusType(identity.AuthCoreClaimRevocationStatus.Type),
+		AuthCredentialsIDs:   identity.AuthCredentialsIDs,
 	}
 
 	return response, nil
 }
+
+// CreateAuthCredential is the controller to create an auth credential
+func (s *Server) CreateAuthCredential(ctx context.Context, request CreateAuthCredentialRequestObject) (CreateAuthCredentialResponseObject, error) {
+	did := request.Identifier.w3cDID
+	decodedKeyID, err := b64.StdEncoding.DecodeString(request.Body.KeyID)
+	if err != nil {
+		log.Error(ctx, "decoding base64 key id", "err", err)
+		return CreateAuthCredential400JSONResponse{
+			N400JSONResponse{
+				Message: "error decoding base64 key id",
+			},
+		}, nil
+	}
+
+	var credentialStatusType *verifiable.CredentialStatusType
+	credentialStatusType, err = validateStatusType(common.ToPointer(string(request.Body.CredentialStatusType)))
+	if err != nil {
+		return CreateAuthCredential400JSONResponse{N400JSONResponse{Message: err.Error()}}, nil
+	}
+
+	resolverPrefix, err := common.ResolverPrefix(did)
+	if err != nil {
+		return CreateAuthCredential400JSONResponse{N400JSONResponse{Message: "error parsing did"}}, nil
+	}
+
+	rhsSettings, err := s.networkResolver.GetRhsSettings(ctx, resolverPrefix)
+	if err != nil {
+		return CreateAuthCredential400JSONResponse{N400JSONResponse{Message: "error getting reverse hash service settings"}}, nil
+	}
+
+	if !s.networkResolver.IsCredentialStatusTypeSupported(rhsSettings.Mode, *credentialStatusType) {
+		log.Warn(ctx, "unsupported credential status type", "req", request)
+		return CreateAuthCredential400JSONResponse{N400JSONResponse{Message: fmt.Sprintf("Credential Status Type '%s' is not supported by the issuer", *credentialStatusType)}}, nil
+	}
+
+	var expiration *time.Time
+	if request.Body.Expiration != nil {
+		expiration = common.ToPointer(time.Unix(*request.Body.Expiration, 0))
+	}
+
+	autCredentialID, err := s.identityService.CreateAuthCredential(ctx, request.Identifier.w3cDID, string(decodedKeyID), request.Body.RevNonce, expiration, request.Body.Version, *credentialStatusType)
+	if err != nil {
+		log.Error(ctx, "creating auth credential", "err", err)
+		if errors.Is(err, services.ErrDuplicatedHash) {
+			message := fmt.Sprintf("%s. This means an auth credential was already created with this key", err.Error())
+			return CreateAuthCredential400JSONResponse{
+				N400JSONResponse{
+					Message: message,
+				},
+			}, nil
+		}
+
+		if errors.Is(err, services.ErrInvalidKeyType) {
+			return CreateAuthCredential400JSONResponse{
+				N400JSONResponse{
+					Message: "invalid key type. Only BJJ keys are supported",
+				},
+			}, nil
+		}
+
+		if errors.Is(err, services.ErrKeyNotFound) {
+			return CreateAuthCredential400JSONResponse{
+				N400JSONResponse{
+					Message: "key not found",
+				},
+			}, nil
+		}
+
+		return CreateAuthCredential500JSONResponse{
+			N500JSONResponse{
+				Message: err.Error(),
+			},
+		}, nil
+	}
+
+	return CreateAuthCredential201JSONResponse{
+		Id: autCredentialID,
+	}, nil
+}
diff --git a/internal/api/identity_test.go b/internal/api/identity_test.go
index a8b390a8c..27891dc27 100644
--- a/internal/api/identity_test.go
+++ b/internal/api/identity_test.go
@@ -9,7 +9,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/google/uuid"
 	core "github.com/iden3/go-iden3-core/v2"
+	"github.com/iden3/go-iden3-core/v2/w3c"
 	"github.com/iden3/go-schema-processor/v2/verifiable"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -18,6 +20,7 @@ import (
 	"github.com/polygonid/sh-id-platform/internal/core/domain"
 	"github.com/polygonid/sh-id-platform/internal/core/ports"
 	"github.com/polygonid/sh-id-platform/internal/db/tests"
+	"github.com/polygonid/sh-id-platform/internal/kms"
 	"github.com/polygonid/sh-id-platform/internal/repositories"
 )
 
@@ -95,8 +98,7 @@ func TestServer_CreateIdentity(t *testing.T) {
 					Method     string                               `json:"method"`
 					Network    string                               `json:"network"`
 					Type       CreateIdentityRequestDidMetadataType `json:"type"`
-				}{Blockchain: blockchain, Method: method, Network: network, Type: BJJ}, DisplayName: common.ToPointer("blockchain display name"),
-				CredentialStatusType: &authBJJCredentialStatus,
+				}{Blockchain: blockchain, Method: method, Network: network, Type: BJJ}, DisplayName: common.ToPointer("blockchain display name"), CredentialStatusType: &authBJJCredentialStatus,
 			},
 			expected: expected{
 				httpCode: 201,
@@ -411,6 +413,7 @@ func TestServer_GetIdentityDetails(t *testing.T) {
 				assert.Equal(t, tc.expected.credentialStatusType, verifiable.CredentialStatusType(response.CredentialStatusType))
 				assert.Equal(t, "", *identity.Address)
 				assert.Nil(t, identity.Balance)
+				assert.Len(t, response.AuthCredentialsIDs, 1)
 			}
 		})
 	}
@@ -481,3 +484,140 @@ func TestServer_UpdateIdentity(t *testing.T) {
 		})
 	}
 }
+
+func TestServer_CreateAuthCredential(t *testing.T) {
+	const (
+		method     = "polygonid"
+		blockchain = "polygon"
+		network    = "amoy"
+		BJJ        = "BJJ"
+	)
+	ctx := context.Background()
+
+	server := newTestServer(t, nil)
+	handler := getHandler(ctx, server)
+
+	iden, err := server.Services.identity.Create(ctx, "http://polygon-test", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: network, KeyType: BJJ})
+	require.NoError(t, err)
+	did := iden.Identifier
+
+	issuerDID, err := w3c.ParseDID(did)
+	require.NoError(t, err)
+
+	t.Run("no auth header", func(t *testing.T) {
+		rr := httptest.NewRecorder()
+		req, err := http.NewRequest("POST", fmt.Sprintf("/v2/identities/%s/create-auth-credential", did), tests.JSONBody(t, nil))
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusUnauthorized, rr.Code)
+	})
+
+	t.Run("should create an auth credential with default values", func(t *testing.T) {
+		key, err := server.keyService.Create(ctx, issuerDID, kms.KeyTypeBabyJubJub, uuid.New().String())
+		require.NoError(t, err)
+
+		body := CreateAuthCredentialRequest{
+			KeyID:                key.ID,
+			CredentialStatusType: CreateAuthCredentialRequestCredentialStatusType(verifiable.Iden3commRevocationStatusV1),
+		}
+		rr := httptest.NewRecorder()
+		req, err := http.NewRequest("POST", fmt.Sprintf("/v2/identities/%s/create-auth-credential", did), tests.JSONBody(t, body))
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusCreated, rr.Code)
+		var response CreateAuthCredential201JSONResponse
+		assert.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.NotNil(t, response.Id)
+	})
+
+	t.Run("should get an error - duplicated auth credential", func(t *testing.T) {
+		key, err := server.keyService.Create(ctx, issuerDID, kms.KeyTypeBabyJubJub, uuid.New().String())
+		require.NoError(t, err)
+
+		body := CreateAuthCredentialRequest{
+			KeyID:                key.ID,
+			CredentialStatusType: CreateAuthCredentialRequestCredentialStatusType(verifiable.Iden3commRevocationStatusV1),
+		}
+		rr := httptest.NewRecorder()
+		req, err := http.NewRequest("POST", fmt.Sprintf("/v2/identities/%s/create-auth-credential", did), tests.JSONBody(t, body))
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusCreated, rr.Code)
+
+		body = CreateAuthCredentialRequest{
+			KeyID:                key.ID,
+			CredentialStatusType: CreateAuthCredentialRequestCredentialStatusType(verifiable.Iden3commRevocationStatusV1),
+		}
+		rr = httptest.NewRecorder()
+		req, err = http.NewRequest("POST", fmt.Sprintf("/v2/identities/%s/create-auth-credential", did), tests.JSONBody(t, body))
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusBadRequest, rr.Code)
+		var response CreateAuthCredential400JSONResponse
+		assert.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, "hash already exists. This means an auth credential was already created with this key", response.Message)
+	})
+
+	t.Run("should get an error - credential status type not supported", func(t *testing.T) {
+		key, err := server.keyService.Create(ctx, issuerDID, kms.KeyTypeBabyJubJub, uuid.New().String())
+		require.NoError(t, err)
+
+		body := CreateAuthCredentialRequest{
+			KeyID:                key.ID,
+			CredentialStatusType: CreateAuthCredentialRequestCredentialStatusType(verifiable.Iden3OnchainSparseMerkleTreeProof2023),
+		}
+		rr := httptest.NewRecorder()
+		req, err := http.NewRequest("POST", fmt.Sprintf("/v2/identities/%s/create-auth-credential", did), tests.JSONBody(t, body))
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusBadRequest, rr.Code)
+		var response CreateAuthCredential400JSONResponse
+		assert.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, "Credential Status Type 'Iden3OnchainSparseMerkleTreeProof2023' is not supported by the issuer", response.Message)
+	})
+
+	t.Run("should create an auth credential", func(t *testing.T) {
+		key, err := server.keyService.Create(ctx, issuerDID, kms.KeyTypeBabyJubJub, uuid.New().String())
+		require.NoError(t, err)
+
+		authCredentialExpiration := time.Now().UTC().Unix()
+
+		revNonce, err := common.RandInt64()
+		require.NoError(t, err)
+		body := CreateAuthCredentialRequest{
+			KeyID:                key.ID,
+			CredentialStatusType: CreateAuthCredentialRequestCredentialStatusType(verifiable.Iden3commRevocationStatusV1),
+			RevNonce:             &revNonce,
+			Version:              common.ToPointer[uint32](1),
+			Expiration:           common.ToPointer[int64](authCredentialExpiration),
+		}
+		rr := httptest.NewRecorder()
+		req, err := http.NewRequest("POST", fmt.Sprintf("/v2/identities/%s/create-auth-credential", did), tests.JSONBody(t, body))
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusCreated, rr.Code)
+		var response CreateAuthCredential201JSONResponse
+		assert.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.NotNil(t, response.Id)
+
+		rr = httptest.NewRecorder()
+		req, err = http.NewRequest("GET", fmt.Sprintf("/v2/identities/%s/credentials/%s", did, response.Id), tests.JSONBody(t, nil))
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusOK, rr.Code)
+		var response2 GetCredential200JSONResponse
+		assert.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response2))
+		assert.NotNil(t, response2.Id)
+		status, ok := response2.Vc.CredentialStatus.(map[string]any)
+		require.True(t, ok)
+		assert.Equal(t, float64(revNonce), status["revocationNonce"])
+		assert.Equal(t, string(verifiable.Iden3commRevocationStatusV1), status["type"])
+		assert.Equal(t, authCredentialExpiration, response2.Vc.Expiration.UTC().Unix())
+	})
+}
diff --git a/internal/api/keys.go b/internal/api/keys.go
new file mode 100644
index 000000000..92b34327a
--- /dev/null
+++ b/internal/api/keys.go
@@ -0,0 +1,293 @@
+package api
+
+import (
+	"context"
+	b64 "encoding/base64"
+	"errors"
+
+	"github.com/polygonid/sh-id-platform/internal/common"
+	"github.com/polygonid/sh-id-platform/internal/core/ports"
+	"github.com/polygonid/sh-id-platform/internal/core/services"
+	"github.com/polygonid/sh-id-platform/internal/kms"
+	"github.com/polygonid/sh-id-platform/internal/log"
+	"github.com/polygonid/sh-id-platform/internal/repositories"
+)
+
+// CreateKey is the handler for the POST /keys endpoint.
+func (s *Server) CreateKey(ctx context.Context, request CreateKeyRequestObject) (CreateKeyResponseObject, error) {
+	if string(request.Body.KeyType) != string(KeyKeyTypeBabyjubJub) && string(request.Body.KeyType) != string(KeyKeyTypeSecp256k1) {
+		log.Error(ctx, "invalid key type. babyjujJub and secp256k1 keys are supported")
+		return CreateKey400JSONResponse{
+			N400JSONResponse{
+				Message: "invalid key type. babyjujJub and secp256k1 keys are supported",
+			},
+		}, nil
+	}
+
+	if request.Body.Name == "" {
+		log.Error(ctx, "name is required")
+		return CreateKey400JSONResponse{
+			N400JSONResponse{
+				Message: "name is required",
+			},
+		}, nil
+	}
+
+	keyID, err := s.keyService.Create(ctx, request.Identifier.did(), convertKeyTypeFromRequest(request.Body.KeyType), request.Body.Name)
+	if err != nil {
+		log.Error(ctx, "creating key", "err", err)
+		if errors.Is(err, repositories.ErrDuplicateKeyName) || errors.Is(err, services.ErrDuplicateKeyName) {
+			log.Error(ctx, "duplicate key name", "err", err)
+			return CreateKey400JSONResponse{
+				N400JSONResponse{
+					Message: "duplicate key name",
+				},
+			}, nil
+		}
+		return CreateKey500JSONResponse{
+			N500JSONResponse{
+				Message: err.Error(),
+			},
+		}, nil
+	}
+	return CreateKey201JSONResponse{
+		Id: keyID.ID,
+	}, nil
+}
+
+// UpdateKey is the handler for the PATCH /keys/{keyID} endpoint.
+func (s *Server) UpdateKey(ctx context.Context, request UpdateKeyRequestObject) (UpdateKeyResponseObject, error) {
+	decodedKeyID, err := b64.StdEncoding.DecodeString(request.Id)
+	if err != nil {
+		log.Error(ctx, "the key id can not be decoded from base64", "err", err)
+		return UpdateKey400JSONResponse{
+			N400JSONResponse{
+				Message: "the key id can not be decoded from base64",
+			},
+		}, nil
+	}
+
+	if request.Body.Name == "" {
+		log.Error(ctx, "name is required")
+		return UpdateKey400JSONResponse{
+			N400JSONResponse{
+				Message: "name is required",
+			},
+		}, nil
+	}
+
+	err = s.keyService.Update(ctx, request.Identifier.did(), string(decodedKeyID), request.Body.Name)
+	if err != nil {
+		log.Error(ctx, "updating key", "err", err)
+		if errors.Is(err, services.ErrKeyNotFound) {
+			log.Error(ctx, "key not found", "err", err)
+			return UpdateKey404JSONResponse{
+				N404JSONResponse{
+					Message: "key not found",
+				},
+			}, nil
+		}
+		if errors.Is(err, repositories.ErrDuplicateKeyName) {
+			log.Error(ctx, "duplicate key name", "err", err)
+			return UpdateKey400JSONResponse{
+				N400JSONResponse{
+					Message: "duplicate key name",
+				},
+			}, nil
+		}
+		return UpdateKey500JSONResponse{
+			N500JSONResponse{
+				Message: err.Error(),
+			},
+		}, nil
+	}
+	return UpdateKey200JSONResponse{
+		Message: "key updated",
+	}, nil
+}
+
+// GetKey is the handler for the GET /keys/{keyID} endpoint.
+func (s *Server) GetKey(ctx context.Context, request GetKeyRequestObject) (GetKeyResponseObject, error) {
+	decodedKeyID, err := b64.StdEncoding.DecodeString(request.Id)
+	if err != nil {
+		log.Error(ctx, "the key id can not be decoded from base64", "err", err)
+		return GetKey400JSONResponse{
+			N400JSONResponse{
+				Message: "the key id can not be decoded from base64",
+			},
+		}, nil
+	}
+
+	key, err := s.keyService.Get(ctx, request.Identifier.did(), string(decodedKeyID))
+	if err != nil {
+		log.Error(ctx, "error getting the key", "err", err)
+		if errors.Is(err, services.ErrInvalidKeyType) {
+			return GetKey400JSONResponse{
+				N400JSONResponse{
+					Message: "invalid key type",
+				},
+			}, nil
+		}
+
+		if errors.Is(err, services.ErrKeyNotFound) {
+			return GetKey404JSONResponse{
+				N404JSONResponse{
+					Message: "key not found",
+				},
+			}, nil
+		}
+
+		return GetKey500JSONResponse{
+			N500JSONResponse{
+				Message: err.Error(),
+			},
+		}, nil
+	}
+	encodedKeyID := b64.StdEncoding.EncodeToString([]byte(key.KeyID))
+	return GetKey200JSONResponse{
+		Id:               encodedKeyID,
+		KeyType:          convertKeyTypeToResponse(key.KeyType),
+		PublicKey:        key.PublicKey,
+		IsAuthCredential: key.HasAssociatedAuthCredential,
+		Name:             key.Name,
+	}, nil
+}
+
+// GetKeys is the handler for the GET /keys endpoint.
+func (s *Server) GetKeys(ctx context.Context, request GetKeysRequestObject) (GetKeysResponseObject, error) {
+	const (
+		defaultMaxResults = 50
+		defaultPage       = 1
+		minimumMaxResults = 10
+	)
+	filter := ports.KeyFilter{
+		MaxResults: defaultMaxResults,
+		Page:       defaultPage,
+	}
+
+	if request.Params.Type != nil {
+		if string(*request.Params.Type) != string(KeyKeyTypeBabyjubJub) && string(*request.Params.Type) != string(KeyKeyTypeSecp256k1) {
+			log.Error(ctx, "invalid key type. babyjubJub and secp256k1 keys are supported")
+			return GetKeys400JSONResponse{
+				N400JSONResponse{
+					Message: "invalid key type. babyjubJub and secp256k1 keys are supported",
+				},
+			}, nil
+		}
+		if string(*request.Params.Type) == string(KeyKeyTypeBabyjubJub) {
+			filter.KeyType = common.ToPointer(kms.KeyTypeBabyJubJub)
+		} else {
+			filter.KeyType = common.ToPointer(kms.KeyTypeEthereum)
+		}
+	}
+
+	if request.Params.MaxResults != nil {
+		if *request.Params.MaxResults < minimumMaxResults {
+			filter.MaxResults = minimumMaxResults
+		} else {
+			filter.MaxResults = *request.Params.MaxResults
+		}
+	}
+
+	if request.Params.Page != nil {
+		filter.Page = *request.Params.Page
+	}
+
+	keys, total, err := s.keyService.GetAll(ctx, request.Identifier.did(), filter)
+	if err != nil {
+		log.Error(ctx, "getting keys", "err", err)
+		return GetKeys500JSONResponse{
+			N500JSONResponse{
+				Message: err.Error(),
+			},
+		}, nil
+	}
+
+	items := make([]Key, 0)
+	for _, key := range keys {
+		encodedKeyID := b64.StdEncoding.EncodeToString([]byte(key.KeyID))
+		items = append(items, Key{
+			Id:               encodedKeyID,
+			KeyType:          convertKeyTypeToResponse(key.KeyType),
+			PublicKey:        key.PublicKey,
+			IsAuthCredential: key.HasAssociatedAuthCredential,
+			Name:             key.Name,
+		})
+	}
+	return GetKeys200JSONResponse{
+		Items: items,
+		Meta: PaginatedMetadata{
+			Page:       filter.Page,
+			MaxResults: filter.MaxResults,
+			Total:      total,
+		},
+	}, nil
+}
+
+// DeleteKey is the handler for the DELETE /keys/{keyID} endpoint.
+func (s *Server) DeleteKey(ctx context.Context, request DeleteKeyRequestObject) (DeleteKeyResponseObject, error) {
+	decodedKeyID, err := b64.StdEncoding.DecodeString(request.Id)
+	if err != nil {
+		log.Error(ctx, "the key id can not be decoded from base64", "err", err)
+		return DeleteKey400JSONResponse{
+			N400JSONResponse{
+				Message: "the key id can not be decoded from base64",
+			},
+		}, nil
+	}
+
+	err = s.keyService.Delete(ctx, request.Identifier.did(), string(decodedKeyID))
+	if err != nil {
+		if errors.Is(err, services.ErrAuthCredentialNotRevoked) {
+			log.Error(ctx, "delete key. Auth credential not revoked", "err", err)
+			return DeleteKey400JSONResponse{
+				N400JSONResponse{
+					Message: "associated auth credential is not revoked",
+				},
+			}, nil
+		}
+
+		if errors.Is(err, services.ErrKeyAssociatedWithIdentity) {
+			log.Error(ctx, "delete key. Key associated with identity", "err", err)
+			return DeleteKey400JSONResponse{
+				N400JSONResponse{
+					Message: "key is associated with an identity",
+				},
+			}, nil
+		}
+
+		if errors.Is(err, services.ErrKeyNotFound) {
+			log.Error(ctx, "key not found", "err", err)
+			return DeleteKey404JSONResponse{
+				N404JSONResponse{
+					Message: "key not found",
+				},
+			}, nil
+		}
+
+		log.Error(ctx, "deleting key", "err", err)
+		return DeleteKey500JSONResponse{
+			N500JSONResponse{
+				Message: err.Error(),
+			},
+		}, nil
+	}
+
+	return DeleteKey200JSONResponse{
+		Message: "key deleted",
+	}, nil
+}
+
+func convertKeyTypeToResponse(keyType kms.KeyType) KeyKeyType {
+	if keyType == "BJJ" {
+		return KeyKeyTypeBabyjubJub
+	}
+	return KeyKeyTypeSecp256k1
+}
+
+func convertKeyTypeFromRequest(keyType CreateKeyRequestKeyType) kms.KeyType {
+	if string(keyType) == string(KeyKeyTypeBabyjubJub) {
+		return "BJJ"
+	}
+	return "ETH"
+}
diff --git a/internal/api/keys_test.go b/internal/api/keys_test.go
new file mode 100644
index 000000000..ab534ff6b
--- /dev/null
+++ b/internal/api/keys_test.go
@@ -0,0 +1,702 @@
+package api
+
+import (
+	"context"
+	b64 "encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/ethereum/go-ethereum/common/hexutil"
+	"github.com/iden3/go-iden3-core/v2/w3c"
+	"github.com/iden3/go-schema-processor/v2/verifiable"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/polygonid/sh-id-platform/internal/core/ports"
+	"github.com/polygonid/sh-id-platform/internal/db/tests"
+	"github.com/polygonid/sh-id-platform/internal/kms"
+)
+
+func TestServer_CreateKey(t *testing.T) {
+	const (
+		method     = "iden3"
+		blockchain = "privado"
+		network    = "main"
+		BJJ        = "BJJ"
+		ETH        = "ETH"
+	)
+	ctx := context.Background()
+	server := newTestServer(t, nil)
+
+	iden, err := server.Services.identity.Create(ctx, "http://issuer-node", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: network, KeyType: BJJ})
+	require.NoError(t, err)
+	did, err := w3c.ParseDID(iden.Identifier)
+	require.NoError(t, err)
+
+	idenETH, err := server.Services.identity.Create(ctx, "http://issuer-node", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: network, KeyType: ETH})
+	require.NoError(t, err)
+	didETH, err := w3c.ParseDID(idenETH.Identifier)
+	require.NoError(t, err)
+
+	handler := getHandler(ctx, server)
+
+	type expected struct {
+		response CreateKeyResponseObject
+		httpCode int
+	}
+
+	type testConfig struct {
+		name     string
+		auth     func() (string, string)
+		did      string
+		body     CreateKeyRequest
+		expected expected
+	}
+
+	for _, tc := range []testConfig{
+		{
+			name: "no auth header",
+			did:  did.String(),
+			auth: authWrong,
+			expected: expected{
+				httpCode: http.StatusUnauthorized,
+			},
+		},
+		{
+			name: "should create a bjj key",
+			auth: authOk,
+			did:  did.String(),
+			body: CreateKeyRequest{
+				KeyType: CreateKeyRequestKeyType(KeyKeyTypeBabyjubJub),
+				Name:    "my-bjj-key",
+			},
+			expected: expected{
+				httpCode: http.StatusCreated,
+			},
+		},
+		{
+			name: "should get an error",
+			auth: authOk,
+			did:  did.String(),
+			body: CreateKeyRequest{
+				KeyType: "wrong type",
+			},
+			expected: expected{
+				httpCode: http.StatusBadRequest,
+				response: CreateKey400JSONResponse{
+					N400JSONResponse: N400JSONResponse{
+						Message: "invalid key type. babyjujJub and secp256k1 keys are supported",
+					},
+				},
+			},
+		},
+		{
+			name: "should get an error - empty name",
+			auth: authOk,
+			did:  did.String(),
+			body: CreateKeyRequest{
+				KeyType: CreateKeyRequestKeyType(KeyKeyTypeBabyjubJub),
+				Name:    "",
+			},
+			expected: expected{
+				httpCode: http.StatusBadRequest,
+				response: CreateKey400JSONResponse{
+					N400JSONResponse: N400JSONResponse{
+						Message: "name is required",
+					},
+				},
+			},
+		},
+		{
+			name: "should create an eth key",
+			auth: authOk,
+			did:  didETH.String(),
+			body: CreateKeyRequest{
+				KeyType: CreateKeyRequestKeyType(KeyKeyTypeSecp256k1),
+				Name:    "my-eth-key",
+			},
+			expected: expected{
+				httpCode: http.StatusCreated,
+			},
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			rr := httptest.NewRecorder()
+			url := fmt.Sprintf("/v2/identities/%s/keys", tc.did)
+			req, err := http.NewRequest(http.MethodPost, url, tests.JSONBody(t, tc.body))
+			req.SetBasicAuth(tc.auth())
+			require.NoError(t, err)
+			handler.ServeHTTP(rr, req)
+			require.Equal(t, tc.expected.httpCode, rr.Code)
+
+			switch tc.expected.httpCode {
+			case http.StatusCreated:
+				var response CreateKey201JSONResponse
+				require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+				assert.NotNil(t, response.Id)
+			case http.StatusBadRequest:
+				var response CreateKey400JSONResponse
+				require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+				assert.EqualValues(t, tc.expected.response, response)
+			}
+		})
+	}
+}
+
+func TestServer_GetKey(t *testing.T) {
+	const (
+		method     = "iden3"
+		blockchain = "privado"
+		network    = "main"
+		BJJ        = "BJJ"
+	)
+	ctx := context.Background()
+	server := newTestServer(t, nil)
+
+	iden, err := server.Services.identity.Create(ctx, "polygon-test", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: network, KeyType: BJJ})
+	require.NoError(t, err)
+	did, err := w3c.ParseDID(iden.Identifier)
+	require.NoError(t, err)
+
+	keyID, err := server.keyService.Create(ctx, did, kms.KeyTypeBabyJubJub, "my-key")
+	require.NoError(t, err)
+
+	handler := getHandler(ctx, server)
+
+	type expected struct {
+		response GetKeyResponseObject
+		httpCode int
+	}
+
+	type testConfig struct {
+		name     string
+		auth     func() (string, string)
+		KeyID    string
+		expected expected
+	}
+
+	for _, tc := range []testConfig{
+		{
+			name:  "no auth header",
+			auth:  authWrong,
+			KeyID: keyID.ID,
+			expected: expected{
+				httpCode: http.StatusUnauthorized,
+			},
+		},
+		{
+			name:  "should get a key",
+			auth:  authOk,
+			KeyID: keyID.ID,
+			expected: expected{
+				httpCode: http.StatusOK,
+			},
+		},
+		{
+			name:  "should get an error",
+			auth:  authOk,
+			KeyID: "123",
+			expected: expected{
+				httpCode: http.StatusBadRequest,
+				response: GetKey400JSONResponse{
+					N400JSONResponse: N400JSONResponse{
+						Message: "the key id can not be decoded from base64",
+					},
+				},
+			},
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			rr := httptest.NewRecorder()
+			url := fmt.Sprintf("/v2/identities/%s/keys/%s", did, tc.KeyID)
+			req, err := http.NewRequest(http.MethodGet, url, nil)
+			req.SetBasicAuth(tc.auth())
+			require.NoError(t, err)
+			handler.ServeHTTP(rr, req)
+			require.Equal(t, tc.expected.httpCode, rr.Code)
+
+			switch tc.expected.httpCode {
+			case http.StatusCreated:
+				var response GetKey200JSONResponse
+				require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+				assert.NotNil(t, response.Id)
+				assert.Equal(t, keyID, response.Id)
+				assert.NotNil(t, response.PublicKey)
+				assert.Equal(t, KeyKeyTypeBabyjubJub, response.KeyType)
+				assert.False(t, response.IsAuthCredential)
+				assert.True(t, "my-key" == response.Name)
+			case http.StatusBadRequest:
+				var response GetKey400JSONResponse
+				require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+				assert.EqualValues(t, tc.expected.response, response)
+			}
+		})
+	}
+}
+
+func TestServer_GetKeys(t *testing.T) {
+	const (
+		method     = "iden3"
+		blockchain = "privado"
+		network    = "main"
+		BJJ        = "BJJ"
+		ETH        = "ETH"
+	)
+	ctx := context.Background()
+	server := newTestServer(t, nil)
+
+	iden, err := server.Services.identity.Create(ctx, "http://issuer-node", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: network, KeyType: BJJ})
+	require.NoError(t, err)
+	did, err := w3c.ParseDID(iden.Identifier)
+	require.NoError(t, err)
+
+	idenETH, err := server.Services.identity.Create(ctx, "http://issuer-node", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: network, KeyType: ETH})
+	require.NoError(t, err)
+	didETH, err := w3c.ParseDID(idenETH.Identifier)
+	require.NoError(t, err)
+
+	handler := getHandler(ctx, server)
+
+	keys, err := keyStore.KeysByIdentity(ctx, *did)
+	require.NoError(t, err)
+	assert.Len(t, keys, 1)
+	pubKey, err := keyStore.PublicKey(keys[0])
+	require.NoError(t, err)
+	publicKey := hexutil.Encode(pubKey)
+
+	t.Run("should get an error", func(t *testing.T) {
+		rr := httptest.NewRecorder()
+		url := fmt.Sprintf("/v2/identities/%s/keys", did)
+		req, err := http.NewRequest(http.MethodGet, url, nil)
+		req.SetBasicAuth(authWrong())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusUnauthorized, rr.Code)
+	})
+
+	t.Run("should get the keys for bjj identity", func(t *testing.T) {
+		rr := httptest.NewRecorder()
+		url := fmt.Sprintf("/v2/identities/%s/keys", did)
+		req, err := http.NewRequest(http.MethodGet, url, nil)
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusOK, rr.Code)
+
+		var response GetKeys200JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, uint(1), response.Meta.Total)
+		assert.Equal(t, uint(50), response.Meta.MaxResults)
+		assert.Equal(t, uint(1), response.Meta.Page)
+		assert.Equal(t, 1, countAuthCredentials(t, response.Items))
+	})
+
+	t.Run("should get the keys for bjj identity with pagination", func(t *testing.T) {
+		for i := 0; i < 20; i++ {
+			name := fmt.Sprintf("z-key-%s", string('A'+rune(i+1)))
+			_, err = server.keyService.Create(ctx, did, kms.KeyTypeBabyJubJub, name)
+			require.NoError(t, err)
+		}
+
+		rr := httptest.NewRecorder()
+		url := fmt.Sprintf("/v2/identities/%s/keys?max_results=11&page=1", did)
+		req, err := http.NewRequest(http.MethodGet, url, nil)
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusOK, rr.Code)
+
+		var response GetKeys200JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, uint(21), response.Meta.Total)
+		assert.Equal(t, uint(11), response.Meta.MaxResults)
+		assert.Equal(t, uint(1), response.Meta.Page)
+
+		rr = httptest.NewRecorder()
+		url = fmt.Sprintf("/v2/identities/%s/keys?max_results=11&page=2", did)
+		req, err = http.NewRequest(http.MethodGet, url, nil)
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusOK, rr.Code)
+
+		var response1 GetKeys200JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response1))
+		assert.Equal(t, uint(21), response1.Meta.Total)
+		assert.Equal(t, uint(11), response1.Meta.MaxResults)
+		assert.Equal(t, uint(2), response1.Meta.Page)
+
+		all := append(response.Items, response1.Items...)
+		assert.Equal(t, 1, countAuthCredentials(t, all))
+
+		// Check that the keys are sorted by name
+		for i, key := range all {
+			assert.Equal(t, string(KeyKeyTypeBabyjubJub), string(key.KeyType))
+			if i != 0 {
+				assert.Equal(t, fmt.Sprintf("z-key-%s", string('A'+rune(i))), key.Name)
+			} else {
+				assert.Equal(t, publicKey, key.Name)
+			}
+		}
+	})
+
+	t.Run("should get the keys for eth identity", func(t *testing.T) {
+		rr := httptest.NewRecorder()
+		url := fmt.Sprintf("/v2/identities/%s/keys", didETH)
+		req, err := http.NewRequest(http.MethodGet, url, nil)
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusOK, rr.Code)
+
+		var response GetKeys200JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, uint(2), response.Meta.Total)
+		assert.Equal(t, uint(50), response.Meta.MaxResults)
+		assert.Equal(t, uint(1), response.Meta.Page)
+
+		assert.Equal(t, 2, countAuthCredentials(t, response.Items))
+	})
+
+	t.Run("should get the keys for eth identity with pagination", func(t *testing.T) {
+		for i := 0; i < 20; i++ {
+			_, err = server.keyService.Create(ctx, didETH, kms.KeyTypeBabyJubJub, fmt.Sprintf("my-key-%d", i))
+			require.NoError(t, err)
+		}
+
+		rr := httptest.NewRecorder()
+		url := fmt.Sprintf("/v2/identities/%s/keys?max_results=15&page=1", didETH)
+		req, err := http.NewRequest(http.MethodGet, url, nil)
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusOK, rr.Code)
+
+		var response GetKeys200JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, uint(22), response.Meta.Total)
+		assert.Equal(t, uint(15), response.Meta.MaxResults)
+		assert.Equal(t, uint(1), response.Meta.Page)
+
+		rr = httptest.NewRecorder()
+		url = fmt.Sprintf("/v2/identities/%s/keys?max_results=15&page=2", didETH)
+		req, err = http.NewRequest(http.MethodGet, url, nil)
+		req.SetBasicAuth(authOk())
+		require.NoError(t, err)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusOK, rr.Code)
+
+		var response1 GetKeys200JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response1))
+		assert.Equal(t, uint(22), response1.Meta.Total)
+		assert.Equal(t, uint(15), response1.Meta.MaxResults)
+		assert.Equal(t, uint(2), response1.Meta.Page)
+
+		all := append(response.Items, response1.Items...)
+		assert.Equal(t, 2, countAuthCredentials(t, all))
+	})
+}
+
+func countAuthCredentials(t *testing.T, keys []Key) int {
+	t.Helper()
+	count := 0
+	for _, key := range keys {
+		if key.IsAuthCredential {
+			count++
+		}
+	}
+	return count
+}
+
+func TestServer_DeleteKey(t *testing.T) {
+	const (
+		method     = "iden3"
+		blockchain = "privado"
+		network    = "main"
+		BJJ        = "BJJ"
+		ETH        = "ETH"
+	)
+	ctx := context.Background()
+	server := newTestServer(t, nil)
+
+	iden, err := server.Services.identity.Create(ctx, "polygon-test", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: network, KeyType: BJJ})
+	require.NoError(t, err)
+	did, err := w3c.ParseDID(iden.Identifier)
+	require.NoError(t, err)
+
+	idenETH, err := server.Services.identity.Create(ctx, "polygon-test", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: network, KeyType: ETH})
+	require.NoError(t, err)
+	didETH, err := w3c.ParseDID(idenETH.Identifier)
+	require.NoError(t, err)
+
+	idenETHKeys, _, err := server.keyService.GetAll(ctx, didETH, ports.KeyFilter{MaxResults: 10, Page: 1})
+	require.NoError(t, err)
+	assert.Equal(t, len(idenETHKeys), 2)
+
+	idenETHBJJKey := ""
+	idenETHETHKey := ""
+	if idenETHKeys[0].KeyType == kms.KeyTypeBabyJubJub {
+		idenETHBJJKey = idenETHKeys[0].KeyID
+		idenETHETHKey = idenETHKeys[1].KeyID
+	} else {
+		idenETHBJJKey = idenETHKeys[1].KeyID
+		idenETHETHKey = idenETHKeys[0].KeyID
+	}
+
+	keyETHIDToDelete, err := server.keyService.Create(ctx, didETH, kms.KeyTypeEthereum, "key-eth-to-delete")
+	require.NoError(t, err)
+
+	keyID, err := server.keyService.Create(ctx, did, kms.KeyTypeBabyJubJub, "key-bjj-to-delete")
+	require.NoError(t, err)
+
+	keyIDForAuthCoreClaimID, err := server.keyService.Create(ctx, did, kms.KeyTypeBabyJubJub, "key-bjj-for-auth-core-claim-id")
+	require.NoError(t, err)
+
+	keyIDForAuthCoreClaimIDASByteArr, err := b64.StdEncoding.DecodeString(keyIDForAuthCoreClaimID.ID)
+	require.NoError(t, err)
+
+	_, err = server.Services.identity.CreateAuthCredential(ctx, did, string(keyIDForAuthCoreClaimIDASByteArr), nil, nil, nil, verifiable.Iden3commRevocationStatusV1)
+	require.NoError(t, err)
+
+	handler := getHandler(ctx, server)
+
+	type expected struct {
+		response DeleteKeyResponseObject
+		httpCode int
+	}
+
+	type testConfig struct {
+		name     string
+		did      string
+		auth     func() (string, string)
+		KeyID    string
+		expected expected
+	}
+
+	for _, tc := range []testConfig{
+		{
+			name:  "no auth header",
+			auth:  authWrong,
+			did:   did.String(),
+			KeyID: keyID.ID,
+			expected: expected{
+				httpCode: http.StatusUnauthorized,
+			},
+		},
+		{
+			name:  "should delete the bjj key",
+			auth:  authOk,
+			did:   did.String(),
+			KeyID: keyID.ID,
+			expected: expected{
+				httpCode: http.StatusOK,
+			},
+		},
+		{
+			name:  "should delete the eth key",
+			auth:  authOk,
+			did:   didETH.String(),
+			KeyID: keyETHIDToDelete.ID,
+			expected: expected{
+				httpCode: http.StatusOK,
+			},
+		},
+		{
+			name:  "should get an error - wrong keyID",
+			auth:  authOk,
+			did:   did.String(),
+			KeyID: "123",
+			expected: expected{
+				httpCode: http.StatusBadRequest,
+				response: DeleteKey400JSONResponse{
+					N400JSONResponse: N400JSONResponse{
+						Message: "the key id can not be decoded from base64",
+					},
+				},
+			},
+		},
+		{
+			name:  "should get an error - associated auth credential is not revoked",
+			auth:  authOk,
+			did:   did.String(),
+			KeyID: keyIDForAuthCoreClaimID.ID,
+			expected: expected{
+				httpCode: http.StatusBadRequest,
+				response: DeleteKey400JSONResponse{
+					N400JSONResponse: N400JSONResponse{
+						Message: "associated auth credential is not revoked",
+					},
+				},
+			},
+		},
+		{
+			name:  "should get an error key is associated with an identity",
+			auth:  authOk,
+			did:   didETH.String(),
+			KeyID: b64.StdEncoding.EncodeToString([]byte(idenETHETHKey)),
+			expected: expected{
+				httpCode: http.StatusBadRequest,
+				response: DeleteKey400JSONResponse{
+					N400JSONResponse: N400JSONResponse{
+						Message: "key is associated with an identity",
+					},
+				},
+			},
+		},
+		{
+			name:  "should get an error associated auth credential is not revoked ",
+			auth:  authOk,
+			did:   didETH.String(),
+			KeyID: b64.StdEncoding.EncodeToString([]byte(idenETHBJJKey)),
+			expected: expected{
+				httpCode: http.StatusBadRequest,
+				response: DeleteKey400JSONResponse{
+					N400JSONResponse: N400JSONResponse{
+						Message: "associated auth credential is not revoked",
+					},
+				},
+			},
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			rr := httptest.NewRecorder()
+			url := fmt.Sprintf("/v2/identities/%s/keys/%s", tc.did, tc.KeyID)
+			req, err := http.NewRequest(http.MethodDelete, url, nil)
+			req.SetBasicAuth(tc.auth())
+			require.NoError(t, err)
+			handler.ServeHTTP(rr, req)
+			require.Equal(t, tc.expected.httpCode, rr.Code)
+
+			switch tc.expected.httpCode {
+			case http.StatusCreated:
+				var response DeleteKey200JSONResponse
+				require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+			case http.StatusBadRequest:
+				var response DeleteKey400JSONResponse
+				require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+				assert.EqualValues(t, tc.expected.response, response)
+			}
+		})
+	}
+}
+
+func TestServer_UpdateKey(t *testing.T) {
+	const (
+		method     = "iden3"
+		blockchain = "privado"
+		network    = "main"
+		BJJ        = "BJJ"
+	)
+	ctx := context.Background()
+	server := newTestServer(t, nil)
+
+	iden, err := server.Services.identity.Create(ctx, "http://issuer-node", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: network, KeyType: BJJ})
+	require.NoError(t, err)
+	did, err := w3c.ParseDID(iden.Identifier)
+	require.NoError(t, err)
+
+	handler := getHandler(ctx, server)
+
+	t.Run("should get an error - no auth header", func(t *testing.T) {
+		rr := httptest.NewRecorder()
+		url := fmt.Sprintf("/v2/identities/%s/keys/%s", did, "123")
+		req, err := http.NewRequest(http.MethodPatch, url, tests.JSONBody(t, nil))
+		require.NoError(t, err)
+		req.SetBasicAuth(authWrong())
+
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusUnauthorized, rr.Code)
+	})
+
+	t.Run("should get an error - wrong keyID", func(t *testing.T) {
+		url := fmt.Sprintf("/v2/identities/%s/keys/%s", did, "123123")
+		req, err := http.NewRequest(http.MethodPatch, url, tests.JSONBody(t, nil))
+		require.NoError(t, err)
+		req.SetBasicAuth(authOk())
+
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusBadRequest, rr.Code)
+
+		var response UpdateKey400JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, "the key id can not be decoded from base64", response.Message)
+	})
+
+	t.Run("should update a key", func(t *testing.T) {
+		keyID, err := server.keyService.Create(ctx, did, kms.KeyTypeBabyJubJub, "my-key")
+		require.NoError(t, err)
+
+		rr := httptest.NewRecorder()
+		url := fmt.Sprintf("/v2/identities/%s/keys/%s", did, keyID.ID)
+		req, err := http.NewRequest(http.MethodPatch, url, tests.JSONBody(t, UpdateKeyJSONRequestBody{
+			Name: "new-name",
+		}))
+		require.NoError(t, err)
+		req.SetBasicAuth(authOk())
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusOK, rr.Code)
+		var response UpdateKey200JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, "key updated", response.Message)
+	})
+
+	t.Run("should get an error - duplicate key name", func(t *testing.T) {
+		keyID, err := server.keyService.Create(ctx, did, kms.KeyTypeBabyJubJub, "my-key")
+		require.NoError(t, err)
+		rr := httptest.NewRecorder()
+		url := fmt.Sprintf("/v2/identities/%s/keys/%s", did, keyID.ID)
+		req, err := http.NewRequest(http.MethodPatch, url, tests.JSONBody(t, UpdateKeyJSONRequestBody{
+			Name: "new-name",
+		}))
+		require.NoError(t, err)
+		req.SetBasicAuth(authOk())
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusBadRequest, rr.Code)
+		var response UpdateKey400JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, "duplicate key name", response.Message)
+	})
+
+	t.Run("should get an error - name is required", func(t *testing.T) {
+		keyID, err := server.keyService.Create(ctx, did, kms.KeyTypeBabyJubJub, "my-key-to-not-update")
+		require.NoError(t, err)
+		rr := httptest.NewRecorder()
+		url := fmt.Sprintf("/v2/identities/%s/keys/%s", did, keyID.ID)
+		req, err := http.NewRequest(http.MethodPatch, url, tests.JSONBody(t, UpdateKeyJSONRequestBody{
+			Name: "",
+		}))
+		require.NoError(t, err)
+		req.SetBasicAuth(authOk())
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusBadRequest, rr.Code)
+		var response UpdateKey400JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, "name is required", response.Message)
+	})
+
+	t.Run("should get an error - key not found", func(t *testing.T) {
+		keyID, err := server.keyService.Create(ctx, did, kms.KeyTypeBabyJubJub, "my-key-to-not-update-2")
+		require.NoError(t, err)
+
+		decodedKeyID, err := b64.StdEncoding.DecodeString(keyID.ID)
+		require.NoError(t, err)
+
+		require.NoError(t, server.keyService.Delete(ctx, did, string(decodedKeyID)))
+		rr := httptest.NewRecorder()
+		url := fmt.Sprintf("/v2/identities/%s/keys/%s", did, keyID.ID)
+		req, err := http.NewRequest(http.MethodPatch, url, tests.JSONBody(t, UpdateKeyJSONRequestBody{
+			Name: "new-name",
+		}))
+		require.NoError(t, err)
+		req.SetBasicAuth(authOk())
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusNotFound, rr.Code)
+		var response UpdateKey404JSONResponse
+		require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
+		assert.Equal(t, "key not found", response.Message)
+	})
+}
diff --git a/internal/api/main_test.go b/internal/api/main_test.go
index f3d220023..cd247e899 100644
--- a/internal/api/main_test.go
+++ b/internal/api/main_test.go
@@ -229,7 +229,7 @@ func NewLinkMock() ports.LinkService {
 type repos struct {
 	claims         ports.ClaimRepository
 	connection     ports.ConnectionRepository
-	identity       ports.IndentityRepository
+	identity       ports.IdentityRepository
 	idenMerkleTree ports.IdentityMerkleTreeRepository
 	identityState  ports.IdentityStateRepository
 	links          ports.LinkRepository
@@ -238,6 +238,7 @@ type repos struct {
 	sessions       ports.SessionRepository
 	revocation     ports.RevocationRepository
 	displayMethod  ports.DisplayMethodRepository
+	keyRepository  ports.KeyRepository
 }
 
