From e0b4822536eea502bb0b280d7563b0e0b6fd90fd Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Fri, 12 Dec 2025 15:33:15 +0100
Subject: [PATCH 01/14] feat: add `ManagedKey` aggregate and related components

---
 agent_event_publisher_http/src/lib.rs         | 31 ++++++--
 agent_identity/src/lib.rs                     |  1 +
 agent_identity/src/managed_key/README.md      |  7 ++
 agent_identity/src/managed_key/aggregate.rs   | 79 +++++++++++++++++++
 agent_identity/src/managed_key/command.rs     |  2 +
 agent_identity/src/managed_key/error.rs       |  4 +
 agent_identity/src/managed_key/event.rs       | 18 +++++
 agent_identity/src/managed_key/mod.rs         |  5 ++
 .../src/managed_key/views/all_managed_keys.rs | 23 ++++++
 agent_identity/src/managed_key/views/mod.rs   | 15 ++++
 agent_identity/src/state.rs                   | 14 +++-
 agent_shared/src/config/mod.rs                |  5 ++
 agent_store/src/lib.rs                        | 22 ++++++
 13 files changed, 220 insertions(+), 6 deletions(-)
 create mode 100644 agent_identity/src/managed_key/README.md
 create mode 100644 agent_identity/src/managed_key/aggregate.rs
 create mode 100644 agent_identity/src/managed_key/command.rs
 create mode 100644 agent_identity/src/managed_key/error.rs
 create mode 100644 agent_identity/src/managed_key/event.rs
 create mode 100644 agent_identity/src/managed_key/mod.rs
 create mode 100644 agent_identity/src/managed_key/views/all_managed_keys.rs
 create mode 100644 agent_identity/src/managed_key/views/mod.rs

diff --git a/agent_event_publisher_http/src/lib.rs b/agent_event_publisher_http/src/lib.rs
index 418ddbf1..26537f96 100644
--- a/agent_event_publisher_http/src/lib.rs
+++ b/agent_event_publisher_http/src/lib.rs
@@ -4,8 +4,8 @@ use agent_authorization::domain::{
 };
 use agent_holder::presentation::aggregate::Presentation;
 use agent_identity::{
-    connection::aggregate::Connection, document::aggregate::Document, profile::aggregate::Profile,
-    service::aggregate::Service,
+    connection::aggregate::Connection, document::aggregate::Document, managed_key::aggregate::ManagedKey,
+    profile::aggregate::Profile, service::aggregate::Service,
 };
 use agent_issuance::{
     credential::aggregate::Credential, offer::aggregate::Offer, server_config::aggregate::ServerConfig,
@@ -15,9 +15,9 @@ use agent_shared::config::config;
 use agent_store::{
     AccessTokenEventPublisher, AuthorizationCodeEventPublisher, AuthorizationRequestEventPublisher,
     ClientEventPublisher, ConnectionEventPublisher, CredentialEventPublisher, DocumentEventPublisher, EventPublisher,
-    HolderCredentialEventPublisher, OAuth2AuthorizationRequestEventPublisher, OfferEventPublisher,
-    PresentationEventPublisher, ProfileEventPublisher, ReceivedOfferEventPublisher, ServerConfigEventPublisher,
-    ServiceEventPublisher, TemplateEventPublisher,
+    HolderCredentialEventPublisher, ManagedKeyEventPublisher, OAuth2AuthorizationRequestEventPublisher,
+    OfferEventPublisher, PresentationEventPublisher, ProfileEventPublisher, ReceivedOfferEventPublisher,
+    ServerConfigEventPublisher, ServiceEventPublisher, TemplateEventPublisher,
 };
 use agent_verification::authorization_request::aggregate::AuthorizationRequest;
 use async_trait::async_trait;
@@ -41,6 +41,7 @@ pub struct EventPublisherHttp {
     pub document: Option<AggregateEventPublisherHttp<Document>>,
     pub profile: Option<AggregateEventPublisherHttp<Profile>>,
     pub service: Option<AggregateEventPublisherHttp<Service>>,
+    pub managed_key: Option<AggregateEventPublisherHttp<ManagedKey>>,
 
     // Library
     pub template: Option<AggregateEventPublisherHttp<Template>>,
@@ -173,6 +174,19 @@ impl EventPublisherHttp {
             )
         });
 
+        let managed_key = (!event_publisher_http.events.managed_key.is_empty()).then(|| {
+            AggregateEventPublisherHttp::<ManagedKey>::new(
+                event_publisher_http.target_url.clone(),
+                event_publisher_http.headers.clone(),
+                event_publisher_http
+                    .events
+                    .managed_key
+                    .iter()
+                    .map(ToString::to_string)
+                    .collect(),
+            )
+        });
+
         let template = (!event_publisher_http.events.template.is_empty()).then(|| {
             AggregateEventPublisherHttp::<Template>::new(
                 event_publisher_http.target_url.clone(),
@@ -286,6 +300,7 @@ impl EventPublisherHttp {
             document,
             profile,
             service,
+            managed_key,
             template,
             server_config,
             credential,
@@ -327,6 +342,12 @@ impl EventPublisher for EventPublisherHttp {
             .map(|publisher| Box::new(publisher) as ServiceEventPublisher)
     }
 
+    fn managed_key(&mut self) -> Option<ManagedKeyEventPublisher> {
+        self.managed_key
+            .take()
+            .map(|publisher| Box::new(publisher) as ManagedKeyEventPublisher)
+    }
+
     fn template(&mut self) -> Option<TemplateEventPublisher> {
         self.template
             .take()
diff --git a/agent_identity/src/lib.rs b/agent_identity/src/lib.rs
index 59554c8c..1aa725eb 100644
--- a/agent_identity/src/lib.rs
+++ b/agent_identity/src/lib.rs
@@ -1,6 +1,7 @@
 // Aggregates
 pub mod connection;
 pub mod document;
+pub mod managed_key;
 pub mod profile;
 pub mod service;
 
diff --git a/agent_identity/src/managed_key/README.md b/agent_identity/src/managed_key/README.md
new file mode 100644
index 00000000..3af85459
--- /dev/null
+++ b/agent_identity/src/managed_key/README.md
@@ -0,0 +1,7 @@
+# Service
+
+This aggregate holds everything related to a service:
+- id
+- service (DID Document Service)
+- resource (e.g. Domain Linkage resource)
+
diff --git a/agent_identity/src/managed_key/aggregate.rs b/agent_identity/src/managed_key/aggregate.rs
new file mode 100644
index 00000000..9b0d0270
--- /dev/null
+++ b/agent_identity/src/managed_key/aggregate.rs
@@ -0,0 +1,79 @@
+use super::{command::ManagedKeyCommand, error::ManagedKeyError, event::ManagedKeyEvent};
+use agent_shared::config::config;
+use async_trait::async_trait;
+use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
+use cqrs_es::Aggregate;
+use identity_core::{
+    common::{Duration, OrderedSet, Timestamp},
+    convert::{FromJson, ToJson},
+};
+use identity_credential::{
+    credential::Jwt,
+    domain_linkage::{DomainLinkageConfiguration, DomainLinkageCredentialBuilder},
+};
+use identity_did::DIDUrl;
+use jsonwebtoken::{Algorithm, Header};
+use oid4vc_core::Sign as _;
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use std::{str::FromStr as _, sync::Arc};
+use tracing::{debug, info};
+
+#[derive(Debug, Clone, Serialize, Deserialize, Default)]
+pub struct ManagedKey {
+    #[serde(rename = "id")]
+    pub managed_key_id: String,
+    pub alias: Option<String>,
+    pub key_id: Option<String>,
+    pub signing_algorithm: Option<String>,
+}
+
+#[async_trait]
+impl Aggregate for ManagedKey {
+    type Command = ManagedKeyCommand;
+    type Event = ManagedKeyEvent;
+    type Error = ManagedKeyError;
+    type Services = ();
+
+    fn aggregate_type() -> String {
+        "managed_key".to_string()
+    }
+
+    async fn handle(&self, command: Self::Command, services: &Self::Services) -> Result<Vec<Self::Event>, Self::Error> {
+        use ManagedKeyCommand::*;
+        use ManagedKeyError::*;
+        use ManagedKeyEvent::*;
+
+        info!("Handling command: {:?}", command);
+
+        match command {}
+    }
+
+    fn apply(&mut self, event: Self::Event) {
+        use ManagedKeyEvent::*;
+
+        debug!("Applying event: {:?}", event);
+
+        match event {}
+    }
+}
+
+#[cfg(test)]
+pub mod managed_key_tests {
+    use super::test_utils::*;
+    use super::*;
+    use crate::document::aggregate::test_utils::both_verification_methods;
+    use agent_shared::config::set_config;
+    use cqrs_es::test::TestFramework;
+    use rstest::rstest;
+
+    type ManagedKeyTestFramework = TestFramework<ManagedKey>;
+}
+
+#[cfg(feature = "test_utils")]
+pub mod test_utils {
+    use super::*;
+    use identity_core::{common::Url, convert::FromJson};
+    use rstest::*;
+    use serde_json::json;
+}
diff --git a/agent_identity/src/managed_key/command.rs b/agent_identity/src/managed_key/command.rs
new file mode 100644
index 00000000..2f13e2df
--- /dev/null
+++ b/agent_identity/src/managed_key/command.rs
@@ -0,0 +1,2 @@
+#[derive(Debug)]
+pub enum ManagedKeyCommand {}
diff --git a/agent_identity/src/managed_key/error.rs b/agent_identity/src/managed_key/error.rs
new file mode 100644
index 00000000..a436e730
--- /dev/null
+++ b/agent_identity/src/managed_key/error.rs
@@ -0,0 +1,4 @@
+use thiserror::Error;
+
+#[derive(Error, Debug)]
+pub enum ManagedKeyError {}
diff --git a/agent_identity/src/managed_key/event.rs b/agent_identity/src/managed_key/event.rs
new file mode 100644
index 00000000..ae4a44fd
--- /dev/null
+++ b/agent_identity/src/managed_key/event.rs
@@ -0,0 +1,18 @@
+use cqrs_es::DomainEvent;
+use derivative::Derivative;
+use serde::{Deserialize, Serialize};
+use strum::Display;
+
+#[derive(Clone, Debug, Deserialize, Serialize, Derivative, Display)]
+#[derivative(PartialEq)]
+pub enum ManagedKeyEvent {}
+
+impl DomainEvent for ManagedKeyEvent {
+    fn event_type(&self) -> String {
+        self.to_string()
+    }
+
+    fn event_version(&self) -> String {
+        "1".to_string()
+    }
+}
diff --git a/agent_identity/src/managed_key/mod.rs b/agent_identity/src/managed_key/mod.rs
new file mode 100644
index 00000000..7cbc4ed7
--- /dev/null
+++ b/agent_identity/src/managed_key/mod.rs
@@ -0,0 +1,5 @@
+pub mod aggregate;
+pub mod command;
+pub mod error;
+pub mod event;
+pub mod views;
diff --git a/agent_identity/src/managed_key/views/all_managed_keys.rs b/agent_identity/src/managed_key/views/all_managed_keys.rs
new file mode 100644
index 00000000..1420ba78
--- /dev/null
+++ b/agent_identity/src/managed_key/views/all_managed_keys.rs
@@ -0,0 +1,23 @@
+use super::ManagedKeyView;
+use crate::managed_key::aggregate::ManagedKey;
+use cqrs_es::{EventEnvelope, View};
+use serde::{Deserialize, Serialize};
+use std::collections::HashMap;
+
+#[derive(Debug, Default, Serialize, Deserialize, Clone)]
+pub struct AllManagedKeysView {
+    #[serde(flatten)]
+    pub managed_keys: HashMap<String, ManagedKeyView>,
+}
+
+impl View<ManagedKey> for AllManagedKeysView {
+    fn update(&mut self, event: &EventEnvelope<ManagedKey>) {
+        self.managed_keys
+            // Get the entry for the aggregate_id
+            .entry(event.aggregate_id.clone())
+            // or insert a new one if it doesn't exist
+            .or_default()
+            // update the view with the event
+            .update(event);
+    }
+}
diff --git a/agent_identity/src/managed_key/views/mod.rs b/agent_identity/src/managed_key/views/mod.rs
new file mode 100644
index 00000000..c3e96276
--- /dev/null
+++ b/agent_identity/src/managed_key/views/mod.rs
@@ -0,0 +1,15 @@
+pub mod all_managed_keys;
+
+use super::aggregate::ManagedKey;
+use cqrs_es::{EventEnvelope, View};
+
+pub type ManagedKeyView = ManagedKey;
+impl View<ManagedKey> for ManagedKey {
+    fn update(&mut self, event: &EventEnvelope<ManagedKey>) {
+        use crate::managed_key::event::ManagedKeyEvent::*;
+
+        // match &event.payload {
+        //     _ => todo!(),
+        // }
+    }
+}
diff --git a/agent_identity/src/state.rs b/agent_identity/src/state.rs
index 019802f1..c2c7ea92 100644
--- a/agent_identity/src/state.rs
+++ b/agent_identity/src/state.rs
@@ -4,6 +4,9 @@ use crate::connection::views::ConnectionView;
 use crate::document::aggregate::Status;
 use crate::document::command::DocumentCommand;
 use crate::document::views::all_documents::AllDocumentsView;
+use crate::managed_key::aggregate::ManagedKey;
+use crate::managed_key::views::all_managed_keys::AllManagedKeysView;
+use crate::managed_key::views::ManagedKeyView;
 use crate::profile::aggregate::{Profile, Source};
 use crate::profile::command::ProfileCommand;
 use crate::profile::views::ProfileView;
@@ -43,6 +46,7 @@ pub struct CommandHandlers {
     pub document: CommandHandler<Document>,
     pub profile: CommandHandler<Profile>,
     pub service: CommandHandler<Service>,
+    pub managed_key: CommandHandler<ManagedKey>,
 }
 
 /// This type is used to define the queries that are used to query the view repositories. We make use of `dyn` here, so
@@ -56,9 +60,11 @@ type Queries = ViewRepositories<
     dyn ViewRepository<ProfileView, Profile>,
     dyn ViewRepository<ServiceView, Service>,
     dyn ViewRepository<AllServicesView, Service>,
+    dyn ViewRepository<ManagedKeyView, ManagedKey>,
+    dyn ViewRepository<AllManagedKeysView, ManagedKey>,
 >;
 
-pub struct ViewRepositories<C1, C2, D1, D2, P, S1, S2>
+pub struct ViewRepositories<C1, C2, D1, D2, P, S1, S2, MK1, MK2>
 where
     C1: ViewRepository<ConnectionView, Connection> + ?Sized,
     C2: ViewRepository<AllConnectionsView, Connection> + ?Sized,
@@ -67,6 +73,8 @@ where
     P: ViewRepository<ProfileView, Profile> + ?Sized,
     S1: ViewRepository<ServiceView, Service> + ?Sized,
     S2: ViewRepository<AllServicesView, Service> + ?Sized,
+    MK1: ViewRepository<ManagedKeyView, ManagedKey> + ?Sized,
+    MK2: ViewRepository<AllManagedKeysView, ManagedKey> + ?Sized,
 {
     pub connection: Arc<C1>,
     pub all_connections: Arc<C2>,
@@ -75,6 +83,8 @@ where
     pub profile: Arc<P>,
     pub service: Arc<S1>,
     pub all_services: Arc<S2>,
+    pub managed_key: Arc<MK1>,
+    pub all_managed_keys: Arc<MK2>,
 }
 
 impl Clone for Queries {
@@ -87,6 +97,8 @@ impl Clone for Queries {
             profile: self.profile.clone(),
             service: self.service.clone(),
             all_services: self.all_services.clone(),
+            managed_key: self.managed_key.clone(),
+            all_managed_keys: self.all_managed_keys.clone(),
         }
     }
 }
diff --git a/agent_shared/src/config/mod.rs b/agent_shared/src/config/mod.rs
index 06283a12..c211da90 100644
--- a/agent_shared/src/config/mod.rs
+++ b/agent_shared/src/config/mod.rs
@@ -610,6 +610,8 @@ pub struct Events {
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
     pub service: Vec<ServiceEvent>,
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
+    pub managed_key: Vec<ManagedKeyEvent>,
+    #[serde(default, skip_serializing_if = "Vec::is_empty")]
     pub template: Vec<TemplateEvent>,
     #[serde(default, skip_serializing_if = "Vec::is_empty")]
     pub server_config: Vec<ServerConfigEvent>,
@@ -681,6 +683,9 @@ pub enum ServiceEvent {
     LinkedVerifiablePresentationServiceCreated,
 }
 
+#[derive(Debug, Serialize, Deserialize, Clone, strum::Display)]
+pub enum ManagedKeyEvent {}
+
 #[derive(Debug, Serialize, Deserialize, Clone, strum::Display)]
 pub enum TemplateEvent {
     TemplateCreated,
diff --git a/agent_store/src/lib.rs b/agent_store/src/lib.rs
index 494d7353..4fdd26b8 100644
--- a/agent_store/src/lib.rs
+++ b/agent_store/src/lib.rs
@@ -22,6 +22,8 @@ use agent_holder::services::HolderServices;
 use agent_holder::state::HolderState;
 use agent_identity::connection::views::all_connections::AllConnectionsView;
 use agent_identity::document::views::all_documents::AllDocumentsView;
+use agent_identity::managed_key::aggregate::ManagedKey;
+use agent_identity::managed_key::views::all_managed_keys::AllManagedKeysView;
 use agent_identity::service::views::all_services::AllServicesView;
 use agent_identity::services::IdentityServices;
 use agent_identity::state::IdentityState;
@@ -176,6 +178,7 @@ pub async fn identity_state<CCB: CqrsComponentBuilder>(
     let Partitions {
         connection_event_publishers,
         document_event_publishers,
+        managed_key_event_publishers,
         service_event_publishers,
         ..
     } = partition_event_publishers(event_publishers);
@@ -195,6 +198,9 @@ pub async fn identity_state<CCB: CqrsComponentBuilder>(
     let (service_command_handler, service, all_services) = builder
         .commands_and_queries::<Service, Service, AllServicesView>(services.clone(), service_event_publishers)
         .await;
+    let (managed_key_command_handler, managed_key, all_managed_keys) = builder
+        .commands_and_queries::<ManagedKey, ManagedKey, AllManagedKeysView>((), managed_key_event_publishers)
+        .await;
 
     IdentityState {
         command: agent_identity::state::CommandHandlers {
@@ -202,6 +208,7 @@ pub async fn identity_state<CCB: CqrsComponentBuilder>(
             document: document_command_handler,
             profile: profile_command_handler,
             service: service_command_handler,
+            managed_key: managed_key_command_handler,
         },
         query: agent_identity::state::ViewRepositories {
             connection,
@@ -210,6 +217,8 @@ pub async fn identity_state<CCB: CqrsComponentBuilder>(
             all_documents,
             service,
             all_services,
+            managed_key,
+            all_managed_keys,
             profile,
         },
     }
@@ -429,6 +438,7 @@ pub type ConnectionEventPublisher = Box<dyn Query<Connection>>;
 pub type DocumentEventPublisher = Box<dyn Query<Document>>;
 pub type ProfileEventPublisher = Box<dyn Query<Profile>>;
 pub type ServiceEventPublisher = Box<dyn Query<Service>>;
+pub type ManagedKeyEventPublisher = Box<dyn Query<ManagedKey>>;
 pub type TemplateEventPublisher = Box<dyn Query<Template>>;
 pub type AuthorizationCodeEventPublisher = Box<dyn Query<AuthorizationCode>>;
 pub type ClientEventPublisher = Box<dyn Query<Client>>;
@@ -449,6 +459,7 @@ pub struct Partitions {
     pub document_event_publishers: Vec<DocumentEventPublisher>,
     pub profile_event_publishers: Vec<ProfileEventPublisher>,
     pub service_event_publishers: Vec<ServiceEventPublisher>,
+    pub managed_key_event_publishers: Vec<ManagedKeyEventPublisher>,
     pub template_event_publishers: Vec<TemplateEventPublisher>,
     pub authorization_code_event_publishers: Vec<AuthorizationCodeEventPublisher>,
     pub client_event_publishers: Vec<ClientEventPublisher>,
@@ -472,6 +483,7 @@ pub trait EventPublisher {
     fn document(&mut self) -> Option<DocumentEventPublisher>;
     fn profile(&mut self) -> Option<ProfileEventPublisher>;
     fn service(&mut self) -> Option<ServiceEventPublisher>;
+    fn managed_key(&mut self) -> Option<ManagedKeyEventPublisher>;
 
     fn template(&mut self) -> Option<TemplateEventPublisher>;
 
@@ -601,6 +613,10 @@ mod test {
             None
         }
 
+        fn managed_key(&mut self) -> Option<ManagedKeyEventPublisher> {
+            None
+        }
+
         fn template(&mut self) -> Option<TemplateEventPublisher> {
             None
         }
@@ -667,6 +683,10 @@ mod test {
             None
         }
 
+        fn managed_key(&mut self) -> Option<ManagedKeyEventPublisher> {
+            None
+        }
+
         fn template(&mut self) -> Option<TemplateEventPublisher> {
             None
         }
@@ -723,6 +743,7 @@ mod test {
             document_event_publishers,
             profile_event_publishers,
             service_event_publishers,
+            managed_key_event_publishers,
             template_event_publishers,
             authorization_code_event_publishers,
             client_event_publishers,
@@ -741,6 +762,7 @@ mod test {
         assert_eq!(document_event_publishers.len(), 0);
         assert_eq!(profile_event_publishers.len(), 0);
         assert_eq!(service_event_publishers.len(), 0);
+        assert_eq!(managed_key_event_publishers.len(), 0);
         assert_eq!(template_event_publishers.len(), 0);
         assert_eq!(authorization_code_event_publishers.len(), 0);
         assert_eq!(client_event_publishers.len(), 0);

From 58149f7742437401781aa0a7f4c9e9737a352695 Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Wed, 17 Dec 2025 09:53:35 +0100
Subject: [PATCH 02/14] feat: implement key generation and removal sagas,
 update managed key handling

---
 Cargo.lock                                    |  10 +-
 agent_api_http/src/lib.rs                     |  11 +-
 agent_application/src/main.rs                 |  27 ++++-
 agent_event_publisher_nats/src/lib.rs         |  10 +-
 agent_holder/src/offer/event.rs               |   1 +
 agent_identity/src/application/mod.rs         |   1 +
 .../application/sagas/key_generation_saga.rs  |  88 ++++++++++++++
 .../src/application/sagas/key_removal_saga.rs |  78 ++++++++++++
 agent_identity/src/application/sagas/mod.rs   |   2 +
 agent_identity/src/document/aggregate.rs      |  78 ++++++++++++
 agent_identity/src/document/command.rs        |   9 ++
 agent_identity/src/document/event.rs          |  13 ++
 agent_identity/src/document/views/mod.rs      |  18 +++
 agent_identity/src/lib.rs                     |   1 +
 agent_identity/src/managed_key/aggregate.rs   | 114 +++++++++++++++++-
 agent_identity/src/managed_key/command.rs     |  15 ++-
 agent_identity/src/managed_key/event.rs       |  24 +++-
 agent_identity/src/state.rs                   |  12 +-
 agent_secret_manager/Cargo.toml               |   6 +-
 agent_store/src/lib.rs                        |   2 +-
 20 files changed, 484 insertions(+), 36 deletions(-)
 create mode 100644 agent_identity/src/application/mod.rs
 create mode 100644 agent_identity/src/application/sagas/key_generation_saga.rs
 create mode 100644 agent_identity/src/application/sagas/key_removal_saga.rs
 create mode 100644 agent_identity/src/application/sagas/mod.rs

diff --git a/Cargo.lock b/Cargo.lock
index ffd1fe56..52ae8d29 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2432,7 +2432,6 @@ checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6"
 [[package]]
 name = "consumer"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?tag=v1.0.0-beta.6#e8f68b575a3ee354ac4b08663939917977974556"
 dependencies = [
  "did_iota",
  "did_jwk",
@@ -3191,7 +3190,6 @@ dependencies = [
 [[package]]
 name = "did_iota"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?tag=v1.0.0-beta.6#e8f68b575a3ee354ac4b08663939917977974556"
 dependencies = [
  "anyhow",
  "identity_iota",
@@ -3206,7 +3204,6 @@ dependencies = [
 [[package]]
 name = "did_jwk"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?tag=v1.0.0-beta.6#e8f68b575a3ee354ac4b08663939917977974556"
 dependencies = [
  "did-jwk",
  "identity_iota",
@@ -3223,7 +3220,6 @@ dependencies = [
 [[package]]
 name = "did_key"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?tag=v1.0.0-beta.6#e8f68b575a3ee354ac4b08663939917977974556"
 dependencies = [
  "did-method-key",
  "identity_iota",
@@ -3270,7 +3266,6 @@ dependencies = [
 [[package]]
 name = "did_web"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?tag=v1.0.0-beta.6#e8f68b575a3ee354ac4b08663939917977974556"
 dependencies = [
  "did-web",
  "identity_iota",
@@ -5280,7 +5275,6 @@ dependencies = [
 [[package]]
 name = "identity_stronghold_ext"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?tag=v1.0.0-beta.6#e8f68b575a3ee354ac4b08663939917977974556"
 dependencies = [
  "async-trait",
  "elliptic-curve 0.13.8",
@@ -5291,6 +5285,7 @@ dependencies = [
  "k256",
  "log",
  "p256 0.13.2",
+ "rand 0.8.5",
  "secret-storage",
  "serde_json",
  "stronghold_ext",
@@ -10740,7 +10735,7 @@ dependencies = [
 [[package]]
 name = "secret-storage"
 version = "0.3.0"
-source = "git+https://github.com/iotaledger/secret-storage.git?tag=v0.3.0#7dc13ddae8a7f2c8a931d3155f3cb9e9a27902fb"
+source = "git+https://github.com/iotaledger/secret-storage?tag=v0.3.0#7dc13ddae8a7f2c8a931d3155f3cb9e9a27902fb"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -11183,7 +11178,6 @@ dependencies = [
 [[package]]
 name = "shared"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?tag=v1.0.0-beta.6#e8f68b575a3ee354ac4b08663939917977974556"
 dependencies = [
  "identity_iota",
  "identity_storage",
diff --git a/agent_api_http/src/lib.rs b/agent_api_http/src/lib.rs
index f2e1a0f4..b8f377dd 100644
--- a/agent_api_http/src/lib.rs
+++ b/agent_api_http/src/lib.rs
@@ -8,7 +8,10 @@ pub mod utils;
 
 use agent_authorization::state::AuthorizationState;
 use agent_holder::state::HolderState;
-use agent_identity::state::IdentityState;
+use agent_identity::{
+    application::sagas::{key_generation_saga::KeyGenerationSaga, key_removal_saga::KeyRemovalSaga},
+    state::IdentityState,
+};
 use agent_issuance::state::IssuanceState;
 use agent_library::state::LibraryState;
 use agent_shared::config::config;
@@ -40,6 +43,9 @@ pub struct ApplicationState {
     pub issuance_state: Option<Arc<IssuanceState>>,
     pub holder_state: Option<Arc<HolderState>>,
     pub verification_state: Option<Arc<VerificationState>>,
+
+    pub key_generation_saga: Option<KeyGenerationSaga>,
+    pub key_removal_saga: Option<KeyRemovalSaga>,
 }
 
 pub fn app(
@@ -50,6 +56,9 @@ pub fn app(
         issuance_state,
         holder_state,
         verification_state,
+
+        key_generation_saga: _,
+        key_removal_saga: _,
     }: ApplicationState,
 ) -> Router {
     let app = Router::new()
diff --git a/agent_application/src/main.rs b/agent_application/src/main.rs
index 0910715c..03a65aa5 100644
--- a/agent_application/src/main.rs
+++ b/agent_application/src/main.rs
@@ -12,7 +12,13 @@ use agent_authorization::services::AuthorizationServices;
 use agent_event_publisher_http::EventPublisherHttp;
 use agent_event_publisher_nats::EventPublisherNats;
 use agent_holder::services::HolderServices;
-use agent_identity::services::IdentityServices;
+use agent_identity::{
+    application::sagas::{
+        key_generation_saga::{self, KeyGenerationSaga},
+        key_removal_saga::{self, KeyRemovalSaga},
+    },
+    services::IdentityServices,
+};
 use agent_issuance::{
     application::policies::issuer_metadata_synchronization_policy::IssuerMetadataSynchronizationPolicy,
     services::IssuanceServices,
@@ -65,7 +71,10 @@ async fn main() -> io::Result<()> {
                     IssuerMetadataSynchronizationPolicy::new(issuance_state.clone());
 
                 (
-                    Arc::new(agent_store::identity_state(&builder, identity_services, identity_event_publishers).await),
+                    Arc::new(
+                        agent_store::identity_state(&builder, identity_services.clone(), identity_event_publishers)
+                            .await,
+                    ),
                     Arc::new(
                         agent_store::library_state(
                             &builder,
@@ -100,7 +109,10 @@ async fn main() -> io::Result<()> {
                     IssuerMetadataSynchronizationPolicy::new(issuance_state.clone());
 
                 (
-                    Arc::new(agent_store::identity_state(&builder, identity_services, identity_event_publishers).await),
+                    Arc::new(
+                        agent_store::identity_state(&builder, identity_services.clone(), identity_event_publishers)
+                            .await,
+                    ),
                     Arc::new(
                         agent_store::library_state(
                             &builder,
@@ -135,7 +147,8 @@ async fn main() -> io::Result<()> {
 
                 (
                     Arc::new(
-                        agent_store::identity_state(&InMemory, identity_services, identity_event_publishers).await,
+                        agent_store::identity_state(&InMemory, identity_services.clone(), identity_event_publishers)
+                            .await,
                     ),
                     Arc::new(
                         agent_store::library_state(
@@ -179,6 +192,9 @@ async fn main() -> io::Result<()> {
     agent_identity::state::initialize(&identity_state).await.unwrap();
     agent_issuance::state::initialize(&issuance_state).await.unwrap();
 
+    let key_generation_saga = KeyGenerationSaga::new(identity_state.clone(), identity_services.clone());
+    let key_removal_saga = KeyRemovalSaga::new(identity_state.clone(), identity_services.clone());
+
     let app = app(ApplicationState {
         identity_state: Some(identity_state),
         library_state: Some(library_state),
@@ -186,6 +202,9 @@ async fn main() -> io::Result<()> {
         issuance_state: Some(issuance_state),
         holder_state: Some(holder_state),
         verification_state: Some(verification_state),
+
+        key_generation_saga: Some(key_generation_saga),
+        key_removal_saga: Some(key_removal_saga),
     });
 
     let metadata_state = metadata::MetadataState {
diff --git a/agent_event_publisher_nats/src/lib.rs b/agent_event_publisher_nats/src/lib.rs
index b1a88cd7..472cfbc4 100644
--- a/agent_event_publisher_nats/src/lib.rs
+++ b/agent_event_publisher_nats/src/lib.rs
@@ -3,9 +3,9 @@ use agent_shared::config::config;
 use agent_store::{
     AccessTokenEventPublisher, AuthorizationCodeEventPublisher, AuthorizationRequestEventPublisher,
     ClientEventPublisher, ConnectionEventPublisher, CredentialEventPublisher, DocumentEventPublisher, EventPublisher,
-    HolderCredentialEventPublisher, OAuth2AuthorizationRequestEventPublisher, OfferEventPublisher,
-    PresentationEventPublisher, ProfileEventPublisher, ReceivedOfferEventPublisher, ServerConfigEventPublisher,
-    ServiceEventPublisher, TemplateEventPublisher,
+    HolderCredentialEventPublisher, ManagedKeyEventPublisher, OAuth2AuthorizationRequestEventPublisher,
+    OfferEventPublisher, PresentationEventPublisher, ProfileEventPublisher, ReceivedOfferEventPublisher,
+    ServerConfigEventPublisher, ServiceEventPublisher, TemplateEventPublisher,
 };
 use async_nats::Client;
 use async_trait::async_trait;
@@ -110,6 +110,10 @@ impl EventPublisher for EventPublisherNats {
         None
     }
 
+    fn managed_key(&mut self) -> Option<ManagedKeyEventPublisher> {
+        None
+    }
+
     fn template(&mut self) -> Option<TemplateEventPublisher> {
         None
     }
diff --git a/agent_holder/src/offer/event.rs b/agent_holder/src/offer/event.rs
index e57f85c6..bb157980 100644
--- a/agent_holder/src/offer/event.rs
+++ b/agent_holder/src/offer/event.rs
@@ -9,6 +9,7 @@ use std::collections::HashMap;
 use strum::Display;
 
 #[derive(Clone, Debug, Deserialize, PartialEq, Serialize, Display)]
+#[serde(tag = "type")]
 pub enum OfferEvent {
     CredentialOfferReceived {
         received_offer_id: String,
diff --git a/agent_identity/src/application/mod.rs b/agent_identity/src/application/mod.rs
new file mode 100644
index 00000000..c6dd99da
--- /dev/null
+++ b/agent_identity/src/application/mod.rs
@@ -0,0 +1 @@
+pub mod sagas;
diff --git a/agent_identity/src/application/sagas/key_generation_saga.rs b/agent_identity/src/application/sagas/key_generation_saga.rs
new file mode 100644
index 00000000..b63ee3ab
--- /dev/null
+++ b/agent_identity/src/application/sagas/key_generation_saga.rs
@@ -0,0 +1,88 @@
+use agent_shared::handlers::{command_handler, query_handler};
+use async_trait::async_trait;
+use cqrs_es::{EventEnvelope, Query};
+use identity_iota::verification::VerificationMethod;
+use identity_storage::KeyId;
+
+use crate::{
+    document::command::DocumentCommand,
+    managed_key::{
+        aggregate::{ManagedKey, SigningAlgorithm},
+        command::ManagedKeyCommand,
+    },
+    services::IdentityServices,
+    state::IdentityState,
+};
+use std::sync::Arc;
+
+pub struct KeyGenerationSaga {
+    identity_state: Arc<IdentityState>,
+    identity_services: Arc<IdentityServices>,
+}
+
+impl KeyGenerationSaga {
+    pub fn new(identity_state: Arc<IdentityState>, identity_services: Arc<IdentityServices>) -> Self {
+        Self {
+            identity_state,
+            identity_services,
+        }
+    }
+
+    pub async fn generate_key(&self, alias: String, signing_algorithm: SigningAlgorithm) {
+        // TODO: Add undo logic!!!
+
+        let managed_key_id = uuid::Uuid::new_v4().to_string();
+
+        let command = ManagedKeyCommand::GenerateKey {
+            managed_key_id: managed_key_id.clone(),
+            alias,
+            signing_algorithm,
+        };
+
+        command_handler(&managed_key_id, &self.identity_state.command.managed_key, command)
+            .await
+            .unwrap();
+
+        if let Some(managed_key_view) = query_handler(&managed_key_id, &self.identity_state.query.managed_key)
+            .await
+            .unwrap()
+        {
+            let key_id = managed_key_view.key_id.clone();
+            let signing_algorithm = managed_key_view.signing_algorithm.unwrap();
+
+            if let Some(all_documents_view) = query_handler("all_documents", &self.identity_state.query.all_documents)
+                .await
+                .unwrap()
+            {
+                for (document_id, document_view) in all_documents_view.documents {
+                    if document_view
+                        .did_method
+                        .map(|did_method| did_method.supports_update())
+                        .unwrap_or(false)
+                    {
+                        let command = DocumentCommand::AddVerificationMethod {
+                            key_id: key_id.clone(),
+                            signing_algorithm: signing_algorithm.clone(),
+                        };
+
+                        command_handler(&document_id, &self.identity_state.command.document, command)
+                            .await
+                            .unwrap();
+
+                        if document_view
+                            .did_method
+                            .map(|did_method| did_method.hosted_decentrally())
+                            .unwrap_or(false)
+                        {
+                            let command = DocumentCommand::PublishDocument;
+
+                            command_handler(&document_id, &self.identity_state.command.document, command)
+                                .await
+                                .unwrap();
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
diff --git a/agent_identity/src/application/sagas/key_removal_saga.rs b/agent_identity/src/application/sagas/key_removal_saga.rs
new file mode 100644
index 00000000..fdc8cba2
--- /dev/null
+++ b/agent_identity/src/application/sagas/key_removal_saga.rs
@@ -0,0 +1,78 @@
+use agent_shared::handlers::{command_handler, query_handler};
+use async_trait::async_trait;
+use cqrs_es::{EventEnvelope, Query};
+use identity_iota::verification::VerificationMethod;
+use identity_storage::KeyId;
+
+use crate::{
+    document::command::DocumentCommand,
+    managed_key::{
+        aggregate::{ManagedKey, SigningAlgorithm},
+        command::ManagedKeyCommand,
+    },
+    services::IdentityServices,
+    state::IdentityState,
+};
+use std::sync::Arc;
+
+pub struct KeyRemovalSaga {
+    identity_state: Arc<IdentityState>,
+    identity_services: Arc<IdentityServices>,
+}
+
+impl KeyRemovalSaga {
+    pub fn new(identity_state: Arc<IdentityState>, identity_services: Arc<IdentityServices>) -> Self {
+        Self {
+            identity_state,
+            identity_services,
+        }
+    }
+
+    pub async fn remove_key(&self, managed_key_id: String) {
+        // TODO: Add undo logic!!!
+
+        let command = ManagedKeyCommand::RemoveKey;
+
+        command_handler(&managed_key_id, &self.identity_state.command.managed_key, command)
+            .await
+            .unwrap();
+
+        if let Some(managed_key_view) = query_handler(&managed_key_id, &self.identity_state.query.managed_key)
+            .await
+            .unwrap()
+        {
+            let key_id = managed_key_view.key_id.clone();
+
+            if let Some(all_documents_view) = query_handler("all_documents", &self.identity_state.query.all_documents)
+                .await
+                .unwrap()
+            {
+                for (document_id, document_view) in all_documents_view.documents {
+                    if document_view
+                        .did_method
+                        .map(|did_method| did_method.supports_update())
+                        .unwrap_or(false)
+                    {
+                        let command = DocumentCommand::RemoveVerificationMethod { key_id: key_id.clone() };
+
+                        command_handler(&document_id, &self.identity_state.command.document, command)
+                            .await
+                            .unwrap();
+
+                        if document_view
+                            .did_method
+                            .map(|did_method| did_method.hosted_decentrally())
+                            .unwrap_or(false)
+                        {
+                            let command = DocumentCommand::PublishDocument;
+
+                            command_handler(&document_id, &self.identity_state.command.document, command)
+                                .await
+                                .unwrap();
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
diff --git a/agent_identity/src/application/sagas/mod.rs b/agent_identity/src/application/sagas/mod.rs
new file mode 100644
index 00000000..4253b6d6
--- /dev/null
+++ b/agent_identity/src/application/sagas/mod.rs
@@ -0,0 +1,2 @@
+pub mod key_generation_saga;
+pub mod key_removal_saga;
diff --git a/agent_identity/src/document/aggregate.rs b/agent_identity/src/document/aggregate.rs
index e006692f..501d9ba1 100644
--- a/agent_identity/src/document/aggregate.rs
+++ b/agent_identity/src/document/aggregate.rs
@@ -1,4 +1,5 @@
 use super::{command::DocumentCommand, error::DocumentError, event::DocumentEvent};
+use crate::managed_key::aggregate::SigningAlgorithm;
 use crate::services::IdentityServices;
 use agent_secret_manager::subject::StorageKey;
 use agent_shared::config::{config, get_all_enabled_signing_algorithms_supported};
@@ -17,6 +18,7 @@ use identity_iota::{
     iota::IotaDocument,
     verification::{MethodScope, MethodType, VerificationMethod},
 };
+use identity_storage::KeyId;
 use identity_storage::{JwkStorage, KeyIdStorage};
 use iota_sdk::types::base_types::IotaAddress;
 use iota_sdk::{IotaClient, IotaClientBuilder};
@@ -29,6 +31,7 @@ use serde::{Deserialize, Serialize};
 use serde_json::json;
 use ssi_dids::DIDMethod;
 use ssi_dids::Source;
+use std::collections::HashMap;
 use std::{collections::BTreeMap, sync::Arc};
 use tracing::{debug, info, warn};
 use url::Url;
@@ -60,6 +63,7 @@ pub enum Status {
     Disabled,
 }
 
+// TODO: `Document` most likely should not be an Aggregate, but rather a Read Model that is built from events emitted by other Aggregates, such as `ManagedKey` and `Service`.
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct Document {
     #[serde(rename = "id")]
@@ -71,6 +75,7 @@ pub struct Document {
     pub with_fixed_algorithm: Option<Algorithm>,
     // Applicable only for DID methods that are based on the IOTA ledger.
     pub iota_metadata: Option<IotaMetadata>,
+    pub verification_method_ids: HashMap<String, DIDUrl>,
     pub status: Status,
 }
 
@@ -378,6 +383,61 @@ impl Aggregate for Document {
                 document_id: self.document_id.clone(),
                 status,
             }]),
+            AddVerificationMethod {
+                key_id,
+                signing_algorithm,
+            } => {
+                let subject = &services.subject;
+                let stronghold_storage = &subject.stronghold_storage;
+
+                let mut document = self.document.clone().ok_or(MissingDocumentError)?;
+                let did = document.id().clone();
+
+                let did_method = self.did_method.ok_or(MissingDidMethodError)?;
+
+                let key_id = KeyId::new(&key_id);
+
+                let jwk = match signing_algorithm {
+                    SigningAlgorithm::EdDSA => stronghold_storage.get_ed25519_public_key(&key_id).await.unwrap(),
+                    SigningAlgorithm::ES256 => stronghold_storage.get_es256_public_key(&key_id).await.unwrap(),
+                };
+
+                let verification_method = VerificationMethod::new_from_jwk(
+                    did.clone(),
+                    jwk,
+                    (did_method == SupportedDidMethod::Key)
+                        .then_some(did.method_id())
+                        .or(did_method.fragment()),
+                )
+                .map_err(|err| VerificationMethodBuilderError(err.to_string()))?;
+
+                let mut verification_method_ids = self.verification_method_ids.clone();
+                verification_method_ids.insert(key_id.to_string(), verification_method.id().clone());
+
+                document
+                    .insert_method(verification_method, MethodScope::VerificationMethod) // TODO: add relationships, also TODO: adjust KID insertion elsewhere
+                    .map_err(|err| VerificationMethodInsertionError(err.to_string()))?;
+
+                Ok(vec![VerificationMethodAdded {
+                    document_id: self.document_id.clone(),
+                    verification_method_ids,
+                    document,
+                }])
+            }
+            RemoveVerificationMethod { key_id } => {
+                let mut document = self.document.clone().ok_or(MissingDocumentError)?;
+
+                let mut verification_method_ids = self.verification_method_ids.clone();
+                let verification_method_id = verification_method_ids.remove(&key_id.to_string()).unwrap();
+
+                document.remove_method(&verification_method_id);
+
+                Ok(vec![VerificationMethodRemoved {
+                    document_id: self.document_id.clone(),
+                    document,
+                    verification_method_ids,
+                }])
+            }
             AddService {
                 service_id,
                 mut service,
@@ -616,6 +676,24 @@ impl Aggregate for Document {
                 self.document_id = document_id;
                 self.document.replace(document);
             }
+            VerificationMethodAdded {
+                document_id,
+                document,
+                verification_method_ids,
+            } => {
+                self.document_id = document_id;
+                self.document.replace(document);
+                self.verification_method_ids = verification_method_ids;
+            }
+            VerificationMethodRemoved {
+                document_id,
+                document,
+                verification_method_ids,
+            } => {
+                self.document_id = document_id;
+                self.document.replace(document);
+                self.verification_method_ids = verification_method_ids;
+            }
             DocumentPublished {
                 document_id,
                 document,
diff --git a/agent_identity/src/document/command.rs b/agent_identity/src/document/command.rs
index 5730d969..98cc5966 100644
--- a/agent_identity/src/document/command.rs
+++ b/agent_identity/src/document/command.rs
@@ -1,3 +1,5 @@
+use crate::managed_key::aggregate::SigningAlgorithm;
+
 use super::aggregate::Status;
 use agent_shared::config::SupportedDidMethod;
 use identity_document::service::Service as DocumentService;
@@ -19,6 +21,13 @@ pub enum DocumentCommand {
     UpdatePublicKeys {
         public_key_jwks: Vec<Jwk>,
     },
+    AddVerificationMethod {
+        key_id: String,
+        signing_algorithm: SigningAlgorithm,
+    },
+    RemoveVerificationMethod {
+        key_id: String,
+    },
     AddService {
         service_id: String,
         service: Box<DocumentService>,
diff --git a/agent_identity/src/document/event.rs b/agent_identity/src/document/event.rs
index 18efb91c..2fbc6632 100644
--- a/agent_identity/src/document/event.rs
+++ b/agent_identity/src/document/event.rs
@@ -1,6 +1,9 @@
+use std::collections::HashMap;
+
 use super::aggregate::{IotaMetadata, Status};
 use agent_shared::config::SupportedDidMethod;
 use cqrs_es::DomainEvent;
+use identity_did::DIDUrl;
 use identity_document::document::CoreDocument;
 use jsonwebtoken::Algorithm;
 use serde::{Deserialize, Serialize};
@@ -20,6 +23,16 @@ pub enum DocumentEvent {
         document_id: String,
         document: CoreDocument,
     },
+    VerificationMethodAdded {
+        document_id: String,
+        document: CoreDocument,
+        verification_method_ids: HashMap<String, DIDUrl>,
+    },
+    VerificationMethodRemoved {
+        document_id: String,
+        document: CoreDocument,
+        verification_method_ids: HashMap<String, DIDUrl>,
+    },
     DocumentStatusUpdated {
         document_id: String,
         status: Status,
diff --git a/agent_identity/src/document/views/mod.rs b/agent_identity/src/document/views/mod.rs
index 8231a7e9..aa8886b0 100644
--- a/agent_identity/src/document/views/mod.rs
+++ b/agent_identity/src/document/views/mod.rs
@@ -36,6 +36,24 @@ impl View<Document> for Document {
                 self.document_id.clone_from(document_id);
                 self.document.replace(document.clone());
             }
+            VerificationMethodAdded {
+                document_id,
+                document,
+                verification_method_ids,
+            } => {
+                self.document_id.clone_from(document_id);
+                self.document.replace(document.clone());
+                self.verification_method_ids.clone_from(verification_method_ids);
+            }
+            VerificationMethodRemoved {
+                document_id,
+                document,
+                verification_method_ids,
+            } => {
+                self.document_id.clone_from(document_id);
+                self.document.replace(document.clone());
+                self.verification_method_ids.clone_from(verification_method_ids);
+            }
             DocumentPublished {
                 document_id,
                 document,
diff --git a/agent_identity/src/lib.rs b/agent_identity/src/lib.rs
index 1aa725eb..6aadf9de 100644
--- a/agent_identity/src/lib.rs
+++ b/agent_identity/src/lib.rs
@@ -5,5 +5,6 @@ pub mod managed_key;
 pub mod profile;
 pub mod service;
 
+pub mod application;
 pub mod services;
 pub mod state;
diff --git a/agent_identity/src/managed_key/aggregate.rs b/agent_identity/src/managed_key/aggregate.rs
index 9b0d0270..8638777d 100644
--- a/agent_identity/src/managed_key/aggregate.rs
+++ b/agent_identity/src/managed_key/aggregate.rs
@@ -1,4 +1,7 @@
+use crate::services::IdentityServices;
+
 use super::{command::ManagedKeyCommand, error::ManagedKeyError, event::ManagedKeyEvent};
+use agent_secret_manager::subject::Subject;
 use agent_shared::config::config;
 use async_trait::async_trait;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
@@ -12,6 +15,9 @@ use identity_credential::{
     domain_linkage::{DomainLinkageConfiguration, DomainLinkageCredentialBuilder},
 };
 use identity_did::DIDUrl;
+use identity_iota::{storage::JwkStorage as _, verification::jws::JwsAlgorithm};
+use identity_storage::KeyIdStorage;
+use identity_storage::{KeyId, KeyType};
 use jsonwebtoken::{Algorithm, Header};
 use oid4vc_core::Sign as _;
 use serde::{Deserialize, Serialize};
@@ -19,13 +25,35 @@ use serde_json::json;
 use std::{str::FromStr as _, sync::Arc};
 use tracing::{debug, info};
 
+#[derive(Debug, Serialize, Deserialize, Clone, strum::Display, PartialEq)]
+pub enum SigningAlgorithm {
+    EdDSA,
+    ES256,
+}
+
+impl Into<Algorithm> for SigningAlgorithm {
+    fn into(self) -> Algorithm {
+        match self {
+            SigningAlgorithm::EdDSA => Algorithm::EdDSA,
+            SigningAlgorithm::ES256 => Algorithm::ES256,
+        }
+    }
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub enum Vault {
+    Stronghold,
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize, Default)]
 pub struct ManagedKey {
     #[serde(rename = "id")]
     pub managed_key_id: String,
-    pub alias: Option<String>,
-    pub key_id: Option<String>,
-    pub signing_algorithm: Option<String>,
+    pub key_id: String,
+    pub alias: String,
+    pub signing_algorithm: Option<SigningAlgorithm>,
+    pub is_signing_key: bool,
+    pub is_removed: bool,
 }
 
 #[async_trait]
@@ -33,7 +61,7 @@ impl Aggregate for ManagedKey {
     type Command = ManagedKeyCommand;
     type Event = ManagedKeyEvent;
     type Error = ManagedKeyError;
-    type Services = ();
+    type Services = Arc<IdentityServices>;
 
     fn aggregate_type() -> String {
         "managed_key".to_string()
@@ -46,7 +74,54 @@ impl Aggregate for ManagedKey {
 
         info!("Handling command: {:?}", command);
 
-        match command {}
+        match command {
+            GenerateKey {
+                managed_key_id,
+                alias,
+                signing_algorithm,
+            } => {
+                let (key_type, alg) = match signing_algorithm {
+                    SigningAlgorithm::EdDSA => (KeyType::new("Ed25519"), JwsAlgorithm::EdDSA),
+                    SigningAlgorithm::ES256 => (KeyType::new("ES256"), JwsAlgorithm::ES256),
+                };
+
+                let key_id = services
+                    .subject
+                    .stronghold_storage
+                    .generate(key_type, alg)
+                    .await
+                    .unwrap()
+                    .key_id
+                    .to_string();
+
+                Ok(vec![KeyGenerated {
+                    managed_key_id,
+                    key_id,
+                    alias,
+                    signing_algorithm,
+                }])
+            }
+            RemoveKey => {
+                let key_id = KeyId::new(&self.key_id);
+
+                services.subject.stronghold_storage.delete(&key_id).await.unwrap();
+                // FIXME: services.subject.stronghold_storage.delete_key_id().await.unwrap();
+
+                Ok(vec![KeyRemoved {
+                    managed_key_id: self.managed_key_id.clone(),
+                }])
+            }
+            UpdateKeyAlias { new_alias } => Ok(vec![KeyAliasUpdated {
+                managed_key_id: self.managed_key_id.clone(),
+                new_alias,
+            }]),
+            SetSigningKey => {
+                // TODO: Unset other signing keys?
+                Ok(vec![SigningKeySet {
+                    managed_key_id: self.managed_key_id.clone(),
+                }])
+            }
+        }
     }
 
     fn apply(&mut self, event: Self::Event) {
@@ -54,7 +129,34 @@ impl Aggregate for ManagedKey {
 
         debug!("Applying event: {:?}", event);
 
-        match event {}
+        match event {
+            KeyGenerated {
+                managed_key_id,
+                key_id,
+                alias,
+                signing_algorithm,
+            } => {
+                self.managed_key_id = managed_key_id;
+                self.key_id = key_id;
+                self.alias = alias;
+                self.signing_algorithm.replace(signing_algorithm);
+            }
+            KeyRemoved { managed_key_id } => {
+                // Do not reset the entire state so that the removal can be undone if needed?
+                // *self = Self::default();
+                // self.managed_key_id = managed_key_id;
+                self.is_removed = true;
+            }
+            KeyAliasUpdated {
+                managed_key_id: _,
+                new_alias,
+            } => {
+                self.alias = new_alias;
+            }
+            SigningKeySet { managed_key_id: _ } => {
+                self.is_signing_key = true;
+            }
+        }
     }
 }
 
diff --git a/agent_identity/src/managed_key/command.rs b/agent_identity/src/managed_key/command.rs
index 2f13e2df..00e43e8b 100644
--- a/agent_identity/src/managed_key/command.rs
+++ b/agent_identity/src/managed_key/command.rs
@@ -1,2 +1,15 @@
+use crate::managed_key::aggregate::SigningAlgorithm;
+
 #[derive(Debug)]
-pub enum ManagedKeyCommand {}
+pub enum ManagedKeyCommand {
+    GenerateKey {
+        managed_key_id: String,
+        alias: String,
+        signing_algorithm: SigningAlgorithm,
+    },
+    RemoveKey,
+    UpdateKeyAlias {
+        new_alias: String,
+    },
+    SetSigningKey,
+}
diff --git a/agent_identity/src/managed_key/event.rs b/agent_identity/src/managed_key/event.rs
index ae4a44fd..536b6dcb 100644
--- a/agent_identity/src/managed_key/event.rs
+++ b/agent_identity/src/managed_key/event.rs
@@ -1,11 +1,27 @@
+use crate::managed_key::aggregate::SigningAlgorithm;
 use cqrs_es::DomainEvent;
-use derivative::Derivative;
 use serde::{Deserialize, Serialize};
 use strum::Display;
 
-#[derive(Clone, Debug, Deserialize, Serialize, Derivative, Display)]
-#[derivative(PartialEq)]
-pub enum ManagedKeyEvent {}
+#[derive(Clone, Debug, Deserialize, Serialize, Display, PartialEq)]
+pub enum ManagedKeyEvent {
+    KeyGenerated {
+        managed_key_id: String,
+        key_id: String,
+        alias: String,
+        signing_algorithm: SigningAlgorithm,
+    },
+    KeyRemoved {
+        managed_key_id: String,
+    },
+    KeyAliasUpdated {
+        managed_key_id: String,
+        new_alias: String,
+    },
+    SigningKeySet {
+        managed_key_id: String,
+    },
+}
 
 impl DomainEvent for ManagedKeyEvent {
     fn event_type(&self) -> String {
diff --git a/agent_identity/src/state.rs b/agent_identity/src/state.rs
index c2c7ea92..db999c01 100644
--- a/agent_identity/src/state.rs
+++ b/agent_identity/src/state.rs
@@ -361,13 +361,13 @@ async fn initialize_documents(state: &IdentityState) -> anyhow::Result<()> {
         if let Some((document_id, command)) = document_id_and_command {
             command_handler(&document_id, &state.command.document, command).await?;
 
-            if enabled {
-                let command = DocumentCommand::UpdatePublicKeys {
-                    public_key_jwks: vec![],
-                };
+            // if enabled {
+            //     let command = DocumentCommand::UpdatePublicKeys {
+            //         public_key_jwks: vec![],
+            //     };
 
-                command_handler(&document_id, &state.command.document, command).await?;
-            }
+            //     command_handler(&document_id, &state.command.document, command).await?;
+            // }
         }
     }
 
diff --git a/agent_secret_manager/Cargo.toml b/agent_secret_manager/Cargo.toml
index ce455e55..6437ee9a 100644
--- a/agent_secret_manager/Cargo.toml
+++ b/agent_secret_manager/Cargo.toml
@@ -13,8 +13,10 @@ agent_shared = { path = "../agent_shared" }
 # - All components of the `identity_stronghold_ext` module are still active.
 #
 # Future work: Migrate the remaining functionality into UniCore.
-did_manager_consumer = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "consumer" }
-did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "identity_stronghold_ext" }
+# did_manager_consumer = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "consumer" }
+# did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "identity_stronghold_ext" }
+did_manager_consumer = { path = "../../did-manager/consumer", package = "consumer" }
+did_manager_identity_stronghold_ext = { path = "../../did-manager/identity_stronghold_ext", package = "identity_stronghold_ext" }
 
 anyhow.workspace = true
 async-trait.workspace = true
diff --git a/agent_store/src/lib.rs b/agent_store/src/lib.rs
index 4fdd26b8..6496a2d1 100644
--- a/agent_store/src/lib.rs
+++ b/agent_store/src/lib.rs
@@ -199,7 +199,7 @@ pub async fn identity_state<CCB: CqrsComponentBuilder>(
         .commands_and_queries::<Service, Service, AllServicesView>(services.clone(), service_event_publishers)
         .await;
     let (managed_key_command_handler, managed_key, all_managed_keys) = builder
-        .commands_and_queries::<ManagedKey, ManagedKey, AllManagedKeysView>((), managed_key_event_publishers)
+        .commands_and_queries::<ManagedKey, ManagedKey, AllManagedKeysView>(services, managed_key_event_publishers)
         .await;
 
     IdentityState {

From 3cd6c2cbfbad9dc09a7e55303a950195d617d355 Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Wed, 17 Dec 2025 11:53:59 +0100
Subject: [PATCH 03/14] fix: update did_manager dependencies

---
 Cargo.lock                      | 7 +++++++
 agent_secret_manager/Cargo.toml | 6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 52ae8d29..f849ab90 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2432,6 +2432,7 @@ checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6"
 [[package]]
 name = "consumer"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
 dependencies = [
  "did_iota",
  "did_jwk",
@@ -3190,6 +3191,7 @@ dependencies = [
 [[package]]
 name = "did_iota"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
 dependencies = [
  "anyhow",
  "identity_iota",
@@ -3204,6 +3206,7 @@ dependencies = [
 [[package]]
 name = "did_jwk"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
 dependencies = [
  "did-jwk",
  "identity_iota",
@@ -3220,6 +3223,7 @@ dependencies = [
 [[package]]
 name = "did_key"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
 dependencies = [
  "did-method-key",
  "identity_iota",
@@ -3266,6 +3270,7 @@ dependencies = [
 [[package]]
 name = "did_web"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
 dependencies = [
  "did-web",
  "identity_iota",
@@ -5275,6 +5280,7 @@ dependencies = [
 [[package]]
 name = "identity_stronghold_ext"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
 dependencies = [
  "async-trait",
  "elliptic-curve 0.13.8",
@@ -11178,6 +11184,7 @@ dependencies = [
 [[package]]
 name = "shared"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
 dependencies = [
  "identity_iota",
  "identity_storage",
diff --git a/agent_secret_manager/Cargo.toml b/agent_secret_manager/Cargo.toml
index 6437ee9a..204f222c 100644
--- a/agent_secret_manager/Cargo.toml
+++ b/agent_secret_manager/Cargo.toml
@@ -11,12 +11,12 @@ agent_shared = { path = "../agent_shared" }
 # - The `producer` module has already been eliminated.
 # - In the `consumer` module, only the `Resolver` struct is still in use.
 # - All components of the `identity_stronghold_ext` module are still active.
-#
+# FIXME: make sure to use a tag for these dependencies.
 # Future work: Migrate the remaining functionality into UniCore.
 # did_manager_consumer = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "consumer" }
 # did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "identity_stronghold_ext" }
-did_manager_consumer = { path = "../../did-manager/consumer", package = "consumer" }
-did_manager_identity_stronghold_ext = { path = "../../did-manager/identity_stronghold_ext", package = "identity_stronghold_ext" }
+did_manager_consumer = { git = "https://github.com/impierce/did-manager", rev = "35eaec4", package = "consumer" }
+did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", rev = "35eaec4", package = "identity_stronghold_ext" }
 
 anyhow.workspace = true
 async-trait.workspace = true

From 6b9a62893782eb282fdedb0e171bc6a10011c521 Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Mon, 29 Dec 2025 17:33:32 +0100
Subject: [PATCH 04/14] fix: update signing algorithm for ES256 and enhance
 ManagedKey event handling

---
 Cargo.lock                                  | 14 +++++-----
 agent_identity/src/managed_key/aggregate.rs |  2 +-
 agent_identity/src/managed_key/views/mod.rs | 30 ++++++++++++++++++---
 agent_secret_manager/Cargo.toml             |  6 +++--
 4 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index f849ab90..e5e0bc55 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2432,7 +2432,7 @@ checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6"
 [[package]]
 name = "consumer"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did_iota",
  "did_jwk",
@@ -3191,7 +3191,7 @@ dependencies = [
 [[package]]
 name = "did_iota"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "anyhow",
  "identity_iota",
@@ -3206,7 +3206,7 @@ dependencies = [
 [[package]]
 name = "did_jwk"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did-jwk",
  "identity_iota",
@@ -3223,7 +3223,7 @@ dependencies = [
 [[package]]
 name = "did_key"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did-method-key",
  "identity_iota",
@@ -3270,7 +3270,7 @@ dependencies = [
 [[package]]
 name = "did_web"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did-web",
  "identity_iota",
@@ -5280,7 +5280,7 @@ dependencies = [
 [[package]]
 name = "identity_stronghold_ext"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "async-trait",
  "elliptic-curve 0.13.8",
@@ -11184,7 +11184,7 @@ dependencies = [
 [[package]]
 name = "shared"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=35eaec4#35eaec40b4f0c00b132a40f054ab928c3f5c8306"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "identity_iota",
  "identity_storage",
diff --git a/agent_identity/src/managed_key/aggregate.rs b/agent_identity/src/managed_key/aggregate.rs
index 8638777d..e4e9a80d 100644
--- a/agent_identity/src/managed_key/aggregate.rs
+++ b/agent_identity/src/managed_key/aggregate.rs
@@ -82,7 +82,7 @@ impl Aggregate for ManagedKey {
             } => {
                 let (key_type, alg) = match signing_algorithm {
                     SigningAlgorithm::EdDSA => (KeyType::new("Ed25519"), JwsAlgorithm::EdDSA),
-                    SigningAlgorithm::ES256 => (KeyType::new("ES256"), JwsAlgorithm::ES256),
+                    SigningAlgorithm::ES256 => (KeyType::new("P256"), JwsAlgorithm::ES256),
                 };
 
                 let key_id = services
diff --git a/agent_identity/src/managed_key/views/mod.rs b/agent_identity/src/managed_key/views/mod.rs
index c3e96276..554c5160 100644
--- a/agent_identity/src/managed_key/views/mod.rs
+++ b/agent_identity/src/managed_key/views/mod.rs
@@ -8,8 +8,32 @@ impl View<ManagedKey> for ManagedKey {
     fn update(&mut self, event: &EventEnvelope<ManagedKey>) {
         use crate::managed_key::event::ManagedKeyEvent::*;
 
-        // match &event.payload {
-        //     _ => todo!(),
-        // }
+        match &event.payload {
+            KeyGenerated {
+                managed_key_id,
+                key_id,
+                alias,
+                signing_algorithm,
+            } => {
+                self.managed_key_id.clone_from(managed_key_id);
+                self.key_id.clone_from(key_id);
+                self.alias.clone_from(alias);
+                self.signing_algorithm.replace(signing_algorithm.clone());
+            }
+            KeyRemoved { managed_key_id: _ } => {
+                // Do not reset the entire state so that the removal can be undone if needed?
+                // *self = Self::default();
+                self.is_removed = true;
+            }
+            KeyAliasUpdated {
+                managed_key_id: _,
+                new_alias,
+            } => {
+                self.alias.clone_from(new_alias);
+            }
+            SigningKeySet { managed_key_id: _ } => {
+                self.is_signing_key = true;
+            }
+        }
     }
 }
diff --git a/agent_secret_manager/Cargo.toml b/agent_secret_manager/Cargo.toml
index 204f222c..73f21a4f 100644
--- a/agent_secret_manager/Cargo.toml
+++ b/agent_secret_manager/Cargo.toml
@@ -15,8 +15,10 @@ agent_shared = { path = "../agent_shared" }
 # Future work: Migrate the remaining functionality into UniCore.
 # did_manager_consumer = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "consumer" }
 # did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "identity_stronghold_ext" }
-did_manager_consumer = { git = "https://github.com/impierce/did-manager", rev = "35eaec4", package = "consumer" }
-did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", rev = "35eaec4", package = "identity_stronghold_ext" }
+did_manager_consumer = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "consumer" }
+did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "identity_stronghold_ext" }
+# did_manager_consumer = { path = "../../did-manager/consumer", package = "consumer" }
+# did_manager_identity_stronghold_ext = { path = "../../did-manager/identity_stronghold_ext", package = "identity_stronghold_ext" }
 
 anyhow.workspace = true
 async-trait.workspace = true

From 3480d3af51bb12fd562144dac4bb4fc01ea200e5 Mon Sep 17 00:00:00 2001
From: Chaya <79284542+coplat@users.noreply.github.com>
Date: Tue, 30 Dec 2025 13:43:05 +0100
Subject: [PATCH 05/14] feat: initialize API layer for key management system
 (#252)

