Quartech · SpencerMckayQ · Jan 15, 2026 · Jan 15, 2026 · Jan 17, 2026 · Feb 20, 2026
diff --git a/packages/core/src/container-impl.ts b/packages/core/src/container-impl.ts
@@ -87,6 +87,7 @@ export const defaultConfig: Config = {
   PINScreensConfig: {
     useNewPINDesign: false,
   },
+  trustedCertificatesUrl: ReactConfig.TRUSTED_CERTIFICATES_URL,
 }
 
 export const defaultHistoryEventsLogger: HistoryEventsLoggerConfig = {

diff --git a/packages/core/src/hooks/useBifoldAgentSetup.ts b/packages/core/src/hooks/useBifoldAgentSetup.ts
@@ -9,7 +9,7 @@ import { TOKENS, useServices } from '../container-api'
 import { DispatchAction } from '../contexts/reducers/store'
 import { useStore } from '../contexts/store'
 import { WalletSecret } from '../types/security'
-import { createLinkSecretIfRequired, getAgentModules } from '../utils/agent'
+import { createLinkSecretIfRequired, getAgentModulesWithCertificates } from '../utils/agent'
 import { migrateToAskar } from '../utils/migration'
 
 export type AgentSetupReturnType = {
@@ -22,11 +22,12 @@ const useBifoldAgentSetup = (): AgentSetupReturnType => {
   const [agent, setAgent] = useState<Agent | null>(null)
   const agentInstanceRef = useRef<Agent | null>(null)
   const [store, dispatch] = useStore()
-  const [cacheSchemas, cacheCredDefs, logger, indyLedgers] = useServices([
+  const [cacheSchemas, cacheCredDefs, logger, indyLedgers, config] = useServices([
     TOKENS.CACHE_SCHEMAS,
     TOKENS.CACHE_CRED_DEFS,
     TOKENS.UTIL_LOGGER,
     TOKENS.UTIL_LEDGERS,
+    TOKENS.CONFIG,
   ])
 
   const restartExistingAgent = useCallback(
@@ -62,15 +63,18 @@ const useBifoldAgentSetup = (): AgentSetupReturnType => {
           autoUpdateStorageOnStartup: true,
         },
         dependencies: agentDependencies,
-        modules: getAgentModules({
-          indyNetworks: indyLedgers,
-          mediatorInvitationUrl: mediatorUrl,
-          txnCache: {
-            capacity: 1000,
-            expiryOffsetMs: 1000 * 60 * 60 * 24 * 7,
-            path: CachesDirectoryPath + '/txn-cache',
+        modules: await getAgentModulesWithCertificates(
+          {
+            indyNetworks: indyLedgers,
+            mediatorInvitationUrl: mediatorUrl,
+            txnCache: {
+              capacity: 1000,
+              expiryOffsetMs: 1000 * 60 * 60 * 24 * 7,
+              path: CachesDirectoryPath + '/txn-cache',
+            },
           },
-        }),
+          config.trustedCertificatesUrl
+        ),
       })
       const wsTransport = new WsOutboundTransport()
       const httpTransport = new HttpOutboundTransport()
@@ -80,7 +84,7 @@ const useBifoldAgentSetup = (): AgentSetupReturnType => {
 
       return newAgent
     },
-    [store.preferences.walletName, logger, indyLedgers]
+    [store.preferences.walletName, logger, indyLedgers, config.trustedCertificatesUrl]
   )
 
   const migrateIfRequired = useCallback(

diff --git a/packages/core/src/index.ts b/packages/core/src/index.ts
@@ -99,7 +99,7 @@ export * from './types/attestation'
 export { BifoldError } from './types/error'
 export { Screens, Stacks, TabStacks } from './types/navigators'
 export * from './types/version-check'
-export { createLinkSecretIfRequired, getAgentModules } from './utils/agent'
+export { createLinkSecretIfRequired, getAgentModules, getAgentModulesWithCertificates } from './utils/agent'
 export { getCredentialIdentifiers, isValidAnonCredsCredential } from './utils/credential'
 export {
   connectFromScanOrDeepLink,

diff --git a/packages/core/src/types/config.ts b/packages/core/src/types/config.ts
@@ -49,6 +49,7 @@ export interface Config {
   appUpdateConfig?: AppUpdateConfig
   preventScreenCapture?: boolean
   PINScreensConfig: PINScreensConfig
+  trustedCertificatesUrl?: string
 }
 