 type servicex struct {
@@ -248,6 +249,7 @@ type servicex struct {
 	payments      ports.PaymentService
 	qrs           ports.QrStoreService
 	displayMethod ports.DisplayMethodService
+	keyService    ports.KeyService
 }
 
 type infra struct {
@@ -279,6 +281,7 @@ func newTestServer(t *testing.T, st *db.Storage) *testServer {
 		schemas:        repositories.NewSchema(*st),
 		revocation:     repositories.NewRevocation(),
 		displayMethod:  repositories.NewDisplayMethod(*st),
+		keyRepository:  repositories.NewKey(*st),
 	}
 
 	pubSub := pubsub.NewMock()
@@ -346,7 +349,7 @@ func newTestServer(t *testing.T, st *db.Storage) *testServer {
 	mtService := services.NewIdentityMerkleTrees(repos.idenMerkleTree)
 	qrService := services.NewQrStoreService(cachex)
 	rhsFactory := reversehash.NewFactory(*networkResolver, reversehash.DefaultRHSTimeOut)
-	identityService := services.NewIdentity(keyStore, repos.identity, repos.idenMerkleTree, repos.identityState, mtService, qrService, repos.claims, repos.revocation, repos.connection, st, nil, repos.sessions, pubSub, *networkResolver, rhsFactory, revocationStatusResolver)
+	identityService := services.NewIdentity(keyStore, repos.identity, repos.idenMerkleTree, repos.identityState, mtService, qrService, repos.claims, repos.revocation, repos.connection, st, nil, repos.sessions, pubSub, *networkResolver, rhsFactory, revocationStatusResolver, repos.keyRepository)
 	connectionService := services.NewConnection(repos.connection, repos.claims, st)
 	schemaService := services.NewSchema(repos.schemas, schemaLoader)
 	paymentService := services.NewPaymentService(repos.payments, *networkResolver, schemaService, paymentSettings, keyStore)
@@ -363,7 +366,8 @@ func newTestServer(t *testing.T, st *db.Storage) *testServer {
 	accountService := services.NewAccountService(*networkResolver)
 	linkService := services.NewLinkService(storage, claimsService, qrService, repos.claims, repos.links, repos.schemas, schemaLoader, repos.sessions, pubSub, identityService, *networkResolver, cfg.UniversalLinks)
 	displayMethodService := services.NewDisplayMethod(repos.displayMethod)
-	server := NewServer(&cfg, identityService, accountService, connectionService, claimsService, qrService, NewPublisherMock(), NewPackageManagerMock(), *networkResolver, nil, schemaService, linkService, paymentService, displayMethodService)
+	keyService := services.NewKey(keyStore, claimsService, repos.keyRepository)
+	server := NewServer(&cfg, identityService, accountService, connectionService, claimsService, qrService, NewPublisherMock(), NewPackageManagerMock(), *networkResolver, nil, schemaService, linkService, displayMethodService, keyService, paymentService)
 
 	return &testServer{
 		Server: server,
@@ -376,6 +380,7 @@ func newTestServer(t *testing.T, st *db.Storage) *testServer {
 			qrs:           qrService,
 			schema:        schemaService,
 			displayMethod: displayMethodService,
+			keyService:    keyService,
 		},
 		Infra: infra{
 			db:     st,
diff --git a/internal/api/networks_test.go b/internal/api/networks_test.go
index ccd1e12a9..889f68e20 100644
--- a/internal/api/networks_test.go
+++ b/internal/api/networks_test.go
@@ -43,7 +43,7 @@ func TestServer_GetSupportedNetworks(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			rr := httptest.NewRecorder()
 
-			req, err := http.NewRequest("GET", "/v2/supported-networks", nil)
+			req, err := http.NewRequest(http.MethodGet, "/v2/supported-networks", nil)
 			req.SetBasicAuth(tc.auth())
 			require.NoError(t, err)
 			handler.ServeHTTP(rr, req)
@@ -52,14 +52,7 @@ func TestServer_GetSupportedNetworks(t *testing.T) {
 			if tc.expected.httpCode == http.StatusOK {
 				var response GetSupportedNetworks200JSONResponse
 				assert.NoError(t, json.Unmarshal(rr.Body.Bytes(), &response))
-				assert.Equal(t, 1, len(response))
-				assert.Equal(t, "polygon", response[0].Blockchain)
-				assert.Equal(t, []NetworkData{
-					{
-						Name:             "amoy",
-						CredentialStatus: []string{"Iden3commRevocationStatusV1.0"},
-					},
-				}, response[0].Networks)
+				assert.Equal(t, 2, len(response))
 			}
 		})
 	}
diff --git a/internal/api/server.go b/internal/api/server.go
index e8d85dc10..ebc41877c 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -31,10 +31,11 @@ type Server struct {
 	schemaService        ports.SchemaService
 	paymentService       ports.PaymentService
 	displayMethodService ports.DisplayMethodService
+	keyService           ports.KeyService
 }
 
 // NewServer is a Server constructor
-func NewServer(cfg *config.Configuration, identityService ports.IdentityService, accountService ports.AccountService, connectionsService ports.ConnectionService, claimsService ports.ClaimService, qrService ports.QrStoreService, publisherGateway ports.Publisher, packageManager *iden3comm.PackageManager, networkResolver network.Resolver, health *health.Status, schemaService ports.SchemaService, linkService ports.LinkService, paymentService ports.PaymentService, displayMethodService ports.DisplayMethodService) *Server {
+func NewServer(cfg *config.Configuration, identityService ports.IdentityService, accountService ports.AccountService, connectionsService ports.ConnectionService, claimsService ports.ClaimService, qrService ports.QrStoreService, publisherGateway ports.Publisher, packageManager *iden3comm.PackageManager, networkResolver network.Resolver, health *health.Status, schemaService ports.SchemaService, linkService ports.LinkService, displayMethodService ports.DisplayMethodService, keyService ports.KeyService, paymentService ports.PaymentService) *Server {
 	return &Server{
 		cfg:                  cfg,
 		accountService:       accountService,
@@ -48,8 +49,9 @@ func NewServer(cfg *config.Configuration, identityService ports.IdentityService,
 		packageManager:       packageManager,
 		qrService:            qrService,
 		schemaService:        schemaService,
-		paymentService:       paymentService,
 		displayMethodService: displayMethodService,
+		keyService:           keyService,
+		paymentService:       paymentService,
 	}
 }
 
diff --git a/internal/common/read_file.go b/internal/common/read_file.go
index c5d00344f..bc880f5b3 100644
--- a/internal/common/read_file.go
+++ b/internal/common/read_file.go
@@ -51,6 +51,28 @@ func CreateFile(t *testing.T) *MyYAMLReader {
       contractAddress: 0x3d3763eC0a50CE1AdF83d0b5D99FBE0e3fEB43fb
       chainID: 80002
       publishingKey: pbkey
+
+privado:
+  main:
+    contractAddress: 0x3C9acB2205Aa72A05F6D77d708b5Cf85FCa3a896
+    networkURL: https://rpc-mainnet.privado.id
+    defaultGasLimit: 600000
+    confirmationTimeout: 10s
+    confirmationBlockCount: 5
+    receiptTimeout: 600s
+    minGasPrice: 0
+    maxGasPrice: 1000000
+    rpcResponseTimeout: 5s
+    waitReceiptCycleTime: 30s
+    waitBlockCycleTime: 30s
+    gasLess: false
+    rhsSettings:
+      mode: None
+      contractAddress: 0x7dF78ED37d0B39Ffb6d4D527Bb1865Bf85B60f81
+      rhsUrl: https://rhs-staging.polygonid.me
+      chainID: 21000
+      publishingKey: pbkey
+
 `)
 
 	reader := NewMyYAMLReader(yamlData)
diff --git a/internal/core/domain/claim.go b/internal/core/domain/claim.go
index affff5665..f9c617a69 100644
--- a/internal/core/domain/claim.go
+++ b/internal/core/domain/claim.go
@@ -241,3 +241,8 @@ func (c *Claim) GetCredentialStatus() (*verifiable.CredentialStatus, error) {
 	}
 	return cStatus, nil
 }
+
+// EqualToSchemaHash returns true if the claim has the same schema hash
+func (c *Claim) EqualToSchemaHash(schemaHash string) bool {
+	return c.SchemaHash == schemaHash
+}
diff --git a/internal/core/domain/identity.go b/internal/core/domain/identity.go
index a2c0af758..948549bee 100644
--- a/internal/core/domain/identity.go
+++ b/internal/core/domain/identity.go
@@ -32,6 +32,7 @@ type Identity struct {
 	Address                       *string                       `json:"address"`
 	Balance                       *big.Int                      `json:"balance"`
 	AuthCoreClaimRevocationStatus AuthCoreClaimRevocationStatus `json:"authCoreClaimRevocationStatus"`
+	AuthCredentialsIDs            []string                      `json:"authCredentialsIDs"`
 }
 
 // IdentityDisplayName struct
diff --git a/internal/core/domain/key.go b/internal/core/domain/key.go
new file mode 100644
index 000000000..ca23add9b
--- /dev/null
+++ b/internal/core/domain/key.go
@@ -0,0 +1,53 @@
+package domain
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/iden3/go-iden3-core/v2/w3c"
+
+	"github.com/polygonid/sh-id-platform/internal/common"
+)
+
+// KeyCoreDID is a DID type for keys
+type KeyCoreDID w3c.DID
+
+// Key is a key domain model
+type Key struct {
+	ID        uuid.UUID  `json:"id"`
+	IssuerDID KeyCoreDID `json:"issuer_did"`
+	PublicKey string     `json:"public_key"`
+	Name      string     `json:"name"`
+	CreatedAt time.Time  `json:"created_at"`
+}
+
+// NewKey creates a new Key
+func NewKey(issuerDID w3c.DID, publicKey, name string) *Key {
+	return &Key{
+		ID:        uuid.New(),
+		IssuerDID: KeyCoreDID(issuerDID),
+		PublicKey: publicKey,
+		Name:      name,
+		CreatedAt: time.Now(),
+	}
+}
+
+// IssuerCoreDID returns the issuer DID as a w3c.DID pointer
+func (key *Key) IssuerCoreDID() *w3c.DID {
+	return common.ToPointer(w3c.DID(key.IssuerDID))
+}
+
+// Scan implements the sql.Scanner interface
+func (keydid *KeyCoreDID) Scan(value interface{}) error {
+	didStr, ok := value.(string)
+	if !ok {
+		return fmt.Errorf("invalid value type, expected string")
+	}
+	did, err := w3c.ParseDID(didStr)
+	if err != nil {
+		return err
+	}
+	*keydid = KeyCoreDID(*did)
+	return nil
+}
diff --git a/internal/core/ports/claim_repository.go b/internal/core/ports/claim_repository.go
index 8b5ec454a..bbd2f6f8a 100644
--- a/internal/core/ports/claim_repository.go
+++ b/internal/core/ports/claim_repository.go
@@ -20,6 +20,7 @@ type ClaimRepository interface {
 	GetByRevocationNonce(ctx context.Context, conn db.Querier, identifier *w3c.DID, revocationNonce domain.RevNonceUint64) ([]*domain.Claim, error)
 	GetByIdAndIssuer(ctx context.Context, conn db.Querier, identifier *w3c.DID, claimID uuid.UUID) (*domain.Claim, error)
 	FindOneClaimBySchemaHash(ctx context.Context, conn db.Querier, subject *w3c.DID, schemaHash string) (*domain.Claim, error)
+	FindClaimsBySchemaHash(ctx context.Context, conn db.Querier, subject *w3c.DID, schemaHash string) ([]*domain.Claim, error)
 	GetAllByIssuerID(ctx context.Context, conn db.Querier, identifier w3c.DID, filter *ClaimsFilter) ([]*domain.Claim, uint, error)
 	GetNonRevokedByConnectionAndIssuerID(ctx context.Context, conn db.Querier, connID uuid.UUID, issuerID w3c.DID) ([]*domain.Claim, error)
 	GetAllByState(ctx context.Context, conn db.Querier, did *w3c.DID, state *merkletree.Hash) (claims []domain.Claim, err error)
@@ -31,4 +32,5 @@ type ClaimRepository interface {
 	GetClaimsIssuedForUser(ctx context.Context, conn db.Querier, identifier w3c.DID, userDID w3c.DID, linkID uuid.UUID) ([]*domain.Claim, error)
 	GetClaimsOfAConnection(ctx context.Context, conn db.Querier, identifier w3c.DID, userDID w3c.DID) ([]*domain.Claim, error)
 	GetByStateIDWithMTPProof(ctx context.Context, conn db.Querier, did *w3c.DID, state string) (claims []*domain.Claim, err error)
+	GetAuthCoreClaims(ctx context.Context, conn db.Querier, identifier *w3c.DID, schemaHash string) ([]*domain.Claim, error)
 }
diff --git a/internal/core/ports/claim_service.go b/internal/core/ports/claim_service.go
index 73264e40f..eed92d523 100644
--- a/internal/core/ports/claim_service.go
+++ b/internal/core/ports/claim_service.go
@@ -225,6 +225,8 @@ type ClaimService interface {
 	GetAuthClaim(ctx context.Context, did *w3c.DID) (*domain.Claim, error)
 	GetAuthClaimForPublishing(ctx context.Context, did *w3c.DID, state string) (*domain.Claim, error)
 	UpdateClaimsMTPAndState(ctx context.Context, currentState *domain.IdentityState) error
-	Delete(ctx context.Context, id uuid.UUID) error
+	Delete(ctx context.Context, issuerDID *w3c.DID, id uuid.UUID) error
 	GetByStateIDWithMTPProof(ctx context.Context, did *w3c.DID, state string) ([]*domain.Claim, error)
+	GetAuthCredentials(ctx context.Context, identifier *w3c.DID) ([]*domain.Claim, error)
+	GetAuthCredentialByPublicKey(ctx context.Context, identifier *w3c.DID, pubKey []byte) (*domain.Claim, error)
 }
diff --git a/internal/core/ports/identity_repository.go b/internal/core/ports/identity_repository.go
index 85558cdc2..a1d4beafe 100644
--- a/internal/core/ports/identity_repository.go
+++ b/internal/core/ports/identity_repository.go
@@ -9,8 +9,8 @@ import (
 	"github.com/polygonid/sh-id-platform/internal/db"
 )
 
-// IndentityRepository is the interface implemented by the identity service
-type IndentityRepository interface {
+// IdentityRepository is the interface implemented by the identity service
+type IdentityRepository interface {
 	Save(ctx context.Context, conn db.Querier, identity *domain.Identity) error
 	GetByID(ctx context.Context, conn db.Querier, identifier w3c.DID) (*domain.Identity, error)
 	Get(ctx context.Context, conn db.Querier) (identities []domain.IdentityDisplayName, err error)
diff --git a/internal/core/ports/identity_service.go b/internal/core/ports/identity_service.go
index b3372baa2..c0d179858 100644
--- a/internal/core/ports/identity_service.go
+++ b/internal/core/ports/identity_service.go
@@ -2,6 +2,7 @@ package ports
 
 import (
 	"context"
+	"time"
 
 	"github.com/google/uuid"
 	core "github.com/iden3/go-iden3-core/v2"
@@ -58,4 +59,5 @@ type IdentityService interface {
 	GetFailedState(ctx context.Context, identifier w3c.DID) (*domain.IdentityState, error)
 	PublishGenesisStateToRHS(ctx context.Context, did *w3c.DID) error
 	UpdateIdentityDisplayName(ctx context.Context, did w3c.DID, displayName string) error
+	CreateAuthCredential(ctx context.Context, did *w3c.DID, keyID string, revNonce *uint64, expiration *time.Time, version *uint32, credentialStatusType verifiable.CredentialStatusType) (uuid.UUID, error)
 }
diff --git a/internal/core/ports/key_repository.go b/internal/core/ports/key_repository.go
new file mode 100644
index 000000000..4d11b089e
--- /dev/null
+++ b/internal/core/ports/key_repository.go
@@ -0,0 +1,19 @@
+package ports
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/iden3/go-iden3-core/v2/w3c"
+
+	"github.com/polygonid/sh-id-platform/internal/core/domain"
+	"github.com/polygonid/sh-id-platform/internal/db"
+)
+
+// KeyRepository key repository interface
+type KeyRepository interface {
+	Save(ctx context.Context, conn db.Querier, key *domain.Key) (uuid.UUID, error)
+	GetByPublicKey(ctx context.Context, issuerDID w3c.DID, publicKey string) (*domain.Key, error)
+	Delete(ctx context.Context, issuerDID w3c.DID, publicKey string) error
+	GetByName(ctx context.Context, issuerDID w3c.DID, name string) (*domain.Key, error)
+}
diff --git a/internal/core/ports/key_service.go b/internal/core/ports/key_service.go
new file mode 100644
index 000000000..9cb206eeb
--- /dev/null
+++ b/internal/core/ports/key_service.go
@@ -0,0 +1,34 @@
+package ports
+
+import (
+	"context"
+
+	"github.com/iden3/go-iden3-core/v2/w3c"
+
+	"github.com/polygonid/sh-id-platform/internal/kms"
+)
+
+// KMSKey is the struct that represents a key
+type KMSKey struct {
+	KeyID                       string
+	KeyType                     kms.KeyType
+	PublicKey                   string
+	HasAssociatedAuthCredential bool
+	Name                        string
+}
+
+// KeyFilter is the filter to use when getting keys
+type KeyFilter struct {
+	MaxResults uint // Max number of results to return on each call.
+	Page       uint // Page number to return. First is 1.
+	KeyType    *kms.KeyType
+}
+
+// KeyService is the service that manages keys
+type KeyService interface {
+	Create(ctx context.Context, did *w3c.DID, keyType kms.KeyType, name string) (kms.KeyID, error)
+	Update(ctx context.Context, did *w3c.DID, keyID string, name string) error
+	Get(ctx context.Context, did *w3c.DID, keyID string) (*KMSKey, error)
+	GetAll(ctx context.Context, did *w3c.DID, filter KeyFilter) ([]*KMSKey, uint, error)
+	Delete(ctx context.Context, did *w3c.DID, keyID string) error
+}
diff --git a/internal/core/ports/mediatype_manager.go b/internal/core/ports/mediatype_manager.go
index fc8c83405..391a9ed24 100644
--- a/internal/core/ports/mediatype_manager.go
+++ b/internal/core/ports/mediatype_manager.go
@@ -2,7 +2,7 @@ package ports
 
 import "github.com/iden3/iden3comm/v2"
 
-// MediatypeManager - Define the interface for media type manager
-type MediatypeManager interface {
-	AllowMediaType(protoclMessage iden3comm.ProtocolMessage, mediaType iden3comm.MediaType) bool
+// MediaTypeManager - Define the interface for media type manager
+type MediaTypeManager interface {
+	AllowMediaType(protocolMessage iden3comm.ProtocolMessage, mediaType iden3comm.MediaType) bool
 }
diff --git a/internal/core/services/claims.go b/internal/core/services/claims.go
index a1b44a7c7..78cca5dff 100644
--- a/internal/core/services/claims.go
+++ b/internal/core/services/claims.go
@@ -38,6 +38,7 @@ import (
 	"github.com/polygonid/sh-id-platform/internal/revocationstatus"
 	schemaPkg "github.com/polygonid/sh-id-platform/internal/schema"
 	"github.com/polygonid/sh-id-platform/internal/urn"
+	"github.com/polygonid/sh-id-platform/internal/utils"
 )
 
 var (
@@ -57,6 +58,8 @@ var (
 	ErrUnsupportedDisplayMethodType      = errors.New("unsupported display method type")                               // ErrUnsupportedDisplayMethodType means the display method type is not supported
 	ErrUnsupportedRefreshServiceType     = errors.New("unsupported refresh service type")                              // ErrUnsupportedRefreshServiceType means the refresh service type is not supported
 	ErrWrongCredentialSubjectID          = errors.New("wrong format for credential subject ID")                        // ErrWrongCredentialSubjectID means the credential subject ID is wrong
+	ErrAuthCredentialCannotBeRevoked     = errors.New("cannot delete the only remaining authentication credential. " +
+		"An identity must have at least one credential") // ErrAuthCredentialCannotBeRevoked means the credential cannot be revoked
 )
 
 type claim struct {
@@ -73,11 +76,11 @@ type claim struct {
 	publisher                pubsub.Publisher
 	ipfsClient               *shell.Shell
 	revocationStatusResolver *revocationstatus.Resolver
-	mediatypeManager         ports.MediatypeManager
+	mediatypeManager         ports.MediaTypeManager
 }
 
 // NewClaim creates a new claim service
-func NewClaim(repo ports.ClaimRepository, idenSrv ports.IdentityService, qrService ports.QrStoreService, mtService ports.MtService, identityStateRepository ports.IdentityStateRepository, ld loader.DocumentLoader, storage *db.Storage, host string, ps pubsub.Publisher, ipfsGatewayURL string, revocationStatusResolver *revocationstatus.Resolver, mediatypeManager ports.MediatypeManager, cfg config.UniversalLinks) ports.ClaimService {
+func NewClaim(repo ports.ClaimRepository, idenSrv ports.IdentityService, qrService ports.QrStoreService, mtService ports.MtService, identityStateRepository ports.IdentityStateRepository, ld loader.DocumentLoader, storage *db.Storage, host string, ps pubsub.Publisher, ipfsGatewayURL string, revocationStatusResolver *revocationstatus.Resolver, mediatypeManager ports.MediaTypeManager, cfg config.UniversalLinks) ports.ClaimService {
 	s := &claim{
 		host:                     host,
 		icRepo:                   repo,
@@ -301,8 +304,33 @@ func (c *claim) RevokeAllFromConnection(ctx context.Context, connID uuid.UUID, i
 		})
 }
 
-func (c *claim) Delete(ctx context.Context, id uuid.UUID) error {
-	err := c.icRepo.Delete(ctx, c.storage.Pgx, id)
+func (c *claim) Delete(ctx context.Context, issuerDID *w3c.DID, id uuid.UUID) error {
+	claim, err := c.icRepo.GetByIdAndIssuer(ctx, c.storage.Pgx, issuerDID, id)
+	if err != nil {
+		if errors.Is(err, repositories.ErrClaimDoesNotExist) {
+			return ErrCredentialNotFound
+		}
+		return err
+	}
+
+	claims := make([]*domain.Claim, 1)
+	claims[0] = claim
+
+	authHash, err := core.AuthSchemaHash.MarshalText()
+	if err != nil {
+		return err
+	}
+
+	// check if the nonce can be deleted
+	canBeRevoked, err := c.canRevokeNonce(ctx, issuerDID, c.storage.Pgx, claims, uint64(claim.RevNonce), string(authHash))
+	if err != nil {
+		return fmt.Errorf("error checking if the nonce can be revoked: %w", err)
+	}
+	if !canBeRevoked {
+		return ErrAuthCredentialCannotBeRevoked
+	}
+
+	err = c.icRepo.Delete(ctx, c.storage.Pgx, id)
 	if err != nil {
 		if errors.Is(err, repositories.ErrClaimDoesNotExist) {
 			return ErrCredentialNotFound
@@ -587,7 +615,54 @@ func (c *claim) GetByStateIDWithMTPProof(ctx context.Context, did *w3c.DID, stat
 	return c.icRepo.GetByStateIDWithMTPProof(ctx, c.storage.Pgx, did, state)
 }
 
+// GetAuthCredentials returns the auth credentials for the given identifier
+// The auth credentials are the credentials that are used to sign other credentials
+// The credentials can have mtp proof or not.
+// The credentials are not revoked
+func (c *claim) GetAuthCredentials(ctx context.Context, identifier *w3c.DID) ([]*domain.Claim, error) {
+	authHash, err := core.AuthSchemaHash.MarshalText()
+	if err != nil {
+		return nil, err
+	}
+	return c.icRepo.GetAuthCoreClaims(ctx, c.storage.Pgx, identifier, string(authHash))
+}
+
+// GetAuthCredentialByPublicKey returns the auth credential with the given public key
+func (c *claim) GetAuthCredentialByPublicKey(ctx context.Context, identifier *w3c.DID, publicKey []byte) (*domain.Claim, error) {
+	authCredentials, err := c.GetAuthCredentials(ctx, identifier)
+	if err != nil {
+		log.Error(ctx, "failed to get auth credentials", "err", err)
+		return nil, err
+	}
+	for _, authCredential := range authCredentials {
+		if utils.GetPublicKeyFromClaim(authCredential).Equal(publicKey) {
+			return authCredential, nil
+		}
+	}
+	return nil, nil
+}
+
 func (c *claim) revoke(ctx context.Context, did *w3c.DID, nonce uint64, description string, querier db.Querier) error {
+	authHash, err := core.AuthSchemaHash.MarshalText()
+	if err != nil {
+		return err
+	}
+
+	// get the claims to revoke by nonce
+	claimsToRevoke, err := c.icRepo.GetByRevocationNonce(ctx, querier, did, domain.RevNonceUint64(nonce))
+	if err != nil {
+		log.Error(ctx, "error getting the claim by revocation nonce", "err", err)
+	}
+
+	// check if the nonce can be revoked
+	canBeRevoked, err := c.canRevokeNonce(ctx, did, querier, claimsToRevoke, nonce, string(authHash))
+	if err != nil {
+		return fmt.Errorf("error checking if the nonce can be revoked: %w", err)
+	}
+	if !canBeRevoked {
+		return ErrAuthCredentialCannotBeRevoked
+	}
+
 	rID := new(big.Int).SetUint64(nonce)
 	revocation := domain.Revocation{
 		Identifier:  did.String(),
@@ -637,6 +712,35 @@ func (c *claim) revoke(ctx context.Context, did *w3c.DID, nonce uint64, descript
 	return nil
 }
 