---
 Cargo.lock                                    |   2 +
 agent_api_http/openapi.yaml                   | 105 +++++++++++
 .../postman/ssi-agent.postman_collection.json | 158 ++++++++++++++--
 agent_api_http/src/lib.rs                     |  19 +-
 agent_api_http/src/v0/identity/mod.rs         |   9 +-
 agent_api_http/src/v1/identity/keys/mod.rs    | 175 ++++++++++++++++++
 agent_api_http/src/v1/identity/mod.rs         |  34 ++++
 agent_api_http/src/v1/mod.rs                  |   1 +
 .../application/sagas/key_generation_saga.rs  |  30 ++-
 .../src/application/sagas/key_removal_saga.rs |   1 +
 agent_secret_manager/Cargo.toml               |   2 +
 11 files changed, 494 insertions(+), 42 deletions(-)
 create mode 100644 agent_api_http/src/v1/identity/keys/mod.rs
 create mode 100644 agent_api_http/src/v1/identity/mod.rs
 create mode 100644 agent_api_http/src/v1/mod.rs

diff --git a/Cargo.lock b/Cargo.lock
index e5e0bc55..c6c989a2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -425,6 +425,8 @@ dependencies = [
  "p256 0.13.2",
  "ring",
  "serde",
+ "strum 0.26.3",
+ "thiserror 1.0.69",
  "tokio",
  "url",
 ]
diff --git a/agent_api_http/openapi.yaml b/agent_api_http/openapi.yaml
index dd0f4d9a..5a702244 100644
--- a/agent_api_http/openapi.yaml
+++ b/agent_api_http/openapi.yaml
@@ -1429,6 +1429,111 @@ paths:
         "201":
           description: Linked VP service created successfully
 
+  /v0/keys/generate-new-key:
+    post:
+      tags:
+        - Identity
+      summary: Generate a new key
+      description: Generates a new cryptographic key and stores it in the key management system.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - alias
+              properties:
+                alias:
+                  type: string
+                  description: A human-readable name for this key.
+                  example: "my-signing-key-01"
+                signatureAlgorithm:
+                  type: string
+                  description: The signature algorithm to use for this key. Defaults to Ed25519 if not specified.
+                  example: "Ed25519"
+
+  /v0/keys/remove-key:
+    post:
+      tags:
+        - Identity
+      summary: Remove an existing key
+      description: Removes an existing cryptographic key from the key management system.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - keyId
+              properties:
+                keyId:
+                  type: string
+                  description: The ID of the key to remove.
+                  example: "a81bc81b-d7a7-4e5d-abff-90865d1e13b1"
+
+  /v0/keys/rename-key-alias:
+    post:
+      tags:
+        - Identity
+      summary: Rename the alias of a key
+      description: Renames the human-readable alias of an existing cryptographic key in the key management system.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - keyId
+                - newAlias
+              properties:
+                keyId:
+                  type: string
+                  description: The ID of the key to rename.
+                  example: "a81bc81b-d7a7-4e5d-abff-90865d1e13b1"
+                newAlias:
+                  type: string
+                  description: The new alias for the key.
+                  example: "my-new-key-alias"
+
+  /v0/keys/set-signing-key:
+    post:
+      tags:
+        - Identity
+      summary: Set a key as the active signing key
+      description: Designates a specific managed key to be used for signing operations.
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - keyId
+              properties:
+                keyId:
+                  type: string
+                  description: The ID of the key to set as the signing key.
+                  example: "a81bc81b-abcd-4e5d-abff-90865d1e13b1"
+
+  /v0/keys/list-all:
+    get:
+      tags:
+        - Identity
+      summary: List all managed keys
+      description: Retrieves a list of all cryptographic keys managed by the key management system.
+      responses:
+        "200":
+          description: Keys retrieved successfully
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  type: object
+
   /auth/token:
     post:
       summary: Standard OAuth 2.0 endpoint for fetching a token
diff --git a/agent_api_http/postman/ssi-agent.postman_collection.json b/agent_api_http/postman/ssi-agent.postman_collection.json
index 83403a3e..d5f4477a 100644
--- a/agent_api_http/postman/ssi-agent.postman_collection.json
+++ b/agent_api_http/postman/ssi-agent.postman_collection.json
@@ -1,9 +1,10 @@
 {
 	"info": {
-		"_postman_id": "e9b3fbae-f20e-4957-9d3a-6a310f5fda62",
+		"_postman_id": "4da8f32a-5645-4785-911d-5c2c729e2092",
 		"name": "ssi-agent",
 		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
-		"_exporter_id": "38461474"
+		"_exporter_id": "41786572",
+		"_collection_link": "https://impierce-technologies-bv.postman.co/workspace/New-Team-Workspace~1aa38760-77fc-4608-a1f5-e8a6fdaa0ad9/collection/41786572-4da8f32a-5645-4785-911d-5c2c729e2092?action=share&source=collection_link&creator=41786572"
 	},
 	"item": [
 		{
@@ -2283,25 +2284,148 @@
 			]
 		},
 		{
-			"name": "public",
+			"name": "v1",
 			"item": [
 				{
-					"name": "Show sponsoring configuration",
-					"request": {
-						"method": "GET",
-						"header": [],
-						"url": {
-							"raw": "{{HOST}}/public/sponsoring-configuration",
-							"host": [
-								"{{HOST}}"
-							],
-							"path": [
-								"public",
-								"sponsoring-configuration"
+					"name": "Identity",
+					"item": [
+						{
+							"name": "Keys",
+							"item": [
+								{
+									"name": "Generate Key",
+									"request": {
+										"method": "POST",
+										"header": [],
+										"body": {
+											"mode": "raw",
+											"raw": "{\n    \"alias\": \"An Example Alias\",\n    \"signingAlgorithm\": \"ES256\"\n}",
+											"options": {
+												"raw": {
+													"language": "json"
+												}
+											}
+										},
+										"url": {
+											"raw": "{{HOST}}/v0/keys/generate-new-key",
+											"host": [
+												"{{HOST}}"
+											],
+											"path": [
+												"v0",
+												"keys",
+												"generate-new-key"
+											]
+										}
+									},
+									"response": []
+								},
+								{
+									"name": "Remove Key",
+									"request": {
+										"method": "POST",
+										"header": [],
+										"body": {
+											"mode": "raw",
+											"raw": "{\n    \"keyId\": \"your-managed-key-id\"\n}",
+											"options": {
+												"raw": {
+													"language": "json"
+												}
+											}
+										},
+										"url": {
+											"raw": "{{HOST}}/v0/keys/remove-key",
+											"host": [
+												"{{HOST}}"
+											],
+											"path": [
+												"v0",
+												"keys",
+												"remove-key"
+											]
+										}
+									},
+									"response": []
+								},
+								{
+									"name": "Rename Key Alias",
+									"request": {
+										"method": "POST",
+										"header": [],
+										"body": {
+											"mode": "raw",
+											"raw": "{\n    \"keyId\": \"your-managed-key-id\",\n    \"newAlias\": \"new-key-alias\"\n}",
+											"options": {
+												"raw": {
+													"language": "json"
+												}
+											}
+										},
+										"url": {
+											"raw": "{{HOST}}/v0/keys/rename-key-alias",
+											"host": [
+												"{{HOST}}"
+											],
+											"path": [
+												"v0",
+												"keys",
+												"rename-key-alias"
+											]
+										}
+									},
+									"response": []
+								},
+								{
+									"name": "Set Signing Key",
+									"request": {
+										"method": "POST",
+										"header": [],
+										"body": {
+											"mode": "raw",
+											"raw": "{\n    \"keyId\": \"your-managed-key-id\"\n}",
+											"options": {
+												"raw": {
+													"language": "json"
+												}
+											}
+										},
+										"url": {
+											"raw": "{{HOST}}/v0/keys/set-signing-key",
+											"host": [
+												"{{HOST}}"
+											],
+											"path": [
+												"v0",
+												"keys",
+												"set-signing-key"
+											]
+										}
+									},
+									"response": []
+								},
+								{
+									"name": "List all Keys",
+									"request": {
+										"method": "GET",
+										"header": [],
+										"url": {
+											"raw": "{{HOST}}/v0/keys/list-all",
+											"host": [
+												"{{HOST}}"
+											],
+											"path": [
+												"v0",
+												"keys",
+												"list-all"
+											]
+										}
+									},
+									"response": []
+								}
 							]
 						}
-					},
-					"response": []
+					]
 				}
 			]
 		}
diff --git a/agent_api_http/src/lib.rs b/agent_api_http/src/lib.rs
index b8f377dd..e062828e 100644
--- a/agent_api_http/src/lib.rs
+++ b/agent_api_http/src/lib.rs
@@ -1,11 +1,13 @@
 pub mod public;
 pub mod v0;
+pub mod v1;
 
 pub mod error;
 pub mod handlers;
 pub mod metrics;
 pub mod utils;
 
+use crate::v1::identity::IdentityContext;
 use agent_authorization::state::AuthorizationState;
 use agent_holder::state::HolderState;
 use agent_identity::{
@@ -56,13 +58,24 @@ pub fn app(
         issuance_state,
         holder_state,
         verification_state,
-
-        key_generation_saga: _,
-        key_removal_saga: _,
+        key_generation_saga,
+        key_removal_saga,
     }: ApplicationState,
 ) -> Router {
+    let v1_identity_router = match (identity_state.clone(), key_generation_saga, key_removal_saga) {
+        (Some(state), Some(gen_saga), Some(rem_saga)) => {
+            let context = IdentityContext {
+                state,
+                key_generation_saga: gen_saga,
+                key_removal_saga: rem_saga,
+            };
+            v1::identity::router(context)
+        }
+        _ => Router::new(),
+    };
     let app = Router::new()
         .merge(identity_state.map(v0::identity::router).unwrap_or_default())
+        .merge(v1_identity_router)
         .merge(library_state.map(v0::library::router).unwrap_or_default())
         .merge(
             authorization_state
diff --git a/agent_api_http/src/v0/identity/mod.rs b/agent_api_http/src/v0/identity/mod.rs
index 945d8332..4cdca393 100644
--- a/agent_api_http/src/v0/identity/mod.rs
+++ b/agent_api_http/src/v0/identity/mod.rs
@@ -7,6 +7,10 @@ pub mod well_known;
 
 pub mod error;
 
+use crate::{
+    v0::identity::profiles::{get_profile, patch_profile},
+    API_VERSION,
+};
 use agent_identity::state::IdentityState;
 use axum::{
     routing::{get, post},
@@ -18,11 +22,6 @@ use services::{linked_vp::linked_vp, service, services};
 use std::sync::Arc;
 use well_known::{did::did, did_configuration::did_configuration};
 
-use crate::{
-    v0::identity::profiles::{get_profile, patch_profile},
-    API_VERSION,
-};
-
 pub fn router(identity_state: Arc<IdentityState>) -> Router {
     Router::new()
         .nest(
diff --git a/agent_api_http/src/v1/identity/keys/mod.rs b/agent_api_http/src/v1/identity/keys/mod.rs
new file mode 100644
index 00000000..794f8b86
--- /dev/null
+++ b/agent_api_http/src/v1/identity/keys/mod.rs
@@ -0,0 +1,175 @@
+use crate::IdentityContext;
+use agent_identity::managed_key::aggregate::{ManagedKey, SigningAlgorithm};
+use agent_identity::managed_key::command::ManagedKeyCommand;
+
+use agent_shared::handlers::{command_handler, query_handler};
+use axum::extract::{Json, State};
+use http_api_problem::ApiError;
+use hyper::StatusCode;
+use serde::{Deserialize, Serialize};
+
+/// Data transfer object for Managed Keys.
+#[derive(Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ManagedKeyDto {
+    #[serde(rename = "id")]
+    pub managed_key_id: String,
+    pub key_id: String,
+    pub alias: String,
+    pub signing_algorithm: Option<SigningAlgorithm>,
+}
+
+impl From<ManagedKey> for ManagedKeyDto {
+    fn from(value: ManagedKey) -> Self {
+        Self {
+            managed_key_id: value.managed_key_id,
+            key_id: value.key_id,
+            alias: value.alias,
+            signing_algorithm: value.signing_algorithm,
+        }
+    }
+}
+
+#[derive(Deserialize, Serialize, Default)]
+#[serde(default, rename_all = "camelCase")]
+pub struct PostGenerateKey {
+    pub alias: String,
+    pub signature_algorithm: Option<SigningAlgorithm>,
+}
+
+#[axum_macros::debug_handler]
+pub(crate) async fn generate_key(
+    State(context): State<IdentityContext>,
+    Json(payload): Json<PostGenerateKey>,
+) -> Result<(StatusCode, String), ApiError> {
+    let signing_algorithm = payload.signature_algorithm.unwrap_or(SigningAlgorithm::ES256);
+
+    let managed_key_id = context
+        .key_generation_saga
+        .generate_key(payload.alias, signing_algorithm)
+        .await
+        .map_err(|e| {
+            tracing::error!("Saga failed: {:?}", e);
+            ApiError::new(StatusCode::INTERNAL_SERVER_ERROR)
+        })?;
+
+    Ok((StatusCode::CREATED, managed_key_id))
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct PostRemoveKey {
+    pub key_id: String,
+}
+
+pub(crate) async fn remove_key(
+    State(context): State<IdentityContext>,
+    Json(payload): Json<PostRemoveKey>,
+) -> Result<StatusCode, ApiError> {
+    let managed_key_id = get_managed_key_id(&payload.key_id, &context).await?;
+
+    context.key_removal_saga.remove_key(managed_key_id).await;
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct PostRenameKeyAlias {
+    pub key_id: String,
+    pub new_alias: String,
+}
+
+pub(crate) async fn rename_key_alias(
+    State(context): State<IdentityContext>,
+    Json(payload): Json<PostRenameKeyAlias>,
+) -> Result<StatusCode, ApiError> {
+    let managed_key_id = get_managed_key_id(&payload.key_id, &context).await?;
+
+    let command = ManagedKeyCommand::UpdateKeyAlias {
+        new_alias: payload.new_alias,
+    };
+
+    command_handler(&managed_key_id, &context.state.command.managed_key, command)
+        .await
+        .map_err(|e| {
+            tracing::error!("Saga failed: {:?}", e);
+            ApiError::new(StatusCode::INTERNAL_SERVER_ERROR)
+        })?;
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+#[derive(Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct PostSetSigningKey {
+    pub key_id: String,
+}
+
+pub(crate) async fn set_signing_key(
+    State(context): State<IdentityContext>,
+    Json(payload): Json<PostSetSigningKey>,
+) -> Result<StatusCode, ApiError> {
+    let managed_key_id = get_managed_key_id(&payload.key_id, &context).await?;
+
+    let command = ManagedKeyCommand::SetSigningKey {};
+
+    command_handler(&managed_key_id, &context.state.command.managed_key, command)
+        .await
+        .map_err(|e| {
+            tracing::error!("Saga failed: {:?}", e);
+            ApiError::new(StatusCode::INTERNAL_SERVER_ERROR)
+        })?;
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+#[axum_macros::debug_handler]
+pub(crate) async fn list_all(
+    State(context): State<IdentityContext>,
+) -> Result<(StatusCode, Json<Vec<ManagedKeyDto>>), ApiError> {
+    let view = query_handler("all_managed_keys", &context.state.query.all_managed_keys)
+        .await
+        .map_err(|e| {
+            tracing::error!("Query failed: {:?}", e);
+            ApiError::new(StatusCode::INTERNAL_SERVER_ERROR)
+        })?;
+
+    let keys = match view {
+        Some(all_keys_view) => all_keys_view
+            .managed_keys
+            .into_values()
+            .filter_map(|key_view| {
+                (!key_view.is_removed).then(|| ManagedKeyDto {
+                    managed_key_id: key_view.managed_key_id,
+                    key_id: key_view.key_id,
+                    alias: key_view.alias,
+                    signing_algorithm: key_view.signing_algorithm,
+                })
+            })
+            .collect(),
+        None => Vec::new(),
+    };
+
+    Ok((StatusCode::OK, Json(keys)))
+}
+
+// Helper function to fetch the managed_key_id by its key_id.
+async fn get_managed_key_id(key_id: &str, context: &IdentityContext) -> Result<String, ApiError> {
+    let view = query_handler("all_managed_keys", &context.state.query.all_managed_keys)
+        .await
+        .map_err(|e| {
+            tracing::error!("Query failed: {:?}", e);
+            ApiError::new(StatusCode::INTERNAL_SERVER_ERROR)
+        })?;
+
+    match view {
+        Some(all_keys_view) => all_keys_view
+            .managed_keys
+            .into_values()
+            .find(|key_view| key_view.key_id == key_id && !key_view.is_removed)
+            .map(|key_view| key_view.managed_key_id)
+            .ok_or_else(|| ApiError::new(StatusCode::NOT_FOUND)),
+        None => Err(ApiError::new(StatusCode::NOT_FOUND)),
+    }
+}
diff --git a/agent_api_http/src/v1/identity/mod.rs b/agent_api_http/src/v1/identity/mod.rs
new file mode 100644
index 00000000..988501d7
--- /dev/null
+++ b/agent_api_http/src/v1/identity/mod.rs
@@ -0,0 +1,34 @@
+pub mod keys;
+
+use crate::v1::identity::keys::{generate_key, list_all, remove_key, rename_key_alias, set_signing_key};
+use crate::API_VERSION;
+use agent_identity::application::sagas::key_generation_saga::KeyGenerationSaga;
+use agent_identity::application::sagas::key_removal_saga::KeyRemovalSaga;
+use agent_identity::state::IdentityState;
+use axum::{
+    routing::{get, post},
+    Router,
+};
+
+use std::sync::Arc;
+
+#[derive(Clone)]
+pub struct IdentityContext {
+    pub state: Arc<IdentityState>,
+    pub key_generation_saga: KeyGenerationSaga,
+    pub key_removal_saga: KeyRemovalSaga,
+}
+
+pub fn router(context: IdentityContext) -> Router {
+    Router::new()
+        .nest(
+            API_VERSION,
+            Router::new()
+                .route("/keys/generate-new-key", post(generate_key))
+                .route("/keys/remove-key", post(remove_key))
+                .route("/keys/rename-key-alias", post(rename_key_alias))
+                .route("/keys/set-signing-key", post(set_signing_key))
+                .route("/keys/list-all", get(list_all)),
+        )
+        .with_state(context)
+}
diff --git a/agent_api_http/src/v1/mod.rs b/agent_api_http/src/v1/mod.rs
new file mode 100644
index 00000000..db53a0c9
--- /dev/null
+++ b/agent_api_http/src/v1/mod.rs
@@ -0,0 +1 @@
+pub mod identity;
diff --git a/agent_identity/src/application/sagas/key_generation_saga.rs b/agent_identity/src/application/sagas/key_generation_saga.rs
index b63ee3ab..a13d4a56 100644
--- a/agent_identity/src/application/sagas/key_generation_saga.rs
+++ b/agent_identity/src/application/sagas/key_generation_saga.rs
@@ -15,6 +15,7 @@ use crate::{
 };
 use std::sync::Arc;
 
+#[derive(Clone)]
 pub struct KeyGenerationSaga {
     identity_state: Arc<IdentityState>,
     identity_services: Arc<IdentityServices>,
@@ -28,7 +29,11 @@ impl KeyGenerationSaga {
         }
     }
 
-    pub async fn generate_key(&self, alias: String, signing_algorithm: SigningAlgorithm) {
+    pub async fn generate_key(
+        &self,
+        alias: String,
+        signing_algorithm: SigningAlgorithm,
+    ) -> Result<String, Box<dyn std::error::Error>> {
         // TODO: Add undo logic!!!
 
         let managed_key_id = uuid::Uuid::new_v4().to_string();
@@ -39,20 +44,14 @@ impl KeyGenerationSaga {
             signing_algorithm,
         };
 
-        command_handler(&managed_key_id, &self.identity_state.command.managed_key, command)
-            .await
-            .unwrap();
+        command_handler(&managed_key_id, &self.identity_state.command.managed_key, command).await?;
 
-        if let Some(managed_key_view) = query_handler(&managed_key_id, &self.identity_state.query.managed_key)
-            .await
-            .unwrap()
-        {
+        if let Some(managed_key_view) = query_handler(&managed_key_id, &self.identity_state.query.managed_key).await? {
             let key_id = managed_key_view.key_id.clone();
             let signing_algorithm = managed_key_view.signing_algorithm.unwrap();
 
-            if let Some(all_documents_view) = query_handler("all_documents", &self.identity_state.query.all_documents)
-                .await
-                .unwrap()
+            if let Some(all_documents_view) =
+                query_handler("all_documents", &self.identity_state.query.all_documents).await?
             {
                 for (document_id, document_view) in all_documents_view.documents {
                     if document_view
@@ -65,9 +64,7 @@ impl KeyGenerationSaga {
                             signing_algorithm: signing_algorithm.clone(),
                         };
 
-                        command_handler(&document_id, &self.identity_state.command.document, command)
-                            .await
-                            .unwrap();
+                        command_handler(&document_id, &self.identity_state.command.document, command).await?;
 
                         if document_view
                             .did_method
@@ -76,13 +73,12 @@ impl KeyGenerationSaga {
                         {
                             let command = DocumentCommand::PublishDocument;
 
-                            command_handler(&document_id, &self.identity_state.command.document, command)
-                                .await
-                                .unwrap();
+                            command_handler(&document_id, &self.identity_state.command.document, command).await?;
                         }
                     }
                 }
             }
         }
+        Ok(managed_key_id)
     }
 }
diff --git a/agent_identity/src/application/sagas/key_removal_saga.rs b/agent_identity/src/application/sagas/key_removal_saga.rs
index fdc8cba2..2e173dea 100644
--- a/agent_identity/src/application/sagas/key_removal_saga.rs
+++ b/agent_identity/src/application/sagas/key_removal_saga.rs
@@ -15,6 +15,7 @@ use crate::{
 };
 use std::sync::Arc;
 
+#[derive(Clone)]
 pub struct KeyRemovalSaga {
     identity_state: Arc<IdentityState>,
     identity_services: Arc<IdentityServices>,
diff --git a/agent_secret_manager/Cargo.toml b/agent_secret_manager/Cargo.toml
index 73f21a4f..35d696c3 100644
--- a/agent_secret_manager/Cargo.toml
+++ b/agent_secret_manager/Cargo.toml
@@ -34,7 +34,9 @@ log = "0.4"
 oid4vc-core.workspace = true
 p256 = { version = "0.13", features = ["jwk"] }
 serde.workspace = true
+strum.workspace = true
 tokio.workspace = true
+thiserror.workspace = true
 url.workspace = true
 
 [dev-dependencies]

From e49a46dd75b38f5ec144f609196045118c5a6f2d Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Tue, 30 Dec 2025 18:25:43 +0100
Subject: [PATCH 06/14] refactor: `agent_issuance` and `agent_secret_manager`
 modules

---
 Cargo.lock                                    |  23 +-
 agent_api_http/Cargo.toml                     |   3 +
 agent_api_http/src/lib.rs                     |  26 +-
 .../src}/sagas/key_generation_saga.rs         |  28 +-
 .../src}/sagas/key_removal_saga.rs            |  23 +-
 .../src}/sagas/mod.rs                         |   0
 agent_api_http/src/v1/identity/keys/mod.rs    |  42 +-
 agent_api_http/src/v1/identity/mod.rs         |   8 +-
 agent_application/src/main.rs                 | 303 +++++----
 agent_event_publisher_http/Cargo.toml         |   1 +
 agent_event_publisher_http/src/lib.rs         |   5 +-
 agent_holder/src/offer/aggregate.rs           | 520 +++++++-------
 agent_identity/Cargo.toml                     |  14 +
 agent_identity/src/application/mod.rs         |   1 -
 agent_identity/src/document/aggregate.rs      | 100 +--
 agent_identity/src/document/command.rs        |   6 +-
 agent_identity/src/lib.rs                     |   2 -
 agent_identity/src/services.rs                | 244 ++++++-
 agent_identity/src/state.rs                   |  14 +-
 agent_issuance/Cargo.toml                     |   1 +
 agent_issuance/src/credential/aggregate.rs    | 247 +++----
 agent_issuance/src/offer/aggregate.rs         | 634 +++++++++---------
 agent_issuance/src/server_config/aggregate.rs | 192 +++---
 agent_issuance/src/services.rs                |  15 +-
 agent_secret_manager/Cargo.toml               |  15 +-
 agent_secret_manager/src/lib.rs               |   4 +
 .../src/managed_key/README.md                 |   0
 .../src/managed_key/aggregate.rs              |  20 +-
 .../src/managed_key/command.rs                |   0
 .../src/managed_key/error.rs                  |   0
 .../src/managed_key/event.rs                  |   0
 .../src/managed_key/mod.rs                    |   0
 .../src/managed_key/views/all_managed_keys.rs |   0
 .../src/managed_key/views/mod.rs              |   0
 agent_secret_manager/src/service.rs           |  15 +-
 agent_secret_manager/src/state.rs             |  44 ++
 agent_secret_manager/src/subject.rs           | 133 +---
 agent_store/Cargo.toml                        |   1 +
 agent_store/src/lib.rs                        |  41 +-
 39 files changed, 1482 insertions(+), 1243 deletions(-)
 rename {agent_identity/src/application => agent_api_http/src}/sagas/key_generation_saga.rs (75%)
 rename {agent_identity/src/application => agent_api_http/src}/sagas/key_removal_saga.rs (78%)
 rename {agent_identity/src/application => agent_api_http/src}/sagas/mod.rs (100%)
 delete mode 100644 agent_identity/src/application/mod.rs
 rename {agent_identity => agent_secret_manager}/src/managed_key/README.md (100%)
 rename {agent_identity => agent_secret_manager}/src/managed_key/aggregate.rs (90%)
 rename {agent_identity => agent_secret_manager}/src/managed_key/command.rs (100%)
 rename {agent_identity => agent_secret_manager}/src/managed_key/error.rs (100%)
 rename {agent_identity => agent_secret_manager}/src/managed_key/event.rs (100%)
 rename {agent_identity => agent_secret_manager}/src/managed_key/mod.rs (100%)
 rename {agent_identity => agent_secret_manager}/src/managed_key/views/all_managed_keys.rs (100%)
 rename {agent_identity => agent_secret_manager}/src/managed_key/views/mod.rs (100%)
 create mode 100644 agent_secret_manager/src/state.rs

diff --git a/Cargo.lock b/Cargo.lock
index c6c989a2..1e712b5f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -86,6 +86,7 @@ dependencies = [
  "agent_verification",
  "anyhow",
  "askama",
+ "async-trait",
  "axum 0.8.3",
  "axum-auth 0.8.1",
  "axum-macros",
@@ -99,6 +100,8 @@ dependencies = [
  "identity_core",
  "identity_credential",
  "identity_did",
+ "identity_iota",
+ "identity_storage",
  "jsonwebtoken",
  "lazy_static",
  "metrics",
@@ -198,6 +201,7 @@ dependencies = [
  "agent_identity",
  "agent_issuance",
  "agent_library",
+ "agent_secret_manager",
  "agent_shared",
  "agent_store",
  "agent_verification",
@@ -292,6 +296,7 @@ dependencies = [
  "async-trait",
  "axum 0.8.3",
  "base64 0.22.1",
+ "consumer",
  "cqrs-es",
  "derivative",
  "did-jwk",
@@ -303,6 +308,7 @@ dependencies = [
  "identity_document",
  "identity_iota",
  "identity_storage",
+ "identity_stronghold_ext",
  "iota-sdk 1.6.1",
  "itertools 0.14.0",
  "jsonwebtoken",
@@ -310,6 +316,7 @@ dependencies = [
  "mime",
  "names",
  "oid4vc-core",
+ "p256 0.13.2",
  "product_common",
  "rand 0.9.1",
  "reqwest 0.12.20",
@@ -336,6 +343,7 @@ name = "agent_issuance"
 version = "0.1.0"
 dependencies = [
  "agent_holder",
+ "agent_identity",
  "agent_issuance",
  "agent_library",
  "agent_secret_manager",
@@ -411,8 +419,13 @@ dependencies = [
  "async-trait",
  "base64 0.22.1",
  "consumer",
+ "cqrs-es",
  "futures",
+ "identity_core",
+ "identity_credential",
+ "identity_did",
  "identity_iota",
+ "identity_storage",
  "identity_stronghold_ext",
  "iota-sdk 1.1.5",
  "iota-sdk 1.6.1",
@@ -425,9 +438,11 @@ dependencies = [
  "p256 0.13.2",
  "ring",
  "serde",
+ "serde_json",
  "strum 0.26.3",
  "thiserror 1.0.69",
  "tokio",
+ "tracing",
  "url",
 ]
 
@@ -474,6 +489,7 @@ dependencies = [
  "agent_identity",
  "agent_issuance",
  "agent_library",
+ "agent_secret_manager",
  "agent_shared",
  "agent_verification",
  "async-trait",
@@ -2434,7 +2450,6 @@ checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6"
 [[package]]
 name = "consumer"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did_iota",
  "did_jwk",
@@ -3193,7 +3208,6 @@ dependencies = [
 [[package]]
 name = "did_iota"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "anyhow",
  "identity_iota",
@@ -3208,7 +3222,6 @@ dependencies = [
 [[package]]
 name = "did_jwk"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did-jwk",
  "identity_iota",
@@ -3225,7 +3238,6 @@ dependencies = [
 [[package]]
 name = "did_key"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did-method-key",
  "identity_iota",
@@ -3272,7 +3284,6 @@ dependencies = [
 [[package]]
 name = "did_web"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did-web",
  "identity_iota",
@@ -5282,7 +5293,6 @@ dependencies = [
 [[package]]
 name = "identity_stronghold_ext"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "async-trait",
  "elliptic-curve 0.13.8",
@@ -11186,7 +11196,6 @@ dependencies = [
 [[package]]
 name = "shared"
 version = "0.1.0"
-source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "identity_iota",
  "identity_storage",
diff --git a/agent_api_http/Cargo.toml b/agent_api_http/Cargo.toml
index 31916237..26da8d98 100644
--- a/agent_api_http/Cargo.toml
+++ b/agent_api_http/Cargo.toml
@@ -16,6 +16,7 @@ agent_verification = { path = "../agent_verification" }
 
 anyhow.workspace = true
 askama = "0.14"
+async-trait.workspace = true
 axum.workspace = true
 axum-auth = "0.8"
 axum-macros = "0.5"
@@ -28,6 +29,8 @@ hyper = { version = "1.2" }
 identity_core.workspace = true
 identity_credential.workspace = true
 identity_did.workspace = true
+identity_iota.workspace = true
+identity_storage.workspace = true
 metrics = "0.24"
 metrics-exporter-prometheus = { version = "0.17", default-features = false }
 oauth_tsl.workspace = true
diff --git a/agent_api_http/src/lib.rs b/agent_api_http/src/lib.rs
index e062828e..4b5ebf2c 100644
--- a/agent_api_http/src/lib.rs
+++ b/agent_api_http/src/lib.rs
@@ -5,17 +5,19 @@ pub mod v1;
 pub mod error;
 pub mod handlers;
 pub mod metrics;
+pub mod sagas;
 pub mod utils;
 
-use crate::v1::identity::IdentityContext;
+use crate::{
+    sagas::{key_generation_saga::KeyGenerationSaga, key_removal_saga::KeyRemovalSaga},
+    v1::identity::IdentityContext,
+};
 use agent_authorization::state::AuthorizationState;
 use agent_holder::state::HolderState;
-use agent_identity::{
-    application::sagas::{key_generation_saga::KeyGenerationSaga, key_removal_saga::KeyRemovalSaga},
-    state::IdentityState,
-};
+use agent_identity::state::IdentityState;
 use agent_issuance::state::IssuanceState;
 use agent_library::state::LibraryState;
+use agent_secret_manager::state::SecretManagerState;
 use agent_shared::config::config;
 use agent_verification::state::VerificationState;
 use axum::{
@@ -39,6 +41,7 @@ pub const DOCUMENTATION_URL: &str = "https://beta.docs.impierce.com/unicore/";
 
 #[derive(Default)]
 pub struct ApplicationState {
+    pub secret_manager_state: Option<Arc<SecretManagerState>>,
     pub identity_state: Option<Arc<IdentityState>>,
     pub library_state: Option<Arc<LibraryState>>,
     pub authorization_state: Option<Arc<AuthorizationState>>,
@@ -52,6 +55,7 @@ pub struct ApplicationState {
 
 pub fn app(
     ApplicationState {
+        secret_manager_state,
         identity_state,
         library_state,
         authorization_state,
@@ -62,10 +66,16 @@ pub fn app(
         key_removal_saga,
     }: ApplicationState,
 ) -> Router {
-    let v1_identity_router = match (identity_state.clone(), key_generation_saga, key_removal_saga) {
-        (Some(state), Some(gen_saga), Some(rem_saga)) => {
+    let v1_identity_router = match (
+        identity_state.clone(),
+        secret_manager_state.clone(),
+        key_generation_saga,
+        key_removal_saga,
+    ) {
+        (Some(identity_state), Some(secret_manager_state), Some(gen_saga), Some(rem_saga)) => {
             let context = IdentityContext {
-                state,
+                identity_state,
+                secret_manager_state,
                 key_generation_saga: gen_saga,
                 key_removal_saga: rem_saga,
             };
diff --git a/agent_identity/src/application/sagas/key_generation_saga.rs b/agent_api_http/src/sagas/key_generation_saga.rs
similarity index 75%
rename from agent_identity/src/application/sagas/key_generation_saga.rs
rename to agent_api_http/src/sagas/key_generation_saga.rs
index a13d4a56..0918c4aa 100644
--- a/agent_identity/src/application/sagas/key_generation_saga.rs
+++ b/agent_api_http/src/sagas/key_generation_saga.rs
@@ -1,29 +1,31 @@
+use agent_secret_manager::{
+    managed_key::{aggregate::SigningAlgorithm, command::ManagedKeyCommand},
+    state::SecretManagerState,
+};
 use agent_shared::handlers::{command_handler, query_handler};
 use async_trait::async_trait;
 use cqrs_es::{EventEnvelope, Query};
 use identity_iota::verification::VerificationMethod;
 use identity_storage::KeyId;
 
-use crate::{
-    document::command::DocumentCommand,
-    managed_key::{
-        aggregate::{ManagedKey, SigningAlgorithm},
-        command::ManagedKeyCommand,
-    },
-    services::IdentityServices,
-    state::IdentityState,
-};
+use agent_identity::{document::command::DocumentCommand, services::IdentityServices, state::IdentityState};
 use std::sync::Arc;
 
 #[derive(Clone)]
 pub struct KeyGenerationSaga {
+    secret_manager_state: Arc<SecretManagerState>,
     identity_state: Arc<IdentityState>,
     identity_services: Arc<IdentityServices>,
 }
 
 impl KeyGenerationSaga {
-    pub fn new(identity_state: Arc<IdentityState>, identity_services: Arc<IdentityServices>) -> Self {
+    pub fn new(
+        secret_manager_state: Arc<SecretManagerState>,
+        identity_state: Arc<IdentityState>,
+        identity_services: Arc<IdentityServices>,
+    ) -> Self {
         Self {
+            secret_manager_state,
             identity_state,
             identity_services,
         }
@@ -44,9 +46,11 @@ impl KeyGenerationSaga {
             signing_algorithm,
         };
 
-        command_handler(&managed_key_id, &self.identity_state.command.managed_key, command).await?;
+        command_handler(&managed_key_id, &self.secret_manager_state.command.managed_key, command).await?;
 
-        if let Some(managed_key_view) = query_handler(&managed_key_id, &self.identity_state.query.managed_key).await? {
+        if let Some(managed_key_view) =
+            query_handler(&managed_key_id, &self.secret_manager_state.query.managed_key).await?
+        {
             let key_id = managed_key_view.key_id.clone();
             let signing_algorithm = managed_key_view.signing_algorithm.unwrap();
 
diff --git a/agent_identity/src/application/sagas/key_removal_saga.rs b/agent_api_http/src/sagas/key_removal_saga.rs
similarity index 78%
rename from agent_identity/src/application/sagas/key_removal_saga.rs
rename to agent_api_http/src/sagas/key_removal_saga.rs
index 2e173dea..f589dc24 100644
--- a/agent_identity/src/application/sagas/key_removal_saga.rs
+++ b/agent_api_http/src/sagas/key_removal_saga.rs
@@ -1,29 +1,28 @@
+use agent_secret_manager::{managed_key::command::ManagedKeyCommand, state::SecretManagerState};
 use agent_shared::handlers::{command_handler, query_handler};
 use async_trait::async_trait;
 use cqrs_es::{EventEnvelope, Query};
 use identity_iota::verification::VerificationMethod;
 use identity_storage::KeyId;
 
-use crate::{
-    document::command::DocumentCommand,
-    managed_key::{
-        aggregate::{ManagedKey, SigningAlgorithm},
-        command::ManagedKeyCommand,
-    },
-    services::IdentityServices,
-    state::IdentityState,
-};
+use agent_identity::{document::command::DocumentCommand, services::IdentityServices, state::IdentityState};
 use std::sync::Arc;
 
 #[derive(Clone)]
 pub struct KeyRemovalSaga {
+    secret_manager_state: Arc<SecretManagerState>,
     identity_state: Arc<IdentityState>,
     identity_services: Arc<IdentityServices>,
 }
 
 impl KeyRemovalSaga {
-    pub fn new(identity_state: Arc<IdentityState>, identity_services: Arc<IdentityServices>) -> Self {
+    pub fn new(
+        secret_manager_state: Arc<SecretManagerState>,
+        identity_state: Arc<IdentityState>,
+        identity_services: Arc<IdentityServices>,
+    ) -> Self {
         Self {
+            secret_manager_state,
             identity_state,
             identity_services,
         }
@@ -34,11 +33,11 @@ impl KeyRemovalSaga {
 
         let command = ManagedKeyCommand::RemoveKey;
 
-        command_handler(&managed_key_id, &self.identity_state.command.managed_key, command)
+        command_handler(&managed_key_id, &self.secret_manager_state.command.managed_key, command)
             .await
             .unwrap();
 
-        if let Some(managed_key_view) = query_handler(&managed_key_id, &self.identity_state.query.managed_key)
+        if let Some(managed_key_view) = query_handler(&managed_key_id, &self.secret_manager_state.query.managed_key)
             .await
             .unwrap()
         {
diff --git a/agent_identity/src/application/sagas/mod.rs b/agent_api_http/src/sagas/mod.rs
similarity index 100%
rename from agent_identity/src/application/sagas/mod.rs
rename to agent_api_http/src/sagas/mod.rs
diff --git a/agent_api_http/src/v1/identity/keys/mod.rs b/agent_api_http/src/v1/identity/keys/mod.rs
index 794f8b86..b767b35c 100644
--- a/agent_api_http/src/v1/identity/keys/mod.rs
+++ b/agent_api_http/src/v1/identity/keys/mod.rs
@@ -1,7 +1,9 @@
 use crate::IdentityContext;
-use agent_identity::managed_key::aggregate::{ManagedKey, SigningAlgorithm};
-use agent_identity::managed_key::command::ManagedKeyCommand;
 
+use agent_secret_manager::managed_key::{
+    aggregate::{ManagedKey, SigningAlgorithm},
+    command::ManagedKeyCommand,
+};
 use agent_shared::handlers::{command_handler, query_handler};
 use axum::extract::{Json, State};
 use http_api_problem::ApiError;
@@ -90,12 +92,16 @@ pub(crate) async fn rename_key_alias(
         new_alias: payload.new_alias,
     };
 
-    command_handler(&managed_key_id, &context.state.command.managed_key, command)
-        .await
-        .map_err(|e| {
-            tracing::error!("Saga failed: {:?}", e);
-            ApiError::new(StatusCode::INTERNAL_SERVER_ERROR)
-        })?;
+    command_handler(
+        &managed_key_id,
+        &context.secret_manager_state.command.managed_key,
+        command,
+    )
+    .await
+    .map_err(|e| {
+        tracing::error!("Saga failed: {:?}", e);
+        ApiError::new(StatusCode::INTERNAL_SERVER_ERROR)
+    })?;
 
     Ok(StatusCode::NO_CONTENT)
 }
@@ -114,12 +120,16 @@ pub(crate) async fn set_signing_key(
 
     let command = ManagedKeyCommand::SetSigningKey {};
 
-    command_handler(&managed_key_id, &context.state.command.managed_key, command)
-        .await
-        .map_err(|e| {
-            tracing::error!("Saga failed: {:?}", e);
-            ApiError::new(StatusCode::INTERNAL_SERVER_ERROR)
-        })?;
+    command_handler(
+        &managed_key_id,
+        &context.secret_manager_state.command.managed_key,
+        command,
+    )
+    .await
+    .map_err(|e| {
+        tracing::error!("Saga failed: {:?}", e);
+        ApiError::new(StatusCode::INTERNAL_SERVER_ERROR)
+    })?;
 
     Ok(StatusCode::NO_CONTENT)
 }
@@ -128,7 +138,7 @@ pub(crate) async fn set_signing_key(
 pub(crate) async fn list_all(
     State(context): State<IdentityContext>,
 ) -> Result<(StatusCode, Json<Vec<ManagedKeyDto>>), ApiError> {
-    let view = query_handler("all_managed_keys", &context.state.query.all_managed_keys)
+    let view = query_handler("all_managed_keys", &context.secret_manager_state.query.all_managed_keys)
         .await
         .map_err(|e| {
             tracing::error!("Query failed: {:?}", e);
@@ -156,7 +166,7 @@ pub(crate) async fn list_all(
 
 // Helper function to fetch the managed_key_id by its key_id.
 async fn get_managed_key_id(key_id: &str, context: &IdentityContext) -> Result<String, ApiError> {
-    let view = query_handler("all_managed_keys", &context.state.query.all_managed_keys)
+    let view = query_handler("all_managed_keys", &context.secret_manager_state.query.all_managed_keys)
         .await
         .map_err(|e| {
             tracing::error!("Query failed: {:?}", e);
diff --git a/agent_api_http/src/v1/identity/mod.rs b/agent_api_http/src/v1/identity/mod.rs
index 988501d7..db7c92a4 100644
--- a/agent_api_http/src/v1/identity/mod.rs
+++ b/agent_api_http/src/v1/identity/mod.rs
@@ -1,10 +1,11 @@
 pub mod keys;
 
+use crate::sagas::key_generation_saga::KeyGenerationSaga;
+use crate::sagas::key_removal_saga::KeyRemovalSaga;
 use crate::v1::identity::keys::{generate_key, list_all, remove_key, rename_key_alias, set_signing_key};
 use crate::API_VERSION;
-use agent_identity::application::sagas::key_generation_saga::KeyGenerationSaga;
-use agent_identity::application::sagas::key_removal_saga::KeyRemovalSaga;
 use agent_identity::state::IdentityState;
+use agent_secret_manager::state::SecretManagerState;
 use axum::{
     routing::{get, post},
     Router,
@@ -14,7 +15,8 @@ use std::sync::Arc;
 
 #[derive(Clone)]
 pub struct IdentityContext {
-    pub state: Arc<IdentityState>,
+    pub identity_state: Arc<IdentityState>,
+    pub secret_manager_state: Arc<SecretManagerState>,
     pub key_generation_saga: KeyGenerationSaga,
     pub key_removal_saga: KeyRemovalSaga,
 }
diff --git a/agent_application/src/main.rs b/agent_application/src/main.rs
index 03a65aa5..b1af4f3b 100644
--- a/agent_application/src/main.rs
+++ b/agent_application/src/main.rs
@@ -6,24 +6,22 @@ mod probes;
 use agent_api_http::{
     app,
     metrics::{metrics, track_metrics},
+    sagas::{key_generation_saga::KeyGenerationSaga, key_removal_saga::KeyRemovalSaga},
     ApplicationState,
 };
 use agent_authorization::services::AuthorizationServices;
 use agent_event_publisher_http::EventPublisherHttp;
 use agent_event_publisher_nats::EventPublisherNats;
 use agent_holder::services::HolderServices;
-use agent_identity::{
-    application::sagas::{
-        key_generation_saga::{self, KeyGenerationSaga},
-        key_removal_saga::{self, KeyRemovalSaga},
-    },
-    services::IdentityServices,
-};
+use agent_identity::services::{IdentityServices, ThisIsTheMainService};
 use agent_issuance::{
     application::policies::issuer_metadata_synchronization_policy::IssuerMetadataSynchronizationPolicy,
     services::IssuanceServices,
 };
-use agent_secret_manager::{service::Service as _, subject::Subject};
+use agent_secret_manager::{
+    service::{SecretManagerServices, Service as _},
+    subject::Subject,
+};
 use agent_shared::config::{config, EventStoreType};
 use agent_store::{in_memory::InMemory, mongodb::MongoDB, postgres::Postgres, EventPublisher};
 use agent_verification::services::VerificationServices;
@@ -35,17 +33,11 @@ use tracing::info;
 
 #[tokio::main]
 async fn main() -> io::Result<()> {
-    let subject = Arc::new(Subject::new().await);
-
-    let identity_services = Arc::new(IdentityServices::new(subject.clone()));
-    let authorization_services = Arc::new(AuthorizationServices::new(subject.clone()));
-    let issuance_services = Arc::new(IssuanceServices::new(subject.clone()));
-    let holder_services = Arc::new(HolderServices::new(subject.clone()));
-    let verification_services = Arc::new(VerificationServices::new(subject.clone()));
-
     // TODO: Currently all these `*_event_publishers` are exactly the same, which is weird. We need some sort of layer
     // between `agent_application` and `agent_store` that will provide a cleaner way of initializing the event
     // publishers and sending them over to `agent_store`.
+    let secret_manager_event_publishers: Vec<Box<dyn EventPublisher>> =
+        vec![Box::new(EventPublisherHttp::load().unwrap())];
     let identity_event_publishers: Vec<Box<dyn EventPublisher>> = vec![Box::new(EventPublisherHttp::load().unwrap())];
     let issuance_event_publishers: Vec<Box<dyn EventPublisher>> = vec![
         Box::new(EventPublisherHttp::load().unwrap()),
@@ -58,127 +50,165 @@ async fn main() -> io::Result<()> {
     let verification_event_publishers: Vec<Box<dyn EventPublisher>> =
         vec![Box::new(EventPublisherHttp::load().unwrap())];
 
+    let subject = Arc::new(Subject::new().await);
+
+    let secret_manager_services = Arc::new(SecretManagerServices::new().await);
+    let secret_manager_state = match config().event_store.type_ {
+        EventStoreType::Postgres => {
+            let builder = Postgres::new().await;
+            Arc::new(
+                agent_store::secret_manager_state(
+                    &builder,
+                    secret_manager_services.clone(),
+                    secret_manager_event_publishers,
+                )
+                .await,
+            )
+        }
+        EventStoreType::MongoDb => {
+            let builder = MongoDB::new().await;
+            Arc::new(
+                agent_store::secret_manager_state(
+                    &builder,
+                    secret_manager_services.clone(),
+                    secret_manager_event_publishers,
+                )
+                .await,
+            )
+        }
+        EventStoreType::InMemory => Arc::new(
+            agent_store::secret_manager_state(
+                &InMemory,
+                secret_manager_services.clone(),
+                secret_manager_event_publishers,
+            )
+            .await,
+        ),
+    };
+
+    let identity_services = Arc::new(IdentityServices::new(subject.clone()));
+    let identity_state = match config().event_store.type_ {
+        EventStoreType::Postgres => {
+            let builder = Postgres::new().await;
+            Arc::new(agent_store::identity_state(&builder, identity_services.clone(), identity_event_publishers).await)
+        }
+        EventStoreType::MongoDb => {
+            let builder = MongoDB::new().await;
+            Arc::new(agent_store::identity_state(&builder, identity_services.clone(), identity_event_publishers).await)
+        }
+        EventStoreType::InMemory => {
+            Arc::new(agent_store::identity_state(&InMemory, identity_services.clone(), identity_event_publishers).await)
+        }
+    };
+
+    let this_is_the_main_service = Arc::new(
+        ThisIsTheMainService::new(
+            secret_manager_state.clone(),
+            secret_manager_services.clone(),
+            identity_state.clone(),
+        )
+        .await,
+    );
+
+    let authorization_services = Arc::new(AuthorizationServices::new(subject.clone()));
+    let issuance_services = Arc::new(IssuanceServices::new(subject.clone(), this_is_the_main_service.clone()));
+    let holder_services = Arc::new(HolderServices::new(subject.clone()));
+    let verification_services = Arc::new(VerificationServices::new(subject.clone()));
+
     // TODO: Refactor this to reduce code duplication.
-    let (identity_state, library_state, authorization_state, issuance_state, holder_state, verification_state) =
-        match config().event_store.type_ {
-            EventStoreType::Postgres => {
-                let builder = Postgres::new().await;
-
-                let issuance_state =
-                    Arc::new(agent_store::issuance_state(&builder, issuance_services, issuance_event_publishers).await);
-
-                let issuer_metadata_synchronization_policy =
-                    IssuerMetadataSynchronizationPolicy::new(issuance_state.clone());
-
-                (
-                    Arc::new(
-                        agent_store::identity_state(&builder, identity_services.clone(), identity_event_publishers)
-                            .await,
-                    ),
-                    Arc::new(
-                        agent_store::library_state(
-                            &builder,
-                            library_event_publishers,
-                            vec![Box::new(issuer_metadata_synchronization_policy)],
-                        )
+    let (library_state, authorization_state, issuance_state, holder_state, verification_state) = match config()
+        .event_store
+        .type_
+    {
+        EventStoreType::Postgres => {
+            let builder = Postgres::new().await;
+
+            let issuance_state =
+                Arc::new(agent_store::issuance_state(&builder, issuance_services, issuance_event_publishers).await);
+
+            let issuer_metadata_synchronization_policy =
+                IssuerMetadataSynchronizationPolicy::new(issuance_state.clone());
+
+            (
+                Arc::new(
+                    agent_store::library_state(
+                        &builder,
+                        library_event_publishers,
+                        vec![Box::new(issuer_metadata_synchronization_policy)],
+                    )
+                    .await,
+                ),
+                Arc::new(
+                    agent_store::authorization_state(&builder, authorization_services, authorization_event_publishers)
                         .await,
-                    ),
-                    Arc::new(
-                        agent_store::authorization_state(
-                            &builder,
-                            authorization_services,
-                            authorization_event_publishers,
-                        )
+                ),
+                issuance_state,
+                Arc::new(agent_store::holder_state(&builder, holder_services, holder_event_publishers).await),
+                Arc::new(
+                    agent_store::verification_state(&builder, verification_services, verification_event_publishers)
                         .await,
-                    ),
-                    issuance_state,
-                    Arc::new(agent_store::holder_state(&builder, holder_services, holder_event_publishers).await),
-                    Arc::new(
-                        agent_store::verification_state(&builder, verification_services, verification_event_publishers)
-                            .await,
-                    ),
-                )
-            }
-            EventStoreType::MongoDb => {
-                let builder = MongoDB::new().await;
-
-                let issuance_state =
-                    Arc::new(agent_store::issuance_state(&builder, issuance_services, issuance_event_publishers).await);
-
-                let issuer_metadata_synchronization_policy =
-                    IssuerMetadataSynchronizationPolicy::new(issuance_state.clone());
-
-                (
-                    Arc::new(
-                        agent_store::identity_state(&builder, identity_services.clone(), identity_event_publishers)
-                            .await,
-                    ),
-                    Arc::new(
-                        agent_store::library_state(
-                            &builder,
-                            library_event_publishers,
-                            vec![Box::new(issuer_metadata_synchronization_policy)],
-                        )
+                ),
+            )
+        }
+        EventStoreType::MongoDb => {
+            let builder = MongoDB::new().await;
+
+            let issuance_state =
+                Arc::new(agent_store::issuance_state(&builder, issuance_services, issuance_event_publishers).await);
+
+            let issuer_metadata_synchronization_policy =
+                IssuerMetadataSynchronizationPolicy::new(issuance_state.clone());
+
+            (
+                Arc::new(
+                    agent_store::library_state(
+                        &builder,
+                        library_event_publishers,
+                        vec![Box::new(issuer_metadata_synchronization_policy)],
+                    )
+                    .await,
+                ),
+                Arc::new(
+                    agent_store::authorization_state(&builder, authorization_services, authorization_event_publishers)
                         .await,
-                    ),
-                    Arc::new(
-                        agent_store::authorization_state(
-                            &builder,
-                            authorization_services,
-                            authorization_event_publishers,
-                        )
+                ),
+                issuance_state,
+                Arc::new(agent_store::holder_state(&builder, holder_services, holder_event_publishers).await),
+                Arc::new(
+                    agent_store::verification_state(&builder, verification_services, verification_event_publishers)
                         .await,
-                    ),
-                    issuance_state,
-                    Arc::new(agent_store::holder_state(&builder, holder_services, holder_event_publishers).await),
-                    Arc::new(
-                        agent_store::verification_state(&builder, verification_services, verification_event_publishers)
-                            .await,
-                    ),
-                )
-            }
-            EventStoreType::InMemory => {
-                let issuance_state = Arc::new(
-                    agent_store::issuance_state(&InMemory, issuance_services, issuance_event_publishers).await,
-                );
-
-                let issuer_metadata_synchronization_policy =
-                    IssuerMetadataSynchronizationPolicy::new(issuance_state.clone());
-
-                (
-                    Arc::new(
-                        agent_store::identity_state(&InMemory, identity_services.clone(), identity_event_publishers)
-                            .await,
-                    ),
-                    Arc::new(
-                        agent_store::library_state(
-                            &InMemory,
-                            library_event_publishers,
-                            vec![Box::new(issuer_metadata_synchronization_policy)],
-                        )
+                ),
+            )
+        }
+        EventStoreType::InMemory => {
+            let issuance_state =
+                Arc::new(agent_store::issuance_state(&InMemory, issuance_services, issuance_event_publishers).await);
+
+            let issuer_metadata_synchronization_policy =
+                IssuerMetadataSynchronizationPolicy::new(issuance_state.clone());
+
+            (
+                Arc::new(
+                    agent_store::library_state(
+                        &InMemory,
+                        library_event_publishers,
+                        vec![Box::new(issuer_metadata_synchronization_policy)],
+                    )
+                    .await,
+                ),
+                Arc::new(
+                    agent_store::authorization_state(&InMemory, authorization_services, authorization_event_publishers)
                         .await,
-                    ),
-                    Arc::new(
-                        agent_store::authorization_state(
-                            &InMemory,
-                            authorization_services,
-                            authorization_event_publishers,
-                        )
+                ),
+                issuance_state,
+                Arc::new(agent_store::holder_state(&InMemory, holder_services, holder_event_publishers).await),
+                Arc::new(
+                    agent_store::verification_state(&InMemory, verification_services, verification_event_publishers)
                         .await,
-                    ),
-                    issuance_state,
-                    Arc::new(agent_store::holder_state(&InMemory, holder_services, holder_event_publishers).await),
-                    Arc::new(
-                        agent_store::verification_state(
-                            &InMemory,
-                            verification_services,
-                            verification_event_publishers,
-                        )
-                        .await,
-                    ),
-                )
-            }
-        };
+                ),
+            )
+        }
+    };
 
     info!("{:?}", config());
 
@@ -192,10 +222,19 @@ async fn main() -> io::Result<()> {
     agent_identity::state::initialize(&identity_state).await.unwrap();
     agent_issuance::state::initialize(&issuance_state).await.unwrap();
 
-    let key_generation_saga = KeyGenerationSaga::new(identity_state.clone(), identity_services.clone());
-    let key_removal_saga = KeyRemovalSaga::new(identity_state.clone(), identity_services.clone());
+    let key_generation_saga = KeyGenerationSaga::new(
+        secret_manager_state.clone(),
+        identity_state.clone(),
+        identity_services.clone(),
+    );
+    let key_removal_saga = KeyRemovalSaga::new(
+        secret_manager_state.clone(),
+        identity_state.clone(),
+        identity_services.clone(),
+    );
 
     let app = app(ApplicationState {
+        secret_manager_state: Some(secret_manager_state),
         identity_state: Some(identity_state),
         library_state: Some(library_state),
         authorization_state: Some(authorization_state),
diff --git a/agent_event_publisher_http/Cargo.toml b/agent_event_publisher_http/Cargo.toml
index 9ca85a9c..ed90f524 100644
--- a/agent_event_publisher_http/Cargo.toml
+++ b/agent_event_publisher_http/Cargo.toml
@@ -10,6 +10,7 @@ agent_holder = { path = "../agent_holder" }
 agent_identity = { path = "../agent_identity" }
 agent_issuance = { path = "../agent_issuance" }
 agent_library = { path = "../agent_library" }
+agent_secret_manager = { path = "../agent_secret_manager" }
 agent_shared = { path = "../agent_shared" }
 agent_store = { path = "../agent_store" }
 agent_verification = { path = "../agent_verification" }
diff --git a/agent_event_publisher_http/src/lib.rs b/agent_event_publisher_http/src/lib.rs
index 26537f96..c05d4ac7 100644
--- a/agent_event_publisher_http/src/lib.rs
+++ b/agent_event_publisher_http/src/lib.rs
@@ -4,13 +4,14 @@ use agent_authorization::domain::{
 };
 use agent_holder::presentation::aggregate::Presentation;
 use agent_identity::{
-    connection::aggregate::Connection, document::aggregate::Document, managed_key::aggregate::ManagedKey,
-    profile::aggregate::Profile, service::aggregate::Service,
+    connection::aggregate::Connection, document::aggregate::Document, profile::aggregate::Profile,
+    service::aggregate::Service,
 };
 use agent_issuance::{
     credential::aggregate::Credential, offer::aggregate::Offer, server_config::aggregate::ServerConfig,
 };
 use agent_library::template::aggregate::Template;
+use agent_secret_manager::managed_key::aggregate::ManagedKey;
 use agent_shared::config::config;
 use agent_store::{
     AccessTokenEventPublisher, AuthorizationCodeEventPublisher, AuthorizationRequestEventPublisher,
diff --git a/agent_holder/src/offer/aggregate.rs b/agent_holder/src/offer/aggregate.rs
index c2e7db23..a9dcc00f 100644
--- a/agent_holder/src/offer/aggregate.rs
+++ b/agent_holder/src/offer/aggregate.rs
@@ -310,266 +310,266 @@ impl Aggregate for Offer {
     }
 }
 