 export interface PINScreensConfig {

diff --git a/packages/core/src/utils/agent.ts b/packages/core/src/utils/agent.ts
@@ -21,6 +21,7 @@ import {
   ProofsModule,
   V2CredentialProtocol,
   V2ProofProtocol,
+  X509Module,
 } from '@credo-ts/core'
 import { IndyVdrAnonCredsRegistry, IndyVdrModule, IndyVdrPoolConfig } from '@credo-ts/indy-vdr'
 import { OpenId4VcHolderModule } from '@credo-ts/openid4vc'
@@ -34,18 +35,46 @@ interface GetAgentModulesOptions {
   indyNetworks: IndyVdrPoolConfig[]
   mediatorInvitationUrl?: string
   txnCache?: { capacity: number; expiryOffsetMs: number; path?: string }
+  trustedCertificates?: string[]
 }
 
 export type BifoldAgent = Agent<ReturnType<typeof getAgentModules>>
 
+/**
+ * Fetches trusted certificates from a remote API
+ * @param url The API endpoint URL
+ * @returns Array of certificate strings
+ */
+async function fetchTrustedCertificates(url: string): Promise<string[]> {
+  try {
+    const response = await fetch(url)
+    if (!response.ok) {
+      return []
+    }
+    const certificates = await response.json()
+    if (!Array.isArray(certificates)) {
+      return []
+    }
+    return certificates.filter((cert) => typeof cert === 'string' && cert.trim().length > 0)
+  } catch (error) {
-  } catch (error) {
+  } catch (error) {
+    console.error(`Failed to fetch trusted certificates from "${url}". Returning empty list.`, error)
-  } catch (error) {
+  } catch (error) {
+    console.error(`Failed to fetch trusted certificates from "${url}". Returning empty list.`, error)
+    return []
+  }
+}
+
 /**
  * Constructs the modules to be used in the agent setup
  * @param indyNetworks
  * @param mediatorInvitationUrl determine which mediator to use
  * @param txnCache optional local cache config for indyvdr
+ * @param trustedCertificates optional array of trusted certificates for X509 module
  * @returns modules to be used in agent setup
  */
-export function getAgentModules({ indyNetworks, mediatorInvitationUrl, txnCache }: GetAgentModulesOptions) {
+export function getAgentModules({
+  indyNetworks,
+  mediatorInvitationUrl,
+  txnCache,
+  trustedCertificates = [],
+}: GetAgentModulesOptions) {
   const indyCredentialFormat = new LegacyIndyCredentialFormatService()
   const indyProofFormat = new LegacyIndyProofFormatService()
 
@@ -105,9 +134,34 @@ export function getAgentModules({ indyNetworks, mediatorInvitationUrl, txnCache
     pushNotificationsFcm: new PushNotificationsFcmModule(),
     pushNotificationsApns: new PushNotificationsApnsModule(),
     openId4VcHolder: new OpenId4VcHolderModule(),
+    ...(trustedCertificates.length > 0
+      ? {
+          x509: new X509Module({
+            trustedCertificates: trustedCertificates as [string, ...string[]],
-            trustedCertificates: trustedCertificates as [string, ...string[]],
+            trustedCertificates: [trustedCertificates[0], ...trustedCertificates.slice(1)],
-            trustedCertificates: trustedCertificates as [string, ...string[]],
+            trustedCertificates: [trustedCertificates[0], ...trustedCertificates.slice(1)],
+          }),
+        }
+      : {}),
   }
 }
 
+/**
+ * Fetches and prepares agent modules with trusted certificates from remote API
+ * @param options Agent module options including indyNetworks, mediatorInvitationUrl, txnCache
+ * @param trustedCertificatesUrl Optional URL to fetch trusted certificates from
+ * @returns Promise resolving to agent modules
+ */
+export async function getAgentModulesWithCertificates(
+  options: Omit<GetAgentModulesOptions, 'trustedCertificates'>,
+  trustedCertificatesUrl?: string
+) {
+  const trustedCertificates = trustedCertificatesUrl ? await fetchTrustedCertificates(trustedCertificatesUrl) : []
+
+  return getAgentModules({
+    ...options,
+    trustedCertificates,
+  })
+}
+
 interface MyAgentContextInterface {
   loading: boolean
   agent: BifoldAgent