+// canRevokeNonce checks if the nonce can be revoked
+func (c *claim) canRevokeNonce(ctx context.Context, did *w3c.DID, querier db.Querier, claimsToRevoke []*domain.Claim, nonce uint64, authHash string) (bool, error) {
+	checkAuthCredentials := false
+	for _, claim := range claimsToRevoke {
+		if claim.EqualToSchemaHash(authHash) {
+			checkAuthCredentials = true
+			break
+		}
+	}
+
+	canBeRevoked := true
+	if checkAuthCredentials {
+		authCredentials, err := c.icRepo.FindClaimsBySchemaHash(ctx, querier, did, authHash)
+		if err != nil {
+			return false, fmt.Errorf("error getting the auth credentials: %w", err)
+		}
+		if len(authCredentials) == 1 {
+			return false, nil
+		}
+		canBeRevoked = false
+		for _, authCredential := range authCredentials {
+			if authCredential.RevNonce != domain.RevNonceUint64(nonce) {
+				canBeRevoked = true
+			}
+		}
+	}
+	return canBeRevoked, nil
+}
+
 func (c *claim) getRevocationStatus(ctx context.Context, basicMessage *ports.AgentRequest) (*domain.Agent, error) {
 	revData := &protocol.RevocationStatusRequestMessageBody{}
 	err := json.Unmarshal(basicMessage.Body, revData)
diff --git a/internal/core/services/identity.go b/internal/core/services/identity.go
index 0c70dfc91..ba880aeee 100644
--- a/internal/core/services/identity.go
+++ b/internal/core/services/identity.go
@@ -1,7 +1,6 @@
 package services
 
 import (
-	"bytes"
 	"context"
 	"crypto/ecdsa"
 	"encoding/hex"
@@ -12,6 +11,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/ethereum/go-ethereum/common/hexutil"
 	"github.com/ethereum/go-ethereum/crypto"
 	"github.com/google/uuid"
 	auth "github.com/iden3/go-iden3-auth/v2"
@@ -41,6 +41,7 @@ import (
 	"github.com/polygonid/sh-id-platform/internal/reversehash"
 	"github.com/polygonid/sh-id-platform/internal/revocationstatus"
 	"github.com/polygonid/sh-id-platform/internal/urn"
+	"github.com/polygonid/sh-id-platform/internal/utils"
 	"github.com/polygonid/sh-id-platform/pkg/credentials/signature/circuit/signer"
 	"github.com/polygonid/sh-id-platform/pkg/credentials/signature/suite"
 	"github.com/polygonid/sh-id-platform/pkg/credentials/signature/suite/babyjubjub"
@@ -52,7 +53,6 @@ const (
 	authReason      = "authentication"
 )
 
-// ErrWrongDIDMetada - represents an error in the identity metadata
 var (
 	// ErrAssigningMTPProof - represents an error in the identity metadata
 	ErrAssigningMTPProof = errors.New("error assigning the MTP Proof from Auth Claim. If this identity has keyType=ETH you must to publish the state first")
@@ -65,10 +65,19 @@ var (
 
 	// ErrWrongDIDMetada - represents an error in the identity metadata
 	ErrWrongDIDMetada = errors.New("wrong DID Metadata")
+
+	// ErrDuplicatedHash - represents an error saving the claim
+	ErrDuplicatedHash = errors.New("hash already exists")
+
+	// ErrInvalidKeyType - represents an error in the key type
+	ErrInvalidKeyType = errors.New("invalid key type. Only BJJ keys are supported")
+
+	// ErrKeyNotFound - represents an error when the key is not found
+	ErrKeyNotFound = errors.New("key not found")
 )
 
 type identity struct {
-	identityRepository      ports.IndentityRepository
+	identityRepository      ports.IdentityRepository
 	imtRepository           ports.IdentityMerkleTreeRepository
 	identityStateRepository ports.IdentityStateRepository
 	claimsRepository        ports.ClaimRepository
@@ -86,11 +95,12 @@ type identity struct {
 	revocationStatusResolver *revocationstatus.Resolver
 	networkResolver          network.Resolver
 	rhsFactory               reversehash.Factory
+	keyRepository            ports.KeyRepository
 }
 
 // NewIdentity creates a new identity
 // nolint
-func NewIdentity(kms kms.KMSType, identityRepository ports.IndentityRepository, imtRepository ports.IdentityMerkleTreeRepository, identityStateRepository ports.IdentityStateRepository, mtservice ports.MtService, qrService ports.QrStoreService, claimsRepository ports.ClaimRepository, revocationRepository ports.RevocationRepository, connectionsRepository ports.ConnectionRepository, storage *db.Storage, verifier *auth.Verifier, sessionRepository ports.SessionRepository, ps pubsub.Client, networkResolver network.Resolver, rhsFactory reversehash.Factory, revocationStatusResolver *revocationstatus.Resolver) ports.IdentityService {
+func NewIdentity(kms kms.KMSType, identityRepository ports.IdentityRepository, imtRepository ports.IdentityMerkleTreeRepository, identityStateRepository ports.IdentityStateRepository, mtservice ports.MtService, qrService ports.QrStoreService, claimsRepository ports.ClaimRepository, revocationRepository ports.RevocationRepository, connectionsRepository ports.ConnectionRepository, storage *db.Storage, verifier *auth.Verifier, sessionRepository ports.SessionRepository, ps pubsub.Client, networkResolver network.Resolver, rhsFactory reversehash.Factory, revocationStatusResolver *revocationstatus.Resolver, keyRepository ports.KeyRepository) ports.IdentityService {
 	return &identity{
 		identityRepository:       identityRepository,
 		imtRepository:            imtRepository,
@@ -109,11 +119,30 @@ func NewIdentity(kms kms.KMSType, identityRepository ports.IndentityRepository,
 		networkResolver:          networkResolver,
 		rhsFactory:               rhsFactory,
 		revocationStatusResolver: revocationStatusResolver,
+		keyRepository:            keyRepository,
 	}
 }
 
 func (i *identity) GetByDID(ctx context.Context, identifier w3c.DID) (*domain.Identity, error) {
-	return i.identityRepository.GetByID(ctx, i.storage.Pgx, identifier)
+	authHash, err := core.AuthSchemaHash.MarshalText()
+	if err != nil {
+		return nil, err
+	}
+	authCredentials, err := i.claimsRepository.GetAuthCoreClaims(ctx, i.storage.Pgx, &identifier, string(authHash))
+	if err != nil {
+		return nil, err
+	}
+
+	identity, err := i.identityRepository.GetByID(ctx, i.storage.Pgx, identifier)
+	if err != nil {
+		return nil, err
+	}
+
+	identity.AuthCredentialsIDs = make([]string, len(authCredentials))
+	for i, authCredential := range authCredentials {
+		identity.AuthCredentialsIDs[i] = authCredential.ID.String()
+	}
+	return identity, nil
 }
 
 func (i *identity) Create(ctx context.Context, hostURL string, didOptions *ports.DIDCreationOptions) (*domain.Identity, error) {
@@ -152,7 +181,7 @@ func (i *identity) Create(ctx context.Context, hostURL string, didOptions *ports
 }
 
 func (i *identity) SignClaimEntry(ctx context.Context, authClaim *domain.Claim, claimEntry *core.Claim) (*verifiable.BJJSignatureProof2021, error) {
-	keyID, err := i.getKeyIDFromAuthClaim(ctx, authClaim)
+	keyID, err := i.GetKeyIDFromAuthClaim(ctx, authClaim)
 	if err != nil {
 		return nil, err
 	}
@@ -209,50 +238,6 @@ func (i *identity) Exists(ctx context.Context, identifier w3c.DID) (bool, error)
 	return identity != nil, nil
 }
 
-// getKeyIDFromAuthClaim finds BJJ KeyID of auth claim
-// in registered key providers
-func (i *identity) getKeyIDFromAuthClaim(ctx context.Context, authClaim *domain.Claim) (kms.KeyID, error) {
-	var keyID kms.KeyID
-
-	if authClaim.Identifier == nil {
-		return keyID, errors.New("identifier is empty in auth claim")
-	}
-
-	identity, err := w3c.ParseDID(*authClaim.Identifier)
-	if err != nil {
-		return keyID, err
-	}
-
-	entry := authClaim.CoreClaim.Get()
-	bjjClaim := entry.RawSlotsAsInts()
-
-	var publicKey babyjub.PublicKey
-	publicKey.X, publicKey.Y = bjjClaim[2], bjjClaim[3]
-
-	compPubKey := publicKey.Compress()
-
-	keyIDs, err := i.kms.KeysByIdentity(ctx, *identity)
-	if err != nil {
-		return keyID, err
-	}
-
-	for _, keyID = range keyIDs {
-		if keyID.Type != kms.KeyTypeBabyJubJub {
-			continue
-		}
-
-		pubKeyBytes, err := i.kms.PublicKey(keyID)
-		if err != nil {
-			return keyID, err
-		}
-		if bytes.Equal(pubKeyBytes, compPubKey[:]) {
-			return keyID, nil
-		}
-	}
-
-	return keyID, errors.New("private key not found")
-}
-
 // Get - returns all the identities
 func (i *identity) Get(ctx context.Context) (identities []domain.IdentityDisplayName, err error) {
 	return i.identityRepository.Get(ctx, i.storage.Pgx)
@@ -289,15 +274,6 @@ func (i *identity) GetKeyIDFromAuthClaim(ctx context.Context, authClaim *domain.
 		return keyID, err
 	}
 
-	entry := authClaim.CoreClaim.Get()
-	bjjClaim := entry.RawSlotsAsInts()
-
-	var publicKey babyjub.PublicKey
-	publicKey.X = bjjClaim[2]
-	publicKey.Y = bjjClaim[3]
-
-	compPubKey := publicKey.Compress()
-
 	keyIDs, err := i.kms.KeysByIdentity(ctx, *identity)
 	if err != nil {
 		return keyID, err
@@ -312,12 +288,14 @@ func (i *identity) GetKeyIDFromAuthClaim(ctx context.Context, authClaim *domain.
 		if err != nil {
 			return keyID, err
 		}
-		if bytes.Equal(pubKeyBytes, compPubKey[:]) {
+
+		if utils.GetPublicKeyFromClaim(authClaim).Equal(pubKeyBytes) {
+			log.Info(ctx, "key found", "keyID", keyID)
 			return keyID, nil
 		}
 	}
 
-	return keyID, errors.New("private key not found")
+	return keyID, errors.New("keyID not found")
 }
 
 func (i *identity) UpdateState(ctx context.Context, did w3c.DID) (*domain.IdentityState, error) {
@@ -674,6 +652,12 @@ func (i *identity) createEthIdentity(ctx context.Context, tx db.Querier, hostURL
 		return nil, nil, err
 	}
 
+	ethPublicKey, err := i.kms.PublicKey(key)
+	if err != nil {
+		log.Error(ctx, "getting eth public key", "err", err)
+		return nil, nil, err
+	}
+
 	identity, did, err := i.createEthIdentityFromKeyID(ctx, mts, &key, didOptions, tx)
 	if err != nil {
 		return nil, nil, err
@@ -719,7 +703,7 @@ func (i *identity) createEthIdentity(ctx context.Context, tx db.Querier, hostURL
 		return nil, nil, err
 	}
 
-	authClaimModel, err := i.authClaimToModel(ctx, did, identity, authClaim, claimsTree, bjjPubKey, hostURL, didOptions.AuthCredentialStatus, false)
+	authClaimModel, err := i.authClaimToModel(ctx, did, identity, authClaim, claimsTree, bjjPubKey, didOptions.AuthCredentialStatus, false)
 	if err != nil {
 		log.Error(ctx, "auth claim to model", "err", err)
 		return nil, nil, err
@@ -730,6 +714,19 @@ func (i *identity) createEthIdentity(ctx context.Context, tx db.Querier, hostURL
 		return nil, nil, errors.Join(err, errors.New("can't save auth claim"))
 	}
 
+	defaultBJJKey := domain.NewKey(*did, utils.GetPublicKeyFromClaim(authClaimModel).String(), utils.GetPublicKeyFromClaim(authClaimModel).String())
+	_, err = i.keyRepository.Save(ctx, tx, defaultBJJKey)
+	if err != nil {
+		return nil, nil, fmt.Errorf("can't save default key: %w", err)
+	}
+
+	defaultETHKey := domain.NewKey(*did, hexutil.Encode(ethPublicKey), hexutil.Encode(ethPublicKey))
+	_, err = i.keyRepository.Save(ctx, tx, defaultETHKey)
+	if err != nil {
+		log.Error(ctx, "saving default eth key", "err", err)
+		return nil, nil, fmt.Errorf("can't save default eth key: %w", err)
+	}
+
 	return did, identity.State.TreeState().State.BigInt(), nil
 }
 
@@ -781,7 +778,7 @@ func (i *identity) createIdentity(ctx context.Context, tx db.Querier, hostURL st
 		return nil, nil, err
 	}
 
-	authClaimModel, err := i.authClaimToModel(ctx, did, identity, authClaim, claimsTree, pubKey, hostURL, didOptions.AuthCredentialStatus, true)
+	authClaimModel, err := i.authClaimToModel(ctx, did, identity, authClaim, claimsTree, pubKey, didOptions.AuthCredentialStatus, true)
 	if err != nil {
 		log.Error(ctx, "auth claim to model", "err", err)
 		return nil, nil, err
@@ -799,6 +796,12 @@ func (i *identity) createIdentity(ctx context.Context, tx db.Querier, hostURL st
 		return nil, nil, fmt.Errorf("can't save identity: %w", err)
 	}
 
+	defaultKey := domain.NewKey(*did, utils.GetPublicKeyFromClaim(authClaimModel).String(), utils.GetPublicKeyFromClaim(authClaimModel).String())
+	_, err = i.keyRepository.Save(ctx, tx, defaultKey)
+	if err != nil {
+		return nil, nil, fmt.Errorf("can't save default key: %w", err)
+	}
+
 	resolverPrefix, err := common.ResolverPrefix(did)
 	if err != nil {
 		log.Error(ctx, "getting resolver prefix", "err", err)
@@ -851,6 +854,99 @@ func (i *identity) createIdentity(ctx context.Context, tx db.Querier, hostURL st
 	return did, identity.State.TreeState().State.BigInt(), nil
 }
 
+// CreateAuthCredential creates a new auth credential
+func (i *identity) CreateAuthCredential(ctx context.Context, did *w3c.DID, keyID string, revNonce *uint64, expiration *time.Time, version *uint32, credentialStatusType verifiable.CredentialStatusType) (uuid.UUID, error) {
+	var err error
+	if revNonce == nil {
+		generatedRevNonce, err := common.RandInt64()
+		if err != nil {
+			log.Error(ctx, "generating revocation nonce", "err", err)
+			return uuid.Nil, fmt.Errorf("can't generate revocation nonce: %w", err)
+		}
+		revNonce = &generatedRevNonce
+	}
+
+	if version == nil {
+		version = common.ToPointer[uint32](0)
+	}
+
+	var newAuthCoreClaimID uuid.UUID
+
+	var keyType kms.KeyType
+	if strings.Contains(keyID, "BJJ") {
+		keyType = kms.KeyTypeBabyJubJub
+	} else {
+		return uuid.Nil, ErrInvalidKeyType
+	}
+
+	kmsKeyID := kms.KeyID{
+		ID:   keyID,
+		Type: keyType,
+	}
+	err = i.storage.Pgx.BeginFunc(ctx,
+		func(tx pgx.Tx) error {
+			identity, err := i.identityRepository.GetByID(ctx, tx, *did)
+			if err != nil {
+				return err
+			}
+
+			exists, err := i.kms.Exists(ctx, kmsKeyID)
+			if err != nil {
+				return err
+			}
+			if !exists {
+				return ErrKeyNotFound
+			}
+
+			bjjPubKey, err := bjjPubKey(i.kms, kmsKeyID)
+			if err != nil {
+				return err
+			}
+
+			authClaim, err := newAuthClaim(bjjPubKey)
+			if err != nil {
+				return errors.Join(err, errors.New("can't create auth claim"))
+			}
+
+			authClaim.SetRevocationNonce(*revNonce)
+			authClaim.SetVersion(*version)
+			if expiration != nil {
+				authClaim.SetExpirationDate(*expiration)
+			}
+
+			// get identity merkle trees
+			mts, err := i.mtService.GetIdentityMerkleTrees(ctx, tx, did)
+			if err != nil {
+				return fmt.Errorf("can't create identity markle tree: %w", err)
+			}
+
+			claimsTree, err := mts.ClaimsTree()
+			if err != nil {
+				return err
+			}
+
+			authClaimModel, err := i.authClaimToModel(ctx, did, identity, authClaim, claimsTree, bjjPubKey, credentialStatusType, false)
+			if err != nil {
+				log.Error(ctx, "auth claim to model", "err", err)
+				return err
+			}
+
+			newAuthCoreClaimID, err = i.claimsRepository.Save(ctx, tx, authClaimModel)
+			if err != nil {
+				if strings.Contains(err.Error(), "claims_identifier_issuer_index_hash_key") {
+					return ErrDuplicatedHash
+				}
+				return errors.Join(err, errors.New("can't save auth claim"))
+			}
+			return nil
+		})
+	if err != nil {
+		return uuid.Nil, err
+	}
+
+	return newAuthCoreClaimID, nil
+}
+
 func (i *identity) createEthIdentityFromKeyID(ctx context.Context, mts *domain.IdentityMerkleTrees, key *kms.KeyID, didOptions *ports.DIDCreationOptions, tx db.Querier) (*domain.Identity, *w3c.DID, error) {
 	pubKey, err := ethPubKey(ctx, i.kms, *key)
 	if err != nil {
@@ -995,6 +1091,7 @@ func (i *identity) GetFailedState(ctx context.Context, identifier w3c.DID) (*dom
 	return nil, nil
 }
 
+// TODO: remove this method. is not used
 func (i *identity) PublishGenesisStateToRHS(ctx context.Context, did *w3c.DID) error {
 	identity, err := i.identityRepository.GetByID(ctx, i.storage.Pgx, *did)
 	if err != nil {
@@ -1125,7 +1222,7 @@ func (i *identity) addGenesisClaimsToTree(ctx context.Context,
 	return identity, did, nil
 }
 
-func (i *identity) authClaimToModel(ctx context.Context, did *w3c.DID, identity *domain.Identity, authClaim *core.Claim, claimsTree *merkletree.MerkleTree, pubKey *babyjub.PublicKey, hostURL string, status verifiable.CredentialStatusType, isAuthInGenesis bool) (*domain.Claim, error) {
+func (i *identity) authClaimToModel(ctx context.Context, did *w3c.DID, identity *domain.Identity, authClaim *core.Claim, claimsTree *merkletree.MerkleTree, pubKey *babyjub.PublicKey, status verifiable.CredentialStatusType, isAuthInGenesis bool) (*domain.Claim, error) {
 	authClaimData := make(map[string]interface{})
 	authClaimData["x"] = pubKey.X.String()
 	authClaimData["y"] = pubKey.Y.String()
diff --git a/internal/core/services/identity_test.go b/internal/core/services/identity_test.go
index 850f994ec..30d529edb 100644
--- a/internal/core/services/identity_test.go
+++ b/internal/core/services/identity_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 	"time"
 
+	core "github.com/iden3/go-iden3-core/v2"
 	"github.com/iden3/go-iden3-core/v2/w3c"
 	"github.com/iden3/go-schema-processor/v2/verifiable"
 	"github.com/iden3/iden3comm/v2"
@@ -44,6 +45,10 @@ func Test_identity_CreateIdentity(t *testing.T) {
 	revocationRepository := repositories.NewRevocation()
 	mtService := NewIdentityMerkleTrees(mtRepo)
 	connectionsRepository := repositories.NewConnection()
+	keyRepository := repositories.NewKey(*storage)
+
+	claimService := NewClaim(claimsRepo, nil, nil, mtService, identityStateRepo, docLoader, storage, cfg.ServerUrl, pubsub.NewMock(), ipfsGateway, nil, nil, cfg.UniversalLinks)
+	keyService := NewKey(keyStore, claimService, keyRepository)
 
 	reader := common.CreateFile(t)
 	networkResolver, err := network.NewResolver(ctx, cfg, keyStore, reader)
@@ -51,7 +56,7 @@ func Test_identity_CreateIdentity(t *testing.T) {
 
 	rhsFactory := reversehash.NewFactory(*networkResolver, reversehash.DefaultRHSTimeOut)
 	revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver)
+	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver, keyRepository)
 
 	type testConfig struct {
 		name            string
@@ -99,6 +104,27 @@ func Test_identity_CreateIdentity(t *testing.T) {
 				} else {
 					t.Errorf("invalid key type")
 				}
+
+				DID, err := w3c.ParseDID(identity.Identifier)
+				require.NoError(t, err)
+				isEthID, address, err := common.CheckEthIdentityByDID(DID)
+				require.NoError(t, err)
+				if tc.options.KeyType == ETH {
+					assert.True(t, isEthID)
+					assert.Equal(t, address, *identity.Address)
+				} else {
+					assert.False(t, isEthID)
+				}
+
+				allKeys, total, err := keyService.GetAll(ctx, DID, ports.KeyFilter{MaxResults: 10, Page: 1})
+				require.NoError(t, err)
+				if tc.options.KeyType == ETH {
+					assert.Equal(t, uint(2), total)
+					assert.Equal(t, 2, len(allKeys))
+				} else {
+					assert.Equal(t, uint(1), total)
+					assert.Equal(t, 1, len(allKeys))
+				}
 			}
 		})
 	}
@@ -113,6 +139,7 @@ func Test_identity_CreateIdentityWithRHSNone(t *testing.T) {
 	revocationRepository := repositories.NewRevocation()
 	mtService := NewIdentityMerkleTrees(mtRepo)
 	connectionsRepository := repositories.NewConnection()
+	keyRepository := repositories.NewKey(*storage)
 
 	reader := common.CreateFile(t)
 	networkResolver, err := network.NewResolver(ctx, cfg, keyStore, reader)
@@ -131,7 +158,7 @@ func Test_identity_CreateIdentityWithRHSNone(t *testing.T) {
 		}).Return(rhsPublishers, nil)
 
 		revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver)
+		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver, keyRepository)
 		identity, err := identityService.Create(ctx, cfg.ServerUrl, &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ})
 		assert.NoError(t, err)
 		assert.NotNil(t, identity.Identifier)
@@ -158,7 +185,7 @@ func Test_identity_CreateIdentityWithRHSNone(t *testing.T) {
 		}).Return(rhsPublishers, nil)
 
 		revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver)
+		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver, keyRepository)
 		_, err := identityService.Create(ctx, cfg.ServerUrl, &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ})
 		assert.Error(t, err)
 		rhsPublisherReverseHashServiceMock.AssertNumberOfCalls(t, "PublishNodesToRHS", 1)
@@ -167,7 +194,7 @@ func Test_identity_CreateIdentityWithRHSNone(t *testing.T) {
 	t.Run("should create ETH identity with RHS", func(t *testing.T) {
 		rhsFactoryMock := reversehash.NewMockFactory(t)
 		revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver)
+		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver, keyRepository)
 		identity, err := identityService.Create(ctx, cfg.ServerUrl, &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: ETH})
 		assert.NoError(t, err)
 		assert.NotNil(t, identity.Identifier)
@@ -195,7 +222,7 @@ func Test_identity_CreateIdentityWithRHSNone(t *testing.T) {
 		}).Return(rhsPublishers, nil)
 
 		revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver)
+		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver, keyRepository)
 		identity, err := identityService.Create(ctx, cfg.ServerUrl, &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ})
 		assert.NoError(t, err)
 		assert.NotNil(t, identity.Identifier)
@@ -223,7 +250,7 @@ func Test_identity_CreateIdentityWithRHSNone(t *testing.T) {
 		}).Return(rhsPublishers, nil)
 
 		revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver)
+		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver, keyRepository)
 		identity, err := identityService.Create(ctx, cfg.ServerUrl, &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ, AuthCredentialStatus: verifiable.Iden3commRevocationStatusV1})
 		assert.NoError(t, err)
 		assert.NotNil(t, identity.Identifier)
@@ -247,6 +274,7 @@ func Test_identity_CreateIdentityWithRHSOffChain(t *testing.T) {
 	revocationRepository := repositories.NewRevocation()
 	mtService := NewIdentityMerkleTrees(mtRepo)
 	connectionsRepository := repositories.NewConnection()
+	keyRepository := repositories.NewKey(*storage)
 
 	reader := common.CreateFileWithRHSOffChain(t)
 	networkResolver, err := network.NewResolver(ctx, cfg, keyStore, reader)
@@ -265,7 +293,7 @@ func Test_identity_CreateIdentityWithRHSOffChain(t *testing.T) {
 		}).Return(rhsPublishers, nil)
 
 		revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver)
+		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver, keyRepository)
 		identity, err := identityService.Create(ctx, cfg.ServerUrl, &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ})
 		assert.NoError(t, err)
 		assert.NotNil(t, identity.Identifier)
@@ -292,7 +320,7 @@ func Test_identity_CreateIdentityWithRHSOffChain(t *testing.T) {
 		}).Return(rhsPublishers, nil)
 
 		revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver)
+		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver, keyRepository)
 		_, err := identityService.Create(ctx, cfg.ServerUrl, &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ})
 		assert.Error(t, err)
 		rhsPublisherReverseHashServiceMock.AssertNumberOfCalls(t, "PublishNodesToRHS", 1)
@@ -301,7 +329,7 @@ func Test_identity_CreateIdentityWithRHSOffChain(t *testing.T) {
 	t.Run("should create ETH identity with RHS", func(t *testing.T) {
 		rhsFactoryMock := reversehash.NewMockFactory(t)
 		revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver)
+		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver, keyRepository)
 		identity, err := identityService.Create(ctx, cfg.ServerUrl, &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: ETH})
 		assert.NoError(t, err)
 		assert.NotNil(t, identity.Identifier)
@@ -329,7 +357,7 @@ func Test_identity_CreateIdentityWithRHSOffChain(t *testing.T) {
 		}).Return(rhsPublishers, nil)
 
 		revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver)
+		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver, keyRepository)
 		identity, err := identityService.Create(ctx, cfg.ServerUrl, &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ})
 		assert.NoError(t, err)
 		assert.NotNil(t, identity.Identifier)
@@ -357,7 +385,7 @@ func Test_identity_CreateIdentityWithRHSOffChain(t *testing.T) {
 		}).Return(rhsPublishers, nil)
 
 		revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver)
+		identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactoryMock, revocationStatusResolver, keyRepository)
 		identity, err := identityService.Create(ctx, cfg.ServerUrl, &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ, AuthCredentialStatus: verifiable.Iden3ReverseSparseMerkleTreeProof})
 		assert.NoError(t, err)
 		assert.NotNil(t, identity.Identifier)
@@ -381,6 +409,7 @@ func Test_identity_UpdateState(t *testing.T) {
 	revocationRepository := repositories.NewRevocation()
 	mtService := NewIdentityMerkleTrees(mtRepo)
 	connectionsRepository := repositories.NewConnection()
+	keyRepository := repositories.NewKey(*storage)
 
 	reader := common.CreateFile(t)
 	networkResolver, err := network.NewResolver(ctx, cfg, keyStore, reader)
@@ -388,7 +417,7 @@ func Test_identity_UpdateState(t *testing.T) {
 
 	rhsFactory := reversehash.NewFactory(*networkResolver, reversehash.DefaultRHSTimeOut)
 	revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver)
+	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver, keyRepository)
 
 	mediaTypeManager := NewMediaTypeManager(
 		map[iden3comm.ProtocolMessage][]string{
@@ -574,6 +603,7 @@ func Test_identity_GetByDID(t *testing.T) {
 	revocationRepository := repositories.NewRevocation()
 	mtService := NewIdentityMerkleTrees(mtRepo)
 	connectionsRepository := repositories.NewConnection()
+	keyRepository := repositories.NewKey(*storage)
 
 	reader := common.CreateFile(t)
 	networkResolver, err := network.NewResolver(ctx, cfg, keyStore, reader)
@@ -581,7 +611,7 @@ func Test_identity_GetByDID(t *testing.T) {
 
 	rhsFactory := reversehash.NewFactory(*networkResolver, reversehash.DefaultRHSTimeOut)
 	revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver)
+	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver, keyRepository)
 	identity, err := identityService.Create(ctx, "polygon-test", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ})
 	assert.NoError(t, err)
 
@@ -631,6 +661,7 @@ func Test_identity_GetLatestStateByID(t *testing.T) {
 	revocationRepository := repositories.NewRevocation()
 	mtService := NewIdentityMerkleTrees(mtRepo)
 	connectionsRepository := repositories.NewConnection()
+	keyRepository := repositories.NewKey(*storage)
 
 	reader := common.CreateFile(t)
 	networkResolver, err := network.NewResolver(ctx, cfg, keyStore, reader)
@@ -638,7 +669,7 @@ func Test_identity_GetLatestStateByID(t *testing.T) {
 
 	rhsFactory := reversehash.NewFactory(*networkResolver, reversehash.DefaultRHSTimeOut)
 	revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver)
+	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver, keyRepository)
 	identity, err := identityService.Create(ctx, "polygon-test", &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ})
 	assert.NoError(t, err)
 