-#[cfg(test)]
-pub mod tests {
-    use super::test_utils::*;
-    use super::*;
-    use agent_api_http::v0::{authorization, issuance};
-    use agent_api_http::API_VERSION;
-    use agent_issuance::server_config::aggregate::test_utils::credential_configurations_supported;
-    use agent_secret_manager::service::Service;
-    use agent_shared::config::config;
-    use agent_shared::config::config_mut;
-    use agent_shared::generate_random_string;
-    use agent_store::in_memory::InMemory;
-    use agent_store::{authorization_state, issuance_state};
-    use axum::{
-        body::Body,
-        http::{self, Request},
-    };
-    use cqrs_es::test::TestFramework;
-    use oid4vci::credential_offer::CredentialOffer;
-    use rstest::{fixture, rstest};
-    use serde_json::json;
-    use tokio::net::TcpListener;
-    use tower::Service as _;
-
-    type OfferTestFramework = TestFramework<Offer>;
-
-    async fn bootstrap_issuer_server() -> CredentialOffer {
-        let listener = TcpListener::bind("0.0.0.0:0").await.unwrap();
-        let issuer_url = format!("http://{}", listener.local_addr().unwrap());
-
-        config_mut().application_url = issuer_url.parse().unwrap();
-
-        let application_url = config().application_url.clone();
-
-        config_mut().public_url = application_url.clone();
-        config_mut().token_endpoint = application_url.join("auth/token").unwrap();
-        config_mut().credential_endpoint = application_url.join("openid4vci/credential").unwrap();
-        config_mut().credential_offer_uri = application_url.join("openid4vci/credential-offer/").unwrap();
-
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
-        agent_issuance::state::initialize(&issuance_state).await.unwrap();
-        let mut credential_isser = issuance::router(issuance_state.clone());
-
-        let authorization_state =
-            Arc::new(authorization_state(&InMemory, Service::default(), Default::default()).await);
-        agent_authorization::state::initialize(&authorization_state)
-            .await
-            .unwrap();
-        let authorization_server = authorization::router((authorization_state, issuance_state));
-
-        let received_offer_id = generate_random_string();
-
-        let _ = credential_isser
-            .call(
-                Request::builder()
-                    .method(http::Method::POST)
-                    .uri(format!("{issuer_url}{API_VERSION}/credentials"))
-                    .header(http::header::CONTENT_TYPE, mime::APPLICATION_JSON.as_ref())
-                    .body(Body::from(
-                        serde_json::to_vec(&json!({
-                            "offerId": received_offer_id,
-                            "credential": {
-                                "credentialSubject": {
-                                    "first_name": "Ferris",
-                                    "last_name": "Rustacean",
-                                    "degree": {
-                                        "type": "MasterDegree",
-                                        "name": "Master of Oceanography"
-                                    }
-                            }},
-                            "credentialConfigurationId": "001",
-                            "expiresAt": "never",
-                        }))
-                        .unwrap(),
-                    ))
-                    .unwrap(),
-            )
-            .await;
-
-        let response = credential_isser
-            .call(
-                Request::builder()
-                    .method(http::Method::POST)
-                    .uri(format!("{issuer_url}{API_VERSION}/offers"))
-                    .header(http::header::CONTENT_TYPE, mime::APPLICATION_JSON.as_ref())
-                    .body(Body::from(
-                        serde_json::to_vec(&json!({
-                            "offerId": received_offer_id,
-                            "credentialConfigurationIds": ["001"],
-                        }))
-                        .unwrap(),
-                    ))
-                    .unwrap(),
-            )
-            .await
-            .unwrap();
-
-        let body = axum::body::to_bytes(response.into_body(), usize::MAX).await.unwrap();
-
-        let credential_offer: CredentialOffer = String::from_utf8(body.to_vec()).unwrap().parse().unwrap();
-
-        tokio::spawn(async move {
-            axum::serve(listener, credential_isser.merge(authorization_server))
-                .await
-                .unwrap();
-        });
-
-        credential_offer
-    }
-
-    #[fixture]
-    async fn credential_offer_parameters() -> Box<CredentialOfferParameters> {
-        let credential_offer = bootstrap_issuer_server().await;
-
-        match credential_offer {
-            CredentialOffer::CredentialOffer(credential_offer) => credential_offer,
-            _ => unreachable!(),
-        }
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    #[tokio::test]
-    async fn test_receive_credential_offer(
-        received_offer_id: String,
-        #[future(awt)] credential_offer_parameters: Box<CredentialOfferParameters>,
-        credential_configurations_supported: HashMap<String, CredentialConfigurationsSupportedObject>,
-    ) {
-        OfferTestFramework::with(Service::default())
-            .given_no_previous_events()
-            .when_async(OfferCommand::ReceiveCredentialOffer {
-                received_offer_id: received_offer_id.clone(),
-                credential_offer: CredentialOffer::CredentialOffer(credential_offer_parameters.clone()),
-            })
-            .await
-            .then_expect_events(vec![OfferEvent::CredentialOfferReceived {
-                received_offer_id,
-                credential_offer: credential_offer_parameters,
-                credential_configurations: credential_configurations_supported,
-            }]);
-    }
-
-    // TODO: Update this test after Application logic is migrated to the Application layer. This test is currently
-    // expected to fail due to the `access_token` in the `TokenResponse` being a dynamic JWT now which means that we
-    // cannot make use of a static Access Token token value for testing anymore. This test is still useful to ensure
-    // that the `OfferAggregate` is able to handle the `AcceptCredentialOffer` command and produce the expected events
-    // and expected 'panic' message.
-    #[should_panic(
-        expected = "access_token: \"eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImtpZCI6ImRpZDprZXk6ejZNa2dFODROQ01wTWVBeDlqSzljZjVXNEc4Z2NaOXh1d0p2RzFlN3dOazhLQ2d0I3o2TWtnRTg0TkNNcE1lQXg5aks5Y2Y1VzRHOGdjWjl4dXdKdkcxZTd3Tms4S0NndCJ9"
-    )]
-    #[rstest]
-    #[serial_test::serial]
-    #[tokio::test]
-    async fn test_accept_credential_offer(
-        received_offer_id: String,
-        #[future(awt)] credential_offer_parameters: Box<CredentialOfferParameters>,
-        credential_configurations_supported: HashMap<String, CredentialConfigurationsSupportedObject>,
-    ) {
-        OfferTestFramework::with(Service::default())
-            .given(vec![OfferEvent::CredentialOfferReceived {
-                received_offer_id: received_offer_id.clone(),
-                credential_offer: credential_offer_parameters,
-                credential_configurations: credential_configurations_supported,
-            }])
-            .when_async(OfferCommand::AcceptCredentialOffer {
-                received_offer_id: received_offer_id.clone(),
-            })
-            .await
-            .then_expect_events(vec![
-                OfferEvent::CredentialOfferAccepted {
-                    received_offer_id: received_offer_id.clone(),
-                    status: Status::Accepted,
-                },
-                OfferEvent::TokenResponseReceived {
-                    received_offer_id,
-                    token_response: TokenResponse {
-                        // Placeholder Access Token which is expected to fail validation in the test.
-                        access_token: "placeholder".to_string(),
-                        token_type: "Bearer".to_string(),
-                        expires_in: None,
-                        scope: None,
-                        refresh_token: None,
-                    },
-                },
-            ]);
-    }
-
-    // TODO: Similar to the test above, this test is expected to fail due to the dynamic JWT in the `TokenResponse`.
-    // Sending HTTP requests as well as the signing and validation of JWTs is Application layer logic so these things
-    // should not be implemented/tested here. For now we can expect this test to panic with the message "An error
-    // occurred while requesting the credentials" which is the expected behavior when the `OfferAggregate` tries to
-    // request credentials with the invalid placeholder Access Token.
-    #[should_panic(expected = "An error occurred while requesting the credentials")]
-    #[rstest]
-    #[serial_test::serial]
-    #[tokio::test]
-    async fn test_send_credential_request(
-        received_offer_id: String,
-        #[future(awt)] credential_offer_parameters: Box<CredentialOfferParameters>,
-        credential_configurations_supported: HashMap<String, CredentialConfigurationsSupportedObject>,
-        signed_credentials: Vec<OfferCredential>,
-    ) {
-        OfferTestFramework::with(Service::default())
-            .given(vec![
-                OfferEvent::CredentialOfferReceived {
-                    received_offer_id: received_offer_id.clone(),
-                    credential_offer: credential_offer_parameters,
-                    credential_configurations: credential_configurations_supported,
-                },
-                OfferEvent::CredentialOfferAccepted {
-                    received_offer_id: received_offer_id.clone(),
-                    status: Status::Accepted,
-                },
-                OfferEvent::TokenResponseReceived {
-                    received_offer_id: received_offer_id.clone(),
-                    token_response: TokenResponse {
-                        // Placeholder Access Token which is expected to fail validation in the test.
-                        access_token: "placeholder".to_string(),
-                        token_type: "Bearer".to_string(),
-                        expires_in: None,
-                        scope: None,
-                        refresh_token: None,
-                    },
-                },
-            ])
-            .when_async(OfferCommand::SendCredentialRequest {
-                received_offer_id: received_offer_id.clone(),
-            })
-            .await
-            .then_expect_events(vec![OfferEvent::CredentialResponseReceived {
-                received_offer_id: received_offer_id.clone(),
-                status: Status::CredentialsReceived,
-                credentials: signed_credentials,
-            }]);
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    #[tokio::test]
-    async fn test_reject_credential_offer(
-        received_offer_id: String,
-        #[future(awt)] credential_offer_parameters: Box<CredentialOfferParameters>,
-        credential_configurations_supported: HashMap<String, CredentialConfigurationsSupportedObject>,
-    ) {
-        OfferTestFramework::with(Service::default())
-            .given(vec![OfferEvent::CredentialOfferReceived {
-                received_offer_id: received_offer_id.clone(),
-                credential_offer: credential_offer_parameters,
-                credential_configurations: credential_configurations_supported,
-            }])
-            .when_async(OfferCommand::RejectCredentialOffer {
-                received_offer_id: received_offer_id.clone(),
-            })
-            .await
-            .then_expect_events(vec![OfferEvent::CredentialOfferRejected {
-                received_offer_id: received_offer_id.clone(),
-                status: Status::Rejected,
-            }]);
-    }
-}
+// #[cfg(test)]
+// pub mod tests {
+//     use super::test_utils::*;
+//     use super::*;
+//     use agent_api_http::v0::{authorization, issuance};
+//     use agent_api_http::API_VERSION;
+//     use agent_issuance::server_config::aggregate::test_utils::credential_configurations_supported;
+//     use agent_secret_manager::service::Service;
+//     use agent_shared::config::config;
+//     use agent_shared::config::config_mut;
+//     use agent_shared::generate_random_string;
+//     use agent_store::in_memory::InMemory;
+//     use agent_store::{authorization_state, issuance_state};
+//     use axum::{
+//         body::Body,
+//         http::{self, Request},
+//     };
+//     use cqrs_es::test::TestFramework;
+//     use oid4vci::credential_offer::CredentialOffer;
+//     use rstest::{fixture, rstest};
+//     use serde_json::json;
+//     use tokio::net::TcpListener;
+//     use tower::Service as _;
+
+//     type OfferTestFramework = TestFramework<Offer>;
+
+//     async fn bootstrap_issuer_server() -> CredentialOffer {
+//         let listener = TcpListener::bind("0.0.0.0:0").await.unwrap();
+//         let issuer_url = format!("http://{}", listener.local_addr().unwrap());
+
+//         config_mut().application_url = issuer_url.parse().unwrap();
+
+//         let application_url = config().application_url.clone();
+
+//         config_mut().public_url = application_url.clone();
+//         config_mut().token_endpoint = application_url.join("auth/token").unwrap();
+//         config_mut().credential_endpoint = application_url.join("openid4vci/credential").unwrap();
+//         config_mut().credential_offer_uri = application_url.join("openid4vci/credential-offer/").unwrap();
+
+//         let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+//         agent_issuance::state::initialize(&issuance_state).await.unwrap();
+//         let mut credential_isser = issuance::router(issuance_state.clone());
+
+//         let authorization_state =
+//             Arc::new(authorization_state(&InMemory, Service::default(), Default::default()).await);
+//         agent_authorization::state::initialize(&authorization_state)
+//             .await
+//             .unwrap();
+//         let authorization_server = authorization::router((authorization_state, issuance_state));
+
+//         let received_offer_id = generate_random_string();
+
+//         let _ = credential_isser
+//             .call(
+//                 Request::builder()
+//                     .method(http::Method::POST)
+//                     .uri(format!("{issuer_url}{API_VERSION}/credentials"))
+//                     .header(http::header::CONTENT_TYPE, mime::APPLICATION_JSON.as_ref())
+//                     .body(Body::from(
+//                         serde_json::to_vec(&json!({
+//                             "offerId": received_offer_id,
+//                             "credential": {
+//                                 "credentialSubject": {
+//                                     "first_name": "Ferris",
+//                                     "last_name": "Rustacean",
+//                                     "degree": {
+//                                         "type": "MasterDegree",
+//                                         "name": "Master of Oceanography"
+//                                     }
+//                             }},
+//                             "credentialConfigurationId": "001",
+//                             "expiresAt": "never",
+//                         }))
+//                         .unwrap(),
+//                     ))
+//                     .unwrap(),
+//             )
+//             .await;
+
+//         let response = credential_isser
+//             .call(
+//                 Request::builder()
+//                     .method(http::Method::POST)
+//                     .uri(format!("{issuer_url}{API_VERSION}/offers"))
+//                     .header(http::header::CONTENT_TYPE, mime::APPLICATION_JSON.as_ref())
+//                     .body(Body::from(
+//                         serde_json::to_vec(&json!({
+//                             "offerId": received_offer_id,
+//                             "credentialConfigurationIds": ["001"],
+//                         }))
+//                         .unwrap(),
+//                     ))
+//                     .unwrap(),
+//             )
+//             .await
+//             .unwrap();
+
+//         let body = axum::body::to_bytes(response.into_body(), usize::MAX).await.unwrap();
+
+//         let credential_offer: CredentialOffer = String::from_utf8(body.to_vec()).unwrap().parse().unwrap();
+
+//         tokio::spawn(async move {
+//             axum::serve(listener, credential_isser.merge(authorization_server))
+//                 .await
+//                 .unwrap();
+//         });
+
+//         credential_offer
+//     }
+
+//     #[fixture]
+//     async fn credential_offer_parameters() -> Box<CredentialOfferParameters> {
+//         let credential_offer = bootstrap_issuer_server().await;
+
+//         match credential_offer {
+//             CredentialOffer::CredentialOffer(credential_offer) => credential_offer,
+//             _ => unreachable!(),
+//         }
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     #[tokio::test]
+//     async fn test_receive_credential_offer(
+//         received_offer_id: String,
+//         #[future(awt)] credential_offer_parameters: Box<CredentialOfferParameters>,
+//         credential_configurations_supported: HashMap<String, CredentialConfigurationsSupportedObject>,
+//     ) {
+//         OfferTestFramework::with(Service::default())
+//             .given_no_previous_events()
+//             .when_async(OfferCommand::ReceiveCredentialOffer {
+//                 received_offer_id: received_offer_id.clone(),
+//                 credential_offer: CredentialOffer::CredentialOffer(credential_offer_parameters.clone()),
+//             })
+//             .await
+//             .then_expect_events(vec![OfferEvent::CredentialOfferReceived {
+//                 received_offer_id,
+//                 credential_offer: credential_offer_parameters,
+//                 credential_configurations: credential_configurations_supported,
+//             }]);
+//     }
+
+//     // TODO: Update this test after Application logic is migrated to the Application layer. This test is currently
+//     // expected to fail due to the `access_token` in the `TokenResponse` being a dynamic JWT now which means that we
+//     // cannot make use of a static Access Token token value for testing anymore. This test is still useful to ensure
+//     // that the `OfferAggregate` is able to handle the `AcceptCredentialOffer` command and produce the expected events
+//     // and expected 'panic' message.
+//     #[should_panic(
+//         expected = "access_token: \"eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImtpZCI6ImRpZDprZXk6ejZNa2dFODROQ01wTWVBeDlqSzljZjVXNEc4Z2NaOXh1d0p2RzFlN3dOazhLQ2d0I3o2TWtnRTg0TkNNcE1lQXg5aks5Y2Y1VzRHOGdjWjl4dXdKdkcxZTd3Tms4S0NndCJ9"
+//     )]
+//     #[rstest]
+//     #[serial_test::serial]
+//     #[tokio::test]
+//     async fn test_accept_credential_offer(
+//         received_offer_id: String,
+//         #[future(awt)] credential_offer_parameters: Box<CredentialOfferParameters>,
+//         credential_configurations_supported: HashMap<String, CredentialConfigurationsSupportedObject>,
+//     ) {
+//         OfferTestFramework::with(Service::default())
+//             .given(vec![OfferEvent::CredentialOfferReceived {
+//                 received_offer_id: received_offer_id.clone(),
+//                 credential_offer: credential_offer_parameters,
+//                 credential_configurations: credential_configurations_supported,
+//             }])
+//             .when_async(OfferCommand::AcceptCredentialOffer {
+//                 received_offer_id: received_offer_id.clone(),
+//             })
+//             .await
+//             .then_expect_events(vec![
+//                 OfferEvent::CredentialOfferAccepted {
+//                     received_offer_id: received_offer_id.clone(),
+//                     status: Status::Accepted,
+//                 },
+//                 OfferEvent::TokenResponseReceived {
+//                     received_offer_id,
+//                     token_response: TokenResponse {
+//                         // Placeholder Access Token which is expected to fail validation in the test.
+//                         access_token: "placeholder".to_string(),
+//                         token_type: "Bearer".to_string(),
+//                         expires_in: None,
+//                         scope: None,
+//                         refresh_token: None,
+//                     },
+//                 },
+//             ]);
+//     }
+
+//     // TODO: Similar to the test above, this test is expected to fail due to the dynamic JWT in the `TokenResponse`.
+//     // Sending HTTP requests as well as the signing and validation of JWTs is Application layer logic so these things
+//     // should not be implemented/tested here. For now we can expect this test to panic with the message "An error
+//     // occurred while requesting the credentials" which is the expected behavior when the `OfferAggregate` tries to
+//     // request credentials with the invalid placeholder Access Token.
+//     #[should_panic(expected = "An error occurred while requesting the credentials")]
+//     #[rstest]
+//     #[serial_test::serial]
+//     #[tokio::test]
+//     async fn test_send_credential_request(
+//         received_offer_id: String,
+//         #[future(awt)] credential_offer_parameters: Box<CredentialOfferParameters>,
+//         credential_configurations_supported: HashMap<String, CredentialConfigurationsSupportedObject>,
+//         signed_credentials: Vec<OfferCredential>,
+//     ) {
+//         OfferTestFramework::with(Service::default())
+//             .given(vec![
+//                 OfferEvent::CredentialOfferReceived {
+//                     received_offer_id: received_offer_id.clone(),
+//                     credential_offer: credential_offer_parameters,
+//                     credential_configurations: credential_configurations_supported,
+//                 },
+//                 OfferEvent::CredentialOfferAccepted {
+//                     received_offer_id: received_offer_id.clone(),
+//                     status: Status::Accepted,
+//                 },
+//                 OfferEvent::TokenResponseReceived {
+//                     received_offer_id: received_offer_id.clone(),
+//                     token_response: TokenResponse {
+//                         // Placeholder Access Token which is expected to fail validation in the test.
+//                         access_token: "placeholder".to_string(),
+//                         token_type: "Bearer".to_string(),
+//                         expires_in: None,
+//                         scope: None,
+//                         refresh_token: None,
+//                     },
+//                 },
+//             ])
+//             .when_async(OfferCommand::SendCredentialRequest {
+//                 received_offer_id: received_offer_id.clone(),
+//             })
+//             .await
+//             .then_expect_events(vec![OfferEvent::CredentialResponseReceived {
+//                 received_offer_id: received_offer_id.clone(),
+//                 status: Status::CredentialsReceived,
+//                 credentials: signed_credentials,
+//             }]);
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     #[tokio::test]
+//     async fn test_reject_credential_offer(
+//         received_offer_id: String,
+//         #[future(awt)] credential_offer_parameters: Box<CredentialOfferParameters>,
+//         credential_configurations_supported: HashMap<String, CredentialConfigurationsSupportedObject>,
+//     ) {
+//         OfferTestFramework::with(Service::default())
+//             .given(vec![OfferEvent::CredentialOfferReceived {
+//                 received_offer_id: received_offer_id.clone(),
+//                 credential_offer: credential_offer_parameters,
+//                 credential_configurations: credential_configurations_supported,
+//             }])
+//             .when_async(OfferCommand::RejectCredentialOffer {
+//                 received_offer_id: received_offer_id.clone(),
+//             })
+//             .await
+//             .then_expect_events(vec![OfferEvent::CredentialOfferRejected {
+//                 received_offer_id: received_offer_id.clone(),
+//                 status: Status::Rejected,
+//             }]);
+//     }
+// }
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_identity/Cargo.toml b/agent_identity/Cargo.toml
index f6330b04..7d4c20d6 100644
--- a/agent_identity/Cargo.toml
+++ b/agent_identity/Cargo.toml
@@ -26,6 +26,7 @@ itertools = "0.14"
 jsonwebtoken.workspace = true
 oid4vc-core.workspace = true
 product_common.workspace = true
+p256 = { version = "0.13", features = ["jwk"] }
 rand.workspace = true
 serde.workspace = true
 serde_json.workspace = true
@@ -40,6 +41,19 @@ url.workspace = true
 urlencoding = "2.1"
 uuid.workspace = true
 
+# TODO: Fully remove `did_manager`.
+# - The `producer` module has already been eliminated.
+# - In the `consumer` module, only the `Resolver` struct is still in use.
+# - All components of the `identity_stronghold_ext` module are still active.
+# FIXME: make sure to use a tag for these dependencies.
+# Future work: Migrate the remaining functionality into UniCore.
+# did_manager_consumer = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "consumer" }
+# did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "identity_stronghold_ext" }
+# did_manager_consumer = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "consumer" }
+# did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "identity_stronghold_ext" }
+did_manager_consumer = { path = "../../did-manager/consumer", package = "consumer" }
+did_manager_identity_stronghold_ext = { path = "../../did-manager/identity_stronghold_ext", package = "identity_stronghold_ext" }
+
 # `test_utils` dependencies
 futures = { workspace = true, optional = true }
 rstest = { workspace = true, optional = true }
diff --git a/agent_identity/src/application/mod.rs b/agent_identity/src/application/mod.rs
deleted file mode 100644
index c6dd99da..00000000
--- a/agent_identity/src/application/mod.rs
+++ /dev/null
@@ -1 +0,0 @@
-pub mod sagas;
diff --git a/agent_identity/src/document/aggregate.rs b/agent_identity/src/document/aggregate.rs
index 501d9ba1..4df70772 100644
--- a/agent_identity/src/document/aggregate.rs
+++ b/agent_identity/src/document/aggregate.rs
@@ -1,7 +1,6 @@
 use super::{command::DocumentCommand, error::DocumentError, event::DocumentEvent};
-use crate::managed_key::aggregate::SigningAlgorithm;
 use crate::services::IdentityServices;
-use agent_secret_manager::subject::StorageKey;
+use agent_secret_manager::managed_key::aggregate::SigningAlgorithm;
 use agent_shared::config::{config, get_all_enabled_signing_algorithms_supported};
 use agent_shared::config::{config_mut, SupportedDidMethod};
 use async_trait::async_trait;
@@ -315,70 +314,6 @@ impl Aggregate for Document {
                     iota_metadata,
                 }])
             }
-            UpdatePublicKeys {
-                // TODO: decide whether the public keys should be supplied through the command or not.
-                public_key_jwks: _,
-            } => {
-                let mut document = self.document.clone().ok_or(MissingDocumentError)?;
-                let did = document.id().clone();
-
-                let did_method = self.did_method.ok_or(MissingDidMethodError)?;
-
-                let subject = &services.subject;
-
-                // Remove all existing verification methods from the document.
-                let methods = document.methods(None).into_iter().cloned().collect::<Vec<_>>();
-                for method in methods {
-                    document.remove_method(method.id());
-                }
-
-                // Insert the new verification methods based on the signing algorithms.
-                let mut events = vec![];
-                for signing_algorithm in self
-                    .with_fixed_algorithm
-                    .map(|signing_algorithm| vec![signing_algorithm])
-                    .unwrap_or_else(get_all_enabled_signing_algorithms_supported)
-                {
-                    let key_id = match signing_algorithm {
-                        Algorithm::EdDSA => config().secret_manager.issuer_eddsa_key_id.clone(),
-                        Algorithm::ES256 => config().secret_manager.issuer_es256_key_id.clone(),
-                        algorithm => return Err(UnsupportedSigningAlgorithmError(algorithm)),
-                    };
-
-                    let public_key_jwk = subject
-                        .get_public_key(key_id, &signing_algorithm)
-                        .await
-                        .map_err(|err| MissingKeyError(err.to_string()))?;
-
-                    let verification_method = VerificationMethod::new_from_jwk(
-                        did.clone(),
-                        public_key_jwk,
-                        (did_method == SupportedDidMethod::Key)
-                            .then_some(did.method_id())
-                            .or(did_method.fragment()),
-                    )
-                    .map_err(|err| VerificationMethodBuilderError(err.to_string()))?;
-
-                    subject
-                        .insert_verification_method_id(
-                            StorageKey::new(did_method, signing_algorithm),
-                            verification_method.id().clone(),
-                        )
-                        .await
-                        .map_err(|err| VerificationMethodInsertionError(err.to_string()))?;
-
-                    document
-                        .insert_method(verification_method, MethodScope::VerificationMethod) // TODO: add relationships, also TODO: adjust KID insertion elsewhere
-                        .map_err(|err| VerificationMethodInsertionError(err.to_string()))?;
-
-                    events.push(PublicKeyUpdated {
-                        document_id: self.document_id.clone(),
-                        document: document.clone(),
-                    })
-                }
-
-                Ok(events)
-            }
             UpdateDocumentStatus { status } => Ok(vec![DocumentStatusUpdated {
                 document_id: self.document_id.clone(),
                 status,
@@ -941,39 +876,6 @@ pub mod document_tests {
             }])
     }
 
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_set_public_key_jwks(
-        document_id: String,
-        did_method: SupportedDidMethod,
-        document: CoreDocument,
-        document_with_single_verification_method: CoreDocument,
-        document_with_multiple_verification_methods: CoreDocument,
-    ) {
-        DocumentTestFramework::with(IdentityServices::default())
-            .given(vec![DocumentEvent::DocumentCreated {
-                document_id: document_id.clone(),
-                did_method,
-                document: document.clone(),
-                status: Status::SignAndValidate,
-                with_fixed_algorithm: None,
-                iota_metadata: None,
-            }])
-            .when(DocumentCommand::UpdatePublicKeys {
-                public_key_jwks: vec![],
-            })
-            .then_expect_events(vec![
-                DocumentEvent::PublicKeyUpdated {
-                    document_id: document_id.clone(),
-                    document: document_with_single_verification_method,
-                },
-                DocumentEvent::PublicKeyUpdated {
-                    document_id,
-                    document: document_with_multiple_verification_methods,
-                },
-            ])
-    }
-
     #[rstest]
     #[serial_test::serial]
     async fn test_add_service(
diff --git a/agent_identity/src/document/command.rs b/agent_identity/src/document/command.rs
index 98cc5966..dee9d23d 100644
--- a/agent_identity/src/document/command.rs
+++ b/agent_identity/src/document/command.rs
@@ -1,6 +1,5 @@
-use crate::managed_key::aggregate::SigningAlgorithm;
-
 use super::aggregate::Status;
+use agent_secret_manager::managed_key::aggregate::SigningAlgorithm;
 use agent_shared::config::SupportedDidMethod;
 use identity_document::service::Service as DocumentService;
 use identity_iota::verification::jwk::Jwk;
@@ -18,9 +17,6 @@ pub enum DocumentCommand {
     UpdateDocumentStatus {
         status: Status,
     },
-    UpdatePublicKeys {
-        public_key_jwks: Vec<Jwk>,
-    },
     AddVerificationMethod {
         key_id: String,
         signing_algorithm: SigningAlgorithm,
diff --git a/agent_identity/src/lib.rs b/agent_identity/src/lib.rs
index 6aadf9de..59554c8c 100644
--- a/agent_identity/src/lib.rs
+++ b/agent_identity/src/lib.rs
@@ -1,10 +1,8 @@
 // Aggregates
 pub mod connection;
 pub mod document;
-pub mod managed_key;
 pub mod profile;
 pub mod service;
 
-pub mod application;
 pub mod services;
 pub mod state;
diff --git a/agent_identity/src/services.rs b/agent_identity/src/services.rs
index 0884ecb4..aff19381 100644
--- a/agent_identity/src/services.rs
+++ b/agent_identity/src/services.rs
@@ -1,5 +1,28 @@
-use agent_secret_manager::subject::Subject;
-use std::sync::Arc;
+use agent_secret_manager::{
+    managed_key::{self, aggregate::SigningAlgorithm},
+    service::SecretManagerServices,
+    state::SecretManagerState,
+    subject::{Subject, SubjectExt},
+};
+use agent_shared::{
+    config::{config, SupportedDidMethod},
+    handlers::query_handler,
+};
+use anyhow::anyhow;
+use async_trait::async_trait;
+use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
+use did_manager_consumer::resolver::Resolver;
+use identity_did::{DIDUrl, DID as _};
+use identity_iota::{
+    document::DIDUrlQuery,
+    verification::jwk::{Jwk, JwkParams},
+};
+use identity_storage::JwkStorage as _;
+use jsonwebtoken::Algorithm;
+use oid4vc_core::{authentication::sign::ExternalSign, Sign, Verify};
+use std::{str::FromStr as _, sync::Arc};
+
+use crate::state::IdentityState;
 
 /// Identity services.
 pub struct IdentityServices {
@@ -22,3 +45,220 @@ impl IdentityServices {
         }))))
     }
 }
+
+pub struct ThisIsTheMainService {
+    pub secret_manager_state: Arc<SecretManagerState>,
+    pub secret_manager_services: Arc<SecretManagerServices>,
+    pub identity_state: Arc<IdentityState>,
+    pub resolver: Resolver,
+}
+
+impl ThisIsTheMainService {
+    pub async fn new(
+        secret_manager_state: Arc<SecretManagerState>,
+        secret_manager_services: Arc<SecretManagerServices>,
+        identity_state: Arc<IdentityState>,
+    ) -> Self {
+        let resolver = Resolver::new().await;
+
+        Self {
+            secret_manager_state,
+            secret_manager_services,
+            identity_state,
+            resolver,
+        }
+    }
+}
+
+impl std::fmt::Debug for ThisIsTheMainService {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("ThisIsTheMainService").finish()
+    }
+}
+
+/// Extension trait for `Subject` to provide additional functionality.
+#[async_trait]
+impl SubjectExt for ThisIsTheMainService {
+    /// Resolves the public key for a given DID URL.
+    async fn resolve_public_key(&self, did_url: &str) -> anyhow::Result<Jwk> {
+        let did_url =
+            identity_iota::did::DIDUrl::parse(did_url).map_err(|err| anyhow!("Failed to parse DID URL: {err}"))?;
+
+        let resolver = &self.resolver;
+
+        let document = resolver
+            .resolve(did_url.did().as_str())
+            .await
+            .map_err(|err| anyhow!("Failed to resolve DID Document for DID: `{did_url}`, error: {err}"))?;
+
+        let verification_method = document
+            .resolve_method(DIDUrlQuery::from(&did_url), None)
+            .ok_or(anyhow!(
+                "Failed to resolve verification method for DID URL: `{did_url}`"
+            ))?;
+
+        verification_method
+            .data()
+            .public_key_jwk()
+            .ok_or_else(|| anyhow!("Failed to resolve public key for DID URL: `{did_url}`"))
+            .cloned()
+    }
+}
+
+// /// This module contains implementations for `Subject` for testing purposes.
+// /// It is only available when the `test_utils` feature is enabled.
+// #[cfg(feature = "test_utils")]
+// mod default_subject {
+//     use super::*;
+
+//     // This `Default` implementation for `Subject` returns a new `Subject` with the Verification Method IDs already preloaded.
+//     impl Default for Subject {
+//         fn default() -> Self {
+//             futures::executor::block_on(async {
+//                 let stronghold_storage = stronghold_storage().await;
+
+//                 Self { stronghold_storage }
+//             })
+//         }
+//     }
+// }
+
+#[async_trait]
+impl Verify for ThisIsTheMainService {
+    async fn public_key(&self, did_url: &str) -> anyhow::Result<Vec<u8>> {
+        let did_url =
+            identity_iota::did::DIDUrl::parse(did_url).map_err(|err| anyhow!("Failed to parse DID URL: {err}"))?;
+
+        // TODO: Make sure the resolver only needs to be created once.
+        let resolver = Resolver::new().await;
+
+        let document = resolver
+            .resolve(did_url.did().as_str())
+            .await
+            .map_err(|err| anyhow!("Failed to resolve DID Document for DID: `{did_url}`, error: {err}"))?;
+
+        let verification_method = document
+            .resolve_method(DIDUrlQuery::from(&did_url), None)
+            .ok_or(anyhow!(
+                "Failed to resolve verification method for DID URL: `{did_url}`"
+            ))?;
+
+        // Try decode from `MethodData` directly, else use public JWK params.
+        verification_method.data().try_decode().or_else(|_| {
+            verification_method
+                .data()
+                .public_key_jwk()
+                .and_then(|public_key_jwk| match public_key_jwk.params() {
+                    JwkParams::Okp(okp_params) => URL_SAFE_NO_PAD.decode(&okp_params.x).ok(),
+                    JwkParams::Ec(ec_params) => {
+                        let x_bytes = URL_SAFE_NO_PAD.decode(&ec_params.x).ok()?;
+                        let y_bytes = URL_SAFE_NO_PAD.decode(&ec_params.y).ok()?;
+
+                        let encoded_point = p256::EncodedPoint::from_affine_coordinates(
+                            p256::FieldBytes::from_slice(&x_bytes),
+                            p256::FieldBytes::from_slice(&y_bytes),
+                            false, // false for uncompressed point
+                        );
+
+                        let verifying_key = p256::ecdsa::VerifyingKey::from_encoded_point(&encoded_point)
+                            .expect("Failed to create verifying key from encoded point");
+
+                        Some(verifying_key.to_encoded_point(false).as_bytes().to_vec())
+                    }
+                    _ => None,
+                })
+                .ok_or(anyhow!("Failed to decode public key for DID URL: `{did_url}`"))
+        })
+    }
+}
+
+#[async_trait]
+impl Sign for ThisIsTheMainService {
+    async fn key_id(&self, subject_syntax_type: &str, algorithm: Algorithm) -> Option<String> {
+        let method = SupportedDidMethod::from_str(subject_syntax_type).ok()?;
+
+        let signing_algorithm: SigningAlgorithm = match algorithm {
+            Algorithm::EdDSA => SigningAlgorithm::EdDSA,
+            Algorithm::ES256 => SigningAlgorithm::ES256,
+            _ => return None,
+        };
+
+        let all_managed_keys_view =
+            query_handler("all_managed_keys", &self.secret_manager_state.query.all_managed_keys)
+                .await
+                .unwrap()
+                .unwrap();
+
+        let managed_key_view = all_managed_keys_view
+            .managed_keys
+            .values()
+            .find(|managed_key_view| {
+                managed_key_view.signing_algorithm == Some(signing_algorithm.clone())
+                    && managed_key_view.is_signing_key
+                    && !managed_key_view.is_removed
+            })
+            .unwrap();
+
+        let all_documents_view = query_handler("all_documents", &self.identity_state.query.all_documents)
+            .await
+            .unwrap()
+            .unwrap();
+
+        let document_view = all_documents_view
+            .documents
+            .values()
+            .find(|document_view| document_view.did_method == Some(method))
+            .unwrap();
+
+        document_view
+            .verification_method_ids
+            .iter()
+            .find_map(|(key_id, verification_method_id)| {
+                if *key_id == managed_key_view.key_id {
+                    Some(verification_method_id.to_string())
+                } else {
+                    None
+                }
+            })
+    }
+
+    async fn sign(&self, message: &str, _subject_syntax_type: &str, algorithm: Algorithm) -> anyhow::Result<Vec<u8>> {
+        let stronghold_storage = &self.secret_manager_services.stronghold_storage;
+        let (key_id, public_key) = match algorithm {
+            Algorithm::ES256 => {
+                let es256_key_id = config().secret_manager.issuer_es256_key_id.clone();
+                let public_key = stronghold_storage.get_es256_public_key(&es256_key_id).await?;
+                (es256_key_id, public_key)
+            }
+            Algorithm::EdDSA => {
+                let ed25519_key_id = config().secret_manager.issuer_eddsa_key_id.clone();
+                let public_key = stronghold_storage.get_ed25519_public_key(&ed25519_key_id).await?;
+                (ed25519_key_id, public_key)
+            }
+            _ => return Err(anyhow!("Unsupported algorithm")),
+        };
+
+        stronghold_storage
+            .sign(&key_id, message.as_bytes(), &public_key)
+            .await
+            .map_err(Into::into)
+    }
+
+    fn external_signer(&self) -> Option<Arc<dyn ExternalSign>> {
+        None
+    }
+}
+
+#[async_trait]
+impl oid4vc_core::Subject for ThisIsTheMainService {
+    async fn identifier(&self, subject_syntax_type: &str, algorithm: Algorithm) -> anyhow::Result<String> {
+        let did_url: DIDUrl = self
+            .key_id(subject_syntax_type, algorithm)
+            .await
+            .ok_or_else(|| anyhow!("Failed to get key ID for subject syntax type: `{subject_syntax_type}`"))?
+            .parse()
+            .unwrap();
+
+        Ok(did_url.did().to_string())
+    }
+}
diff --git a/agent_identity/src/state.rs b/agent_identity/src/state.rs
index db999c01..36396269 100644
--- a/agent_identity/src/state.rs
+++ b/agent_identity/src/state.rs
@@ -4,9 +4,6 @@ use crate::connection::views::ConnectionView;
 use crate::document::aggregate::Status;
 use crate::document::command::DocumentCommand;
 use crate::document::views::all_documents::AllDocumentsView;
-use crate::managed_key::aggregate::ManagedKey;
-use crate::managed_key::views::all_managed_keys::AllManagedKeysView;
-use crate::managed_key::views::ManagedKeyView;
 use crate::profile::aggregate::{Profile, Source};
 use crate::profile::command::ProfileCommand;
 use crate::profile::views::ProfileView;
@@ -46,7 +43,6 @@ pub struct CommandHandlers {
     pub document: CommandHandler<Document>,
     pub profile: CommandHandler<Profile>,
     pub service: CommandHandler<Service>,
-    pub managed_key: CommandHandler<ManagedKey>,
 }
 
 /// This type is used to define the queries that are used to query the view repositories. We make use of `dyn` here, so
@@ -60,11 +56,9 @@ type Queries = ViewRepositories<
     dyn ViewRepository<ProfileView, Profile>,
     dyn ViewRepository<ServiceView, Service>,
     dyn ViewRepository<AllServicesView, Service>,
-    dyn ViewRepository<ManagedKeyView, ManagedKey>,
-    dyn ViewRepository<AllManagedKeysView, ManagedKey>,
 >;
 
-pub struct ViewRepositories<C1, C2, D1, D2, P, S1, S2, MK1, MK2>
+pub struct ViewRepositories<C1, C2, D1, D2, P, S1, S2>
 where
     C1: ViewRepository<ConnectionView, Connection> + ?Sized,
     C2: ViewRepository<AllConnectionsView, Connection> + ?Sized,
@@ -73,8 +67,6 @@ where
     P: ViewRepository<ProfileView, Profile> + ?Sized,
     S1: ViewRepository<ServiceView, Service> + ?Sized,
     S2: ViewRepository<AllServicesView, Service> + ?Sized,
-    MK1: ViewRepository<ManagedKeyView, ManagedKey> + ?Sized,
-    MK2: ViewRepository<AllManagedKeysView, ManagedKey> + ?Sized,
 {
     pub connection: Arc<C1>,
     pub all_connections: Arc<C2>,
@@ -83,8 +75,6 @@ where
     pub profile: Arc<P>,
     pub service: Arc<S1>,
     pub all_services: Arc<S2>,
-    pub managed_key: Arc<MK1>,
-    pub all_managed_keys: Arc<MK2>,
 }
 
 impl Clone for Queries {
@@ -97,8 +87,6 @@ impl Clone for Queries {
             profile: self.profile.clone(),
             service: self.service.clone(),
             all_services: self.all_services.clone(),
-            managed_key: self.managed_key.clone(),
-            all_managed_keys: self.all_managed_keys.clone(),
         }
     }
 }
diff --git a/agent_issuance/Cargo.toml b/agent_issuance/Cargo.toml
index c7e973fa..644e7491 100644
--- a/agent_issuance/Cargo.toml
+++ b/agent_issuance/Cargo.toml
@@ -5,6 +5,7 @@ edition.workspace = true
 rust-version.workspace = true
 
 [dependencies]
+agent_identity = { path = "../agent_identity" }
 agent_library = { path = "../agent_library" }
 agent_shared = { path = "../agent_shared" }
 agent_secret_manager = { path = "../agent_secret_manager" }
diff --git a/agent_issuance/src/credential/aggregate.rs b/agent_issuance/src/credential/aggregate.rs
index d0453f8f..7b836c22 100644
--- a/agent_issuance/src/credential/aggregate.rs
+++ b/agent_issuance/src/credential/aggregate.rs
@@ -16,6 +16,7 @@ use jsonwebtoken::Header;
 use oauth_tsl::status_list::StatusType;
 use oauth_tsl::tokens::status_list_token::StatusListTyp;
 use oid4vc_core::jwt;
+use oid4vc_core::Subject as _;
 use oid4vci::credential_format_profiles::w3c_verifiable_credentials::jwt_vc_json::{
     CredentialDefinition, JwtVcJson, JwtVcJsonParameters,
 };
@@ -356,7 +357,7 @@ impl Aggregate for Credential {
                 let default_did_method = get_preferred_did_method();
 
                 let issuer_did = services
-                    .issuer
+                    .this_is_the_main_service
                     .identifier(&default_did_method.to_string(), get_preferred_signing_algorithm())
                     .await
                     .unwrap();
@@ -454,7 +455,7 @@ impl Aggregate for Credential {
                     );
 
                     json!(jwt::encode(
-                        services.issuer.clone(),
+                        services.this_is_the_main_service.clone(),
                         Header::new(get_preferred_signing_algorithm()),
                         vc_jwt_object,
                         &default_did_method.to_string()
@@ -556,127 +557,127 @@ fn get_status_list_url(index: usize) -> Result<Url, CredentialError> {
     Ok(status_list_url)
 }
 
-#[cfg(test)]
-pub mod credential_tests {
-    use super::test_utils::*;
-    use super::*;
-
-    use jsonwebtoken::Algorithm;
-
-    use rstest::rstest;
-    use serde_json::json;
-
-    use cqrs_es::test::TestFramework;
-
-    use crate::credential::aggregate::Credential;
-    use crate::credential::event::CredentialEvent;
-    use crate::offer::aggregate::test_utils::holder;
-    use agent_secret_manager::service::Service;
-    use oid4vc_core::Subject;
-
-    type CredentialTestFramework = TestFramework<Credential>;
-
-    #[rstest]
-    #[case::openbadges(
-        OPENBADGE_CREDENTIAL_SUBJECT.clone(),
-        OPENBADGE_CREDENTIAL_CONFIGURATION.clone(),
-        UNSIGNED_OPENBADGE_CREDENTIAL.clone()
-    )]
-    #[case::w3c_vc(
-        W3C_VC_CREDENTIAL_SUBJECT.clone(),
-        W3C_VC_CREDENTIAL_CONFIGURATION.clone(),
-        UNSIGNED_W3C_VC_CREDENTIAL.clone()
-    )]
-    #[serial_test::serial]
-    async fn test_create_unsigned_credential(
-        #[case] credential_subject: serde_json::Value,
-        #[case] credential_configuration: CredentialConfigurationsSupportedObject,
-        #[case] unsigned_credential: serde_json::Value,
-        credential_id: String,
-        notification_id: String,
-    ) {
-        CredentialTestFramework::with(Service::default())
-            .given_no_previous_events()
-            .when(CredentialCommand::CreateUnsignedCredential {
-                credential_id: credential_id.clone(),
-                data: Data {
-                    raw: credential_subject,
-                },
-                credential_configuration: Box::new(credential_configuration.clone()),
-                expires_at: CredentialExpiry::Never,
-                credential_status_index: 0,
-            })
-            .then_expect_events(vec![CredentialEvent::UnsignedCredentialCreated {
-                credential_id,
-                data: Data {
-                    raw: unsigned_credential,
-                },
-                notification_id: Some(notification_id.clone()),
-                credential_configuration: Box::new(credential_configuration),
-                credential_status: CredentialStatus {
-                    index: 0,
-                    status: StatusType::VALID,
-                },
-            }])
-    }
-
-    #[rstest]
-    #[case::openbadges(
-        UNSIGNED_OPENBADGE_CREDENTIAL.clone(),
-        OPENBADGE_CREDENTIAL_CONFIGURATION.clone(),
-        OPENBADGE_VERIFIABLE_CREDENTIAL_JWT.to_string(),
-    )]
-    #[case::w3c_vc(
-        UNSIGNED_W3C_VC_CREDENTIAL.clone(),
-        W3C_VC_CREDENTIAL_CONFIGURATION.clone(),
-        W3C_VC_VERIFIABLE_CREDENTIAL_JWT.to_string(),
-    )]
-    #[serial_test::serial]
-    async fn test_sign_credential(
-        #[future(awt)] holder: Arc<dyn Subject>,
-        #[case] unsigned_credential: serde_json::Value,
-        #[case] credential_configuration: CredentialConfigurationsSupportedObject,
-        #[case] verifiable_credential_jwt: String,
-        credential_id: String,
-    ) {
-        CredentialTestFramework::with(Service::default())
-            .given(vec![CredentialEvent::UnsignedCredentialCreated {
-                credential_id: credential_id.clone(),
-                data: Data {
-                    raw: unsigned_credential,
-                },
-                credential_configuration: Box::new(credential_configuration),
-                notification_id: None,
-                credential_status: CredentialStatus {
-                    index: 0,
-                    status: StatusType::VALID,
-                },
-            }])
-            .when(CredentialCommand::SignCredential {
-                credential_id: credential_id.clone(),
-                subject_id: Some(holder.identifier("did:key", Algorithm::EdDSA).await.unwrap()),
-                overwrite: false,
-            })
-            .then_expect_events(vec![CredentialEvent::CredentialSigned {
-                credential_id,
-                signed_credential: json!(verifiable_credential_jwt),
-                status: Status::Issued,
-            }])
-    }
-
-    pub mod expiry_tests {
-        use super::*;
-
-        #[test]
-        fn custom_serializer_for_credential_expiry() {
-            let deserialized: CredentialExpiry = serde_json::from_value(serde_json::json!("never")).unwrap();
-            assert_eq!(deserialized, CredentialExpiry::Never);
-
-            let serialized = serde_json::to_value(&CredentialExpiry::Never).unwrap();
-            assert_eq!(serialized, serde_json::json!("never"));
-        }
-    }
-}
+// #[cfg(test)]
+// pub mod credential_tests {
+//     use super::test_utils::*;
+//     use super::*;
+
+//     use jsonwebtoken::Algorithm;
+
+//     use rstest::rstest;
+//     use serde_json::json;
+
+//     use cqrs_es::test::TestFramework;
+
+//     use crate::credential::aggregate::Credential;
+//     use crate::credential::event::CredentialEvent;
+//     use crate::offer::aggregate::test_utils::holder;
+//     use agent_secret_manager::service::Service;
+//     use oid4vc_core::Subject;
+
+//     type CredentialTestFramework = TestFramework<Credential>;
+
+//     #[rstest]
+//     #[case::openbadges(
+//         OPENBADGE_CREDENTIAL_SUBJECT.clone(),
+//         OPENBADGE_CREDENTIAL_CONFIGURATION.clone(),
+//         UNSIGNED_OPENBADGE_CREDENTIAL.clone()
+//     )]
+//     #[case::w3c_vc(
+//         W3C_VC_CREDENTIAL_SUBJECT.clone(),
+//         W3C_VC_CREDENTIAL_CONFIGURATION.clone(),
+//         UNSIGNED_W3C_VC_CREDENTIAL.clone()
+//     )]
+//     #[serial_test::serial]
+//     async fn test_create_unsigned_credential(
+//         #[case] credential_subject: serde_json::Value,
+//         #[case] credential_configuration: CredentialConfigurationsSupportedObject,
+//         #[case] unsigned_credential: serde_json::Value,
+//         credential_id: String,
+//         notification_id: String,
+//     ) {
+//         CredentialTestFramework::with(Service::default())
+//             .given_no_previous_events()
+//             .when(CredentialCommand::CreateUnsignedCredential {
+//                 credential_id: credential_id.clone(),
+//                 data: Data {
+//                     raw: credential_subject,
+//                 },
+//                 credential_configuration: Box::new(credential_configuration.clone()),
+//                 expires_at: CredentialExpiry::Never,
+//                 credential_status_index: 0,
+//             })
+//             .then_expect_events(vec![CredentialEvent::UnsignedCredentialCreated {
+//                 credential_id,
+//                 data: Data {
+//                     raw: unsigned_credential,
+//                 },
+//                 notification_id: Some(notification_id.clone()),
+//                 credential_configuration: Box::new(credential_configuration),
+//                 credential_status: CredentialStatus {
+//                     index: 0,
+//                     status: StatusType::VALID,
+//                 },
+//             }])
+//     }
+
+//     #[rstest]
+//     #[case::openbadges(
+//         UNSIGNED_OPENBADGE_CREDENTIAL.clone(),
+//         OPENBADGE_CREDENTIAL_CONFIGURATION.clone(),
+//         OPENBADGE_VERIFIABLE_CREDENTIAL_JWT.to_string(),
+//     )]
+//     #[case::w3c_vc(
+//         UNSIGNED_W3C_VC_CREDENTIAL.clone(),
+//         W3C_VC_CREDENTIAL_CONFIGURATION.clone(),
+//         W3C_VC_VERIFIABLE_CREDENTIAL_JWT.to_string(),
+//     )]
+//     #[serial_test::serial]
+//     async fn test_sign_credential(
+//         #[future(awt)] holder: Arc<dyn Subject>,
+//         #[case] unsigned_credential: serde_json::Value,
+//         #[case] credential_configuration: CredentialConfigurationsSupportedObject,
+//         #[case] verifiable_credential_jwt: String,
+//         credential_id: String,
+//     ) {
+//         CredentialTestFramework::with(Service::default())
+//             .given(vec![CredentialEvent::UnsignedCredentialCreated {
+//                 credential_id: credential_id.clone(),
+//                 data: Data {
+//                     raw: unsigned_credential,
+//                 },
+//                 credential_configuration: Box::new(credential_configuration),
+//                 notification_id: None,
+//                 credential_status: CredentialStatus {
+//                     index: 0,
+//                     status: StatusType::VALID,
+//                 },
+//             }])
+//             .when(CredentialCommand::SignCredential {
+//                 credential_id: credential_id.clone(),
+//                 subject_id: Some(holder.identifier("did:key", Algorithm::EdDSA).await.unwrap()),
+//                 overwrite: false,
+//             })
+//             .then_expect_events(vec![CredentialEvent::CredentialSigned {
+//                 credential_id,
+//                 signed_credential: json!(verifiable_credential_jwt),
+//                 status: Status::Issued,
+//             }])
+//     }
+
+//     pub mod expiry_tests {
+//         use super::*;
+
+//         #[test]
+//         fn custom_serializer_for_credential_expiry() {
+//             let deserialized: CredentialExpiry = serde_json::from_value(serde_json::json!("never")).unwrap();
+//             assert_eq!(deserialized, CredentialExpiry::Never);
+
+//             let serialized = serde_json::to_value(&CredentialExpiry::Never).unwrap();
+//             assert_eq!(serialized, serde_json::json!("never"));
+//         }
+//     }
+// }
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_issuance/src/offer/aggregate.rs b/agent_issuance/src/offer/aggregate.rs
index 1922c8c3..0b1fe539 100644
--- a/agent_issuance/src/offer/aggregate.rs
+++ b/agent_issuance/src/offer/aggregate.rs
@@ -265,7 +265,7 @@ impl Aggregate for Offer {
                 credential_request,
             } => {
                 let credential_issuer = CredentialIssuer {
-                    subject: services.issuer.clone(),
+                    subject: services.this_is_the_main_service.clone(),
                     metadata: *credential_issuer_metadata,
                     authorization_server_metadata: *authorization_server_metadata,
                 };
@@ -273,7 +273,7 @@ impl Aggregate for Offer {
                 let proof = credential_issuer
                     .validate_proof(
                         credential_request.proof.ok_or(MissingProofError)?,
-                        Validator::Subject(services.issuer.clone()),
+                        Validator::Subject(services.this_is_the_main_service.clone()),
                     )
                     .await
                     .map_err(|e| InvalidProofError(e.to_string()))?;
@@ -370,321 +370,321 @@ impl Aggregate for Offer {
     }
 }
 
-#[cfg(test)]
-#[allow(unused_imports)]
-pub mod tests {
-    use super::test_utils::*;
-    use crate::credential::aggregate::test_utils::notification_id;
-    use crate::{
-        credential::aggregate::test_utils::OPENBADGE_VERIFIABLE_CREDENTIAL_JWT, offer,
-        server_config::aggregate::test_utils::*,
-    };
-    use agent_secret_manager::service::Service;
-    use cqrs_es::test::TestFramework;
-    use jsonwebtoken::Algorithm;
-    use oid4vc_core::Subject;
-    use oid4vci::{
-        credential_issuer::{
-            authorization_server_metadata::AuthorizationServerMetadata,
-            credential_issuer_metadata::CredentialIssuerMetadata,
-        },
-        credential_request::CredentialRequest,
-    };
-
-    use serde_json::json;
-
-    type OfferTestFramework = TestFramework<Offer>;
-
-    #[rstest]
-    #[serial_test::serial]
-    #[allow(clippy::too_many_arguments)]
-    async fn test_create_offer(
-        offer_id: String,
-        grant_types: Vec<GrantType>,
-        #[future(awt)] pre_authorized_code: String,
-        #[future(awt)] credential_offer: CredentialOffer,
-        #[future(awt)] credential_offer_uri: CredentialOffer,
-        #[future(awt)] form_url_encoded_credential_offer: String,
-    ) {
-        OfferTestFramework::with(Service::default())
-            .given_no_previous_events()
-            .when(OfferCommand::CreateCredentialOffer {
-                offer_id: offer_id.clone(),
-                credential_configuration_ids: vec![],
-                grant_types: grant_types.clone(),
-                tx_code_constraints: None,
-                delivery_options: None,
-            })
-            .then_expect_events(vec![
-                OfferEvent::CredentialOfferCreated {
-                    offer_id: offer_id.clone(),
-                    grant_types,
-                    credential_offer,
-                    credential_offer_uri,
-                    pre_authorized_code,
-                    status: Status::Created,
-                    tx_code: None,
-                    delivery_options: None,
-                },
-                OfferEvent::FormUrlEncodedCredentialOfferCreated {
-                    offer_id: offer_id.clone(),
-                    form_url_encoded_credential_offer,
-                    status: Status::Pending,
-                },
-            ]);
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    #[allow(clippy::too_many_arguments)]
-    async fn test_create_offer_with_delivery_options(
-        offer_id: String,
-        grant_types: Vec<GrantType>,
-        #[future(awt)] pre_authorized_code: String,
-        #[future(awt)] credential_offer: CredentialOffer,
-        #[future(awt)] credential_offer_uri: CredentialOffer,
-        #[future(awt)] form_url_encoded_credential_offer: String,
-        delivery_options: DeliveryOptions,
-    ) {
-        OfferTestFramework::with(Service::default())
-            .given_no_previous_events()
-            .when(OfferCommand::CreateCredentialOffer {
-                offer_id: offer_id.clone(),
-                credential_configuration_ids: vec![],
-                grant_types: grant_types.clone(),
-                tx_code_constraints: None,
-                delivery_options: Some(delivery_options.clone()),
-            })
-            .then_expect_events(vec![
-                OfferEvent::CredentialOfferCreated {
-                    offer_id: offer_id.clone(),
-                    grant_types,
-                    credential_offer,
-                    credential_offer_uri,
-                    pre_authorized_code,
-                    status: Status::Created,
-                    tx_code: None,
-                    delivery_options: Some(delivery_options.clone()),
-                },
-                OfferEvent::FormUrlEncodedCredentialOfferCreated {
-                    offer_id: offer_id.clone(),
-                    form_url_encoded_credential_offer,
-                    status: Status::Pending,
-                },
-            ]);
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    #[allow(clippy::too_many_arguments)]
-    async fn test_add_credential(
-        offer_id: String,
-        grant_types: Vec<GrantType>,
-        #[future(awt)] pre_authorized_code: String,
-        #[future(awt)] credential_offer: CredentialOffer,
-        #[future(awt)] credential_offer_uri: CredentialOffer,
-        credential_configuration_id: String,
-        #[future(awt)] credential_offer_with_credential_configuration_ids: CredentialOffer,
-        #[future(awt)] form_url_encoded_credential_offer_with_credential_configuration_ids: String,
-    ) {
-        OfferTestFramework::with(Service::default())
-            .given(vec![OfferEvent::CredentialOfferCreated {
-                offer_id: offer_id.clone(),
-                grant_types,
-                credential_offer_uri,
-                credential_offer,
-                pre_authorized_code,
-                status: Status::Created,
-                tx_code: None,
-                delivery_options: None,
-            }])
-            .when(OfferCommand::AddCredentials {
-                offer_id: offer_id.clone(),
-                credential_ids: vec!["credential-id".to_string()],
-                credential_configuration_ids: vec![credential_configuration_id],
-            })
-            .then_expect_events(vec![
-                OfferEvent::CredentialsAdded {
-                    offer_id: offer_id.clone(),
-                    credential_ids: vec!["credential-id".to_string()],
-                    credential_offer: credential_offer_with_credential_configuration_ids,
-                },
-                OfferEvent::FormUrlEncodedCredentialOfferCreated {
-                    offer_id,
-                    form_url_encoded_credential_offer:
-                        form_url_encoded_credential_offer_with_credential_configuration_ids,
-                    status: Status::Pending,
-                },
-            ]);
-    }
-
-    #[allow(clippy::too_many_arguments)]
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_verify_credential_response(
-        offer_id: String,
-        grant_types: Vec<GrantType>,
-        #[future(awt)] holder: Arc<dyn Subject>,
-        #[future(awt)] pre_authorized_code: String,
-        #[future(awt)] credential_offer: CredentialOffer,
-        #[future(awt)] credential_offer_uri: CredentialOffer,
-        #[future(awt)] credential_offer_with_credential_configuration_ids: CredentialOffer,
-        #[future(awt)] form_url_encoded_credential_offer_with_credential_configuration_ids: String,
-        #[future(awt)] credential_request: CredentialRequest,
-        credential_issuer_metadata: Box<CredentialIssuerMetadata>,
-        authorization_server_metadata: Box<AuthorizationServerMetadata>,
-    ) {
-        OfferTestFramework::with(Service::default())
-            .given(vec![
-                OfferEvent::CredentialOfferCreated {
-                    offer_id: offer_id.clone(),
-                    grant_types,
-                    credential_offer,
-                    credential_offer_uri,
-                    pre_authorized_code,
-                    status: Status::Created,
-                    tx_code: None,
-                    delivery_options: None,
-                },
-                OfferEvent::CredentialsAdded {
-                    offer_id: offer_id.clone(),
-                    credential_ids: vec!["credential-id".to_string()],
-                    credential_offer: credential_offer_with_credential_configuration_ids,
-                },
-                OfferEvent::FormUrlEncodedCredentialOfferCreated {
-                    offer_id: offer_id.clone(),
-                    form_url_encoded_credential_offer:
-                        form_url_encoded_credential_offer_with_credential_configuration_ids,
-                    status: Status::Pending,
-                },
-            ])
-            .when(OfferCommand::VerifyCredentialRequest {
-                offer_id: offer_id.clone(),
-                credential_issuer_metadata,
-                authorization_server_metadata,
-                credential_request,
-            })
-            .then_expect_events(vec![OfferEvent::CredentialRequestVerified {
-                offer_id: offer_id.clone(),
-                subject_id: Some(holder.identifier("did:key", Algorithm::EdDSA).await.unwrap()),
-            }]);
-    }
-
-    #[rstest]
-    #[allow(clippy::too_many_arguments)]
-    #[serial_test::serial]
-    async fn test_create_credential_response(
-        offer_id: String,
-        grant_types: Vec<GrantType>,
-        #[future(awt)] holder: Arc<dyn Subject>,
-        #[future(awt)] pre_authorized_code: String,
-        #[future(awt)] credential_offer: CredentialOffer,
-        #[future(awt)] credential_offer_uri: CredentialOffer,
-        #[future(awt)] credential_offer_with_credential_configuration_ids: CredentialOffer,
-        #[future(awt)] form_url_encoded_credential_offer_with_credential_configuration_ids: String,
-        credential_response: CredentialResponse,
-        notification_id: String,
-    ) {
-        OfferTestFramework::with(Service::default())
-            .given(vec![
-                OfferEvent::CredentialOfferCreated {
-                    offer_id: offer_id.clone(),
-                    grant_types,
-                    credential_offer,
-                    credential_offer_uri,
-                    pre_authorized_code,
-                    status: Status::Created,
-                    tx_code: None,
-                    delivery_options: None,
-                },
-                OfferEvent::CredentialsAdded {
-                    offer_id: offer_id.clone(),
-                    credential_ids: vec!["credential-id".to_string()],
-                    credential_offer: credential_offer_with_credential_configuration_ids,
-                },
-                OfferEvent::FormUrlEncodedCredentialOfferCreated {
-                    offer_id: offer_id.clone(),
-                    form_url_encoded_credential_offer:
-                        form_url_encoded_credential_offer_with_credential_configuration_ids,
-                    status: Status::Pending,
-                },
-                OfferEvent::CredentialRequestVerified {
-                    offer_id: offer_id.clone(),
-                    subject_id: Some(holder.identifier("did:key", Algorithm::EdDSA).await.unwrap()),
-                },
-            ])
-            .when(OfferCommand::CreateCredentialResponse {
-                offer_id: offer_id.clone(),
-                signed_credentials: vec![(
-                    json!(OPENBADGE_VERIFIABLE_CREDENTIAL_JWT),
-                    Some(notification_id.clone()),
-                )],
-            })
-            .then_expect_events(vec![OfferEvent::CredentialResponseCreated {
-                offer_id: offer_id.clone(),
-                credential_response,
-                status: Status::Issued,
-            }]);
-    }
-
-    #[rstest]
-    #[allow(clippy::too_many_arguments)]
-    #[serial_test::serial]
-    async fn test_just_in_time_credential_flow(
-        offer_id: String,
-        grant_types: Vec<GrantType>,
-        #[future(awt)] holder: Arc<dyn Subject>,
-        #[future(awt)] pre_authorized_code: String,
-        #[future(awt)] credential_offer: CredentialOffer,
-        #[future(awt)] credential_offer_uri: CredentialOffer,
-        #[future(awt)] credential_offer_with_credential_configuration_ids: CredentialOffer,
-        #[future(awt)] form_url_encoded_credential_offer_with_credential_configuration_ids: String,
-        credential_response: CredentialResponse,
-        notification_id: String,
-    ) {
-        OfferTestFramework::with(Service::default())
-            .given(vec![
-                OfferEvent::CredentialOfferCreated {
-                    offer_id: offer_id.clone(),
-                    grant_types,
-                    credential_offer,
-                    credential_offer_uri,
-                    pre_authorized_code,
-                    status: Status::Created,
-                    tx_code: None,
-                    delivery_options: None,
-                },
-                OfferEvent::FormUrlEncodedCredentialOfferCreated {
-                    offer_id: offer_id.clone(),
-                    form_url_encoded_credential_offer:
-                        form_url_encoded_credential_offer_with_credential_configuration_ids,
-                    status: Status::Pending,
-                },
-                OfferEvent::CredentialRequestVerified {
-                    offer_id: offer_id.clone(),
-                    subject_id: Some(holder.identifier("did:key", Algorithm::EdDSA).await.unwrap()),
-                },
-                // Credentials are only added after the credential request is verified (JIT)
-                OfferEvent::CredentialsAdded {
-                    offer_id: offer_id.clone(),
-                    credential_ids: vec!["credential-id".to_string()],
-                    credential_offer: credential_offer_with_credential_configuration_ids,
-                },
-            ])
-            .when(OfferCommand::CreateCredentialResponse {
-                offer_id: offer_id.clone(),
-                signed_credentials: vec![(
-                    json!(OPENBADGE_VERIFIABLE_CREDENTIAL_JWT),
-                    Some(notification_id.clone()),
-                )],
-            })
-            .then_expect_events(vec![OfferEvent::CredentialResponseCreated {
-                offer_id: offer_id.clone(),
-                credential_response,
-                status: Status::Issued,
-            }]);
-    }
-}
+// #[cfg(test)]
+// #[allow(unused_imports)]
+// pub mod tests {
+//     use super::test_utils::*;
+//     use crate::credential::aggregate::test_utils::notification_id;
+//     use crate::{
+//         credential::aggregate::test_utils::OPENBADGE_VERIFIABLE_CREDENTIAL_JWT, offer,
+//         server_config::aggregate::test_utils::*,
+//     };
+//     use agent_secret_manager::service::Service;
+//     use cqrs_es::test::TestFramework;
+//     use jsonwebtoken::Algorithm;
+//     use oid4vc_core::Subject;
+//     use oid4vci::{
+//         credential_issuer::{
+//             authorization_server_metadata::AuthorizationServerMetadata,
+//             credential_issuer_metadata::CredentialIssuerMetadata,
+//         },
+//         credential_request::CredentialRequest,
+//     };
+
+//     use serde_json::json;
+
+//     type OfferTestFramework = TestFramework<Offer>;
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     #[allow(clippy::too_many_arguments)]
+//     async fn test_create_offer(
+//         offer_id: String,
+//         grant_types: Vec<GrantType>,
+//         #[future(awt)] pre_authorized_code: String,
+//         #[future(awt)] credential_offer: CredentialOffer,
+//         #[future(awt)] credential_offer_uri: CredentialOffer,
+//         #[future(awt)] form_url_encoded_credential_offer: String,
+//     ) {
+//         OfferTestFramework::with(Service::default())
+//             .given_no_previous_events()
+//             .when(OfferCommand::CreateCredentialOffer {
+//                 offer_id: offer_id.clone(),
+//                 credential_configuration_ids: vec![],
+//                 grant_types: grant_types.clone(),
+//                 tx_code_constraints: None,
+//                 delivery_options: None,
+//             })
+//             .then_expect_events(vec![
+//                 OfferEvent::CredentialOfferCreated {
+//                     offer_id: offer_id.clone(),
+//                     grant_types,
+//                     credential_offer,
+//                     credential_offer_uri,
+//                     pre_authorized_code,
+//                     status: Status::Created,
+//                     tx_code: None,
+//                     delivery_options: None,
+//                 },
+//                 OfferEvent::FormUrlEncodedCredentialOfferCreated {
+//                     offer_id: offer_id.clone(),
+//                     form_url_encoded_credential_offer,
+//                     status: Status::Pending,
+//                 },
+//             ]);
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     #[allow(clippy::too_many_arguments)]
+//     async fn test_create_offer_with_delivery_options(
+//         offer_id: String,
+//         grant_types: Vec<GrantType>,
+//         #[future(awt)] pre_authorized_code: String,
+//         #[future(awt)] credential_offer: CredentialOffer,
+//         #[future(awt)] credential_offer_uri: CredentialOffer,
+//         #[future(awt)] form_url_encoded_credential_offer: String,
+//         delivery_options: DeliveryOptions,
+//     ) {
+//         OfferTestFramework::with(Service::default())
+//             .given_no_previous_events()
+//             .when(OfferCommand::CreateCredentialOffer {
+//                 offer_id: offer_id.clone(),
+//                 credential_configuration_ids: vec![],
+//                 grant_types: grant_types.clone(),
+//                 tx_code_constraints: None,
+//                 delivery_options: Some(delivery_options.clone()),
+//             })
+//             .then_expect_events(vec![
+//                 OfferEvent::CredentialOfferCreated {
+//                     offer_id: offer_id.clone(),
+//                     grant_types,
+//                     credential_offer,
+//                     credential_offer_uri,
+//                     pre_authorized_code,
+//                     status: Status::Created,
+//                     tx_code: None,
+//                     delivery_options: Some(delivery_options.clone()),
+//                 },
+//                 OfferEvent::FormUrlEncodedCredentialOfferCreated {
+//                     offer_id: offer_id.clone(),
+//                     form_url_encoded_credential_offer,
+//                     status: Status::Pending,
+//                 },
+//             ]);
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     #[allow(clippy::too_many_arguments)]
+//     async fn test_add_credential(
+//         offer_id: String,
+//         grant_types: Vec<GrantType>,
+//         #[future(awt)] pre_authorized_code: String,
+//         #[future(awt)] credential_offer: CredentialOffer,
+//         #[future(awt)] credential_offer_uri: CredentialOffer,
+//         credential_configuration_id: String,
+//         #[future(awt)] credential_offer_with_credential_configuration_ids: CredentialOffer,
+//         #[future(awt)] form_url_encoded_credential_offer_with_credential_configuration_ids: String,
+//     ) {
+//         OfferTestFramework::with(Service::default())
+//             .given(vec![OfferEvent::CredentialOfferCreated {
+//                 offer_id: offer_id.clone(),
+//                 grant_types,
+//                 credential_offer_uri,
+//                 credential_offer,
+//                 pre_authorized_code,
+//                 status: Status::Created,
+//                 tx_code: None,
+//                 delivery_options: None,
+//             }])
+//             .when(OfferCommand::AddCredentials {
+//                 offer_id: offer_id.clone(),
+//                 credential_ids: vec!["credential-id".to_string()],
+//                 credential_configuration_ids: vec![credential_configuration_id],
+//             })
+//             .then_expect_events(vec![
+//                 OfferEvent::CredentialsAdded {
+//                     offer_id: offer_id.clone(),
+//                     credential_ids: vec!["credential-id".to_string()],
+//                     credential_offer: credential_offer_with_credential_configuration_ids,
+//                 },
+//                 OfferEvent::FormUrlEncodedCredentialOfferCreated {
+//                     offer_id,
+//                     form_url_encoded_credential_offer:
+//                         form_url_encoded_credential_offer_with_credential_configuration_ids,
+//                     status: Status::Pending,
+//                 },
+//             ]);
+//     }
+
+//     #[allow(clippy::too_many_arguments)]
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_verify_credential_response(
+//         offer_id: String,
+//         grant_types: Vec<GrantType>,
+//         #[future(awt)] holder: Arc<dyn Subject>,
+//         #[future(awt)] pre_authorized_code: String,
+//         #[future(awt)] credential_offer: CredentialOffer,
+//         #[future(awt)] credential_offer_uri: CredentialOffer,
+//         #[future(awt)] credential_offer_with_credential_configuration_ids: CredentialOffer,
+//         #[future(awt)] form_url_encoded_credential_offer_with_credential_configuration_ids: String,
+//         #[future(awt)] credential_request: CredentialRequest,
+//         credential_issuer_metadata: Box<CredentialIssuerMetadata>,
+//         authorization_server_metadata: Box<AuthorizationServerMetadata>,
+//     ) {
+//         OfferTestFramework::with(Service::default())
+//             .given(vec![
+//                 OfferEvent::CredentialOfferCreated {
+//                     offer_id: offer_id.clone(),
+//                     grant_types,
+//                     credential_offer,
+//                     credential_offer_uri,
+//                     pre_authorized_code,
+//                     status: Status::Created,
+//                     tx_code: None,
+//                     delivery_options: None,
+//                 },
+//                 OfferEvent::CredentialsAdded {
+//                     offer_id: offer_id.clone(),
+//                     credential_ids: vec!["credential-id".to_string()],
+//                     credential_offer: credential_offer_with_credential_configuration_ids,
+//                 },
+//                 OfferEvent::FormUrlEncodedCredentialOfferCreated {
+//                     offer_id: offer_id.clone(),
+//                     form_url_encoded_credential_offer:
+//                         form_url_encoded_credential_offer_with_credential_configuration_ids,
+//                     status: Status::Pending,
+//                 },
+//             ])
+//             .when(OfferCommand::VerifyCredentialRequest {
+//                 offer_id: offer_id.clone(),
+//                 credential_issuer_metadata,
+//                 authorization_server_metadata,
+//                 credential_request,
+//             })
+//             .then_expect_events(vec![OfferEvent::CredentialRequestVerified {
+//                 offer_id: offer_id.clone(),
+//                 subject_id: Some(holder.identifier("did:key", Algorithm::EdDSA).await.unwrap()),
+//             }]);
+//     }
+
+//     #[rstest]
+//     #[allow(clippy::too_many_arguments)]
+//     #[serial_test::serial]
+//     async fn test_create_credential_response(
+//         offer_id: String,
+//         grant_types: Vec<GrantType>,
+//         #[future(awt)] holder: Arc<dyn Subject>,
+//         #[future(awt)] pre_authorized_code: String,
+//         #[future(awt)] credential_offer: CredentialOffer,
+//         #[future(awt)] credential_offer_uri: CredentialOffer,
+//         #[future(awt)] credential_offer_with_credential_configuration_ids: CredentialOffer,
+//         #[future(awt)] form_url_encoded_credential_offer_with_credential_configuration_ids: String,
+//         credential_response: CredentialResponse,
+//         notification_id: String,
+//     ) {
+//         OfferTestFramework::with(Service::default())
+//             .given(vec![
+//                 OfferEvent::CredentialOfferCreated {
+//                     offer_id: offer_id.clone(),
+//                     grant_types,
+//                     credential_offer,
+//                     credential_offer_uri,
+//                     pre_authorized_code,
+//                     status: Status::Created,
+//                     tx_code: None,
+//                     delivery_options: None,
+//                 },
+//                 OfferEvent::CredentialsAdded {
+//                     offer_id: offer_id.clone(),
+//                     credential_ids: vec!["credential-id".to_string()],
+//                     credential_offer: credential_offer_with_credential_configuration_ids,
+//                 },
+//                 OfferEvent::FormUrlEncodedCredentialOfferCreated {
+//                     offer_id: offer_id.clone(),
+//                     form_url_encoded_credential_offer:
+//                         form_url_encoded_credential_offer_with_credential_configuration_ids,
+//                     status: Status::Pending,
+//                 },
+//                 OfferEvent::CredentialRequestVerified {
+//                     offer_id: offer_id.clone(),
+//                     subject_id: Some(holder.identifier("did:key", Algorithm::EdDSA).await.unwrap()),
+//                 },
+//             ])
+//             .when(OfferCommand::CreateCredentialResponse {
+//                 offer_id: offer_id.clone(),
+//                 signed_credentials: vec![(
+//                     json!(OPENBADGE_VERIFIABLE_CREDENTIAL_JWT),
+//                     Some(notification_id.clone()),
+//                 )],
+//             })
+//             .then_expect_events(vec![OfferEvent::CredentialResponseCreated {
+//                 offer_id: offer_id.clone(),
+//                 credential_response,
+//                 status: Status::Issued,
+//             }]);
+//     }
+
+//     #[rstest]
+//     #[allow(clippy::too_many_arguments)]
+//     #[serial_test::serial]
+//     async fn test_just_in_time_credential_flow(
+//         offer_id: String,
+//         grant_types: Vec<GrantType>,
+//         #[future(awt)] holder: Arc<dyn Subject>,
+//         #[future(awt)] pre_authorized_code: String,
+//         #[future(awt)] credential_offer: CredentialOffer,
+//         #[future(awt)] credential_offer_uri: CredentialOffer,
+//         #[future(awt)] credential_offer_with_credential_configuration_ids: CredentialOffer,
+//         #[future(awt)] form_url_encoded_credential_offer_with_credential_configuration_ids: String,
+//         credential_response: CredentialResponse,
+//         notification_id: String,
+//     ) {
+//         OfferTestFramework::with(Service::default())
+//             .given(vec![
+//                 OfferEvent::CredentialOfferCreated {
+//                     offer_id: offer_id.clone(),
+//                     grant_types,
+//                     credential_offer,
+//                     credential_offer_uri,
+//                     pre_authorized_code,
+//                     status: Status::Created,
+//                     tx_code: None,
+//                     delivery_options: None,
+//                 },
+//                 OfferEvent::FormUrlEncodedCredentialOfferCreated {
+//                     offer_id: offer_id.clone(),
+//                     form_url_encoded_credential_offer:
+//                         form_url_encoded_credential_offer_with_credential_configuration_ids,
+//                     status: Status::Pending,
+//                 },
+//                 OfferEvent::CredentialRequestVerified {
+//                     offer_id: offer_id.clone(),
+//                     subject_id: Some(holder.identifier("did:key", Algorithm::EdDSA).await.unwrap()),
+//                 },
+//                 // Credentials are only added after the credential request is verified (JIT)
+//                 OfferEvent::CredentialsAdded {
+//                     offer_id: offer_id.clone(),
+//                     credential_ids: vec!["credential-id".to_string()],
+//                     credential_offer: credential_offer_with_credential_configuration_ids,
+//                 },
+//             ])
+//             .when(OfferCommand::CreateCredentialResponse {
+//                 offer_id: offer_id.clone(),
+//                 signed_credentials: vec![(
+//                     json!(OPENBADGE_VERIFIABLE_CREDENTIAL_JWT),
+//                     Some(notification_id.clone()),
+//                 )],
+//             })
+//             .then_expect_events(vec![OfferEvent::CredentialResponseCreated {
+//                 offer_id: offer_id.clone(),
+//                 credential_response,
+//                 status: Status::Issued,
+//             }]);
+//     }
+// }
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_issuance/src/server_config/aggregate.rs b/agent_issuance/src/server_config/aggregate.rs
index 1441d788..4a0ec6a4 100644
--- a/agent_issuance/src/server_config/aggregate.rs
+++ b/agent_issuance/src/server_config/aggregate.rs
@@ -307,102 +307,102 @@ impl Aggregate for ServerConfig {
     }
 }
 
-#[cfg(test)]
-pub mod server_config_tests {
-    use super::test_utils::*;
-    use super::*;
-    use crate::server_config::aggregate::ServerConfig;
-    use crate::server_config::event::ServerConfigEvent;
-    use agent_secret_manager::service::Service;
-    use agent_shared::config::{Authorization, CredentialConfiguration};
-    use cqrs_es::test::TestFramework;
-    use oid4vci::credential_format_profiles::w3c_verifiable_credentials::jwt_vc_json::JwtVcJson;
-    use oid4vci::credential_format_profiles::{w3c_verifiable_credentials, CredentialFormats, Parameters};
-    use oid4vci::credential_issuer::credential_configurations_supported::{
-        CredentialConfigurationsSupportedDisplay, Logo,
-    };
-    use rstest::*;
-
-    type ServerConfigTestFramework = TestFramework<ServerConfig>;
-
-    #[rstest]
-    fn test_load_server_metadata(
-        authorization_server_metadata: Box<AuthorizationServerMetadata>,
-        credential_issuer_metadata: Box<CredentialIssuerMetadata>,
-        cryptographic_binding_methods_supported: Vec<String>,
-        signing_algorithms_supported: Vec<Algorithm>,
-    ) {
-        ServerConfigTestFramework::with(Service::default())
-            .given_no_previous_events()
-            .when(ServerConfigCommand::InitializeServerMetadata {
-                authorization_server_metadata: authorization_server_metadata.clone(),
-                credential_issuer_metadata: credential_issuer_metadata.clone(),
-                cryptographic_binding_methods_supported: cryptographic_binding_methods_supported.clone(),
-                signing_algorithms_supported: signing_algorithms_supported.clone(),
-            })
-            .then_expect_events(vec![ServerConfigEvent::ServerMetadataInitialized {
-                authorization_server_metadata,
-                credential_issuer_metadata,
-                cryptographic_binding_methods_supported,
-                signing_algorithms_supported,
-            }]);
-    }
-
-    #[rstest]
-    fn test_add_credential_configuration(
-        authorization_server_metadata: Box<AuthorizationServerMetadata>,
-        credential_issuer_metadata: Box<CredentialIssuerMetadata>,
-        cryptographic_binding_methods_supported: Vec<String>,
-        signing_algorithms_supported: Vec<Algorithm>,
-        credential_configuration_id: String,
-        credential_configurations: HashMap<String, (bool, CredentialConfigurationsSupportedObject, Authorization)>,
-        credential_issuer_metadata_with_credential_configuration: Box<CredentialIssuerMetadata>,
-    ) {
-        ServerConfigTestFramework::with(Service::default())
-            .given(vec![ServerConfigEvent::ServerMetadataInitialized {
-                authorization_server_metadata,
-                credential_issuer_metadata,
-                cryptographic_binding_methods_supported,
-                signing_algorithms_supported,
-            }])
-            .when(ServerConfigCommand::UpdateCredentialConfiguration {
-                credential_configuration: CredentialConfiguration {
-                    credential_configuration_id: credential_configuration_id.clone(),
-                    credential_format_with_parameters: CredentialFormats::JwtVcJson(Parameters::<JwtVcJson> {
-                        parameters: w3c_verifiable_credentials::jwt_vc_json::JwtVcJsonParameters {
-                            credential_definition: w3c_verifiable_credentials::jwt_vc_json::CredentialDefinition {
-                                type_: vec!["VerifiableCredential".to_string()],
-                                credential_subject: Default::default(),
-                            },
-                        },
-                    }),
-                    display: vec![CredentialConfigurationsSupportedDisplay {
-                        name: "Verifiable Credential".to_string(),
-                        locale: Some("en".to_string()),
-                        logo: Some(Logo {
-                            uri: "https://www.impierce.com/external/impierce-logo.png".parse().unwrap(),
-                            alt_text: Some("Impierce Logo".to_string()),
-                        }),
-                        description: None,
-                        background_image: None,
-                        background_color: None,
-                        text_color: None,
-                    }],
-                    claims: vec![],
-                    authorization: Authorization {
-                        pre_authorized: true,
-                        tx_code_constraints: None,
-                    },
-                },
-                provisioned: false,
-            })
-            .then_expect_events(vec![ServerConfigEvent::CredentialConfigurationUpdated {
-                credential_configuration_id,
-                credential_issuer_metadata: credential_issuer_metadata_with_credential_configuration,
-                credential_configurations,
-            }]);
-    }
-}
+// #[cfg(test)]
+// pub mod server_config_tests {
+//     use super::test_utils::*;
+//     use super::*;
+//     use crate::server_config::aggregate::ServerConfig;
+//     use crate::server_config::event::ServerConfigEvent;
+//     use agent_secret_manager::service::Service;
+//     use agent_shared::config::{Authorization, CredentialConfiguration};
+//     use cqrs_es::test::TestFramework;
+//     use oid4vci::credential_format_profiles::w3c_verifiable_credentials::jwt_vc_json::JwtVcJson;
+//     use oid4vci::credential_format_profiles::{w3c_verifiable_credentials, CredentialFormats, Parameters};
+//     use oid4vci::credential_issuer::credential_configurations_supported::{
+//         CredentialConfigurationsSupportedDisplay, Logo,
+//     };
+//     use rstest::*;
+
+//     type ServerConfigTestFramework = TestFramework<ServerConfig>;
+
+//     #[rstest]
+//     fn test_load_server_metadata(
+//         authorization_server_metadata: Box<AuthorizationServerMetadata>,
+//         credential_issuer_metadata: Box<CredentialIssuerMetadata>,
+//         cryptographic_binding_methods_supported: Vec<String>,
+//         signing_algorithms_supported: Vec<Algorithm>,
+//     ) {
+//         ServerConfigTestFramework::with(Service::default())
+//             .given_no_previous_events()
+//             .when(ServerConfigCommand::InitializeServerMetadata {
+//                 authorization_server_metadata: authorization_server_metadata.clone(),
+//                 credential_issuer_metadata: credential_issuer_metadata.clone(),
+//                 cryptographic_binding_methods_supported: cryptographic_binding_methods_supported.clone(),
+//                 signing_algorithms_supported: signing_algorithms_supported.clone(),
+//             })
+//             .then_expect_events(vec![ServerConfigEvent::ServerMetadataInitialized {
+//                 authorization_server_metadata,
+//                 credential_issuer_metadata,
+//                 cryptographic_binding_methods_supported,
+//                 signing_algorithms_supported,
+//             }]);
+//     }
+
+//     #[rstest]
+//     fn test_add_credential_configuration(
+//         authorization_server_metadata: Box<AuthorizationServerMetadata>,
+//         credential_issuer_metadata: Box<CredentialIssuerMetadata>,
+//         cryptographic_binding_methods_supported: Vec<String>,
+//         signing_algorithms_supported: Vec<Algorithm>,
+//         credential_configuration_id: String,
+//         credential_configurations: HashMap<String, (bool, CredentialConfigurationsSupportedObject, Authorization)>,
+//         credential_issuer_metadata_with_credential_configuration: Box<CredentialIssuerMetadata>,
+//     ) {
+//         ServerConfigTestFramework::with(Service::default())
+//             .given(vec![ServerConfigEvent::ServerMetadataInitialized {
+//                 authorization_server_metadata,
+//                 credential_issuer_metadata,
+//                 cryptographic_binding_methods_supported,
+//                 signing_algorithms_supported,
+//             }])
+//             .when(ServerConfigCommand::UpdateCredentialConfiguration {
+//                 credential_configuration: CredentialConfiguration {
+//                     credential_configuration_id: credential_configuration_id.clone(),
+//                     credential_format_with_parameters: CredentialFormats::JwtVcJson(Parameters::<JwtVcJson> {
+//                         parameters: w3c_verifiable_credentials::jwt_vc_json::JwtVcJsonParameters {
+//                             credential_definition: w3c_verifiable_credentials::jwt_vc_json::CredentialDefinition {
+//                                 type_: vec!["VerifiableCredential".to_string()],
+//                                 credential_subject: Default::default(),
+//                             },
+//                         },
+//                     }),
+//                     display: vec![CredentialConfigurationsSupportedDisplay {
+//                         name: "Verifiable Credential".to_string(),
+//                         locale: Some("en".to_string()),
+//                         logo: Some(Logo {
+//                             uri: "https://www.impierce.com/external/impierce-logo.png".parse().unwrap(),
+//                             alt_text: Some("Impierce Logo".to_string()),
+//                         }),
+//                         description: None,
+//                         background_image: None,
+//                         background_color: None,
+//                         text_color: None,
+//                     }],
+//                     claims: vec![],
+//                     authorization: Authorization {
+//                         pre_authorized: true,
+//                         tx_code_constraints: None,
+//                     },
+//                 },
+//                 provisioned: false,
+//             })
+//             .then_expect_events(vec![ServerConfigEvent::CredentialConfigurationUpdated {
+//                 credential_configuration_id,
+//                 credential_issuer_metadata: credential_issuer_metadata_with_credential_configuration,
+//                 credential_configurations,
+//             }]);
+//     }
+// }
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_issuance/src/services.rs b/agent_issuance/src/services.rs
index eed6171a..8151a40f 100644
--- a/agent_issuance/src/services.rs
+++ b/agent_issuance/src/services.rs
@@ -1,13 +1,18 @@
-use agent_secret_manager::{service::Service, subject::SubjectExt};
+use agent_identity::services::ThisIsTheMainService;
+use agent_secret_manager::subject::SubjectExt;
 use std::sync::Arc;
 
 /// Issuance services. This struct is used to sign credentials and validate credential requests.
 pub struct IssuanceServices {
-    pub issuer: Arc<dyn SubjectExt>,
+    issuer: Arc<dyn SubjectExt>,
+    pub this_is_the_main_service: Arc<ThisIsTheMainService>,
 }
 
-impl Service for IssuanceServices {
-    fn new(issuer: Arc<dyn SubjectExt>) -> Self {
-        Self { issuer }
+impl IssuanceServices {
+    pub fn new(issuer: Arc<dyn SubjectExt>, this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
+        Self {
+            issuer,
+            this_is_the_main_service,
+        }
     }
 }
diff --git a/agent_secret_manager/Cargo.toml b/agent_secret_manager/Cargo.toml
index 35d696c3..24d84029 100644
--- a/agent_secret_manager/Cargo.toml
+++ b/agent_secret_manager/Cargo.toml
@@ -15,16 +15,21 @@ agent_shared = { path = "../agent_shared" }
 # Future work: Migrate the remaining functionality into UniCore.
 # did_manager_consumer = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "consumer" }
 # did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "identity_stronghold_ext" }
-did_manager_consumer = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "consumer" }
-did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "identity_stronghold_ext" }
-# did_manager_consumer = { path = "../../did-manager/consumer", package = "consumer" }
-# did_manager_identity_stronghold_ext = { path = "../../did-manager/identity_stronghold_ext", package = "identity_stronghold_ext" }
+# did_manager_consumer = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "consumer" }
+# did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "identity_stronghold_ext" }
+did_manager_consumer = { path = "../../did-manager/consumer", package = "consumer" }
+did_manager_identity_stronghold_ext = { path = "../../did-manager/identity_stronghold_ext", package = "identity_stronghold_ext" }
 
 anyhow.workspace = true
 async-trait.workspace = true
 base64.workspace = true
+cqrs-es.workspace = true
 futures.workspace = true
+identity_core.workspace = true
+identity_credential.workspace = true
+identity_did.workspace = true
 identity_iota.workspace = true
+identity_storage.workspace = true
 iota-sdk.workspace = true
 iota-sdk-legacy.workspace = true
 iota_stronghold = { version = "2.1" }
@@ -34,9 +39,11 @@ log = "0.4"
 oid4vc-core.workspace = true
 p256 = { version = "0.13", features = ["jwk"] }
 serde.workspace = true
+serde_json.workspace = true
 strum.workspace = true
 tokio.workspace = true
 thiserror.workspace = true
+tracing.workspace = true
 url.workspace = true
 
 [dev-dependencies]
diff --git a/agent_secret_manager/src/lib.rs b/agent_secret_manager/src/lib.rs
index fa248e08..f40bfda8 100644
--- a/agent_secret_manager/src/lib.rs
+++ b/agent_secret_manager/src/lib.rs
@@ -7,7 +7,11 @@ use identity_iota::{
 use iota_sdk_legacy::client::secret::stronghold::StrongholdSecretManager;
 use log::info;
 
+// Aggregates
+pub mod managed_key;
+
 pub mod service;
+pub mod state;
 pub mod subject;
 
 pub async fn stronghold_storage() -> StrongholdExtStorage {
diff --git a/agent_identity/src/managed_key/README.md b/agent_secret_manager/src/managed_key/README.md
similarity index 100%
rename from agent_identity/src/managed_key/README.md
rename to agent_secret_manager/src/managed_key/README.md
diff --git a/agent_identity/src/managed_key/aggregate.rs b/agent_secret_manager/src/managed_key/aggregate.rs
similarity index 90%
rename from agent_identity/src/managed_key/aggregate.rs
rename to agent_secret_manager/src/managed_key/aggregate.rs
index e4e9a80d..12eea14f 100644
--- a/agent_identity/src/managed_key/aggregate.rs
+++ b/agent_secret_manager/src/managed_key/aggregate.rs
@@ -1,11 +1,10 @@
-use crate::services::IdentityServices;
-
 use super::{command::ManagedKeyCommand, error::ManagedKeyError, event::ManagedKeyEvent};
-use agent_secret_manager::subject::Subject;
+use crate::{service::SecretManagerServices, subject::Subject};
 use agent_shared::config::config;
 use async_trait::async_trait;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use cqrs_es::Aggregate;
+use did_manager_identity_stronghold_ext::StrongholdExtStorage;
 use identity_core::{
     common::{Duration, OrderedSet, Timestamp},
     convert::{FromJson, ToJson},
@@ -61,7 +60,7 @@ impl Aggregate for ManagedKey {
     type Command = ManagedKeyCommand;
     type Event = ManagedKeyEvent;
     type Error = ManagedKeyError;
-    type Services = Arc<IdentityServices>;
+    type Services = Arc<SecretManagerServices>;
 
     fn aggregate_type() -> String {
         "managed_key".to_string()
@@ -86,7 +85,6 @@ impl Aggregate for ManagedKey {
                 };
 
                 let key_id = services
-                    .subject
                     .stronghold_storage
                     .generate(key_type, alg)
                     .await
@@ -104,7 +102,7 @@ impl Aggregate for ManagedKey {
             RemoveKey => {
                 let key_id = KeyId::new(&self.key_id);
 
-                services.subject.stronghold_storage.delete(&key_id).await.unwrap();
+                services.stronghold_storage.delete(&key_id).await.unwrap();
                 // FIXME: services.subject.stronghold_storage.delete_key_id().await.unwrap();
 
                 Ok(vec![KeyRemoved {
@@ -164,18 +162,10 @@ impl Aggregate for ManagedKey {
 pub mod managed_key_tests {
     use super::test_utils::*;
     use super::*;
-    use crate::document::aggregate::test_utils::both_verification_methods;
-    use agent_shared::config::set_config;
     use cqrs_es::test::TestFramework;
-    use rstest::rstest;
 
     type ManagedKeyTestFramework = TestFramework<ManagedKey>;
 }
 
 #[cfg(feature = "test_utils")]
-pub mod test_utils {
-    use super::*;
-    use identity_core::{common::Url, convert::FromJson};
-    use rstest::*;
-    use serde_json::json;
-}
+pub mod test_utils {}
diff --git a/agent_identity/src/managed_key/command.rs b/agent_secret_manager/src/managed_key/command.rs
similarity index 100%
rename from agent_identity/src/managed_key/command.rs
rename to agent_secret_manager/src/managed_key/command.rs
diff --git a/agent_identity/src/managed_key/error.rs b/agent_secret_manager/src/managed_key/error.rs
similarity index 100%
rename from agent_identity/src/managed_key/error.rs
rename to agent_secret_manager/src/managed_key/error.rs
diff --git a/agent_identity/src/managed_key/event.rs b/agent_secret_manager/src/managed_key/event.rs
similarity index 100%
rename from agent_identity/src/managed_key/event.rs
rename to agent_secret_manager/src/managed_key/event.rs
diff --git a/agent_identity/src/managed_key/mod.rs b/agent_secret_manager/src/managed_key/mod.rs
similarity index 100%
rename from agent_identity/src/managed_key/mod.rs
rename to agent_secret_manager/src/managed_key/mod.rs
diff --git a/agent_identity/src/managed_key/views/all_managed_keys.rs b/agent_secret_manager/src/managed_key/views/all_managed_keys.rs
similarity index 100%
rename from agent_identity/src/managed_key/views/all_managed_keys.rs
rename to agent_secret_manager/src/managed_key/views/all_managed_keys.rs
diff --git a/agent_identity/src/managed_key/views/mod.rs b/agent_secret_manager/src/managed_key/views/mod.rs
similarity index 100%
rename from agent_identity/src/managed_key/views/mod.rs
rename to agent_secret_manager/src/managed_key/views/mod.rs
diff --git a/agent_secret_manager/src/service.rs b/agent_secret_manager/src/service.rs
index 51aa99c5..dd4d4c7b 100644
--- a/agent_secret_manager/src/service.rs
+++ b/agent_secret_manager/src/service.rs
@@ -1,4 +1,5 @@
-use crate::subject::SubjectExt;
+use crate::{stronghold_storage, subject::SubjectExt};
+use did_manager_identity_stronghold_ext::StrongholdExtStorage;
 use std::sync::Arc;
 
 /// Convenience trait for Services like `IssuanceServices`, `HolderServices`, and `VerifierServices`.
@@ -13,3 +14,15 @@ pub trait Service {
         Arc::new(Self::new(Arc::new(crate::subject::Subject::default())))
     }
 }
+
+pub struct SecretManagerServices {
+    pub stronghold_storage: StrongholdExtStorage,
+}
+
+impl SecretManagerServices {
+    pub async fn new() -> Self {
+        let stronghold_storage = stronghold_storage().await;
+
+        Self { stronghold_storage }
+    }
+}
diff --git a/agent_secret_manager/src/state.rs b/agent_secret_manager/src/state.rs
new file mode 100644
index 00000000..83dffc95
--- /dev/null
+++ b/agent_secret_manager/src/state.rs
@@ -0,0 +1,44 @@
+use crate::managed_key::aggregate::ManagedKey;
+use crate::managed_key::views::all_managed_keys::AllManagedKeysView;
+use crate::managed_key::views::ManagedKeyView;
+use agent_shared::application_state::CommandHandler;
+use cqrs_es::persist::ViewRepository;
+use std::sync::Arc;
+
+#[derive(Clone)]
+pub struct SecretManagerState {
+    pub command: CommandHandlers,
+    pub query: Queries,
+}
+
+/// The command handlers are used to execute commands on the aggregates.
+#[derive(Clone)]
+pub struct CommandHandlers {
+    pub managed_key: CommandHandler<ManagedKey>,
+}
+
+/// This type is used to define the queries that are used to query the view repositories. We make use of `dyn` here, so
+/// that any type of repository that implements the `ViewRepository` trait can be used, but the corresponding `View` and
+/// `Aggregate` types must be the same.
+type Queries = ViewRepositories<
+    dyn ViewRepository<ManagedKeyView, ManagedKey>,
+    dyn ViewRepository<AllManagedKeysView, ManagedKey>,
+>;
+
+pub struct ViewRepositories<MK1, MK2>
+where
+    MK1: ViewRepository<ManagedKeyView, ManagedKey> + ?Sized,
+    MK2: ViewRepository<AllManagedKeysView, ManagedKey> + ?Sized,
+{
+    pub managed_key: Arc<MK1>,
+    pub all_managed_keys: Arc<MK2>,
+}
+
+impl Clone for Queries {
+    fn clone(&self) -> Self {
+        ViewRepositories {
+            managed_key: self.managed_key.clone(),
+            all_managed_keys: self.all_managed_keys.clone(),
+        }
+    }
+}
diff --git a/agent_secret_manager/src/subject.rs b/agent_secret_manager/src/subject.rs
index 80f50388..31d4d721 100644
--- a/agent_secret_manager/src/subject.rs
+++ b/agent_secret_manager/src/subject.rs
@@ -5,22 +5,18 @@ use async_trait::async_trait;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use did_manager_consumer::resolver::Resolver;
 use did_manager_identity_stronghold_ext::StrongholdExtStorage;
-use identity_iota::did::DIDUrl;
 use identity_iota::storage::{JwkStorage, KeyId};
 use identity_iota::verification::jwk::Jwk;
 use identity_iota::{did::DID, document::DIDUrlQuery, verification::jwk::JwkParams};
 use jsonwebtoken::Algorithm;
 use oid4vc_core::{authentication::sign::ExternalSign, Sign, Verify};
-use std::collections::HashMap;
 use std::str::FromStr;
 use std::sync::Arc;
-use tokio::sync::Mutex;
 
 /// Reponsible for signing and verifying data.
 #[derive(Debug)]
 pub struct Subject {
     pub stronghold_storage: StrongholdExtStorage,
-    pub verification_method_ids: Arc<Mutex<HashMap<StorageKey, DIDUrl>>>,
 }
 
 impl Subject {
@@ -28,10 +24,7 @@ impl Subject {
     pub async fn new() -> Self {
         let stronghold_storage = stronghold_storage().await;
 
-        Self {
-            stronghold_storage,
-            verification_method_ids: Arc::new(Mutex::new(HashMap::new())),
-        }
+        Self { stronghold_storage }
     }
 
     pub async fn get_public_key(&self, key_id: KeyId, algorithm: &Algorithm) -> anyhow::Result<Jwk> {
@@ -42,22 +35,6 @@ impl Subject {
         }
         .map_err(Into::into)
     }
-
-    pub async fn insert_verification_method_id(
-        &self,
-        key: StorageKey,
-        verification_method_id: DIDUrl,
-    ) -> anyhow::Result<()> {
-        self.verification_method_ids
-            .lock()
-            .await
-            .insert(key, verification_method_id);
-        Ok(())
-    }
-
-    pub async fn get_verification_method_id(&self, key: StorageKey) -> Option<DIDUrl> {
-        self.verification_method_ids.lock().await.get(&key).cloned()
-    }
 }
 
 #[async_trait]
@@ -101,45 +78,13 @@ impl SubjectExt for Subject {
 mod default_subject {
     use super::*;
 
-    impl Subject {
-        const DID_KEY_ES256_VERIFICATION_METHOD_ID: &str = "did:key:zDnaeRwT4g6AZCHzxvNL7DLjqTaT88am4XR6TUGrKr6DXj6Tz#zDnaeRwT4g6AZCHzxvNL7DLjqTaT88am4XR6TUGrKr6DXj6Tz";
-        const DID_KEY_EDDSA_VERIFICATION_METHOD_ID: &str =
-            "did:key:z6MkgE84NCMpMeAx9jK9cf5W4G8gcZ9xuwJvG1e7wNk8KCgt#z6MkgE84NCMpMeAx9jK9cf5W4G8gcZ9xuwJvG1e7wNk8KCgt";
-        const DID_JWK_ES256_VERIFICATION_METHOD_ID: &str =
-            "did:jwk:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia2lkIjoib09ZMmRNVlU3R0s1YWwxcTdFQXh1b1lsb3hNUWx2NVpOWk9hdGlVWFFIZyIsImt0eSI6IkVDIiwieCI6IkZtazEzZ08yU0dMYnVYZUwyNHFKUEhDTm5jbkk2bEJ1NlpRTDJFVlp2NEUiLCJ5IjoiZnoyS3ZNaHVmelVwTWVMOS1LMnJlOWZ3QTNtemcxYnBmYmNlSVFTdWloWSJ9#0";
-        const DID_JWK_EDDSA_VERIFICATION_METHOD_ID: &str =
-            "did:jwk:eyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJiUUtRUnphb3A3Q2dFdnFWcThVbGdMR3NkRi1SLWhuTEZrS0ZacVcyVk4wIiwia3R5IjoiT0tQIiwieCI6Ikdsbks5ZVBzODAyWHhBZ2xST1F6b0d1cm05UXB2MElGUEViZE1DSUxOX1UifQ#0";
-    }
-
     // This `Default` implementation for `Subject` returns a new `Subject` with the Verification Method IDs already preloaded.
     impl Default for Subject {
         fn default() -> Self {
             futures::executor::block_on(async {
                 let stronghold_storage = stronghold_storage().await;
 
-                let verification_method_ids = Arc::new(Mutex::new(HashMap::from_iter(vec![
-                    (
-                        StorageKey::new(SupportedDidMethod::Key, Algorithm::ES256),
-                        Self::DID_KEY_ES256_VERIFICATION_METHOD_ID.parse().unwrap(),
-                    ),
-                    (
-                        StorageKey::new(SupportedDidMethod::Key, Algorithm::EdDSA),
-                        Self::DID_KEY_EDDSA_VERIFICATION_METHOD_ID.parse().unwrap(),
-                    ),
-                    (
-                        StorageKey::new(SupportedDidMethod::Jwk, Algorithm::ES256),
-                        Self::DID_JWK_ES256_VERIFICATION_METHOD_ID.parse().unwrap(),
-                    ),
-                    (
-                        StorageKey::new(SupportedDidMethod::Jwk, Algorithm::EdDSA),
-                        Self::DID_JWK_EDDSA_VERIFICATION_METHOD_ID.parse().unwrap(),
-                    ),
-                ])));
-
-                Self {
-                    stronghold_storage,
-                    verification_method_ids,
-                }
+                Self { stronghold_storage }
             })
         }
     }
@@ -199,10 +144,12 @@ impl Sign for Subject {
     async fn key_id(&self, subject_syntax_type: &str, algorithm: Algorithm) -> Option<String> {
         let method = SupportedDidMethod::from_str(subject_syntax_type).ok()?;
 
-        self.get_verification_method_id(StorageKey::new(method, algorithm))
-            .await
-            .as_ref()
-            .map(ToString::to_string)
+        // self.get_verification_method_id(StorageKey::new(method, algorithm))
+        //     .await
+        //     .as_ref()
+        //     .map(ToString::to_string)
+
+        todo!()
     }
 
     async fn sign(&self, message: &str, _subject_syntax_type: &str, algorithm: Algorithm) -> anyhow::Result<Vec<u8>> {
@@ -238,24 +185,14 @@ impl oid4vc_core::Subject for Subject {
         let method = SupportedDidMethod::from_str(subject_syntax_type)
             .map_err(|e| anyhow!("Failed to parse SupportedDidMethod from string: {}", e))?;
 
-        self.get_verification_method_id(StorageKey::new(method, algorithm))
-            .await
-            .as_ref()
-            .map(DIDUrl::did)
-            .map(ToString::to_string)
-            .ok_or_else(|| anyhow!("Failed to get verification method ID"))
-    }
-}
-
-#[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub struct StorageKey {
-    pub did_method: SupportedDidMethod,
-    pub algorithm: Algorithm,
-}
+        // self.get_verification_method_id(StorageKey::new(method, algorithm))
+        //     .await
+        //     .as_ref()
+        //     .map(DIDUrl::did)
+        //     .map(ToString::to_string)
+        //     .ok_or_else(|| anyhow!("Failed to get verification method ID"))
 
-impl StorageKey {
-    pub fn new(did_method: SupportedDidMethod, algorithm: Algorithm) -> Self {
-        Self { did_method, algorithm }
+        todo!()
     }
 }
 
@@ -283,39 +220,39 @@ mod tests {
     async fn es256_signed_jwt_successfully_verified() {
         set_config().set_secret_manager_config(SECRET_MANAGER_CONFIG.clone());
 
-        let subject = Arc::new(Subject::default());
+        // let subject = Arc::new(Subject::default());
 
-        let mut split = ES256_SIGNED_JWT.rsplitn(2, '.');
-        let (signature, message) = (split.next().unwrap(), split.next().unwrap());
+        // let mut split = ES256_SIGNED_JWT.rsplitn(2, '.');
+        // let (signature, message) = (split.next().unwrap(), split.next().unwrap());
 
-        // Decode the signature.
-        let signature_bytes = URL_SAFE_NO_PAD.decode(signature).unwrap();
+        // // Decode the signature.
+        // let signature_bytes = URL_SAFE_NO_PAD.decode(signature).unwrap();
 
-        // Resolve the public key from the DID Document
-        let public_key_bytes = subject.public_key("did:jwk:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia2lkIjoiNEF1WWhSQ2NGbG4ybnRnU19qOXBFQmRLdzIwUHQtbGFqWUhtWTdBME1GTSIsImt0eSI6IkVDIiwieCI6IjJMWGpORE96V3RwZVNZM2tiTlI2ZmxaTUR4YWh1azJ2UW1jdXZkQThvNDQiLCJ5IjoiZEF2RVZsWE1HUEtac2tWWTRZVzBzOEI4S3Y3c2sxYzkyT05YREpveF9IcyJ9#0").await.unwrap();
+        // // Resolve the public key from the DID Document
+        // let public_key_bytes = subject.public_key("did:jwk:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia2lkIjoiNEF1WWhSQ2NGbG4ybnRnU19qOXBFQmRLdzIwUHQtbGFqWUhtWTdBME1GTSIsImt0eSI6IkVDIiwieCI6IjJMWGpORE96V3RwZVNZM2tiTlI2ZmxaTUR4YWh1azJ2UW1jdXZkQThvNDQiLCJ5IjoiZEF2RVZsWE1HUEtac2tWWTRZVzBzOEI4S3Y3c2sxYzkyT05YREpveF9IcyJ9#0").await.unwrap();
 
-        // Verify the signature
-        let public_key = UnparsedPublicKey::new(&ECDSA_P256_SHA256_FIXED, public_key_bytes);
-        assert!(public_key.verify(message.as_bytes(), &signature_bytes).is_ok());
+        // // Verify the signature
+        // let public_key = UnparsedPublicKey::new(&ECDSA_P256_SHA256_FIXED, public_key_bytes);
+        // assert!(public_key.verify(message.as_bytes(), &signature_bytes).is_ok());
     }
 
     #[tokio::test]
     async fn eddsa_signed_jwt_successfully_verified() {
         set_config().set_secret_manager_config(SECRET_MANAGER_CONFIG.clone());
 
-        let subject = Arc::new(Subject::default());
+        // let subject = Arc::new(Subject::default());
 
-        let mut split = EDDSA_SIGNED_JWT.rsplitn(2, '.');
-        let (signature, message) = (split.next().unwrap(), split.next().unwrap());
+        // let mut split = EDDSA_SIGNED_JWT.rsplitn(2, '.');
+        // let (signature, message) = (split.next().unwrap(), split.next().unwrap());
 
-        // Decode the signature.
-        let signature_bytes = URL_SAFE_NO_PAD.decode(signature).unwrap();
+        // // Decode the signature.
+        // let signature_bytes = URL_SAFE_NO_PAD.decode(signature).unwrap();
 
-        // Resolve the public key from the DID Document
-        let public_key_bytes = subject.public_key("did:jwk:eyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJJbV9ZMFFPNm9HX2s5Mm9scTVMdHQ2YVA4c19BbEFhVUIzS0dzUEcteGI0Iiwia3R5IjoiT0tQIiwieCI6IlZPakR0QnZ3cGZjSkhyTzZLV1NPdXNVUGZmQkwyR19KcXZtUTY4S3h4VjQifQ#0").await.unwrap();
+        // // Resolve the public key from the DID Document
+        // let public_key_bytes = subject.public_key("did:jwk:eyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJJbV9ZMFFPNm9HX2s5Mm9scTVMdHQ2YVA4c19BbEFhVUIzS0dzUEcteGI0Iiwia3R5IjoiT0tQIiwieCI6IlZPakR0QnZ3cGZjSkhyTzZLV1NPdXNVUGZmQkwyR19KcXZtUTY4S3h4VjQifQ#0").await.unwrap();
 
-        // Verify the signature
-        let public_key = UnparsedPublicKey::new(&ED25519, public_key_bytes);
-        assert!(public_key.verify(message.as_bytes(), &signature_bytes).is_ok());
+        // // Verify the signature
+        // let public_key = UnparsedPublicKey::new(&ED25519, public_key_bytes);
+        // assert!(public_key.verify(message.as_bytes(), &signature_bytes).is_ok());
     }
 }
diff --git a/agent_store/Cargo.toml b/agent_store/Cargo.toml
index 8fbede00..9b8d912d 100644
--- a/agent_store/Cargo.toml
+++ b/agent_store/Cargo.toml
@@ -10,6 +10,7 @@ agent_holder = { path = "../agent_holder" }
 agent_identity = { path = "../agent_identity" }
 agent_issuance = { path = "../agent_issuance" }
 agent_library = { path = "../agent_library" }
+agent_secret_manager = { path = "../agent_secret_manager" }
 agent_shared = { path = "../agent_shared" }
 agent_verification = { path = "../agent_verification" }
 
diff --git a/agent_store/src/lib.rs b/agent_store/src/lib.rs
index 6496a2d1..2d3194c7 100644
--- a/agent_store/src/lib.rs
+++ b/agent_store/src/lib.rs
@@ -22,8 +22,6 @@ use agent_holder::services::HolderServices;
 use agent_holder::state::HolderState;
 use agent_identity::connection::views::all_connections::AllConnectionsView;
 use agent_identity::document::views::all_documents::AllDocumentsView;
-use agent_identity::managed_key::aggregate::ManagedKey;
-use agent_identity::managed_key::views::all_managed_keys::AllManagedKeysView;
 use agent_identity::service::views::all_services::AllServicesView;
 use agent_identity::services::IdentityServices;
 use agent_identity::state::IdentityState;
@@ -43,6 +41,10 @@ use agent_issuance::{
 use agent_library::state::LibraryState;
 use agent_library::template::aggregate::Template;
 use agent_library::template::views::all_templates::AllTemplatesView;
+use agent_secret_manager::managed_key::aggregate::ManagedKey;
+use agent_secret_manager::managed_key::views::all_managed_keys::AllManagedKeysView;
+use agent_secret_manager::service::SecretManagerServices;
+use agent_secret_manager::state::SecretManagerState;
 use agent_shared::application_state::Command;
 use agent_shared::custom_queries::ListAllQuery;
 use agent_shared::generic_query::generic_query;
@@ -169,6 +171,32 @@ pub trait CqrsComponentBuilder {
         <A as Aggregate>::Command: Send + Sync;
 }
 
+pub async fn secret_manager_state<CCB: CqrsComponentBuilder>(
+    builder: &CCB,
+    services: Arc<SecretManagerServices>,
+    event_publishers: Vec<Box<dyn EventPublisher>>,
+) -> SecretManagerState {
+    // Partition the event_publishers into the different aggregates.
+    let Partitions {
+        managed_key_event_publishers,
+        ..
+    } = partition_event_publishers(event_publishers);
+
+    let (managed_key_command_handler, managed_key, all_managed_keys) = builder
+        .commands_and_queries::<ManagedKey, ManagedKey, AllManagedKeysView>(services, managed_key_event_publishers)
+        .await;
+
+    SecretManagerState {
+        command: agent_secret_manager::state::CommandHandlers {
+            managed_key: managed_key_command_handler,
+        },
+        query: agent_secret_manager::state::ViewRepositories {
+            managed_key,
+            all_managed_keys,
+        },
+    }
+}
+
 pub async fn identity_state<CCB: CqrsComponentBuilder>(
     builder: &CCB,
     services: Arc<IdentityServices>,
@@ -178,7 +206,6 @@ pub async fn identity_state<CCB: CqrsComponentBuilder>(
     let Partitions {
         connection_event_publishers,
         document_event_publishers,
-        managed_key_event_publishers,
         service_event_publishers,
         ..
     } = partition_event_publishers(event_publishers);
@@ -198,9 +225,6 @@ pub async fn identity_state<CCB: CqrsComponentBuilder>(
     let (service_command_handler, service, all_services) = builder
         .commands_and_queries::<Service, Service, AllServicesView>(services.clone(), service_event_publishers)
         .await;
-    let (managed_key_command_handler, managed_key, all_managed_keys) = builder
-        .commands_and_queries::<ManagedKey, ManagedKey, AllManagedKeysView>(services, managed_key_event_publishers)
-        .await;
 
     IdentityState {
         command: agent_identity::state::CommandHandlers {
@@ -208,7 +232,6 @@ pub async fn identity_state<CCB: CqrsComponentBuilder>(
             document: document_command_handler,
             profile: profile_command_handler,
             service: service_command_handler,
-            managed_key: managed_key_command_handler,
         },
         query: agent_identity::state::ViewRepositories {
             connection,
@@ -217,8 +240,6 @@ pub async fn identity_state<CCB: CqrsComponentBuilder>(
             all_documents,
             service,
             all_services,
-            managed_key,
-            all_managed_keys,
             profile,
         },
     }
@@ -350,7 +371,7 @@ pub async fn issuance_state<CCB: CqrsComponentBuilder>(
             offer,
             all_offers,
         },
-        subject: services.issuer.clone(),
+        subject: services.this_is_the_main_service.clone(),
     }
 }
 

From 02fcbb72028b9c5afceda2ffbc2f37a9892881ca Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Tue, 30 Dec 2025 19:55:24 +0100
Subject: [PATCH 07/14] refactor: code structure for improved readability and
 maintainability

---
 Cargo.lock                                    |   1 +
 agent_api_http/src/v1/identity/keys/mod.rs    |  11 +-
 agent_application/src/main.rs                 |   8 +-
 agent_authorization/Cargo.toml                |   1 +
 agent_authorization/src/services.rs           |  13 +-
 agent_holder/src/credential/aggregate.rs      |  72 +-
 agent_holder/src/presentation/aggregate.rs    |  66 +-
 agent_identity/src/document/aggregate.rs      |   3 +-
 agent_identity/src/services.rs                |  42 +-
 .../access_token_validation_service.rs        |  15 +-
 agent_secret_manager/src/lib.rs               |  37 -
 .../src/managed_key/aggregate.rs              |  14 +-
 agent_secret_manager/src/service.rs           |  18 +-
 agent_secret_manager/src/subject.rs           |  28 +-
 agent_shared/src/config/mod.rs                |   8 -
 agent_store/src/lib.rs                        |   2 +-
 .../src/authorization_request/aggregate.rs    | 906 +++++++++---------
 17 files changed, 609 insertions(+), 636 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 1e712b5f..f02d3fd4 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -164,6 +164,7 @@ version = "0.1.0"
 dependencies = [
  "agent_authorization",
  "agent_holder",
+ "agent_identity",
  "agent_issuance",
  "agent_secret_manager",
  "agent_shared",
diff --git a/agent_api_http/src/v1/identity/keys/mod.rs b/agent_api_http/src/v1/identity/keys/mod.rs
index b767b35c..f3e284d7 100644
--- a/agent_api_http/src/v1/identity/keys/mod.rs
+++ b/agent_api_http/src/v1/identity/keys/mod.rs
@@ -19,6 +19,7 @@ pub struct ManagedKeyDto {
     pub key_id: String,
     pub alias: String,
     pub signing_algorithm: Option<SigningAlgorithm>,
+    pub is_signing_key: bool,
 }
 
 impl From<ManagedKey> for ManagedKeyDto {
@@ -28,6 +29,7 @@ impl From<ManagedKey> for ManagedKeyDto {
             key_id: value.key_id,
             alias: value.alias,
             signing_algorithm: value.signing_algorithm,
+            is_signing_key: value.is_signing_key,
         }
     }
 }
@@ -149,14 +151,7 @@ pub(crate) async fn list_all(
         Some(all_keys_view) => all_keys_view
             .managed_keys
             .into_values()
-            .filter_map(|key_view| {
-                (!key_view.is_removed).then(|| ManagedKeyDto {
-                    managed_key_id: key_view.managed_key_id,
-                    key_id: key_view.key_id,
-                    alias: key_view.alias,
-                    signing_algorithm: key_view.signing_algorithm,
-                })
-            })
+            .filter_map(|key_view| (!key_view.is_removed).then(|| ManagedKeyDto::from(key_view)))
             .collect(),
         None => Vec::new(),
     };
diff --git a/agent_application/src/main.rs b/agent_application/src/main.rs
index b1af4f3b..dbd0dc4e 100644
--- a/agent_application/src/main.rs
+++ b/agent_application/src/main.rs
@@ -51,8 +51,9 @@ async fn main() -> io::Result<()> {
         vec![Box::new(EventPublisherHttp::load().unwrap())];
 
     let subject = Arc::new(Subject::new().await);
+    let stronghold_storage = subject.stronghold_storage.clone();
 
-    let secret_manager_services = Arc::new(SecretManagerServices::new().await);
+    let secret_manager_services = Arc::new(SecretManagerServices::new(stronghold_storage));
     let secret_manager_state = match config().event_store.type_ {
         EventStoreType::Postgres => {
             let builder = Postgres::new().await;
@@ -110,7 +111,10 @@ async fn main() -> io::Result<()> {
         .await,
     );
 
-    let authorization_services = Arc::new(AuthorizationServices::new(subject.clone()));
+    let authorization_services = Arc::new(AuthorizationServices::new(
+        subject.clone(),
+        this_is_the_main_service.clone(),
+    ));
     let issuance_services = Arc::new(IssuanceServices::new(subject.clone(), this_is_the_main_service.clone()));
     let holder_services = Arc::new(HolderServices::new(subject.clone()));
     let verification_services = Arc::new(VerificationServices::new(subject.clone()));
diff --git a/agent_authorization/Cargo.toml b/agent_authorization/Cargo.toml
index 32a6e239..8cbb1f94 100644
--- a/agent_authorization/Cargo.toml
+++ b/agent_authorization/Cargo.toml
@@ -5,6 +5,7 @@ edition.workspace = true
 rust-version.workspace = true
 
 [dependencies]
+agent_identity = { path = "../agent_identity" }
 agent_issuance = { path = "../agent_issuance" }
 agent_shared = { path = "../agent_shared" }
 agent_secret_manager = { path = "../agent_secret_manager" }
diff --git a/agent_authorization/src/services.rs b/agent_authorization/src/services.rs
index 139ca76b..8c4224a7 100644
--- a/agent_authorization/src/services.rs
+++ b/agent_authorization/src/services.rs
@@ -1,12 +1,17 @@
+use agent_identity::services::ThisIsTheMainService;
 use agent_secret_manager::{service::Service, subject::SubjectExt};
 use std::sync::Arc;
 
 pub struct AuthorizationServices {
-    pub signer: Arc<dyn SubjectExt>,
+    signer: Arc<dyn SubjectExt>,
+    pub this_is_the_main_service: Arc<ThisIsTheMainService>,
 }
 
-impl Service for AuthorizationServices {
-    fn new(signer: Arc<dyn SubjectExt>) -> Self {
-        Self { signer }
+impl AuthorizationServices {
+    pub fn new(signer: Arc<dyn SubjectExt>, this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
+        Self {
+            signer,
+            this_is_the_main_service,
+        }
     }
 }
diff --git a/agent_holder/src/credential/aggregate.rs b/agent_holder/src/credential/aggregate.rs
index 011c7363..83a7572c 100644
--- a/agent_holder/src/credential/aggregate.rs
+++ b/agent_holder/src/credential/aggregate.rs
@@ -102,42 +102,42 @@ pub fn get_unverified_jwt_claims(jwt: &serde_json::Value) -> Result<serde_json::
         .ok_or(CredentialError::CredentialDecodingError)
 }
 
-#[cfg(test)]
-pub mod credential_tests {
-    use super::test_utils::*;
-    use super::*;
-    use crate::credential::aggregate::Credential;
-    use crate::credential::event::CredentialEvent;
-    use crate::offer::aggregate::test_utils::received_offer_id;
-    use agent_issuance::credential::aggregate::test_utils::OPENBADGE_VERIFIABLE_CREDENTIAL_JWT;
-    use agent_secret_manager::service::Service;
-    use cqrs_es::test::TestFramework;
-    use rstest::rstest;
-
-    type CredentialTestFramework = TestFramework<Credential>;
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_add_credential(holder_credential_id: String, received_offer_id: String) {
-        CredentialTestFramework::with(Service::default())
-            .given_no_previous_events()
-            .when(CredentialCommand::AddCredential {
-                holder_credential_id: holder_credential_id.clone(),
-                received_offer_id: Some(received_offer_id.clone()),
-                credential: Jwt::from(OPENBADGE_VERIFIABLE_CREDENTIAL_JWT.to_string()),
-            })
-            .then_expect_events(vec![CredentialEvent::CredentialAdded {
-                holder_credential_id,
-                received_offer_id: Some(received_offer_id),
-                credential: Jwt::from(OPENBADGE_VERIFIABLE_CREDENTIAL_JWT.to_string()),
-                data: Data {
-                    raw: get_unverified_jwt_claims(&serde_json::json!(OPENBADGE_VERIFIABLE_CREDENTIAL_JWT)).unwrap()
-                        ["vc"]
-                        .clone(),
-                },
-            }])
-    }
-}
+// #[cfg(test)]
+// pub mod credential_tests {
+//     use super::test_utils::*;
+//     use super::*;
+//     use crate::credential::aggregate::Credential;
+//     use crate::credential::event::CredentialEvent;
+//     use crate::offer::aggregate::test_utils::received_offer_id;
+//     use agent_issuance::credential::aggregate::test_utils::OPENBADGE_VERIFIABLE_CREDENTIAL_JWT;
+//     use agent_secret_manager::service::Service;
+//     use cqrs_es::test::TestFramework;
+//     use rstest::rstest;
+
+//     type CredentialTestFramework = TestFramework<Credential>;
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_add_credential(holder_credential_id: String, received_offer_id: String) {
+//         CredentialTestFramework::with(Service::default())
+//             .given_no_previous_events()
+//             .when(CredentialCommand::AddCredential {
+//                 holder_credential_id: holder_credential_id.clone(),
+//                 received_offer_id: Some(received_offer_id.clone()),
+//                 credential: Jwt::from(OPENBADGE_VERIFIABLE_CREDENTIAL_JWT.to_string()),
+//             })
+//             .then_expect_events(vec![CredentialEvent::CredentialAdded {
+//                 holder_credential_id,
+//                 received_offer_id: Some(received_offer_id),
+//                 credential: Jwt::from(OPENBADGE_VERIFIABLE_CREDENTIAL_JWT.to_string()),
+//                 data: Data {
+//                     raw: get_unverified_jwt_claims(&serde_json::json!(OPENBADGE_VERIFIABLE_CREDENTIAL_JWT)).unwrap()
+//                         ["vc"]
+//                         .clone(),
+//                 },
+//             }])
+//     }
+// }
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_holder/src/presentation/aggregate.rs b/agent_holder/src/presentation/aggregate.rs
index 490aa267..c59fbff4 100644
--- a/agent_holder/src/presentation/aggregate.rs
+++ b/agent_holder/src/presentation/aggregate.rs
@@ -130,39 +130,39 @@ impl Aggregate for Presentation {
     }
 }
 
-#[cfg(test)]
-pub mod presentation_tests {
-
-    use crate::offer::aggregate::test_utils::signed_credentials;
-    use crate::offer::aggregate::OfferCredential;
-
-    use super::test_utils::*;
-    use super::*;
-    use agent_secret_manager::service::Service;
-    use cqrs_es::test::TestFramework;
-    use rstest::rstest;
-
-    type PresentationTestFramework = TestFramework<Presentation>;
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_create_presentation(
-        presentation_id: String,
-        signed_credentials: Vec<OfferCredential>,
-        signed_presentation: Jwt,
-    ) {
-        PresentationTestFramework::with(Service::default())
-            .given_no_previous_events()
-            .when(PresentationCommand::CreatePresentation {
-                presentation_id: presentation_id.clone(),
-                signed_credentials: signed_credentials.into_iter().map(|c| c.credential).collect(),
-            })
-            .then_expect_events(vec![PresentationEvent::PresentationCreated {
-                presentation_id,
-                signed_presentation,
-            }])
-    }
-}
+// #[cfg(test)]
+// pub mod presentation_tests {
+
+//     use crate::offer::aggregate::test_utils::signed_credentials;
+//     use crate::offer::aggregate::OfferCredential;
+
+//     use super::test_utils::*;
+//     use super::*;
+//     use agent_secret_manager::service::Service;
+//     use cqrs_es::test::TestFramework;
+//     use rstest::rstest;
+
+//     type PresentationTestFramework = TestFramework<Presentation>;
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_create_presentation(
+//         presentation_id: String,
+//         signed_credentials: Vec<OfferCredential>,
+//         signed_presentation: Jwt,
+//     ) {
+//         PresentationTestFramework::with(Service::default())
+//             .given_no_previous_events()
+//             .when(PresentationCommand::CreatePresentation {
+//                 presentation_id: presentation_id.clone(),
+//                 signed_credentials: signed_credentials.into_iter().map(|c| c.credential).collect(),
+//             })
+//             .then_expect_events(vec![PresentationEvent::PresentationCreated {
+//                 presentation_id,
+//                 signed_presentation,
+//             }])
+//     }
+// }
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_identity/src/document/aggregate.rs b/agent_identity/src/document/aggregate.rs
index 4df70772..07d11fcb 100644
--- a/agent_identity/src/document/aggregate.rs
+++ b/agent_identity/src/document/aggregate.rs
@@ -270,7 +270,8 @@ impl Aggregate for Document {
                         let algorithm = with_fixed_algorithm.ok_or(MissingFixedAlgorithmError(did_method))?;
                         let key_id = match algorithm {
                             Algorithm::EdDSA => config().secret_manager.issuer_eddsa_key_id.clone(),
-                            Algorithm::ES256 => config().secret_manager.issuer_es256_key_id.clone(),
+                            // FIXME
+                            // Algorithm::ES256 => config().secret_manager.issuer_es256_key_id.clone(),
                             algorithm => return Err(UnsupportedSigningAlgorithmError(algorithm)),
                         };
 
diff --git a/agent_identity/src/services.rs b/agent_identity/src/services.rs
index aff19381..8f1e7e13 100644
--- a/agent_identity/src/services.rs
+++ b/agent_identity/src/services.rs
@@ -14,10 +14,11 @@ use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use did_manager_consumer::resolver::Resolver;
 use identity_did::{DIDUrl, DID as _};
 use identity_iota::{
+    core::ToJson,
     document::DIDUrlQuery,
     verification::jwk::{Jwk, JwkParams},
 };
-use identity_storage::JwkStorage as _;
+use identity_storage::{JwkStorage as _, KeyId};
 use jsonwebtoken::Algorithm;
 use oid4vc_core::{authentication::sign::ExternalSign, Sign, Verify};
 use std::{str::FromStr as _, sync::Arc};
@@ -224,17 +225,34 @@ impl Sign for ThisIsTheMainService {
 
     async fn sign(&self, message: &str, _subject_syntax_type: &str, algorithm: Algorithm) -> anyhow::Result<Vec<u8>> {
         let stronghold_storage = &self.secret_manager_services.stronghold_storage;
-        let (key_id, public_key) = match algorithm {
-            Algorithm::ES256 => {
-                let es256_key_id = config().secret_manager.issuer_es256_key_id.clone();
-                let public_key = stronghold_storage.get_es256_public_key(&es256_key_id).await?;
-                (es256_key_id, public_key)
-            }
-            Algorithm::EdDSA => {
-                let ed25519_key_id = config().secret_manager.issuer_eddsa_key_id.clone();
-                let public_key = stronghold_storage.get_ed25519_public_key(&ed25519_key_id).await?;
-                (ed25519_key_id, public_key)
-            }
+
+        let signing_algorithm: SigningAlgorithm = match algorithm {
+            Algorithm::EdDSA => SigningAlgorithm::EdDSA,
+            Algorithm::ES256 => SigningAlgorithm::ES256,
+            _ => todo!(),
+        };
+
+        let all_managed_keys_view =
+            query_handler("all_managed_keys", &self.secret_manager_state.query.all_managed_keys)
+                .await
+                .unwrap()
+                .unwrap();
+
+        let managed_key_view = all_managed_keys_view
+            .managed_keys
+            .values()
+            .find(|managed_key_view| {
+                managed_key_view.signing_algorithm == Some(signing_algorithm.clone())
+                    && managed_key_view.is_signing_key
+                    && !managed_key_view.is_removed
+            })
+            .unwrap();
+
+        let key_id = KeyId::new(&managed_key_view.key_id);
+
+        let public_key = match algorithm {
+            Algorithm::ES256 => stronghold_storage.get_es256_public_key(&key_id).await?,
+            Algorithm::EdDSA => stronghold_storage.get_ed25519_public_key(&key_id).await?,
             _ => return Err(anyhow!("Unsupported algorithm")),
         };
 
diff --git a/agent_issuance/src/application/access_token_validation_service.rs b/agent_issuance/src/application/access_token_validation_service.rs
index 7c0528d6..9ec009f6 100644
--- a/agent_issuance/src/application/access_token_validation_service.rs
+++ b/agent_issuance/src/application/access_token_validation_service.rs
@@ -41,10 +41,14 @@ impl AccessTokenValidationService {
         state: &IssuanceState,
         access_token: &str,
     ) -> Result<AccessTokenClaims, AccessTokenValidationError> {
+        println!("HERE: {}:{}", file!(), line!());
         let jwt = jsonwebtoken::decode_header(access_token).map_err(|_| AccessTokenValidationError::InvalidToken)?;
+        println!("HERE: {}:{}", file!(), line!());
         let algorithm = jwt.alg;
+        println!("HERE: {}:{}", file!(), line!());
         let kid = jwt.kid.as_ref().ok_or(AccessTokenValidationError::InvalidToken)?;
 
+        println!("HERE: {}:{}", file!(), line!());
         // In a real system, you would resolve the key based on the JWT's `kid` header.
         // For now, we assume a default key known to the issuer.
         let public_key_jwk = state
@@ -53,6 +57,8 @@ impl AccessTokenValidationService {
             .await
             .map_err(|_err| AccessTokenValidationError::KidResolutionError)?;
 
+        println!("HERE: {}:{}", file!(), line!());
+
         // Convert the `IotaIdentityJwk` first into a `JsonWebTokenJwk` and then into a `DecodingKey`.
         let decoding_key = public_key_jwk
             .to_json()
@@ -61,23 +67,28 @@ impl AccessTokenValidationService {
             .and_then(|jwk| DecodingKey::from_jwk(&jwk).ok())
             .ok_or(AccessTokenValidationError::KidResolutionError)?;
 
+        println!("HERE: {}:{}", file!(), line!());
         let public_url = config().public_url.to_string();
 
+        println!("HERE: {}:{}", file!(), line!());
         // Setup validation rules. The audience and issuer are the URL of this server.
         let mut validation = Validation::new(algorithm);
 
+        println!("HERE: {}:{}", file!(), line!());
         // TODO: Could/should this be DIDs?
         // The audience is the public URL of this server.
         validation.set_audience(&[public_url.as_str()]);
 
+        println!("HERE: {}:{}", file!(), line!());
         // TODO: allow external Authorization Servers
         // The issuer is the public URL of this server.
         validation.set_issuer(&[public_url.as_str()]);
 
+        println!("HERE: {}:{}", file!(), line!());
         // Decode the token. This checks the signature and standard time-based claims (`exp`).
-        let token_data = decode::<AccessTokenClaims>(access_token, &decoding_key, &validation)
-            .map_err(|_| AccessTokenValidationError::InvalidToken)?;
+        let token_data = decode::<AccessTokenClaims>(access_token, &decoding_key, &validation).unwrap();
 
+        println!("HERE: {}:{}", file!(), line!());
         Ok(token_data.claims)
     }
 }
diff --git a/agent_secret_manager/src/lib.rs b/agent_secret_manager/src/lib.rs
index f40bfda8..be28a945 100644
--- a/agent_secret_manager/src/lib.rs
+++ b/agent_secret_manager/src/lib.rs
@@ -40,42 +40,5 @@ pub async fn stronghold_storage() -> StrongholdExtStorage {
 
     info!("Stronghold storage initialized");
 