@@ -688,3 +719,78 @@ func Test_identity_GetLatestStateByID(t *testing.T) {
 		})
 	}
 }
+
+func Test_identity_RotateKey(t *testing.T) {
+	ctx := context.Background()
+	identityRepo := repositories.NewIdentity()
+	claimsRepo := repositories.NewClaim()
+	mtRepo := repositories.NewIdentityMerkleTreeRepository()
+	identityStateRepo := repositories.NewIdentityState()
+	revocationRepository := repositories.NewRevocation()
+	mtService := NewIdentityMerkleTrees(mtRepo)
+	connectionsRepository := repositories.NewConnection()
+	keyRepository := repositories.NewKey(*storage)
+
+	reader := common.CreateFile(t)
+	networkResolver, err := network.NewResolver(ctx, cfg, keyStore, reader)
+	require.NoError(t, err)
+
+	rhsFactory := reversehash.NewFactory(*networkResolver, reversehash.DefaultRHSTimeOut)
+	revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
+	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver, keyRepository)
+
+	type testConfig struct {
+		name            string
+		options         *ports.DIDCreationOptions
+		shouldReturnErr bool
+	}
+
+	genesisStr := "0000000000000000000000000000000000000000000000000000000000000000"
+
+	for _, tc := range []testConfig{
+		{
+			name:            "should rotate BJJ identity",
+			options:         &ports.DIDCreationOptions{Method: method, Blockchain: blockchain, Network: net, KeyType: BJJ},
+			shouldReturnErr: false,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			identity, err := identityService.Create(ctx, cfg.ServerUrl, tc.options)
+			assert.NoError(t, err)
+			did, err := w3c.ParseDID(identity.Identifier)
+			assert.NoError(t, err)
+			authHash, err := core.AuthSchemaHash.MarshalText()
+			assert.NoError(t, err)
+
+			authCoreClaim, err := claimsRepo.FindOneClaimBySchemaHash(ctx, storage.Pgx, did, string(authHash))
+			assert.NoError(t, err)
+			if tc.shouldReturnErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.NotNil(t, identity.Identifier)
+				assert.NotNil(t, identity.AuthCoreClaimRevocationStatus)
+				assert.Equal(t, uint(0), identity.AuthCoreClaimRevocationStatus.RevocationNonce)
+				assert.Equal(t, string(verifiable.Iden3commRevocationStatusV1), identity.AuthCoreClaimRevocationStatus.Type)
+				assert.Equal(t, fmt.Sprintf("%s/v2/agent", cfg.ServerUrl), identity.AuthCoreClaimRevocationStatus.ID)
+				assert.NotNil(t, identity.State.State)
+				assert.Equal(t, "confirmed", string(identity.State.Status))
+				if tc.options.KeyType == ETH {
+					assert.NotNil(t, identity.Address)
+					assert.Equal(t, genesisStr, *identity.State.State)
+				} else if tc.options.KeyType == BJJ {
+					assert.NotNil(t, identity.State.ClaimsTreeRoot)
+				} else {
+					t.Errorf("invalid key type")
+				}
+				assert.Equal(t, string(verifiable.Iden3commRevocationStatusV1), identity.AuthCoreClaimRevocationStatus.Type)
+				assert.Equal(t, fmt.Sprintf("%s/v2/agent", cfg.ServerUrl), identity.AuthCoreClaimRevocationStatus.ID)
+				assert.Equal(t, uint(0), identity.AuthCoreClaimRevocationStatus.RevocationNonce)
+
+				authCoreClaimNew, err := claimsRepo.FindOneClaimBySchemaHash(ctx, storage.Pgx, did, string(authHash))
+				assert.NoError(t, err)
+				assert.Equal(t, authCoreClaim.ID, authCoreClaimNew.ID)
+			}
+		})
+	}
+}
diff --git a/internal/core/services/key.go b/internal/core/services/key.go
new file mode 100644
index 000000000..f57d78ae2
--- /dev/null
+++ b/internal/core/services/key.go
@@ -0,0 +1,397 @@
+package services
+
+import (
+	"context"
+	b64 "encoding/base64"
+	"errors"
+	"sort"
+	"strings"
+
+	"github.com/ethereum/go-ethereum/common/hexutil"
+	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/iden3/go-iden3-core/v2/w3c"
+
+	"github.com/polygonid/sh-id-platform/internal/common"
+	"github.com/polygonid/sh-id-platform/internal/core/domain"
+	"github.com/polygonid/sh-id-platform/internal/core/ports"
+	"github.com/polygonid/sh-id-platform/internal/kms"
+	"github.com/polygonid/sh-id-platform/internal/log"
+	"github.com/polygonid/sh-id-platform/internal/repositories"
+)
+
+var (
+
+	// ErrAuthCredentialNotRevoked is returned when the associated auth credential is not revoked
+	ErrAuthCredentialNotRevoked = errors.New("associated auth credential not revoked")
+	// ErrKeyAssociatedWithIdentity is returned when the key is associated with an identity
+	ErrKeyAssociatedWithIdentity = errors.New("key is associated with an identity")
+	// ErrDuplicateKeyName is returned when the key name already exists
+	ErrDuplicateKeyName = errors.New("duplicate key name")
+)
+
+// Key is the service that manages keys
+type Key struct {
+	kms           *kms.KMS
+	claimService  ports.ClaimService
+	keyRepository ports.KeyRepository
+}
+
+// NewKey creates a new Key
+func NewKey(kms *kms.KMS, claimService ports.ClaimService, keyRepository ports.KeyRepository) ports.KeyService {
+	return &Key{
+		kms:           kms,
+		claimService:  claimService,
+		keyRepository: keyRepository,
+	}
+}
+
+// Create creates a new key for the given DID
+func (ks *Key) Create(ctx context.Context, did *w3c.DID, keyType kms.KeyType, name string) (kms.KeyID, error) {
+	var keyID kms.KeyID
+	var err error
+
+	keyWithName, err := ks.keyRepository.GetByName(ctx, *did, name)
+	if keyWithName != nil {
+		return kms.KeyID{}, ErrDuplicateKeyName
+	}
+	if err != nil {
+		if !errors.Is(err, repositories.ErrKeyNotFound) {
+			return kms.KeyID{}, err
+		}
+	}
+
+	if keyType == kms.KeyTypeBabyJubJub {
+		keyID, err = ks.kms.CreateKey(keyType, did)
+		if err != nil {
+			log.Error(ctx, "failed to create key", "err", err)
+			return kms.KeyID{}, err
+		}
+	}
+
+	if keyType == kms.KeyTypeEthereum {
+		keyID, err = ks.kms.CreateKey(keyType, nil)
+		if err != nil {
+			log.Error(ctx, "failed to create key", "err", err)
+			return kms.KeyID{}, err
+		}
+		keyID, err = ks.kms.LinkToIdentity(ctx, keyID, *did)
+		if err != nil {
+			log.Error(ctx, "failed to link key to identity", "err", err)
+			return kms.KeyID{}, err
+		}
+	}
+
+	publicKeyAsBytes, err := ks.kms.PublicKey(keyID)
+	if err != nil {
+		log.Error(ctx, "failed to get public key", "err", err)
+		return kms.KeyID{}, err
+	}
+
+	publicKey := hexutil.Encode(publicKeyAsBytes)
+	keyToSave := domain.NewKey(*did, publicKey, name)
+	_, err = ks.keyRepository.Save(ctx, nil, keyToSave)
+	if err != nil {
+		log.Error(ctx, "failed to save key", "err", err)
+		return kms.KeyID{}, err
+	}
+
+	encodedKeyID := b64.StdEncoding.EncodeToString([]byte(keyID.ID))
+	log.Info(ctx, "key created successfully", "keyID", encodedKeyID)
+	keyID.ID = encodedKeyID
+	return keyID, nil
+}
+
+// Update updates the key with the given keyID
+func (ks *Key) Update(ctx context.Context, did *w3c.DID, keyID string, name string) error {
+	keyType, err := getKeyType(keyID)
+	if err != nil {
+		log.Error(ctx, "failed to get key type", "err", err)
+		return err
+	}
+
+	kmsKeyID := kms.KeyID{
+		ID:   keyID,
+		Type: keyType,
+	}
+
+	exists, err := ks.kms.Exists(ctx, kmsKeyID)
+	if err != nil {
+		log.Error(ctx, "failed to check if key exists", "err", err)
+		return err
+	}
+
+	if !exists {
+		return ErrKeyNotFound
+	}
+
+	publicKey, err := ks.getPublicKey(ctx, keyID)
+	if err != nil {
+		log.Error(ctx, "failed to get public key", "err", err)
+		return ErrKeyNotFound
+	}
+
+	keyInfo, err := ks.keyRepository.GetByPublicKey(ctx, *did, hexutil.Encode(publicKey))
+	if err != nil {
+		if !errors.Is(err, repositories.ErrKeyNotFound) {
+			return err
+		}
+	}
+	if keyInfo == nil {
+		keyInfo = domain.NewKey(*did, hexutil.Encode(publicKey), name)
+	}
+	keyInfo.Name = name
+	_, err = ks.keyRepository.Save(ctx, nil, keyInfo)
+	return err
+}
+
+// Get returns the public key for the given keyID
+func (ks *Key) Get(ctx context.Context, did *w3c.DID, keyID string) (*ports.KMSKey, error) {
+	keyType, err := getKeyType(keyID)
+	if err != nil {
+		log.Error(ctx, "failed to get key type", "err", err)
+		return nil, err
+	}
+
+	kmsKeyID := kms.KeyID{
+		ID:   keyID,
+		Type: keyType,
+	}
+
+	exists, err := ks.kms.Exists(ctx, kmsKeyID)
+	if err != nil {
+		log.Error(ctx, "failed to check if key exists", "err", err)
+		return nil, err
+	}
+
+	if !exists {
+		return nil, ErrKeyNotFound
+	}
+
+	publicKey, err := ks.getPublicKey(ctx, keyID)
+	if err != nil {
+		log.Error(ctx, "failed to get public key", "err", err)
+		return nil, ErrKeyNotFound
+	}
+
+	hasAssociatedAuthCredential := false
+	switch keyType {
+	case kms.KeyTypeBabyJubJub:
+		hasAssociatedAuthCredential, _, err = ks.hasAssociatedAuthCredential(ctx, did, publicKey)
+		if err != nil {
+			log.Error(ctx, "failed to check if key has associated auth credential", "err", err)
+			return nil, err
+		}
+	case kms.KeyTypeEthereum:
+		hasAssociatedAuthCredential, err = ks.isAssociatedWithIdentity(ctx, did, publicKey)
+		if err != nil {
+			log.Error(ctx, "failed to check if key has associated auth credential", "err", err)
+			return nil, err
+		}
+	default:
+		return nil, ErrInvalidKeyType
+	}
+
+	keyInfo, err := ks.keyRepository.GetByPublicKey(ctx, *did, hexutil.Encode(publicKey))
+	if err != nil {
+		if !errors.Is(err, repositories.ErrKeyNotFound) {
+			return nil, err
+		}
+		keyInfo = &domain.Key{
+			Name: hexutil.Encode(publicKey),
+		}
+	}
+
+	return &ports.KMSKey{
+		KeyID:                       keyID,
+		KeyType:                     keyType,
+		PublicKey:                   hexutil.Encode(publicKey),
+		HasAssociatedAuthCredential: hasAssociatedAuthCredential,
+		Name:                        keyInfo.Name,
+	}, nil
+}
+
+// GetAll returns all the keys for the given DID
+func (ks *Key) GetAll(ctx context.Context, did *w3c.DID, filter ports.KeyFilter) ([]*ports.KMSKey, uint, error) {
+	keyIDs, err := ks.kms.KeysByIdentity(ctx, *did)
+	if err != nil {
+		log.Error(ctx, "failed to get keys", "err", err)
+		return nil, 0, err
+	}
+
+	if filter.KeyType != nil {
+		filteredKeyIDs := make([]kms.KeyID, 0)
+		for _, keyID := range keyIDs {
+			if keyID.Type == *filter.KeyType {
+				filteredKeyIDs = append(filteredKeyIDs, keyID)
+			}
+		}
+		keyIDs = filteredKeyIDs
+	}
+
+	total := uint(len(keyIDs))
+	start := (int(filter.Page) - 1) * int(filter.MaxResults)
+	end := start + int(filter.MaxResults)
+
+	if start >= len(keyIDs) {
+		return []*ports.KMSKey{}, 0, nil
+	}
+
+	if end > len(keyIDs) {
+		end = len(keyIDs)
+	}
+
+	keys := make([]*ports.KMSKey, len(keyIDs))
+	for i, keyID := range keyIDs {
+		key, err := ks.Get(ctx, did, keyID.ID)
+		if err != nil {
+			log.Error(ctx, "failed to get key", "err", err)
+			return nil, 0, err
+		}
+		keys[i] = key
+	}
+
+	sort.Slice(keys, func(i, j int) bool {
+		return keys[i].Name < keys[j].Name
+	})
+
+	keys = keys[start:end]
+	return keys, total, nil
+}
+
+// Delete deletes the key with the given keyID
+func (ks *Key) Delete(ctx context.Context, did *w3c.DID, keyID string) error {
+	keyType, err := getKeyType(keyID)
+	if err != nil {
+		log.Error(ctx, "failed to get key type", "err", err)
+		return err
+	}
+
+	kmsKeyID := kms.KeyID{
+		ID:   keyID,
+		Type: keyType,
+	}
+
+	exists, err := ks.kms.Exists(ctx, kmsKeyID)
+	if err != nil {
+		log.Error(ctx, "failed to check if key exists", "err", err)
+		return err
+	}
+
+	if !exists {
+		return ErrKeyNotFound
+	}
+
+	publicKey, err := ks.getPublicKey(ctx, keyID)
+	if err != nil {
+		log.Error(ctx, "failed to get public key", "err", err)
+		return err
+	}
+
+	hasAssociatedAuthCoreCredential := false
+	var authCredential *domain.Claim
+	switch keyType {
+	case kms.KeyTypeBabyJubJub:
+		hasAssociatedAuthCoreCredential, authCredential, err = ks.hasAssociatedAuthCredential(ctx, did, publicKey)
+		if err != nil {
+			log.Error(ctx, "failed to check if key has associated auth credential", "err", err)
+			return err
+		}
+
+		if hasAssociatedAuthCoreCredential {
+			log.Info(ctx, "can not be deleted because it has an associated auth credential. Have to check revocation status")
+			revStatus, err := ks.claimService.GetRevocationStatus(ctx, *did, uint64(authCredential.RevNonce))
+			if err != nil {
+				log.Error(ctx, "failed to get revocation status", "err", err)
+				return err
+			}
+
+			if revStatus != nil && !revStatus.MTP.Existence {
+				log.Info(ctx, "auth credential is non revoked. Can not be deleted")
+				return ErrAuthCredentialNotRevoked
+			}
+		}
+	case kms.KeyTypeEthereum:
+		hasAssociatedAuthCoreCredential, err = ks.isAssociatedWithIdentity(ctx, did, publicKey)
+		if err != nil {
+			log.Error(ctx, "failed to check if key has associated auth credential", "err", err)
+			return err
+		}
+		if hasAssociatedAuthCoreCredential {
+			log.Info(ctx, "can not be deleted because it is associated with the identity")
+			return ErrKeyAssociatedWithIdentity
+		}
+	default:
+		return ErrInvalidKeyType
+	}
+
+	if err := ks.keyRepository.Delete(ctx, *did, hexutil.Encode(publicKey)); err != nil {
+		log.Error(ctx, "failed to delete key", "err", err)
+		return err
+	}
+	return ks.kms.Delete(ctx, kmsKeyID)
+}
+
+// getPublicKey returns the public key for the given keyID
+func (ks *Key) getPublicKey(ctx context.Context, keyID string) ([]byte, error) {
+	keyType, err := getKeyType(keyID)
+	if err != nil {
+		log.Error(ctx, "failed to get key type", "err", err)
+		return nil, err
+	}
+	kmsKeyID := kms.KeyID{
+		ID:   keyID,
+		Type: keyType,
+	}
+
+	return ks.kms.PublicKey(kmsKeyID)
+}
+
+// getKeyType returns the key type for the given keyID
+func getKeyType(keyID string) (kms.KeyType, error) {
+	var keyType kms.KeyType
+	if strings.Contains(keyID, "BJJ") {
+		keyType = kms.KeyTypeBabyJubJub
+	} else if strings.Contains(keyID, "ETH") {
+		keyType = kms.KeyTypeEthereum
+	} else {
+		return keyType, ErrInvalidKeyType
+	}
+
+	return keyType, nil
+}
+
+// hasAssociatedAuthCredential checks if the bbj key has an associated auth credential
+func (ks *Key) hasAssociatedAuthCredential(ctx context.Context, did *w3c.DID, publicKey []byte) (bool, *domain.Claim, error) {
+	hasAssociatedAuthCredential := false
+	authCredential, err := ks.claimService.GetAuthCredentialByPublicKey(ctx, did, publicKey)
+	if err != nil {
+		log.Error(ctx, "failed to check if key has associated auth credential", "err", err)
+		return false, nil, err
+	}
+	hasAssociatedAuthCredential = authCredential != nil
+	return hasAssociatedAuthCredential, authCredential, nil
+}
+
+// isAssociatedWithIdentity checks if the eth key is associated with the identity
+func (ks *Key) isAssociatedWithIdentity(ctx context.Context, did *w3c.DID, publicKey []byte) (bool, error) {
+	hasAssociatedAuthCredential := false
+	pubKey, err := crypto.DecompressPubkey(publicKey)
+	if err != nil {
+		log.Error(ctx, "failed to decompress public key", "err", err)
+		return false, err
+	}
+
+	keyETHAddress := crypto.PubkeyToAddress(*pubKey)
+	isEthAddress, identityAddress, err := common.CheckEthIdentityByDID(did)
+	if err != nil {
+		log.Error(ctx, "failed to check if DID is ETH identity", "err", err)
+		return false, err
+	}
+
+	identityAddressToBeChecked := strings.ToUpper("0x" + identityAddress)
+	if isEthAddress {
+		hasAssociatedAuthCredential = identityAddressToBeChecked == strings.ToUpper(keyETHAddress.Hex())
+	}
+
+	return hasAssociatedAuthCredential, nil
+}
diff --git a/internal/core/services/link_test.go b/internal/core/services/link_test.go
index 4730975d2..1550e61fd 100644
--- a/internal/core/services/link_test.go
+++ b/internal/core/services/link_test.go
@@ -35,6 +35,7 @@ func Test_link_issueClaim(t *testing.T) {
 	schemaRepository := repositories.NewSchema(*storage)
 	mtService := NewIdentityMerkleTrees(mtRepo)
 	connectionsRepository := repositories.NewConnection()
+	keyRepository := repositories.NewKey(*storage)
 
 	reader := common.CreateFile(t)
 	networkResolver, err := networkPkg.NewResolver(ctx, cfg, keyStore, reader)
@@ -42,7 +43,7 @@ func Test_link_issueClaim(t *testing.T) {
 
 	rhsFactory := reversehash.NewFactory(*networkResolver, reversehash.DefaultRHSTimeOut)
 	revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver)
+	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver, keyRepository)
 	sessionRepository := repositories.NewSessionCached(cachex)
 	schemaService := NewSchema(schemaRepository, docLoader)
 
diff --git a/internal/core/services/notification_test.go b/internal/core/services/notification_test.go
index cc9c99a06..77abc02cc 100644
--- a/internal/core/services/notification_test.go
+++ b/internal/core/services/notification_test.go
@@ -39,6 +39,7 @@ func TestNotification_SendNotification(t *testing.T) {
 	mtService := NewIdentityMerkleTrees(mtRepo)
 	revocationRepository := repositories.NewRevocation()
 	connectionsRepository := repositories.NewConnection()
+	keyRepository := repositories.NewKey(*storage)
 
 	reader := common.CreateFile(t)
 	networkResolver, err := networkPkg.NewResolver(ctx, cfg, keyStore, reader)
@@ -46,7 +47,7 @@ func TestNotification_SendNotification(t *testing.T) {
 
 	rhsFactory := reversehash.NewFactory(*networkResolver, reversehash.DefaultRHSTimeOut)
 	revocationStatusResolver := revocationstatus.NewRevocationStatusResolver(*networkResolver)
-	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver)
+	identityService := NewIdentity(keyStore, identityRepo, mtRepo, identityStateRepo, mtService, nil, claimsRepo, revocationRepository, connectionsRepository, storage, nil, nil, pubsub.NewMock(), *networkResolver, rhsFactory, revocationStatusResolver, keyRepository)
 
 	mediaTypeManager := NewMediaTypeManager(
 		map[iden3comm.ProtocolMessage][]string{
diff --git a/internal/db/schema/migrations/202412101722170_add_keys_table.sql b/internal/db/schema/migrations/202412101722170_add_keys_table.sql
new file mode 100644
index 000000000..faf15b958
--- /dev/null
+++ b/internal/db/schema/migrations/202412101722170_add_keys_table.sql
@@ -0,0 +1,18 @@
+-- +goose Up
+-- +goose StatementBegin
+CREATE TABLE keys(
+    id                              UUID PRIMARY KEY NOT NULL,
+    issuer_did                      text NOT NULL,
+    name                            text NOT NULL,
+    public_key                      text NOT NULL,
+    created_at                      timestamptz NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at                      timestamptz NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT keys_unique_name UNIQUE (issuer_did, name),
+    CONSTRAINT keys_identities_id_key foreign key (issuer_did) references identities (identifier)
+);
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS keys;
+-- +goose StatementEnd
\ No newline at end of file
diff --git a/internal/db/schema/migrations/202411131724000_payment_options.sql b/internal/db/schema/migrations/202412231508172_payment_options.sql
similarity index 100%
rename from internal/db/schema/migrations/202411131724000_payment_options.sql
rename to internal/db/schema/migrations/202412231508172_payment_options.sql
diff --git a/internal/kms/aws_kms_eth_key_provider.go b/internal/kms/aws_kms_eth_key_provider.go
index 3494c162f..39972e235 100644
--- a/internal/kms/aws_kms_eth_key_provider.go
+++ b/internal/kms/aws_kms_eth_key_provider.go
@@ -2,7 +2,6 @@ package kms
 
 import (
 	"context"
-	"encoding/hex"
 	"fmt"
 	"regexp"
 	"strings"
@@ -18,7 +17,11 @@ import (
 	"github.com/polygonid/sh-id-platform/internal/log"
 )
 
-const aliasPrefix = "alias/"
+const (
+	aliasPrefix       = "alias/"
+	awsKmdKeyIDPrefix = "ETH/"
+	awsKmsKeyIDParts  = 2
+)
 
 type awsKmsEthKeyProvider struct {
 	keyType                  KeyType
@@ -79,37 +82,26 @@ func (awsKeyProv *awsKmsEthKeyProvider) New(identity *w3c.DID) (KeyID, error) {
 
 	keyArn, err := awsKeyProv.kmsClient.CreateKey(ctx, input)
 	if err != nil {
-		log.Error(ctx, "failed to create key: %v", err)
+		log.Error(ctx, "failed to create key", "err", err)
 		return KeyID{}, fmt.Errorf("failed to create key: %v", err)
 	}
-	log.Info(ctx, "keyArn:", keyArn.KeyMetadata.Arn)
-	inputPublicKey := &kms.GetPublicKeyInput{
-		KeyId: aws.String(*keyArn.KeyMetadata.Arn),
-	}
-
-	publicKeyResult, err := awsKeyProv.kmsClient.GetPublicKey(ctx, inputPublicKey)
-	if err != nil {
-		return KeyID{}, fmt.Errorf("failed to get public key: %v", err)
-	}
-	pubKeyHex := hex.EncodeToString(publicKeyResult.PublicKey)
-	keyID.ID = keyPathForAws(identity, awsKeyProv.keyType, pubKeyHex)
-
-	aliasName := aliasPrefix + keyID.ID
-	err = awsKeyProv.createAlias(ctx, aliasName, *keyArn.KeyMetadata.KeyId)
-	if err != nil {
-		log.Error(ctx, "failed to create alias: %v", err)
-		return KeyID{}, fmt.Errorf("failed to create alias: %v", err)
-	}
-	keyID.ID = aliasName
+	log.Info(ctx, "keyArn", "keyArn", keyArn.KeyMetadata.Arn)
+	keyID.ID = awsKmdKeyIDPrefix + *keyArn.KeyMetadata.KeyId
 	return keyID, nil
 }
 
 // PublicKey returns public key for given keyID
 func (awsKeyProv *awsKmsEthKeyProvider) PublicKey(keyID KeyID) ([]byte, error) {
+	ctx := context.Background()
 	if keyID.ID == awsKeyProv.issuerETHTransferKeyPath {
 		keyID.ID = aliasPrefix + awsKeyProv.issuerETHTransferKeyPath
+	} else {
+		keyIDParts := strings.Split(keyID.ID, "ETH/")
+		if len(keyIDParts) == awsKmsKeyIDParts {
+			keyID.ID = keyIDParts[1]
+		}
 	}
-	ctx := context.Background()
+
 	inputPublicKey := &kms.GetPublicKeyInput{
 		KeyId: aws.String(keyID.ID),
 	}
@@ -124,7 +116,14 @@ func (awsKeyProv *awsKmsEthKeyProvider) PublicKey(keyID KeyID) ([]byte, error) {
 func (awsKeyProv *awsKmsEthKeyProvider) Sign(ctx context.Context, keyID KeyID, data []byte) ([]byte, error) {
 	if keyID.ID == awsKeyProv.issuerETHTransferKeyPath {
 		keyID.ID = aliasPrefix + awsKeyProv.issuerETHTransferKeyPath
+	} else {
+		keyIDParts := strings.Split(keyID.ID, awsKmdKeyIDPrefix)
+		if len(keyIDParts) != awsKmsKeyIDParts {
+			return nil, fmt.Errorf("invalid keyID: %v", keyID.ID)
+		}
+		keyID.ID = keyIDParts[1]
 	}
+
 	signInput := &kms.SignInput{
 		KeyId:            aws.String(keyID.ID),
 		Message:          data,
@@ -165,14 +164,13 @@ func (awsKeyProv *awsKmsEthKeyProvider) Sign(ctx context.Context, keyID KeyID, d
 
 // LinkToIdentity links key to identity
 func (awsKeyProv *awsKmsEthKeyProvider) LinkToIdentity(ctx context.Context, keyID KeyID, identity w3c.DID) (KeyID, error) {
-	keyMetadata, err := awsKeyProv.getKeyInfoByAlias(ctx, keyID.ID)
+	keyIDStr, err := getAwsKmsKeyID(keyID)
 	if err != nil {
-		log.Error(ctx, "failed to get key metadata", "keyMetadata", keyMetadata, "err", err)
-		return KeyID{}, fmt.Errorf("failed to get key metadata: %v", err)
+		return KeyID{}, err
 	}
 
 	tagResourceInput := &kms.TagResourceInput{
-		KeyId: keyMetadata.KeyId,
+		KeyId: aws.String(keyIDStr),
 		Tags: []types.Tag{
 			{
 				TagKey:   aws.String("keyType"),
@@ -187,18 +185,20 @@ func (awsKeyProv *awsKmsEthKeyProvider) LinkToIdentity(ctx context.Context, keyI
 
 	resourceOutput, err := awsKeyProv.kmsClient.TagResource(ctx, tagResourceInput)
 	if err != nil {
-		log.Error(ctx, "failed to tag resource: %v", err)
+		log.Error(ctx, "failed to tag resource", "err", err)
 		return KeyID{}, fmt.Errorf("failed to tag resource: %v", err)
 	}
 
 	log.Info(ctx, "resource tagged:", "resourceOutput:", resourceOutput.ResultMetadata)
-	keyID.ID = identity.String()
 	return keyID, nil
 }
 
 // ListByIdentity returns list of keyIDs for given identity
 func (awsKeyProv *awsKmsEthKeyProvider) ListByIdentity(ctx context.Context, identity w3c.DID) ([]KeyID, error) {
-	listKeysInput := &kms.ListKeysInput{}
+	const limit = 500
+	listKeysInput := &kms.ListKeysInput{
+		Limit: aws.Int32(limit),
+	}
 	listKeysOutput, err := awsKeyProv.kmsClient.ListKeys(ctx, listKeysInput)
 	if err != nil {
 		return nil, fmt.Errorf("failed to list keys: %w", err)
@@ -217,9 +217,10 @@ func (awsKeyProv *awsKmsEthKeyProvider) ListByIdentity(ctx context.Context, iden
 
 		for _, tag := range tagOutput.Tags {
 			if aws.ToString(tag.TagKey) == "did" && aws.ToString(tag.TagValue) == identity.String() {
+				id := "ETH/" + *key.KeyId
 				keysToReturn = append(keysToReturn, KeyID{
 					Type: KeyTypeEthereum,
-					ID:   aws.ToString(key.KeyId),
+					ID:   aws.ToString(&id),
 				})
 			}
 		}
@@ -228,25 +229,41 @@ func (awsKeyProv *awsKmsEthKeyProvider) ListByIdentity(ctx context.Context, iden
 	return keysToReturn, nil
 }
 
-// createAlias creates alias for key
-func (awsKeyProv *awsKmsEthKeyProvider) createAlias(ctx context.Context, aliasName, targetKeyId string) error {
-	input := &kms.CreateAliasInput{
-		AliasName:   aws.String(aliasName),
-		TargetKeyId: aws.String(targetKeyId),
+// Delete deletes key by keyID
+func (awsKeyProv *awsKmsEthKeyProvider) Delete(ctx context.Context, keyID KeyID) error {
+	const pendingWindowInDays = 7
+	keyIDStr, err := getAwsKmsKeyID(keyID)
+	if err != nil {
+		return err
 	}
-	_, err := awsKeyProv.kmsClient.CreateAlias(ctx, input)
+	_, err = awsKeyProv.kmsClient.ScheduleKeyDeletion(ctx, &kms.ScheduleKeyDeletionInput{
+		KeyId:               aws.String(keyIDStr),
+		PendingWindowInDays: aws.Int32(pendingWindowInDays),
+	})
+	return err
+}
+
+// Exists checks if key exists
+func (awsKeyProv *awsKmsEthKeyProvider) Exists(ctx context.Context, keyID KeyID) (bool, error) {
+	keyIDStr, err := getAwsKmsKeyID(keyID)
 	if err != nil {
-		return fmt.Errorf("failed to create alias: %v", err)
+		return false, err
+	}
+	keyInfo, err := awsKeyProv.getKeyInfo(ctx, keyIDStr)
+	if err != nil {
+		return false, nil
 	}
 
-	log.Info(ctx, "alias created:", "aliasName:", aliasName)
-	return nil
+	if keyInfo != nil && keyInfo.DeletionDate != nil {
+		return false, nil
+	}
+	return true, nil
 }
 
-// getKeyInfoByAlias returns key metadata by alias
-func (awsKeyProv *awsKmsEthKeyProvider) getKeyInfoByAlias(ctx context.Context, aliasName string) (*types.KeyMetadata, error) {
+// getKeyInfo returns key metadata by key id
+func (awsKeyProv *awsKmsEthKeyProvider) getKeyInfo(ctx context.Context, keyID string) (*types.KeyMetadata, error) {
 	aliasInput := &kms.DescribeKeyInput{
-		KeyId: aws.String(aliasName),
+		KeyId: aws.String(keyID),
 	}
 	aliasOutput, err := awsKeyProv.kmsClient.DescribeKey(ctx, aliasInput)
 	if err != nil {
@@ -255,3 +272,11 @@ func (awsKeyProv *awsKmsEthKeyProvider) getKeyInfoByAlias(ctx context.Context, a
 	}
 	return aliasOutput.KeyMetadata, nil
 }
+
+func getAwsKmsKeyID(keyID KeyID) (string, error) {
+	keyIDParts := strings.Split(keyID.ID, awsKmdKeyIDPrefix)
+	if len(keyIDParts) != awsKmsKeyIDParts {
+		return "", fmt.Errorf("invalid keyID: %v", keyID.ID)
+	}
+	return keyIDParts[1], nil
+}
diff --git a/internal/kms/aws_kms_eth_key_provider_test.go b/internal/kms/aws_kms_eth_key_provider_test.go
index ac55ecc10..c4c4fbcf9 100644
--- a/internal/kms/aws_kms_eth_key_provider_test.go
+++ b/internal/kms/aws_kms_eth_key_provider_test.go
@@ -71,12 +71,10 @@ func Test_LinkToIdentityInAWSKMS(t *testing.T) {
 		assert.NoError(t, err)
 		assert.NotEmpty(t, keyID.ID)
 		assert.Equal(t, ethereum, string(keyID.Type))
-
 		identity := randomDID(t)
-
-		keyID, err = awsStorageProvider.LinkToIdentity(ctx, keyID, identity)
+		newKeyID, err := awsStorageProvider.LinkToIdentity(ctx, keyID, identity)
 		assert.NoError(t, err)
-		assert.Equal(t, identity.String(), keyID.ID)
+		assert.Equal(t, keyID.ID, newKeyID.ID)
 	})
 
 	t.Run("should get an error", func(t *testing.T) {
diff --git a/internal/kms/aws_secret_storage_provider.go b/internal/kms/aws_secret_storage_provider.go
index 57bae4e1a..9cb6cbecd 100644
--- a/internal/kms/aws_secret_storage_provider.go
+++ b/internal/kms/aws_secret_storage_provider.go
@@ -166,3 +166,38 @@ func (a *awsSecretStorageProvider) searchPrivateKey(ctx context.Context, keyID K
 	}
 	return secretValue.PrivateKey, nil
 }
+
+func (a *awsSecretStorageProvider) deleteKeyMaterial(ctx context.Context, keyID KeyID) error {
+	encodedSecretName := base64.StdEncoding.EncodeToString([]byte(keyID.ID))
+	input := &secretsmanager.DeleteSecretInput{
+		SecretId:                   aws.String(encodedSecretName),
+		ForceDeleteWithoutRecovery: aws.Bool(true),
+	}
+	_, err := a.secretManager.DeleteSecret(ctx, input)
+	return err
+}
+
+func (a *awsSecretStorageProvider) getKeyMaterial(ctx context.Context, keyID KeyID) (map[string]string, error) {
+	encodedSecretName := base64.StdEncoding.EncodeToString([]byte(keyID.ID))
+	input := &secretsmanager.GetSecretValueInput{
+		SecretId: aws.String(encodedSecretName),
+	}
+	result, err := a.secretManager.GetSecretValue(ctx, input)
+	if err != nil {
+		log.Error(ctx, "error getting secret value", "err", err)
+		if strings.Contains(err.Error(), "ResourceNotFoundException") {
+			return nil, ErrKeyNotFound
+		}
+		return nil, errors.New("error getting secret value from AWS")
+	}
+
+	var secretValue secretStorageProviderKeyMaterial
+	if err := json.Unmarshal([]byte(aws.ToString(result.SecretString)), &secretValue); err != nil {
+		return nil, err
+	}
+
+	return map[string]string{
+		jsonKeyType: secretValue.KeyType,
+		jsonKeyData: secretValue.PrivateKey,
+	}, nil
+}
diff --git a/internal/kms/aws_secret_storage_provider_test.go b/internal/kms/aws_secret_storage_provider_test.go
index 09db2e2b1..80941f0a0 100644
--- a/internal/kms/aws_secret_storage_provider_test.go
+++ b/internal/kms/aws_secret_storage_provider_test.go
@@ -221,3 +221,88 @@ func Test_searchPrivateKey(t *testing.T) {
 		assert.Equal(t, privateKey, privateKeyFromStore)
 	})
 }
+
+func Test_getKeyMaterial(t *testing.T) {
+	ctx := context.Background()
+	awsStorageProvider, err := NewAwsSecretStorageProvider(ctx, AwsSecretStorageProviderConfig{
+		AccessKey: "access_key",
+		SecretKey: "secret_key",
+		Region:    "local",
+		URL:       "http://localhost:4566",
+	})
+	require.NoError(t, err)
+
+	t.Run("should get key material for bjj", func(t *testing.T) {
+		did := randomDID(t)
+		privateKey := "9d7abdd5a43573ab9b623c50b9fc8f4357329d3009fe0fc22c8931161d98a03d"
+		id := getKeyID(&did, KeyTypeBabyJubJub, "BJJ:2290140c920a31a596937095f18a9ae15c1fe7091091be485f353968a4310380")
+		err := awsStorageProvider.SaveKeyMaterial(ctx, map[string]string{
+			jsonKeyType: string(KeyTypeBabyJubJub),
+			jsonKeyData: privateKey,
+		}, id)
+		assert.NoError(t, err)
+
+		keyMaterial, err := awsStorageProvider.getKeyMaterial(ctx, KeyID{
+			Type: babyjubjub,
+			ID:   id,
+		})
+		require.NoError(t, err)
+		assert.Equal(t, map[string]string{
+			jsonKeyType: string(babyjubjub),
+			jsonKeyData: privateKey,
+		}, keyMaterial)
+	})
+
+	t.Run("should get an error for bjj", func(t *testing.T) {
+		_, err := awsStorageProvider.getKeyMaterial(ctx, KeyID{
+			Type: babyjubjub,
+			ID:   "wrong_id",
+		})
+		require.Error(t, err)
+	})
+}
+
+func Test_deleteKeyMaterial(t *testing.T) {
+	ctx := context.Background()
+	awsStorageProvider, err := NewAwsSecretStorageProvider(ctx, AwsSecretStorageProviderConfig{
+		AccessKey: "access_key",
+		SecretKey: "secret_key",
+		Region:    "local",
+		URL:       "http://localhost:4566",
+	})
+	require.NoError(t, err)
+
+	t.Run("should delete key material for bjj", func(t *testing.T) {
+		did := randomDID(t)
+		privateKey := "9d7abdd5a43573ab9b623c50b9fc8f4357329d3009fe0fc22c8931161d98a03d"
+		id := getKeyID(&did, KeyTypeBabyJubJub, "BJJ:2290140c920a31a596937095f18a9ae15c1fe7091091be485f353968a4310380")
+		err := awsStorageProvider.SaveKeyMaterial(ctx, map[string]string{
+			jsonKeyType: string(KeyTypeBabyJubJub),
+			jsonKeyData: privateKey,
+		}, id)
+		assert.NoError(t, err)
+
+		keyMaterial, err := awsStorageProvider.getKeyMaterial(ctx, KeyID{
+			Type: babyjubjub,
+			ID:   id,
+		})
+		require.NoError(t, err)
+		assert.Equal(t, map[string]string{
+			jsonKeyType: string(babyjubjub),
+			jsonKeyData: privateKey,
+		}, keyMaterial)
+
+		err = awsStorageProvider.deleteKeyMaterial(ctx, KeyID{
+			Type: babyjubjub,
+			ID:   id,
+		})
+
+		require.NoError(t, err)
+
+		_, err = awsStorageProvider.getKeyMaterial(ctx, KeyID{
+			Type: babyjubjub,
+			ID:   id,
+		})
+		require.Error(t, err)
+	})
+}
diff --git a/internal/kms/file_storage_manager.go b/internal/kms/file_storage_manager.go
index 36643108b..b6d55ae03 100644
--- a/internal/kms/file_storage_manager.go
+++ b/internal/kms/file_storage_manager.go
@@ -109,3 +109,44 @@ func readContentFile(ctx context.Context, file string) ([]localStorageProviderFi
 
 	return localStorageFileContent, nil
 }
+
+func (ls *fileStorageManager) deleteKeyMaterial(ctx context.Context, keyID KeyID) error {
+	localStorageFileContent, err := readContentFile(ctx, ls.file)
+	if err != nil {
+		return err
+	}
+	for i, keyMaterial := range localStorageFileContent {
+		if keyMaterial.KeyPath == keyID.ID {
+			localStorageFileContent = append(localStorageFileContent[:i], localStorageFileContent[i+1:]...)
+			break
+		}
+	}
+
+	newFileContent, err := json.Marshal(localStorageFileContent)
+	if err != nil {
+		log.Error(ctx, "cannot marshal file content", "err", err)
+		return err
+	}
+	// nolint: all
+	if err := os.WriteFile(ls.file, newFileContent, 0644); err != nil {
+		log.Error(ctx, "cannot write file", "err", err)
+		return err
+	}
+	return nil
+}
+
+func (ls *fileStorageManager) getKeyMaterial(ctx context.Context, keyID KeyID) (map[string]string, error) {
+	localStorageFileContent, err := readContentFile(ctx, ls.file)
+	if err != nil {
+		return nil, err
+	}
+	for _, keyMaterial := range localStorageFileContent {
+		if keyMaterial.KeyPath == keyID.ID {
+			return map[string]string{
+				jsonKeyType: keyMaterial.KeyType,
+				jsonKeyData: keyMaterial.PrivateKey,
+			}, nil
+		}
+	}
+	return nil, ErrKeyNotFound
+}
diff --git a/internal/kms/file_storage_manager_test.go b/internal/kms/file_storage_manager_test.go
index 1125f94bd..28fad8a8f 100644
--- a/internal/kms/file_storage_manager_test.go
+++ b/internal/kms/file_storage_manager_test.go
@@ -164,6 +164,91 @@ func TestSearchPrivateKeyInFile_ReturnsErrorWhenKeyNotFound(t *testing.T) {
 	assert.Error(t, err)
 }
 
+func Test_GetKeyMaterial(t *testing.T) {
+	tmpFile, err := createTestFile(t)
+	assert.NoError(t, err)
+	//nolint:errcheck
+	defer os.Remove(tmpFile.Name())
+
+	ls := NewFileStorageManager(tmpFile.Name())
+	ctx := context.Background()
+
+	t.Run("should return key material", func(t *testing.T) {
+		did := randomDID(t)
+		privateKey := "9d7abdd5a43573ab9b623c50b9fc8f4357329d3009fe0fc22c8931161d98a03d"
+		id := getKeyID(&did, KeyTypeBabyJubJub, "BJJ:2290140c920a31a596937095f18a9ae15c1fe7091091be485f353968a4310380")
+
+		err = ls.SaveKeyMaterial(ctx, map[string]string{
+			jsonKeyType: string(KeyTypeBabyJubJub),
+			jsonKeyData: privateKey,
+		}, id)
+		assert.NoError(t, err)
+
+		keyMaterial, err := ls.getKeyMaterial(ctx, KeyID{
+			Type: babyjubjub,
+			ID:   id,
+		})
+		require.NoError(t, err)
+		assert.Equal(t, map[string]string{
+			jsonKeyType: string(babyjubjub),
+			jsonKeyData: privateKey,
+		}, keyMaterial)
+	})
+
+	t.Run("should return an error", func(t *testing.T) {
+		_, err := ls.getKeyMaterial(ctx, KeyID{
+			Type: babyjubjub,
+			ID:   "wrong_id",
+		})
+		require.Error(t, err)
+	})
+}
+
+func Test_DeleteKeyMaterial(t *testing.T) {
+	tmpFile, err := createTestFile(t)
+	require.NoError(t, err)
+	//nolint:errcheck
+	defer os.Remove(tmpFile.Name())
+
+	ls := NewFileStorageManager(tmpFile.Name())
+	ctx := context.Background()
+
+	t.Run("should delete key material", func(t *testing.T) {
+		did := randomDID(t)
+		privateKey := "9d7abdd5a43573ab9b623c50b9fc8f4357329d3009fe0fc22c8931161d98a03d"
+		id := getKeyID(&did, KeyTypeBabyJubJub, "BJJ:2290140c920a31a596937095f18a9ae15c1fe7091091be485f353968a4310380")
+
+		err = ls.SaveKeyMaterial(ctx, map[string]string{
+			jsonKeyType: string(KeyTypeBabyJubJub),
+			jsonKeyData: privateKey,
+		}, id)
+		assert.NoError(t, err)
+
+		keyMaterial, err := ls.getKeyMaterial(ctx, KeyID{
+			Type: babyjubjub,
+			ID:   id,
+		})
+		require.NoError(t, err)
+		assert.Equal(t, map[string]string{
+			jsonKeyType: string(babyjubjub),
+			jsonKeyData: privateKey,
+		}, keyMaterial)
+
+		err = ls.deleteKeyMaterial(ctx, KeyID{
+			Type: babyjubjub,
+			ID:   id,
+		})
+
+		require.NoError(t, err)
+
+		_, err = ls.getKeyMaterial(ctx, KeyID{
+			Type: babyjubjub,
+			ID:   id,
+		})
+		require.Error(t, err)
+	})
+}
+
 func createTestFile(t *testing.T) (*os.File, error) {
 	t.Helper()
 	tmpFile, err := os.Create("./kms.json")
diff --git a/internal/kms/kms.go b/internal/kms/kms.go
index e3b7d2e57..2b921df46 100644
--- a/internal/kms/kms.go
+++ b/internal/kms/kms.go
@@ -20,6 +20,8 @@ type StorageManager interface {
 	SaveKeyMaterial(ctx context.Context, keyMaterial map[string]string, id string) error
 	searchByIdentity(ctx context.Context, identity w3c.DID, keyType KeyType) ([]KeyID, error)
 	searchPrivateKey(ctx context.Context, keyID KeyID) (string, error)
+	deleteKeyMaterial(ctx context.Context, keyID KeyID) error
+	getKeyMaterial(ctx context.Context, keyID KeyID) (map[string]string, error)
 }
 