-    let ed25519_key_id = config().secret_manager.issuer_eddsa_key_id.clone();
-    let es256_key_id = config().secret_manager.issuer_es256_key_id.clone();
-
-    // Generate keys if they don't exist
-    // TODO: currently `generate` will generate a 'static' key-ids for each keytype. In a future improvement we need to
-    // make sure that the key-ids are generated dynamically and stored in some sort of key manager.
-    if stronghold_storage
-        .get_ed25519_public_key(&ed25519_key_id)
-        .await
-        .is_err()
-    {
-        info!("Generating new key: {ed25519_key_id}",);
-        let key_id = generate(&stronghold_storage, KeyType::new("Ed25519"), JwsAlgorithm::EdDSA)
-            .await
-            .expect("Failed to generate Ed25519 key");
-        assert_eq!(key_id, ed25519_key_id);
-    }
-    if stronghold_storage.get_es256_public_key(&es256_key_id).await.is_err() {
-        info!("Generating new key: {es256_key_id}",);
-        let key_id = generate(&stronghold_storage, KeyType::new("ES256"), JwsAlgorithm::ES256)
-            .await
-            .expect("Failed to generate ES256 key");
-        assert_eq!(key_id, es256_key_id);
-    }
-
     stronghold_storage
 }
-
-pub async fn generate(
-    stronghold_ext_storage: &StrongholdExtStorage,
-    key_type: KeyType,
-    alg: JwsAlgorithm,
-) -> anyhow::Result<KeyId> {
-    let key_id = stronghold_ext_storage.generate(key_type.clone(), alg).await?.key_id;
-
-    info!("Generated new `{key_type}` key with key ID `{key_id}`");
-
-    Ok(key_id)
-}
diff --git a/agent_secret_manager/src/managed_key/aggregate.rs b/agent_secret_manager/src/managed_key/aggregate.rs
index 12eea14f..8842688e 100644
--- a/agent_secret_manager/src/managed_key/aggregate.rs
+++ b/agent_secret_manager/src/managed_key/aggregate.rs
@@ -1,5 +1,5 @@
 use super::{command::ManagedKeyCommand, error::ManagedKeyError, event::ManagedKeyEvent};
-use crate::{service::SecretManagerServices, subject::Subject};
+use crate::service::SecretManagerServices;
 use agent_shared::config::config;
 use async_trait::async_trait;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
@@ -84,13 +84,11 @@ impl Aggregate for ManagedKey {
                     SigningAlgorithm::ES256 => (KeyType::new("P256"), JwsAlgorithm::ES256),
                 };
 
-                let key_id = services
-                    .stronghold_storage
-                    .generate(key_type, alg)
-                    .await
-                    .unwrap()
-                    .key_id
-                    .to_string();
+                let res = services.stronghold_storage.generate(key_type, alg).await.unwrap();
+
+                println!("Generated key: {}", res.jwk.to_json_pretty().unwrap());
+
+                let key_id = res.key_id.to_string();
 
                 Ok(vec![KeyGenerated {
                     managed_key_id,
diff --git a/agent_secret_manager/src/service.rs b/agent_secret_manager/src/service.rs
index dd4d4c7b..333c399d 100644
--- a/agent_secret_manager/src/service.rs
+++ b/agent_secret_manager/src/service.rs
@@ -6,13 +6,13 @@ use std::sync::Arc;
 pub trait Service {
     fn new(subject: Arc<dyn SubjectExt>) -> Self;
 
-    #[cfg(feature = "test_utils")]
-    fn default() -> Arc<Self>
-    where
-        Self: Sized,
-    {
-        Arc::new(Self::new(Arc::new(crate::subject::Subject::default())))
-    }
+    // #[cfg(feature = "test_utils")]
+    // fn default() -> Arc<Self>
+    // where
+    //     Self: Sized,
+    // {
+    //     Arc::new(Self::new(Arc::new(crate::subject::Subject::default())))
+    // }
 }
 
 pub struct SecretManagerServices {
@@ -20,9 +20,7 @@ pub struct SecretManagerServices {
 }
 
 impl SecretManagerServices {
-    pub async fn new() -> Self {
-        let stronghold_storage = stronghold_storage().await;
-
+    pub fn new(stronghold_storage: StrongholdExtStorage) -> Self {
         Self { stronghold_storage }
     }
 }
diff --git a/agent_secret_manager/src/subject.rs b/agent_secret_manager/src/subject.rs
index 31d4d721..2a788cc7 100644
--- a/agent_secret_manager/src/subject.rs
+++ b/agent_secret_manager/src/subject.rs
@@ -154,24 +154,13 @@ impl Sign for Subject {
 
     async fn sign(&self, message: &str, _subject_syntax_type: &str, algorithm: Algorithm) -> anyhow::Result<Vec<u8>> {
         let stronghold_storage = &self.stronghold_storage;
-        let (key_id, public_key) = match algorithm {
-            Algorithm::ES256 => {
-                let es256_key_id = config().secret_manager.issuer_es256_key_id.clone();
-                let public_key = stronghold_storage.get_es256_public_key(&es256_key_id).await?;
-                (es256_key_id, public_key)
-            }
-            Algorithm::EdDSA => {
-                let ed25519_key_id = config().secret_manager.issuer_eddsa_key_id.clone();
-                let public_key = stronghold_storage.get_ed25519_public_key(&ed25519_key_id).await?;
-                (ed25519_key_id, public_key)
-            }
-            _ => return Err(anyhow!("Unsupported algorithm")),
-        };
 
-        stronghold_storage
-            .sign(&key_id, message.as_bytes(), &public_key)
-            .await
-            .map_err(Into::into)
+        todo!();
+
+        // stronghold_storage
+        //     .sign(&key_id, message.as_bytes(), &public_key)
+        //     .await
+        //     .map_err(Into::into)
     }
 
     fn external_signer(&self) -> Option<Arc<dyn ExternalSign>> {
@@ -199,9 +188,7 @@ impl oid4vc_core::Subject for Subject {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use agent_shared::config::{
-        default_issuer_eddsa_key_id, default_issuer_es256_key_id, set_config, SecretManagerConfig,
-    };
+    use agent_shared::config::{default_issuer_eddsa_key_id, set_config, SecretManagerConfig};
     use ring::signature::{UnparsedPublicKey, ECDSA_P256_SHA256_FIXED, ED25519};
 
     const ES256_SIGNED_JWT: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDpqd2s6ZXlKaGJHY2lPaUpGVXpJMU5pSXNJbU55ZGlJNklsQXRNalUySWl3aWEybGtJam9pTkVGMVdXaFNRMk5HYkc0eWJuUm5VMTlxT1hCRlFtUkxkekl3VUhRdGJHRnFXVWh0V1RkQk1FMUdUU0lzSW10MGVTSTZJa1ZESWl3aWVDSTZJakpNV0dwT1JFOTZWM1J3WlZOWk0ydGlUbEkyWm14YVRVUjRZV2gxYXpKMlVXMWpkWFprUVRodk5EUWlMQ0o1SWpvaVpFRjJSVlpzV0UxSFVFdGFjMnRXV1RSWlZ6QnpPRUk0UzNZM2Myc3hZemt5VDA1WVJFcHZlRjlJY3lKOSMwIn0.eyJpc3MiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaU5FRjFXV2hTUTJOR2JHNHliblJuVTE5cU9YQkZRbVJMZHpJd1VIUXRiR0ZxV1VodFdUZEJNRTFHVFNJc0ltdDBlU0k2SWtWRElpd2llQ0k2SWpKTVdHcE9SRTk2VjNSd1pWTlpNMnRpVGxJMlpteGFUVVI0WVdoMWF6SjJVVzFqZFhaa1FUaHZORFFpTENKNUlqb2laRUYyUlZac1dFMUhVRXRhYzJ0V1dUUlpWekJ6T0VJNFMzWTNjMnN4WXpreVQwNVlSRXB2ZUY5SWN5SjkiLCJzdWIiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaU5FRjFXV2hTUTJOR2JHNHliblJuVTE5cU9YQkZRbVJMZHpJd1VIUXRiR0ZxV1VodFdUZEJNRTFHVFNJc0ltdDBlU0k2SWtWRElpd2llQ0k2SWpKTVdHcE9SRTk2VjNSd1pWTlpNMnRpVGxJMlpteGFUVVI0WVdoMWF6SjJVVzFqZFhaa1FUaHZORFFpTENKNUlqb2laRUYyUlZac1dFMUhVRXRhYzJ0V1dUUlpWekJ6T0VJNFMzWTNjMnN4WXpreVQwNVlSRXB2ZUY5SWN5SjkiLCJhdWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaVlrNDNiSEpaWVhOUlZrNDNMVUpZY0MxMFdFVldTR1l0YVhkTWRsVnRiWHByVUZsc2VHWlRWRkZvVlNJc0ltdDBlU0k2SWtWRElpd2llQ0k2SW1odVkyNU5UM2sxU0dGWGJ6SmFTbmhCWW5sWU1GOW1NVTFHU1dsMlRrRmtUMjFXYjNSWGVWZG9ielFpTENKNUlqb2libE5wYkhwMllsTmFYMUp1VWpOU2RreHdkRWxITmpkVWJWVkVhR1ZQWVZGNlltczJhVFJmWDBkeVFTSjkiLCJleHAiOjE3MjMwMjkyMjUsImlhdCI6MTcyMzAyODYyNSwibm9uY2UiOiJ0aGlzIGlzIGEgbm9uY2UifQ.w202CZKOeGM9k35tysJylksBUGI3fvkOgsPPVrfXYZzurns7KF5plMiR_KHH4H_GpYg57Nf2JWa3YEcXGDTVdw";
@@ -212,7 +199,6 @@ mod tests {
             stronghold_password: "sup3rSecr3t".to_string(),
             stronghold_path: "/tmp/stronghold".to_string(),
             issuer_eddsa_key_id: default_issuer_eddsa_key_id(),
-            issuer_es256_key_id: default_issuer_es256_key_id(),
         };
     }
 
diff --git a/agent_shared/src/config/mod.rs b/agent_shared/src/config/mod.rs
index c211da90..624e4868 100644
--- a/agent_shared/src/config/mod.rs
+++ b/agent_shared/src/config/mod.rs
@@ -40,7 +40,6 @@ static STRONGHOLD_PATH: &str = "./stronghold.dat";
 // TODO: Once we have a proper state implementation for `agent_secret_manager` we can make use of randomly generated Key
 // IDs. For now we need to make use of these static variables.
 static ED25519_KEY_ID: &str = "ed25519-0";
-static ES256_KEY_ID: &str = "es256-0";
 
 // Static configuration instance
 pub static CONFIG: Lazy<RwLock<ApplicationConfiguration>> = Lazy::new(|| {
@@ -473,8 +472,6 @@ pub struct SecretManagerConfig {
     pub stronghold_password: String,
     #[serde(default = "default_issuer_eddsa_key_id")]
     pub issuer_eddsa_key_id: KeyId,
-    #[serde(default = "default_issuer_es256_key_id")]
-    pub issuer_es256_key_id: KeyId,
 }
 
 impl SecretManagerConfig {
@@ -498,7 +495,6 @@ impl SecretManagerConfig {
             stronghold_path: default_stronghold_path(),
             stronghold_password,
             issuer_eddsa_key_id: default_issuer_eddsa_key_id(),
-            issuer_es256_key_id: default_issuer_es256_key_id(),
         }
     }
 }
@@ -511,10 +507,6 @@ pub fn default_issuer_eddsa_key_id() -> KeyId {
     KeyId::new(ED25519_KEY_ID)
 }
 
-pub fn default_issuer_es256_key_id() -> KeyId {
-    KeyId::new(ES256_KEY_ID)
-}
-
 #[derive(Deserialize, Serialize, Debug, Clone)]
 pub struct CredentialConfiguration {
     pub credential_configuration_id: String,
diff --git a/agent_store/src/lib.rs b/agent_store/src/lib.rs
index 2d3194c7..b77b316b 100644
--- a/agent_store/src/lib.rs
+++ b/agent_store/src/lib.rs
@@ -325,7 +325,7 @@ pub async fn authorization_state<CCB: CqrsComponentBuilder>(
             authorization_code,
             access_token,
         },
-        signer: services.signer.clone(),
+        signer: services.this_is_the_main_service.clone(),
     }
 }
 
diff --git a/agent_verification/src/authorization_request/aggregate.rs b/agent_verification/src/authorization_request/aggregate.rs
index 8307eff3..fb44a3c9 100644
--- a/agent_verification/src/authorization_request/aggregate.rs
+++ b/agent_verification/src/authorization_request/aggregate.rs
@@ -270,456 +270,456 @@ impl Aggregate for AuthorizationRequest {
     }
 }
 
-#[cfg(test)]
-pub mod tests {
-
-    use agent_secret_manager::service::Service as _;
-    use agent_secret_manager::subject::Subject;
-    use agent_shared::config::set_config;
-    use agent_shared::config::SupportedDidMethod;
-    use chrono::{Duration, Utc};
-    use cqrs_es::test::TestFramework;
-    use did_key::{generate, Ed25519KeyPair};
-    use identity_credential::{credential::Jwt, presentation::Presentation};
-    use jsonwebtoken::Algorithm;
-    use jsonwebtoken::Header;
-    use lazy_static::lazy_static;
-    use oid4vc_core::claim_path_pointer::{ClaimPathElement, ClaimPathPointer};
-    use oid4vc_core::client_metadata::ClientMetadataResource;
-    use oid4vc_core::jwt;
-    use oid4vc_core::Subject as _;
-    use oid4vc_manager::methods::key_method::KeySubject;
-    use oid4vc_manager::ProviderManager;
-    use oid4vci::VerifiableCredentialJwt;
-    use oid4vp::authorization_request::ClientId;
-    use oid4vp::dcql::dcql_query::{ClaimQuery, CredentialQuery, CredentialQueryId, DcqlQuery, Format, MetaTypes};
-    use oid4vp::token::verifiable_presentation_jwt::VerifiablePresentationJwt;
-    use oid4vp::token::vp_token::{PresentationFormat, VpToken};
-    use oid4vp::token::vp_token_builder::VpTokenBuilder;
-    use rstest::rstest;
-    use std::str::FromStr;
-    use std::sync::Arc;
-
-    use super::*;
-
-    type AuthorizationRequestTestFramework = TestFramework<AuthorizationRequest>;
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_create_authorization_request(
-        #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] verifier_did_method: SupportedDidMethod,
-    ) {
-        set_config().set_preferred_did_method(verifier_did_method);
-
-        let verification_services = VerificationServices::default();
-        let siopv2_client_metadata = verification_services.siopv2_client_metadata.clone();
-        let oid4vp_client_metadata = verification_services.oid4vp_client_metadata.clone();
-
-        AuthorizationRequestTestFramework::with(verification_services)
-            .given_no_previous_events()
-            .when(AuthorizationRequestCommand::CreateAuthorizationRequest {
-                state: "state".to_string(),
-                nonce: "nonce".to_string(),
-                dcql_query: None,
-            })
-            .then_expect_events(vec![
-                AuthorizationRequestEvent::AuthorizationRequestCreated {
-                    authorization_request: Box::new(
-                        authorization_request(
-                            "id_token",
-                            &verifier_did_method.to_string(),
-                            siopv2_client_metadata,
-                            oid4vp_client_metadata,
-                        )
-                        .await,
-                    ),
-                },
-                AuthorizationRequestEvent::FormUrlEncodedAuthorizationRequestCreated {
-                    form_url_encoded_authorization_request: form_url_encoded_authorization_request(
-                        "id_token",
-                        &verifier_did_method.to_string(),
-                    ),
-                },
-            ]);
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_sign_authorization_request_object(
-        #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] verifier_did_method: SupportedDidMethod,
-    ) {
-        set_config().set_preferred_did_method(verifier_did_method);
-
-        let verification_services = VerificationServices::default();
-        let siopv2_client_metadata = verification_services.siopv2_client_metadata.clone();
-        let oid4vp_client_metadata = verification_services.oid4vp_client_metadata.clone();
-
-        AuthorizationRequestTestFramework::with(verification_services)
-            .given(vec![
-                AuthorizationRequestEvent::AuthorizationRequestCreated {
-                    authorization_request: Box::new(
-                        authorization_request(
-                            "id_token",
-                            &verifier_did_method.to_string(),
-                            siopv2_client_metadata,
-                            oid4vp_client_metadata,
-                        )
-                        .await,
-                    ),
-                },
-                AuthorizationRequestEvent::FormUrlEncodedAuthorizationRequestCreated {
-                    form_url_encoded_authorization_request: form_url_encoded_authorization_request(
-                        "id_token",
-                        &verifier_did_method.to_string(),
-                    ),
-                },
-            ])
-            .when(AuthorizationRequestCommand::SignAuthorizationRequestObject)
-            .then_expect_events(vec![AuthorizationRequestEvent::AuthorizationRequestObjectSigned {
-                signed_authorization_request_object: signed_authorization_request_object(
-                    &verifier_did_method.to_string(),
-                ),
-            }]);
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_verify_siopv2_authorization_response(
-        // TODO: add `did:web`, check for other tests as well. Probably should be moved to E2E test.
-        #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] verifier_did_method: SupportedDidMethod,
-        #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] provider_did_method: SupportedDidMethod,
-    ) {
-        set_config().set_preferred_did_method(verifier_did_method);
-
-        let verification_services = VerificationServices::default();
-        let siopv2_client_metadata = verification_services.siopv2_client_metadata.clone();
-        let oid4vp_client_metadata = verification_services.oid4vp_client_metadata.clone();
-
-        let authorization_request = authorization_request(
-            "id_token",
-            &verifier_did_method.to_string(),
-            siopv2_client_metadata,
-            oid4vp_client_metadata,
-        )
-        .await;
-
-        let authorization_response =
-            authorization_response(&provider_did_method.to_string(), &authorization_request).await;
-
-        let id_token = match &authorization_response {
-            GenericAuthorizationResponse::SIOPv2(siopv2_response) => siopv2_response.extension.id_token.clone(),
-            _ => panic!("Expected SIOPv2 authorization response."),
-        };
-
-        AuthorizationRequestTestFramework::with(verification_services)
-            .given_no_previous_events()
-            .when(AuthorizationRequestCommand::VerifyAuthorizationResponse {
-                authorization_request,
-                authorization_response,
-            })
-            .then_expect_events(vec![AuthorizationRequestEvent::SIOPv2AuthorizationResponseVerified {
-                id_token,
-                state: Some("state".to_string()),
-            }]);
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_verify_oid4vp_authorization_response(
-        // TODO: add `did:web`, check for other tests as well. Probably should be moved to E2E test.
-        #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] verifier_did_method: SupportedDidMethod,
-        #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] provider_did_method: SupportedDidMethod,
-    ) {
-        set_config().set_preferred_did_method(verifier_did_method);
-
-        let verification_services = VerificationServices::default();
-        let oid4vp_client_metadata = verification_services.oid4vp_client_metadata.clone();
-        let siopv2_client_metadata = verification_services.siopv2_client_metadata.clone();
-
-        let authorization_request = authorization_request(
-            "vp_token",
-            &verifier_did_method.to_string(),
-            siopv2_client_metadata,
-            oid4vp_client_metadata,
-        )
-        .await;
-
-        let authorization_response =
-            authorization_response(&provider_did_method.to_string(), &authorization_request).await;
-
-        let decoded_vp_token = match &authorization_response {
-            GenericAuthorizationResponse::OID4VP(oid4vp_response) => verification_services
-                .relying_party
-                .validate_response(oid4vp_response)
-                .await
-                .unwrap(),
-            _ => panic!("Expected OID4VP response"),
-        };
-
-        AuthorizationRequestTestFramework::with(verification_services)
-            .given_no_previous_events()
-            .when(AuthorizationRequestCommand::VerifyAuthorizationResponse {
-                authorization_request,
-                authorization_response,
-            })
-            .then_expect_events(vec![AuthorizationRequestEvent::OID4VPAuthorizationResponseVerified {
-                vp_token: decoded_vp_token,
-                state: Some("state".to_string()),
-            }]);
-    }
-
-    async fn authorization_response(
-        provider_did_method: &str,
-        authorization_request: &GenericAuthorizationRequest,
-    ) -> GenericAuthorizationResponse {
-        let provider_manager = ProviderManager::new(
-            Arc::new(Subject::default()),
-            vec![provider_did_method],
-            vec![Algorithm::ES256],
-        )
-        .unwrap();
-
-        match authorization_request {
-            GenericAuthorizationRequest::SIOPv2(siopv2_authorization_request) => GenericAuthorizationResponse::SIOPv2(
-                provider_manager
-                    .generate_response(siopv2_authorization_request, Default::default())
-                    .await
-                    .unwrap(),
-            ),
-            GenericAuthorizationRequest::OID4VP(oid4vp_authorization_request) => {
-                let vp_token = create_simple_vp_token(provider_did_method).await;
-
-                GenericAuthorizationResponse::OID4VP(
-                    provider_manager
-                        .generate_response(oid4vp_authorization_request, vp_token)
-                        .await
-                        .unwrap(),
-                )
-            }
-        }
-    }
-
-    pub async fn verifier_did(did_method: &str) -> String {
-        VERIFIER.identifier(did_method, Algorithm::EdDSA).await.unwrap()
-    }
-
-    pub async fn authorization_request(
-        response_type: &str,
-        did_method: &str,
-        siopv2_client_metadata: ClientMetadataResource<siopv2::authorization_request::ClientMetadataParameters>,
-        oid4vp_client_metadata: ClientMetadataResource<oid4vp::authorization_request::ClientMetadataParameters>,
-    ) -> GenericAuthorizationRequest {
-        match response_type {
-            "id_token" => GenericAuthorizationRequest::SIOPv2(Box::new(
-                SIOPv2AuthorizationRequest::builder()
-                    .client_id(verifier_did(did_method).await)
-                    .scope(Scope::openid())
-                    .redirect_uri(REDIRECT_URI.clone())
-                    .response_mode("direct_post".to_string())
-                    .client_metadata(siopv2_client_metadata)
-                    .nonce("nonce".to_string())
-                    .state("state".to_string())
-                    .build()
-                    .unwrap(),
-            )),
-            "vp_token" => GenericAuthorizationRequest::OID4VP(Box::new(
-                OID4VPAuthorizationRequest::builder()
-                    .dcql_query(DCQL_QUERY.clone())
-                    .client_id(
-                        ClientId::from_str(&format!("decentralized_identifier:{}", verifier_did(did_method).await))
-                            .unwrap(),
-                    )
-                    .scope(Scope::openid())
-                    .response_uri(RESPONSE_URI.clone())
-                    .response_mode("direct_post".to_string())
-                    .client_metadata(oid4vp_client_metadata)
-                    .nonce("nonce".to_string())
-                    .state("state".to_string())
-                    .build()
-                    .unwrap(),
-            )),
-            _ => unimplemented!(),
-        }
-    }
-
-    async fn create_simple_vp_token(provider_did_method: &str) -> VpToken {
-        // create a simple functional vp_token
-        let issuer = KeySubject::from_keypair(generate::<Ed25519KeyPair>(Some("test-issuer-key".as_bytes())), None);
-        let issuer_did = issuer.identifier(provider_did_method, Algorithm::EdDSA).await.unwrap();
-
-        let subject = Arc::new(KeySubject::from_keypair(
-            generate::<Ed25519KeyPair>(Some("test-subject-key".as_bytes())),
-            None,
-        ));
-        let subject_did = subject.identifier(provider_did_method, Algorithm::EdDSA).await.unwrap();
-
-        let verifiable_credential = VerifiableCredentialJwt::builder()
-            .sub(&subject_did)
-            .iss(&issuer_did)
-            .iat(0)
-            .exp(9999999999i64)
-            .verifiable_credential(serde_json::json!({
-                "@context": ["https://www.w3.org/2018/credentials/v1"],
-                "type": ["VerifiableCredential", "PersonalInformation"],
-                "issuanceDate": "2022-01-01T00:00:00Z",
-                "issuer": issuer_did,
-                "credentialSubject": {
-                    "id": subject_did,
-                    "givenName": "Ferris",
-                    "familyName": "Crabman",
-                    "email": "ferris.crabman@crabmail.com",
-                    "birthdate": "1985-05-21"
-                }
-            }))
-            .build()
-            .unwrap();
-
-        // Encode as JWT with proper headers
-        let vc_jwt = jwt::encode(
-            subject.clone(),
-            Header {
-                alg: Algorithm::EdDSA,
-                ..Default::default()
-            },
-            &verifiable_credential,
-            provider_did_method,
-        )
-        .await
-        .unwrap();
-
-        let verifiable_presentation_jwt =
-            Presentation::builder(subject_did.parse().unwrap(), identity_core::common::Object::new())
-                .credential(Jwt::from(vc_jwt))
-                .build()
-                .unwrap();
-
-        let vp_jwt_claims = VerifiablePresentationJwt::builder()
-            .iss(subject_did.clone())
-            .sub(subject_did)
-            .aud("test_audience".to_string()) // might need to adjust this
-            .nonce("nonce".to_string())
-            .exp((Utc::now() + Duration::minutes(10)).timestamp())
-            .iat(Utc::now().timestamp())
-            .verifiable_presentation(verifiable_presentation_jwt)
-            .build()
-            .unwrap();
-
-        let vp_jwt = jwt::encode(
-            subject.clone(),
-            Header {
-                alg: Algorithm::EdDSA,
-                ..Default::default()
-            },
-            &vp_jwt_claims,
-            provider_did_method,
-        )
-        .await
-        .unwrap();
-
-        VpTokenBuilder::new()
-            .add_presentation(
-                CredentialQueryId::try_new("CredentialQuery".to_string()).unwrap(),
-                PresentationFormat::JwtVcJson(vp_jwt),
-            )
-            .build()
-            .unwrap()
-    }
-
-    pub fn form_url_encoded_authorization_request(response_type: &str, did_method: &str) -> String {
-        match (response_type, did_method) {
-            ("id_token", "did:key") => FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_KEY_SIOPV2.to_string(),
-            ("id_token", "did:jwk") => FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_JWK_SIOPV2.to_string(),
-            ("vp_token", "did:key") => FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_KEY_OID4VP.to_string(),
-            ("vp_token", "did:jwk") => FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_JWK_OID4VP.to_string(),
-            _ => unimplemented!("Unknown DID method: {}", did_method),
-        }
-    }
-
-    pub fn signed_authorization_request_object(did_method: &str) -> String {
-        match did_method {
-            "did:key" => SIGNED_AUTHORIZATION_REQUEST_OBJECT_DID_KEY.to_string(),
-            "did:jwk" => SIGNED_AUTHORIZATION_REQUEST_OBJECT_DID_JWK.to_string(),
-            _ => unimplemented!("Unknown DID method: {}", did_method),
-        }
-    }
-
-    lazy_static! {
-        pub static ref VERIFIER: Subject = Subject::default();
-        pub static ref REDIRECT_URI: url::Url = "https://my-domain.example.org/redirect".parse::<url::Url>().unwrap();
-        pub static ref RESPONSE_URI: url::Url = "https://my-domain.example.org/redirect".parse::<url::Url>().unwrap();
-        pub static ref DCQL_QUERY: DcqlQuery = DcqlQuery {
-            credentials: vec![CredentialQuery {
-                id: CredentialQueryId::try_new("CredentialQuery".to_string()).unwrap(),
-                format: Format::JwtVcJson,
-                multiple: None,
-                meta: Some(MetaTypes::W3CFormatMeta {
-                    type_values: vec![
-                        vec!["VerifiableCredential".to_string()],
-                        vec!["PersonalInformation".to_string()]
-                    ]
-                }),
-                trusted_authorities: None,
-                require_cryptographic_holder_binding: None,
-                claims: Some(vec![
-                    ClaimQuery {
-                        id: None,
-                        path: ClaimPathPointer::try_new(vec![
-                            ClaimPathElement::String("credentialSubject".to_string()),
-                            ClaimPathElement::String("givenName".to_string())
-                        ])
-                        .unwrap(),
-                        values: None,
-                    },
-                    ClaimQuery {
-                        id: None,
-                        path: ClaimPathPointer::try_new(vec![
-                            ClaimPathElement::String("credentialSubject".to_string()),
-                            ClaimPathElement::String("familyName".to_string())
-                        ])
-                        .unwrap(),
-                        values: None,
-                    },
-                    ClaimQuery {
-                        id: None,
-                        path: ClaimPathPointer::try_new(vec![
-                            ClaimPathElement::String("credentialSubject".to_string()),
-                            ClaimPathElement::String("email".to_string())
-                        ])
-                        .unwrap(),
-                        values: None,
-                    },
-                    ClaimQuery {
-                        id: None,
-                        path: ClaimPathPointer::try_new(vec![
-                            ClaimPathElement::String("credentialSubject".to_string()),
-                            ClaimPathElement::String("birthdate".to_string())
-                        ])
-                        .unwrap(),
-                        values: None,
-                    },
-                ]),
-                claim_sets: None,
-            }],
-            credential_sets: None,
-        };
-    }
-
-    const FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_KEY_OID4VP: &str = "\
-        openid://?\
-            client_id=decentralized_identifier%3Adid%3Akey%3Az6MkgE84NCMpMeAx9jK9cf5W4G8gcZ9xuwJvG1e7wNk8KCgt&\
-            request_uri=https%3A%2F%2Fmy-domain.example.org%2Frequest%2Fstate";
-    const FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_JWK_OID4VP: &str = "\
-        openid://?\
-            client_id=decentralized_identifier%3Adid%3Ajwk%3AeyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJiUUtRUnphb3A3Q2dFdnFWcThVbGdMR3NkRi1SLWhuTEZrS0ZacVcyVk4wIiwia3R5IjoiT0tQIiwieCI6Ikdsbks5ZVBzODAyWHhBZ2xST1F6b0d1cm05UXB2MElGUEViZE1DSUxOX1UifQ&\
-            request_uri=https%3A%2F%2Fmy-domain.example.org%2Frequest%2Fstate";
-    const FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_KEY_SIOPV2: &str = "\
-        openid://?\
-            client_id=did%3Akey%3Az6MkgE84NCMpMeAx9jK9cf5W4G8gcZ9xuwJvG1e7wNk8KCgt&\
-            request_uri=https%3A%2F%2Fmy-domain.example.org%2Frequest%2Fstate";
-    const FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_JWK_SIOPV2: &str = "\
-        openid://?\
-            client_id=did%3Ajwk%3AeyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJiUUtRUnphb3A3Q2dFdnFWcThVbGdMR3NkRi1SLWhuTEZrS0ZacVcyVk4wIiwia3R5IjoiT0tQIiwieCI6Ikdsbks5ZVBzODAyWHhBZ2xST1F6b0d1cm05UXB2MElGUEViZE1DSUxOX1UifQ&\
-            request_uri=https%3A%2F%2Fmy-domain.example.org%2Frequest%2Fstate";
-    const SIGNED_AUTHORIZATION_REQUEST_OBJECT_DID_KEY: &str = "eyJ0eXAiOiJvYXV0aC1hdXRoei1yZXErand0IiwiYWxnIjoiRVMyNTYiLCJraWQiOiJkaWQ6a2V5OnpEbmFlUndUNGc2QVpDSHp4dk5MN0RManFUYVQ4OGFtNFhSNlRVR3JLcjZEWGo2VHojekRuYWVSd1Q0ZzZBWkNIenh2Tkw3RExqcVRhVDg4YW00WFI2VFVHcktyNkRYajZUeiJ9.eyJjbGllbnRfaWQiOiJkaWQ6a2V5Ono2TWtnRTg0TkNNcE1lQXg5aks5Y2Y1VzRHOGdjWjl4dXdKdkcxZTd3Tms4S0NndCIsInJlZGlyZWN0X3VyaSI6Imh0dHBzOi8vbXktZG9tYWluLmV4YW1wbGUub3JnL3JlZGlyZWN0Iiwic3RhdGUiOiJzdGF0ZSIsInJlc3BvbnNlX3R5cGUiOiJpZF90b2tlbiIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfbW9kZSI6ImRpcmVjdF9wb3N0Iiwibm9uY2UiOiJub25jZSIsImNsaWVudF9tZXRhZGF0YSI6eyJjbGllbnRfbmFtZSI6IlVuaUNvcmUiLCJsb2dvX3VyaSI6Imh0dHBzOi8vd3d3LmltcGllcmNlLmNvbS9leHRlcm5hbC9pbXBpZXJjZS1pY29uLnBuZyIsInN1YmplY3Rfc3ludGF4X3R5cGVzX3N1cHBvcnRlZCI6WyJkaWQ6andrIiwiZGlkOmtleSJdLCJpZF90b2tlbl9zaWduZWRfcmVzcG9uc2VfYWxnIjoiRVMyNTYiLCJpZF90b2tlbl9zaWduaW5nX2FsZ192YWx1ZXNfc3VwcG9ydGVkIjpbIkVTMjU2IiwiRWREU0EiXX19.blBC3CrvKp2lTEsT-L_LwssLyeUm00JD0__n0TiEsDR63iQY__QOKjWG5eqEnDtmHhxgE7aRh9Nf5INo20mFEw";
-    const SIGNED_AUTHORIZATION_REQUEST_OBJECT_DID_JWK: &str = "eyJ0eXAiOiJvYXV0aC1hdXRoei1yZXErand0IiwiYWxnIjoiRVMyNTYiLCJraWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaWIwOVpNbVJOVmxVM1IwczFZV3d4Y1RkRlFYaDFiMWxzYjNoTlVXeDJOVnBPV2s5aGRHbFZXRkZJWnlJc0ltdDBlU0k2SWtWRElpd2llQ0k2SWtadGF6RXpaMDh5VTBkTVluVllaVXd5TkhGS1VFaERUbTVqYmtrMmJFSjFObHBSVERKRlZscDJORVVpTENKNUlqb2labm95UzNaTmFIVm1lbFZ3VFdWTU9TMUxNbkpsT1daM1FUTnRlbWN4WW5CbVltTmxTVkZUZFdsb1dTSjkjMCJ9.eyJjbGllbnRfaWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlpFUlRRU0lzSW1OeWRpSTZJa1ZrTWpVMU1Ua2lMQ0pyYVdRaU9pSmlVVXRSVW5waGIzQTNRMmRGZG5GV2NUaFZiR2RNUjNOa1JpMVNMV2h1VEVaclMwWmFjVmN5Vms0d0lpd2lhM1I1SWpvaVQwdFFJaXdpZUNJNklrZHNia3M1WlZCek9EQXlXSGhCWjJ4U1QxRjZiMGQxY20wNVVYQjJNRWxHVUVWaVpFMURTVXhPWDFVaWZRIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9teS1kb21haW4uZXhhbXBsZS5vcmcvcmVkaXJlY3QiLCJzdGF0ZSI6InN0YXRlIiwicmVzcG9uc2VfdHlwZSI6ImlkX3Rva2VuIiwic2NvcGUiOiJvcGVuaWQiLCJyZXNwb25zZV9tb2RlIjoiZGlyZWN0X3Bvc3QiLCJub25jZSI6Im5vbmNlIiwiY2xpZW50X21ldGFkYXRhIjp7ImNsaWVudF9uYW1lIjoiVW5pQ29yZSIsImxvZ29fdXJpIjoiaHR0cHM6Ly93d3cuaW1waWVyY2UuY29tL2V4dGVybmFsL2ltcGllcmNlLWljb24ucG5nIiwic3ViamVjdF9zeW50YXhfdHlwZXNfc3VwcG9ydGVkIjpbImRpZDpqd2siLCJkaWQ6a2V5Il0sImlkX3Rva2VuX3NpZ25lZF9yZXNwb25zZV9hbGciOiJFUzI1NiIsImlkX3Rva2VuX3NpZ25pbmdfYWxnX3ZhbHVlc19zdXBwb3J0ZWQiOlsiRVMyNTYiLCJFZERTQSJdfX0.Ts-MAI9gGZcX12RtANn-3B6vvRWinElNqmfnx0YkDUIe6cLC3TudLuQLbjcLahvwyVSbz_46oIPWpll19W3ylA";
-}
+// #[cfg(test)]
+// pub mod tests {
+
+//     use agent_secret_manager::service::Service as _;
+//     use agent_secret_manager::subject::Subject;
+//     use agent_shared::config::set_config;
+//     use agent_shared::config::SupportedDidMethod;
+//     use chrono::{Duration, Utc};
+//     use cqrs_es::test::TestFramework;
+//     use did_key::{generate, Ed25519KeyPair};
+//     use identity_credential::{credential::Jwt, presentation::Presentation};
+//     use jsonwebtoken::Algorithm;
+//     use jsonwebtoken::Header;
+//     use lazy_static::lazy_static;
+//     use oid4vc_core::claim_path_pointer::{ClaimPathElement, ClaimPathPointer};
+//     use oid4vc_core::client_metadata::ClientMetadataResource;
+//     use oid4vc_core::jwt;
+//     use oid4vc_core::Subject as _;
+//     use oid4vc_manager::methods::key_method::KeySubject;
+//     use oid4vc_manager::ProviderManager;
+//     use oid4vci::VerifiableCredentialJwt;
+//     use oid4vp::authorization_request::ClientId;
+//     use oid4vp::dcql::dcql_query::{ClaimQuery, CredentialQuery, CredentialQueryId, DcqlQuery, Format, MetaTypes};
+//     use oid4vp::token::verifiable_presentation_jwt::VerifiablePresentationJwt;
+//     use oid4vp::token::vp_token::{PresentationFormat, VpToken};
+//     use oid4vp::token::vp_token_builder::VpTokenBuilder;
+//     use rstest::rstest;
+//     use std::str::FromStr;
+//     use std::sync::Arc;
+
+//     use super::*;
+
+//     type AuthorizationRequestTestFramework = TestFramework<AuthorizationRequest>;
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_create_authorization_request(
+//         #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] verifier_did_method: SupportedDidMethod,
+//     ) {
+//         set_config().set_preferred_did_method(verifier_did_method);
+
+//         let verification_services = VerificationServices::default();
+//         let siopv2_client_metadata = verification_services.siopv2_client_metadata.clone();
+//         let oid4vp_client_metadata = verification_services.oid4vp_client_metadata.clone();
+
+//         AuthorizationRequestTestFramework::with(verification_services)
+//             .given_no_previous_events()
+//             .when(AuthorizationRequestCommand::CreateAuthorizationRequest {
+//                 state: "state".to_string(),
+//                 nonce: "nonce".to_string(),
+//                 dcql_query: None,
+//             })
+//             .then_expect_events(vec![
+//                 AuthorizationRequestEvent::AuthorizationRequestCreated {
+//                     authorization_request: Box::new(
+//                         authorization_request(
+//                             "id_token",
+//                             &verifier_did_method.to_string(),
+//                             siopv2_client_metadata,
+//                             oid4vp_client_metadata,
+//                         )
+//                         .await,
+//                     ),
+//                 },
+//                 AuthorizationRequestEvent::FormUrlEncodedAuthorizationRequestCreated {
+//                     form_url_encoded_authorization_request: form_url_encoded_authorization_request(
+//                         "id_token",
+//                         &verifier_did_method.to_string(),
+//                     ),
+//                 },
+//             ]);
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_sign_authorization_request_object(
+//         #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] verifier_did_method: SupportedDidMethod,
+//     ) {
+//         set_config().set_preferred_did_method(verifier_did_method);
+
+//         let verification_services = VerificationServices::default();
+//         let siopv2_client_metadata = verification_services.siopv2_client_metadata.clone();
+//         let oid4vp_client_metadata = verification_services.oid4vp_client_metadata.clone();
+
+//         AuthorizationRequestTestFramework::with(verification_services)
+//             .given(vec![
+//                 AuthorizationRequestEvent::AuthorizationRequestCreated {
+//                     authorization_request: Box::new(
+//                         authorization_request(
+//                             "id_token",
+//                             &verifier_did_method.to_string(),
+//                             siopv2_client_metadata,
+//                             oid4vp_client_metadata,
+//                         )
+//                         .await,
+//                     ),
+//                 },
+//                 AuthorizationRequestEvent::FormUrlEncodedAuthorizationRequestCreated {
+//                     form_url_encoded_authorization_request: form_url_encoded_authorization_request(
+//                         "id_token",
+//                         &verifier_did_method.to_string(),
+//                     ),
+//                 },
+//             ])
+//             .when(AuthorizationRequestCommand::SignAuthorizationRequestObject)
+//             .then_expect_events(vec![AuthorizationRequestEvent::AuthorizationRequestObjectSigned {
+//                 signed_authorization_request_object: signed_authorization_request_object(
+//                     &verifier_did_method.to_string(),
+//                 ),
+//             }]);
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_verify_siopv2_authorization_response(
+//         // TODO: add `did:web`, check for other tests as well. Probably should be moved to E2E test.
+//         #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] verifier_did_method: SupportedDidMethod,
+//         #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] provider_did_method: SupportedDidMethod,
+//     ) {
+//         set_config().set_preferred_did_method(verifier_did_method);
+
+//         let verification_services = VerificationServices::default();
+//         let siopv2_client_metadata = verification_services.siopv2_client_metadata.clone();
+//         let oid4vp_client_metadata = verification_services.oid4vp_client_metadata.clone();
+
+//         let authorization_request = authorization_request(
+//             "id_token",
+//             &verifier_did_method.to_string(),
+//             siopv2_client_metadata,
+//             oid4vp_client_metadata,
+//         )
+//         .await;
+
+//         let authorization_response =
+//             authorization_response(&provider_did_method.to_string(), &authorization_request).await;
+
+//         let id_token = match &authorization_response {
+//             GenericAuthorizationResponse::SIOPv2(siopv2_response) => siopv2_response.extension.id_token.clone(),
+//             _ => panic!("Expected SIOPv2 authorization response."),
+//         };
+
+//         AuthorizationRequestTestFramework::with(verification_services)
+//             .given_no_previous_events()
+//             .when(AuthorizationRequestCommand::VerifyAuthorizationResponse {
+//                 authorization_request,
+//                 authorization_response,
+//             })
+//             .then_expect_events(vec![AuthorizationRequestEvent::SIOPv2AuthorizationResponseVerified {
+//                 id_token,
+//                 state: Some("state".to_string()),
+//             }]);
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_verify_oid4vp_authorization_response(
+//         // TODO: add `did:web`, check for other tests as well. Probably should be moved to E2E test.
+//         #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] verifier_did_method: SupportedDidMethod,
+//         #[values(SupportedDidMethod::Key, SupportedDidMethod::Jwk)] provider_did_method: SupportedDidMethod,
+//     ) {
+//         set_config().set_preferred_did_method(verifier_did_method);
+
+//         let verification_services = VerificationServices::default();
+//         let oid4vp_client_metadata = verification_services.oid4vp_client_metadata.clone();
+//         let siopv2_client_metadata = verification_services.siopv2_client_metadata.clone();
+
+//         let authorization_request = authorization_request(
+//             "vp_token",
+//             &verifier_did_method.to_string(),
+//             siopv2_client_metadata,
+//             oid4vp_client_metadata,
+//         )
+//         .await;
+
+//         let authorization_response =
+//             authorization_response(&provider_did_method.to_string(), &authorization_request).await;
+
+//         let decoded_vp_token = match &authorization_response {
+//             GenericAuthorizationResponse::OID4VP(oid4vp_response) => verification_services
+//                 .relying_party
+//                 .validate_response(oid4vp_response)
+//                 .await
+//                 .unwrap(),
+//             _ => panic!("Expected OID4VP response"),
+//         };
+
+//         AuthorizationRequestTestFramework::with(verification_services)
+//             .given_no_previous_events()
+//             .when(AuthorizationRequestCommand::VerifyAuthorizationResponse {
+//                 authorization_request,
+//                 authorization_response,
+//             })
+//             .then_expect_events(vec![AuthorizationRequestEvent::OID4VPAuthorizationResponseVerified {
+//                 vp_token: decoded_vp_token,
+//                 state: Some("state".to_string()),
+//             }]);
+//     }
+
+//     async fn authorization_response(
+//         provider_did_method: &str,
+//         authorization_request: &GenericAuthorizationRequest,
+//     ) -> GenericAuthorizationResponse {
+//         let provider_manager = ProviderManager::new(
+//             Arc::new(Subject::default()),
+//             vec![provider_did_method],
+//             vec![Algorithm::ES256],
+//         )
+//         .unwrap();
+
+//         match authorization_request {
+//             GenericAuthorizationRequest::SIOPv2(siopv2_authorization_request) => GenericAuthorizationResponse::SIOPv2(
+//                 provider_manager
+//                     .generate_response(siopv2_authorization_request, Default::default())
+//                     .await
+//                     .unwrap(),
+//             ),
+//             GenericAuthorizationRequest::OID4VP(oid4vp_authorization_request) => {
+//                 let vp_token = create_simple_vp_token(provider_did_method).await;
+
+//                 GenericAuthorizationResponse::OID4VP(
+//                     provider_manager
+//                         .generate_response(oid4vp_authorization_request, vp_token)
+//                         .await
+//                         .unwrap(),
+//                 )
+//             }
+//         }
+//     }
+
+//     pub async fn verifier_did(did_method: &str) -> String {
+//         VERIFIER.identifier(did_method, Algorithm::EdDSA).await.unwrap()
+//     }
+
+//     pub async fn authorization_request(
+//         response_type: &str,
+//         did_method: &str,
+//         siopv2_client_metadata: ClientMetadataResource<siopv2::authorization_request::ClientMetadataParameters>,
+//         oid4vp_client_metadata: ClientMetadataResource<oid4vp::authorization_request::ClientMetadataParameters>,
+//     ) -> GenericAuthorizationRequest {
+//         match response_type {
+//             "id_token" => GenericAuthorizationRequest::SIOPv2(Box::new(
+//                 SIOPv2AuthorizationRequest::builder()
+//                     .client_id(verifier_did(did_method).await)
+//                     .scope(Scope::openid())
+//                     .redirect_uri(REDIRECT_URI.clone())
+//                     .response_mode("direct_post".to_string())
+//                     .client_metadata(siopv2_client_metadata)
+//                     .nonce("nonce".to_string())
+//                     .state("state".to_string())
+//                     .build()
+//                     .unwrap(),
+//             )),
+//             "vp_token" => GenericAuthorizationRequest::OID4VP(Box::new(
+//                 OID4VPAuthorizationRequest::builder()
+//                     .dcql_query(DCQL_QUERY.clone())
+//                     .client_id(
+//                         ClientId::from_str(&format!("decentralized_identifier:{}", verifier_did(did_method).await))
+//                             .unwrap(),
+//                     )
+//                     .scope(Scope::openid())
+//                     .response_uri(RESPONSE_URI.clone())
+//                     .response_mode("direct_post".to_string())
+//                     .client_metadata(oid4vp_client_metadata)
+//                     .nonce("nonce".to_string())
+//                     .state("state".to_string())
+//                     .build()
+//                     .unwrap(),
+//             )),
+//             _ => unimplemented!(),
+//         }
+//     }
+
+//     async fn create_simple_vp_token(provider_did_method: &str) -> VpToken {
+//         // create a simple functional vp_token
+//         let issuer = KeySubject::from_keypair(generate::<Ed25519KeyPair>(Some("test-issuer-key".as_bytes())), None);
+//         let issuer_did = issuer.identifier(provider_did_method, Algorithm::EdDSA).await.unwrap();
+
+//         let subject = Arc::new(KeySubject::from_keypair(
+//             generate::<Ed25519KeyPair>(Some("test-subject-key".as_bytes())),
+//             None,
+//         ));
+//         let subject_did = subject.identifier(provider_did_method, Algorithm::EdDSA).await.unwrap();
+
+//         let verifiable_credential = VerifiableCredentialJwt::builder()
+//             .sub(&subject_did)
+//             .iss(&issuer_did)
+//             .iat(0)
+//             .exp(9999999999i64)
+//             .verifiable_credential(serde_json::json!({
+//                 "@context": ["https://www.w3.org/2018/credentials/v1"],
+//                 "type": ["VerifiableCredential", "PersonalInformation"],
+//                 "issuanceDate": "2022-01-01T00:00:00Z",
+//                 "issuer": issuer_did,
+//                 "credentialSubject": {
+//                     "id": subject_did,
+//                     "givenName": "Ferris",
+//                     "familyName": "Crabman",
+//                     "email": "ferris.crabman@crabmail.com",
+//                     "birthdate": "1985-05-21"
+//                 }
+//             }))
+//             .build()
+//             .unwrap();
+
+//         // Encode as JWT with proper headers
+//         let vc_jwt = jwt::encode(
+//             subject.clone(),
+//             Header {
+//                 alg: Algorithm::EdDSA,
+//                 ..Default::default()
+//             },
+//             &verifiable_credential,
+//             provider_did_method,
+//         )
+//         .await
+//         .unwrap();
+
+//         let verifiable_presentation_jwt =
+//             Presentation::builder(subject_did.parse().unwrap(), identity_core::common::Object::new())
+//                 .credential(Jwt::from(vc_jwt))
+//                 .build()
+//                 .unwrap();
+
+//         let vp_jwt_claims = VerifiablePresentationJwt::builder()
+//             .iss(subject_did.clone())
+//             .sub(subject_did)
+//             .aud("test_audience".to_string()) // might need to adjust this
+//             .nonce("nonce".to_string())
+//             .exp((Utc::now() + Duration::minutes(10)).timestamp())
+//             .iat(Utc::now().timestamp())
+//             .verifiable_presentation(verifiable_presentation_jwt)
+//             .build()
+//             .unwrap();
+
+//         let vp_jwt = jwt::encode(
+//             subject.clone(),
+//             Header {
+//                 alg: Algorithm::EdDSA,
+//                 ..Default::default()
+//             },
+//             &vp_jwt_claims,
+//             provider_did_method,
+//         )
+//         .await
+//         .unwrap();
+
+//         VpTokenBuilder::new()
+//             .add_presentation(
+//                 CredentialQueryId::try_new("CredentialQuery".to_string()).unwrap(),
+//                 PresentationFormat::JwtVcJson(vp_jwt),
+//             )
+//             .build()
+//             .unwrap()
+//     }
+
+//     pub fn form_url_encoded_authorization_request(response_type: &str, did_method: &str) -> String {
+//         match (response_type, did_method) {
+//             ("id_token", "did:key") => FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_KEY_SIOPV2.to_string(),
+//             ("id_token", "did:jwk") => FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_JWK_SIOPV2.to_string(),
+//             ("vp_token", "did:key") => FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_KEY_OID4VP.to_string(),
+//             ("vp_token", "did:jwk") => FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_JWK_OID4VP.to_string(),
+//             _ => unimplemented!("Unknown DID method: {}", did_method),
+//         }
+//     }
+
+//     pub fn signed_authorization_request_object(did_method: &str) -> String {
+//         match did_method {
+//             "did:key" => SIGNED_AUTHORIZATION_REQUEST_OBJECT_DID_KEY.to_string(),
+//             "did:jwk" => SIGNED_AUTHORIZATION_REQUEST_OBJECT_DID_JWK.to_string(),
+//             _ => unimplemented!("Unknown DID method: {}", did_method),
+//         }
+//     }
+
+//     lazy_static! {
+//         pub static ref VERIFIER: Subject = Subject::default();
+//         pub static ref REDIRECT_URI: url::Url = "https://my-domain.example.org/redirect".parse::<url::Url>().unwrap();
+//         pub static ref RESPONSE_URI: url::Url = "https://my-domain.example.org/redirect".parse::<url::Url>().unwrap();
+//         pub static ref DCQL_QUERY: DcqlQuery = DcqlQuery {
+//             credentials: vec![CredentialQuery {
+//                 id: CredentialQueryId::try_new("CredentialQuery".to_string()).unwrap(),
+//                 format: Format::JwtVcJson,
+//                 multiple: None,
+//                 meta: Some(MetaTypes::W3CFormatMeta {
+//                     type_values: vec![
+//                         vec!["VerifiableCredential".to_string()],
+//                         vec!["PersonalInformation".to_string()]
+//                     ]
+//                 }),
+//                 trusted_authorities: None,
+//                 require_cryptographic_holder_binding: None,
+//                 claims: Some(vec![
+//                     ClaimQuery {
+//                         id: None,
+//                         path: ClaimPathPointer::try_new(vec![
+//                             ClaimPathElement::String("credentialSubject".to_string()),
+//                             ClaimPathElement::String("givenName".to_string())
+//                         ])
+//                         .unwrap(),
+//                         values: None,
+//                     },
+//                     ClaimQuery {
+//                         id: None,
+//                         path: ClaimPathPointer::try_new(vec![
+//                             ClaimPathElement::String("credentialSubject".to_string()),
+//                             ClaimPathElement::String("familyName".to_string())
+//                         ])
+//                         .unwrap(),
+//                         values: None,
+//                     },
+//                     ClaimQuery {
+//                         id: None,
+//                         path: ClaimPathPointer::try_new(vec![
+//                             ClaimPathElement::String("credentialSubject".to_string()),
+//                             ClaimPathElement::String("email".to_string())
+//                         ])
+//                         .unwrap(),
+//                         values: None,
+//                     },
+//                     ClaimQuery {
+//                         id: None,
+//                         path: ClaimPathPointer::try_new(vec![
+//                             ClaimPathElement::String("credentialSubject".to_string()),
+//                             ClaimPathElement::String("birthdate".to_string())
+//                         ])
+//                         .unwrap(),
+//                         values: None,
+//                     },
+//                 ]),
+//                 claim_sets: None,
+//             }],
+//             credential_sets: None,
+//         };
+//     }
+
+//     const FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_KEY_OID4VP: &str = "\
+//         openid://?\
+//             client_id=decentralized_identifier%3Adid%3Akey%3Az6MkgE84NCMpMeAx9jK9cf5W4G8gcZ9xuwJvG1e7wNk8KCgt&\
+//             request_uri=https%3A%2F%2Fmy-domain.example.org%2Frequest%2Fstate";
+//     const FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_JWK_OID4VP: &str = "\
+//         openid://?\
+//             client_id=decentralized_identifier%3Adid%3Ajwk%3AeyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJiUUtRUnphb3A3Q2dFdnFWcThVbGdMR3NkRi1SLWhuTEZrS0ZacVcyVk4wIiwia3R5IjoiT0tQIiwieCI6Ikdsbks5ZVBzODAyWHhBZ2xST1F6b0d1cm05UXB2MElGUEViZE1DSUxOX1UifQ&\
+//             request_uri=https%3A%2F%2Fmy-domain.example.org%2Frequest%2Fstate";
+//     const FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_KEY_SIOPV2: &str = "\
+//         openid://?\
+//             client_id=did%3Akey%3Az6MkgE84NCMpMeAx9jK9cf5W4G8gcZ9xuwJvG1e7wNk8KCgt&\
+//             request_uri=https%3A%2F%2Fmy-domain.example.org%2Frequest%2Fstate";
+//     const FORM_URL_ENCODED_AUTHORIZATION_REQUEST_DID_JWK_SIOPV2: &str = "\
+//         openid://?\
+//             client_id=did%3Ajwk%3AeyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJiUUtRUnphb3A3Q2dFdnFWcThVbGdMR3NkRi1SLWhuTEZrS0ZacVcyVk4wIiwia3R5IjoiT0tQIiwieCI6Ikdsbks5ZVBzODAyWHhBZ2xST1F6b0d1cm05UXB2MElGUEViZE1DSUxOX1UifQ&\
+//             request_uri=https%3A%2F%2Fmy-domain.example.org%2Frequest%2Fstate";
+//     const SIGNED_AUTHORIZATION_REQUEST_OBJECT_DID_KEY: &str = "eyJ0eXAiOiJvYXV0aC1hdXRoei1yZXErand0IiwiYWxnIjoiRVMyNTYiLCJraWQiOiJkaWQ6a2V5OnpEbmFlUndUNGc2QVpDSHp4dk5MN0RManFUYVQ4OGFtNFhSNlRVR3JLcjZEWGo2VHojekRuYWVSd1Q0ZzZBWkNIenh2Tkw3RExqcVRhVDg4YW00WFI2VFVHcktyNkRYajZUeiJ9.eyJjbGllbnRfaWQiOiJkaWQ6a2V5Ono2TWtnRTg0TkNNcE1lQXg5aks5Y2Y1VzRHOGdjWjl4dXdKdkcxZTd3Tms4S0NndCIsInJlZGlyZWN0X3VyaSI6Imh0dHBzOi8vbXktZG9tYWluLmV4YW1wbGUub3JnL3JlZGlyZWN0Iiwic3RhdGUiOiJzdGF0ZSIsInJlc3BvbnNlX3R5cGUiOiJpZF90b2tlbiIsInNjb3BlIjoib3BlbmlkIiwicmVzcG9uc2VfbW9kZSI6ImRpcmVjdF9wb3N0Iiwibm9uY2UiOiJub25jZSIsImNsaWVudF9tZXRhZGF0YSI6eyJjbGllbnRfbmFtZSI6IlVuaUNvcmUiLCJsb2dvX3VyaSI6Imh0dHBzOi8vd3d3LmltcGllcmNlLmNvbS9leHRlcm5hbC9pbXBpZXJjZS1pY29uLnBuZyIsInN1YmplY3Rfc3ludGF4X3R5cGVzX3N1cHBvcnRlZCI6WyJkaWQ6andrIiwiZGlkOmtleSJdLCJpZF90b2tlbl9zaWduZWRfcmVzcG9uc2VfYWxnIjoiRVMyNTYiLCJpZF90b2tlbl9zaWduaW5nX2FsZ192YWx1ZXNfc3VwcG9ydGVkIjpbIkVTMjU2IiwiRWREU0EiXX19.blBC3CrvKp2lTEsT-L_LwssLyeUm00JD0__n0TiEsDR63iQY__QOKjWG5eqEnDtmHhxgE7aRh9Nf5INo20mFEw";
+//     const SIGNED_AUTHORIZATION_REQUEST_OBJECT_DID_JWK: &str = "eyJ0eXAiOiJvYXV0aC1hdXRoei1yZXErand0IiwiYWxnIjoiRVMyNTYiLCJraWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaWIwOVpNbVJOVmxVM1IwczFZV3d4Y1RkRlFYaDFiMWxzYjNoTlVXeDJOVnBPV2s5aGRHbFZXRkZJWnlJc0ltdDBlU0k2SWtWRElpd2llQ0k2SWtadGF6RXpaMDh5VTBkTVluVllaVXd5TkhGS1VFaERUbTVqYmtrMmJFSjFObHBSVERKRlZscDJORVVpTENKNUlqb2labm95UzNaTmFIVm1lbFZ3VFdWTU9TMUxNbkpsT1daM1FUTnRlbWN4WW5CbVltTmxTVkZUZFdsb1dTSjkjMCJ9.eyJjbGllbnRfaWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlpFUlRRU0lzSW1OeWRpSTZJa1ZrTWpVMU1Ua2lMQ0pyYVdRaU9pSmlVVXRSVW5waGIzQTNRMmRGZG5GV2NUaFZiR2RNUjNOa1JpMVNMV2h1VEVaclMwWmFjVmN5Vms0d0lpd2lhM1I1SWpvaVQwdFFJaXdpZUNJNklrZHNia3M1WlZCek9EQXlXSGhCWjJ4U1QxRjZiMGQxY20wNVVYQjJNRWxHVUVWaVpFMURTVXhPWDFVaWZRIiwicmVkaXJlY3RfdXJpIjoiaHR0cHM6Ly9teS1kb21haW4uZXhhbXBsZS5vcmcvcmVkaXJlY3QiLCJzdGF0ZSI6InN0YXRlIiwicmVzcG9uc2VfdHlwZSI6ImlkX3Rva2VuIiwic2NvcGUiOiJvcGVuaWQiLCJyZXNwb25zZV9tb2RlIjoiZGlyZWN0X3Bvc3QiLCJub25jZSI6Im5vbmNlIiwiY2xpZW50X21ldGFkYXRhIjp7ImNsaWVudF9uYW1lIjoiVW5pQ29yZSIsImxvZ29fdXJpIjoiaHR0cHM6Ly93d3cuaW1waWVyY2UuY29tL2V4dGVybmFsL2ltcGllcmNlLWljb24ucG5nIiwic3ViamVjdF9zeW50YXhfdHlwZXNfc3VwcG9ydGVkIjpbImRpZDpqd2siLCJkaWQ6a2V5Il0sImlkX3Rva2VuX3NpZ25lZF9yZXNwb25zZV9hbGciOiJFUzI1NiIsImlkX3Rva2VuX3NpZ25pbmdfYWxnX3ZhbHVlc19zdXBwb3J0ZWQiOlsiRVMyNTYiLCJFZERTQSJdfX0.Ts-MAI9gGZcX12RtANn-3B6vvRWinElNqmfnx0YkDUIe6cLC3TudLuQLbjcLahvwyVSbz_46oIPWpll19W3ylA";
+// }

From 7922ce4aaa1916739651e8c0a307937776e42603 Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Tue, 30 Dec 2025 21:01:53 +0100
Subject: [PATCH 08/14] refactor: `agent_identity` and `agent_secret_manager`
 services

---
 Cargo.lock                                    |   2 +
 .../authorization_server/authorize.rs         |   2 +-
 .../authorization/authorization_server/par.rs |   2 +-
 .../authorization_server/token.rs             |   2 +-
 .../issuance/credential_issuer/credential.rs  |   2 +-
 .../credential_issuer/notification.rs         |   2 +-
 .../credential_issuer/token_status_list.rs    |   2 +-
 .../well_known/oauth_authorization_server.rs  |   2 +-
 .../well_known/openid_credential_issuer.rs    |   2 +-
 agent_api_http/src/v0/issuance/credentials.rs |   2 +-
 agent_api_http/src/v0/issuance/offers/mod.rs  |   2 +-
 .../v0/verification/authorization_requests.rs |   2 +-
 .../v0/verification/relying_party/redirect.rs |   2 +-
 .../v0/verification/relying_party/request.rs  |   2 +-
 agent_application/src/main.rs                 |  23 +-
 agent_authorization/src/services.rs           |   5 +-
 agent_holder/Cargo.toml                       |   1 +
 agent_holder/src/presentation/aggregate.rs    |   8 +-
 agent_holder/src/services.rs                  |  15 +-
 agent_identity/src/connection/aggregate.rs    |  72 ++--
 agent_identity/src/document/aggregate.rs      | 269 ++++++------
 agent_identity/src/service/aggregate.rs       | 385 +++++++++---------
 agent_identity/src/services.rs                |  36 +-
 agent_issuance/src/services.rs                |   5 +-
 agent_issuance/src/state.rs                   |   2 +-
 agent_secret_manager/src/lib.rs               |   3 +-
 .../src/managed_key/aggregate.rs              |   2 +-
 agent_secret_manager/src/service.rs           |  26 --
 agent_secret_manager/src/services.rs          |  14 +
 agent_secret_manager/src/subject.rs           | 244 -----------
 agent_store/src/lib.rs                        |   2 +-
 agent_verification/Cargo.toml                 |   1 +
 .../src/authorization_request/aggregate.rs    |   5 +-
 agent_verification/src/services.rs            |  12 +-
 34 files changed, 450 insertions(+), 708 deletions(-)
 delete mode 100644 agent_secret_manager/src/service.rs
 create mode 100644 agent_secret_manager/src/services.rs
 delete mode 100644 agent_secret_manager/src/subject.rs

diff --git a/Cargo.lock b/Cargo.lock
index f02d3fd4..a0507d6d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -247,6 +247,7 @@ dependencies = [
  "agent_api_http",
  "agent_authorization",
  "agent_holder",
+ "agent_identity",
  "agent_issuance",
  "agent_secret_manager",
  "agent_shared",
@@ -506,6 +507,7 @@ dependencies = [
 name = "agent_verification"
 version = "0.1.0"
 dependencies = [
+ "agent_identity",
  "agent_secret_manager",
  "agent_shared",
  "agent_verification",
diff --git a/agent_api_http/src/v0/authorization/authorization_server/authorize.rs b/agent_api_http/src/v0/authorization/authorization_server/authorize.rs
index 17f86265..5a24f8f7 100644
--- a/agent_api_http/src/v0/authorization/authorization_server/authorize.rs
+++ b/agent_api_http/src/v0/authorization/authorization_server/authorize.rs
@@ -40,7 +40,7 @@ pub mod tests {
     use crate::v0::issuance::offers::tests::offers;
     use crate::v0::{authorization, issuance};
     use agent_authorization::state::UNIME_CLIENT_ID;
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_store::in_memory::InMemory;
     use agent_store::{authorization_state, issuance_state};
     use axum::{
diff --git a/agent_api_http/src/v0/authorization/authorization_server/par.rs b/agent_api_http/src/v0/authorization/authorization_server/par.rs
index 7589d3e1..26e6b288 100644
--- a/agent_api_http/src/v0/authorization/authorization_server/par.rs
+++ b/agent_api_http/src/v0/authorization/authorization_server/par.rs
@@ -34,7 +34,7 @@ pub mod tests {
     use agent_authorization::{
         domain::oauth2_authorization_request::aggregate::test_utils::code_challenge, state::UNIME_REDIRECT_URI,
     };
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_store::{authorization_state, in_memory::InMemory, issuance_state};
     use axum::{
         body::Body,
diff --git a/agent_api_http/src/v0/authorization/authorization_server/token.rs b/agent_api_http/src/v0/authorization/authorization_server/token.rs
index 2776848e..6d329536 100644
--- a/agent_api_http/src/v0/authorization/authorization_server/token.rs
+++ b/agent_api_http/src/v0/authorization/authorization_server/token.rs
@@ -40,7 +40,7 @@ pub mod tests {
     use agent_authorization::{
         domain::oauth2_authorization_request::aggregate::test_utils::code_verifier, state::UNIME_REDIRECT_URI,
     };
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_store::{authorization_state, in_memory::InMemory, issuance_state};
     use axum::{
         body::Body,
diff --git a/agent_api_http/src/v0/issuance/credential_issuer/credential.rs b/agent_api_http/src/v0/issuance/credential_issuer/credential.rs
index e581101d..1e8fe3f4 100644
--- a/agent_api_http/src/v0/issuance/credential_issuer/credential.rs
+++ b/agent_api_http/src/v0/issuance/credential_issuer/credential.rs
@@ -150,7 +150,7 @@ pub mod tests {
     use agent_event_publisher_http::EventPublisherHttp;
     use agent_issuance::credential::aggregate::CredentialExpiry;
     use agent_issuance::offer::event::OfferEvent;
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_shared::config::{set_config, Events};
     use agent_store::authorization_state;
     use agent_store::{in_memory::InMemory, issuance_state, EventPublisher};
diff --git a/agent_api_http/src/v0/issuance/credential_issuer/notification.rs b/agent_api_http/src/v0/issuance/credential_issuer/notification.rs
index 8af6c52f..3543a4e2 100644
--- a/agent_api_http/src/v0/issuance/credential_issuer/notification.rs
+++ b/agent_api_http/src/v0/issuance/credential_issuer/notification.rs
@@ -68,7 +68,7 @@ mod tests {
     use crate::v0::issuance::credentials::tests::credentials;
     use crate::v0::issuance::offers::tests::offers;
     use crate::v0::{authorization, issuance};
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_store::in_memory::InMemory;
     use agent_store::{authorization_state, issuance_state};
     use axum::{body::Body, http::Request};
diff --git a/agent_api_http/src/v0/issuance/credential_issuer/token_status_list.rs b/agent_api_http/src/v0/issuance/credential_issuer/token_status_list.rs
index 7bca40d1..949f633f 100644
--- a/agent_api_http/src/v0/issuance/credential_issuer/token_status_list.rs
+++ b/agent_api_http/src/v0/issuance/credential_issuer/token_status_list.rs
@@ -42,7 +42,7 @@ pub mod tests {
     use std::sync::Arc;
 
     use agent_issuance::state::initialize;
-    use agent_secret_manager::{service::Service, subject::Subject};
+    use agent_secret_manager::{services::Service, subject::Subject};
     use agent_shared::config::{config, BITS_PER_STATUS, STATUS_LIST_BYTES_AMOUNT};
     use agent_store::{in_memory::InMemory, issuance_state};
     use axum::body::{self, Body};
diff --git a/agent_api_http/src/v0/issuance/credential_issuer/well_known/oauth_authorization_server.rs b/agent_api_http/src/v0/issuance/credential_issuer/well_known/oauth_authorization_server.rs
index 9119a8e4..18a26154 100644
--- a/agent_api_http/src/v0/issuance/credential_issuer/well_known/oauth_authorization_server.rs
+++ b/agent_api_http/src/v0/issuance/credential_issuer/well_known/oauth_authorization_server.rs
@@ -28,7 +28,7 @@ mod tests {
     use super::*;
     use crate::v0::issuance::router;
     use agent_issuance::state::initialize;
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_store::{in_memory::InMemory, issuance_state};
     use axum::{
         body::Body,
diff --git a/agent_api_http/src/v0/issuance/credential_issuer/well_known/openid_credential_issuer.rs b/agent_api_http/src/v0/issuance/credential_issuer/well_known/openid_credential_issuer.rs
index f2a8b825..eb64321d 100644
--- a/agent_api_http/src/v0/issuance/credential_issuer/well_known/openid_credential_issuer.rs
+++ b/agent_api_http/src/v0/issuance/credential_issuer/well_known/openid_credential_issuer.rs
@@ -35,7 +35,7 @@ mod tests {
     use super::*;
     use crate::{tests::CREDENTIAL_ISSUER_METADATA, v0::issuance::router};
     use agent_issuance::state::initialize;
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_store::{in_memory::InMemory, issuance_state};
     use axum::{
         body::Body,
diff --git a/agent_api_http/src/v0/issuance/credentials.rs b/agent_api_http/src/v0/issuance/credentials.rs
index bf9840ba..11f645f5 100644
--- a/agent_api_http/src/v0/issuance/credentials.rs
+++ b/agent_api_http/src/v0/issuance/credentials.rs
@@ -247,7 +247,7 @@ pub mod tests {
     use crate::v0::issuance::router;
     use crate::API_VERSION;
     use agent_issuance::state::initialize;
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_secret_manager::subject::Subject;
     use agent_store::in_memory::InMemory;
     use agent_store::issuance_state;
diff --git a/agent_api_http/src/v0/issuance/offers/mod.rs b/agent_api_http/src/v0/issuance/offers/mod.rs
index 425036c4..07c320bb 100644
--- a/agent_api_http/src/v0/issuance/offers/mod.rs
+++ b/agent_api_http/src/v0/issuance/offers/mod.rs
@@ -137,7 +137,7 @@ pub mod tests {
         v0::issuance::{credentials::tests::credentials, router},
     };
     use agent_issuance::state::initialize;
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_shared::config::set_config;
     use agent_store::in_memory::InMemory;
     use agent_store::issuance_state;
diff --git a/agent_api_http/src/v0/verification/authorization_requests.rs b/agent_api_http/src/v0/verification/authorization_requests.rs
index e10a996e..3e93483c 100644
--- a/agent_api_http/src/v0/verification/authorization_requests.rs
+++ b/agent_api_http/src/v0/verification/authorization_requests.rs
@@ -105,7 +105,7 @@ pub(crate) async fn authorization_requests(
 pub mod tests {
     use super::*;
     use crate::v0::verification::router;
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_store::in_memory::InMemory;
     use agent_store::verification_state;
     use axum::{
diff --git a/agent_api_http/src/v0/verification/relying_party/redirect.rs b/agent_api_http/src/v0/verification/relying_party/redirect.rs
index 8fa24a92..5d73b371 100644
--- a/agent_api_http/src/v0/verification/relying_party/redirect.rs
+++ b/agent_api_http/src/v0/verification/relying_party/redirect.rs
@@ -64,7 +64,7 @@ pub mod tests {
         authorization_requests::tests::authorization_requests, relying_party::request::tests::request, router,
     };
     use agent_event_publisher_http::EventPublisherHttp;
-    use agent_secret_manager::{service::Service, subject::Subject};
+    use agent_secret_manager::{services::Service, subject::Subject};
     use agent_shared::config::{set_config, Events};
     use agent_store::{in_memory::InMemory, verification_state, EventPublisher};
     use axum::{
diff --git a/agent_api_http/src/v0/verification/relying_party/request.rs b/agent_api_http/src/v0/verification/relying_party/request.rs
index 37ae3e7e..42007d80 100644
--- a/agent_api_http/src/v0/verification/relying_party/request.rs
+++ b/agent_api_http/src/v0/verification/relying_party/request.rs
@@ -36,7 +36,7 @@ pub mod tests {
     use super::*;
     use crate::v0::verification::authorization_requests::tests::authorization_requests;
     use crate::v0::verification::router;
-    use agent_secret_manager::service::Service;
+    use agent_secret_manager::services::Service;
     use agent_store::{in_memory::InMemory, verification_state};
     use axum::{
         body::Body,
diff --git a/agent_application/src/main.rs b/agent_application/src/main.rs
index dbd0dc4e..726de5b2 100644
--- a/agent_application/src/main.rs
+++ b/agent_application/src/main.rs
@@ -18,10 +18,7 @@ use agent_issuance::{
     application::policies::issuer_metadata_synchronization_policy::IssuerMetadataSynchronizationPolicy,
     services::IssuanceServices,
 };
-use agent_secret_manager::{
-    service::{SecretManagerServices, Service as _},
-    subject::Subject,
-};
+use agent_secret_manager::services::SecretManagerServices;
 use agent_shared::config::{config, EventStoreType};
 use agent_store::{in_memory::InMemory, mongodb::MongoDB, postgres::Postgres, EventPublisher};
 use agent_verification::services::VerificationServices;
@@ -50,10 +47,7 @@ async fn main() -> io::Result<()> {
     let verification_event_publishers: Vec<Box<dyn EventPublisher>> =
         vec![Box::new(EventPublisherHttp::load().unwrap())];
 
-    let subject = Arc::new(Subject::new().await);
-    let stronghold_storage = subject.stronghold_storage.clone();
-
-    let secret_manager_services = Arc::new(SecretManagerServices::new(stronghold_storage));
+    let secret_manager_services = Arc::new(SecretManagerServices::new().await);
     let secret_manager_state = match config().event_store.type_ {
         EventStoreType::Postgres => {
             let builder = Postgres::new().await;
@@ -87,7 +81,7 @@ async fn main() -> io::Result<()> {
         ),
     };
 
-    let identity_services = Arc::new(IdentityServices::new(subject.clone()));
+    let identity_services = Arc::new(IdentityServices::new(secret_manager_services.clone()));
     let identity_state = match config().event_store.type_ {
         EventStoreType::Postgres => {
             let builder = Postgres::new().await;
@@ -111,13 +105,10 @@ async fn main() -> io::Result<()> {
         .await,
     );
 
-    let authorization_services = Arc::new(AuthorizationServices::new(
-        subject.clone(),
-        this_is_the_main_service.clone(),
-    ));
-    let issuance_services = Arc::new(IssuanceServices::new(subject.clone(), this_is_the_main_service.clone()));
-    let holder_services = Arc::new(HolderServices::new(subject.clone()));
-    let verification_services = Arc::new(VerificationServices::new(subject.clone()));
+    let authorization_services = Arc::new(AuthorizationServices::new(this_is_the_main_service.clone()));
+    let issuance_services = Arc::new(IssuanceServices::new(this_is_the_main_service.clone()));
+    let holder_services = Arc::new(HolderServices::new(this_is_the_main_service.clone()));
+    let verification_services = Arc::new(VerificationServices::new(this_is_the_main_service.clone()));
 
     // TODO: Refactor this to reduce code duplication.
     let (library_state, authorization_state, issuance_state, holder_state, verification_state) = match config()
diff --git a/agent_authorization/src/services.rs b/agent_authorization/src/services.rs
index 8c4224a7..f38f2316 100644
--- a/agent_authorization/src/services.rs
+++ b/agent_authorization/src/services.rs
@@ -1,16 +1,13 @@
 use agent_identity::services::ThisIsTheMainService;
-use agent_secret_manager::{service::Service, subject::SubjectExt};
 use std::sync::Arc;
 
 pub struct AuthorizationServices {
-    signer: Arc<dyn SubjectExt>,
     pub this_is_the_main_service: Arc<ThisIsTheMainService>,
 }
 
 impl AuthorizationServices {
-    pub fn new(signer: Arc<dyn SubjectExt>, this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
+    pub fn new(this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
         Self {
-            signer,
             this_is_the_main_service,
         }
     }
diff --git a/agent_holder/Cargo.toml b/agent_holder/Cargo.toml
index 39ed8e4a..5cb3af66 100644
--- a/agent_holder/Cargo.toml
+++ b/agent_holder/Cargo.toml
@@ -5,6 +5,7 @@ edition.workspace = true
 rust-version.workspace = true
 
 [dependencies]
+agent_identity = { path = "../agent_identity" }
 agent_shared = { path = "../agent_shared" }
 agent_secret_manager = { path = "../agent_secret_manager" }
 
diff --git a/agent_holder/src/presentation/aggregate.rs b/agent_holder/src/presentation/aggregate.rs
index c59fbff4..caf6af76 100644
--- a/agent_holder/src/presentation/aggregate.rs
+++ b/agent_holder/src/presentation/aggregate.rs
@@ -7,6 +7,8 @@ use cqrs_es::Aggregate;
 use identity_core::convert::ToJson;
 use identity_credential::{credential::Jwt, presentation::JwtPresentationOptions};
 use jsonwebtoken::Header;
+use oid4vc_core::Sign as _;
+use oid4vc_core::Subject as _;
 use serde::{Deserialize, Serialize};
 use std::sync::Arc;
 use tracing::{debug, info};
@@ -41,8 +43,8 @@ impl Aggregate for Presentation {
                 presentation_id,
                 signed_credentials,
             } => {
-                let holder = &services.holder;
-                let subject_did = holder
+                let this_is_the_main_service = &services.this_is_the_main_service;
+                let subject_did = this_is_the_main_service
                     .identifier(
                         get_preferred_did_method().to_string().as_ref(),
                         get_preferred_signing_algorithm(),
@@ -94,7 +96,7 @@ impl Aggregate for Presentation {
                 ]
                 .join(".");
 
-                let proof_value = holder
+                let proof_value = this_is_the_main_service
                     .sign(
                         &message,
                         get_preferred_did_method().to_string().as_ref(),
diff --git a/agent_holder/src/services.rs b/agent_holder/src/services.rs
index 453c41de..f3844801 100644
--- a/agent_holder/src/services.rs
+++ b/agent_holder/src/services.rs
@@ -1,4 +1,4 @@
-use agent_secret_manager::{service::Service, subject::SubjectExt};
+use agent_identity::services::ThisIsTheMainService;
 use agent_shared::config::{
     get_all_enabled_did_methods, get_all_enabled_signing_algorithms_supported, get_preferred_did_method,
 };
@@ -8,12 +8,12 @@ use std::sync::Arc;
 
 /// Holder services. This struct is used to sign credentials and validate credential requests.
 pub struct HolderServices {
-    pub holder: Arc<dyn SubjectExt>,
+    pub this_is_the_main_service: Arc<ThisIsTheMainService>,
     pub wallet: Wallet,
 }
 
-impl Service for HolderServices {
-    fn new(holder: Arc<dyn SubjectExt>) -> Self {
+impl HolderServices {
+    pub fn new(this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
         let signing_algorithms_supported = get_all_enabled_signing_algorithms_supported();
 
         let mut enabled_did_methods = get_all_enabled_did_methods();
@@ -32,13 +32,16 @@ impl Service for HolderServices {
             enabled_did_methods.into_iter().map(Into::into).collect();
 
         let wallet = Wallet::new(
-            holder.clone(),
+            this_is_the_main_service.clone(),
             supported_subject_syntax_types,
             signing_algorithms_supported,
         )
         // TODO: make `Wallet::new` return `Wallet` instead of `Result<Self, _>`
         .expect("Failed to create wallet");
 
-        Self { holder, wallet }
+        Self {
+            this_is_the_main_service,
+            wallet,
+        }
     }
 }
diff --git a/agent_identity/src/connection/aggregate.rs b/agent_identity/src/connection/aggregate.rs
index 61554309..290563a5 100644
--- a/agent_identity/src/connection/aggregate.rs
+++ b/agent_identity/src/connection/aggregate.rs
@@ -88,42 +88,42 @@ impl Aggregate for Connection {
     }
 }
 
-#[cfg(test)]
-pub mod document_tests {
-    use super::test_utils::*;
-    use super::*;
-    use cqrs_es::test::TestFramework;
-    use rstest::rstest;
-
-    type ConnectionTestFramework = TestFramework<Connection>;
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_add_connection(
-        connection_id: String,
-        alias: String,
-        domain: Url,
-        dids: Vec<DIDUrl>,
-        credential_offer_endpoint: Url,
-    ) {
-        ConnectionTestFramework::with(IdentityServices::default())
-            .given_no_previous_events()
-            .when(ConnectionCommand::AddConnection {
-                connection_id: connection_id.clone(),
-                alias: Some(alias.clone()),
-                domain: Some(domain.clone()),
-                dids: dids.clone(),
-                credential_offer_endpoint: Some(credential_offer_endpoint.clone()),
-            })
-            .then_expect_events(vec![ConnectionEvent::ConnectionAdded {
-                connection_id: connection_id.clone(),
-                alias: Some(alias),
-                domain: Some(domain.clone()),
-                dids: dids.clone(),
-                credential_offer_endpoint: Some(credential_offer_endpoint.clone()),
-            }])
-    }
-}
+// #[cfg(test)]
+// pub mod document_tests {
+//     use super::test_utils::*;
+//     use super::*;
+//     use cqrs_es::test::TestFramework;
+//     use rstest::rstest;
+
+//     type ConnectionTestFramework = TestFramework<Connection>;
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_add_connection(
+//         connection_id: String,
+//         alias: String,
+//         domain: Url,
+//         dids: Vec<DIDUrl>,
+//         credential_offer_endpoint: Url,
+//     ) {
+//         ConnectionTestFramework::with(IdentityServices::default())
+//             .given_no_previous_events()
+//             .when(ConnectionCommand::AddConnection {
+//                 connection_id: connection_id.clone(),
+//                 alias: Some(alias.clone()),
+//                 domain: Some(domain.clone()),
+//                 dids: dids.clone(),
+//                 credential_offer_endpoint: Some(credential_offer_endpoint.clone()),
+//             })
+//             .then_expect_events(vec![ConnectionEvent::ConnectionAdded {
+//                 connection_id: connection_id.clone(),
+//                 alias: Some(alias),
+//                 domain: Some(domain.clone()),
+//                 dids: dids.clone(),
+//                 credential_offer_endpoint: Some(credential_offer_endpoint.clone()),
+//             }])
+//     }
+// }
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_identity/src/document/aggregate.rs b/agent_identity/src/document/aggregate.rs
index 07d11fcb..081bf02a 100644
--- a/agent_identity/src/document/aggregate.rs
+++ b/agent_identity/src/document/aggregate.rs
@@ -105,8 +105,8 @@ impl Aggregate for Document {
                 did_method,
                 with_fixed_algorithm,
             } => {
-                let subject = &services.subject;
-                let stronghold_storage = &subject.stronghold_storage;
+                let secret_manager_services = &services.secret_manager_services;
+                let stronghold_storage = &secret_manager_services.stronghold_storage;
 
                 let mut iota_metadata = self.iota_metadata.clone().unwrap_or_default();
 
@@ -268,34 +268,31 @@ impl Aggregate for Document {
                     }
                     SupportedDidMethod::Jwk | SupportedDidMethod::Key => {
                         let algorithm = with_fixed_algorithm.ok_or(MissingFixedAlgorithmError(did_method))?;
-                        let key_id = match algorithm {
-                            Algorithm::EdDSA => config().secret_manager.issuer_eddsa_key_id.clone(),
-                            // FIXME
-                            // Algorithm::ES256 => config().secret_manager.issuer_es256_key_id.clone(),
-                            algorithm => return Err(UnsupportedSigningAlgorithmError(algorithm)),
-                        };
 
-                        // Retrieve the public key from Stronghold.
-                        let public_key_jwk = subject
-                            .get_public_key(key_id.clone(), &algorithm)
-                            .await
-                            .map_err(|err| MissingKeyError(err.to_string()))?;
-
-                        // Generate a DID from the public key.
-                        let controller = serde_json::from_value::<ssi_jwk::JWK>(json!(public_key_jwk))
-                            .ok()
-                            .and_then(|jwk| match did_method {
-                                SupportedDidMethod::Jwk => did_jwk_extern::DIDJWK.generate(&Source::Key(&jwk)),
-                                SupportedDidMethod::Key => did_key_extern::DIDKey.generate(&Source::Key(&jwk)),
-                                _ => None,
-                            })
-                            .and_then(|did| did.parse().ok())
-                            .ok_or(GenerateDidError(key_id))?;
-
-                        CoreDocument::builder(Default::default())
-                            .id(controller)
-                            .build()
-                            .map_err(ProduceDocumentError)?
+                        // FIXME
+                        // // Retrieve the public key from Stronghold.
+                        // let public_key_jwk = secret_manager_services
+                        //     .get_public_key(key_id.clone(), &algorithm)
+                        //     .await
+                        //     .map_err(|err| MissingKeyError(err.to_string()))?;
+
+                        todo!();
+
+                        // // Generate a DID from the public key.
+                        // let controller = serde_json::from_value::<ssi_jwk::JWK>(json!(public_key_jwk))
+                        //     .ok()
+                        //     .and_then(|jwk| match did_method {
+                        //         SupportedDidMethod::Jwk => did_jwk_extern::DIDJWK.generate(&Source::Key(&jwk)),
+                        //         SupportedDidMethod::Key => did_key_extern::DIDKey.generate(&Source::Key(&jwk)),
+                        //         _ => None,
+                        //     })
+                        //     .and_then(|did| did.parse().ok())
+                        //     .unwrap();
+
+                        // CoreDocument::builder(Default::default())
+                        //     .id(controller)
+                        //     .build()
+                        //     .map_err(ProduceDocumentError)?
                     }
                 };
 
@@ -323,8 +320,8 @@ impl Aggregate for Document {
                 key_id,
                 signing_algorithm,
             } => {
-                let subject = &services.subject;
-                let stronghold_storage = &subject.stronghold_storage;
+                let secret_manager_services = &services.secret_manager_services;
+                let stronghold_storage = &secret_manager_services.stronghold_storage;
 
                 let mut document = self.document.clone().ok_or(MissingDocumentError)?;
                 let did = document.id().clone();
@@ -410,7 +407,7 @@ impl Aggregate for Document {
                 // Create a new IOTA client to interact with the IOTA ledger.
                 let iota_client = get_iota_client(api_endpoint).await?;
 
-                let stronghold_storage = &services.subject.stronghold_storage;
+                let stronghold_storage = &services.secret_manager_services.stronghold_storage;
 
                 let key_id = config().secret_manager.issuer_eddsa_key_id.clone();
 
@@ -845,110 +842,110 @@ pub fn get_properties(method_type: MethodType) -> BTreeMap<String, serde_json::V
     properties
 }
 
-#[cfg(test)]
-pub mod document_tests {
-    use crate::state::DOMAIN_LINKAGE_SERVICE_ID;
-
-    use super::test_utils::*;
-    use super::*;
-    use cqrs_es::test::TestFramework;
-    use identity_document::service::Service;
-    use rstest::rstest;
-
-    type DocumentTestFramework = TestFramework<Document>;
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_create_document(document_id: String, did_method: SupportedDidMethod, document: CoreDocument) {
-        DocumentTestFramework::with(IdentityServices::default())
-            .given_no_previous_events()
-            .when(DocumentCommand::CreateDocument {
-                document_id: document_id.clone(),
-                did_method,
-                with_fixed_algorithm: None,
-            })
-            .then_expect_events(vec![DocumentEvent::DocumentCreated {
-                document_id,
-                did_method,
-                document,
-                status: Status::SignAndValidate,
-                with_fixed_algorithm: None,
-                iota_metadata: None,
-            }])
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_add_service(
-        document_id: String,
-        did_method: SupportedDidMethod,
-        document: CoreDocument,
-        domain_linkage_service: Service,
-        document_with_multiple_verification_methods: CoreDocument,
-        document_with_domain_linkage_service: CoreDocument,
-    ) {
-        DocumentTestFramework::with(IdentityServices::default())
-            .given(vec![
-                DocumentEvent::DocumentCreated {
-                    document_id: document_id.clone(),
-                    did_method,
-                    document,
-                    status: Status::SignAndValidate,
-                    with_fixed_algorithm: None,
-                    iota_metadata: None,
-                },
-                DocumentEvent::PublicKeyUpdated {
-                    document_id: document_id.clone(),
-                    document: document_with_multiple_verification_methods,
-                },
-            ])
-            .when(DocumentCommand::AddService {
-                service: Box::new(domain_linkage_service),
-                service_id: DOMAIN_LINKAGE_SERVICE_ID.to_string(),
-            })
-            .then_expect_events(vec![DocumentEvent::ServiceAdded {
-                document_id: document_id.clone(),
-                document: document_with_domain_linkage_service,
-            }])
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_set_status(
-        document_id: String,
-        did_method: SupportedDidMethod,
-        document: CoreDocument,
-        document_with_multiple_verification_methods: CoreDocument,
-        document_with_domain_linkage_service: CoreDocument,
-    ) {
-        DocumentTestFramework::with(IdentityServices::default())
-            .given(vec![
-                DocumentEvent::DocumentCreated {
-                    document_id: document_id.clone(),
-                    did_method,
-                    document,
-                    status: Status::SignAndValidate,
-                    with_fixed_algorithm: None,
-                    iota_metadata: None,
-                },
-                DocumentEvent::PublicKeyUpdated {
-                    document_id: document_id.clone(),
-                    document: document_with_multiple_verification_methods.clone(),
-                },
-                DocumentEvent::ServiceAdded {
-                    document_id: document_id.clone(),
-                    document: document_with_domain_linkage_service,
-                },
-            ])
-            .when(DocumentCommand::UpdateDocumentStatus {
-                status: Status::Disabled,
-            })
-            .then_expect_events(vec![DocumentEvent::DocumentStatusUpdated {
-                document_id,
-                status: Status::Disabled,
-            }])
-    }
-}
+// #[cfg(test)]
+// pub mod document_tests {
+//     use crate::state::DOMAIN_LINKAGE_SERVICE_ID;
+
+//     use super::test_utils::*;
+//     use super::*;
+//     use cqrs_es::test::TestFramework;
+//     use identity_document::service::Service;
+//     use rstest::rstest;
+
+//     type DocumentTestFramework = TestFramework<Document>;
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_create_document(document_id: String, did_method: SupportedDidMethod, document: CoreDocument) {
+//         DocumentTestFramework::with(IdentityServices::default())
+//             .given_no_previous_events()
+//             .when(DocumentCommand::CreateDocument {
+//                 document_id: document_id.clone(),
+//                 did_method,
+//                 with_fixed_algorithm: None,
+//             })
+//             .then_expect_events(vec![DocumentEvent::DocumentCreated {
+//                 document_id,
+//                 did_method,
+//                 document,
+//                 status: Status::SignAndValidate,
+//                 with_fixed_algorithm: None,
+//                 iota_metadata: None,
+//             }])
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_add_service(
+//         document_id: String,
+//         did_method: SupportedDidMethod,
+//         document: CoreDocument,
+//         domain_linkage_service: Service,
+//         document_with_multiple_verification_methods: CoreDocument,
+//         document_with_domain_linkage_service: CoreDocument,
+//     ) {
+//         DocumentTestFramework::with(IdentityServices::default())
+//             .given(vec![
+//                 DocumentEvent::DocumentCreated {
+//                     document_id: document_id.clone(),
+//                     did_method,
+//                     document,
+//                     status: Status::SignAndValidate,
+//                     with_fixed_algorithm: None,
+//                     iota_metadata: None,
+//                 },
+//                 DocumentEvent::PublicKeyUpdated {
+//                     document_id: document_id.clone(),
+//                     document: document_with_multiple_verification_methods,
+//                 },
+//             ])
+//             .when(DocumentCommand::AddService {
+//                 service: Box::new(domain_linkage_service),
+//                 service_id: DOMAIN_LINKAGE_SERVICE_ID.to_string(),
+//             })
+//             .then_expect_events(vec![DocumentEvent::ServiceAdded {
+//                 document_id: document_id.clone(),
+//                 document: document_with_domain_linkage_service,
+//             }])
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_set_status(
+//         document_id: String,
+//         did_method: SupportedDidMethod,
+//         document: CoreDocument,
+//         document_with_multiple_verification_methods: CoreDocument,
+//         document_with_domain_linkage_service: CoreDocument,
+//     ) {
+//         DocumentTestFramework::with(IdentityServices::default())
+//             .given(vec![
+//                 DocumentEvent::DocumentCreated {
+//                     document_id: document_id.clone(),
+//                     did_method,
+//                     document,
+//                     status: Status::SignAndValidate,
+//                     with_fixed_algorithm: None,
+//                     iota_metadata: None,
+//                 },
+//                 DocumentEvent::PublicKeyUpdated {
+//                     document_id: document_id.clone(),
+//                     document: document_with_multiple_verification_methods.clone(),
+//                 },
+//                 DocumentEvent::ServiceAdded {
+//                     document_id: document_id.clone(),
+//                     document: document_with_domain_linkage_service,
+//                 },
+//             ])
+//             .when(DocumentCommand::UpdateDocumentStatus {
+//                 status: Status::Disabled,
+//             })
+//             .then_expect_events(vec![DocumentEvent::DocumentStatusUpdated {
+//                 document_id,
+//                 status: Status::Disabled,
+//             }])
+//     }
+// }
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_identity/src/service/aggregate.rs b/agent_identity/src/service/aggregate.rs
index 8d727ea0..65df5d77 100644
--- a/agent_identity/src/service/aggregate.rs
+++ b/agent_identity/src/service/aggregate.rs
@@ -59,115 +59,116 @@ impl Aggregate for Service {
                 service_id,
                 verification_methods,
             } => {
-                let subject = &services.subject;
-
-                let origin = identity_core::common::Url::parse(config().public_url.origin().ascii_serialization())
-                    .map_err(|err| InvalidUrlError(err.to_string()))?;
-
-                #[cfg(feature = "test_utils")]
-                let (issuance_date, expiration_date) = {
-                    let issuance_date = test_utils::issuance_date();
-                    let expiration_date = test_utils::expiration_date();
-                    (issuance_date, expiration_date)
-                };
-                #[cfg(not(feature = "test_utils"))]
-                let (issuance_date, expiration_date) = {
-                    let issuance_date = Timestamp::now_utc();
-                    let expiration_date = issuance_date
-                        // TODO: make this configurable
-                        .checked_add(Duration::days(365))
-                        .ok_or(InvalidTimestampError)?;
-
-                    (issuance_date, expiration_date)
-                };
-
-                let mut linked_dids = vec![];
-
-                // For each Verification Method, create a new linked DID JWT token.
-                for verification_method in verification_methods {
-                    let subject_did = verification_method.id().did();
-
-                    let verification_method_id = verification_method.id();
-                    let alg = verification_method
-                        .data()
-                        .public_key_jwk()
-                        .and_then(|jwk| jwk.alg())
-                        .ok_or_else(|| MissingVerificationMethodAlgorithm(verification_method_id.to_string()))?;
-                    let algorithm = Algorithm::from_str(alg)
-                        .map_err(|_| UnsupportedVerificationMethodAlgorithm(alg.to_string()))?;
-
-                    let domain_linkage_credential = DomainLinkageCredentialBuilder::new()
-                        .issuer(subject_did.clone())
-                        .origin(origin.clone())
-                        .issuance_date(issuance_date)
-                        .expiration_date(expiration_date)
-                        .build()
-                        .map_err(|err| DomainLinkageCredentialBuilderError(err.to_string()))?
-                        .serialize_jwt(Default::default())
-                        .map_err(|err| SerializationError(err.to_string()))?;
-
-                    // Compose JWT
-                    let header = Header {
-                        alg: algorithm,
-                        typ: None,
-                        kid: Some(verification_method.id().to_string()),
-                        ..Default::default()
-                    };
-
-                    let linked_did = [
-                        URL_SAFE_NO_PAD.encode(
-                            header
-                                .to_json_vec()
-                                .map_err(|err| SerializationError(err.to_string()))?,
-                        ),
-                        URL_SAFE_NO_PAD.encode(domain_linkage_credential.as_bytes()),
-                    ]
-                    .join(".");
-
-                    let proof_value = subject
-                        // TODO: Currently UniCore always uses the same keys for signing regardless of the DID method.
-                        // Once we implement DID method-specific keys, then we should supply the appropriate
-                        // `subject_syntax_type` here instead of this `placeholder` value.
-                        .sign(linked_did.as_str(), "placeholder", algorithm)
-                        .await
-                        .map_err(|err| SigningError(err.to_string()))?;
-                    let signature = URL_SAFE_NO_PAD.encode(proof_value.as_slice());
-                    let linked_did = [linked_did, signature].join(".");
-
-                    linked_dids.push(Jwt::from(linked_did))
-                }
-
-                if linked_dids.is_empty() {
-                    return Err(EmptyLinkedDidsError);
-                }
-
-                let domain_linkage_configuration = DomainLinkageConfiguration::new(linked_dids);
-
-                info!("Configuration Resource: {domain_linkage_configuration:#}");
-
-                let service_endpoint = ServiceEndpoint::from_json_value(json!({
-                    "origins": [origin]
-                }))
-                .map_err(|err| InvalidServiceEndpointError(err.to_string()))?;
-
-                // Create a new service.
-                let service = DocumentService::builder(Default::default())
-                    // This service is DID method-agnostic. When added to an enabled DID Document,
-                    // its placeholder value is replaced with the appropriate DID method-specific identifier.
-                    .id(format!("did:place:holder#{service_id}")
-                        .parse::<DIDUrl>()
-                        .map_err(|err| InvalidDidError(err.to_string()))?)
-                    .type_("LinkedDomains")
-                    .service_endpoint(service_endpoint)
-                    .build()
-                    .map_err(|err| ServiceBuilderError(err.to_string()))?;
-
-                Ok(vec![DomainLinkageServiceCreated {
-                    service_id,
-                    service,
-                    resource: ServiceResource::DomainLinkage(domain_linkage_configuration),
-                    is_deleted: false,
-                }])
+                // let secret_manager_services = &services.secret_manager_services;
+
+                // let origin = identity_core::common::Url::parse(config().public_url.origin().ascii_serialization())
+                //     .map_err(|err| InvalidUrlError(err.to_string()))?;
+
+                // #[cfg(feature = "test_utils")]
+                // let (issuance_date, expiration_date) = {
+                //     let issuance_date = test_utils::issuance_date();
+                //     let expiration_date = test_utils::expiration_date();
+                //     (issuance_date, expiration_date)
+                // };
+                // #[cfg(not(feature = "test_utils"))]
+                // let (issuance_date, expiration_date) = {
+                //     let issuance_date = Timestamp::now_utc();
+                //     let expiration_date = issuance_date
+                //         // TODO: make this configurable
+                //         .checked_add(Duration::days(365))
+                //         .ok_or(InvalidTimestampError)?;
+
+                //     (issuance_date, expiration_date)
+                // };
+
+                // let mut linked_dids = vec![];
+
+                // // For each Verification Method, create a new linked DID JWT token.
+                // for verification_method in verification_methods {
+                //     let subject_did = verification_method.id().did();
+
+                //     let verification_method_id = verification_method.id();
+                //     let alg = verification_method
+                //         .data()
+                //         .public_key_jwk()
+                //         .and_then(|jwk| jwk.alg())
+                //         .ok_or_else(|| MissingVerificationMethodAlgorithm(verification_method_id.to_string()))?;
+                //     let algorithm = Algorithm::from_str(alg)
+                //         .map_err(|_| UnsupportedVerificationMethodAlgorithm(alg.to_string()))?;
+
+                //     let domain_linkage_credential = DomainLinkageCredentialBuilder::new()
+                //         .issuer(subject_did.clone())
+                //         .origin(origin.clone())
+                //         .issuance_date(issuance_date)
+                //         .expiration_date(expiration_date)
+                //         .build()
+                //         .map_err(|err| DomainLinkageCredentialBuilderError(err.to_string()))?
+                //         .serialize_jwt(Default::default())
+                //         .map_err(|err| SerializationError(err.to_string()))?;
+
+                //     // Compose JWT
+                //     let header = Header {
+                //         alg: algorithm,
+                //         typ: None,
+                //         kid: Some(verification_method.id().to_string()),
+                //         ..Default::default()
+                //     };
+
+                //     let linked_did = [
+                //         URL_SAFE_NO_PAD.encode(
+                //             header
+                //                 .to_json_vec()
+                //                 .map_err(|err| SerializationError(err.to_string()))?,
+                //         ),
+                //         URL_SAFE_NO_PAD.encode(domain_linkage_credential.as_bytes()),
+                //     ]
+                //     .join(".");
+
+                //     let proof_value = secret_manager_services
+                //         // TODO: Currently UniCore always uses the same keys for signing regardless of the DID method.
+                //         // Once we implement DID method-specific keys, then we should supply the appropriate
+                //         // `subject_syntax_type` here instead of this `placeholder` value.
+                //         .sign(linked_did.as_str(), "placeholder", algorithm)
+                //         .await
+                //         .map_err(|err| SigningError(err.to_string()))?;
+                //     let signature = URL_SAFE_NO_PAD.encode(proof_value.as_slice());
+                //     let linked_did = [linked_did, signature].join(".");
+
+                //     linked_dids.push(Jwt::from(linked_did))
+                // }
+
+                // if linked_dids.is_empty() {
+                //     return Err(EmptyLinkedDidsError);
+                // }
+
+                // let domain_linkage_configuration = DomainLinkageConfiguration::new(linked_dids);
+
+                // info!("Configuration Resource: {domain_linkage_configuration:#}");
+
+                // let service_endpoint = ServiceEndpoint::from_json_value(json!({
+                //     "origins": [origin]
+                // }))
+                // .map_err(|err| InvalidServiceEndpointError(err.to_string()))?;
+
+                // // Create a new service.
+                // let service = DocumentService::builder(Default::default())
+                //     // This service is DID method-agnostic. When added to an enabled DID Document,
+                //     // its placeholder value is replaced with the appropriate DID method-specific identifier.
+                //     .id(format!("did:place:holder#{service_id}")
+                //         .parse::<DIDUrl>()
+                //         .map_err(|err| InvalidDidError(err.to_string()))?)
+                //     .type_("LinkedDomains")
+                //     .service_endpoint(service_endpoint)
+                //     .build()
+                //     .map_err(|err| ServiceBuilderError(err.to_string()))?;
+
+                // Ok(vec![DomainLinkageServiceCreated {
+                //     service_id,
+                //     service,
+                //     resource: ServiceResource::DomainLinkage(domain_linkage_configuration),
+                //     is_deleted: false,
+                // }])
+                todo!()
             }
             DeleteDomainLinkageService { service_id } => Ok(vec![DomainLinkageServiceDeleted {
                 service_id,
@@ -257,89 +258,89 @@ impl Aggregate for Service {
     }
 }
 
-#[cfg(test)]
-pub mod service_tests {
-    use super::test_utils::*;
-    use super::*;
-    use crate::document::aggregate::test_utils::both_verification_methods;
-    use agent_shared::config::set_config;
-    use cqrs_es::test::TestFramework;
-    use identity_document::service::Service as DocumentService;
-    use identity_iota::verification::VerificationMethod;
-    use rstest::rstest;
-
-    type ServiceTestFramework = TestFramework<Service>;
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_create_domain_linkage_service(
-        domain_linkage_service_id: String,
-        both_verification_methods: Vec<VerificationMethod>,
-        domain_linkage_service: DocumentService,
-        domain_linkage_resource: ServiceResource,
-    ) {
-        set_config().set_preferred_did_method(agent_shared::config::SupportedDidMethod::Web);
-
-        ServiceTestFramework::with(IdentityServices::default())
-            .given_no_previous_events()
-            .when(ServiceCommand::CreateDomainLinkageService {
-                service_id: domain_linkage_service_id.clone(),
-                verification_methods: both_verification_methods,
-            })
-            .then_expect_events(vec![ServiceEvent::DomainLinkageServiceCreated {
-                service_id: domain_linkage_service_id,
-                service: domain_linkage_service,
-                resource: domain_linkage_resource,
-                is_deleted: false,
-            }])
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_delete_domain_linkage_service(
-        domain_linkage_service_id: String,
-        domain_linkage_service: DocumentService,
-        domain_linkage_resource: ServiceResource,
-    ) {
-        set_config().set_preferred_did_method(agent_shared::config::SupportedDidMethod::Web);
-
-        ServiceTestFramework::with(IdentityServices::default())
-            .given(vec![ServiceEvent::DomainLinkageServiceCreated {
-                service_id: domain_linkage_service_id.clone(),
-                service: domain_linkage_service.clone(),
-                resource: domain_linkage_resource.clone(),
-                is_deleted: false,
-            }])
-            .when(ServiceCommand::DeleteDomainLinkageService {
-                service_id: domain_linkage_service_id.clone(),
-            })
-            .then_expect_events(vec![ServiceEvent::DomainLinkageServiceDeleted {
-                service_id: domain_linkage_service_id,
-                service: None,
-                resource: None,
-                is_deleted: true,
-            }])
-    }
-
-    #[rstest]
-    #[serial_test::serial]
-    async fn test_create_linked_verifiable_presentation_service(
-        linked_verifiable_presentation_service_id: String,
-        linked_verifiable_presentation_service: DocumentService,
-    ) {
-        ServiceTestFramework::with(IdentityServices::default())
-            .given_no_previous_events()
-            .when(ServiceCommand::CreateLinkedVerifiablePresentationService {
-                service_id: linked_verifiable_presentation_service_id.clone(),
-                presentation_ids: vec!["presentation-1".to_string()],
-            })
-            .then_expect_events(vec![ServiceEvent::LinkedVerifiablePresentationServiceCreated {
-                service_id: linked_verifiable_presentation_service_id,
-                presentation_ids: vec!["presentation-1".to_string()],
-                service: linked_verifiable_presentation_service,
-            }])
-    }
-}
+// #[cfg(test)]
+// pub mod service_tests {
+//     use super::test_utils::*;
+//     use super::*;
+//     use crate::document::aggregate::test_utils::both_verification_methods;
+//     use agent_shared::config::set_config;
+//     use cqrs_es::test::TestFramework;
+//     use identity_document::service::Service as DocumentService;
+//     use identity_iota::verification::VerificationMethod;
+//     use rstest::rstest;
+
+//     type ServiceTestFramework = TestFramework<Service>;
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_create_domain_linkage_service(
+//         domain_linkage_service_id: String,
+//         both_verification_methods: Vec<VerificationMethod>,
+//         domain_linkage_service: DocumentService,
+//         domain_linkage_resource: ServiceResource,
+//     ) {
+//         set_config().set_preferred_did_method(agent_shared::config::SupportedDidMethod::Web);
+
+//         ServiceTestFramework::with(IdentityServices::default())
+//             .given_no_previous_events()
+//             .when(ServiceCommand::CreateDomainLinkageService {
+//                 service_id: domain_linkage_service_id.clone(),
+//                 verification_methods: both_verification_methods,
+//             })
+//             .then_expect_events(vec![ServiceEvent::DomainLinkageServiceCreated {
+//                 service_id: domain_linkage_service_id,
+//                 service: domain_linkage_service,
+//                 resource: domain_linkage_resource,
+//                 is_deleted: false,
+//             }])
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_delete_domain_linkage_service(
+//         domain_linkage_service_id: String,
+//         domain_linkage_service: DocumentService,
+//         domain_linkage_resource: ServiceResource,
+//     ) {
+//         set_config().set_preferred_did_method(agent_shared::config::SupportedDidMethod::Web);
+
+//         ServiceTestFramework::with(IdentityServices::default())
+//             .given(vec![ServiceEvent::DomainLinkageServiceCreated {
+//                 service_id: domain_linkage_service_id.clone(),
+//                 service: domain_linkage_service.clone(),
+//                 resource: domain_linkage_resource.clone(),
+//                 is_deleted: false,
+//             }])
+//             .when(ServiceCommand::DeleteDomainLinkageService {
+//                 service_id: domain_linkage_service_id.clone(),
+//             })
+//             .then_expect_events(vec![ServiceEvent::DomainLinkageServiceDeleted {
+//                 service_id: domain_linkage_service_id,
+//                 service: None,
+//                 resource: None,
+//                 is_deleted: true,
+//             }])
+//     }
+
+//     #[rstest]
+//     #[serial_test::serial]
+//     async fn test_create_linked_verifiable_presentation_service(
+//         linked_verifiable_presentation_service_id: String,
+//         linked_verifiable_presentation_service: DocumentService,
+//     ) {
+//         ServiceTestFramework::with(IdentityServices::default())
+//             .given_no_previous_events()
+//             .when(ServiceCommand::CreateLinkedVerifiablePresentationService {
+//                 service_id: linked_verifiable_presentation_service_id.clone(),
+//                 presentation_ids: vec!["presentation-1".to_string()],
+//             })
+//             .then_expect_events(vec![ServiceEvent::LinkedVerifiablePresentationServiceCreated {
+//                 service_id: linked_verifiable_presentation_service_id,
+//                 presentation_ids: vec!["presentation-1".to_string()],
+//                 service: linked_verifiable_presentation_service,
+//             }])
+//     }
+// }
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_identity/src/services.rs b/agent_identity/src/services.rs
index 8f1e7e13..04744b95 100644
--- a/agent_identity/src/services.rs
+++ b/agent_identity/src/services.rs
@@ -1,8 +1,7 @@
 use agent_secret_manager::{
     managed_key::{self, aggregate::SigningAlgorithm},
-    service::SecretManagerServices,
+    services::SecretManagerServices,
     state::SecretManagerState,
-    subject::{Subject, SubjectExt},
 };
 use agent_shared::{
     config::{config, SupportedDidMethod},
@@ -27,24 +26,26 @@ use crate::state::IdentityState;
 
 /// Identity services.
 pub struct IdentityServices {
-    pub subject: Arc<Subject>,
+    pub secret_manager_services: Arc<SecretManagerServices>,
 }
 
 impl IdentityServices {
-    pub fn new(subject: Arc<Subject>) -> Self {
-        Self { subject }
+    pub fn new(secret_manager_services: Arc<SecretManagerServices>) -> Self {
+        Self {
+            secret_manager_services,
+        }
     }
 
-    #[cfg(feature = "test_utils")]
-    #[allow(clippy::should_implement_trait)]
-    pub fn default() -> Arc<Self>
-    where
-        Self: Sized,
-    {
-        Arc::new(Self::new(Arc::new(futures::executor::block_on(async {
-            Subject::new().await
-        }))))
-    }
+    // #[cfg(feature = "test_utils")]
+    // #[allow(clippy::should_implement_trait)]
+    // pub fn default() -> Arc<Self>
+    // where
+    //     Self: Sized,
+    // {
+    //     Arc::new(Self::new(Arc::new(futures::executor::block_on(async {
+    //         Subject::new().await
+    //     }))))
+    // }
 }
 
 pub struct ThisIsTheMainService {
@@ -77,6 +78,11 @@ impl std::fmt::Debug for ThisIsTheMainService {
     }
 }
 
+#[async_trait]
+pub trait SubjectExt: oid4vc_core::Subject {
+    async fn resolve_public_key(&self, did_url: &str) -> anyhow::Result<Jwk>;
+}
+
 /// Extension trait for `Subject` to provide additional functionality.
 #[async_trait]
 impl SubjectExt for ThisIsTheMainService {
diff --git a/agent_issuance/src/services.rs b/agent_issuance/src/services.rs
index 8151a40f..c67a3634 100644
--- a/agent_issuance/src/services.rs
+++ b/agent_issuance/src/services.rs
@@ -1,17 +1,14 @@
 use agent_identity::services::ThisIsTheMainService;
-use agent_secret_manager::subject::SubjectExt;
 use std::sync::Arc;
 
 /// Issuance services. This struct is used to sign credentials and validate credential requests.
 pub struct IssuanceServices {
-    issuer: Arc<dyn SubjectExt>,
     pub this_is_the_main_service: Arc<ThisIsTheMainService>,
 }
 
 impl IssuanceServices {
-    pub fn new(issuer: Arc<dyn SubjectExt>, this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
+    pub fn new(this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
         Self {
-            issuer,
             this_is_the_main_service,
         }
     }
diff --git a/agent_issuance/src/state.rs b/agent_issuance/src/state.rs
index 11a0eb62..c42471e5 100644
--- a/agent_issuance/src/state.rs
+++ b/agent_issuance/src/state.rs
@@ -1,4 +1,4 @@
-use agent_secret_manager::subject::SubjectExt;
+use agent_identity::services::SubjectExt;
 use agent_shared::application_state::CommandHandler;
 use agent_shared::config::{
     config, get_all_enabled_did_methods, get_all_enabled_signing_algorithms_supported, CredentialConfiguration,
diff --git a/agent_secret_manager/src/lib.rs b/agent_secret_manager/src/lib.rs
index be28a945..fdf5382f 100644
--- a/agent_secret_manager/src/lib.rs
+++ b/agent_secret_manager/src/lib.rs
@@ -10,9 +10,8 @@ use log::info;
 // Aggregates
 pub mod managed_key;
 
-pub mod service;
+pub mod services;
 pub mod state;
-pub mod subject;
 
 pub async fn stronghold_storage() -> StrongholdExtStorage {
     #[cfg(feature = "test_utils")]
diff --git a/agent_secret_manager/src/managed_key/aggregate.rs b/agent_secret_manager/src/managed_key/aggregate.rs
index 8842688e..97d13e9e 100644
--- a/agent_secret_manager/src/managed_key/aggregate.rs
+++ b/agent_secret_manager/src/managed_key/aggregate.rs
@@ -1,5 +1,5 @@
 use super::{command::ManagedKeyCommand, error::ManagedKeyError, event::ManagedKeyEvent};
-use crate::service::SecretManagerServices;
+use crate::services::SecretManagerServices;
 use agent_shared::config::config;
 use async_trait::async_trait;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
diff --git a/agent_secret_manager/src/service.rs b/agent_secret_manager/src/service.rs
deleted file mode 100644
index 333c399d..00000000
--- a/agent_secret_manager/src/service.rs
+++ /dev/null
@@ -1,26 +0,0 @@
-use crate::{stronghold_storage, subject::SubjectExt};
-use did_manager_identity_stronghold_ext::StrongholdExtStorage;
-use std::sync::Arc;
-
-/// Convenience trait for Services like `IssuanceServices`, `HolderServices`, and `VerifierServices`.
-pub trait Service {
-    fn new(subject: Arc<dyn SubjectExt>) -> Self;
-
-    // #[cfg(feature = "test_utils")]
-    // fn default() -> Arc<Self>
-    // where
-    //     Self: Sized,
-    // {
-    //     Arc::new(Self::new(Arc::new(crate::subject::Subject::default())))
-    // }
-}
-
-pub struct SecretManagerServices {
-    pub stronghold_storage: StrongholdExtStorage,
-}
-
-impl SecretManagerServices {
-    pub fn new(stronghold_storage: StrongholdExtStorage) -> Self {
-        Self { stronghold_storage }
-    }
-}
diff --git a/agent_secret_manager/src/services.rs b/agent_secret_manager/src/services.rs
new file mode 100644
index 00000000..71d772ae
--- /dev/null
+++ b/agent_secret_manager/src/services.rs
@@ -0,0 +1,14 @@
+use crate::stronghold_storage;
+use did_manager_identity_stronghold_ext::StrongholdExtStorage;
+
+pub struct SecretManagerServices {
+    pub stronghold_storage: StrongholdExtStorage,
+}
+
+impl SecretManagerServices {
+    pub async fn new() -> Self {
+        let stronghold_storage = stronghold_storage().await;
+
+        Self { stronghold_storage }
+    }
+}
diff --git a/agent_secret_manager/src/subject.rs b/agent_secret_manager/src/subject.rs
deleted file mode 100644
index 2a788cc7..00000000
--- a/agent_secret_manager/src/subject.rs
+++ /dev/null
@@ -1,244 +0,0 @@
-use crate::stronghold_storage;
-use agent_shared::config::{config, SupportedDidMethod};
-use anyhow::anyhow;
-use async_trait::async_trait;
-use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
-use did_manager_consumer::resolver::Resolver;
-use did_manager_identity_stronghold_ext::StrongholdExtStorage;
-use identity_iota::storage::{JwkStorage, KeyId};
-use identity_iota::verification::jwk::Jwk;
-use identity_iota::{did::DID, document::DIDUrlQuery, verification::jwk::JwkParams};
-use jsonwebtoken::Algorithm;
-use oid4vc_core::{authentication::sign::ExternalSign, Sign, Verify};
-use std::str::FromStr;
-use std::sync::Arc;
-
-/// Reponsible for signing and verifying data.
-#[derive(Debug)]
-pub struct Subject {
-    pub stronghold_storage: StrongholdExtStorage,
-}
-
-impl Subject {
-    /// Create a new Subject.
-    pub async fn new() -> Self {
-        let stronghold_storage = stronghold_storage().await;
-
-        Self { stronghold_storage }
-    }
-
-    pub async fn get_public_key(&self, key_id: KeyId, algorithm: &Algorithm) -> anyhow::Result<Jwk> {
-        match algorithm {
-            Algorithm::EdDSA => self.stronghold_storage.get_ed25519_public_key(&key_id).await,
-            Algorithm::ES256 => self.stronghold_storage.get_es256_public_key(&key_id).await,
-            _ => anyhow::bail!("Unsuported algorithm"),
-        }
-        .map_err(Into::into)
-    }
-}
-
-#[async_trait]
-pub trait SubjectExt: oid4vc_core::Subject {
-    async fn resolve_public_key(&self, did_url: &str) -> anyhow::Result<Jwk>;
-}
-
-/// Extension trait for `Subject` to provide additional functionality.
-#[async_trait]
-impl SubjectExt for Subject {
-    /// Resolves the public key for a given DID URL.
-    async fn resolve_public_key(&self, did_url: &str) -> anyhow::Result<Jwk> {
-        let did_url =
-            identity_iota::did::DIDUrl::parse(did_url).map_err(|err| anyhow!("Failed to parse DID URL: {err}"))?;
-
-        // TODO: Make sure the resolver only needs to be created once.
-        let resolver = Resolver::new().await;
-
-        let document = resolver
-            .resolve(did_url.did().as_str())
-            .await
-            .map_err(|err| anyhow!("Failed to resolve DID Document for DID: `{did_url}`, error: {err}"))?;
-
-        let verification_method = document
-            .resolve_method(DIDUrlQuery::from(&did_url), None)
-            .ok_or(anyhow!(
-                "Failed to resolve verification method for DID URL: `{did_url}`"
-            ))?;
-
-        verification_method
-            .data()
-            .public_key_jwk()
-            .ok_or_else(|| anyhow!("Failed to resolve public key for DID URL: `{did_url}`"))
-            .cloned()
-    }
-}
-
-/// This module contains implementations for `Subject` for testing purposes.
-/// It is only available when the `test_utils` feature is enabled.
-#[cfg(feature = "test_utils")]
-mod default_subject {
-    use super::*;
-
-    // This `Default` implementation for `Subject` returns a new `Subject` with the Verification Method IDs already preloaded.
-    impl Default for Subject {
-        fn default() -> Self {
-            futures::executor::block_on(async {
-                let stronghold_storage = stronghold_storage().await;
-
-                Self { stronghold_storage }
-            })
-        }
-    }
-}
-
-#[async_trait]
-impl Verify for Subject {
-    async fn public_key(&self, did_url: &str) -> anyhow::Result<Vec<u8>> {
-        let did_url =
-            identity_iota::did::DIDUrl::parse(did_url).map_err(|err| anyhow!("Failed to parse DID URL: {err}"))?;
-
-        // TODO: Make sure the resolver only needs to be created once.
-        let resolver = Resolver::new().await;
-
-        let document = resolver
-            .resolve(did_url.did().as_str())
-            .await
-            .map_err(|err| anyhow!("Failed to resolve DID Document for DID: `{did_url}`, error: {err}"))?;
-
-        let verification_method = document
-            .resolve_method(DIDUrlQuery::from(&did_url), None)
-            .ok_or(anyhow!(
-                "Failed to resolve verification method for DID URL: `{did_url}`"
-            ))?;
-
-        // Try decode from `MethodData` directly, else use public JWK params.
-        verification_method.data().try_decode().or_else(|_| {
-            verification_method
-                .data()
-                .public_key_jwk()
-                .and_then(|public_key_jwk| match public_key_jwk.params() {
-                    JwkParams::Okp(okp_params) => URL_SAFE_NO_PAD.decode(&okp_params.x).ok(),
-                    JwkParams::Ec(ec_params) => {
-                        let x_bytes = URL_SAFE_NO_PAD.decode(&ec_params.x).ok()?;
-                        let y_bytes = URL_SAFE_NO_PAD.decode(&ec_params.y).ok()?;
-
-                        let encoded_point = p256::EncodedPoint::from_affine_coordinates(
-                            p256::FieldBytes::from_slice(&x_bytes),
-                            p256::FieldBytes::from_slice(&y_bytes),
-                            false, // false for uncompressed point
-                        );
-
-                        let verifying_key = p256::ecdsa::VerifyingKey::from_encoded_point(&encoded_point)
-                            .expect("Failed to create verifying key from encoded point");
-
-                        Some(verifying_key.to_encoded_point(false).as_bytes().to_vec())
-                    }
-                    _ => None,
-                })
-                .ok_or(anyhow!("Failed to decode public key for DID URL: `{did_url}`"))
-        })
-    }
-}
-
-#[async_trait]
-impl Sign for Subject {
-    async fn key_id(&self, subject_syntax_type: &str, algorithm: Algorithm) -> Option<String> {
-        let method = SupportedDidMethod::from_str(subject_syntax_type).ok()?;
-
-        // self.get_verification_method_id(StorageKey::new(method, algorithm))
-        //     .await
-        //     .as_ref()
-        //     .map(ToString::to_string)
-
-        todo!()
-    }
-
-    async fn sign(&self, message: &str, _subject_syntax_type: &str, algorithm: Algorithm) -> anyhow::Result<Vec<u8>> {
-        let stronghold_storage = &self.stronghold_storage;
-
-        todo!();
-
-        // stronghold_storage
-        //     .sign(&key_id, message.as_bytes(), &public_key)
-        //     .await
-        //     .map_err(Into::into)
-    }
-
-    fn external_signer(&self) -> Option<Arc<dyn ExternalSign>> {
-        None
-    }
-}
-
-#[async_trait]
-impl oid4vc_core::Subject for Subject {
-    async fn identifier(&self, subject_syntax_type: &str, algorithm: Algorithm) -> anyhow::Result<String> {
-        let method = SupportedDidMethod::from_str(subject_syntax_type)
-            .map_err(|e| anyhow!("Failed to parse SupportedDidMethod from string: {}", e))?;
-
-        // self.get_verification_method_id(StorageKey::new(method, algorithm))
-        //     .await
-        //     .as_ref()
-        //     .map(DIDUrl::did)
-        //     .map(ToString::to_string)
-        //     .ok_or_else(|| anyhow!("Failed to get verification method ID"))
-
-        todo!()
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use agent_shared::config::{default_issuer_eddsa_key_id, set_config, SecretManagerConfig};
-    use ring::signature::{UnparsedPublicKey, ECDSA_P256_SHA256_FIXED, ED25519};
-
-    const ES256_SIGNED_JWT: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDpqd2s6ZXlKaGJHY2lPaUpGVXpJMU5pSXNJbU55ZGlJNklsQXRNalUySWl3aWEybGtJam9pTkVGMVdXaFNRMk5HYkc0eWJuUm5VMTlxT1hCRlFtUkxkekl3VUhRdGJHRnFXVWh0V1RkQk1FMUdUU0lzSW10MGVTSTZJa1ZESWl3aWVDSTZJakpNV0dwT1JFOTZWM1J3WlZOWk0ydGlUbEkyWm14YVRVUjRZV2gxYXpKMlVXMWpkWFprUVRodk5EUWlMQ0o1SWpvaVpFRjJSVlpzV0UxSFVFdGFjMnRXV1RSWlZ6QnpPRUk0UzNZM2Myc3hZemt5VDA1WVJFcHZlRjlJY3lKOSMwIn0.eyJpc3MiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaU5FRjFXV2hTUTJOR2JHNHliblJuVTE5cU9YQkZRbVJMZHpJd1VIUXRiR0ZxV1VodFdUZEJNRTFHVFNJc0ltdDBlU0k2SWtWRElpd2llQ0k2SWpKTVdHcE9SRTk2VjNSd1pWTlpNMnRpVGxJMlpteGFUVVI0WVdoMWF6SjJVVzFqZFhaa1FUaHZORFFpTENKNUlqb2laRUYyUlZac1dFMUhVRXRhYzJ0V1dUUlpWekJ6T0VJNFMzWTNjMnN4WXpreVQwNVlSRXB2ZUY5SWN5SjkiLCJzdWIiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaU5FRjFXV2hTUTJOR2JHNHliblJuVTE5cU9YQkZRbVJMZHpJd1VIUXRiR0ZxV1VodFdUZEJNRTFHVFNJc0ltdDBlU0k2SWtWRElpd2llQ0k2SWpKTVdHcE9SRTk2VjNSd1pWTlpNMnRpVGxJMlpteGFUVVI0WVdoMWF6SjJVVzFqZFhaa1FUaHZORFFpTENKNUlqb2laRUYyUlZac1dFMUhVRXRhYzJ0V1dUUlpWekJ6T0VJNFMzWTNjMnN4WXpreVQwNVlSRXB2ZUY5SWN5SjkiLCJhdWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaVlrNDNiSEpaWVhOUlZrNDNMVUpZY0MxMFdFVldTR1l0YVhkTWRsVnRiWHByVUZsc2VHWlRWRkZvVlNJc0ltdDBlU0k2SWtWRElpd2llQ0k2SW1odVkyNU5UM2sxU0dGWGJ6SmFTbmhCWW5sWU1GOW1NVTFHU1dsMlRrRmtUMjFXYjNSWGVWZG9ielFpTENKNUlqb2libE5wYkhwMllsTmFYMUp1VWpOU2RreHdkRWxITmpkVWJWVkVhR1ZQWVZGNlltczJhVFJmWDBkeVFTSjkiLCJleHAiOjE3MjMwMjkyMjUsImlhdCI6MTcyMzAyODYyNSwibm9uY2UiOiJ0aGlzIGlzIGEgbm9uY2UifQ.w202CZKOeGM9k35tysJylksBUGI3fvkOgsPPVrfXYZzurns7KF5plMiR_KHH4H_GpYg57Nf2JWa3YEcXGDTVdw";
-    const EDDSA_SIGNED_JWT: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImtpZCI6ImRpZDpqd2s6ZXlKaGJHY2lPaUpGWkVSVFFTSXNJbU55ZGlJNklrVmtNalUxTVRraUxDSnJhV1FpT2lKSmJWOVpNRkZQTm05SFgyczVNbTlzY1RWTWRIUTJZVkE0YzE5QmJFRmhWVUl6UzBkelVFY3RlR0kwSWl3aWEzUjVJam9pVDB0UUlpd2llQ0k2SWxaUGFrUjBRblozY0daalNraHlUelpMVjFOUGRYTlZVR1ptUWt3eVIxOUtjWFp0VVRZNFMzaDRWalFpZlEjMCJ9.eyJpc3MiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlpFUlRRU0lzSW1OeWRpSTZJa1ZrTWpVMU1Ua2lMQ0pyYVdRaU9pSkpiVjlaTUZGUE5tOUhYMnM1TW05c2NUVk1kSFEyWVZBNGMxOUJiRUZoVlVJelMwZHpVRWN0ZUdJMElpd2lhM1I1SWpvaVQwdFFJaXdpZUNJNklsWlBha1IwUW5aM2NHWmpTa2h5VHpaTFYxTlBkWE5WVUdabVFrd3lSMTlLY1hadFVUWTRTM2g0VmpRaWZRIiwic3ViIjoiZGlkOmp3azpleUpoYkdjaU9pSkZaRVJUUVNJc0ltTnlkaUk2SWtWa01qVTFNVGtpTENKcmFXUWlPaUpKYlY5Wk1GRlBObTlIWDJzNU1tOXNjVFZNZEhRMllWQTRjMTlCYkVGaFZVSXpTMGR6VUVjdGVHSTBJaXdpYTNSNUlqb2lUMHRRSWl3aWVDSTZJbFpQYWtSMFFuWjNjR1pqU2toeVR6WkxWMU5QZFhOVlVHWm1Ra3d5UjE5S2NYWnRVVFk0UzNoNFZqUWlmUSIsImF1ZCI6ImRpZDpqd2s6ZXlKaGJHY2lPaUpGWkVSVFFTSXNJbU55ZGlJNklrVmtNalUxTVRraUxDSnJhV1FpT2lKdFFqSXhUV2t5Y1V0WVZtTTFOREpVWWt0U09UZ3lUelpUWjFKWVZrWlFaVzV3TTNGWWRIRlRla3R2SWl3aWEzUjVJam9pVDB0UUlpd2llQ0k2SWprM1JVRXpSSE5vUmpONlIwSllTVjlVYnpObVJrUnJNVTFxV1VaYVV6bFZiMUpVYmxCT1NIUlpVV01pZlEiLCJleHAiOjE3MjMwMzE3MTQsImlhdCI6MTcyMzAzMTExNCwibm9uY2UiOiJ0aGlzIGlzIGEgbm9uY2UifQ.oGRYpwH4QvWZs0bZkgAuxq6MqNYdoX44KxNfRl7GzXCnv_0D_c19rhYMwzn04R7udNCthFDr7GUhXLQgROlUDw";
-
-    lazy_static::lazy_static! {
-        static ref SECRET_MANAGER_CONFIG: SecretManagerConfig = SecretManagerConfig {
-            stronghold_password: "sup3rSecr3t".to_string(),
-            stronghold_path: "/tmp/stronghold".to_string(),
-            issuer_eddsa_key_id: default_issuer_eddsa_key_id(),
-        };
-    }
-
-    #[tokio::test]
-    async fn es256_signed_jwt_successfully_verified() {
-        set_config().set_secret_manager_config(SECRET_MANAGER_CONFIG.clone());
-
-        // let subject = Arc::new(Subject::default());
-
-        // let mut split = ES256_SIGNED_JWT.rsplitn(2, '.');
-        // let (signature, message) = (split.next().unwrap(), split.next().unwrap());
-
-        // // Decode the signature.
-        // let signature_bytes = URL_SAFE_NO_PAD.decode(signature).unwrap();
-
-        // // Resolve the public key from the DID Document
-        // let public_key_bytes = subject.public_key("did:jwk:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia2lkIjoiNEF1WWhSQ2NGbG4ybnRnU19qOXBFQmRLdzIwUHQtbGFqWUhtWTdBME1GTSIsImt0eSI6IkVDIiwieCI6IjJMWGpORE96V3RwZVNZM2tiTlI2ZmxaTUR4YWh1azJ2UW1jdXZkQThvNDQiLCJ5IjoiZEF2RVZsWE1HUEtac2tWWTRZVzBzOEI4S3Y3c2sxYzkyT05YREpveF9IcyJ9#0").await.unwrap();
-
-        // // Verify the signature
-        // let public_key = UnparsedPublicKey::new(&ECDSA_P256_SHA256_FIXED, public_key_bytes);
-        // assert!(public_key.verify(message.as_bytes(), &signature_bytes).is_ok());
-    }
-
-    #[tokio::test]
-    async fn eddsa_signed_jwt_successfully_verified() {
-        set_config().set_secret_manager_config(SECRET_MANAGER_CONFIG.clone());
-
-        // let subject = Arc::new(Subject::default());
-
-        // let mut split = EDDSA_SIGNED_JWT.rsplitn(2, '.');
-        // let (signature, message) = (split.next().unwrap(), split.next().unwrap());
-
-        // // Decode the signature.
-        // let signature_bytes = URL_SAFE_NO_PAD.decode(signature).unwrap();
-
-        // // Resolve the public key from the DID Document
-        // let public_key_bytes = subject.public_key("did:jwk:eyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJJbV9ZMFFPNm9HX2s5Mm9scTVMdHQ2YVA4c19BbEFhVUIzS0dzUEcteGI0Iiwia3R5IjoiT0tQIiwieCI6IlZPakR0QnZ3cGZjSkhyTzZLV1NPdXNVUGZmQkwyR19KcXZtUTY4S3h4VjQifQ#0").await.unwrap();
-
-        // // Verify the signature
-        // let public_key = UnparsedPublicKey::new(&ED25519, public_key_bytes);
-        // assert!(public_key.verify(message.as_bytes(), &signature_bytes).is_ok());
-    }
-}
diff --git a/agent_store/src/lib.rs b/agent_store/src/lib.rs
index b77b316b..9d7eae02 100644
--- a/agent_store/src/lib.rs
+++ b/agent_store/src/lib.rs
@@ -43,7 +43,7 @@ use agent_library::template::aggregate::Template;
 use agent_library::template::views::all_templates::AllTemplatesView;
 use agent_secret_manager::managed_key::aggregate::ManagedKey;
 use agent_secret_manager::managed_key::views::all_managed_keys::AllManagedKeysView;
-use agent_secret_manager::service::SecretManagerServices;
+use agent_secret_manager::services::SecretManagerServices;
 use agent_secret_manager::state::SecretManagerState;
 use agent_shared::application_state::Command;
 use agent_shared::custom_queries::ListAllQuery;
diff --git a/agent_verification/Cargo.toml b/agent_verification/Cargo.toml
index f911c074..5d6bfadf 100644
--- a/agent_verification/Cargo.toml
+++ b/agent_verification/Cargo.toml
@@ -5,6 +5,7 @@ edition.workspace = true
 rust-version.workspace = true
 