 // KMSType represents the KMS interface
@@ -31,6 +33,8 @@ type KMSType interface {
 	Sign(ctx context.Context, keyID KeyID, data []byte) ([]byte, error)
 	KeysByIdentity(ctx context.Context, identity w3c.DID) ([]KeyID, error)
 	LinkToIdentity(ctx context.Context, keyID KeyID, identity w3c.DID) (KeyID, error)
+	Delete(ctx context.Context, keyID KeyID) error
+	Exists(ctx context.Context, keyID KeyID) (bool, error)
 }
 
 // ConfigProvider is a key provider configuration
@@ -82,6 +86,10 @@ type KeyProvider interface {
 	// KeyID can be changed after linking.
 	// Returning new KeyID.
 	LinkToIdentity(ctx context.Context, keyID KeyID, identity w3c.DID) (KeyID, error)
+	// Delete removes key from storage
+	Delete(ctx context.Context, keyID KeyID) error
+	// Exists checks if key exists
+	Exists(ctx context.Context, keyID KeyID) (bool, error)
 }
 
 // KMS stores keys and secrets
@@ -111,6 +119,9 @@ var ErrKeyTypeConflict = stderr.New("key type already registered")
 // ErrPermissionDenied raises when we register new key provider with key type
 var ErrPermissionDenied = stderr.New("permission denied")
 
+// ErrKeyNotFound raises when key is not found
+var ErrKeyNotFound = stderr.New("key not found")
+
 // KeyID is a key unique identifier
 type KeyID struct {
 	Type KeyType
@@ -222,6 +233,24 @@ func (k *KMS) LinkToIdentity(ctx context.Context, keyID KeyID, identity w3c.DID)
 	return kp.LinkToIdentity(ctx, keyID, identity)
 }
 
+// Delete removes key from storage
+func (k *KMS) Delete(ctx context.Context, keyID KeyID) error {
+	kp, ok := k.registry[keyID.Type]
+	if !ok {
+		return errors.WithStack(ErrUnknownKeyType)
+	}
+	return kp.Delete(ctx, keyID)
+}
+
+// Exists checks if key exists
+func (k *KMS) Exists(ctx context.Context, keyID KeyID) (bool, error) {
+	kp, ok := k.registry[keyID.Type]
+	if !ok {
+		return false, errors.WithStack(ErrUnknownKeyType)
+	}
+	return kp.Exists(ctx, keyID)
+}
+
 // Open returns an initialized KMS
 func Open(pluginIden3MountPath string, vault *api.Client) (*KMS, error) {
 	bjjKeyProvider, err := NewVaultPluginIden3KeyProvider(vault, pluginIden3MountPath, KeyTypeBabyJubJub)
diff --git a/internal/kms/local_bjj_key_provider.go b/internal/kms/local_bjj_key_provider.go
index fc6e0ad00..728a2d126 100644
--- a/internal/kms/local_bjj_key_provider.go
+++ b/internal/kms/local_bjj_key_provider.go
@@ -125,6 +125,10 @@ func (ls *localBJJKeyProvider) LinkToIdentity(ctx context.Context, keyID KeyID,
 	return keyID, nil
 }
 
+func (ls *localBJJKeyProvider) Delete(ctx context.Context, keyID KeyID) error {
+	return ls.storageManager.deleteKeyMaterial(ctx, keyID)
+}
+
 func (ls *localBJJKeyProvider) privateKey(ctx context.Context, keyID KeyID) ([]byte, error) {
 	if keyID.Type != ls.keyType {
 		return nil, ErrIncorrectKeyType
@@ -155,3 +159,13 @@ func (ls *localBJJKeyProvider) privateKey(ctx context.Context, keyID KeyID) ([]b
 
 	return val, nil
 }
+
+func (ls *localBJJKeyProvider) Exists(ctx context.Context, keyID KeyID) (bool, error) {
+	_, err := ls.storageManager.getKeyMaterial(ctx, keyID)
+	if err != nil {
+		if errors.Is(err, ErrKeyNotFound) {
+			return false, nil
+		}
+	}
+	return true, nil
+}
diff --git a/internal/kms/local_bjj_key_provider_test.go b/internal/kms/local_bjj_key_provider_test.go
index bf0de78a7..db378dba0 100644
--- a/internal/kms/local_bjj_key_provider_test.go
+++ b/internal/kms/local_bjj_key_provider_test.go
@@ -259,12 +259,14 @@ func Test_PublicKey_LocalBJJKeyProvider(t *testing.T) {
 		AccessKey: "access_key",
 		SecretKey: "secret_key",
 		Region:    "local",
+		URL:       "http://localhost:4566",
 	})
 	require.NoError(t, err)
 
 	t.Run("should get public key using local storage manager", func(t *testing.T) {
+		did := randomDID(t)
 		localbbjKeyProvider := NewLocalBJJKeyProvider(KeyTypeBabyJubJub, ls)
-		keyID, err := localbbjKeyProvider.New(nil)
+		keyID, err := localbbjKeyProvider.New(&did)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, keyID.ID)
 
@@ -274,8 +276,9 @@ func Test_PublicKey_LocalBJJKeyProvider(t *testing.T) {
 	})
 
 	t.Run("should get public key using aws storage manager", func(t *testing.T) {
+		did := randomDID(t)
 		localbbjKeyProvider := NewLocalBJJKeyProvider(KeyTypeBabyJubJub, awsStorageProvider)
-		keyID, err := localbbjKeyProvider.New(nil)
+		keyID, err := localbbjKeyProvider.New(&did)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, keyID.ID)
 
@@ -375,3 +378,42 @@ func Test_Sign_LocalBJJKeyProvider(t *testing.T) {
 		assert.NotNil(t, signature)
 	})
 }
+
+func Test_DeleteKey_LocalBJJKeyProvider(t *testing.T) {
+	ctx := context.Background()
+	tmpFile, err := createTestFile(t)
+	assert.NoError(t, err)
+	//nolint:errcheck
+	defer os.Remove(tmpFile.Name())
+	ls := NewFileStorageManager(tmpFile.Name())
+
+	awsStorageProvider, err := NewAwsSecretStorageProvider(ctx, AwsSecretStorageProviderConfig{
+		AccessKey: "access_key",
+		SecretKey: "secret_key",
+		Region:    "local",
+		URL:       "http://localhost:4566",
+	})
+	require.NoError(t, err)
+
+	t.Run("should get public key using local storage manager", func(t *testing.T) {
+		did := randomDID(t)
+		localbbjKeyProvider := NewLocalBJJKeyProvider(KeyTypeBabyJubJub, ls)
+		keyID, err := localbbjKeyProvider.New(&did)
+		assert.NoError(t, err)
+		assert.NotEmpty(t, keyID.ID)
+
+		err = localbbjKeyProvider.Delete(ctx, keyID)
+		assert.NoError(t, err)
+	})
+
+	t.Run("should get public key using aws storage manager", func(t *testing.T) {
+		did := randomDID(t)
+		localbbjKeyProvider := NewLocalBJJKeyProvider(KeyTypeBabyJubJub, awsStorageProvider)
+		keyID, err := localbbjKeyProvider.New(&did)
+		assert.NoError(t, err)
+		assert.NotEmpty(t, keyID.ID)
+
+		err = localbbjKeyProvider.Delete(ctx, keyID)
+		assert.NoError(t, err)
+	})
+}
diff --git a/internal/kms/local_eth_key_provider.go b/internal/kms/local_eth_key_provider.go
index b384bbf02..b6bea84cc 100644
--- a/internal/kms/local_eth_key_provider.go
+++ b/internal/kms/local_eth_key_provider.go
@@ -119,7 +119,7 @@ func (ls *localEthKeyProvider) LinkToIdentity(ctx context.Context, keyID KeyID,
 		return KeyID{}, err
 	}
 
-	keyID.ID = identity.String()
+	keyID.ID = identity.String() + "/" + keyID.ID
 	return keyID, nil
 }
 
@@ -128,6 +128,20 @@ func (ls *localEthKeyProvider) ListByIdentity(ctx context.Context, identity w3c.
 	return ls.storageManager.searchByIdentity(ctx, identity, ls.keyType)
 }
 
+func (ls *localEthKeyProvider) Delete(ctx context.Context, keyID KeyID) error {
+	return ls.storageManager.deleteKeyMaterial(ctx, keyID)
+}
+
+func (ls *localEthKeyProvider) Exists(ctx context.Context, keyID KeyID) (bool, error) {
+	_, err := ls.storageManager.getKeyMaterial(ctx, keyID)
+	if err != nil {
+		if errors.Is(err, ErrKeyNotFound) {
+			return false, nil
+		}
+	}
+	return true, nil
+}
+
 // nolint
 func (ls *localEthKeyProvider) privateKey(ctx context.Context, keyID KeyID) ([]byte, error) {
 	if keyID.Type != ls.keyType {
diff --git a/internal/kms/local_eth_key_provider_test.go b/internal/kms/local_eth_key_provider_test.go
index db6b6e440..28b524526 100644
--- a/internal/kms/local_eth_key_provider_test.go
+++ b/internal/kms/local_eth_key_provider_test.go
@@ -96,10 +96,10 @@ func Test_LinkToIdentity_LocalETHKeyProvider(t *testing.T) {
 		assert.NotEmpty(t, keyID.ID)
 
 		did := randomDID(t)
-		keyID, err = localETHKeyProvider.LinkToIdentity(ctx, keyID, did)
+		newKeyID, err := localETHKeyProvider.LinkToIdentity(ctx, keyID, did)
 		assert.NoError(t, err)
 		assert.NotNil(t, keyID)
-		assert.Equal(t, did.String(), keyID.ID)
+		assert.Equal(t, did.String()+"/"+keyID.ID, newKeyID.ID)
 		assert.Equal(t, KeyTypeEthereum, keyID.Type)
 	})
 
@@ -110,10 +110,10 @@ func Test_LinkToIdentity_LocalETHKeyProvider(t *testing.T) {
 		assert.NotEmpty(t, keyID.ID)
 
 		did := randomDID(t)
-		keyID, err = localETHKeyProvider.LinkToIdentity(ctx, keyID, did)
+		newKeyID, err := localETHKeyProvider.LinkToIdentity(ctx, keyID, did)
 		assert.NoError(t, err)
 		assert.NotNil(t, keyID)
-		assert.Equal(t, did.String(), keyID.ID)
+		assert.Equal(t, did.String()+"/"+keyID.ID, newKeyID.ID)
 		assert.Equal(t, KeyTypeEthereum, keyID.Type)
 	})
 }
diff --git a/internal/kms/vaultPluginIden3KeyProvider.go b/internal/kms/vaultPluginIden3KeyProvider.go
index f25ac181f..aea4b4b0f 100644
--- a/internal/kms/vaultPluginIden3KeyProvider.go
+++ b/internal/kms/vaultPluginIden3KeyProvider.go
@@ -128,6 +128,9 @@ func (v *vaultPluginIden3KeyProvider) PublicKey(keyID KeyID) ([]byte, error) {
 
 	publicKeyStr, err := publicKey(v.vaultCli, v.keyPathFromID(keyID))
 	if err != nil {
+		if strings.Contains(err.Error(), "secret is nil") {
+			return nil, ErrKeyNotFound
+		}
 		return nil, err
 	}
 
@@ -161,6 +164,22 @@ func (v *vaultPluginIden3KeyProvider) New(identity *w3c.DID) (KeyID, error) {
 	return keyID, nil
 }
 
+func (v *vaultPluginIden3KeyProvider) Delete(ctx context.Context, keyID KeyID) error {
+	_, err := v.vaultCli.Logical().Delete(v.keyPathFromID(keyID).keys())
+	return err
+}
+
+func (v *vaultPluginIden3KeyProvider) Exists(ctx context.Context, keyID KeyID) (bool, error) {
+	_, err := publicKey(v.vaultCli, v.keyPathFromID(keyID))
+	if err != nil {
+		if strings.Contains(err.Error(), "secret is nil") {
+			return false, nil
+		}
+		return false, err
+	}
+	return true, nil
+}
+
 func (v *vaultPluginIden3KeyProvider) randomKeyPath() (keyPathT, error) {
 	var rnd [16]byte
 	_, err := rand.Read(rnd[:])
diff --git a/internal/kms/vault_bjj_key_provider.go b/internal/kms/vault_bjj_key_provider.go
index c99a248ec..4ebdb28f2 100644
--- a/internal/kms/vault_bjj_key_provider.go
+++ b/internal/kms/vault_bjj_key_provider.go
@@ -134,6 +134,14 @@ func (v *vaultBJJKeyProvider) PublicKey(keyID KeyID) ([]byte, error) {
 	return val, err
 }
 
+func (v *vaultBJJKeyProvider) Delete(ctx context.Context, keyID KeyID) error {
+	return nil
+}
+
+func (v *vaultBJJKeyProvider) Exists(ctx context.Context, keyID KeyID) (bool, error) {
+	return false, errors.New("not implemented")
+}
+
 func (v *vaultBJJKeyProvider) privateKey(keyID KeyID) ([]byte, error) {
 	if keyID.Type != v.keyType {
 		return nil, ErrIncorrectKeyType
diff --git a/internal/kms/vault_eth_key_provider.go b/internal/kms/vault_eth_key_provider.go
index c9433dad3..535a67ec5 100644
--- a/internal/kms/vault_eth_key_provider.go
+++ b/internal/kms/vault_eth_key_provider.go
@@ -193,6 +193,15 @@ func (v *vaultETHKeyProvider) New(identity *w3c.DID) (KeyID, error) {
 	return keyID, saveKeyMaterial(v.vaultCli, keyID.ID, keyMaterial)
 }
 
+func (v *vaultETHKeyProvider) Delete(ctx context.Context, keyID KeyID) error {
+	_, err := v.vaultCli.Logical().Delete(absVaultSecretPath(keyID.ID))
+	return err
+}
+
+func (v *vaultETHKeyProvider) Exists(ctx context.Context, keyID KeyID) (bool, error) {
+	return false, errors.New("not implemented")
+}
+
 // NewVaultEthProvider creates new provider for Ethereum keys stored in vault
 func NewVaultEthProvider(valutCli *api.Client, keyType KeyType) KeyProvider {
 	reIdenKeyPathHex := regexp.MustCompile("^(?i).*/" +
diff --git a/internal/kms/vault_providers_helpers.go b/internal/kms/vault_providers_helpers.go
index 6306cbee4..2073fc591 100644
--- a/internal/kms/vault_providers_helpers.go
+++ b/internal/kms/vault_providers_helpers.go
@@ -73,14 +73,6 @@ func keyPath(identity *w3c.DID, keyType KeyType, keyID string) string {
 	return basePath + string(keyType) + ":" + keyID
 }
 
-func keyPathForAws(identity *w3c.DID, keyType KeyType, keyID string) string {
-	basePath := ""
-	if identity != nil {
-		basePath = identityPath(identity) + "/"
-	}
-	return basePath + string(keyType) + keyID
-}
-
 func absVaultSecretPath(path string) string {
 	return kvStoragePath + "/data/" + strings.TrimPrefix(path, "/")
 }
diff --git a/internal/repositories/claim.go b/internal/repositories/claim.go
index 54cb6ffe6..0731b7a8c 100644
--- a/internal/repositories/claim.go
+++ b/internal/repositories/claim.go
@@ -24,8 +24,8 @@ import (
 
 const duplicateViolationErrorCode = "23505"
 
-// ErrClaimDuplication claim duplication error
 var (
+	// ErrClaimDuplication claim duplication error
 	ErrClaimDuplication = errors.New("claim duplication error")
 	// ErrClaimDoesNotExist claim does not exist
 	ErrClaimDoesNotExist = errors.New("claim does not exist")
@@ -345,6 +345,8 @@ func (c *claim) GetByRevocationNonce(ctx context.Context, conn db.Querier, ident
 	return claims, nil
 }
 
+// FindOneClaimBySchemaHash returns a claim by schema hash
+// The claim must have MTP proof and not be revoked. This means the claim is published.
 func (c *claim) FindOneClaimBySchemaHash(ctx context.Context, conn db.Querier, subject *w3c.DID, schemaHash string) (*domain.Claim, error) {
 	var claim domain.Claim
 
@@ -371,13 +373,14 @@ func (c *claim) FindOneClaimBySchemaHash(ctx context.Context, conn db.Querier, s
 		WHERE claims.identifier=$1  
 				AND ( claims.other_identifier = $1 or claims.other_identifier = '') 
 				AND claims.schema_hash = $2 
-				AND claims.revoked = false`, subject.String(), schemaHash)
+				AND claims.revoked = false 
+				AND claims.mtp_proof IS NOT NULL `, subject.String(), schemaHash)
 
 	err := row.Scan(&claim.ID,
 		&claim.Issuer,
 		&claim.SchemaHash,
 		&claim.SchemaType,
-		&claim.SchemaHash,
+		&claim.SchemaURL,
 		&claim.OtherIdentifier,
 		&claim.Expiration,
 		&claim.Updatable,
@@ -399,6 +402,73 @@ func (c *claim) FindOneClaimBySchemaHash(ctx context.Context, conn db.Querier, s
 	return &claim, err
 }
 
+// FindClaimsBySchemaHash returns all claims by schema hash
+// The claim must have MTP proof and not be revoked.
+func (c *claim) FindClaimsBySchemaHash(ctx context.Context, conn db.Querier, subject *w3c.DID, schemaHash string) ([]*domain.Claim, error) {
+	rows, err := conn.Query(ctx,
+		`SELECT claims.id,
+		   issuer,
+		   schema_hash,
+		   schema_type,
+		   schema_url,
+		   other_identifier,
+		   expiration,
+		   updatable,
+		   claims.version,
+		   rev_nonce,
+		   mtp_proof,
+		   signature_proof,
+		   data,
+		   claims.identifier,
+		   identity_state,
+		   credential_status,
+       	   core_claim,
+       	   revoked,
+		   mtp,
+		   claims.created_at
+		FROM claims
+		WHERE claims.identifier=$1  
+				AND ( claims.other_identifier = $1 or claims.other_identifier = '') 
+				AND claims.schema_hash = $2 
+				AND claims.revoked = false 
+				AND claims.mtp_proof IS NOT NULL `, subject.String(), schemaHash)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	credentials := make([]*domain.Claim, 0)
+	for rows.Next() {
+		var claim domain.Claim
+		err := rows.Scan(&claim.ID,
+			&claim.Issuer,
+			&claim.SchemaHash,
+			&claim.SchemaType,
+			&claim.SchemaURL,
+			&claim.OtherIdentifier,
+			&claim.Expiration,
+			&claim.Updatable,
+			&claim.Version,
+			&claim.RevNonce,
+			&claim.MTPProof,
+			&claim.SignatureProof,
+			&claim.Data,
+			&claim.Identifier,
+			&claim.IdentityState,
+			&claim.CredentialStatus,
+			&claim.CoreClaim,
+			&claim.Revoked,
+			&claim.MtProof,
+			&claim.CreatedAt)
+		if err != nil {
+			return nil, err
+		}
+		credentials = append(credentials, &claim)
+	}
+
+	return credentials, nil
+}
+
 func (c *claim) RevokeNonce(ctx context.Context, conn db.Querier, revocation *domain.Revocation) error {
 	_, err := conn.Exec(ctx,
 		`	INSERT INTO revocation (identifier, nonce, version, status, description) 
@@ -730,8 +800,8 @@ func processClaims(rows pgx.Rows) ([]*domain.Claim, error) {
 		err := rows.Scan(&claim.ID,
 			&claim.Issuer,
 			&claim.SchemaHash,
-			&claim.SchemaURL,
 			&claim.SchemaType,
+			&claim.SchemaURL,
 			&claim.OtherIdentifier,
 			&claim.Expiration,
 			&claim.Updatable,
@@ -1098,3 +1168,62 @@ func (c *claim) GetByStateIDWithMTPProof(ctx context.Context, conn db.Querier, d
 
 	return claims, nil
 }
+
+// GetAuthCoreClaims returns all the core claims for the given identifier and schema hash
+// The auth core claims returned may not be published onchain.
+func (c *claim) GetAuthCoreClaims(ctx context.Context, conn db.Querier, identifier *w3c.DID, schemaHash string) ([]*domain.Claim, error) {
+	rows, err := conn.Query(ctx,
+		`SELECT claims.id,
+		   issuer,
+		   schema_hash,
+		   schema_type,
+		   schema_url,
+		   other_identifier,
+		   expiration,
+		   updatable,
+		   claims.version,
+		   rev_nonce,
+		   mtp_proof,
+		   signature_proof,
+		   data,
+		   claims.identifier,
+		   identity_state,
+		   credential_status,
+		   revoked,
+		   core_claim
+		FROM claims
+		WHERE claims.identifier=$1  
+				AND ( claims.other_identifier = $1 or claims.other_identifier = '') 
+				AND claims.schema_hash = $2`, identifier.String(), schemaHash)
+	if err != nil {
+		return nil, err
+	}
+
+	claims := make([]*domain.Claim, 0)
+	for rows.Next() {
+		var claim domain.Claim
+		err := rows.Scan(&claim.ID,
+			&claim.Issuer,
+			&claim.SchemaHash,
+			&claim.SchemaType,
+			&claim.SchemaURL,
+			&claim.OtherIdentifier,
+			&claim.Expiration,
+			&claim.Updatable,
+			&claim.Version,
+			&claim.RevNonce,
+			&claim.MTPProof,
+			&claim.SignatureProof,
+			&claim.Data,
+			&claim.Identifier,
+			&claim.IdentityState,
+			&claim.CredentialStatus,
+			&claim.Revoked,
+			&claim.CoreClaim)
+		if err != nil {
+			return nil, err
+		}
+		claims = append(claims, &claim)
+	}
+	return claims, nil
+}
diff --git a/internal/repositories/fixture.go b/internal/repositories/fixture.go
index 26a223b98..0a631d836 100644
--- a/internal/repositories/fixture.go
+++ b/internal/repositories/fixture.go
@@ -13,7 +13,7 @@ import (
 // Fixture - Handle testing fixture configuration
 type Fixture struct {
 	storage                 *db.Storage
-	identityRepository      ports.IndentityRepository
+	identityRepository      ports.IdentityRepository
 	claimRepository         ports.ClaimRepository
 	connectionsRepository   ports.ConnectionRepository
 	schemaRepository        ports.SchemaRepository
diff --git a/internal/repositories/identity.go b/internal/repositories/identity.go
index e139add6b..2504c5d2a 100644
--- a/internal/repositories/identity.go
+++ b/internal/repositories/identity.go
@@ -22,8 +22,8 @@ var ErrDisplayNameDuplicated = errors.New("display name already exists")
 
 type identity struct{}
 
-// NewIdentity TODO
-func NewIdentity() ports.IndentityRepository {
+// NewIdentity - Create new identity repository
+func NewIdentity() ports.IdentityRepository {
 	return &identity{}
 }
 
@@ -70,7 +70,8 @@ func (i *identity) GetByID(ctx context.Context, conn db.Querier, identifier w3c.
 				        claims.credential_status
 			   FROM identities
 			   LEFT JOIN identity_states ON identities.identifier = identity_states.identifier
-               LEFT JOIN claims ON claims.identifier = identities.identifier and claims.schema_type = 'https://schema.iden3.io/core/jsonld/auth.jsonld#AuthBJJCredential'
+               LEFT JOIN claims ON claims.identifier = identities.identifier 
+                        AND claims.schema_type = 'https://schema.iden3.io/core/jsonld/auth.jsonld#AuthBJJCredential'
 			   WHERE identities.identifier=$1 
 			        AND ( status = 'transacted' OR status = 'confirmed')
     				OR (identities.identifier=$1 AND status = 'created' AND previous_state is null
diff --git a/internal/repositories/key.go b/internal/repositories/key.go
new file mode 100644
index 000000000..ae4e3284a
--- /dev/null
+++ b/internal/repositories/key.go
@@ -0,0 +1,95 @@
+package repositories
+
+import (
+	"context"
+	"errors"
+	"strings"
+
+	"github.com/google/uuid"
+	"github.com/iden3/go-iden3-core/v2/w3c"
+	"github.com/jackc/pgconn"
+
+	"github.com/polygonid/sh-id-platform/internal/core/domain"
+	"github.com/polygonid/sh-id-platform/internal/db"
+	"github.com/polygonid/sh-id-platform/internal/log"
+)
+
+var (
+	// ErrKeyNotFound key not found error
+	ErrKeyNotFound = errors.New("key not found")
+	// ErrDuplicateKeyName duplicate key name error
+	ErrDuplicateKeyName = errors.New("key name already exists")
+)
+
+type key struct {
+	conn db.Storage
+}
+
+// NewKey returns a new key repository
+func NewKey(conn db.Storage) *key {
+	return &key{
+		conn,
+	}
+}
+
+// Save saves a key
+func (k *key) Save(ctx context.Context, conn db.Querier, key *domain.Key) (uuid.UUID, error) {
+	if conn == nil {
+		conn = k.conn.Pgx
+	}
+	sql := `INSERT INTO keys (id, issuer_did, public_key, name)
+			VALUES($1, $2, $3, $4) ON CONFLICT (id) DO
+			UPDATE SET name=$4`
+	_, err := conn.Exec(ctx, sql, key.ID, key.IssuerCoreDID().String(), key.PublicKey, key.Name)
+	if err != nil {
+		var pgErr *pgconn.PgError
+		if errors.As(err, &pgErr) && pgErr.Code == duplicateViolationErrorCode {
+			return uuid.Nil, ErrDuplicateKeyName
+		}
+		return uuid.Nil, err
+	}
+	return key.ID, err
+}
+
+// GetByPublicKey returns a key by its public key
+func (k *key) GetByPublicKey(ctx context.Context, issuerDID w3c.DID, publicKey string) (*domain.Key, error) {
+	sql := `SELECT id, issuer_did, public_key, name 
+			FROM keys WHERE  issuer_did=$1 and public_key=$2`
+	row := k.conn.Pgx.QueryRow(ctx, sql, issuerDID.String(), publicKey)
+
+	key := domain.Key{}
+	err := row.Scan(&key.ID, &key.IssuerDID, &key.PublicKey, &key.Name)
+	if err != nil {
+		log.Error(ctx, "error getting key by public key", "err", err)
+		if strings.Contains(err.Error(), "no rows in result set") {
+			return nil, ErrKeyNotFound
+		}
+		return nil, err
+	}
+	return &key, nil
+}
+
+// Delete deletes a key by its public key
+func (k *key) Delete(ctx context.Context, issuerDID w3c.DID, publicKey string) error {
+	sql := `DELETE FROM keys WHERE issuer_did=$1 AND public_key=$2`
+	_, err := k.conn.Pgx.Exec(ctx, sql, issuerDID.String(), publicKey)
+	return err
+}
+
+// GetByName returns a key by its name
+func (k *key) GetByName(ctx context.Context, issuerDID w3c.DID, name string) (*domain.Key, error) {
+	sql := `SELECT id, issuer_did, public_key, name 
+			FROM keys WHERE  issuer_did=$1 and name=$2`
+	row := k.conn.Pgx.QueryRow(ctx, sql, issuerDID.String(), name)
+
+	key := domain.Key{}
+	err := row.Scan(&key.ID, &key.IssuerDID, &key.PublicKey, &key.Name)
+	if err != nil {
+		log.Error(ctx, "error getting key by name", "err", err)
+		if strings.Contains(err.Error(), "no rows in result set") {
+			return nil, ErrKeyNotFound
+		}
+		return nil, err
+	}
+	return &key, nil
+}
diff --git a/internal/repositories/key_test.go b/internal/repositories/key_test.go
new file mode 100644
index 000000000..54810a829
--- /dev/null
+++ b/internal/repositories/key_test.go
@@ -0,0 +1,95 @@
+package repositories
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/polygonid/sh-id-platform/internal/core/domain"
+)
+
+func TestKey_Save(t *testing.T) {
+	keyRepository := NewKey(*storage)
+
+	ctx := context.Background()
+	did := randomDID(t)
+	_, err := storage.Pgx.Exec(ctx, "INSERT INTO identities (identifier, keytype) VALUES ($1, $2)", did.String(), "BJJ")
+	assert.NoError(t, err)
+
+	t.Run("should save a new key", func(t *testing.T) {
+		key := domain.Key{
+			ID:        uuid.New(),
+			IssuerDID: domain.KeyCoreDID(did),
+			PublicKey: "publicKey",
+			Name:      "name",
+		}
+		id, err := keyRepository.Save(context.Background(), storage.Pgx, &key)
+		require.NoError(t, err)
+		require.NotEqual(t, uuid.Nil, id)
+		assert.Equal(t, key.ID, id)
+	})
+
+	t.Run("should get an error", func(t *testing.T) {
+		key := domain.Key{
+			ID:        uuid.New(),
+			IssuerDID: domain.KeyCoreDID(did),
+			PublicKey: "publicKey",
+			Name:      "name_1",
+		}
+
+		id, err := keyRepository.Save(context.Background(), storage.Pgx, &key)
+		require.NoError(t, err)
+		require.NotEqual(t, uuid.Nil, id)
+		assert.Equal(t, key.ID, id)
+
+		key2 := domain.Key{
+			ID:        uuid.New(),
+			IssuerDID: domain.KeyCoreDID(did),
+			PublicKey: "publicKey2",
+			Name:      "name_1",
+		}
+
+		id, err = keyRepository.Save(context.Background(), storage.Pgx, &key2)
+		require.Error(t, err)
+		require.Equal(t, uuid.Nil, id)
+	})
+}
+
+func TestKey_GetByPublicKey(t *testing.T) {
+	keyRepository := NewKey(*storage)
+	ctx := context.Background()
+	did := randomDID(t)
+	_, err := storage.Pgx.Exec(ctx, "INSERT INTO identities (identifier, keytype) VALUES ($1, $2)", did.String(), "BJJ")
+	assert.NoError(t, err)
+
+	key := domain.Key{
+		ID:        uuid.New(),
+		IssuerDID: domain.KeyCoreDID(did),
+		PublicKey: "publicKey",
+		Name:      "name" + uuid.New().String(),
+	}
+	id, err := keyRepository.Save(context.Background(), storage.Pgx, &key)
+	require.NoError(t, err)
+	require.NotEqual(t, uuid.Nil, id)
+	assert.Equal(t, key.ID, id)
+
+	t.Run("should get the key by public key", func(t *testing.T) {
+		keyFromDatabase, err := keyRepository.GetByPublicKey(ctx, did, key.PublicKey)
+		require.NoError(t, err)
+		assert.Equal(t, key.ID, keyFromDatabase.ID)
+		assert.Equal(t, key.IssuerDID, keyFromDatabase.IssuerDID)
+		assert.Equal(t, key.PublicKey, keyFromDatabase.PublicKey)
+		assert.Equal(t, key.Name, keyFromDatabase.Name)
+	})
+
+	t.Run("should get an error - ErrKeyNotFound", func(t *testing.T) {
+		keyFromDatabase, err := keyRepository.GetByPublicKey(ctx, did, "wrong public key")
+		assert.Error(t, err)
+		assert.Nil(t, keyFromDatabase)
+		assert.True(t, errors.Is(err, ErrKeyNotFound))
+	})
+}
diff --git a/internal/repositories/main_test.go b/internal/repositories/main_test.go
index d58adcca7..d208d681e 100644
--- a/internal/repositories/main_test.go
+++ b/internal/repositories/main_test.go
@@ -2,9 +2,14 @@ package repositories
 
 import (
 	"context"
+	"crypto/rand"
 	"os"
 	"testing"
 
+	core "github.com/iden3/go-iden3-core/v2"
+	"github.com/iden3/go-iden3-core/v2/w3c"
+	"github.com/stretchr/testify/require"
+
 	"github.com/polygonid/sh-id-platform/internal/config"
 	"github.com/polygonid/sh-id-platform/internal/db"
 	"github.com/polygonid/sh-id-platform/internal/db/tests"
@@ -47,3 +52,16 @@ func lookupPostgresURL() string {
 	}
 	return con
 }
+
+func randomDID(t *testing.T) w3c.DID {
+	t.Helper()
+	typ, err := core.BuildDIDType(core.DIDMethodIden3, core.Privado, core.Main)
+	var genesis [27]byte
+	require.NoError(t, err)
+	_, err = rand.Read(genesis[:])
+	require.NoError(t, err)
+	id := core.NewID(typ, genesis)
+	did, err := core.ParseDIDFromID(id)
+	require.NoError(t, err)
+	return *did
+}
diff --git a/internal/utils/public_key.go b/internal/utils/public_key.go
new file mode 100644
index 000000000..adf8ec793
--- /dev/null
+++ b/internal/utils/public_key.go
@@ -0,0 +1,58 @@
+package utils
+
+import (
+	"bytes"
+
+	"github.com/iden3/go-iden3-crypto/babyjub"
+	"github.com/iden3/go-schema-processor/v2/verifiable"
+
+	"github.com/polygonid/sh-id-platform/internal/core/domain"
+)
+
+// PublicKey - defines the interface for public keys
+type PublicKey interface {
+	Equal([]byte) bool
+	String() string
+}
+
+type bjjPublicKey struct {
+	publicKey babyjub.PublicKey
+}
+
+// newBJJPublicKey creates a new PublicKey from a Claim
+func newBJJPublicKey(claim domain.Claim) PublicKey {
+	entry := claim.CoreClaim.Get()
+	bjjClaim := entry.RawSlotsAsInts()
+	var authCoreClaimPublicKey babyjub.PublicKey
+	authCoreClaimPublicKey.X = bjjClaim[2]
+	authCoreClaimPublicKey.Y = bjjClaim[3]
+	return &bjjPublicKey{publicKey: authCoreClaimPublicKey}
+}
+
+func (b *bjjPublicKey) Equal(pubKey []byte) bool {
+	compPubKey := b.publicKey.Compress()
+	return bytes.Equal(pubKey, compPubKey[:])
+}
+
+func (b *bjjPublicKey) String() string {
+	return "0x" + b.publicKey.String()
+}
+
+type unSupportedPublicKeyType struct{}
+
+func (u *unSupportedPublicKeyType) Equal([]byte) bool {
+	return false
+}
+
+func (u *unSupportedPublicKeyType) String() string {
+	return ""
+}
+
+// GetPublicKeyFromClaim returns the public key of the claim
+// If the schema is not supported, it returns an unSupportedPublicKeyType
+func GetPublicKeyFromClaim(c *domain.Claim) PublicKey {
+	if c.SchemaURL == verifiable.JSONSchemaIden3AuthBJJCredential {
+		return newBJJPublicKey(*c)
+	}
+	return &unSupportedPublicKeyType{}
+}
diff --git a/k8s/helm/templates/issuer-node-ui-deployment.yaml b/k8s/helm/templates/issuer-node-ui-deployment.yaml
index 2a8b1d1c6..1ca56222c 100644
--- a/k8s/helm/templates/issuer-node-ui-deployment.yaml
+++ b/k8s/helm/templates/issuer-node-ui-deployment.yaml
@@ -25,7 +25,7 @@ spec:
           image: {{ .Values.issuernode_ui_repository_image }}:{{ .Values.issuernode_ui_repository_tag }}
           imagePullPolicy: {{ .Values.uiIssuerNode.deployment.imagePullPolicy | quote }}
           ports:
-          - containerPort: {{ .Values.uiIssuerNode.deployment.containerPort }}
+            - containerPort: {{ .Values.uiIssuerNode.deployment.containerPort }}
           envFrom:
-          - configMapRef:
-              name: {{ .Values.uiIssuerNode.deployment.uiconfigMapRef }}
\ No newline at end of file
+            - configMapRef:
+                name: {{ .Values.uiIssuerNode.deployment.uiconfigMapRef }}
\ No newline at end of file
diff --git a/ui/package-lock.json b/ui/package-lock.json
index 6427b3cda..b76a8a5a0 100644
--- a/ui/package-lock.json
+++ b/ui/package-lock.json
@@ -8,6 +8,7 @@
       "name": "issuer-node-ui",
       "version": "1.0.0",
       "dependencies": {
+        "@iden3/js-crypto": "^1.1.0",
         "ajv": "^8.17.1",
         "ajv-formats": "^3.0.1",
         "ajv-formats-draft2019": "^1.6.1",
@@ -1240,6 +1241,12 @@
         "typescript": ">=5"
       }
     },
+    "node_modules/@iden3/js-crypto": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@iden3/js-crypto/-/js-crypto-1.1.0.tgz",
+      "integrity": "sha512-MbL7OpOxBoCybAPoorxrp+fwjDVESyDe6giIWxErjEIJy0Q2n1DU4VmKh4vDoCyhJx/RdVgT8Dkb59lKwISqsw==",
+      "license": "AGPL-3.0"
+    },
     "node_modules/@jridgewell/gen-mapping": {
       "version": "0.3.5",
       "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.5.tgz",
diff --git a/ui/package.json b/ui/package.json
index ad9f459d1..6bf0d357e 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -2,6 +2,7 @@
   "name": "issuer-node-ui",
   "version": "1.0.0",
   "dependencies": {
+    "@iden3/js-crypto": "^1.1.0",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
     "ajv-formats-draft2019": "^1.6.1",
diff --git a/ui/src/adapters/api/credentials.ts b/ui/src/adapters/api/credentials.ts
index 45ca7bb5a..1082dc0b5 100644
--- a/ui/src/adapters/api/credentials.ts
+++ b/ui/src/adapters/api/credentials.ts
@@ -12,14 +12,17 @@ import {
   serializeSorters,
 } from "src/adapters/api";
 import {
+  buildAppError,
   datetimeParser,
   getListParser,
   getResourceParser,
   getStrictParser,
 } from "src/adapters/parsers";
 import {
+  AuthCredential,
   Credential,
   CredentialDisplayMethod,
+  CredentialStatusType,
   DisplayMethodType,
   Env,
   IssuedMessage,
@@ -42,12 +45,14 @@ type CredentialInput = Pick<Credential, "id" | "revoked" | "schemaHash"> & {
     } & Record<string, unknown>;
     credentialStatus: {
       revocationNonce: number;
+      type: CredentialStatusType;
     } & Record<string, unknown>;
     credentialSubject: Record<string, unknown>;
     displayMethod?: CredentialDisplayMethod | null;
     expirationDate?: string | null;
     issuanceDate: string;
     issuer: string;
+    proof?: Array<{ type: ProofType }> | null;
     refreshService?: RefreshService | null;
     type: [string, string];
   };
@@ -69,6 +74,7 @@ export const credentialParser = getStrictParser<CredentialInput, Credential>()(
         credentialStatus: z
           .object({
             revocationNonce: z.number(),
+            type: z.nativeEnum(CredentialStatusType),
           })
           .and(z.record(z.unknown())),
         credentialSubject: z.record(z.unknown()),
@@ -79,6 +85,14 @@ export const credentialParser = getStrictParser<CredentialInput, Credential>()(
         expirationDate: datetimeParser.nullable().default(null),
         issuanceDate: datetimeParser,
         issuer: z.string(),
+        proof: z
+          .array(
+            z.object({
+              type: z.nativeEnum(ProofType),
+            })
+          )
+          .nullable()
+          .default(null),
         refreshService: z
           .object({ id: z.string(), type: z.literal("Iden3RefreshService2023") })
           .nullable()
@@ -100,6 +114,7 @@ export const credentialParser = getStrictParser<CredentialInput, Credential>()(
           expirationDate,
           issuanceDate,
           issuer,
+          proof,
           refreshService,
           type,
         },
@@ -108,12 +123,14 @@ export const credentialParser = getStrictParser<CredentialInput, Credential>()(
         const [, schemaType] = type;
 
         return {
+          credentialStatus,
           credentialSubject,
           displayMethod,
           expirationDate,
           expired,
           id,
           issuanceDate,
+          proof,
           proofTypes,
           refreshService,
           revNonce: credentialStatus.revocationNonce,
@@ -133,6 +150,27 @@ export const credentialStatusParser = getStrictParser<CredentialStatus>()(
   z.union([z.literal("all"), z.literal("revoked"), z.literal("expired")])
 );
 
+export type AuthCredentialSubjectInput = {
+  x: string;
+  y: string;
+};
+export type AuthCredentialSubject = {
+  x: bigint;
+  y: bigint;
+};
+
+export const authCredentialSubjectParser = getStrictParser<
+  AuthCredentialSubjectInput,
+  AuthCredentialSubject
+>()(
+  z
+    .object({
+      x: z.string().regex(/^\d+$/, "x must be a numeric string"),
+      y: z.string().regex(/^\d+$/, "y must be a numeric string"),
+    })
+    .transform(({ x, y }) => ({ x: BigInt(x), y: BigInt(y) }))
+);
+
 export async function getCredential({
   credentialID,
   env,
@@ -202,6 +240,65 @@ export async function getCredentials({
   }
 }
 
+export async function getAuthCredentialsByIDs({
+  env,
+  identifier,
+  IDs,
+  signal,
+}: {
+  IDs: Array<string>;
+  env: Env;
+  identifier: string;
+  signal?: AbortSignal;
+}): Promise<Response<List<AuthCredential>>> {
+  try {
+    const promises = IDs.map((id) => getCredential({ credentialID: id, env, identifier, signal }));
+    const credentials = await Promise.all(promises);
+
+    const { failed, successful } = credentials.reduce<List<AuthCredential>>(
+      (acc, credential) => {
+        try {
+          if (credential.success) {
+            const parsedCredentialSubject = authCredentialSubjectParser.parse({
+              x: credential.data.credentialSubject.x,
+              y: credential.data.credentialSubject.y,
+            });
+
+            const published =
+              credential.data.proof?.some(
+                ({ type }) => type === ProofType.Iden3SparseMerkleTreeProof
+              ) || false;
+
+            return {
+              ...acc,
+              successful: [
+                ...acc.successful,
+                {
+                  ...credential.data,
+                  credentialSubject: { ...parsedCredentialSubject },
+                  published,
+                },
+              ],
+            };
+          } else {
+            return { ...acc, failed: [...acc.failed, credential.error] };
+          }
+        } catch (error) {
+          return { ...acc, failed: [...acc.failed, buildAppError(error)] };
+        }
+      },
+      { failed: [], successful: [] }
+    );
+
+    return buildSuccessResponse({
+      failed,
+      successful,
+    });
+  } catch (error) {
+    return buildErrorResponse(error);
+  }
+}
+
 export type CreateCredential = {
   credentialSchema: string;
   credentialSubject: Json;
@@ -579,3 +676,33 @@ export async function getIssuedMessages({
     return buildErrorResponse(error);
   }
 }
+
+export type CreateAuthCredential = {
+  credentialStatusType: CredentialStatusType;
+  keyID: string;
+};
+
+export async function createAuthCredential({
+  env,
+  identifier,
+  payload,
+}: {
+  env: Env;
+  identifier: string;
+  payload: CreateAuthCredential;
+}): Promise<Response<ID>> {
+  try {
+    const response = await axios({
+      baseURL: env.api.url,
+      data: payload,
+      headers: {
+        Authorization: buildAuthorizationHeader(env),
+      },
+      method: "POST",
+      url: `${API_VERSION}/identities/${identifier}/create-auth-credential`,
+    });
+    return buildSuccessResponse(IDParser.parse(response.data));
+  } catch (error) {
+    return buildErrorResponse(error);
+  }
+}
diff --git a/ui/src/adapters/api/identities.ts b/ui/src/adapters/api/identities.ts
index 8e298c0d8..6303290d8 100644
--- a/ui/src/adapters/api/identities.ts
+++ b/ui/src/adapters/api/identities.ts
@@ -49,7 +49,7 @@ export async function getIdentities({
       url: `${API_VERSION}/identities`,
     });
 
-    return buildSuccessResponse(getListParser(identityParser).parse(response.data || []));
+    return buildSuccessResponse(getListParser(identityParser).parse(response.data));
   } catch (error) {
     return buildErrorResponse(error);
   }
@@ -101,6 +101,7 @@ export async function createIdentity({
 
 export const identityDetailsParser = getStrictParser<IdentityDetails>()(
   z.object({
+    authCredentialsIDs: z.array(z.string()),
     credentialStatusType: z.nativeEnum(CredentialStatusType),
     displayName: z.string().nullable(),
     identifier: z.string(),
diff --git a/ui/src/adapters/api/keys.ts b/ui/src/adapters/api/keys.ts
new file mode 100644
index 000000000..194bd9b3d
--- /dev/null
+++ b/ui/src/adapters/api/keys.ts
@@ -0,0 +1,168 @@
+import axios from "axios";
+import { z } from "zod";
+
+import { Response, buildErrorResponse, buildSuccessResponse } from "src/adapters";
+import { ID, IDParser, Message, buildAuthorizationHeader, messageParser } from "src/adapters/api";
+import { getResourceParser, getStrictParser } from "src/adapters/parsers";
+import { Env, Key, KeyType } from "src/domain";
+import { API_VERSION } from "src/utils/constants";
+import { Resource } from "src/utils/types";
+
+const keyParser = getStrictParser<Key>()(
+  z.object({
+    id: z.string(),
+    isAuthCredential: z.boolean(),
+    keyType: z.nativeEnum(KeyType),
+    name: z.string(),
+    publicKey: z.string(),
+  })
+);
+
+export async function getKeys({
+  env,
+  identifier,
+  params: { maxResults, page, type },
+  signal,
+}: {
+  env: Env;
+  identifier: string;
+  params: {
+    maxResults?: number;
+    page?: number;
+    type?: KeyType;
+  };
+  signal?: AbortSignal;
+}): Promise<Response<Resource<Key>>> {
+  try {
+    const response = await axios({
+      baseURL: env.api.url,
+      headers: {
+        Authorization: buildAuthorizationHeader(env),
+      },
+      method: "GET",
+      params: new URLSearchParams({
+        ...(maxResults !== undefined ? { max_results: maxResults.toString() } : {}),
+        ...(page !== undefined ? { page: page.toString() } : {}),
+        ...(type !== undefined ? { type } : {}),
+      }),
+      signal,
+      url: `${API_VERSION}/identities/${identifier}/keys`,
+    });
+    return buildSuccessResponse(getResourceParser(keyParser).parse(response.data));
+  } catch (error) {
+    return buildErrorResponse(error);
+  }
+}
+
+export async function getKey({
+  env,
+  identifier,
+  keyID,
+  signal,
+}: {
+  env: Env;
+  identifier: string;
+  keyID: string;
+  signal?: AbortSignal;
+}): Promise<Response<Key>> {
+  try {
+    const response = await axios({
+      baseURL: env.api.url,
+      headers: {
+        Authorization: buildAuthorizationHeader(env),
+      },
+      method: "GET",
+      signal,
+      url: `${API_VERSION}/identities/${identifier}/keys/${keyID}`,
+    });
+    return buildSuccessResponse(keyParser.parse(response.data));
+  } catch (error) {
+    return buildErrorResponse(error);
+  }
+}
+
+export type CreateKey = {
+  keyType: KeyType;
+  name: string;
+};
+
+export async function createKey({
+  env,
+  identifier,
+  payload,
+}: {
+  env: Env;
+  identifier: string;
+  payload: CreateKey;
+}): Promise<Response<ID>> {
+  try {
+    const response = await axios({
+      baseURL: env.api.url,
+      data: payload,
+      headers: {
+        Authorization: buildAuthorizationHeader(env),
+      },
+      method: "POST",
+      url: `${API_VERSION}/identities/${identifier}/keys`,
+    });
+    return buildSuccessResponse(IDParser.parse(response.data));
+  } catch (error) {
+    return buildErrorResponse(error);
+  }
+}
+
+export type UpdateKey = {
+  name: string;
+};
+
+export async function updateKeyName({
+  env,
+  identifier,
+  keyID,
+  payload,
+}: {
+  env: Env;
+  identifier: string;
+  keyID: string;
+  payload: UpdateKey;
+}) {
+  try {
+    await axios({
+      baseURL: env.api.url,
+      data: payload,
+      headers: {
+        Authorization: buildAuthorizationHeader(env),
+      },
+      method: "PATCH",
+      url: `${API_VERSION}/identities/${identifier}/keys/${keyID}`,
+    });
+
+    return buildSuccessResponse(undefined);
+  } catch (error) {
+    return buildErrorResponse(error);
+  }
+}
+
+export async function deleteKey({
+  env,
+  identifier,
+  keyID,
+}: {
+  env: Env;
+  identifier: string;
+  keyID: string;
+}): Promise<Response<Message>> {
+  try {
+    const response = await axios({
+      baseURL: env.api.url,
+      headers: {
+        Authorization: buildAuthorizationHeader(env),
+      },
+      method: "DELETE",
+      url: `${API_VERSION}/identities/${identifier}/keys/${keyID}`,
+    });
+    return buildSuccessResponse(messageParser.parse(response.data));
+  } catch (error) {
+    return buildErrorResponse(error);
+  }
+}
diff --git a/ui/src/adapters/index.ts b/ui/src/adapters/index.ts
index e566ba8ed..1c683edad 100644
--- a/ui/src/adapters/index.ts
+++ b/ui/src/adapters/index.ts
@@ -1,5 +1,5 @@
+import { buildAppError } from "src/adapters/parsers";
 import { AppError } from "src/domain";
-import { buildAppError } from "src/utils/error";
 
 type SuccessResponse<D> = {
   data: D;
diff --git a/ui/src/adapters/jsonSchemas.ts b/ui/src/adapters/jsonSchemas.ts
index f3ed5c401..1c75f89a8 100644
--- a/ui/src/adapters/jsonSchemas.ts
+++ b/ui/src/adapters/jsonSchemas.ts
@@ -1,8 +1,8 @@
 import { Response } from "src/adapters";
 import { getJsonFromUrl } from "src/adapters/json";
+import { buildAppError } from "src/adapters/parsers";
 import { getJsonLdTypeParser, jsonSchemaParser } from "src/adapters/parsers/jsonSchemas";
 import { Env, Json, JsonLdType, JsonSchema } from "src/domain";
-import { buildAppError } from "src/utils/error";
 
 export async function getJsonSchemaFromUrl({
   env,
diff --git a/ui/src/adapters/parsers/index.ts b/ui/src/adapters/parsers/index.ts
index ed71013e2..643d3f42a 100644
--- a/ui/src/adapters/parsers/index.ts
+++ b/ui/src/adapters/parsers/index.ts
@@ -1,5 +1,9 @@
+import { message } from "antd";
+import { MessageType } from "antd/es/message/interface";
+import { isAxiosError, isCancel } from "axios";
 import { z } from "zod";
 
+import { AppError } from "src/domain";
 import { List, ResourceMeta } from "src/utils/types";
 
 export function getListParser<Input, Output = Input>(
@@ -11,23 +15,30 @@ export function getListParser<Input, Output = Input>(
         (acc: List<Output>, curr: unknown, index): List<Output> => {
           const parsed = parser.safeParse(curr);
 
-          return parsed.success
-            ? {
-                ...acc,
-                successful: [...acc.successful, parsed.data],
-              }
-            : {
-                ...acc,
-                failed: [
-                  ...acc.failed,
-                  new z.ZodError<Output>(
-                    parsed.error.issues.map((issue) => ({
-                      ...issue,
-                      path: [index, ...issue.path],
-                    }))
-                  ),
-                ],
-              };
+          if (parsed.success) {
+            return {
+              ...acc,
+              successful: [...acc.successful, parsed.data],
+            };
+          } else {
+            const error = new z.ZodError<Output>(
+              parsed.error.issues.map((issue) => ({
+                ...issue,
+                path: [index, ...issue.path],
+              }))
+            );
+            return {
+              ...acc,
+              failed: [
+                ...acc.failed,
+                {
+                  error,
+                  message: processZodError(error).join("\n"),
+                  type: "parse-error",
+                },
+              ],
+            };
+          }
         },
         { failed: [], successful: [] }
       )
@@ -119,3 +130,132 @@ export function getStrictParser<Input, Output = Input>(): <
 ) => z.ZodSchema<Output, z.ZodTypeDef, Input> {
   return (parser: z.ZodSchema) => parser;
 }
+
+export function processZodError<T>(error: z.ZodError<T>, init: string[] = []) {
+  return error.errors.reduce((mainAcc, issue): string[] => {
+    switch (issue.code) {
+      case "invalid_union": {
+        return [
+          ...mainAcc,
+          ...issue.unionErrors.reduce(
+            (innerAcc: string[], current: z.ZodError<T>): string[] => [
+              ...innerAcc,
+              ...processZodError(current),
+            ],
+            []
+          ),
+        ];
+      }
+
+      default: {
+        const errorMsg = issue.path.length
+          ? `${issue.message} at ${issue.path.join(".")}`
+          : issue.message;
+        return [...mainAcc, errorMsg];
+      }
+    }
+  }, init);
+}
+
+export function notifyError(error: AppError, compact = false): MessageType[] {
+  if (!compact && error.type === "parse-error") {
+    return notifyParseError(error.error);
+  } else {
+    return [message.error(error.message)];
+  }
+}
+
+export function notifyParseError(error: z.ZodError): MessageType[] {
+  return processZodError(error).map((error) => message.error(error));
+}
+
+export function notifyErrors(errors: AppError[]): MessageType[] {
+  return errors.reduce(
+    (acc: MessageType[], curr) => [
+      ...acc,
+      ...(curr.type === "parse-error" ? notifyParseError(curr.error) : notifyError(curr)),
+    ],
+    []
+  );
+}
+
+const messageParser = getStrictParser<{ message: string }>()(z.object({ message: z.string() }));
+
+export function buildAppError(error: unknown): AppError {
+  if (typeof error === "string") {
+    return {
+      message: error,
+      type: "custom-error",
+    };
+  } else if (isCancel(error)) {
+    return {
+      error,
+      message: error.message
+        ? `The request has been aborted. ${error.message}`
+        : "The request has been aborted.",
+      type: "cancel-error",
+    };
+  } else if (isAxiosError(error)) {
+    const parsedMessage = messageParser.safeParse(error.response?.data);
+
+    return {
+      error,
+      message: parsedMessage.success
+        ? `${error.message}: ${parsedMessage.data.message}`
+        : error.message,
+      type: "request-error",
+    };
+  } else if (error instanceof z.ZodError) {
+    return {
+      error,
+      message: processZodError(error).join("\n"),
+      type: "parse-error",
+    };
+  } else if (error instanceof Error) {
+    return {
+      error,
+      message: error.message,
+      type: "general-error",
+    };
+  } else {
+    return {
+      error,
+      message: "Unknown error",
+      type: "unknown-error",
+    };
+  }
+}
+
+export const envErrorToString = (error: AppError) =>
+  [
+    "An error occurred while reading the environment variables:",
+    error.message,
+    "Please provide valid environment variables.",
+  ].join("\n");
+
+export const credentialSubjectValueErrorToString = (error: AppError) =>
+  [
+    error.type === "parse-error" || error.type === "custom-error"
+      ? "An error occurred while parsing the value of the credentialSubject:"
+      : "An error occurred while processing the value of the credentialSubject",
+    error.message,
+    "Please try again.",
+  ].join("\n");
+
+export const jsonSchemaErrorToString = (error: AppError) =>
+  [
+    error.type === "parse-error" || error.type === "custom-error"
+      ? "An error occurred while parsing the JSON Schema:"
+      : "An error occurred while downloading the JSON Schema:",
+    error.message,
+    "Please try again.",
+  ].join("\n");
+
+export const jsonLdContextErrorToString = (error: AppError) =>
+  [
+    error.type === "parse-error" || error.type === "custom-error"
+      ? "An error occurred while parsing the JSON LD Type referenced in this schema:"
+      : "An error occurred while downloading the JSON LD Type referenced in this schema:",
+    error.message,
+    "Please try again.",
+  ].join("\n");
diff --git a/ui/src/components/connections/ConnectionsTable.tsx b/ui/src/components/connections/ConnectionsTable.tsx
index ae66e8a82..6a9bbc3ce 100644
--- a/ui/src/components/connections/ConnectionsTable.tsx
+++ b/ui/src/components/connections/ConnectionsTable.tsx
@@ -16,7 +16,7 @@ import { generatePath, useNavigate, useSearchParams } from "react-router-dom";
 
 import { Sorter, parseSorters, serializeSorters } from "src/adapters/api";
 import { getConnections } from "src/adapters/api/connections";
-import { positiveIntegerFromStringParser } from "src/adapters/parsers";
+import { notifyErrors, positiveIntegerFromStringParser } from "src/adapters/parsers";
 import { tableSorterParser } from "src/adapters/parsers/view";
 import IconCreditCardPlus from "src/assets/icons/credit-card-plus.svg?react";
 import IconDots from "src/assets/icons/dots-vertical.svg?react";
@@ -49,7 +49,6 @@ import {
   QUERY_SEARCH_PARAM,
   SORT_PARAM,
 } from "src/utils/constants";
-import { notifyParseErrors } from "src/utils/error";
 
 export function ConnectionsTable() {
   const env = useEnvContext();
@@ -217,7 +216,7 @@ export function ConnectionsTable() {
           maxResults: response.data.meta.max_results,
           page: response.data.meta.page,
         });
-        notifyParseErrors(response.data.items.failed);
+        void notifyErrors(response.data.items.failed);
       } else {
         if (!isAbortedError(response.error)) {
           setConnections({ error: response.error, status: "failed" });
diff --git a/ui/src/components/connections/CredentialsTable.tsx b/ui/src/components/connections/CredentialsTable.tsx
index 2868d3453..23b41b537 100644
--- a/ui/src/components/connections/CredentialsTable.tsx
+++ b/ui/src/components/connections/CredentialsTable.tsx
@@ -21,6 +21,7 @@ import {
   credentialStatusParser,
   getCredentials,
 } from "src/adapters/api/credentials";
+import { notifyErrors, notifyParseError } from "src/adapters/parsers";
 import IconCreditCardRefresh from "src/assets/icons/credit-card-refresh.svg?react";
 import IconDots from "src/assets/icons/dots-vertical.svg?react";
 import IconInfoCircle from "src/assets/icons/info-circle.svg?react";
@@ -49,7 +50,6 @@ import {
   REVOCATION,
   REVOKE,
 } from "src/utils/constants";
-import { notifyParseError, notifyParseErrors } from "src/utils/error";
 import { formatDate } from "src/utils/forms";
 
 export function CredentialsTable({ userID }: { userID: string }) {
@@ -199,7 +199,7 @@ export function CredentialsTable({ userID }: { userID: string }) {
             data: response.data.items.successful,
             status: "successful",
           });
-          notifyParseErrors(response.data.items.failed);
+          void notifyErrors(response.data.items.failed);
         } else {
           if (!isAbortedError(response.error)) {
             setCredentials({ error: response.error, status: "failed" });
@@ -215,7 +215,7 @@ export function CredentialsTable({ userID }: { userID: string }) {
     if (parsedCredentialStatus.success) {
       setCredentialStatus(parsedCredentialStatus.data);
     } else {
-      notifyParseError(parsedCredentialStatus.error);
+      void notifyParseError(parsedCredentialStatus.error);
     }
   };
 
diff --git a/ui/src/components/credentials/CreateAuthCredential.tsx b/ui/src/components/credentials/CreateAuthCredential.tsx
new file mode 100644
index 000000000..9b1b4eb4e
--- /dev/null
+++ b/ui/src/components/credentials/CreateAuthCredential.tsx
@@ -0,0 +1,210 @@
+import { App, Button, Card, Divider, Flex, Form, Select, Space } from "antd";
+import { useCallback, useEffect, useState } from "react";
+import { generatePath, useNavigate } from "react-router-dom";
+import {
+  CreateAuthCredential as CreateAuthCredentialType,
+  createAuthCredential,
+} from "src/adapters/api/credentials";
+import { getSupportedBlockchains } from "src/adapters/api/identities";
+import { getKeys } from "src/adapters/api/keys";
+import { notifyErrors } from "src/adapters/parsers";
+import { ErrorResult } from "src/components/shared/ErrorResult";
+import { LoadingResult } from "src/components/shared/LoadingResult";
+
+import { SiderLayoutContent } from "src/components/shared/SiderLayoutContent";
+import { useEnvContext } from "src/contexts/Env";
+import { useIdentityContext } from "src/contexts/Identity";
+import { AppError, CredentialStatusType, Key, KeyType } from "src/domain";
+import { ROUTES } from "src/routes";
+import {
+  AsyncTask,
+  hasAsyncTaskFailed,
+  isAsyncTaskDataAvailable,
+  isAsyncTaskStarting,
+} from "src/utils/async";
+import { isAbortedError, makeRequestAbortable } from "src/utils/browser";
+import { VALUE_REQUIRED } from "src/utils/constants";
+
+export function CreateAuthCredential() {
+  const env = useEnvContext();
+  const { identifier } = useIdentityContext();
+  const [form] = Form.useForm<CreateAuthCredentialType>();
+  const navigate = useNavigate();
+  const { message } = App.useApp();
+
+  const [keys, setKeys] = useState<AsyncTask<Key[], AppError>>({
+    status: "pending",
+  });
+
+  const [credentialStatusTypes, setCredentialStatusTypes] = useState<
+    AsyncTask<CredentialStatusType[], AppError>
+  >({
+    status: "pending",
+  });
+
+  const handleSubmit = (formValues: CreateAuthCredentialType) => {
+    return void createAuthCredential({
+      env,
+      identifier,
+      payload: formValues,
+    }).then((response) => {
+      if (response.success) {
+        void message.success("Auth credential added successfully");
+        navigate(generatePath(ROUTES.identityDetails.path, { identityID: identifier }));
+      } else {
+        void message.error(response.error.message);
+      }
+    });
+  };
+
+  const fetchKeys = useCallback(
+    async (signal?: AbortSignal) => {
+      setKeys((previousKeys) =>
+        isAsyncTaskDataAvailable(previousKeys)
+          ? { data: previousKeys.data, status: "reloading" }
+          : { status: "loading" }
+      );
+
+      const response = await getKeys({
+        env,
+        identifier,
+        params: {
+          type: KeyType.babyjubJub,
+        },
+        signal,
+      });
+      if (response.success) {
+        setKeys({
+          data: response.data.items.successful,
+          status: "successful",
+        });
+
+        void notifyErrors(response.data.items.failed);
+      } else {
+        if (!isAbortedError(response.error)) {
+          setKeys({ error: response.error, status: "failed" });
+        }
+      }
+    },
+    [env, identifier]
+  );
+
+  const fetchBlockChains = useCallback(
+    async (signal: AbortSignal) => {
+      setCredentialStatusTypes((previousState) =>
+        isAsyncTaskDataAvailable(previousState)
+          ? { data: previousState.data, status: "reloading" }
+          : { status: "loading" }
+      );
+
+      const response = await getSupportedBlockchains({
+        env,
+        signal,
+      });
+
+      if (response.success) {
+        const [, , blockchain = "", network = ""] = identifier.split(":");
+        const identityBlockchainNetworks =
+          response.data.successful.find(({ name }) => name === blockchain)?.networks || [];
+        const identityNetworkCredentialStatusTypes =
+          identityBlockchainNetworks.find(({ name }) => name === network)?.credentialStatus || [];
+
+        setCredentialStatusTypes({
+          data: identityNetworkCredentialStatusTypes,
+          status: "successful",
+        });
+      } else {
+        if (!isAbortedError(response.error)) {
+          setCredentialStatusTypes({ error: response.error, status: "failed" });
+          void message.error(response.error.message);
+        }
+      }
+    },
+    [env, message, identifier]
+  );
+
+  useEffect(() => {
+    const { aborter } = makeRequestAbortable(fetchKeys);
+
+    return aborter;
+  }, [fetchKeys]);
+
+  useEffect(() => {
+    const { aborter } = makeRequestAbortable(fetchBlockChains);
+
+    return aborter;
+  }, [fetchBlockChains]);
+
+  return (
+    <SiderLayoutContent
+      description="Create a new auth credential"
+      showBackButton
+      showDivider
+      title="Add new auth credential"
+    >
+      {(() => {
+        if (hasAsyncTaskFailed(keys) || hasAsyncTaskFailed(credentialStatusTypes)) {
+          return (
+            <Card className="centered">
+              {hasAsyncTaskFailed(keys) && <ErrorResult error={keys.error.message} />};
+              {hasAsyncTaskFailed(credentialStatusTypes) && (
+                <ErrorResult error={credentialStatusTypes.error.message} />
+              )}
+              ;
+            </Card>
+          );
+        } else if (isAsyncTaskStarting(keys) || isAsyncTaskStarting(credentialStatusTypes)) {
+          return (
+            <Card className="centered">
+              <LoadingResult />
+            </Card>
+          );
+        } else {
+          return (
+            <Card className="centered" title="Auth credential details">
+              <Space direction="vertical" size="large">
+                <Form form={form} layout="vertical" onFinish={handleSubmit}>
+                  <Form.Item
+                    label="Key"
+                    name="keyID"
+                    rules={[{ message: VALUE_REQUIRED, required: true }]}
+                  >
+                    <Select className="full-width" placeholder="Choose a key">
+                      {keys.data.map(({ id, name }) => (
+                        <Select.Option key={id} value={id}>
+                          {name}
+                        </Select.Option>
+                      ))}
+                    </Select>
+                  </Form.Item>
+
+                  <Form.Item
+                    label="Credential status"
+                    name="credentialStatusType"
+                    rules={[{ message: VALUE_REQUIRED, required: true }]}
+                  >
+                    <Select className="full-width" placeholder="Choose a credential status type">
+                      {credentialStatusTypes.data.map((type) => (
+                        <Select.Option key={type} value={type}>
+                          {type}
+                        </Select.Option>
+                      ))}
+                    </Select>
+                  </Form.Item>
+
+                  <Divider />
+
+                  <Flex justify="flex-end">
+                    <Button htmlType="submit" type="primary">
+                      Submit
+                    </Button>
+                  </Flex>
+                </Form>
+              </Space>
+            </Card>
+          );
+        }
+      })()}
+    </SiderLayoutContent>
+  );
+}
diff --git a/ui/src/components/credentials/CredentialDetails.tsx b/ui/src/components/credentials/CredentialDetails.tsx
index 18b0fde64..41d32de85 100644
--- a/ui/src/components/credentials/CredentialDetails.tsx
+++ b/ui/src/components/credentials/CredentialDetails.tsx
@@ -4,6 +4,7 @@ import { generatePath, useNavigate, useParams } from "react-router-dom";
 
 import { getCredential, getIssuedMessages } from "src/adapters/api/credentials";
 import { getJsonSchemaFromUrl } from "src/adapters/jsonSchemas";
+import { buildAppError, credentialSubjectValueErrorToString } from "src/adapters/parsers";
 import { getAttributeValueParser } from "src/adapters/parsers/jsonSchemas";
 import IconTrash from "src/assets/icons/trash-01.svg?react";
 import IconClose from "src/assets/icons/x.svg?react";
@@ -26,7 +27,6 @@ import {
 } from "src/utils/async";
 import { isAbortedError, makeRequestAbortable } from "src/utils/browser";
 import { CREDENTIALS_TABS, DELETE, REVOKE } from "src/utils/constants";
-import { buildAppError, credentialSubjectValueErrorToString } from "src/utils/error";
 import { formatDate } from "src/utils/forms";
 import { extractCredentialSubjectAttribute } from "src/utils/jsonSchemas";
 
diff --git a/ui/src/components/credentials/CredentialsTable.tsx b/ui/src/components/credentials/CredentialsTable.tsx
index a6e5964e1..a61baf69e 100644
--- a/ui/src/components/credentials/CredentialsTable.tsx
+++ b/ui/src/components/credentials/CredentialsTable.tsx
@@ -19,7 +19,11 @@ import { Link, generatePath, useNavigate, useSearchParams } from "react-router-d
 
 import { Sorter, parseSorters, serializeSorters } from "src/adapters/api";
 import { credentialStatusParser, getCredentials } from "src/adapters/api/credentials";
-import { positiveIntegerFromStringParser } from "src/adapters/parsers";
+import {
+  notifyErrors,
+  notifyParseError,
+  positiveIntegerFromStringParser,
+} from "src/adapters/parsers";
 import { tableSorterParser } from "src/adapters/parsers/view";
 import IconCreditCardPlus from "src/assets/icons/credit-card-plus.svg?react";
 import IconCreditCardRefresh from "src/assets/icons/credit-card-refresh.svg?react";
@@ -57,7 +61,6 @@ import {
   SORT_PARAM,
   STATUS_SEARCH_PARAM,
 } from "src/utils/constants";
-import { notifyParseError, notifyParseErrors } from "src/utils/error";
 import { formatDate } from "src/utils/forms";
 
 export function CredentialsTable() {
@@ -270,7 +273,7 @@ export function CredentialsTable() {
           maxResults: response.data.meta.max_results,
           page: response.data.meta.page,
         });
-        notifyParseErrors(response.data.items.failed);
+        void notifyErrors(response.data.items.failed);
       } else {
         if (!isAbortedError(response.error)) {
           setCredentials({ error: response.error, status: "failed" });
@@ -321,7 +324,7 @@ export function CredentialsTable() {
 
       setSearchParams(params);
     } else {
-      notifyParseError(parsedCredentialStatus.error);
+      void notifyParseError(parsedCredentialStatus.error);
     }
   };
 
diff --git a/ui/src/components/credentials/IssuanceMethodForm.tsx b/ui/src/components/credentials/IssuanceMethodForm.tsx
index ae5633b92..433f11320 100644
--- a/ui/src/components/credentials/IssuanceMethodForm.tsx
+++ b/ui/src/components/credentials/IssuanceMethodForm.tsx
@@ -17,6 +17,7 @@ import dayjs from "dayjs";
 import { useCallback, useEffect, useState } from "react";
 
 import { getConnections } from "src/adapters/api/connections";
+import { notifyErrors } from "src/adapters/parsers";
 import { IssuanceMethodFormData, issuanceMethodFormDataParser } from "src/adapters/parsers/view";
 import IconRight from "src/assets/icons/arrow-narrow-right.svg?react";
 import { useEnvContext } from "src/contexts/Env";
@@ -25,7 +26,6 @@ import { AppError, Connection } from "src/domain";
 import { AsyncTask, isAsyncTaskDataAvailable } from "src/utils/async";
 import { makeRequestAbortable } from "src/utils/browser";
 import { ACCESSIBLE_UNTIL, CREDENTIAL_LINK, VALUE_REQUIRED } from "src/utils/constants";
-import { notifyParseErrors } from "src/utils/error";
 
 export function IssuanceMethodForm({
   initialValues,
@@ -64,7 +64,7 @@ export function IssuanceMethodForm({
 
       if (response.success) {
         setConnections({ data: response.data.items.successful, status: "successful" });
-        notifyParseErrors(response.data.items.failed);
+        void notifyErrors(response.data.items.failed);
       } else {
         setConnections({ error: response.error, status: "failed" });
       }
diff --git a/ui/src/components/credentials/IssueCredential.tsx b/ui/src/components/credentials/IssueCredential.tsx
index a74e30193..83a28897d 100644
--- a/ui/src/components/credentials/IssueCredential.tsx
+++ b/ui/src/components/credentials/IssueCredential.tsx
@@ -3,6 +3,7 @@ import { useCallback, useEffect, useState } from "react";
 import { generatePath, useNavigate, useSearchParams } from "react-router-dom";
 