 [dependencies]
+agent_identity = { path = "../agent_identity" }
 agent_secret_manager = { path = "../agent_secret_manager" }
 agent_shared = { path = "../agent_shared" }
 
diff --git a/agent_verification/src/authorization_request/aggregate.rs b/agent_verification/src/authorization_request/aggregate.rs
index fb44a3c9..cb523358 100644
--- a/agent_verification/src/authorization_request/aggregate.rs
+++ b/agent_verification/src/authorization_request/aggregate.rs
@@ -10,6 +10,7 @@ use agent_shared::config::{config, get_preferred_signing_algorithm};
 use async_trait::async_trait;
 use cqrs_es::Aggregate;
 use oid4vc_core::client_metadata::ClientMetadataResource;
+use oid4vc_core::Subject as _;
 use oid4vc_core::{authorization_request::ByReference, scope::Scope};
 use oid4vp::token::vp_token_builder::VpTokenBuilder;
 use oid4vp::{authorization_request::ClientId, oid4vp::DecodedVpToken};
@@ -53,8 +54,8 @@ impl Aggregate for AuthorizationRequest {
                 dcql_query,
             } => {
                 let default_subject_syntax_type = services.relying_party.default_subject_syntax_type().to_string();
-                let verifier = &services.verifier;
-                let verifier_did = verifier
+                let this_is_the_main_service = &services.this_is_the_main_service;
+                let verifier_did = this_is_the_main_service
                     .identifier(&default_subject_syntax_type, get_preferred_signing_algorithm())
                     .await
                     .unwrap();
diff --git a/agent_verification/src/services.rs b/agent_verification/src/services.rs
index 8fb8ba0d..1c5a2b1f 100644
--- a/agent_verification/src/services.rs
+++ b/agent_verification/src/services.rs
@@ -1,4 +1,4 @@
-use agent_secret_manager::{service::Service, subject::SubjectExt};
+use agent_identity::services::ThisIsTheMainService;
 use agent_shared::config::{
     config, get_all_enabled_did_methods, get_all_enabled_signing_algorithms_supported, get_preferred_did_method,
 };
@@ -9,14 +9,14 @@ use std::{collections::HashMap, str::FromStr, sync::Arc};
 
 /// Verification services. This struct is used to generate authorization requests and validate authorization responses.
 pub struct VerificationServices {
-    pub verifier: Arc<dyn SubjectExt>,
+    pub this_is_the_main_service: Arc<ThisIsTheMainService>,
     pub relying_party: RelyingPartyManager,
     pub siopv2_client_metadata: ClientMetadataResource<siopv2::authorization_request::ClientMetadataParameters>,
     pub oid4vp_client_metadata: ClientMetadataResource<oid4vp::authorization_request::ClientMetadataParameters>,
 }
 
-impl Service for VerificationServices {
-    fn new(verifier: Arc<dyn SubjectExt>) -> Self {
+impl VerificationServices {
+    pub fn new(this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
         let client_name = config().display.first().as_ref().map(|display| display.name.clone());
 
         let logo_uri = config()
@@ -59,9 +59,9 @@ impl Service for VerificationServices {
         let default_subject_syntax_type = get_preferred_did_method();
 
         Self {
-            verifier: verifier.clone(),
+            this_is_the_main_service: this_is_the_main_service.clone(),
             relying_party: RelyingPartyManager::new(
-                verifier,
+                this_is_the_main_service,
                 default_subject_syntax_type.to_string(),
                 signing_algorithms_supported,
             )

From b0e5d48d49cb828f48813e0d3a0e7b5724fafbac Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Wed, 31 Dec 2025 00:29:40 +0100
Subject: [PATCH 09/14] refactor: test modules and enable test utilities

---
 Cargo.lock                                    |   2 +
 agent_api_http/src/utils.rs                   |  67 ++++-
 .../authorization_server/authorize.rs         |  12 +-
 .../authorization/authorization_server/par.rs |  17 +-
 .../authorization_server/token.rs             |   9 +-
 .../issuance/credential_issuer/credential.rs  |  10 +-
 .../credential_issuer/notification.rs         |  17 +-
 .../credential_issuer/token_status_list.rs    |   9 +-
 .../well_known/oauth_authorization_server.rs  |   9 +-
 .../well_known/openid_credential_issuer.rs    |  10 +-
 agent_api_http/src/v0/issuance/credentials.rs |   9 +-
 agent_api_http/src/v0/issuance/offers/mod.rs  |   6 +-
 .../v0/verification/authorization_requests.rs |   8 +-
 .../v0/verification/relying_party/redirect.rs |  11 +-
 .../v0/verification/relying_party/request.rs  |   6 +-
 agent_identity/src/connection/aggregate.rs    |  72 +++---
 agent_identity/src/document/aggregate.rs      | 208 +++++++--------
 agent_identity/src/service/aggregate.rs       | 167 ++++++------
 agent_identity/src/services.rs                |  20 +-
 agent_issuance/Cargo.toml                     |  11 +-
 agent_issuance/src/credential/aggregate.rs    |   1 -
 agent_issuance/src/lib.rs                     |  12 -
 agent_issuance/src/offer/aggregate.rs         |  21 +-
 agent_secret_manager/src/lib.rs               |  30 +++
 agent_secret_manager/src/subject.rs           | 244 ++++++++++++++++++
 agent_shared/src/custom_queries.rs            |  13 +
 agent_store/src/lib.rs                        |   5 +-
 27 files changed, 694 insertions(+), 312 deletions(-)
 create mode 100644 agent_secret_manager/src/subject.rs

diff --git a/Cargo.lock b/Cargo.lock
index a0507d6d..10d597c3 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -356,12 +356,14 @@ dependencies = [
  "chrono",
  "cqrs-es",
  "derivative",
+ "did-key",
  "identity_core",
  "identity_credential",
  "jsonwebtoken",
  "lazy_static",
  "oauth_tsl",
  "oid4vc-core",
+ "oid4vc-manager",
  "oid4vci",
  "once_cell",
  "rand 0.9.1",
diff --git a/agent_api_http/src/utils.rs b/agent_api_http/src/utils.rs
index 356e65a5..6d421c44 100644
--- a/agent_api_http/src/utils.rs
+++ b/agent_api_http/src/utils.rs
@@ -162,13 +162,78 @@ pub(crate) mod serde_explicit_null {
 }
 
 #[cfg(test)]
-mod tests {
+pub mod tests {
     use super::*;
+    use agent_authorization::services::AuthorizationServices;
+    use agent_authorization::state::AuthorizationState;
+    use agent_identity::services::{IdentityServices, ThisIsTheMainService};
+    use agent_issuance::services::IssuanceServices;
+    use agent_issuance::state::IssuanceState;
+    use agent_secret_manager::services::SecretManagerServices;
+    use agent_store::in_memory::InMemory;
+    use agent_store::{issuance_state, EventPublisher};
+    use agent_verification::services::VerificationServices;
+    use agent_verification::state::VerificationState;
     use axum::body::Body;
     use axum::http::{Method, Request};
     use oid4vc_core::utils::form_urlencoded::to_form_urlencoded_string;
     use serde::{Deserialize, Serialize};
     use serde_json::json;
+    use std::sync::Arc;
+
+    pub(crate) async fn main_service() -> Arc<ThisIsTheMainService> {
+        let secret_manager_services = Arc::new(SecretManagerServices::new().await);
+        let secret_manager_state =
+            Arc::new(agent_store::secret_manager_state(&InMemory, secret_manager_services.clone(), vec![]).await);
+
+        let identity_services = Arc::new(IdentityServices::new(secret_manager_services.clone()));
+        let identity_state = Arc::new(agent_store::identity_state(&InMemory, identity_services, vec![]).await);
+
+        let this_is_the_main_service = Arc::new(
+            ThisIsTheMainService::new(
+                secret_manager_state.clone(),
+                secret_manager_services.clone(),
+                identity_state.clone(),
+            )
+            .await,
+        );
+        this_is_the_main_service
+    }
+
+    pub(crate) async fn test_issuance_state(
+        main_service: Arc<ThisIsTheMainService>,
+        event_publishers: Vec<Box<dyn EventPublisher>>,
+    ) -> Arc<IssuanceState> {
+        Arc::new(
+            issuance_state(
+                &InMemory,
+                Arc::new(IssuanceServices::new(main_service)),
+                event_publishers,
+            )
+            .await,
+        )
+    }
+
+    pub(crate) async fn test_authorization_state(main_service: Arc<ThisIsTheMainService>) -> Arc<AuthorizationState> {
+        Arc::new(
+            agent_store::authorization_state(&InMemory, Arc::new(AuthorizationServices::new(main_service)), vec![])
+                .await,
+        )
+    }
+
+    pub(crate) async fn test_verification_state(
+        main_service: Arc<ThisIsTheMainService>,
+        event_publishers: Vec<Box<dyn EventPublisher>>,
+    ) -> Arc<VerificationState> {
+        Arc::new(
+            agent_store::verification_state(
+                &InMemory,
+                Arc::new(VerificationServices::new(main_service)),
+                event_publishers,
+            )
+            .await,
+        )
+    }
 
     #[derive(Debug, Serialize, Deserialize, PartialEq)]
     struct TestObject {
diff --git a/agent_api_http/src/v0/authorization/authorization_server/authorize.rs b/agent_api_http/src/v0/authorization/authorization_server/authorize.rs
index 5a24f8f7..aa4f299c 100644
--- a/agent_api_http/src/v0/authorization/authorization_server/authorize.rs
+++ b/agent_api_http/src/v0/authorization/authorization_server/authorize.rs
@@ -34,13 +34,15 @@ pub(crate) async fn authorize(
 #[cfg(test)]
 pub mod tests {
     use super::*;
+    use crate::utils::tests::{main_service, test_authorization_state, test_issuance_state};
     use crate::v0::authorization::authorization_server::consent::tests::{get_consent, post_consent};
     use crate::v0::authorization::authorization_server::par::tests::par;
     use crate::v0::issuance::credentials::tests::credentials;
     use crate::v0::issuance::offers::tests::offers;
     use crate::v0::{authorization, issuance};
+    use agent_authorization::services::AuthorizationServices;
     use agent_authorization::state::UNIME_CLIENT_ID;
-    use agent_secret_manager::services::Service;
+    use agent_issuance::services::IssuanceServices;
     use agent_store::in_memory::InMemory;
     use agent_store::{authorization_state, issuance_state};
     use axum::{
@@ -110,7 +112,9 @@ pub mod tests {
     #[serial_test::serial]
     #[tokio::test]
     async fn test_authorization_endpoint() {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let main_service = main_service().await;
+
+        let issuance_state = test_issuance_state(main_service.clone(), vec![]).await;
 
         agent_issuance::state::initialize(&issuance_state).await.unwrap();
 
@@ -121,8 +125,8 @@ pub mod tests {
         let AuthorizationCode { issuer_state, .. } = authorization_code.unwrap();
         let issuer_state = issuer_state.unwrap();
 
-        let authorization_state =
-            Arc::new(authorization_state(&InMemory, Service::default(), Default::default()).await);
+        let authorization_state = test_authorization_state(main_service).await;
+
         agent_authorization::state::initialize(&authorization_state)
             .await
             .unwrap();
diff --git a/agent_api_http/src/v0/authorization/authorization_server/par.rs b/agent_api_http/src/v0/authorization/authorization_server/par.rs
index 26e6b288..d0ee4050 100644
--- a/agent_api_http/src/v0/authorization/authorization_server/par.rs
+++ b/agent_api_http/src/v0/authorization/authorization_server/par.rs
@@ -26,15 +26,17 @@ pub(crate) async fn par(
 #[cfg(test)]
 pub mod tests {
     use super::*;
-    use crate::v0::{
-        authorization,
-        issuance::{self, credentials::tests::credentials, offers::tests::offers},
+    use crate::{
+        utils::tests::{main_service, test_authorization_state, test_issuance_state},
+        v0::{
+            authorization,
+            issuance::{self, credentials::tests::credentials, offers::tests::offers},
+        },
     };
     use agent_authorization::state::UNIME_CLIENT_ID;
     use agent_authorization::{
         domain::oauth2_authorization_request::aggregate::test_utils::code_challenge, state::UNIME_REDIRECT_URI,
     };
-    use agent_secret_manager::services::Service;
     use agent_store::{authorization_state, in_memory::InMemory, issuance_state};
     use axum::{
         body::Body,
@@ -104,7 +106,9 @@ pub mod tests {
     #[serial_test::serial]
     #[tokio::test]
     async fn test_pushed_authorization_request_endpoint() {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let main_service = main_service().await;
+
+        let issuance_state = test_issuance_state(main_service.clone(), vec![]).await;
 
         agent_issuance::state::initialize(&issuance_state).await.unwrap();
 
@@ -115,8 +119,7 @@ pub mod tests {
         let AuthorizationCode { issuer_state, .. } = authorization_code.unwrap();
         let issuer_state = issuer_state.unwrap();
 
-        let authorization_state =
-            Arc::new(authorization_state(&InMemory, Service::default(), Default::default()).await);
+        let authorization_state = test_authorization_state(main_service).await;
         agent_authorization::state::initialize(&authorization_state)
             .await
             .unwrap();
diff --git a/agent_api_http/src/v0/authorization/authorization_server/token.rs b/agent_api_http/src/v0/authorization/authorization_server/token.rs
index 6d329536..9f090e7d 100644
--- a/agent_api_http/src/v0/authorization/authorization_server/token.rs
+++ b/agent_api_http/src/v0/authorization/authorization_server/token.rs
@@ -25,6 +25,7 @@ pub(crate) async fn token(
 #[cfg(test)]
 pub mod tests {
     use super::*;
+    use crate::utils::tests::{main_service, test_authorization_state, test_issuance_state};
     use crate::v0::{
         authorization::{
             self,
@@ -40,7 +41,6 @@ pub mod tests {
     use agent_authorization::{
         domain::oauth2_authorization_request::aggregate::test_utils::code_verifier, state::UNIME_REDIRECT_URI,
     };
-    use agent_secret_manager::services::Service;
     use agent_store::{authorization_state, in_memory::InMemory, issuance_state};
     use axum::{
         body::Body,
@@ -139,7 +139,9 @@ pub mod tests {
     #[serial_test::serial]
     #[tokio::test]
     async fn test_token_endpoint(#[case] is_pre_authorized: bool) {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let main_service = main_service().await;
+
+        let issuance_state = test_issuance_state(main_service.clone(), vec![]).await;
 
         agent_issuance::state::initialize(&issuance_state).await.unwrap();
 
@@ -154,8 +156,7 @@ pub mod tests {
         credentials(&mut app, &credential_configuration_id).await;
         let grants = offers(&mut app, &credential_configuration_id).await.unwrap();
 
-        let authorization_state =
-            Arc::new(authorization_state(&InMemory, Service::default(), Default::default()).await);
+        let authorization_state = test_authorization_state(main_service).await;
 
         agent_authorization::state::initialize(&authorization_state)
             .await
diff --git a/agent_api_http/src/v0/issuance/credential_issuer/credential.rs b/agent_api_http/src/v0/issuance/credential_issuer/credential.rs
index 1e8fe3f4..2a2ed59a 100644
--- a/agent_api_http/src/v0/issuance/credential_issuer/credential.rs
+++ b/agent_api_http/src/v0/issuance/credential_issuer/credential.rs
@@ -147,10 +147,10 @@ pub mod tests {
         v0::issuance::{credentials::CredentialsEndpointRequest, offers::tests::offers},
     };
 
+    use crate::utils::tests::{main_service, test_authorization_state, test_issuance_state};
     use agent_event_publisher_http::EventPublisherHttp;
     use agent_issuance::credential::aggregate::CredentialExpiry;
     use agent_issuance::offer::event::OfferEvent;
-    use agent_secret_manager::services::Service;
     use agent_shared::config::{set_config, Events};
     use agent_store::authorization_state;
     use agent_store::{in_memory::InMemory, issuance_state, EventPublisher};
@@ -159,6 +159,7 @@ pub mod tests {
         http::{self, Request},
         Router,
     };
+
     use rstest::rstest;
     use serde_json::{json, Value};
     use std::sync::Arc;
@@ -352,7 +353,9 @@ pub mod tests {
             (None, Default::default())
         };
 
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), issuance_event_publishers).await);
+        let main_service = main_service().await;
+
+        let issuance_state = test_issuance_state(main_service.clone(), issuance_event_publishers).await;
         agent_issuance::state::initialize(&issuance_state).await.unwrap();
 
         let mut issuance_app = router(issuance_state.clone());
@@ -382,8 +385,7 @@ pub mod tests {
 
         let grants = offers(&mut issuance_app, &credential_configuration_id).await.unwrap();
 
-        let authorization_state =
-            Arc::new(authorization_state(&InMemory, Service::default(), Default::default()).await);
+        let authorization_state = test_authorization_state(main_service).await;
         agent_authorization::state::initialize(&authorization_state)
             .await
             .unwrap();
diff --git a/agent_api_http/src/v0/issuance/credential_issuer/notification.rs b/agent_api_http/src/v0/issuance/credential_issuer/notification.rs
index 3543a4e2..77d08a7a 100644
--- a/agent_api_http/src/v0/issuance/credential_issuer/notification.rs
+++ b/agent_api_http/src/v0/issuance/credential_issuer/notification.rs
@@ -63,12 +63,12 @@ pub async fn notification(
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::utils::tests::{main_service, test_authorization_state, test_issuance_state};
     use crate::v0::authorization::authorization_server::token::tests::token;
     use crate::v0::issuance::credential_issuer::credential::tests::credential;
     use crate::v0::issuance::credentials::tests::credentials;
     use crate::v0::issuance::offers::tests::offers;
     use crate::v0::{authorization, issuance};
-    use agent_secret_manager::services::Service;
     use agent_store::in_memory::InMemory;
     use agent_store::{authorization_state, issuance_state};
     use axum::{body::Body, http::Request};
@@ -80,15 +80,16 @@ mod tests {
     #[serial_test::serial]
     #[tokio::test]
     async fn test_valid_notification_request() {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let main_service = main_service().await;
+        let issuance_state = test_issuance_state(main_service.clone(), vec![]).await;
+
         agent_issuance::state::initialize(&issuance_state).await.unwrap();
         let mut issuance_app = issuance::router(issuance_state.clone());
 
         credentials(&mut issuance_app, "001").await;
         let grants = offers(&mut issuance_app, "001").await.unwrap();
 
-        let authorization_state =
-            Arc::new(authorization_state(&InMemory, Service::default(), Default::default()).await);
+        let authorization_state = test_authorization_state(main_service).await;
         agent_authorization::state::initialize(&authorization_state)
             .await
             .unwrap();
@@ -119,15 +120,17 @@ mod tests {
 
     #[tokio::test]
     async fn test_invalid_notification_request() {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let main_service = main_service().await;
+        let issuance_state = test_issuance_state(main_service.clone(), vec![]).await;
+
         agent_issuance::state::initialize(&issuance_state).await.unwrap();
         let mut issuance_app = issuance::router(issuance_state.clone());
 
         credentials(&mut issuance_app, "001").await;
         let grants = offers(&mut issuance_app, "001").await.unwrap();
 
-        let authorization_state =
-            Arc::new(authorization_state(&InMemory, Service::default(), Default::default()).await);
+        let authorization_state = test_authorization_state(main_service).await;
+
         agent_authorization::state::initialize(&authorization_state)
             .await
             .unwrap();
diff --git a/agent_api_http/src/v0/issuance/credential_issuer/token_status_list.rs b/agent_api_http/src/v0/issuance/credential_issuer/token_status_list.rs
index 949f633f..5781b752 100644
--- a/agent_api_http/src/v0/issuance/credential_issuer/token_status_list.rs
+++ b/agent_api_http/src/v0/issuance/credential_issuer/token_status_list.rs
@@ -42,7 +42,7 @@ pub mod tests {
     use std::sync::Arc;
 
     use agent_issuance::state::initialize;
-    use agent_secret_manager::{services::Service, subject::Subject};
+    use agent_secret_manager::subject::Subject;
     use agent_shared::config::{config, BITS_PER_STATUS, STATUS_LIST_BYTES_AMOUNT};
     use agent_store::{in_memory::InMemory, issuance_state};
     use axum::body::{self, Body};
@@ -54,14 +54,17 @@ pub mod tests {
     };
     use oid4vc_core::authentication::verify::Verify;
 
-    use crate::v0::issuance::router;
+    use crate::{
+        utils::tests::{main_service, test_issuance_state},
+        v0::issuance::router,
+    };
     use tower::Service as _;
 
     /// This test calls the token status list endpoint which in turn calls the function above.
     /// The remainder of the test breaks down the Token Status List response in various steps and checks these steps one by one.
     #[tokio::test]
     pub async fn test_token_status_list() {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let issuance_state = test_issuance_state(main_service().await, vec![]).await;
         initialize(&issuance_state).await.unwrap();
 
         let relying_party_state = Subject::default();
diff --git a/agent_api_http/src/v0/issuance/credential_issuer/well_known/oauth_authorization_server.rs b/agent_api_http/src/v0/issuance/credential_issuer/well_known/oauth_authorization_server.rs
index 18a26154..4f2dc498 100644
--- a/agent_api_http/src/v0/issuance/credential_issuer/well_known/oauth_authorization_server.rs
+++ b/agent_api_http/src/v0/issuance/credential_issuer/well_known/oauth_authorization_server.rs
@@ -26,9 +26,11 @@ pub(crate) async fn oauth_authorization_server(State(state): State<Arc<IssuanceS
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::v0::issuance::router;
+    use crate::{
+        utils::tests::{main_service, test_issuance_state},
+        v0::issuance::router,
+    };
     use agent_issuance::state::initialize;
-    use agent_secret_manager::services::Service;
     use agent_store::{in_memory::InMemory, issuance_state};
     use axum::{
         body::Body,
@@ -74,7 +76,8 @@ mod tests {
 
     #[tokio::test]
     async fn test_oauth_authorization_server_endpoint() {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let issuance_state = test_issuance_state(main_service().await, vec![]).await;
+
         initialize(&issuance_state).await.unwrap();
 
         let mut app = router(issuance_state);
diff --git a/agent_api_http/src/v0/issuance/credential_issuer/well_known/openid_credential_issuer.rs b/agent_api_http/src/v0/issuance/credential_issuer/well_known/openid_credential_issuer.rs
index eb64321d..97e2cdb8 100644
--- a/agent_api_http/src/v0/issuance/credential_issuer/well_known/openid_credential_issuer.rs
+++ b/agent_api_http/src/v0/issuance/credential_issuer/well_known/openid_credential_issuer.rs
@@ -33,9 +33,12 @@ pub(crate) async fn openid_credential_issuer(State(state): State<Arc<IssuanceSta
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::{tests::CREDENTIAL_ISSUER_METADATA, v0::issuance::router};
+    use crate::{
+        tests::CREDENTIAL_ISSUER_METADATA,
+        utils::tests::{main_service, test_issuance_state},
+        v0::issuance::router,
+    };
     use agent_issuance::state::initialize;
-    use agent_secret_manager::services::Service;
     use agent_store::{in_memory::InMemory, issuance_state};
     use axum::{
         body::Body,
@@ -71,7 +74,8 @@ mod tests {
 
     #[tokio::test]
     async fn test_openid_credential_issuer_endpoint() {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let issuance_state = test_issuance_state(main_service().await, vec![]).await;
+
         initialize(&issuance_state).await.unwrap();
 
         let mut app = router(issuance_state);
diff --git a/agent_api_http/src/v0/issuance/credentials.rs b/agent_api_http/src/v0/issuance/credentials.rs
index 11f645f5..f263276d 100644
--- a/agent_api_http/src/v0/issuance/credentials.rs
+++ b/agent_api_http/src/v0/issuance/credentials.rs
@@ -243,11 +243,11 @@ pub async fn patch_credential(
 #[cfg(test)]
 pub mod tests {
     use super::*;
-    use crate::tests::OFFER_ID;
+    use crate::utils::tests::test_issuance_state;
     use crate::v0::issuance::router;
     use crate::API_VERSION;
+    use crate::{tests::OFFER_ID, utils::tests::main_service};
     use agent_issuance::state::initialize;
-    use agent_secret_manager::services::Service;
     use agent_secret_manager::subject::Subject;
     use agent_store::in_memory::InMemory;
     use agent_store::issuance_state;
@@ -411,7 +411,7 @@ pub mod tests {
 
     #[tokio::test]
     async fn test_patch_credential() {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let issuance_state = test_issuance_state(main_service().await, vec![]).await;
         initialize(&issuance_state).await.unwrap();
 
         let mut app = router(issuance_state);
@@ -422,7 +422,8 @@ pub mod tests {
     #[tokio::test]
     #[tracing_test::traced_test]
     async fn test_credentials_endpoint() {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let issuance_state = test_issuance_state(main_service().await, vec![]).await;
+
         initialize(&issuance_state).await.unwrap();
 
         let mut app = router(issuance_state);
diff --git a/agent_api_http/src/v0/issuance/offers/mod.rs b/agent_api_http/src/v0/issuance/offers/mod.rs
index 07c320bb..b0cbe202 100644
--- a/agent_api_http/src/v0/issuance/offers/mod.rs
+++ b/agent_api_http/src/v0/issuance/offers/mod.rs
@@ -131,13 +131,13 @@ pub(crate) async fn offer(
 #[cfg(test)]
 pub mod tests {
     use super::*;
+    use crate::utils::tests::{main_service, test_issuance_state};
     use crate::API_VERSION;
     use crate::{
         tests::OFFER_ID,
         v0::issuance::{credentials::tests::credentials, router},
     };
     use agent_issuance::state::initialize;
-    use agent_secret_manager::services::Service;
     use agent_shared::config::set_config;
     use agent_store::in_memory::InMemory;
     use agent_store::issuance_state;
@@ -223,7 +223,7 @@ pub mod tests {
     #[tokio::test]
     #[tracing_test::traced_test]
     async fn test_offers_endpoint() {
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let issuance_state = test_issuance_state(main_service().await, vec![]).await;
         initialize(&issuance_state).await.unwrap();
 
         let mut app = router(issuance_state);
@@ -237,7 +237,7 @@ pub mod tests {
     #[tracing_test::traced_test]
     async fn test_offers_endpoint_by_reference() {
         set_config().credential_offer_by_value_enabled = false;
-        let issuance_state = Arc::new(issuance_state(&InMemory, Service::default(), Default::default()).await);
+        let issuance_state = test_issuance_state(main_service().await, vec![]).await;
         initialize(&issuance_state).await.unwrap();
 
         let mut app = router(issuance_state);
diff --git a/agent_api_http/src/v0/verification/authorization_requests.rs b/agent_api_http/src/v0/verification/authorization_requests.rs
index 3e93483c..be382f2a 100644
--- a/agent_api_http/src/v0/verification/authorization_requests.rs
+++ b/agent_api_http/src/v0/verification/authorization_requests.rs
@@ -104,8 +104,10 @@ pub(crate) async fn authorization_requests(
 #[cfg(test)]
 pub mod tests {
     use super::*;
-    use crate::v0::verification::router;
-    use agent_secret_manager::services::Service;
+    use crate::{
+        utils::tests::{main_service, test_verification_state},
+        v0::verification::router,
+    };
     use agent_store::in_memory::InMemory;
     use agent_store::verification_state;
     use axum::{
@@ -196,7 +198,7 @@ pub mod tests {
     #[tracing_test::traced_test]
     #[tokio::test]
     async fn test_authorization_requests_endpoint() {
-        let verification_state = Arc::new(verification_state(&InMemory, Service::default(), Default::default()).await);
+        let verification_state = test_verification_state(main_service().await, vec![]).await;
         let mut app = router(verification_state);
 
         let result = authorization_requests(&mut app).await;
diff --git a/agent_api_http/src/v0/verification/relying_party/redirect.rs b/agent_api_http/src/v0/verification/relying_party/redirect.rs
index 5d73b371..215e606a 100644
--- a/agent_api_http/src/v0/verification/relying_party/redirect.rs
+++ b/agent_api_http/src/v0/verification/relying_party/redirect.rs
@@ -60,11 +60,14 @@ pub mod tests {
     use std::{str::FromStr, sync::Arc};
 
     use super::*;
-    use crate::v0::verification::{
-        authorization_requests::tests::authorization_requests, relying_party::request::tests::request, router,
+    use crate::{
+        utils::tests::{main_service, test_verification_state},
+        v0::verification::{
+            authorization_requests::tests::authorization_requests, relying_party::request::tests::request, router,
+        },
     };
     use agent_event_publisher_http::EventPublisherHttp;
-    use agent_secret_manager::{services::Service, subject::Subject};
+    use agent_secret_manager::subject::Subject;
     use agent_shared::config::{set_config, Events};
     use agent_store::{in_memory::InMemory, verification_state, EventPublisher};
     use axum::{
@@ -158,7 +161,7 @@ pub mod tests {
 
         let event_publishers = vec![Box::new(EventPublisherHttp::load().unwrap()) as Box<dyn EventPublisher>];
 
-        let verification_state = Arc::new(verification_state(&InMemory, Service::default(), event_publishers).await);
+        let verification_state = test_verification_state(main_service().await, event_publishers).await;
 
         let mut app = router(verification_state);
 
diff --git a/agent_api_http/src/v0/verification/relying_party/request.rs b/agent_api_http/src/v0/verification/relying_party/request.rs
index 42007d80..ebf04a9b 100644
--- a/agent_api_http/src/v0/verification/relying_party/request.rs
+++ b/agent_api_http/src/v0/verification/relying_party/request.rs
@@ -34,9 +34,9 @@ pub(crate) async fn request(
 #[cfg(test)]
 pub mod tests {
     use super::*;
-    use crate::v0::verification::authorization_requests::tests::authorization_requests;
+    use crate::utils::tests::test_verification_state;
     use crate::v0::verification::router;
-    use agent_secret_manager::services::Service;
+    use crate::{utils::tests::main_service, v0::verification::authorization_requests::tests::authorization_requests};
     use agent_store::{in_memory::InMemory, verification_state};
     use axum::{
         body::Body,
@@ -74,7 +74,7 @@ pub mod tests {
     #[tokio::test]
     #[tracing_test::traced_test]
     async fn test_request_endpoint() {
-        let verification_state = Arc::new(verification_state(&InMemory, Service::default(), Default::default()).await);
+        let verification_state = test_verification_state(main_service().await, vec![]).await;
 
         let mut app = router(verification_state);
 
diff --git a/agent_identity/src/connection/aggregate.rs b/agent_identity/src/connection/aggregate.rs
index 290563a5..61554309 100644
--- a/agent_identity/src/connection/aggregate.rs
+++ b/agent_identity/src/connection/aggregate.rs
@@ -88,42 +88,42 @@ impl Aggregate for Connection {
     }
 }
 
-// #[cfg(test)]
-// pub mod document_tests {
-//     use super::test_utils::*;
-//     use super::*;
-//     use cqrs_es::test::TestFramework;
-//     use rstest::rstest;
-
-//     type ConnectionTestFramework = TestFramework<Connection>;
-
-//     #[rstest]
-//     #[serial_test::serial]
-//     async fn test_add_connection(
-//         connection_id: String,
-//         alias: String,
-//         domain: Url,
-//         dids: Vec<DIDUrl>,
-//         credential_offer_endpoint: Url,
-//     ) {
-//         ConnectionTestFramework::with(IdentityServices::default())
-//             .given_no_previous_events()
-//             .when(ConnectionCommand::AddConnection {
-//                 connection_id: connection_id.clone(),
-//                 alias: Some(alias.clone()),
-//                 domain: Some(domain.clone()),
-//                 dids: dids.clone(),
-//                 credential_offer_endpoint: Some(credential_offer_endpoint.clone()),
-//             })
-//             .then_expect_events(vec![ConnectionEvent::ConnectionAdded {
-//                 connection_id: connection_id.clone(),
-//                 alias: Some(alias),
-//                 domain: Some(domain.clone()),
-//                 dids: dids.clone(),
-//                 credential_offer_endpoint: Some(credential_offer_endpoint.clone()),
-//             }])
-//     }
-// }
+#[cfg(test)]
+pub mod document_tests {
+    use super::test_utils::*;
+    use super::*;
+    use cqrs_es::test::TestFramework;
+    use rstest::rstest;
+
+    type ConnectionTestFramework = TestFramework<Connection>;
+
+    #[rstest]
+    #[serial_test::serial]
+    async fn test_add_connection(
+        connection_id: String,
+        alias: String,
+        domain: Url,
+        dids: Vec<DIDUrl>,
+        credential_offer_endpoint: Url,
+    ) {
+        ConnectionTestFramework::with(IdentityServices::default())
+            .given_no_previous_events()
+            .when(ConnectionCommand::AddConnection {
+                connection_id: connection_id.clone(),
+                alias: Some(alias.clone()),
+                domain: Some(domain.clone()),
+                dids: dids.clone(),
+                credential_offer_endpoint: Some(credential_offer_endpoint.clone()),
+            })
+            .then_expect_events(vec![ConnectionEvent::ConnectionAdded {
+                connection_id: connection_id.clone(),
+                alias: Some(alias),
+                domain: Some(domain.clone()),
+                dids: dids.clone(),
+                credential_offer_endpoint: Some(credential_offer_endpoint.clone()),
+            }])
+    }
+}
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_identity/src/document/aggregate.rs b/agent_identity/src/document/aggregate.rs
index 081bf02a..2230c583 100644
--- a/agent_identity/src/document/aggregate.rs
+++ b/agent_identity/src/document/aggregate.rs
@@ -842,110 +842,110 @@ pub fn get_properties(method_type: MethodType) -> BTreeMap<String, serde_json::V
     properties
 }
 
-// #[cfg(test)]
-// pub mod document_tests {
-//     use crate::state::DOMAIN_LINKAGE_SERVICE_ID;
-
-//     use super::test_utils::*;
-//     use super::*;
-//     use cqrs_es::test::TestFramework;
-//     use identity_document::service::Service;
-//     use rstest::rstest;
-
-//     type DocumentTestFramework = TestFramework<Document>;
-
-//     #[rstest]
-//     #[serial_test::serial]
-//     async fn test_create_document(document_id: String, did_method: SupportedDidMethod, document: CoreDocument) {
-//         DocumentTestFramework::with(IdentityServices::default())
-//             .given_no_previous_events()
-//             .when(DocumentCommand::CreateDocument {
-//                 document_id: document_id.clone(),
-//                 did_method,
-//                 with_fixed_algorithm: None,
-//             })
-//             .then_expect_events(vec![DocumentEvent::DocumentCreated {
-//                 document_id,
-//                 did_method,
-//                 document,
-//                 status: Status::SignAndValidate,
-//                 with_fixed_algorithm: None,
-//                 iota_metadata: None,
-//             }])
-//     }
-
-//     #[rstest]
-//     #[serial_test::serial]
-//     async fn test_add_service(
-//         document_id: String,
-//         did_method: SupportedDidMethod,
-//         document: CoreDocument,
-//         domain_linkage_service: Service,
-//         document_with_multiple_verification_methods: CoreDocument,
-//         document_with_domain_linkage_service: CoreDocument,
-//     ) {
-//         DocumentTestFramework::with(IdentityServices::default())
-//             .given(vec![
-//                 DocumentEvent::DocumentCreated {
-//                     document_id: document_id.clone(),
-//                     did_method,
-//                     document,
-//                     status: Status::SignAndValidate,
-//                     with_fixed_algorithm: None,
-//                     iota_metadata: None,
-//                 },
-//                 DocumentEvent::PublicKeyUpdated {
-//                     document_id: document_id.clone(),
-//                     document: document_with_multiple_verification_methods,
-//                 },
-//             ])
-//             .when(DocumentCommand::AddService {
-//                 service: Box::new(domain_linkage_service),
-//                 service_id: DOMAIN_LINKAGE_SERVICE_ID.to_string(),
-//             })
-//             .then_expect_events(vec![DocumentEvent::ServiceAdded {
-//                 document_id: document_id.clone(),
-//                 document: document_with_domain_linkage_service,
-//             }])
-//     }
-
-//     #[rstest]
-//     #[serial_test::serial]
-//     async fn test_set_status(
-//         document_id: String,
-//         did_method: SupportedDidMethod,
-//         document: CoreDocument,
-//         document_with_multiple_verification_methods: CoreDocument,
-//         document_with_domain_linkage_service: CoreDocument,
-//     ) {
-//         DocumentTestFramework::with(IdentityServices::default())
-//             .given(vec![
-//                 DocumentEvent::DocumentCreated {
-//                     document_id: document_id.clone(),
-//                     did_method,
-//                     document,
-//                     status: Status::SignAndValidate,
-//                     with_fixed_algorithm: None,
-//                     iota_metadata: None,
-//                 },
-//                 DocumentEvent::PublicKeyUpdated {
-//                     document_id: document_id.clone(),
-//                     document: document_with_multiple_verification_methods.clone(),
-//                 },
-//                 DocumentEvent::ServiceAdded {
-//                     document_id: document_id.clone(),
-//                     document: document_with_domain_linkage_service,
-//                 },
-//             ])
-//             .when(DocumentCommand::UpdateDocumentStatus {
-//                 status: Status::Disabled,
-//             })
-//             .then_expect_events(vec![DocumentEvent::DocumentStatusUpdated {
-//                 document_id,
-//                 status: Status::Disabled,
-//             }])
-//     }
-// }
+#[cfg(test)]
+pub mod document_tests {
+    use crate::state::DOMAIN_LINKAGE_SERVICE_ID;
+
+    use super::test_utils::*;
+    use super::*;
+    use cqrs_es::test::TestFramework;
+    use identity_document::service::Service;
+    use rstest::rstest;
+
+    type DocumentTestFramework = TestFramework<Document>;
+
+    #[rstest]
+    #[serial_test::serial]
+    async fn test_create_document(document_id: String, did_method: SupportedDidMethod, document: CoreDocument) {
+        DocumentTestFramework::with(IdentityServices::default())
+            .given_no_previous_events()
+            .when(DocumentCommand::CreateDocument {
+                document_id: document_id.clone(),
+                did_method,
+                with_fixed_algorithm: None,
+            })
+            .then_expect_events(vec![DocumentEvent::DocumentCreated {
+                document_id,
+                did_method,
+                document,
+                status: Status::SignAndValidate,
+                with_fixed_algorithm: None,
+                iota_metadata: None,
+            }])
+    }
+
+    #[rstest]
+    #[serial_test::serial]
+    async fn test_add_service(
+        document_id: String,
+        did_method: SupportedDidMethod,
+        document: CoreDocument,
+        domain_linkage_service: Service,
+        document_with_multiple_verification_methods: CoreDocument,
+        document_with_domain_linkage_service: CoreDocument,
+    ) {
+        DocumentTestFramework::with(IdentityServices::default())
+            .given(vec![
+                DocumentEvent::DocumentCreated {
+                    document_id: document_id.clone(),
+                    did_method,
+                    document,
+                    status: Status::SignAndValidate,
+                    with_fixed_algorithm: None,
+                    iota_metadata: None,
+                },
+                DocumentEvent::PublicKeyUpdated {
+                    document_id: document_id.clone(),
+                    document: document_with_multiple_verification_methods,
+                },
+            ])
+            .when(DocumentCommand::AddService {
+                service: Box::new(domain_linkage_service),
+                service_id: DOMAIN_LINKAGE_SERVICE_ID.to_string(),
+            })
+            .then_expect_events(vec![DocumentEvent::ServiceAdded {
+                document_id: document_id.clone(),
+                document: document_with_domain_linkage_service,
+            }])
+    }
+
+    #[rstest]
+    #[serial_test::serial]
+    async fn test_set_status(
+        document_id: String,
+        did_method: SupportedDidMethod,
+        document: CoreDocument,
+        document_with_multiple_verification_methods: CoreDocument,
+        document_with_domain_linkage_service: CoreDocument,
+    ) {
+        DocumentTestFramework::with(IdentityServices::default())
+            .given(vec![
+                DocumentEvent::DocumentCreated {
+                    document_id: document_id.clone(),
+                    did_method,
+                    document,
+                    status: Status::SignAndValidate,
+                    with_fixed_algorithm: None,
+                    iota_metadata: None,
+                },
+                DocumentEvent::PublicKeyUpdated {
+                    document_id: document_id.clone(),
+                    document: document_with_multiple_verification_methods.clone(),
+                },
+                DocumentEvent::ServiceAdded {
+                    document_id: document_id.clone(),
+                    document: document_with_domain_linkage_service,
+                },
+            ])
+            .when(DocumentCommand::UpdateDocumentStatus {
+                status: Status::Disabled,
+            })
+            .then_expect_events(vec![DocumentEvent::DocumentStatusUpdated {
+                document_id,
+                status: Status::Disabled,
+            }])
+    }
+}
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_identity/src/service/aggregate.rs b/agent_identity/src/service/aggregate.rs
index 65df5d77..c937eb84 100644
--- a/agent_identity/src/service/aggregate.rs
+++ b/agent_identity/src/service/aggregate.rs
@@ -258,89 +258,90 @@ impl Aggregate for Service {
     }
 }
 
-// #[cfg(test)]
-// pub mod service_tests {
-//     use super::test_utils::*;
-//     use super::*;
-//     use crate::document::aggregate::test_utils::both_verification_methods;
-//     use agent_shared::config::set_config;
-//     use cqrs_es::test::TestFramework;
-//     use identity_document::service::Service as DocumentService;
-//     use identity_iota::verification::VerificationMethod;
-//     use rstest::rstest;
-
-//     type ServiceTestFramework = TestFramework<Service>;
-
-//     #[rstest]
-//     #[serial_test::serial]
-//     async fn test_create_domain_linkage_service(
-//         domain_linkage_service_id: String,
-//         both_verification_methods: Vec<VerificationMethod>,
-//         domain_linkage_service: DocumentService,
-//         domain_linkage_resource: ServiceResource,
-//     ) {
-//         set_config().set_preferred_did_method(agent_shared::config::SupportedDidMethod::Web);
-
-//         ServiceTestFramework::with(IdentityServices::default())
-//             .given_no_previous_events()
-//             .when(ServiceCommand::CreateDomainLinkageService {
-//                 service_id: domain_linkage_service_id.clone(),
-//                 verification_methods: both_verification_methods,
-//             })
-//             .then_expect_events(vec![ServiceEvent::DomainLinkageServiceCreated {
-//                 service_id: domain_linkage_service_id,
-//                 service: domain_linkage_service,
-//                 resource: domain_linkage_resource,
-//                 is_deleted: false,
-//             }])
-//     }
-
-//     #[rstest]
-//     #[serial_test::serial]
-//     async fn test_delete_domain_linkage_service(
-//         domain_linkage_service_id: String,
-//         domain_linkage_service: DocumentService,
-//         domain_linkage_resource: ServiceResource,
-//     ) {
-//         set_config().set_preferred_did_method(agent_shared::config::SupportedDidMethod::Web);
-
-//         ServiceTestFramework::with(IdentityServices::default())
-//             .given(vec![ServiceEvent::DomainLinkageServiceCreated {
-//                 service_id: domain_linkage_service_id.clone(),
-//                 service: domain_linkage_service.clone(),
-//                 resource: domain_linkage_resource.clone(),
-//                 is_deleted: false,
-//             }])
-//             .when(ServiceCommand::DeleteDomainLinkageService {
-//                 service_id: domain_linkage_service_id.clone(),
-//             })
-//             .then_expect_events(vec![ServiceEvent::DomainLinkageServiceDeleted {
-//                 service_id: domain_linkage_service_id,
-//                 service: None,
-//                 resource: None,
-//                 is_deleted: true,
-//             }])
-//     }
-
-//     #[rstest]
-//     #[serial_test::serial]
-//     async fn test_create_linked_verifiable_presentation_service(
-//         linked_verifiable_presentation_service_id: String,
-//         linked_verifiable_presentation_service: DocumentService,
-//     ) {
-//         ServiceTestFramework::with(IdentityServices::default())
-//             .given_no_previous_events()
-//             .when(ServiceCommand::CreateLinkedVerifiablePresentationService {
-//                 service_id: linked_verifiable_presentation_service_id.clone(),
-//                 presentation_ids: vec!["presentation-1".to_string()],
-//             })
-//             .then_expect_events(vec![ServiceEvent::LinkedVerifiablePresentationServiceCreated {
-//                 service_id: linked_verifiable_presentation_service_id,
-//                 presentation_ids: vec!["presentation-1".to_string()],
-//                 service: linked_verifiable_presentation_service,
-//             }])
-//     }
-// }
+#[cfg(test)]
+pub mod service_tests {
+    use super::test_utils::*;
+    use super::*;
+    use crate::document::aggregate::test_utils::both_verification_methods;
+    use agent_shared::config::set_config;
+    use cqrs_es::test::TestFramework;
+    use identity_document::service::Service as DocumentService;
+    use identity_iota::verification::VerificationMethod;
+    use rstest::rstest;
+
+    type ServiceTestFramework = TestFramework<Service>;
+
+    // FIXME
+    // #[rstest]
+    // #[serial_test::serial]
+    // async fn test_create_domain_linkage_service(
+    //     domain_linkage_service_id: String,
+    //     both_verification_methods: Vec<VerificationMethod>,
+    //     domain_linkage_service: DocumentService,
+    //     domain_linkage_resource: ServiceResource,
+    // ) {
+    //     set_config().set_preferred_did_method(agent_shared::config::SupportedDidMethod::Web);
+
+    //     ServiceTestFramework::with(IdentityServices::default())
+    //         .given_no_previous_events()
+    //         .when(ServiceCommand::CreateDomainLinkageService {
+    //             service_id: domain_linkage_service_id.clone(),
+    //             verification_methods: both_verification_methods,
+    //         })
+    //         .then_expect_events(vec![ServiceEvent::DomainLinkageServiceCreated {
+    //             service_id: domain_linkage_service_id,
+    //             service: domain_linkage_service,
+    //             resource: domain_linkage_resource,
+    //             is_deleted: false,
+    //         }])
+    // }
+
+    // #[rstest]
+    // #[serial_test::serial]
+    // async fn test_delete_domain_linkage_service(
+    //     domain_linkage_service_id: String,
+    //     domain_linkage_service: DocumentService,
+    //     domain_linkage_resource: ServiceResource,
+    // ) {
+    //     set_config().set_preferred_did_method(agent_shared::config::SupportedDidMethod::Web);
+
+    //     ServiceTestFramework::with(IdentityServices::default())
+    //         .given(vec![ServiceEvent::DomainLinkageServiceCreated {
+    //             service_id: domain_linkage_service_id.clone(),
+    //             service: domain_linkage_service.clone(),
+    //             resource: domain_linkage_resource.clone(),
+    //             is_deleted: false,
+    //         }])
+    //         .when(ServiceCommand::DeleteDomainLinkageService {
+    //             service_id: domain_linkage_service_id.clone(),
+    //         })
+    //         .then_expect_events(vec![ServiceEvent::DomainLinkageServiceDeleted {
+    //             service_id: domain_linkage_service_id,
+    //             service: None,
+    //             resource: None,
+    //             is_deleted: true,
+    //         }])
+    // }
+
+    #[rstest]
+    #[serial_test::serial]
+    async fn test_create_linked_verifiable_presentation_service(
+        linked_verifiable_presentation_service_id: String,
+        linked_verifiable_presentation_service: DocumentService,
+    ) {
+        ServiceTestFramework::with(IdentityServices::default())
+            .given_no_previous_events()
+            .when(ServiceCommand::CreateLinkedVerifiablePresentationService {
+                service_id: linked_verifiable_presentation_service_id.clone(),
+                presentation_ids: vec!["presentation-1".to_string()],
+            })
+            .then_expect_events(vec![ServiceEvent::LinkedVerifiablePresentationServiceCreated {
+                service_id: linked_verifiable_presentation_service_id,
+                presentation_ids: vec!["presentation-1".to_string()],
+                service: linked_verifiable_presentation_service,
+            }])
+    }
+}
 
 #[cfg(feature = "test_utils")]
 pub mod test_utils {
diff --git a/agent_identity/src/services.rs b/agent_identity/src/services.rs
index 04744b95..00ff70a9 100644
--- a/agent_identity/src/services.rs
+++ b/agent_identity/src/services.rs
@@ -36,16 +36,16 @@ impl IdentityServices {
         }
     }
 
-    // #[cfg(feature = "test_utils")]
-    // #[allow(clippy::should_implement_trait)]
-    // pub fn default() -> Arc<Self>
-    // where
-    //     Self: Sized,
-    // {
-    //     Arc::new(Self::new(Arc::new(futures::executor::block_on(async {
-    //         Subject::new().await
-    //     }))))
-    // }
+    #[cfg(feature = "test_utils")]
+    #[allow(clippy::should_implement_trait)]
+    pub fn default() -> Arc<Self>
+    where
+        Self: Sized,
+    {
+        Arc::new(Self::new(Arc::new(futures::executor::block_on(async {
+            SecretManagerServices::new().await
+        }))))
+    }
 }
 
 pub struct ThisIsTheMainService {
diff --git a/agent_issuance/Cargo.toml b/agent_issuance/Cargo.toml
index 644e7491..373103e7 100644
--- a/agent_issuance/Cargo.toml
+++ b/agent_issuance/Cargo.toml
@@ -34,8 +34,9 @@ thiserror.workspace = true
 tracing.workspace = true
 url.workspace = true
 
-# `test_utils` dependencies
+did-key = { version = "0.2", optional = true }         # `test_utils` dependencies
 lazy_static = { workspace = true, optional = true }
+oid4vc-manager = { workspace = true, optional = true }
 once_cell = { workspace = true, optional = true }
 rstest = { workspace = true, optional = true }
 
@@ -51,4 +52,10 @@ serial_test = "3.0"
 tracing-test.workspace = true
 
 [features]
-test_utils = ["dep:lazy_static", "dep:once_cell", "dep:rstest"]
+test_utils = [
+    "dep:did-key",
+    "dep:lazy_static",
+    "dep:oid4vc-manager",
+    "dep:once_cell",
+    "dep:rstest",
+]
diff --git a/agent_issuance/src/credential/aggregate.rs b/agent_issuance/src/credential/aggregate.rs
index 7b836c22..3a6047b8 100644
--- a/agent_issuance/src/credential/aggregate.rs
+++ b/agent_issuance/src/credential/aggregate.rs
@@ -572,7 +572,6 @@ fn get_status_list_url(index: usize) -> Result<Url, CredentialError> {
 //     use crate::credential::aggregate::Credential;
 //     use crate::credential::event::CredentialEvent;
 //     use crate::offer::aggregate::test_utils::holder;
-//     use agent_secret_manager::service::Service;
 //     use oid4vc_core::Subject;
 
 //     type CredentialTestFramework = TestFramework<Credential>;
diff --git a/agent_issuance/src/lib.rs b/agent_issuance/src/lib.rs
index d18387e8..f761d6a6 100644
--- a/agent_issuance/src/lib.rs
+++ b/agent_issuance/src/lib.rs
@@ -11,15 +11,3 @@ pub mod utils;
 pub mod application;
 pub mod services;
 pub mod state;
-
-pub struct SimpleLoggingQuery {}
-
-#[async_trait]
-impl<A: Aggregate> Query<A> for SimpleLoggingQuery {
-    async fn dispatch(&self, aggregate_id: &str, events: &[EventEnvelope<A>]) {
-        for event in events {
-            let payload = serde_json::to_string_pretty(&event.payload).unwrap();
-            info!("{}-{} - {}", aggregate_id, event.sequence, payload);
-        }
-    }
-}
diff --git a/agent_issuance/src/offer/aggregate.rs b/agent_issuance/src/offer/aggregate.rs
index 0b1fe539..7aa57351 100644
--- a/agent_issuance/src/offer/aggregate.rs
+++ b/agent_issuance/src/offer/aggregate.rs
@@ -379,7 +379,6 @@ impl Aggregate for Offer {
 //         credential::aggregate::test_utils::OPENBADGE_VERIFIABLE_CREDENTIAL_JWT, offer,
 //         server_config::aggregate::test_utils::*,
 //     };
-//     use agent_secret_manager::service::Service;
 //     use cqrs_es::test::TestFramework;
 //     use jsonwebtoken::Algorithm;
 //     use oid4vc_core::Subject;
@@ -406,7 +405,7 @@ impl Aggregate for Offer {
 //         #[future(awt)] credential_offer_uri: CredentialOffer,
 //         #[future(awt)] form_url_encoded_credential_offer: String,
 //     ) {
-//         OfferTestFramework::with(Service::default())
+//         OfferTestFramework::with(IssuanceServices::default())
 //             .given_no_previous_events()
 //             .when(OfferCommand::CreateCredentialOffer {
 //                 offer_id: offer_id.clone(),
@@ -446,7 +445,7 @@ impl Aggregate for Offer {
 //         #[future(awt)] form_url_encoded_credential_offer: String,
 //         delivery_options: DeliveryOptions,
 //     ) {
-//         OfferTestFramework::with(Service::default())
+//         OfferTestFramework::with(IssuanceServices::default())
 //             .given_no_previous_events()
 //             .when(OfferCommand::CreateCredentialOffer {
 //                 offer_id: offer_id.clone(),
@@ -487,7 +486,7 @@ impl Aggregate for Offer {
 //         #[future(awt)] credential_offer_with_credential_configuration_ids: CredentialOffer,
 //         #[future(awt)] form_url_encoded_credential_offer_with_credential_configuration_ids: String,
 //     ) {
-//         OfferTestFramework::with(Service::default())
+//         OfferTestFramework::with(IssuanceServices::default())
 //             .given(vec![OfferEvent::CredentialOfferCreated {
 //                 offer_id: offer_id.clone(),
 //                 grant_types,
@@ -534,7 +533,7 @@ impl Aggregate for Offer {
 //         credential_issuer_metadata: Box<CredentialIssuerMetadata>,
 //         authorization_server_metadata: Box<AuthorizationServerMetadata>,
 //     ) {
-//         OfferTestFramework::with(Service::default())
+//         OfferTestFramework::with(IssuanceServices::default())
 //             .given(vec![
 //                 OfferEvent::CredentialOfferCreated {
 //                     offer_id: offer_id.clone(),
@@ -585,7 +584,7 @@ impl Aggregate for Offer {
 //         credential_response: CredentialResponse,
 //         notification_id: String,
 //     ) {
-//         OfferTestFramework::with(Service::default())
+//         OfferTestFramework::with(IssuanceServices::default())
 //             .given(vec![
 //                 OfferEvent::CredentialOfferCreated {
 //                     offer_id: offer_id.clone(),
@@ -642,7 +641,7 @@ impl Aggregate for Offer {
 //         credential_response: CredentialResponse,
 //         notification_id: String,
 //     ) {
-//         OfferTestFramework::with(Service::default())
+//         OfferTestFramework::with(IssuanceServices::default())
 //             .given(vec![
 //                 OfferEvent::CredentialOfferCreated {
 //                     offer_id: offer_id.clone(),
@@ -696,6 +695,7 @@ pub mod test_utils {
     use agent_shared::generate_random_string;
     use jsonwebtoken::Algorithm;
     use oid4vc_core::Subject;
+    use oid4vc_manager::methods::key_method::KeySubject;
     use oid4vci::credential_issuer::credential_configurations_supported::CredentialConfigurationsSupportedObject;
     use oid4vci::credential_request::CredentialIdentifierOrCredentialConfigurationId::CredentialConfigurationId;
     use oid4vci::proof::ProofType;
@@ -724,7 +724,12 @@ pub mod test_utils {
 
     #[fixture]
     pub async fn holder() -> Arc<dyn oid4vc_core::Subject> {
-        Arc::new(agent_secret_manager::subject::Subject::default())
+        Arc::new(KeySubject::from_keypair(
+            did_key::generate::<did_key::Ed25519KeyPair>(Some(
+                "this-is-a-very-UNSAFE-holder-secret-key".as_bytes().try_into().unwrap(),
+            )),
+            None,
+        ))
     }
 
     #[fixture]
diff --git a/agent_secret_manager/src/lib.rs b/agent_secret_manager/src/lib.rs
index fdf5382f..8ea8f98e 100644
--- a/agent_secret_manager/src/lib.rs
+++ b/agent_secret_manager/src/lib.rs
@@ -12,6 +12,7 @@ pub mod managed_key;
 
 pub mod services;
 pub mod state;
+pub mod subject;
 
 pub async fn stronghold_storage() -> StrongholdExtStorage {
     #[cfg(feature = "test_utils")]
@@ -37,7 +38,36 @@ pub async fn stronghold_storage() -> StrongholdExtStorage {
 
     let stronghold_storage = StrongholdExtStorage::new(stronghold_adapter);
 