 import { createCredential, createLink } from "src/adapters/api/credentials";
+import { notifyParseError } from "src/adapters/parsers";
 import {
   CredentialDirectIssuance,
   CredentialFormInput,
@@ -23,7 +24,6 @@ import { ApiSchema, JsonSchema, ProofType } from "src/domain";
 import { ROUTES } from "src/routes";
 import { AsyncTask, isAsyncTaskDataAvailable } from "src/utils/async";
 import { DID_SEARCH_PARAM, ISSUE_CREDENTIAL, SCHEMA_SEARCH_PARAM } from "src/utils/constants";
-import { notifyParseError } from "src/utils/error";
 import {
   extractCredentialSubjectAttribute,
   extractCredentialSubjectAttributeWithoutId,
@@ -140,7 +140,7 @@ export function IssueCredential() {
           void message.error(response.error.message);
         }
       } else {
-        notifyParseError(serializedCredentialForm.error);
+        void notifyParseError(serializedCredentialForm.error);
       }
       setIsLoading(false);
     }
@@ -188,7 +188,7 @@ export function IssueCredential() {
           void message.error(response.error.message);
         }
       } else {
-        notifyParseError(serializedCredentialForm.error);
+        void notifyParseError(serializedCredentialForm.error);
       }
 
       setIsLoading(false);
@@ -270,7 +270,7 @@ export function IssueCredential() {
                           });
                         }
                       } else {
-                        notifyParseError(parsedForm.error);
+                        void notifyParseError(parsedForm.error);
                       }
                     }}
                     type={credentialFormInput.issuanceMethod.type}
diff --git a/ui/src/components/credentials/IssueCredentialForm.tsx b/ui/src/components/credentials/IssueCredentialForm.tsx
index cf4e2fe0a..85aa8fa1c 100644
--- a/ui/src/components/credentials/IssueCredentialForm.tsx
+++ b/ui/src/components/credentials/IssueCredentialForm.tsx
@@ -26,6 +26,7 @@ import { z } from "zod";
 import { getDisplayMethods } from "src/adapters/api/display-method";
 import { getApiSchemas } from "src/adapters/api/schemas";
 import { getJsonSchemaFromUrl } from "src/adapters/jsonSchemas";
+import { buildAppError, jsonSchemaErrorToString, notifyError } from "src/adapters/parsers";
 import {
   IssueCredentialFormData,
   dayjsInstanceParser,
@@ -58,7 +59,6 @@ import {
   URL_FIELD_ERROR_MESSAGE,
   VALUE_REQUIRED,
 } from "src/utils/constants";
-import { buildAppError, jsonSchemaErrorToString, notifyError } from "src/utils/error";
 import {
   extractCredentialSubjectAttributeWithoutId,
   makeAttributeOptional,
@@ -215,10 +215,10 @@ export function IssueCredentialForm({
             );
           }
         } catch (error) {
-          notifyError(buildAppError(error));
+          void notifyError(buildAppError(error));
         }
       } else {
-        notifyError(buildAppError(serializedSchemaForm.error));
+        void notifyError(buildAppError(serializedSchemaForm.error));
       }
     }
     return false;
diff --git a/ui/src/components/credentials/LinkDetails.tsx b/ui/src/components/credentials/LinkDetails.tsx
index a10595d83..ed89d3c35 100644
--- a/ui/src/components/credentials/LinkDetails.tsx
+++ b/ui/src/components/credentials/LinkDetails.tsx
@@ -4,6 +4,7 @@ import { generatePath, useNavigate, useParams } from "react-router-dom";
 
 import { getLink } from "src/adapters/api/credentials";
 import { getJsonSchemaFromUrl } from "src/adapters/jsonSchemas";
+import { buildAppError, credentialSubjectValueErrorToString } from "src/adapters/parsers";
 import { getAttributeValueParser } from "src/adapters/parsers/jsonSchemas";
 import IconTrash from "src/assets/icons/trash-01.svg?react";
 import { LinkDeleteModal } from "src/components/credentials/LinkDeleteModal";
@@ -24,7 +25,6 @@ import {
 } from "src/utils/async";
 import { isAbortedError, makeRequestAbortable } from "src/utils/browser";
 import { CREDENTIALS_TABS, DELETE } from "src/utils/constants";
-import { buildAppError, credentialSubjectValueErrorToString } from "src/utils/error";
 import { formatDate } from "src/utils/forms";
 import { extractCredentialSubjectAttributeWithoutId } from "src/utils/jsonSchemas";
 
diff --git a/ui/src/components/credentials/LinksTable.tsx b/ui/src/components/credentials/LinksTable.tsx
index 301e1c336..d9a682527 100644
--- a/ui/src/components/credentials/LinksTable.tsx
+++ b/ui/src/components/credentials/LinksTable.tsx
@@ -22,6 +22,7 @@ import { useCallback, useEffect, useState } from "react";
 import { generatePath, useNavigate, useSearchParams } from "react-router-dom";
 
 import { getLinks, linkStatusParser, updateLink } from "src/adapters/api/credentials";
+import { notifyErrors } from "src/adapters/parsers";
 import IconCreditCardPlus from "src/assets/icons/credit-card-plus.svg?react";
 import IconDots from "src/assets/icons/dots-vertical.svg?react";
 import IconInfoCircle from "src/assets/icons/info-circle.svg?react";
@@ -46,7 +47,6 @@ import {
   STATUS,
   STATUS_SEARCH_PARAM,
 } from "src/utils/constants";
-import { notifyParseErrors } from "src/utils/error";
 import { formatDate } from "src/utils/forms";
 
 export function LinksTable() {
@@ -231,7 +231,7 @@ export function LinksTable() {
 
       if (response.success) {
         setLinks({ data: response.data.successful, status: "successful" });
-        notifyParseErrors(response.data.failed);
+        void notifyErrors(response.data.failed);
       } else {
         if (!isAbortedError(response.error)) {
           setLinks({ error: response.error, status: "failed" });
diff --git a/ui/src/components/display-methods/DisplayMethodDetails.tsx b/ui/src/components/display-methods/DisplayMethodDetails.tsx
index 9174a944d..1f13e8fd1 100644
--- a/ui/src/components/display-methods/DisplayMethodDetails.tsx
+++ b/ui/src/components/display-methods/DisplayMethodDetails.tsx
@@ -24,6 +24,7 @@ import {
   updateDisplayMethod,
 } from "src/adapters/api/display-method";
 import { processUrl } from "src/adapters/api/schemas";
+import { buildAppError, notifyError } from "src/adapters/parsers";
 import IconDots from "src/assets/icons/dots-vertical.svg?react";
 import EditIcon from "src/assets/icons/edit-02.svg?react";
 import { DisplayMethodCard } from "src/components/display-methods/DisplayMethodCard";
@@ -45,7 +46,6 @@ import {
   isAsyncTaskStarting,
 } from "src/utils/async";
 import { isAbortedError, makeRequestAbortable } from "src/utils/browser";
-import { buildAppError, notifyError } from "src/utils/error";
 
 function Details({ data }: { data: DisplayMethod }) {
   const env = useEnvContext();
@@ -170,11 +170,11 @@ export function DisplayMethodDetails() {
           void fetchDisplayMethod();
           setIsEditModalOpen(false);
         } else {
-          notifyError(buildAppError(response.error.message));
+          void notifyError(buildAppError(response.error.message));
         }
       });
     } else {
-      notifyError(buildAppError(`"${url}" is not a valid URL`));
+      void notifyError(buildAppError(`"${url}" is not a valid URL`));
     }
   };
 
diff --git a/ui/src/components/display-methods/DisplayMethodForm.tsx b/ui/src/components/display-methods/DisplayMethodForm.tsx
index 7497d21ea..ce0e1e2bc 100644
--- a/ui/src/components/display-methods/DisplayMethodForm.tsx
+++ b/ui/src/components/display-methods/DisplayMethodForm.tsx
@@ -3,12 +3,12 @@ import { useState } from "react";
 import { z } from "zod";
 
 import { UpsertDisplayMethod, getDisplayMethodMetadata } from "src/adapters/api/display-method";
+import { buildAppError, notifyError } from "src/adapters/parsers";
 import { DisplayMethodErrorResult } from "src/components/display-methods/DisplayMethodErrorResult";
 import { useEnvContext } from "src/contexts/Env";
 import { AppError, DisplayMethodMetadata } from "src/domain";
 import { AsyncTask, hasAsyncTaskFailed, isAsyncTaskStarting } from "src/utils/async";
 import { VALUE_REQUIRED } from "src/utils/constants";
-import { buildAppError, notifyError } from "src/utils/error";
 
 export function DisplayMethodForm({
   initialValues,
@@ -39,7 +39,7 @@ export function DisplayMethodForm({
         }
       });
     } else {
-      notifyError(buildAppError(`"${url}" is not a valid URL`));
+      void notifyError(buildAppError(`"${url}" is not a valid URL`));
     }
   };
 
diff --git a/ui/src/components/display-methods/DisplayMethodsTable.tsx b/ui/src/components/display-methods/DisplayMethodsTable.tsx
index 1dd58558a..86f52558f 100644
--- a/ui/src/components/display-methods/DisplayMethodsTable.tsx
+++ b/ui/src/components/display-methods/DisplayMethodsTable.tsx
@@ -16,7 +16,7 @@ import { Link, generatePath, useNavigate, useSearchParams } from "react-router-d
 
 import { Sorter, parseSorters, serializeSorters } from "src/adapters/api";
 import { deleteDisplayMethod, getDisplayMethods } from "src/adapters/api/display-method";
-import { positiveIntegerFromStringParser } from "src/adapters/parsers";
+import { notifyErrors, positiveIntegerFromStringParser } from "src/adapters/parsers";
 import { tableSorterParser } from "src/adapters/parsers/view";
 import IconIssuers from "src/assets/icons/building-08.svg?react";
 import IconCheckMark from "src/assets/icons/check.svg?react";
@@ -46,7 +46,6 @@ import {
   QUERY_SEARCH_PARAM,
   SORT_PARAM,
 } from "src/utils/constants";
-import { notifyParseErrors } from "src/utils/error";
 
 export function DisplayMethodsTable() {
   const env = useEnvContext();
@@ -240,7 +239,7 @@ export function DisplayMethodsTable() {
           maxResults: response.data.meta.max_results,
           page: response.data.meta.page,
         });
-        notifyParseErrors(response.data.items.failed);
+        void notifyErrors(response.data.items.failed);
       } else {
         if (!isAbortedError(response.error)) {
           setDisplayMethods({ error: response.error, status: "failed" });
diff --git a/ui/src/components/identities/Identity.tsx b/ui/src/components/identities/Identity.tsx
index 1557698be..808b019dd 100644
--- a/ui/src/components/identities/Identity.tsx
+++ b/ui/src/components/identities/Identity.tsx
@@ -1,4 +1,4 @@
-import { App, Button, Card, Flex, Form, Input, Space } from "antd";
+import { App, Button, Card, Divider, Flex, Form, Input, Space } from "antd";
 import { useCallback, useEffect, useState } from "react";
 import { useParams } from "react-router-dom";
 import { useIdentityContext } from "../../contexts/Identity";
@@ -7,6 +7,7 @@ import { IdentityDetailsFormData } from "src/adapters/parsers/view";
 import CheckIcon from "src/assets/icons/check.svg?react";
 import EditIcon from "src/assets/icons/edit-02.svg?react";
 import CloseIcon from "src/assets/icons/x-close.svg?react";
+import { IdentityAuthCredentials } from "src/components/identities/IdentityAuthCredentials";
 import { Detail } from "src/components/shared/Detail";
 import { ErrorResult } from "src/components/shared/ErrorResult";
 import { LoadingResult } from "src/components/shared/LoadingResult";
@@ -126,69 +127,77 @@ export function Identity() {
         } else {
           const [, method = "", blockchain = "", network = ""] = identifier.split(":");
           return (
-            <Card
-              className="centered"
-              styles={{ header: { border: "none" } }}
-              title={
-                <Flex align="center" gap={8} style={{ paddingTop: "24px" }}>
-                  {displayNameEditable ? (
-                    <Form
-                      form={form}
-                      initialValues={{ displayName: identity.data.displayName }}
-                      onFinish={handleEditDisplayName}
-                      style={{ width: "100%" }}
-                    >
-                      <Flex gap={16}>
-                        <Form.Item
-                          name="displayName"
-                          rules={[{ message: VALUE_REQUIRED, required: true }]}
-                          style={{ marginBottom: 0, width: "50%" }}
-                        >
-                          <Input placeholder="Enter name" />
-                        </Form.Item>
-                        <Flex gap={8}>
-                          <Button
-                            icon={<CloseIcon />}
-                            onClick={() => setDisplayNameEditable(false)}
-                          />
-                          <Button htmlType="submit" icon={<CheckIcon />} onClick={() => {}} />
+            <>
+              <Card
+                className="centered"
+                styles={{ header: { border: "none" } }}
+                title={
+                  <Flex align="center" gap={8} style={{ paddingTop: "24px" }}>
+                    {displayNameEditable ? (
+                      <Form
+                        form={form}
+                        initialValues={{ displayName: identity.data.displayName }}
+                        onFinish={handleEditDisplayName}
+                        style={{ width: "100%" }}
+                      >
+                        <Flex gap={16}>
+                          <Form.Item
+                            name="displayName"
+                            rules={[{ message: VALUE_REQUIRED, required: true }]}
+                            style={{ marginBottom: 0, width: "50%" }}
+                          >
+                            <Input placeholder="Enter name" />
+                          </Form.Item>
+                          <Flex gap={8}>
+                            <Button
+                              icon={<CloseIcon />}
+                              onClick={() => setDisplayNameEditable(false)}
+                            />
+                            <Button htmlType="submit" icon={<CheckIcon />} onClick={() => {}} />
+                          </Flex>
                         </Flex>
-                      </Flex>
-                    </Form>
-                  ) : (
-                    <>
-                      {identity.data.displayName}
-                      <Button
-                        icon={<EditIcon />}
-                        onClick={() => setDisplayNameEditable(true)}
-                        size="small"
-                        type="text"
-                      />
-                    </>
-                  )}
-                </Flex>
-              }
-            >
-              <Card className="background-grey">
-                <Space direction="vertical">
-                  <Detail
-                    copyable
-                    copyableText={identifier}
-                    label="Identifier"
-                    text={formatIdentifier(identifier)}
-                  />
-
-                  <Detail label="Method" text={method} />
-
-                  <Detail label="Blockchain" text={blockchain} />
-
-                  <Detail label="Network" text={network} />
-
-                  <Detail label="Type" text={identity.data.keyType} />
-                  <Detail label="Credential status" text={identity.data.credentialStatusType} />
-                </Space>
+                      </Form>
+                    ) : (
+                      <>
+                        {identity.data.displayName}
+                        <Button
+                          icon={<EditIcon />}
+                          onClick={() => setDisplayNameEditable(true)}
+                          size="small"
+                          type="text"
+                        />
+                      </>
+                    )}
+                  </Flex>
+                }
+              >
+                <Card className="background-grey">
+                  <Space direction="vertical">
+                    <Detail
+                      copyable
+                      copyableText={identifier}
+                      label="Identifier"
+                      text={formatIdentifier(identifier)}
+                    />
+
+                    <Detail label="Method" text={method} />
+
+                    <Detail label="Blockchain" text={blockchain} />
+
+                    <Detail label="Network" text={network} />
+
+                    <Detail label="Type" text={identity.data.keyType} />
+                    <Detail label="Credential status" text={identity.data.credentialStatusType} />
+                  </Space>
+                </Card>
               </Card>
-            </Card>
+
+              <Divider />
+
+              {identity.data.authCredentialsIDs.length && (
+                <IdentityAuthCredentials IDs={identity.data.authCredentialsIDs} />
+              )}
+            </>
           );
         }
       })()}
diff --git a/ui/src/components/identities/IdentityAuthCredentials.tsx b/ui/src/components/identities/IdentityAuthCredentials.tsx
new file mode 100644
index 000000000..b4cf048cd
--- /dev/null
+++ b/ui/src/components/identities/IdentityAuthCredentials.tsx
@@ -0,0 +1,269 @@
+import { PublicKey } from "@iden3/js-crypto";
+import {
+  Avatar,
+  Button,
+  Card,
+  Dropdown,
+  Flex,
+  Row,
+  Space,
+  Table,
+  TableColumnsType,
+  Tag,
+  Tooltip,
+  Typography,
+} from "antd";
+import { useCallback, useEffect, useState } from "react";
+import { useNavigate } from "react-router-dom";
+
+import { getAuthCredentialsByIDs } from "src/adapters/api/credentials";
+import { notifyErrors } from "src/adapters/parsers";
+import IconCheckMark from "src/assets/icons/check.svg?react";
+import IconCopy from "src/assets/icons/copy-01.svg?react";
+import IconCreditCardRefresh from "src/assets/icons/credit-card-refresh.svg?react";
+import IconDots from "src/assets/icons/dots-vertical.svg?react";
+import IconPlus from "src/assets/icons/plus.svg?react";
+import IconClose from "src/assets/icons/x.svg?react";
+import { CredentialRevokeModal } from "src/components/shared/CredentialRevokeModal";
+import { TableCard } from "src/components/shared/TableCard";
+
+import { useEnvContext } from "src/contexts/Env";
+import { useIdentityContext } from "src/contexts/Identity";
+import { AppError, AuthCredential } from "src/domain";
+import { ROUTES } from "src/routes";
+import { AsyncTask, isAsyncTaskDataAvailable, isAsyncTaskStarting } from "src/utils/async";
+import { isAbortedError, makeRequestAbortable } from "src/utils/browser";
+import { DOTS_DROPDOWN_WIDTH, ISSUE_DATE, REVOCATION, REVOKE } from "src/utils/constants";
+import { formatDate } from "src/utils/forms";
+
+export function IdentityAuthCredentials({ IDs }: { IDs: Array<string> }) {
+  const env = useEnvContext();
+  const { identifier } = useIdentityContext();
+  const navigate = useNavigate();
+
+  const [credentials, setCredentials] = useState<AsyncTask<AuthCredential[], AppError>>({
+    status: "pending",
+  });
+
+  const [credentialToRevoke, setCredentialToRevoke] = useState<AuthCredential>();
+
+  const fetchAuthCredentials = useCallback(
+    async (signal?: AbortSignal) => {
+      setCredentials((previousCredentials) =>
+        isAsyncTaskDataAvailable(previousCredentials)
+          ? { data: previousCredentials.data, status: "reloading" }
+          : { status: "loading" }
+      );
+
+      const response = await getAuthCredentialsByIDs({
+        env,
+        identifier,
+        IDs,
+        signal,
+      });
+      if (response.success) {
+        setCredentials({
+          data: response.data.successful,
+          status: "successful",
+        });
+
+        void notifyErrors(response.data.failed.filter((error) => error.type !== "cancel-error"));
+      } else {
+        if (!isAbortedError(response.error)) {
+          setCredentials({ error: response.error, status: "failed" });
+        }
+      }
+    },
+    [env, identifier, IDs]
+  );
+
+  const tableColumns: TableColumnsType<AuthCredential> = [
+    {
+      dataIndex: "credentialSubject",
+      ellipsis: { showTitle: false },
+      key: "credentialSubject",
+      render: (credentialSubject: AuthCredential["credentialSubject"]) => {
+        const { x, y } = credentialSubject;
+        const pKey = new PublicKey([x, y]);
+        const pKeyHex = pKey.hex();
+        return (
+          <Tooltip title={pKeyHex}>
+            <Typography.Text
+              copyable={{
+                icon: [<IconCopy key={0} />, <IconCheckMark key={1} />],
+                text: pKeyHex,
+              }}
+              ellipsis={{
+                suffix: pKeyHex.slice(-5),
+              }}
+            >
+              {pKeyHex}
+            </Typography.Text>
+          </Tooltip>
+        );
+      },
+
+      title: "Public key",
+    },
+    {
+      dataIndex: "credentialStatus",
+      ellipsis: { showTitle: false },
+      key: "credentialStatus",
+      render: (credentialStatus: AuthCredential["credentialStatus"]) => (
+        <Typography.Text>{credentialStatus.revocationNonce}</Typography.Text>
+      ),
+      title: "Revocation nonce",
+    },
+    {
+      dataIndex: "schemaType",
+      ellipsis: { showTitle: false },
+      key: "schemaType",
+      render: (schemaType: AuthCredential["schemaType"]) => (
+        <Typography.Text strong>{schemaType}</Typography.Text>
+      ),
+      sorter: {
+        compare: ({ schemaType: a }, { schemaType: b }) => (a && b ? a.localeCompare(b) : 0),
+        multiple: 1,
+      },
+      title: "Type",
+    },
+    {
+      dataIndex: "credentialStatus",
+      ellipsis: { showTitle: false },
+      key: "credentialStatus",
+      render: (credentialStatus: AuthCredential["credentialStatus"]) => (
+        <Typography.Text>{credentialStatus.type}</Typography.Text>
+      ),
+      title: "Revocation status",
+    },
+    {
+      dataIndex: "createdAt",
+      key: "createdAt",
+      render: (issuanceDate: AuthCredential["issuanceDate"]) => (
+        <Typography.Text>{formatDate(issuanceDate)}</Typography.Text>
+      ),
+      sorter: ({ issuanceDate: a }, { issuanceDate: b }) => b.getTime() - a.getTime(),
+      title: ISSUE_DATE,
+    },
+    {
+      dataIndex: "revoked",
+      key: "revoked",
+      render: (revoked: AuthCredential["revoked"]) => (
+        <Typography.Text>{revoked ? "Revoked" : "-"}</Typography.Text>
+      ),
+      responsive: ["sm"],
+      title: REVOCATION,
+    },
+    {
+      dataIndex: "published",
+      key: "published",
+      render: (published: AuthCredential["published"]) => (
+        <Typography.Text>{published ? "Published" : "Pending"}</Typography.Text>
+      ),
+      responsive: ["sm"],
+      title: "Published",
+    },
+    {
+      dataIndex: "id",
+      key: "id",
+      render: (id: AuthCredential["id"], credential: AuthCredential) => (
+        <Dropdown
+          menu={{
+            items: [
+              {
+                danger: true,
+                disabled: credential.revoked,
+                icon: <IconClose />,
+                key: "revoke",
+                label: REVOKE,
+                onClick: () => setCredentialToRevoke(credential),
+              },
+            ],
+          }}
+        >
+          <Row>
+            <IconDots className="icon-secondary" />
+          </Row>
+        </Dropdown>
+      ),
+      width: DOTS_DROPDOWN_WIDTH,
+    },
+  ];
+
+  useEffect(() => {
+    const { aborter } = makeRequestAbortable(fetchAuthCredentials);
+
+    return aborter;
+  }, [fetchAuthCredentials]);
+
+  const credentialsList = isAsyncTaskDataAvailable(credentials) ? credentials.data : [];
+  const showDefaultContent = credentials.status === "successful" && credentialsList.length === 0;
+
+  return (
+    <Card
+      style={{ width: "100%" }}
+      title={
+        <Flex align="center" justify="flex-end" style={{ padding: 12 }}>
+          <Button
+            icon={<IconPlus />}
+            onClick={() => navigate(ROUTES.createAuthCredential.path)}
+            type="primary"
+          >
+            Create auth credential
+          </Button>
+        </Flex>
+      }
+    >
+      <TableCard
+        defaultContents={
+          <>
+            <Avatar className="avatar-color-icon" icon={<IconCreditCardRefresh />} size={48} />
+
+            <Typography.Text strong>No auth credentials</Typography.Text>
+
+            <Typography.Text type="secondary">
+              Auth credentials will be listed here.
+            </Typography.Text>
+          </>
+        }
+        isLoading={isAsyncTaskStarting(credentials)}
+        searchPlaceholder="Search credentials, attributes, identifiers..."
+        showDefaultContents={showDefaultContent}
+        table={
+          <Table
+            columns={tableColumns.map(({ title, ...column }) => ({
+              title: (
+                <Typography.Text type="secondary">
+                  <>{title}</>
+                </Typography.Text>
+              ),
+              ...column,
+            }))}
+            dataSource={credentialsList}
+            loading={credentials.status === "reloading"}
+            pagination={false}
+            rowKey="id"
+            showSorterTooltip
+            sortDirections={["ascend", "descend"]}
+          />
+        }
+        title={
+          <Row gutter={[0, 8]} justify="space-between">
+            <Space size="middle">
+              <Card.Meta title="Auth credentials" />
+
+              <Tag>{credentialsList.length}</Tag>
+            </Space>
+          </Row>
+        }
+      />
+      {credentialToRevoke && (
+        <CredentialRevokeModal
+          credential={credentialToRevoke}
+          onClose={() => setCredentialToRevoke(undefined)}
+          onRevoke={() => void fetchAuthCredentials()}
+        />
+      )}
+    </Card>
+  );
+}
diff --git a/ui/src/components/identities/IdentityForm.tsx b/ui/src/components/identities/IdentityForm.tsx
index a266d095b..af355851f 100644
--- a/ui/src/components/identities/IdentityForm.tsx
+++ b/ui/src/components/identities/IdentityForm.tsx
@@ -2,6 +2,7 @@ import { App, Button, Col, Divider, Form, Input, Row, Select, Typography } from
 import { useCallback, useEffect, useState } from "react";
 
 import { getSupportedBlockchains } from "src/adapters/api/identities";
+import { buildAppError } from "src/adapters/parsers";
 import { IdentityFormData, identityFormDataParser } from "src/adapters/parsers/view";
 import { ErrorResult } from "src/components/shared/ErrorResult";
 import { LoadingResult } from "src/components/shared/LoadingResult";
@@ -10,7 +11,6 @@ import { AppError, Blockchain, CredentialStatusType, IdentityType, Method } from
 import { AsyncTask, isAsyncTaskDataAvailable } from "src/utils/async";
 import { isAbortedError, makeRequestAbortable } from "src/utils/browser";
 import { VALUE_REQUIRED } from "src/utils/constants";
-import { buildAppError } from "src/utils/error";
 
 const initialValues: IdentityFormData = {
   blockchain: "",
diff --git a/ui/src/components/issuer-state/IssuerState.tsx b/ui/src/components/issuer-state/IssuerState.tsx
index a4fc8df4f..f438260bc 100644
--- a/ui/src/components/issuer-state/IssuerState.tsx
+++ b/ui/src/components/issuer-state/IssuerState.tsx
@@ -18,7 +18,7 @@ import { useSearchParams } from "react-router-dom";
 import { Sorter, parseSorters, serializeSorters } from "src/adapters/api";
 
 import { getTransactions, publishState, retryPublishState } from "src/adapters/api/issuer-state";
-import { positiveIntegerFromStringParser } from "src/adapters/parsers";
+import { notifyErrors, positiveIntegerFromStringParser } from "src/adapters/parsers";
 import { tableSorterParser } from "src/adapters/parsers/view";
 import IconAlert from "src/assets/icons/alert-circle.svg?react";
 import IconSwitch from "src/assets/icons/switch-horizontal.svg?react";
@@ -44,7 +44,6 @@ import {
   SORT_PARAM,
   STATUS,
 } from "src/utils/constants";
-import { notifyParseErrors } from "src/utils/error";
 import { formatDate } from "src/utils/forms";
 
 const PUBLISHED_MESSAGE = "Issuer state is being published";
@@ -160,7 +159,7 @@ export function IssuerState() {
           maxResults: response.data.meta.max_results,
           page: response.data.meta.page,
         });
-        notifyParseErrors(response.data.items.failed);
+        void notifyErrors(response.data.items.failed);
       } else {
         if (!isAbortedError(response.error)) {
           setTransactions({ error: response.error, status: "failed" });
diff --git a/ui/src/components/keys/CreateKey.tsx b/ui/src/components/keys/CreateKey.tsx
new file mode 100644
index 000000000..ff3947b27
--- /dev/null
+++ b/ui/src/components/keys/CreateKey.tsx
@@ -0,0 +1,86 @@
+import { App, Button, Card, Divider, Flex, Form, Input, Select, Space } from "antd";
+import { useNavigate } from "react-router-dom";
+
+import { CreateKey as CreateKeyType, createKey } from "src/adapters/api/keys";
+import { SiderLayoutContent } from "src/components/shared/SiderLayoutContent";
+import { useEnvContext } from "src/contexts/Env";
+import { useIdentityContext } from "src/contexts/Identity";
+import { KeyType } from "src/domain";
+import { ROUTES } from "src/routes";
+import { KEY_ADD_NEW, VALUE_REQUIRED } from "src/utils/constants";
+
+export function CreateKey() {
+  const env = useEnvContext();
+  const { identifier } = useIdentityContext();
+  const [form] = Form.useForm<CreateKeyType>();
+  const navigate = useNavigate();
+  const { message } = App.useApp();
+
+  const handleSubmit = (formValues: CreateKeyType) => {
+    return void createKey({
+      env,
+      identifier,
+      payload: formValues,
+    }).then((response) => {
+      if (response.success) {
+        void message.success("Key added successfully");
+        navigate(ROUTES.keys.path);
+      } else {
+        void message.error(response.error.message);
+      }
+    });
+  };
+
+  return (
+    <SiderLayoutContent
+      description="Create a new display key"
+      showBackButton
+      showDivider
+      title={KEY_ADD_NEW}
+    >
+      <Card className="centered" title="Key details">
+        <Space direction="vertical" size="large">
+          <Form
+            form={form}
+            initialValues={{
+              keyType: KeyType.babyjubJub,
+              name: "",
+            }}
+            layout="vertical"
+            onFinish={handleSubmit}
+          >
+            <Form.Item
+              label="Key name"
+              name="name"
+              rules={[{ message: VALUE_REQUIRED, required: true }]}
+            >
+              <Input placeholder="Enter name" />
+            </Form.Item>
+
+            <Form.Item
+              label="Type"
+              name="keyType"
+              rules={[{ message: VALUE_REQUIRED, required: true }]}
+            >
+              <Select className="full-width" placeholder="Type">
+                {Object.values(KeyType).map((type) => (
+                  <Select.Option key={type} value={type}>
+                    {type}
+                  </Select.Option>
+                ))}
+              </Select>
+            </Form.Item>
+
+            <Divider />
+
+            <Flex justify="flex-end">
+              <Button htmlType="submit" type="primary">
+                Submit
+              </Button>
+            </Flex>
+          </Form>
+        </Space>
+      </Card>
+    </SiderLayoutContent>
+  );
+}
diff --git a/ui/src/components/keys/Key.tsx b/ui/src/components/keys/Key.tsx
new file mode 100644
index 000000000..b2b61c47a
--- /dev/null
+++ b/ui/src/components/keys/Key.tsx
@@ -0,0 +1,206 @@
+import { App, Button, Card, Dropdown, Flex, Form, Input, Row, Space, Typography } from "antd";
+import { useCallback, useEffect, useState } from "react";
+import { useNavigate, useParams } from "react-router-dom";
+
+import { useIdentityContext } from "../../contexts/Identity";
+import { UpdateKey, deleteKey, getKey, updateKeyName } from "src/adapters/api/keys";
+import IconDots from "src/assets/icons/dots-vertical.svg?react";
+import EditIcon from "src/assets/icons/edit-02.svg?react";
+import { DeleteItem } from "src/components/schemas/DeleteItem";
+import { Detail } from "src/components/shared/Detail";
+import { EditModal } from "src/components/shared/EditModal";
+import { ErrorResult } from "src/components/shared/ErrorResult";
+import { LoadingResult } from "src/components/shared/LoadingResult";
+import { SiderLayoutContent } from "src/components/shared/SiderLayoutContent";
+import { useEnvContext } from "src/contexts/Env";
+import { AppError, Key as KeyType } from "src/domain";
+import { ROUTES } from "src/routes";
+import { AsyncTask, hasAsyncTaskFailed, isAsyncTaskStarting } from "src/utils/async";
+import { isAbortedError, makeRequestAbortable } from "src/utils/browser";
+import { KEY_DETAILS, VALUE_REQUIRED } from "src/utils/constants";
+
+export function Key() {
+  const env = useEnvContext();
+  const { identifier } = useIdentityContext();
+  const { message } = App.useApp();
+  const navigate = useNavigate();
+  const [form] = Form.useForm<UpdateKey>();
+
+  const [isEditModalOpen, setIsEditModalOpen] = useState(false);
+
+  const [key, setKey] = useState<AsyncTask<KeyType, AppError>>({
+    status: "pending",
+  });
+
+  const { keyID } = useParams();
+
+  const fetchKey = useCallback(
+    async (signal?: AbortSignal) => {
+      if (keyID) {
+        setKey({ status: "loading" });
+
+        const response = await getKey({
+          env,
+          identifier,
+          keyID,
+          signal,
+        });
+
+        if (response.success) {
+          setKey({ data: response.data, status: "successful" });
+        } else {
+          if (!isAbortedError(response.error)) {
+            setKey({ error: response.error, status: "failed" });
+          }
+        }
+      }
+    },
+    [env, keyID, identifier]
+  );
+
+  useEffect(() => {
+    const { aborter } = makeRequestAbortable(fetchKey);
+
+    return aborter;
+  }, [fetchKey]);
+
+  if (!keyID) {
+    return <ErrorResult error="No key provided." />;
+  }
+
+  const handleEdit = () => {
+    const { name } = form.getFieldsValue();
+    void updateKeyName({
+      env,
+      identifier,
+      keyID,
+      payload: { name: name.trim() },
+    }).then((response) => {
+      setIsEditModalOpen(false);
+      if (response.success) {
+        void fetchKey().then(() => {
+          void message.success("Key edited successfully");
+        });
+      } else {
+        void message.error(response.error.message);
+      }
+    });
+  };
+
+  const handleDeleteKey = () => {
+    void deleteKey({ env, identifier, keyID }).then((response) => {
+      if (response.success) {
+        navigate(ROUTES.keys.path);
+        void message.success(response.data.message);
+      } else {
+        void message.error(response.error.message);
+      }
+    });
+  };
+
+  return (
+    <SiderLayoutContent
+      description="View and edit key details"
+      showBackButton
+      showDivider
+      title={KEY_DETAILS}
+    >
+      {(() => {
+        if (hasAsyncTaskFailed(key)) {
+          return (
+            <Card className="centered">
+              <ErrorResult
+                error={[
+                  "An error occurred while downloading an key from the API:",
+                  key.error.message,
+                ].join("\n")}
+              />
+            </Card>
+          );
+        } else if (isAsyncTaskStarting(key)) {
+          return (
+            <Card className="centered">
+              <LoadingResult />
+            </Card>
+          );
+        } else {
+          return (
+            <>
+              <Card
+                className="centered"
+                title={
+                  <Flex align="center" gap={8} justify="space-between">
+                    <Typography.Text style={{ fontWeight: 600 }}>{key.data.name}</Typography.Text>
+                    <Flex gap={8}>
+                      <Button
+                        icon={<EditIcon />}
+                        onClick={() => setIsEditModalOpen(true)}
+                        style={{ flexShrink: 0 }}
+                        type="text"
+                      />
+                      {!key.data.isAuthCredential && (
+                        <Dropdown
+                          menu={{
+                            items: [
+                              {
+                                danger: true,
+                                key: "delete",
+                                label: (
+                                  <DeleteItem
+                                    onOk={handleDeleteKey}
+                                    title="Are you sure you want to delete this key?"
+                                  />
+                                ),
+                              },
+                            ],
+                          }}
+                        >
+                          <Row>
+                            <IconDots className="icon-secondary" />
+                          </Row>
+                        </Dropdown>
+                      )}
+                    </Flex>
+                  </Flex>
+                }
+              >
+                <Card className="background-grey">
+                  <Space direction="vertical">
+                    <Detail copyable label="Name" text={key.data.name} />
+
+                    <Detail
+                      copyable
+                      copyableText={key.data.publicKey}
+                      ellipsisPosition={5}
+                      label="Public key"
+                      text={key.data.publicKey}
+                    />
+                    <Detail copyable label="Type" text={key.data.keyType} />
+                    <Detail label="Auth credential" text={`${key.data.isAuthCredential}`} />
+                  </Space>
+                </Card>
+              </Card>
+
+              <EditModal
+                onClose={() => setIsEditModalOpen(false)}
+                onSubmit={handleEdit}
+                open={isEditModalOpen}
+                title="Edit key"
+              >
+                <Form form={form} initialValues={{ name: key.data.name }} layout="vertical">
+                  <Form.Item
+                    label="Name"
+                    name="name"
+                    rules={[{ message: VALUE_REQUIRED, required: true }]}
+                  >
+                    <Input placeholder="Enter name" />
+                  </Form.Item>
+                </Form>
+              </EditModal>
+            </>
+          );
+        }
+      })()}
+    </SiderLayoutContent>
+  );
+}
diff --git a/ui/src/components/keys/Keys.tsx b/ui/src/components/keys/Keys.tsx
new file mode 100644
index 000000000..722fac2a5
--- /dev/null
+++ b/ui/src/components/keys/Keys.tsx
@@ -0,0 +1,32 @@
+import { Button, Space } from "antd";
+import { generatePath, useNavigate } from "react-router-dom";
+
+import IconPlus from "src/assets/icons/plus.svg?react";
+import { KeysTable } from "src/components/keys/KeysTable";
+import { SiderLayoutContent } from "src/components/shared/SiderLayoutContent";
+import { ROUTES } from "src/routes";
+import { KEYS, KEY_ADD } from "src/utils/constants";
+
+export function Keys() {
+  const navigate = useNavigate();
+
+  return (
+    <SiderLayoutContent
+      description="Description..."
+      extra={
+        <Button
+          icon={<IconPlus />}
+          onClick={() => navigate(generatePath(ROUTES.createKey.path))}
+          type="primary"
+        >
+          {KEY_ADD}
+        </Button>
+      }
+      title={KEYS}
+    >
+      <Space direction="vertical" size="large">
+        <KeysTable />
+      </Space>
+    </SiderLayoutContent>
+  );
+}
diff --git a/ui/src/components/keys/KeysTable.tsx b/ui/src/components/keys/KeysTable.tsx
new file mode 100644
index 000000000..a6d8161a9
--- /dev/null
+++ b/ui/src/components/keys/KeysTable.tsx
@@ -0,0 +1,321 @@
+import {
+  App,
+  Avatar,
+  Button,
+  Card,
+  Dropdown,
+  Row,
+  Space,
+  Table,
+  TableColumnsType,
+  Tag,
+  Tooltip,
+  Typography,
+} from "antd";
+import { ItemType } from "antd/es/menu/interface";
+import { useCallback, useEffect, useState } from "react";
+import { Link, generatePath, useNavigate, useSearchParams } from "react-router-dom";
+
+import { deleteKey, getKeys } from "src/adapters/api/keys";
+import { notifyErrors, positiveIntegerFromStringParser } from "src/adapters/parsers";
+import IconIssuers from "src/assets/icons/building-08.svg?react";
+import IconCheckMark from "src/assets/icons/check.svg?react";
+import IconCopy from "src/assets/icons/copy-01.svg?react";
+import IconDots from "src/assets/icons/dots-vertical.svg?react";
+import IconInfoCircle from "src/assets/icons/info-circle.svg?react";
+import IconPlus from "src/assets/icons/plus.svg?react";
+import { DeleteItem } from "src/components/schemas/DeleteItem";
+import { ErrorResult } from "src/components/shared/ErrorResult";
+import { NoResults } from "src/components/shared/NoResults";
+import { TableCard } from "src/components/shared/TableCard";
+import { useEnvContext } from "src/contexts/Env";
+import { useIdentityContext } from "src/contexts/Identity";
+import { AppError, Key } from "src/domain";
+import { ROUTES } from "src/routes";
+import { AsyncTask, isAsyncTaskDataAvailable, isAsyncTaskStarting } from "src/utils/async";
+import { isAbortedError, makeRequestAbortable } from "src/utils/browser";
+import {
+  DEFAULT_PAGINATION_MAX_RESULTS,
+  DEFAULT_PAGINATION_PAGE,
+  DEFAULT_PAGINATION_TOTAL,
+  DETAILS,
+  DOTS_DROPDOWN_WIDTH,
+  KEY_ADD_NEW,
+  PAGINATION_MAX_RESULTS_PARAM,
+  PAGINATION_PAGE_PARAM,
+  QUERY_SEARCH_PARAM,
+} from "src/utils/constants";
+
+export function KeysTable() {
+  const env = useEnvContext();
+  const { identifier } = useIdentityContext();
+  const { message } = App.useApp();
+  const navigate = useNavigate();
+
+  const [keys, setKeys] = useState<AsyncTask<Key[], AppError>>({
+    status: "pending",
+  });
+
+  const [searchParams, setSearchParams] = useSearchParams();
+  const queryParam = searchParams.get(QUERY_SEARCH_PARAM);
+  const paginationPageParam = searchParams.get(PAGINATION_PAGE_PARAM);
+  const paginationMaxResultsParam = searchParams.get(PAGINATION_MAX_RESULTS_PARAM);
+
+  const paginationPageParsed = positiveIntegerFromStringParser.safeParse(paginationPageParam);
+  const paginationMaxResultsParsed =
+    positiveIntegerFromStringParser.safeParse(paginationMaxResultsParam);
+
+  const [paginationTotal, setPaginationTotal] = useState<number>(DEFAULT_PAGINATION_TOTAL);
+  const paginationPage = paginationPageParsed.success
+    ? paginationPageParsed.data
+    : DEFAULT_PAGINATION_PAGE;
+  const paginationMaxResults = paginationMaxResultsParsed.success
+    ? paginationMaxResultsParsed.data
+    : DEFAULT_PAGINATION_MAX_RESULTS;
+
+  const keysList = isAsyncTaskDataAvailable(keys) ? keys.data : [];
+  const showDefaultContent = keys.status === "successful" && keysList.length === 0;
+
+  const tableColumns: TableColumnsType<Key> = [
+    {
+      dataIndex: "name",
+      key: "name",
+      render: (name: Key["name"], { id }: Key) => (
+        <Typography.Link
+          onClick={() =>
+            navigate(
+              generatePath(ROUTES.keyDetails.path, {
+                keyID: id,
+              })
+            )
+          }
+          strong
+        >
+          {name}
+        </Typography.Link>
+      ),
+      title: "Name",
+    },
+    {
+      dataIndex: "keyType",
+      key: "keyType",
+      render: (keyType: Key["keyType"]) => <Typography.Text>{keyType}</Typography.Text>,
+      title: "Type",
+    },
+    {
+      dataIndex: "publicKey",
+      key: "publicKey",
+      render: (publicKey: Key["publicKey"]) => (
+        <Tooltip title={publicKey}>
+          <Typography.Text
+            copyable={{
+              icon: [<IconCopy key={0} />, <IconCheckMark key={1} />],
+            }}
+            ellipsis={{
+              suffix: publicKey.slice(-5),
+            }}
+          >
+            {publicKey}
+          </Typography.Text>
+        </Tooltip>
+      ),
+      title: "Public key",
+    },
+    {
+      dataIndex: "id",
+      key: "id",
+      render: (id: Key["id"], { isAuthCredential }: Key) => {
+        const items: Array<ItemType> = [
+          {
+            icon: <IconInfoCircle />,
+            key: "details",
+            label: DETAILS,
+            onClick: () =>
+              navigate(
+                generatePath(ROUTES.keyDetails.path, {
+                  keyID: id,
+                })
+              ),
+          },
+        ];
+
+        if (!isAuthCredential) {
+          items.push(
+            {
+              key: "divider1",
+              type: "divider",
+            },
+            {
+              danger: true,
+              key: "delete",
+              label: (
+                <DeleteItem
+                  onOk={() => handleDeleteKey(id)}
+                  title="Are you sure you want to delete this key?"
+                />
+              ),
+            }
+          );
+        }
+
+        return (
+          <Dropdown
+            menu={{
+              items,
+            }}
+          >
+            <Row>
+              <IconDots className="icon-secondary" />
+            </Row>
+          </Dropdown>
+        );
+      },
+
+      width: DOTS_DROPDOWN_WIDTH,
+    },
+  ];
+
+  const updateUrlParams = useCallback(
+    ({ maxResults, page }: { maxResults?: number; page?: number }) => {
+      setSearchParams((previousParams) => {
+        const params = new URLSearchParams(previousParams);
+        params.set(
+          PAGINATION_PAGE_PARAM,
+          page !== undefined ? page.toString() : DEFAULT_PAGINATION_PAGE.toString()
+        );
+        params.set(
+          PAGINATION_MAX_RESULTS_PARAM,
+          maxResults !== undefined
+            ? maxResults.toString()
+            : DEFAULT_PAGINATION_MAX_RESULTS.toString()
+        );
+
+        return params;
+      });
+    },
+    [setSearchParams]
+  );
+
+  const fetchKeys = useCallback(
+    async (signal?: AbortSignal) => {
+      setKeys((previousKeys) =>
+        isAsyncTaskDataAvailable(previousKeys)
+          ? { data: previousKeys.data, status: "reloading" }
+          : { status: "loading" }
+      );
+
+      const response = await getKeys({
+        env,
+        identifier,
+        params: {
+          maxResults: paginationMaxResults,
+          page: paginationPage,
+        },
+        signal,
+      });
+      if (response.success) {
+        setKeys({
+          data: response.data.items.successful,
+          status: "successful",
+        });
+        setPaginationTotal(response.data.meta.total);
+        updateUrlParams({
+          maxResults: response.data.meta.max_results,
+          page: response.data.meta.page,
+        });
+        void notifyErrors(response.data.items.failed);
+      } else {
+        if (!isAbortedError(response.error)) {
+          setKeys({ error: response.error, status: "failed" });
+        }
+      }
+    },
+    [env, paginationMaxResults, paginationPage, identifier, updateUrlParams]
+  );
+
+  const handleDeleteKey = (keyID: string) => {
+    void deleteKey({ env, identifier, keyID }).then((response) => {
+      if (response.success) {
+        void fetchKeys();
+        void message.success(response.data.message);
+      } else {
+        void message.error(response.error.message);
+      }
+    });
+  };
+
+  useEffect(() => {
+    const { aborter } = makeRequestAbortable(fetchKeys);
+
+    return aborter;
+  }, [fetchKeys]);
+
+  return (
+    <TableCard
+      defaultContents={
+        <>
+          <Avatar className="avatar-color-icon" icon={<IconIssuers />} size={48} />
+
+          <Typography.Text strong>No keys</Typography.Text>
+
+          <Typography.Text type="secondary">Your keys will be listed here.</Typography.Text>
+
+          <Link to={ROUTES.createKey.path}>
+            <Button icon={<IconPlus />} type="primary">
+              {KEY_ADD_NEW}
+            </Button>
+          </Link>
+        </>
+      }
+      isLoading={isAsyncTaskStarting(keys)}
+      query={queryParam}
+      showDefaultContents={showDefaultContent}
+      table={
+        <Table
+          columns={tableColumns.map(({ title, ...column }) => ({
+            title: (
+              <Typography.Text type="secondary">
+                <>{title}</>
+              </Typography.Text>
+            ),
+            ...column,
+          }))}
+          dataSource={keysList}
+          locale={{
+            emptyText:
+              keys.status === "failed" ? (
+                <ErrorResult error={keys.error.message} />
+              ) : (
+                <NoResults searchQuery={queryParam} />
+              ),
+          }}
+          onChange={({ current, pageSize, total }) => {
+            setPaginationTotal(total || DEFAULT_PAGINATION_TOTAL);
+            updateUrlParams({
+              maxResults: pageSize,
+              page: current,
+            });
+          }}
+          pagination={{
+            current: paginationPage,
+            hideOnSinglePage: true,
+            pageSize: paginationMaxResults,
+            position: ["bottomRight"],
+            total: paginationTotal,
+          }}
+          rowKey="id"
+          showSorterTooltip
+          sortDirections={["ascend", "descend"]}
+        />
+      }
+      title={
+        <Row justify="space-between">
+          <Space size="middle">
+            <Card.Meta title="Keys" />
+            <Tag>{paginationTotal}</Tag>
+          </Space>
+        </Row>
+      }
+    />
+  );
+}
diff --git a/ui/src/components/schemas/DeleteItem.tsx b/ui/src/components/schemas/DeleteItem.tsx
new file mode 100644
index 000000000..0eb0f6ceb
--- /dev/null
+++ b/ui/src/components/schemas/DeleteItem.tsx
@@ -0,0 +1,35 @@
+import { Flex, Modal, Typography } from "antd";
+import { useState } from "react";
+import IconTrash from "src/assets/icons/trash-01.svg?react";
+import IconClose from "src/assets/icons/x.svg?react";
+import { CLOSE, DELETE } from "src/utils/constants";
+
+export function DeleteItem({ onOk, title }: { onOk: () => void; title: string }) {
+  const [isModalOpen, setIsModalOpen] = useState(false);
+
+  return (
+    <>
+      <Flex gap={8} onClick={() => setIsModalOpen(true)}>
+        <IconTrash />
+        <Typography.Text style={{ color: "inherit", fontSize: "inherit" }}>
+          {DELETE}
+        </Typography.Text>
+      </Flex>
+      <Modal
+        cancelText={CLOSE}
+        centered
+        closable
+        closeIcon={<IconClose />}
+        maskClosable
+        okButtonProps={{ danger: true }}
+        okText={DELETE}
+        onCancel={() => setIsModalOpen(false)}
+        onOk={onOk}
+        open={isModalOpen}
+        title={title}
+      >
+        <Typography.Text type="secondary">This action cannot be undone.</Typography.Text>
+      </Modal>
+    </>
+  );
+}
diff --git a/ui/src/components/schemas/ImportSchemaForm.tsx b/ui/src/components/schemas/ImportSchemaForm.tsx
index caeaa30fa..20fee09a1 100644
--- a/ui/src/components/schemas/ImportSchemaForm.tsx
+++ b/ui/src/components/schemas/ImportSchemaForm.tsx
@@ -3,16 +3,16 @@ import { useState } from "react";
 import { z } from "zod";
 
 import { getJsonSchemaFromUrl, getSchemaJsonLdTypes } from "src/adapters/jsonSchemas";
+import {
+  buildAppError,
+  jsonLdContextErrorToString,
+  jsonSchemaErrorToString,
+} from "src/adapters/parsers";
 import { ErrorResult } from "src/components/shared/ErrorResult";
 import { LoadingResult } from "src/components/shared/LoadingResult";
 import { useEnvContext } from "src/contexts/Env";
 import { AppError, Env, Json, JsonLdType, JsonSchema } from "src/domain";
 import { AsyncTask, isAsyncTaskDataAvailable } from "src/utils/async";
-import {
-  buildAppError,
-  jsonLdContextErrorToString,
-  jsonSchemaErrorToString,
-} from "src/utils/error";
 
 export type FormData = {
   jsonLdContextObject: Json;
diff --git a/ui/src/components/schemas/SchemaDetails.tsx b/ui/src/components/schemas/SchemaDetails.tsx
index 872f337ab..5f32ddbd2 100644
--- a/ui/src/components/schemas/SchemaDetails.tsx
+++ b/ui/src/components/schemas/SchemaDetails.tsx
@@ -4,6 +4,11 @@ import { generatePath, useNavigate, useParams } from "react-router-dom";
 
 import { getApiSchema, processUrl } from "src/adapters/api/schemas";
 import { getJsonSchemaFromUrl, getSchemaJsonLdTypes } from "src/adapters/jsonSchemas";
+import {
+  buildAppError,
+  jsonLdContextErrorToString,
+  jsonSchemaErrorToString,
+} from "src/adapters/parsers";
 import CreditCardIcon from "src/assets/icons/credit-card-plus.svg?react";
 import { DownloadSchema } from "src/components/schemas/DownloadSchema";
 import { SchemaViewer } from "src/components/schemas/SchemaViewer";
@@ -18,11 +23,6 @@ import { ROUTES } from "src/routes";
 import { AsyncTask, hasAsyncTaskFailed, isAsyncTaskStarting } from "src/utils/async";
 import { isAbortedError, makeRequestAbortable } from "src/utils/browser";
 import { SCHEMA_SEARCH_PARAM } from "src/utils/constants";
-import {
-  buildAppError,
-  jsonLdContextErrorToString,
-  jsonSchemaErrorToString,
-} from "src/utils/error";
 import { formatDate } from "src/utils/forms";
 
 export function SchemaDetails() {
diff --git a/ui/src/components/schemas/SchemasTable.tsx b/ui/src/components/schemas/SchemasTable.tsx
index 1d0f78ee1..ce181a3d1 100644
--- a/ui/src/components/schemas/SchemasTable.tsx
+++ b/ui/src/components/schemas/SchemasTable.tsx
@@ -16,6 +16,7 @@ import { useCallback, useEffect, useState } from "react";
 import { Link, generatePath, useSearchParams } from "react-router-dom";
 
 import { getApiSchemas } from "src/adapters/api/schemas";
+import { notifyErrors } from "src/adapters/parsers";
 import IconSchema from "src/assets/icons/file-search-02.svg?react";
 import IconUpload from "src/assets/icons/upload-01.svg?react";
 import { ErrorResult } from "src/components/shared/ErrorResult";
@@ -34,7 +35,6 @@ import {
   SCHEMA_SEARCH_PARAM,
   SCHEMA_TYPE,
 } from "src/utils/constants";
-import { notifyParseErrors } from "src/utils/error";
 import { formatDate } from "src/utils/forms";
 
 export function SchemasTable() {
@@ -138,7 +138,7 @@ export function SchemasTable() {
       });
       if (response.success) {
         setApiSchemas({ data: response.data.successful, status: "successful" });
-        notifyParseErrors(response.data.failed);
+        void notifyErrors(response.data.failed);
       } else {
         if (!isAbortedError(response.error)) {
           setApiSchemas({ error: response.error, status: "failed" });
diff --git a/ui/src/components/shared/Detail.tsx b/ui/src/components/shared/Detail.tsx
index 37d91ad28..eae3faa61 100644
--- a/ui/src/components/shared/Detail.tsx
+++ b/ui/src/components/shared/Detail.tsx
@@ -1,7 +1,7 @@
 import { App, Button, Col, Flex, Grid, Row, Tag, TagProps, Typography } from "antd";
-
 import copy from "copy-to-clipboard";
 import { useRef } from "react";
+
 import IconCheckMark from "src/assets/icons/check.svg?react";
 import IconCopy from "src/assets/icons/copy-01.svg?react";
 import IconDownload from "src/assets/icons/download-01.svg?react";
@@ -47,11 +47,13 @@ export function Detail({
   const componentProps =
     Component === Typography.Link
       ? {
+          className: "detail",
           ellipsis: true,
           href,
           target: "_blank",
         }
       : {
+          className: "detail",
           ellipsis: ellipsisPosition ? { suffix: text.slice(-ellipsisPosition) } : true,
         };
 
diff --git a/ui/src/components/shared/Router.tsx b/ui/src/components/shared/Router.tsx
index 3533f64de..be894e50a 100644
--- a/ui/src/components/shared/Router.tsx
+++ b/ui/src/components/shared/Router.tsx
@@ -3,6 +3,7 @@ import { Navigate, Route, Routes } from "react-router-dom";
 
 import { ConnectionDetails } from "src/components/connections/ConnectionDetails";
 import { ConnectionsTable } from "src/components/connections/ConnectionsTable";
+import { CreateAuthCredential } from "src/components/credentials/CreateAuthCredential";
 import { CredentialDetails } from "src/components/credentials/CredentialDetails";
 import { Credentials } from "src/components/credentials/Credentials";
 import { IssueCredential } from "src/components/credentials/IssueCredential";
@@ -15,6 +16,9 @@ import { Identities } from "src/components/identities/Identities";
 import { Identity } from "src/components/identities/Identity";
 import { Onboarding } from "src/components/identities/Onboarding";
 import { IssuerState } from "src/components/issuer-state/IssuerState";
+import { CreateKey } from "src/components/keys/CreateKey";
+import { Key } from "src/components/keys/Key";
+import { Keys } from "src/components/keys/Keys";
 import { FullWidthLayout } from "src/components/layouts/FullWidthLayout";
 import { SiderLayout } from "src/components/layouts/SiderLayout";
 import { ImportSchema } from "src/components/schemas/ImportSchema";
@@ -28,8 +32,10 @@ import { ROOT_PATH } from "src/utils/constants";
 const COMPONENTS: Record<RouteID, ComponentType> = {
   connectionDetails: ConnectionDetails,
   connections: ConnectionsTable,
+    createAuthCredential: CreateAuthCredential,
   createDisplayMethod: CreateDisplayMethod,
   createIdentity: CreateIdentity,
+  createKey: CreateKey,
   credentialDetails: CredentialDetails,
   credentials: Credentials,
   displayMethodDetails: DisplayMethodDetails,
@@ -39,6 +45,8 @@ const COMPONENTS: Record<RouteID, ComponentType> = {
   importSchema: ImportSchema,
   issueCredential: IssueCredential,
   issuerState: IssuerState,
+  keyDetails: Key,
+  keys: Keys,
   linkDetails: LinkDetails,
   notFound: NotFound,
   onboarding: Onboarding,
diff --git a/ui/src/components/shared/SiderMenu.tsx b/ui/src/components/shared/SiderMenu.tsx
index 2dc575041..d046adbcb 100644
--- a/ui/src/components/shared/SiderMenu.tsx
+++ b/ui/src/components/shared/SiderMenu.tsx
@@ -25,6 +25,7 @@ import {
   DOCS_URL,
   IDENTITIES,
   ISSUER_STATE,
+  KEYS,
   SCHEMAS,
 } from "src/utils/constants";
 
@@ -50,6 +51,7 @@ export function SiderMenu({
   const schemasPath = ROUTES.schemas.path;
   const identitiesPath = ROUTES.identities.path;
   const displayMethodsPath = ROUTES.displayMethods.path;
+    const keysPath = ROUTES.keys.path;
 
   const getSelectedKey = (): string[] => {
     if (
@@ -103,6 +105,13 @@ export function SiderMenu({
       )
     ) {
       return [displayMethodsPath];
+    } else if (
+        matchRoutes(
+            [{ path: keysPath }, { path: ROUTES.keyDetails.path }, { path: ROUTES.createKey.path }],
+            pathname
+        )
+    ) {
+        return [keysPath];
     }
 
     return [];
@@ -182,6 +191,13 @@ export function SiderMenu({
                 onClick: () => onMenuClick(identitiesPath),
                 title: "",
               },
+              {
+                icon: <IconIdentities />,
+                key: keysPath,
+                label: KEYS,
+                onClick: () => onMenuClick(keysPath),
+                title: "",
+              },
             ]}
             selectedKeys={getSelectedKey()}
             style={{ marginTop: 16 }}
diff --git a/ui/src/contexts/Env.tsx b/ui/src/contexts/Env.tsx
index cfdde2d67..3e2d0d79d 100644
--- a/ui/src/contexts/Env.tsx
+++ b/ui/src/contexts/Env.tsx
@@ -2,9 +2,9 @@ import { PropsWithChildren, createContext, useContext, useEffect, useMemo, useSt
 import { z } from "zod";
 
 import { EnvInput, envParser } from "src/adapters/env";
+import { buildAppError, envErrorToString } from "src/adapters/parsers";
 import { ErrorResult } from "src/components/shared/ErrorResult";
 import { Env } from "src/domain";
-import { buildAppError, envErrorToString } from "src/utils/error";
 
 const defaultEnvContext: Env = {
   api: {
diff --git a/ui/src/contexts/Identity.tsx b/ui/src/contexts/Identity.tsx
index 129318fa9..c04a6f2c1 100644
--- a/ui/src/contexts/Identity.tsx
+++ b/ui/src/contexts/Identity.tsx
@@ -1,4 +1,4 @@
-import { App, Space } from "antd";
+import { Space } from "antd";
 import {
   PropsWithChildren,
   createContext,
@@ -11,6 +11,7 @@ import {
 import { useLocation, useNavigate, useSearchParams } from "react-router-dom";
 
 import { getIdentities, identifierParser } from "src/adapters/api/identities";
+import { notifyErrors } from "src/adapters/parsers";
 import { ErrorResult } from "src/components/shared/ErrorResult";
 import { LoadingResult } from "src/components/shared/LoadingResult";
 import { useEnvContext } from "src/contexts/Env";
@@ -28,7 +29,6 @@ import {
   IDENTIFIER_SEARCH_PARAM,
   ROOT_PATH,
 } from "src/utils/constants";
-import { buildAppError } from "src/utils/error";
 
 type IdentityState = {
   fetchIdentities: (signal: AbortSignal) => void;
@@ -50,7 +50,6 @@ const IdentityContext = createContext(defaultIdentityState);
 
 export function IdentityProvider(props: PropsWithChildren) {
   const env = useEnvContext();
-  const { message } = App.useApp();
   const navigate = useNavigate();
   const location = useLocation();
   const [identityList, setIdentityList] = useState<AsyncTask<Identity[], AppError>>({
@@ -78,9 +77,7 @@ export function IdentityProvider(props: PropsWithChildren) {
         const identities = response.data.successful;
 
         if (response.data.failed.length) {
-          void message.error(
-            response.data.failed.map((error) => buildAppError(error).message).join("\n")
-          );
+          void notifyErrors(response.data.failed);
         }
 
         const savedIdentifier = getStorageByKey({
@@ -106,7 +103,7 @@ export function IdentityProvider(props: PropsWithChildren) {
         }
       }
     },
-    [env, message, identifierParam]
+    [env, identifierParam]
   );
 
   const selectIdentity = useCallback(
diff --git a/ui/src/domain/credential.ts b/ui/src/domain/credential.ts
index b7466b8de..cd5deae4a 100644
--- a/ui/src/domain/credential.ts
+++ b/ui/src/domain/credential.ts
@@ -1,5 +1,5 @@
 import { DisplayMethodType } from "src/domain/display-method";
-
+import { CredentialStatusType } from "src/domain/identity";
 export type CredentialsTabIDs = "issued" | "links";
 
 export enum ProofType {
@@ -17,13 +17,22 @@ export type CredentialDisplayMethod = {
   type: DisplayMethodType;
 };
 
+export type CredentialStatus = {
+  revocationNonce: number;
+  type: CredentialStatusType;
+};
+
 export type Credential = {
+  credentialStatus: CredentialStatus;
   credentialSubject: Record<string, unknown>;
   displayMethod: CredentialDisplayMethod | null;
   expirationDate: Date | null;
   expired: boolean;
   id: string;
   issuanceDate: Date;
+  proof: Array<{
+    type: ProofType;
+  }> | null;
   proofTypes: ProofType[];
   refreshService: RefreshService | null;
   revNonce: number;
@@ -34,6 +43,14 @@ export type Credential = {
   userID: string;
 };
 
+export type AuthCredential = Omit<Credential, "credentialSubject"> & {
+  credentialSubject: {
+    x: bigint;
+    y: bigint;
+  };
+  published: boolean;
+};
+
 export type IssuedMessage = {
   schemaType: string;
   universalLink: string;
diff --git a/ui/src/domain/identity.ts b/ui/src/domain/identity.ts
index 48ac61b92..4355a9134 100644
--- a/ui/src/domain/identity.ts
+++ b/ui/src/domain/identity.ts
@@ -35,6 +35,7 @@ export type Identity = {
 };
 
 export type IdentityDetails = {
+  authCredentialsIDs: string[];
   credentialStatusType: CredentialStatusType;
   displayName: string | null;
   identifier: string;
diff --git a/ui/src/domain/index.ts b/ui/src/domain/index.ts
index 3b1cd554d..5be033699 100644
--- a/ui/src/domain/index.ts
+++ b/ui/src/domain/index.ts
@@ -3,6 +3,7 @@ export type { AppError } from "src/domain/error";
 export type { Connection } from "src/domain/connection";
 
 export type {
+  AuthCredential,
   Credential,
   CredentialsTabIDs,
   IssuedMessage,
@@ -66,3 +67,6 @@ export { IdentityType, Method, CredentialStatusType } from "src/domain/identity"
 export type { DisplayMethod, DisplayMethodMetadata } from "src/domain/display-method";
 
 export { DisplayMethodType } from "./display-method";
+
+export type { Key } from "src/domain/key";
+export { KeyType } from "src/domain/key";
diff --git a/ui/src/domain/key.ts b/ui/src/domain/key.ts
new file mode 100644
index 000000000..735209bae
--- /dev/null
+++ b/ui/src/domain/key.ts
@@ -0,0 +1,12 @@
+export enum KeyType {
+  babyjubJub = "babyjubJub",
+  secp256k1 = "secp256k1",
+}
+
+export type Key = {
+  id: string;
+  isAuthCredential: boolean;
+  keyType: KeyType;
+  name: string;
+  publicKey: string;
+};
diff --git a/ui/src/routes.ts b/ui/src/routes.ts
index 462770a09..af716b8b3 100644
--- a/ui/src/routes.ts
+++ b/ui/src/routes.ts
@@ -5,6 +5,7 @@ export type RouteID =
   | "credentials"
   | "importSchema"
   | "issueCredential"
+  | "createAuthCredential"
   | "issuerState"
   | "linkDetails"
   | "notFound"
@@ -16,7 +17,10 @@ export type RouteID =
   | "onboarding"
   | "displayMethods"
   | "displayMethodDetails"
-  | "createDisplayMethod";
+  | "createDisplayMethod"
+  | "keys"
+  | "keyDetails"
+  | "createKey";
 
 export type Layout = "fullWidth" | "fullWidthGrey" | "sider";
 
@@ -37,6 +41,10 @@ export const ROUTES: Routes = {
     layout: "sider",
     path: "/connections",
   },
+  createAuthCredential: {
+    layout: "sider",
+    path: "/credentials/auth",
+  },
   createDisplayMethod: {
     layout: "sider",
     path: "/display-methods/create",
@@ -45,6 +53,10 @@ export const ROUTES: Routes = {
     layout: "sider",
     path: "/identities/create",
   },
+  createKey: {
+    layout: "sider",
+    path: "/keys/create",
+  },
   credentialDetails: {
     layout: "sider",
     path: "/credentials/issued/:credentialID",
@@ -81,6 +93,14 @@ export const ROUTES: Routes = {
     layout: "sider",
     path: "/issuer-state",
   },
+  keyDetails: {
+    layout: "sider",
+    path: "/keys/:keyID",
+  },
+  keys: {
+    layout: "sider",
+    path: "/keys",
+  },
   linkDetails: {
     layout: "sider",
     path: "/credentials/links/:linkID",
diff --git a/ui/src/utils/constants.ts b/ui/src/utils/constants.ts
index fb2a83be3..55b8c380d 100644
--- a/ui/src/utils/constants.ts
+++ b/ui/src/utils/constants.ts
@@ -29,6 +29,10 @@ export const DISPLAY_METHOD_ADD_NEW = "Add new display method";
 export const DISPLAY_METHOD_EDIT = "Edit display method";
 export const DISPLAY_METHOD_ADD = "Add display method";
 export const DISPLAY_METHOD_DETAILS = "Display method details";
+export const KEYS = "Keys";
+export const KEY_ADD = "Add key";
+export const KEY_ADD_NEW = "Add new key";
+export const KEY_DETAILS = "Key details";
 export const LINKS = "Links";
 export const REVOCATION = "Revocation";
 export const REVOKE = "Revoke";
diff --git a/ui/src/utils/error.ts b/ui/src/utils/error.ts
deleted file mode 100644
index 248849151..000000000
--- a/ui/src/utils/error.ts
+++ /dev/null
@@ -1,129 +0,0 @@
-import { message } from "antd";
-import { isAxiosError, isCancel } from "axios";
-import { z } from "zod";
-
-import { getStrictParser } from "src/adapters/parsers";
-import { AppError } from "src/domain";
-
-function processZodError<T>(error: z.ZodError<T>, init: string[] = []) {
-  return error.errors.reduce((mainAcc, issue): string[] => {
-    switch (issue.code) {
-      case "invalid_union": {
-        return [
-          ...mainAcc,
-          ...issue.unionErrors.reduce(
-            (innerAcc: string[], current: z.ZodError<T>): string[] => [
-              ...innerAcc,
-              ...processZodError(current),
-            ],
-            []
-          ),
-        ];
-      }
-
-      default: {
-        const errorMsg = issue.path.length
-          ? `${issue.message} at ${issue.path.join(".")}`
-          : issue.message;
-        return [...mainAcc, errorMsg];
-      }
-    }
-  }, init);
-}
-
-export function notifyError(error: AppError, compact = false): void {
-  if (!compact && error.type === "parse-error") {
-    notifyParseError(error.error);
-  } else {
-    void message.error(error.message);
-  }
-}
-
-export function notifyParseError(error: z.ZodError): void {
-  processZodError(error).forEach((error) => void message.error(error));
-}
-
-export function notifyParseErrors(errors: z.ZodError[]): void {
-  errors.forEach(notifyParseError);
-}
-
-const messageParser = getStrictParser<{ message: string }>()(z.object({ message: z.string() }));
-
-export function buildAppError(error: unknown): AppError {
-  if (typeof error === "string") {
-    return {
-      message: error,
-      type: "custom-error",
-    };
-  } else if (isCancel(error)) {
-    return {
-      error,
-      message: error.message
-        ? `The request has been aborted. ${error.message}`
-        : "The request has been aborted.",
-      type: "cancel-error",
-    };
-  } else if (isAxiosError(error)) {
-    const parsedMessage = messageParser.safeParse(error.response?.data);
-
-    return {
-      error,
-      message: parsedMessage.success
-        ? `${error.message}: ${parsedMessage.data.message}`
-        : error.message,
-      type: "request-error",
-    };
-  } else if (error instanceof z.ZodError) {
-    return {
-      error,
-      message: processZodError(error).join("\n"),
-      type: "parse-error",
-    };
-  } else if (error instanceof Error) {
-    return {
-      error,
-      message: error.message,
-      type: "general-error",
-    };
-  } else {
-    return {
-      error,
-      message: "Unknown error",
-      type: "unknown-error",
-    };
-  }
-}
-
-export const envErrorToString = (error: AppError) =>
-  [
-    "An error occurred while reading the environment variables:",
-    error.message,
-    "Please provide valid environment variables.",
-  ].join("\n");
-
-export const credentialSubjectValueErrorToString = (error: AppError) =>
-  [
-    error.type === "parse-error" || error.type === "custom-error"
-      ? "An error occurred while parsing the value of the credentialSubject:"
-      : "An error occurred while processing the value of the credentialSubject",
-    error.message,
-    "Please try again.",
-  ].join("\n");
-
-export const jsonSchemaErrorToString = (error: AppError) =>
-  [
-    error.type === "parse-error" || error.type === "custom-error"
-      ? "An error occurred while parsing the JSON Schema:"
-      : "An error occurred while downloading the JSON Schema:",
-    error.message,
-    "Please try again.",
-  ].join("\n");
-
-export const jsonLdContextErrorToString = (error: AppError) =>
-  [
-    error.type === "parse-error" || error.type === "custom-error"
-      ? "An error occurred while parsing the JSON LD Type referenced in this schema:"
-      : "An error occurred while downloading the JSON LD Type referenced in this schema:",
-    error.message,
-    "Please try again.",
-  ].join("\n");
diff --git a/ui/src/utils/iden3.ts b/ui/src/utils/iden3.ts
index 760795114..2bfd8b7ae 100644
--- a/ui/src/utils/iden3.ts
+++ b/ui/src/utils/iden3.ts
@@ -1,8 +1,8 @@
 import { keccak256 } from "js-sha3";
 import { Response, buildErrorResponse, buildSuccessResponse } from "src/adapters";
+import { buildAppError } from "src/adapters/parsers";
 
 import { JsonLdType } from "src/domain";
-import { buildAppError } from "src/utils/error";
 
 const HEX_TABLE = "0123456789abcdef";
 
diff --git a/ui/src/utils/types.ts b/ui/src/utils/types.ts
index 5a1cac2bf..eaabf62a9 100644
--- a/ui/src/utils/types.ts
+++ b/ui/src/utils/types.ts
@@ -1,4 +1,4 @@
-import { z } from "zod";
+import { AppError } from "src/domain/error";
 
 export type ResourceMeta = {
   max_results: number;
@@ -7,7 +7,7 @@ export type ResourceMeta = {
 };
 
 export type List<T> = {
-  failed: z.ZodError<T>[];
+  failed: AppError[];
   successful: T[];
 };