+    let ed25519_key_id = config().secret_manager.issuer_eddsa_key_id.clone();
+
+    // Generate keys if they don't exist
+    // TODO: currently `generate` will generate a 'static' key-ids for each keytype. In a future improvement we need to
+    // make sure that the key-ids are generated dynamically and stored in some sort of key manager.
+    if stronghold_storage
+        .get_ed25519_public_key(&ed25519_key_id)
+        .await
+        .is_err()
+    {
+        info!("Generating new key: {ed25519_key_id}",);
+        let key_id = generate(&stronghold_storage, KeyType::new("Ed25519"), JwsAlgorithm::EdDSA)
+            .await
+            .expect("Failed to generate Ed25519 key");
+        assert_eq!(key_id, ed25519_key_id);
+    }
+
     info!("Stronghold storage initialized");
 
     stronghold_storage
 }
+
+pub async fn generate(
+    stronghold_ext_storage: &StrongholdExtStorage,
+    key_type: KeyType,
+    alg: JwsAlgorithm,
+) -> anyhow::Result<KeyId> {
+    let key_id = stronghold_ext_storage.generate(key_type.clone(), alg).await?.key_id;
+
+    info!("Generated new `{key_type}` key with key ID `{key_id}`");
+
+    Ok(key_id)
+}
diff --git a/agent_secret_manager/src/subject.rs b/agent_secret_manager/src/subject.rs
new file mode 100644
index 00000000..2a788cc7
--- /dev/null
+++ b/agent_secret_manager/src/subject.rs
@@ -0,0 +1,244 @@
+use crate::stronghold_storage;
+use agent_shared::config::{config, SupportedDidMethod};
+use anyhow::anyhow;
+use async_trait::async_trait;
+use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
+use did_manager_consumer::resolver::Resolver;
+use did_manager_identity_stronghold_ext::StrongholdExtStorage;
+use identity_iota::storage::{JwkStorage, KeyId};
+use identity_iota::verification::jwk::Jwk;
+use identity_iota::{did::DID, document::DIDUrlQuery, verification::jwk::JwkParams};
+use jsonwebtoken::Algorithm;
+use oid4vc_core::{authentication::sign::ExternalSign, Sign, Verify};
+use std::str::FromStr;
+use std::sync::Arc;
+
+/// Reponsible for signing and verifying data.
+#[derive(Debug)]
+pub struct Subject {
+    pub stronghold_storage: StrongholdExtStorage,
+}
+
+impl Subject {
+    /// Create a new Subject.
+    pub async fn new() -> Self {
+        let stronghold_storage = stronghold_storage().await;
+
+        Self { stronghold_storage }
+    }
+
+    pub async fn get_public_key(&self, key_id: KeyId, algorithm: &Algorithm) -> anyhow::Result<Jwk> {
+        match algorithm {
+            Algorithm::EdDSA => self.stronghold_storage.get_ed25519_public_key(&key_id).await,
+            Algorithm::ES256 => self.stronghold_storage.get_es256_public_key(&key_id).await,
+            _ => anyhow::bail!("Unsuported algorithm"),
+        }
+        .map_err(Into::into)
+    }
+}
+
+#[async_trait]
+pub trait SubjectExt: oid4vc_core::Subject {
+    async fn resolve_public_key(&self, did_url: &str) -> anyhow::Result<Jwk>;
+}
+
+/// Extension trait for `Subject` to provide additional functionality.
+#[async_trait]
+impl SubjectExt for Subject {
+    /// Resolves the public key for a given DID URL.
+    async fn resolve_public_key(&self, did_url: &str) -> anyhow::Result<Jwk> {
+        let did_url =
+            identity_iota::did::DIDUrl::parse(did_url).map_err(|err| anyhow!("Failed to parse DID URL: {err}"))?;
+
+        // TODO: Make sure the resolver only needs to be created once.
+        let resolver = Resolver::new().await;
+
+        let document = resolver
+            .resolve(did_url.did().as_str())
+            .await
+            .map_err(|err| anyhow!("Failed to resolve DID Document for DID: `{did_url}`, error: {err}"))?;
+
+        let verification_method = document
+            .resolve_method(DIDUrlQuery::from(&did_url), None)
+            .ok_or(anyhow!(
+                "Failed to resolve verification method for DID URL: `{did_url}`"
+            ))?;
+
+        verification_method
+            .data()
+            .public_key_jwk()
+            .ok_or_else(|| anyhow!("Failed to resolve public key for DID URL: `{did_url}`"))
+            .cloned()
+    }
+}
+
+/// This module contains implementations for `Subject` for testing purposes.
+/// It is only available when the `test_utils` feature is enabled.
+#[cfg(feature = "test_utils")]
+mod default_subject {
+    use super::*;
+
+    // This `Default` implementation for `Subject` returns a new `Subject` with the Verification Method IDs already preloaded.
+    impl Default for Subject {
+        fn default() -> Self {
+            futures::executor::block_on(async {
+                let stronghold_storage = stronghold_storage().await;
+
+                Self { stronghold_storage }
+            })
+        }
+    }
+}
+
+#[async_trait]
+impl Verify for Subject {
+    async fn public_key(&self, did_url: &str) -> anyhow::Result<Vec<u8>> {
+        let did_url =
+            identity_iota::did::DIDUrl::parse(did_url).map_err(|err| anyhow!("Failed to parse DID URL: {err}"))?;
+
+        // TODO: Make sure the resolver only needs to be created once.
+        let resolver = Resolver::new().await;
+
+        let document = resolver
+            .resolve(did_url.did().as_str())
+            .await
+            .map_err(|err| anyhow!("Failed to resolve DID Document for DID: `{did_url}`, error: {err}"))?;
+
+        let verification_method = document
+            .resolve_method(DIDUrlQuery::from(&did_url), None)
+            .ok_or(anyhow!(
+                "Failed to resolve verification method for DID URL: `{did_url}`"
+            ))?;
+
+        // Try decode from `MethodData` directly, else use public JWK params.
+        verification_method.data().try_decode().or_else(|_| {
+            verification_method
+                .data()
+                .public_key_jwk()
+                .and_then(|public_key_jwk| match public_key_jwk.params() {
+                    JwkParams::Okp(okp_params) => URL_SAFE_NO_PAD.decode(&okp_params.x).ok(),
+                    JwkParams::Ec(ec_params) => {
+                        let x_bytes = URL_SAFE_NO_PAD.decode(&ec_params.x).ok()?;
+                        let y_bytes = URL_SAFE_NO_PAD.decode(&ec_params.y).ok()?;
+
+                        let encoded_point = p256::EncodedPoint::from_affine_coordinates(
+                            p256::FieldBytes::from_slice(&x_bytes),
+                            p256::FieldBytes::from_slice(&y_bytes),
+                            false, // false for uncompressed point
+                        );
+
+                        let verifying_key = p256::ecdsa::VerifyingKey::from_encoded_point(&encoded_point)
+                            .expect("Failed to create verifying key from encoded point");
+
+                        Some(verifying_key.to_encoded_point(false).as_bytes().to_vec())
+                    }
+                    _ => None,
+                })
+                .ok_or(anyhow!("Failed to decode public key for DID URL: `{did_url}`"))
+        })
+    }
+}
+
+#[async_trait]
+impl Sign for Subject {
+    async fn key_id(&self, subject_syntax_type: &str, algorithm: Algorithm) -> Option<String> {
+        let method = SupportedDidMethod::from_str(subject_syntax_type).ok()?;
+
+        // self.get_verification_method_id(StorageKey::new(method, algorithm))
+        //     .await
+        //     .as_ref()
+        //     .map(ToString::to_string)
+
+        todo!()
+    }
+
+    async fn sign(&self, message: &str, _subject_syntax_type: &str, algorithm: Algorithm) -> anyhow::Result<Vec<u8>> {
+        let stronghold_storage = &self.stronghold_storage;
+
+        todo!();
+
+        // stronghold_storage
+        //     .sign(&key_id, message.as_bytes(), &public_key)
+        //     .await
+        //     .map_err(Into::into)
+    }
+
+    fn external_signer(&self) -> Option<Arc<dyn ExternalSign>> {
+        None
+    }
+}
+
+#[async_trait]
+impl oid4vc_core::Subject for Subject {
+    async fn identifier(&self, subject_syntax_type: &str, algorithm: Algorithm) -> anyhow::Result<String> {
+        let method = SupportedDidMethod::from_str(subject_syntax_type)
+            .map_err(|e| anyhow!("Failed to parse SupportedDidMethod from string: {}", e))?;
+
+        // self.get_verification_method_id(StorageKey::new(method, algorithm))
+        //     .await
+        //     .as_ref()
+        //     .map(DIDUrl::did)
+        //     .map(ToString::to_string)
+        //     .ok_or_else(|| anyhow!("Failed to get verification method ID"))
+
+        todo!()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use agent_shared::config::{default_issuer_eddsa_key_id, set_config, SecretManagerConfig};
+    use ring::signature::{UnparsedPublicKey, ECDSA_P256_SHA256_FIXED, ED25519};
+
+    const ES256_SIGNED_JWT: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDpqd2s6ZXlKaGJHY2lPaUpGVXpJMU5pSXNJbU55ZGlJNklsQXRNalUySWl3aWEybGtJam9pTkVGMVdXaFNRMk5HYkc0eWJuUm5VMTlxT1hCRlFtUkxkekl3VUhRdGJHRnFXVWh0V1RkQk1FMUdUU0lzSW10MGVTSTZJa1ZESWl3aWVDSTZJakpNV0dwT1JFOTZWM1J3WlZOWk0ydGlUbEkyWm14YVRVUjRZV2gxYXpKMlVXMWpkWFprUVRodk5EUWlMQ0o1SWpvaVpFRjJSVlpzV0UxSFVFdGFjMnRXV1RSWlZ6QnpPRUk0UzNZM2Myc3hZemt5VDA1WVJFcHZlRjlJY3lKOSMwIn0.eyJpc3MiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaU5FRjFXV2hTUTJOR2JHNHliblJuVTE5cU9YQkZRbVJMZHpJd1VIUXRiR0ZxV1VodFdUZEJNRTFHVFNJc0ltdDBlU0k2SWtWRElpd2llQ0k2SWpKTVdHcE9SRTk2VjNSd1pWTlpNMnRpVGxJMlpteGFUVVI0WVdoMWF6SjJVVzFqZFhaa1FUaHZORFFpTENKNUlqb2laRUYyUlZac1dFMUhVRXRhYzJ0V1dUUlpWekJ6T0VJNFMzWTNjMnN4WXpreVQwNVlSRXB2ZUY5SWN5SjkiLCJzdWIiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaU5FRjFXV2hTUTJOR2JHNHliblJuVTE5cU9YQkZRbVJMZHpJd1VIUXRiR0ZxV1VodFdUZEJNRTFHVFNJc0ltdDBlU0k2SWtWRElpd2llQ0k2SWpKTVdHcE9SRTk2VjNSd1pWTlpNMnRpVGxJMlpteGFUVVI0WVdoMWF6SjJVVzFqZFhaa1FUaHZORFFpTENKNUlqb2laRUYyUlZac1dFMUhVRXRhYzJ0V1dUUlpWekJ6T0VJNFMzWTNjMnN4WXpreVQwNVlSRXB2ZUY5SWN5SjkiLCJhdWQiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlV6STFOaUlzSW1OeWRpSTZJbEF0TWpVMklpd2lhMmxrSWpvaVlrNDNiSEpaWVhOUlZrNDNMVUpZY0MxMFdFVldTR1l0YVhkTWRsVnRiWHByVUZsc2VHWlRWRkZvVlNJc0ltdDBlU0k2SWtWRElpd2llQ0k2SW1odVkyNU5UM2sxU0dGWGJ6SmFTbmhCWW5sWU1GOW1NVTFHU1dsMlRrRmtUMjFXYjNSWGVWZG9ielFpTENKNUlqb2libE5wYkhwMllsTmFYMUp1VWpOU2RreHdkRWxITmpkVWJWVkVhR1ZQWVZGNlltczJhVFJmWDBkeVFTSjkiLCJleHAiOjE3MjMwMjkyMjUsImlhdCI6MTcyMzAyODYyNSwibm9uY2UiOiJ0aGlzIGlzIGEgbm9uY2UifQ.w202CZKOeGM9k35tysJylksBUGI3fvkOgsPPVrfXYZzurns7KF5plMiR_KHH4H_GpYg57Nf2JWa3YEcXGDTVdw";
+    const EDDSA_SIGNED_JWT: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSIsImtpZCI6ImRpZDpqd2s6ZXlKaGJHY2lPaUpGWkVSVFFTSXNJbU55ZGlJNklrVmtNalUxTVRraUxDSnJhV1FpT2lKSmJWOVpNRkZQTm05SFgyczVNbTlzY1RWTWRIUTJZVkE0YzE5QmJFRmhWVUl6UzBkelVFY3RlR0kwSWl3aWEzUjVJam9pVDB0UUlpd2llQ0k2SWxaUGFrUjBRblozY0daalNraHlUelpMVjFOUGRYTlZVR1ptUWt3eVIxOUtjWFp0VVRZNFMzaDRWalFpZlEjMCJ9.eyJpc3MiOiJkaWQ6andrOmV5SmhiR2NpT2lKRlpFUlRRU0lzSW1OeWRpSTZJa1ZrTWpVMU1Ua2lMQ0pyYVdRaU9pSkpiVjlaTUZGUE5tOUhYMnM1TW05c2NUVk1kSFEyWVZBNGMxOUJiRUZoVlVJelMwZHpVRWN0ZUdJMElpd2lhM1I1SWpvaVQwdFFJaXdpZUNJNklsWlBha1IwUW5aM2NHWmpTa2h5VHpaTFYxTlBkWE5WVUdabVFrd3lSMTlLY1hadFVUWTRTM2g0VmpRaWZRIiwic3ViIjoiZGlkOmp3azpleUpoYkdjaU9pSkZaRVJUUVNJc0ltTnlkaUk2SWtWa01qVTFNVGtpTENKcmFXUWlPaUpKYlY5Wk1GRlBObTlIWDJzNU1tOXNjVFZNZEhRMllWQTRjMTlCYkVGaFZVSXpTMGR6VUVjdGVHSTBJaXdpYTNSNUlqb2lUMHRRSWl3aWVDSTZJbFpQYWtSMFFuWjNjR1pqU2toeVR6WkxWMU5QZFhOVlVHWm1Ra3d5UjE5S2NYWnRVVFk0UzNoNFZqUWlmUSIsImF1ZCI6ImRpZDpqd2s6ZXlKaGJHY2lPaUpGWkVSVFFTSXNJbU55ZGlJNklrVmtNalUxTVRraUxDSnJhV1FpT2lKdFFqSXhUV2t5Y1V0WVZtTTFOREpVWWt0U09UZ3lUelpUWjFKWVZrWlFaVzV3TTNGWWRIRlRla3R2SWl3aWEzUjVJam9pVDB0UUlpd2llQ0k2SWprM1JVRXpSSE5vUmpONlIwSllTVjlVYnpObVJrUnJNVTFxV1VaYVV6bFZiMUpVYmxCT1NIUlpVV01pZlEiLCJleHAiOjE3MjMwMzE3MTQsImlhdCI6MTcyMzAzMTExNCwibm9uY2UiOiJ0aGlzIGlzIGEgbm9uY2UifQ.oGRYpwH4QvWZs0bZkgAuxq6MqNYdoX44KxNfRl7GzXCnv_0D_c19rhYMwzn04R7udNCthFDr7GUhXLQgROlUDw";
+
+    lazy_static::lazy_static! {
+        static ref SECRET_MANAGER_CONFIG: SecretManagerConfig = SecretManagerConfig {
+            stronghold_password: "sup3rSecr3t".to_string(),
+            stronghold_path: "/tmp/stronghold".to_string(),
+            issuer_eddsa_key_id: default_issuer_eddsa_key_id(),
+        };
+    }
+
+    #[tokio::test]
+    async fn es256_signed_jwt_successfully_verified() {
+        set_config().set_secret_manager_config(SECRET_MANAGER_CONFIG.clone());
+
+        // let subject = Arc::new(Subject::default());
+
+        // let mut split = ES256_SIGNED_JWT.rsplitn(2, '.');
+        // let (signature, message) = (split.next().unwrap(), split.next().unwrap());
+
+        // // Decode the signature.
+        // let signature_bytes = URL_SAFE_NO_PAD.decode(signature).unwrap();
+
+        // // Resolve the public key from the DID Document
+        // let public_key_bytes = subject.public_key("did:jwk:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia2lkIjoiNEF1WWhSQ2NGbG4ybnRnU19qOXBFQmRLdzIwUHQtbGFqWUhtWTdBME1GTSIsImt0eSI6IkVDIiwieCI6IjJMWGpORE96V3RwZVNZM2tiTlI2ZmxaTUR4YWh1azJ2UW1jdXZkQThvNDQiLCJ5IjoiZEF2RVZsWE1HUEtac2tWWTRZVzBzOEI4S3Y3c2sxYzkyT05YREpveF9IcyJ9#0").await.unwrap();
+
+        // // Verify the signature
+        // let public_key = UnparsedPublicKey::new(&ECDSA_P256_SHA256_FIXED, public_key_bytes);
+        // assert!(public_key.verify(message.as_bytes(), &signature_bytes).is_ok());
+    }
+
+    #[tokio::test]
+    async fn eddsa_signed_jwt_successfully_verified() {
+        set_config().set_secret_manager_config(SECRET_MANAGER_CONFIG.clone());
+
+        // let subject = Arc::new(Subject::default());
+
+        // let mut split = EDDSA_SIGNED_JWT.rsplitn(2, '.');
+        // let (signature, message) = (split.next().unwrap(), split.next().unwrap());
+
+        // // Decode the signature.
+        // let signature_bytes = URL_SAFE_NO_PAD.decode(signature).unwrap();
+
+        // // Resolve the public key from the DID Document
+        // let public_key_bytes = subject.public_key("did:jwk:eyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJJbV9ZMFFPNm9HX2s5Mm9scTVMdHQ2YVA4c19BbEFhVUIzS0dzUEcteGI0Iiwia3R5IjoiT0tQIiwieCI6IlZPakR0QnZ3cGZjSkhyTzZLV1NPdXNVUGZmQkwyR19KcXZtUTY4S3h4VjQifQ#0").await.unwrap();
+
+        // // Verify the signature
+        // let public_key = UnparsedPublicKey::new(&ED25519, public_key_bytes);
+        // assert!(public_key.verify(message.as_bytes(), &signature_bytes).is_ok());
+    }
+}
diff --git a/agent_shared/src/custom_queries.rs b/agent_shared/src/custom_queries.rs
index f327e0a5..8317fffa 100644
--- a/agent_shared/src/custom_queries.rs
+++ b/agent_shared/src/custom_queries.rs
@@ -5,6 +5,19 @@ use cqrs_es::{
 };
 use std::marker::PhantomData;
 use std::sync::Arc;
+use tracing::info;
+
+pub struct SimpleLoggingQuery {}
+
+#[async_trait]
+impl<A: Aggregate> Query<A> for SimpleLoggingQuery {
+    async fn dispatch(&self, aggregate_id: &str, events: &[EventEnvelope<A>]) {
+        for event in events {
+            let payload = serde_json::to_string_pretty(&event.payload).unwrap();
+            info!("{}-{} - {}", aggregate_id, event.sequence, payload);
+        }
+    }
+}
 
 /// A custom query trait. This trait is used to define custom queries for the Aggregates that do not make use of
 /// `GenericQuery`.
diff --git a/agent_store/src/lib.rs b/agent_store/src/lib.rs
index 9d7eae02..c02aef2c 100644
--- a/agent_store/src/lib.rs
+++ b/agent_store/src/lib.rs
@@ -34,7 +34,6 @@ use agent_issuance::credential::views::CredentialView;
 use agent_issuance::offer::views::all_offers::AllOffersView;
 use agent_issuance::offer::views::OfferView;
 use agent_issuance::server_config::views::ServerConfigView;
-use agent_issuance::SimpleLoggingQuery;
 use agent_issuance::{
     credential::aggregate::Credential, offer::aggregate::Offer, server_config::aggregate::ServerConfig,
 };
@@ -46,7 +45,7 @@ use agent_secret_manager::managed_key::views::all_managed_keys::AllManagedKeysVi
 use agent_secret_manager::services::SecretManagerServices;
 use agent_secret_manager::state::SecretManagerState;
 use agent_shared::application_state::Command;
-use agent_shared::custom_queries::ListAllQuery;
+use agent_shared::custom_queries::{ListAllQuery, SimpleLoggingQuery};
 use agent_shared::generic_query::generic_query;
 use agent_verification::authorization_request::aggregate::AuthorizationRequest;
 use agent_verification::authorization_request::views::all_authorization_requests::AllAuthorizationRequestsView;
@@ -164,7 +163,7 @@ pub type CqrsComponents<A, V, AV> = (
 pub trait CqrsComponentBuilder {
     fn commands_and_queries<V: View<A> + 'static, A: Aggregate + 'static, AV: View<A> + 'static>(
         &self,
-        identity_services: A::Services,
+        services: A::Services,
         event_publishers: Vec<Box<dyn Query<A>>>,
     ) -> impl std::future::Future<Output = CqrsComponents<A, V, AV>> + Send
     where

From ad96c011d4a16a8b3d952f42c7021cee87316596 Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Wed, 31 Dec 2025 15:52:36 +0100
Subject: [PATCH 10/14] feat: implement default key generation and domain
 linkage service initialization

---
 .../src/sagas/key_generation_saga.rs          |  61 +++++++-
 agent_application/src/main.rs                 |   9 +-
 agent_identity/src/document/aggregate.rs      |   1 +
 agent_identity/src/service/aggregate.rs       | 146 +++++-------------
 agent_identity/src/services.rs                | 110 ++++++++++++-
 agent_identity/src/state.rs                   |  86 -----------
 6 files changed, 209 insertions(+), 204 deletions(-)

diff --git a/agent_api_http/src/sagas/key_generation_saga.rs b/agent_api_http/src/sagas/key_generation_saga.rs
index 0918c4aa..276cc1a4 100644
--- a/agent_api_http/src/sagas/key_generation_saga.rs
+++ b/agent_api_http/src/sagas/key_generation_saga.rs
@@ -8,7 +8,12 @@ use cqrs_es::{EventEnvelope, Query};
 use identity_iota::verification::VerificationMethod;
 use identity_storage::KeyId;
 
-use agent_identity::{document::command::DocumentCommand, services::IdentityServices, state::IdentityState};
+use agent_identity::{
+    document::command::DocumentCommand,
+    service::command::ServiceCommand,
+    services::IdentityServices,
+    state::{IdentityState, DOMAIN_LINKAGE_SERVICE_ID},
+};
 use std::sync::Arc;
 
 #[derive(Clone)]
@@ -31,6 +36,22 @@ impl KeyGenerationSaga {
         }
     }
 
+    pub async fn generate_default_keys(&self) -> Result<(), Box<dyn std::error::Error>> {
+        let current_keys_n = query_handler("all_managed_keys", &self.secret_manager_state.query.all_managed_keys)
+            .await?
+            .map(|all_managed_keys_view| all_managed_keys_view.managed_keys.len())
+            .unwrap_or_default();
+
+        if current_keys_n == 0 {
+            self.generate_key("EdDSA Key".to_string(), SigningAlgorithm::EdDSA)
+                .await?;
+            self.generate_key("ES256 Key".to_string(), SigningAlgorithm::ES256)
+                .await?;
+        }
+
+        Ok(())
+    }
+
     pub async fn generate_key(
         &self,
         alias: String,
@@ -57,7 +78,7 @@ impl KeyGenerationSaga {
             if let Some(all_documents_view) =
                 query_handler("all_documents", &self.identity_state.query.all_documents).await?
             {
-                for (document_id, document_view) in all_documents_view.documents {
+                for (document_id, document_view) in &all_documents_view.documents {
                     if document_view
                         .did_method
                         .map(|did_method| did_method.supports_update())
@@ -69,6 +90,42 @@ impl KeyGenerationSaga {
                         };
 
                         command_handler(&document_id, &self.identity_state.command.document, command).await?;
+                    }
+                }
+
+                let command = ServiceCommand::CreateDomainLinkageService {
+                    service_id: DOMAIN_LINKAGE_SERVICE_ID.to_string(),
+                    verification_methods: vec![],
+                };
+
+                command_handler(
+                    &DOMAIN_LINKAGE_SERVICE_ID,
+                    &self.identity_state.command.service,
+                    command,
+                )
+                .await
+                .ok();
+
+                let domain_linkage_service =
+                    query_handler(DOMAIN_LINKAGE_SERVICE_ID, &self.identity_state.query.service).await?;
+
+                for (document_id, document_view) in all_documents_view.documents {
+                    if document_view
+                        .did_method
+                        .map(|did_method| did_method.supports_update())
+                        .unwrap_or(false)
+                    {
+                        if let Some(domain_linkage_service) = domain_linkage_service
+                            .as_ref()
+                            .and_then(|domain_linkage_service| domain_linkage_service.service.clone())
+                        {
+                            let command = DocumentCommand::AddService {
+                                service_id: DOMAIN_LINKAGE_SERVICE_ID.to_string(),
+                                service: Box::new(domain_linkage_service),
+                            };
+
+                            command_handler(&document_id, &self.identity_state.command.document, command).await?;
+                        }
 
                         if document_view
                             .did_method
diff --git a/agent_application/src/main.rs b/agent_application/src/main.rs
index 726de5b2..c0cf7612 100644
--- a/agent_application/src/main.rs
+++ b/agent_application/src/main.rs
@@ -13,7 +13,7 @@ use agent_authorization::services::AuthorizationServices;
 use agent_event_publisher_http::EventPublisherHttp;
 use agent_event_publisher_nats::EventPublisherNats;
 use agent_holder::services::HolderServices;
-use agent_identity::services::{IdentityServices, ThisIsTheMainService};
+use agent_identity::services::{IdentityServices, ThisIsTheMainService, GLOBAL_SERVICE};
 use agent_issuance::{
     application::policies::issuer_metadata_synchronization_policy::IssuerMetadataSynchronizationPolicy,
     services::IssuanceServices,
@@ -105,6 +105,8 @@ async fn main() -> io::Result<()> {
         .await,
     );
 
+    GLOBAL_SERVICE.set(this_is_the_main_service.clone()).unwrap();
+
     let authorization_services = Arc::new(AuthorizationServices::new(this_is_the_main_service.clone()));
     let issuance_services = Arc::new(IssuanceServices::new(this_is_the_main_service.clone()));
     let holder_services = Arc::new(HolderServices::new(this_is_the_main_service.clone()));
@@ -214,7 +216,7 @@ async fn main() -> io::Result<()> {
     agent_authorization::state::initialize(&authorization_state)
         .await
         .unwrap();
-    agent_identity::state::initialize(&identity_state).await.unwrap();
+    agent_identity::state::initialize(&identity_state).await.ok();
     agent_issuance::state::initialize(&issuance_state).await.unwrap();
 
     let key_generation_saga = KeyGenerationSaga::new(
@@ -222,6 +224,9 @@ async fn main() -> io::Result<()> {
         identity_state.clone(),
         identity_services.clone(),
     );
+
+    key_generation_saga.generate_default_keys().await.ok();
+
     let key_removal_saga = KeyRemovalSaga::new(
         secret_manager_state.clone(),
         identity_state.clone(),
diff --git a/agent_identity/src/document/aggregate.rs b/agent_identity/src/document/aggregate.rs
index 2230c583..5de8a98b 100644
--- a/agent_identity/src/document/aggregate.rs
+++ b/agent_identity/src/document/aggregate.rs
@@ -7,6 +7,7 @@ use async_trait::async_trait;
 use cqrs_es::Aggregate;
 use identity_did::{CoreDID, DIDUrl, DID as _};
 use identity_document::document::CoreDocument;
+use identity_iota::core::{Duration, Timestamp};
 use identity_iota::iota::rebased::client::{
     get_object_id_from_did, IdentityClient, IdentityClientReadOnly, PublishDidDocument,
 };
diff --git a/agent_identity/src/service/aggregate.rs b/agent_identity/src/service/aggregate.rs
index c937eb84..39aee917 100644
--- a/agent_identity/src/service/aggregate.rs
+++ b/agent_identity/src/service/aggregate.rs
@@ -1,5 +1,5 @@
 use super::{command::ServiceCommand, error::ServiceError, event::ServiceEvent};
-use crate::services::IdentityServices;
+use crate::services::{IdentityServices, GLOBAL_SERVICE};
 use agent_shared::config::config;
 use async_trait::async_trait;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
@@ -59,116 +59,40 @@ impl Aggregate for Service {
                 service_id,
                 verification_methods,
             } => {
-                // let secret_manager_services = &services.secret_manager_services;
-
-                // let origin = identity_core::common::Url::parse(config().public_url.origin().ascii_serialization())
-                //     .map_err(|err| InvalidUrlError(err.to_string()))?;
-
-                // #[cfg(feature = "test_utils")]
-                // let (issuance_date, expiration_date) = {
-                //     let issuance_date = test_utils::issuance_date();
-                //     let expiration_date = test_utils::expiration_date();
-                //     (issuance_date, expiration_date)
-                // };
-                // #[cfg(not(feature = "test_utils"))]
-                // let (issuance_date, expiration_date) = {
-                //     let issuance_date = Timestamp::now_utc();
-                //     let expiration_date = issuance_date
-                //         // TODO: make this configurable
-                //         .checked_add(Duration::days(365))
-                //         .ok_or(InvalidTimestampError)?;
-
-                //     (issuance_date, expiration_date)
-                // };
-
-                // let mut linked_dids = vec![];
-
-                // // For each Verification Method, create a new linked DID JWT token.
-                // for verification_method in verification_methods {
-                //     let subject_did = verification_method.id().did();
-
-                //     let verification_method_id = verification_method.id();
-                //     let alg = verification_method
-                //         .data()
-                //         .public_key_jwk()
-                //         .and_then(|jwk| jwk.alg())
-                //         .ok_or_else(|| MissingVerificationMethodAlgorithm(verification_method_id.to_string()))?;
-                //     let algorithm = Algorithm::from_str(alg)
-                //         .map_err(|_| UnsupportedVerificationMethodAlgorithm(alg.to_string()))?;
-
-                //     let domain_linkage_credential = DomainLinkageCredentialBuilder::new()
-                //         .issuer(subject_did.clone())
-                //         .origin(origin.clone())
-                //         .issuance_date(issuance_date)
-                //         .expiration_date(expiration_date)
-                //         .build()
-                //         .map_err(|err| DomainLinkageCredentialBuilderError(err.to_string()))?
-                //         .serialize_jwt(Default::default())
-                //         .map_err(|err| SerializationError(err.to_string()))?;
-
-                //     // Compose JWT
-                //     let header = Header {
-                //         alg: algorithm,
-                //         typ: None,
-                //         kid: Some(verification_method.id().to_string()),
-                //         ..Default::default()
-                //     };
-
-                //     let linked_did = [
-                //         URL_SAFE_NO_PAD.encode(
-                //             header
-                //                 .to_json_vec()
-                //                 .map_err(|err| SerializationError(err.to_string()))?,
-                //         ),
-                //         URL_SAFE_NO_PAD.encode(domain_linkage_credential.as_bytes()),
-                //     ]
-                //     .join(".");
-
-                //     let proof_value = secret_manager_services
-                //         // TODO: Currently UniCore always uses the same keys for signing regardless of the DID method.
-                //         // Once we implement DID method-specific keys, then we should supply the appropriate
-                //         // `subject_syntax_type` here instead of this `placeholder` value.
-                //         .sign(linked_did.as_str(), "placeholder", algorithm)
-                //         .await
-                //         .map_err(|err| SigningError(err.to_string()))?;
-                //     let signature = URL_SAFE_NO_PAD.encode(proof_value.as_slice());
-                //     let linked_did = [linked_did, signature].join(".");
-
-                //     linked_dids.push(Jwt::from(linked_did))
-                // }
-
-                // if linked_dids.is_empty() {
-                //     return Err(EmptyLinkedDidsError);
-                // }
-
-                // let domain_linkage_configuration = DomainLinkageConfiguration::new(linked_dids);
-
-                // info!("Configuration Resource: {domain_linkage_configuration:#}");
-
-                // let service_endpoint = ServiceEndpoint::from_json_value(json!({
-                //     "origins": [origin]
-                // }))
-                // .map_err(|err| InvalidServiceEndpointError(err.to_string()))?;
-
-                // // Create a new service.
-                // let service = DocumentService::builder(Default::default())
-                //     // This service is DID method-agnostic. When added to an enabled DID Document,
-                //     // its placeholder value is replaced with the appropriate DID method-specific identifier.
-                //     .id(format!("did:place:holder#{service_id}")
-                //         .parse::<DIDUrl>()
-                //         .map_err(|err| InvalidDidError(err.to_string()))?)
-                //     .type_("LinkedDomains")
-                //     .service_endpoint(service_endpoint)
-                //     .build()
-                //     .map_err(|err| ServiceBuilderError(err.to_string()))?;
-
-                // Ok(vec![DomainLinkageServiceCreated {
-                //     service_id,
-                //     service,
-                //     resource: ServiceResource::DomainLinkage(domain_linkage_configuration),
-                //     is_deleted: false,
-                // }])
-                todo!()
+                let this_is_the_main_service = GLOBAL_SERVICE.get().unwrap().clone();
+                let domain_linkage_configuration = this_is_the_main_service
+                    .create_domain_linkage_configuration()
+                    .await
+                    .map_err(|_| EmptyLinkedDidsError)?;
+
+                let origin = identity_core::common::Url::parse(config().public_url.origin().ascii_serialization())
+                    .map_err(|err| InvalidUrlError(err.to_string()))?;
+
+                info!("Configuration Resource: {domain_linkage_configuration:#}");
+
+                let service_endpoint = ServiceEndpoint::from_json_value(json!({
+                    "origins": [origin]
+                }))
+                .map_err(|err| InvalidServiceEndpointError(err.to_string()))?;
+
+                // Create a new service.
+                let service = DocumentService::builder(Default::default())
+                    // This service is DID method-agnostic. When added to an enabled DID Document,
+                    // its placeholder value is replaced with the appropriate DID method-specific identifier.
+                    .id(format!("did:place:holder#{service_id}")
+                        .parse::<DIDUrl>()
+                        .map_err(|err| InvalidDidError(err.to_string()))?)
+                    .type_("LinkedDomains")
+                    .service_endpoint(service_endpoint)
+                    .build()
+                    .map_err(|err| ServiceBuilderError(err.to_string()))?;
+
+                Ok(vec![DomainLinkageServiceCreated {
+                    service_id,
+                    service,
+                    resource: ServiceResource::DomainLinkage(domain_linkage_configuration),
+                    is_deleted: false,
+                }])
             }
             DeleteDomainLinkageService { service_id } => Ok(vec![DomainLinkageServiceDeleted {
                 service_id,
diff --git a/agent_identity/src/services.rs b/agent_identity/src/services.rs
index 00ff70a9..94c6813b 100644
--- a/agent_identity/src/services.rs
+++ b/agent_identity/src/services.rs
@@ -11,16 +11,21 @@ use anyhow::anyhow;
 use async_trait::async_trait;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use did_manager_consumer::resolver::Resolver;
+use identity_credential::domain_linkage::{DomainLinkageConfiguration, DomainLinkageCredentialBuilder};
 use identity_did::{DIDUrl, DID as _};
 use identity_iota::{
-    core::ToJson,
+    core::{Duration, Timestamp, ToJson},
+    credential::Jwt,
     document::DIDUrlQuery,
     verification::jwk::{Jwk, JwkParams},
 };
 use identity_storage::{JwkStorage as _, KeyId};
-use jsonwebtoken::Algorithm;
+use jsonwebtoken::{Algorithm, Header};
 use oid4vc_core::{authentication::sign::ExternalSign, Sign, Verify};
-use std::{str::FromStr as _, sync::Arc};
+use std::{
+    str::FromStr as _,
+    sync::{Arc, OnceLock},
+};
 
 use crate::state::IdentityState;
 
@@ -48,6 +53,8 @@ impl IdentityServices {
     }
 }
 
+pub static GLOBAL_SERVICE: OnceLock<Arc<ThisIsTheMainService>> = OnceLock::new();
+
 pub struct ThisIsTheMainService {
     pub secret_manager_state: Arc<SecretManagerState>,
     pub secret_manager_services: Arc<SecretManagerServices>,
@@ -70,6 +77,103 @@ impl ThisIsTheMainService {
             resolver,
         }
     }
+
+    pub async fn create_domain_linkage_configuration(&self) -> anyhow::Result<DomainLinkageConfiguration> {
+        let stronghold_storage = &self.secret_manager_services.stronghold_storage;
+
+        let origin = identity_core::common::Url::parse(config().public_url.origin().ascii_serialization()).unwrap();
+        // .map_err(|err| InvalidUrlError(err.to_string()))?;
+
+        // #[cfg(feature = "test_utils")]
+        // let (issuance_date, expiration_date) = {
+        //     let issuance_date = test_utils::issuance_date();
+        //     let expiration_date = test_utils::expiration_date();
+        //     (issuance_date, expiration_date)
+        // };
+        // #[cfg(not(feature = "test_utils"))]
+        let (issuance_date, expiration_date) = {
+            let issuance_date = Timestamp::now_utc();
+            let expiration_date = issuance_date
+                // TODO: make this configurable
+                .checked_add(Duration::days(365))
+                .unwrap();
+            // .ok_or(InvalidTimestampError)?;
+
+            (issuance_date, expiration_date)
+        };
+
+        let all_documents_view = query_handler("all_documents", &self.identity_state.query.all_documents)
+            .await
+            .unwrap()
+            .unwrap();
+
+        let did_method_and_verification_method_ids = all_documents_view
+            .documents
+            .into_values()
+            .filter_map(|document_view| {
+                Some((document_view.did_method.unwrap(), document_view.verification_method_ids))
+            })
+            .collect::<Vec<_>>();
+
+        let mut linked_dids = vec![];
+
+        for (_did_method, verification_method_ids) in did_method_and_verification_method_ids {
+            for (key_id, verification_method_id) in verification_method_ids {
+                let key_id = KeyId::new(&key_id);
+
+                // FIXME: terrible temporary logic to determine key type
+                let public_key = if let Ok(public_key) = stronghold_storage.get_es256_public_key(&key_id).await {
+                    public_key
+                } else {
+                    stronghold_storage.get_ed25519_public_key(&key_id).await?
+                };
+
+                let subject_did = verification_method_id.did();
+                let algorithm = Algorithm::from_str(public_key.alg().unwrap()).unwrap();
+
+                let domain_linkage_credential = DomainLinkageCredentialBuilder::new()
+                    .issuer(subject_did.clone())
+                    .origin(origin.clone())
+                    .issuance_date(issuance_date)
+                    .expiration_date(expiration_date)
+                    .build()
+                    .unwrap()
+                    // .map_err(|err| DomainLinkageCredentialBuilderError(err.to_string()))?
+                    .serialize_jwt(Default::default())
+                    .unwrap();
+                // .map_err(|err| SerializationError(err.to_string()))?;
+
+                // Compose JWT
+                let header = Header {
+                    alg: algorithm,
+                    typ: None,
+                    kid: Some(verification_method_id.to_string()),
+                    ..Default::default()
+                };
+
+                let linked_did = [
+                    URL_SAFE_NO_PAD.encode(
+                        header.to_json_vec().unwrap(), // .map_err(|err| SerializationError(err.to_string()))?,
+                    ),
+                    URL_SAFE_NO_PAD.encode(domain_linkage_credential.as_bytes()),
+                ]
+                .join(".");
+
+                stronghold_storage
+                    .sign(&key_id, linked_did.as_bytes(), &public_key)
+                    .await
+                    .unwrap();
+
+                linked_dids.push(Jwt::from(linked_did));
+            }
+        }
+
+        if linked_dids.is_empty() {
+            return Err(anyhow!("No linked DIDs found"));
+        }
+
+        Ok(DomainLinkageConfiguration::new(linked_dids))
+    }
 }
 
 impl std::fmt::Debug for ThisIsTheMainService {
diff --git a/agent_identity/src/state.rs b/agent_identity/src/state.rs
index 36396269..f37d50b4 100644
--- a/agent_identity/src/state.rs
+++ b/agent_identity/src/state.rs
@@ -103,7 +103,6 @@ pub async fn initialize(state: &IdentityState) -> anyhow::Result<()> {
 
     initialize_display(state).await?;
     initialize_documents(state).await?;
-    initialize_domain_linkage(state).await?;
     initialize_linked_verifiable_presentations(state).await?;
     publish_decentrally_hosted_documents(state).await?;
 
@@ -399,91 +398,6 @@ fn get_did_methods_with_or_without_fixed_algorithm() -> Vec<((SupportedDidMethod
         .collect()
 }
 
-/// Initializes or disables the Domain Linkage Service based on the current configuration and document state.
-///
-/// This asynchronous function performs the following steps:
-///
-/// 1. Query Documents: It retrieves all documents that are not disabled and whose DID methods support updates.
-/// 2. Conditional Service Creation:
-///    - If domain linkage is enabled in the configuration and there exists at least one update-supporting document,
-///      it creates the Domain Linkage Service.
-///    - It then queries for the created service. If found, it adds the service to all update-supporting documents.
-/// 3. Service Deletion:
-///    - If domain linkage is disabled or no update-supporting documents exist, the function sends a command
-///      to disable the Domain Linkage Service.
-pub async fn initialize_domain_linkage(state: &IdentityState) -> anyhow::Result<()> {
-    // Get all the Documents that are not disabled and support updates.
-    let update_supporting_documents = query_all_documents(state, |(_, document)| {
-        document.status != Status::Disabled
-            && document
-                .did_method
-                .as_ref()
-                .map(SupportedDidMethod::supports_update)
-                .unwrap_or_default()
-            && document
-                .iota_metadata
-                .as_ref()
-                .map(|iota_metadata| iota_metadata.is_funded)
-                .unwrap_or(true)
-    })
-    .await?;
-
-    // Check whether Domain Linkage is enabled and whether there are any enabled update-supporting Documents.
-    if config().domain_linkage_enabled && !update_supporting_documents.is_empty() {
-        info!(
-            "Creating domain linkage service with documents: {:?}",
-            update_supporting_documents
-        );
-
-        // Collect all Verification Methods from update-supporting documents.
-        let verification_methods = update_supporting_documents
-            .values()
-            .filter_map(|document| document.document.as_ref())
-            .flat_map(|core_document| core_document.methods(None).into_iter().cloned())
-            .collect();
-
-        // Create the Domain Linkage Service.
-        let command = ServiceCommand::CreateDomainLinkageService {
-            service_id: DOMAIN_LINKAGE_SERVICE_ID.to_string(),
-            verification_methods,
-        };
-
-        command_handler(DOMAIN_LINKAGE_SERVICE_ID, &state.command.service, command).await?;
-
-        info!("Created Linked Domain service");
-
-        match query_handler(DOMAIN_LINKAGE_SERVICE_ID, &state.query.service).await {
-            Ok(Some(Service {
-                service: Some(service), ..
-            })) => {
-                info!("Found Linked Domains service: {service}");
-
-                // Add the Domain Linkage service to all the enabled update supporting Documents.
-                for document_id in update_supporting_documents.keys() {
-                    let command = DocumentCommand::AddService {
-                        service_id: DOMAIN_LINKAGE_SERVICE_ID.to_string(),
-                        service: Box::new(service.clone()),
-                    };
-
-                    command_handler(document_id, &state.command.document, command).await?;
-                }
-            }
-            _ => anyhow::bail!("Failed to retrieve Linked Domains service"),
-        };
-    } else {
-        // If Domain Linkage is disabled and/or there are no enabled update supporting Documents, then disable the Domain Linkage Service.
-        let command = ServiceCommand::DeleteDomainLinkageService {
-            service_id: DOMAIN_LINKAGE_SERVICE_ID.to_string(),
-        };
-
-        command_handler(DOMAIN_LINKAGE_SERVICE_ID, &state.command.service, command).await?;
-
-        info!("Disabled Domain Linkage service");
-    }
-
-    Ok(())
-}
-
 /// Initializes the Linked Verifiable Presentations service for DID Web Document.
 pub async fn initialize_linked_verifiable_presentations(state: &IdentityState) -> anyhow::Result<()> {
     // TODO: We currently only support Linked Verifiable Presentations for DID Web. In the future we should also support

From 7c417f85f0d66968c16eb0db4ee500bb10d8bc3e Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Wed, 31 Dec 2025 16:46:49 +0100
Subject: [PATCH 11/14] refactor: update document initialization logic to
 handle multiple commands

---
 agent_identity/src/state.rs | 45 +++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/agent_identity/src/state.rs b/agent_identity/src/state.rs
index f37d50b4..4e986726 100644
--- a/agent_identity/src/state.rs
+++ b/agent_identity/src/state.rs
@@ -309,7 +309,7 @@ async fn initialize_documents(state: &IdentityState) -> anyhow::Result<()> {
     for ((did_method, ToggleOptions { enabled, .. }), with_fixed_algorithm) in
         did_methods_with_or_without_fixed_algorithm
     {
-        let document_id_and_command = match all_documents.values().find(|document| {
+        let document_id_and_commands = match all_documents.values().find(|document| {
             document.did_method == Some(did_method) && document.with_fixed_algorithm == with_fixed_algorithm
         }) {
             // If the Document already exists, but the DID method is not enabled, then update the Document's status to `Disabled`.
@@ -319,25 +319,32 @@ async fn initialize_documents(state: &IdentityState) -> anyhow::Result<()> {
                 ..
             }) if !enabled => Some((
                 document_id.clone(),
-                DocumentCommand::UpdateDocumentStatus {
+                vec![DocumentCommand::UpdateDocumentStatus {
                     status: Status::Disabled,
-                },
+                }],
             )),
-            // If the DID method is enabled, then create the Document regardless of whether it already exists or not.
-            document if enabled => {
-                let document_id = document
-                    // Extract the `document_id` from the Document if it exists.
-                    .map(|document| document.document_id.clone())
-                    // Otherwise, generate a new `document_id`.
-                    .unwrap_or_else(|| uuid::Uuid::new_v4().to_string());
+            // If the Document already exists, but the DID method is not enabled, then update the Document's status to `SignAndValidate`.
+            Some(Document {
+                document_id,
+                status: Status::Disabled,
+                ..
+            }) if enabled => Some((
+                document_id.clone(),
+                vec![DocumentCommand::UpdateDocumentStatus {
+                    status: Status::SignAndValidate,
+                }],
+            )),
+            // If the Document does not exist and the DID method is enabled, then create the Document.
+            None if enabled => {
+                let document_id = uuid::Uuid::new_v4().to_string();
 
                 Some((
                     document_id.clone(),
-                    DocumentCommand::CreateDocument {
+                    vec![DocumentCommand::CreateDocument {
                         document_id: document_id.clone(),
                         did_method,
                         with_fixed_algorithm,
-                    },
+                    }],
                 ))
             }
             // In all other cases, the DID method is disabled and therefore no action is required.
@@ -345,16 +352,10 @@ async fn initialize_documents(state: &IdentityState) -> anyhow::Result<()> {
         };
 
         // If a Document command was generated, then execute the command and update the Document's Public Keys.
-        if let Some((document_id, command)) = document_id_and_command {
-            command_handler(&document_id, &state.command.document, command).await?;
-
-            // if enabled {
-            //     let command = DocumentCommand::UpdatePublicKeys {
-            //         public_key_jwks: vec![],
-            //     };
-
-            //     command_handler(&document_id, &state.command.document, command).await?;
-            // }
+        if let Some((document_id, commands)) = document_id_and_commands {
+            for command in commands {
+                command_handler(&document_id, &state.command.document, command).await?;
+            }
         }
     }
 

From 8d42e3b12ca526ebf4476033bee20d55dcdeef0f Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Thu, 1 Jan 2026 14:26:53 +0100
Subject: [PATCH 12/14] refactor: rename `ThisIsTheMainService` to
 `IdentityApplicationService` for clarity and consistency

---
 agent_api_http/src/utils.rs                   | 18 +++++++------
 agent_application/src/main.rs                 | 25 ++++++++++++-------
 agent_authorization/src/services.rs           |  8 +++---
 agent_holder/src/presentation/aggregate.rs    |  6 ++---
 agent_holder/src/services.rs                  | 10 ++++----
 agent_identity/src/service/aggregate.rs       |  6 ++---
 agent_identity/src/services.rs                | 16 ++++++------
 agent_issuance/src/credential/aggregate.rs    |  4 +--
 agent_issuance/src/offer/aggregate.rs         |  4 +--
 agent_issuance/src/services.rs                |  8 +++---
 agent_secret_manager/src/services.rs          | 21 +++++++++++++++-
 agent_store/src/lib.rs                        |  4 +--
 .../src/authorization_request/aggregate.rs    |  4 +--
 agent_verification/src/services.rs            | 10 ++++----
 14 files changed, 86 insertions(+), 58 deletions(-)

diff --git a/agent_api_http/src/utils.rs b/agent_api_http/src/utils.rs
index 6d421c44..c26f5035 100644
--- a/agent_api_http/src/utils.rs
+++ b/agent_api_http/src/utils.rs
@@ -166,7 +166,7 @@ pub mod tests {
     use super::*;
     use agent_authorization::services::AuthorizationServices;
     use agent_authorization::state::AuthorizationState;
-    use agent_identity::services::{IdentityServices, ThisIsTheMainService};
+    use agent_identity::services::{IdentityApplicationService, IdentityServices};
     use agent_issuance::services::IssuanceServices;
     use agent_issuance::state::IssuanceState;
     use agent_secret_manager::services::SecretManagerServices;
@@ -181,7 +181,7 @@ pub mod tests {
     use serde_json::json;
     use std::sync::Arc;
 
-    pub(crate) async fn main_service() -> Arc<ThisIsTheMainService> {
+    pub(crate) async fn main_service() -> Arc<IdentityApplicationService> {
         let secret_manager_services = Arc::new(SecretManagerServices::new().await);
         let secret_manager_state =
             Arc::new(agent_store::secret_manager_state(&InMemory, secret_manager_services.clone(), vec![]).await);
@@ -189,19 +189,19 @@ pub mod tests {
         let identity_services = Arc::new(IdentityServices::new(secret_manager_services.clone()));
         let identity_state = Arc::new(agent_store::identity_state(&InMemory, identity_services, vec![]).await);
 
-        let this_is_the_main_service = Arc::new(
-            ThisIsTheMainService::new(
+        let identity_application_service = Arc::new(
+            IdentityApplicationService::new(
                 secret_manager_state.clone(),
                 secret_manager_services.clone(),
                 identity_state.clone(),
             )
             .await,
         );
-        this_is_the_main_service
+        identity_application_service
     }
 
     pub(crate) async fn test_issuance_state(
-        main_service: Arc<ThisIsTheMainService>,
+        main_service: Arc<IdentityApplicationService>,
         event_publishers: Vec<Box<dyn EventPublisher>>,
     ) -> Arc<IssuanceState> {
         Arc::new(
@@ -214,7 +214,9 @@ pub mod tests {
         )
     }
 
-    pub(crate) async fn test_authorization_state(main_service: Arc<ThisIsTheMainService>) -> Arc<AuthorizationState> {
+    pub(crate) async fn test_authorization_state(
+        main_service: Arc<IdentityApplicationService>,
+    ) -> Arc<AuthorizationState> {
         Arc::new(
             agent_store::authorization_state(&InMemory, Arc::new(AuthorizationServices::new(main_service)), vec![])
                 .await,
@@ -222,7 +224,7 @@ pub mod tests {
     }
 
     pub(crate) async fn test_verification_state(
-        main_service: Arc<ThisIsTheMainService>,
+        main_service: Arc<IdentityApplicationService>,
         event_publishers: Vec<Box<dyn EventPublisher>>,
     ) -> Arc<VerificationState> {
         Arc::new(
diff --git a/agent_application/src/main.rs b/agent_application/src/main.rs
index c0cf7612..3f184ddd 100644
--- a/agent_application/src/main.rs
+++ b/agent_application/src/main.rs
@@ -13,12 +13,14 @@ use agent_authorization::services::AuthorizationServices;
 use agent_event_publisher_http::EventPublisherHttp;
 use agent_event_publisher_nats::EventPublisherNats;
 use agent_holder::services::HolderServices;
-use agent_identity::services::{IdentityServices, ThisIsTheMainService, GLOBAL_SERVICE};
+use agent_identity::services::{IdentityApplicationService, IdentityServices, IDENTITY_APPLICATION_SERVICE};
 use agent_issuance::{
     application::policies::issuer_metadata_synchronization_policy::IssuerMetadataSynchronizationPolicy,
     services::IssuanceServices,
 };
-use agent_secret_manager::services::SecretManagerServices;
+use agent_secret_manager::services::{
+    SecretManagerDomainService, SecretManagerServices, SECRET_MANAGER_DOMAIN_SERVICE,
+};
 use agent_shared::config::{config, EventStoreType};
 use agent_store::{in_memory::InMemory, mongodb::MongoDB, postgres::Postgres, EventPublisher};
 use agent_verification::services::VerificationServices;
@@ -96,8 +98,8 @@ async fn main() -> io::Result<()> {
         }
     };
 
-    let this_is_the_main_service = Arc::new(
-        ThisIsTheMainService::new(
+    let identity_application_service = Arc::new(
+        IdentityApplicationService::new(
             secret_manager_state.clone(),
             secret_manager_services.clone(),
             identity_state.clone(),
@@ -105,12 +107,17 @@ async fn main() -> io::Result<()> {
         .await,
     );
 
-    GLOBAL_SERVICE.set(this_is_the_main_service.clone()).unwrap();
+    IDENTITY_APPLICATION_SERVICE
+        .set(identity_application_service.clone())
+        .unwrap();
+    SECRET_MANAGER_DOMAIN_SERVICE
+        .set(Arc::new(SecretManagerDomainService::new(secret_manager_state.clone())))
+        .unwrap();
 
-    let authorization_services = Arc::new(AuthorizationServices::new(this_is_the_main_service.clone()));
-    let issuance_services = Arc::new(IssuanceServices::new(this_is_the_main_service.clone()));
-    let holder_services = Arc::new(HolderServices::new(this_is_the_main_service.clone()));
-    let verification_services = Arc::new(VerificationServices::new(this_is_the_main_service.clone()));
+    let authorization_services = Arc::new(AuthorizationServices::new(identity_application_service.clone()));
+    let issuance_services = Arc::new(IssuanceServices::new(identity_application_service.clone()));
+    let holder_services = Arc::new(HolderServices::new(identity_application_service.clone()));
+    let verification_services = Arc::new(VerificationServices::new(identity_application_service.clone()));
 
     // TODO: Refactor this to reduce code duplication.
     let (library_state, authorization_state, issuance_state, holder_state, verification_state) = match config()
diff --git a/agent_authorization/src/services.rs b/agent_authorization/src/services.rs
index f38f2316..696d96e2 100644
--- a/agent_authorization/src/services.rs
+++ b/agent_authorization/src/services.rs
@@ -1,14 +1,14 @@
-use agent_identity::services::ThisIsTheMainService;
+use agent_identity::services::IdentityApplicationService;
 use std::sync::Arc;
 
 pub struct AuthorizationServices {
-    pub this_is_the_main_service: Arc<ThisIsTheMainService>,
+    pub identity_application_service: Arc<IdentityApplicationService>,
 }
 
 impl AuthorizationServices {
-    pub fn new(this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
+    pub fn new(identity_application_service: Arc<IdentityApplicationService>) -> Self {
         Self {
-            this_is_the_main_service,
+            identity_application_service,
         }
     }
 }
diff --git a/agent_holder/src/presentation/aggregate.rs b/agent_holder/src/presentation/aggregate.rs
index caf6af76..894dc659 100644
--- a/agent_holder/src/presentation/aggregate.rs
+++ b/agent_holder/src/presentation/aggregate.rs
@@ -43,8 +43,8 @@ impl Aggregate for Presentation {
                 presentation_id,
                 signed_credentials,
             } => {
-                let this_is_the_main_service = &services.this_is_the_main_service;
-                let subject_did = this_is_the_main_service
+                let identity_application_service = &services.identity_application_service;
+                let subject_did = identity_application_service
                     .identifier(
                         get_preferred_did_method().to_string().as_ref(),
                         get_preferred_signing_algorithm(),
@@ -96,7 +96,7 @@ impl Aggregate for Presentation {
                 ]
                 .join(".");
 
-                let proof_value = this_is_the_main_service
+                let proof_value = identity_application_service
                     .sign(
                         &message,
                         get_preferred_did_method().to_string().as_ref(),
diff --git a/agent_holder/src/services.rs b/agent_holder/src/services.rs
index f3844801..1fd9e107 100644
--- a/agent_holder/src/services.rs
+++ b/agent_holder/src/services.rs
@@ -1,4 +1,4 @@
-use agent_identity::services::ThisIsTheMainService;
+use agent_identity::services::IdentityApplicationService;
 use agent_shared::config::{
     get_all_enabled_did_methods, get_all_enabled_signing_algorithms_supported, get_preferred_did_method,
 };
@@ -8,12 +8,12 @@ use std::sync::Arc;
 
 /// Holder services. This struct is used to sign credentials and validate credential requests.
 pub struct HolderServices {
-    pub this_is_the_main_service: Arc<ThisIsTheMainService>,
+    pub identity_application_service: Arc<IdentityApplicationService>,
     pub wallet: Wallet,
 }
 
 impl HolderServices {
-    pub fn new(this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
+    pub fn new(identity_application_service: Arc<IdentityApplicationService>) -> Self {
         let signing_algorithms_supported = get_all_enabled_signing_algorithms_supported();
 
         let mut enabled_did_methods = get_all_enabled_did_methods();
@@ -32,7 +32,7 @@ impl HolderServices {
             enabled_did_methods.into_iter().map(Into::into).collect();
 
         let wallet = Wallet::new(
-            this_is_the_main_service.clone(),
+            identity_application_service.clone(),
             supported_subject_syntax_types,
             signing_algorithms_supported,
         )
@@ -40,7 +40,7 @@ impl HolderServices {
         .expect("Failed to create wallet");
 
         Self {
-            this_is_the_main_service,
+            identity_application_service,
             wallet,
         }
     }
diff --git a/agent_identity/src/service/aggregate.rs b/agent_identity/src/service/aggregate.rs
index 39aee917..21a8cd80 100644
--- a/agent_identity/src/service/aggregate.rs
+++ b/agent_identity/src/service/aggregate.rs
@@ -1,5 +1,5 @@
 use super::{command::ServiceCommand, error::ServiceError, event::ServiceEvent};
-use crate::services::{IdentityServices, GLOBAL_SERVICE};
+use crate::services::{IdentityServices, IDENTITY_APPLICATION_SERVICE};
 use agent_shared::config::config;
 use async_trait::async_trait;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
@@ -59,8 +59,8 @@ impl Aggregate for Service {
                 service_id,
                 verification_methods,
             } => {
-                let this_is_the_main_service = GLOBAL_SERVICE.get().unwrap().clone();
-                let domain_linkage_configuration = this_is_the_main_service
+                let identity_application_service = IDENTITY_APPLICATION_SERVICE.get().unwrap().clone();
+                let domain_linkage_configuration = identity_application_service
                     .create_domain_linkage_configuration()
                     .await
                     .map_err(|_| EmptyLinkedDidsError)?;
diff --git a/agent_identity/src/services.rs b/agent_identity/src/services.rs
index 94c6813b..3c977932 100644
--- a/agent_identity/src/services.rs
+++ b/agent_identity/src/services.rs
@@ -53,16 +53,16 @@ impl IdentityServices {
     }
 }
 
-pub static GLOBAL_SERVICE: OnceLock<Arc<ThisIsTheMainService>> = OnceLock::new();
+pub static IDENTITY_APPLICATION_SERVICE: OnceLock<Arc<IdentityApplicationService>> = OnceLock::new();
 
-pub struct ThisIsTheMainService {
+pub struct IdentityApplicationService {
     pub secret_manager_state: Arc<SecretManagerState>,
     pub secret_manager_services: Arc<SecretManagerServices>,
     pub identity_state: Arc<IdentityState>,
     pub resolver: Resolver,
 }
 
-impl ThisIsTheMainService {
+impl IdentityApplicationService {
     pub async fn new(
         secret_manager_state: Arc<SecretManagerState>,
         secret_manager_services: Arc<SecretManagerServices>,
@@ -176,7 +176,7 @@ impl ThisIsTheMainService {
     }
 }
 
-impl std::fmt::Debug for ThisIsTheMainService {
+impl std::fmt::Debug for IdentityApplicationService {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         f.debug_struct("ThisIsTheMainService").finish()
     }
@@ -189,7 +189,7 @@ pub trait SubjectExt: oid4vc_core::Subject {
 
 /// Extension trait for `Subject` to provide additional functionality.
 #[async_trait]
-impl SubjectExt for ThisIsTheMainService {
+impl SubjectExt for IdentityApplicationService {
     /// Resolves the public key for a given DID URL.
     async fn resolve_public_key(&self, did_url: &str) -> anyhow::Result<Jwk> {
         let did_url =
@@ -235,7 +235,7 @@ impl SubjectExt for ThisIsTheMainService {
 // }
 
 #[async_trait]
-impl Verify for ThisIsTheMainService {
+impl Verify for IdentityApplicationService {
     async fn public_key(&self, did_url: &str) -> anyhow::Result<Vec<u8>> {
         let did_url =
             identity_iota::did::DIDUrl::parse(did_url).map_err(|err| anyhow!("Failed to parse DID URL: {err}"))?;
@@ -284,7 +284,7 @@ impl Verify for ThisIsTheMainService {
 }
 
 #[async_trait]
-impl Sign for ThisIsTheMainService {
+impl Sign for IdentityApplicationService {
     async fn key_id(&self, subject_syntax_type: &str, algorithm: Algorithm) -> Option<String> {
         let method = SupportedDidMethod::from_str(subject_syntax_type).ok()?;
 
@@ -378,7 +378,7 @@ impl Sign for ThisIsTheMainService {
 }
 
 #[async_trait]
-impl oid4vc_core::Subject for ThisIsTheMainService {
+impl oid4vc_core::Subject for IdentityApplicationService {
     async fn identifier(&self, subject_syntax_type: &str, algorithm: Algorithm) -> anyhow::Result<String> {
         let did_url: DIDUrl = self
             .key_id(subject_syntax_type, algorithm)
diff --git a/agent_issuance/src/credential/aggregate.rs b/agent_issuance/src/credential/aggregate.rs
index 3a6047b8..d12aff3b 100644
--- a/agent_issuance/src/credential/aggregate.rs
+++ b/agent_issuance/src/credential/aggregate.rs
@@ -357,7 +357,7 @@ impl Aggregate for Credential {
                 let default_did_method = get_preferred_did_method();
 
                 let issuer_did = services
-                    .this_is_the_main_service
+                    .identity_application_service
                     .identifier(&default_did_method.to_string(), get_preferred_signing_algorithm())
                     .await
                     .unwrap();
@@ -455,7 +455,7 @@ impl Aggregate for Credential {
                     );
 
                     json!(jwt::encode(
-                        services.this_is_the_main_service.clone(),
+                        services.identity_application_service.clone(),
                         Header::new(get_preferred_signing_algorithm()),
                         vc_jwt_object,
                         &default_did_method.to_string()
diff --git a/agent_issuance/src/offer/aggregate.rs b/agent_issuance/src/offer/aggregate.rs
index 7aa57351..62c6b771 100644
--- a/agent_issuance/src/offer/aggregate.rs
+++ b/agent_issuance/src/offer/aggregate.rs
@@ -265,7 +265,7 @@ impl Aggregate for Offer {
                 credential_request,
             } => {
                 let credential_issuer = CredentialIssuer {
-                    subject: services.this_is_the_main_service.clone(),
+                    subject: services.identity_application_service.clone(),
                     metadata: *credential_issuer_metadata,
                     authorization_server_metadata: *authorization_server_metadata,
                 };
@@ -273,7 +273,7 @@ impl Aggregate for Offer {
                 let proof = credential_issuer
                     .validate_proof(
                         credential_request.proof.ok_or(MissingProofError)?,
-                        Validator::Subject(services.this_is_the_main_service.clone()),
+                        Validator::Subject(services.identity_application_service.clone()),
                     )
                     .await
                     .map_err(|e| InvalidProofError(e.to_string()))?;
diff --git a/agent_issuance/src/services.rs b/agent_issuance/src/services.rs
index c67a3634..985f3394 100644
--- a/agent_issuance/src/services.rs
+++ b/agent_issuance/src/services.rs
@@ -1,15 +1,15 @@
-use agent_identity::services::ThisIsTheMainService;
+use agent_identity::services::IdentityApplicationService;
 use std::sync::Arc;
 
 /// Issuance services. This struct is used to sign credentials and validate credential requests.
 pub struct IssuanceServices {
-    pub this_is_the_main_service: Arc<ThisIsTheMainService>,
+    pub identity_application_service: Arc<IdentityApplicationService>,
 }
 
 impl IssuanceServices {
-    pub fn new(this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
+    pub fn new(identity_application_service: Arc<IdentityApplicationService>) -> Self {
         Self {
-            this_is_the_main_service,
+            identity_application_service,
         }
     }
 }
diff --git a/agent_secret_manager/src/services.rs b/agent_secret_manager/src/services.rs
index 71d772ae..72257eef 100644
--- a/agent_secret_manager/src/services.rs
+++ b/agent_secret_manager/src/services.rs
@@ -1,5 +1,6 @@
-use crate::stronghold_storage;
+use crate::{state::SecretManagerState, stronghold_storage};
 use did_manager_identity_stronghold_ext::StrongholdExtStorage;
+use std::sync::{Arc, OnceLock};
 
 pub struct SecretManagerServices {
     pub stronghold_storage: StrongholdExtStorage,
@@ -12,3 +13,21 @@ impl SecretManagerServices {
         Self { stronghold_storage }
     }
 }
+
+pub static SECRET_MANAGER_DOMAIN_SERVICE: OnceLock<Arc<SecretManagerDomainService>> = OnceLock::new();
+
+pub struct SecretManagerDomainService {
+    pub secret_manager_state: Arc<SecretManagerState>,
+}
+
+impl SecretManagerDomainService {
+    pub fn new(secret_manager_state: Arc<SecretManagerState>) -> Self {
+        Self { secret_manager_state }
+    }
+}
+
+impl std::fmt::Debug for SecretManagerDomainService {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("SecretManagerDomainService").finish()
+    }
+}
diff --git a/agent_store/src/lib.rs b/agent_store/src/lib.rs
index c02aef2c..50f9b2c8 100644
--- a/agent_store/src/lib.rs
+++ b/agent_store/src/lib.rs
@@ -324,7 +324,7 @@ pub async fn authorization_state<CCB: CqrsComponentBuilder>(
             authorization_code,
             access_token,
         },
-        signer: services.this_is_the_main_service.clone(),
+        signer: services.identity_application_service.clone(),
     }
 }
 
@@ -370,7 +370,7 @@ pub async fn issuance_state<CCB: CqrsComponentBuilder>(
             offer,
             all_offers,
         },
-        subject: services.this_is_the_main_service.clone(),
+        subject: services.identity_application_service.clone(),
     }
 }
 
diff --git a/agent_verification/src/authorization_request/aggregate.rs b/agent_verification/src/authorization_request/aggregate.rs
index cb523358..2473eefb 100644
--- a/agent_verification/src/authorization_request/aggregate.rs
+++ b/agent_verification/src/authorization_request/aggregate.rs
@@ -54,8 +54,8 @@ impl Aggregate for AuthorizationRequest {
                 dcql_query,
             } => {
                 let default_subject_syntax_type = services.relying_party.default_subject_syntax_type().to_string();
-                let this_is_the_main_service = &services.this_is_the_main_service;
-                let verifier_did = this_is_the_main_service
+                let identity_application_service = &services.identity_application_service;
+                let verifier_did = identity_application_service
                     .identifier(&default_subject_syntax_type, get_preferred_signing_algorithm())
                     .await
                     .unwrap();
diff --git a/agent_verification/src/services.rs b/agent_verification/src/services.rs
index 1c5a2b1f..7a81324b 100644
--- a/agent_verification/src/services.rs
+++ b/agent_verification/src/services.rs
@@ -1,4 +1,4 @@
-use agent_identity::services::ThisIsTheMainService;
+use agent_identity::services::IdentityApplicationService;
 use agent_shared::config::{
     config, get_all_enabled_did_methods, get_all_enabled_signing_algorithms_supported, get_preferred_did_method,
 };
@@ -9,14 +9,14 @@ use std::{collections::HashMap, str::FromStr, sync::Arc};
 
 /// Verification services. This struct is used to generate authorization requests and validate authorization responses.
 pub struct VerificationServices {
-    pub this_is_the_main_service: Arc<ThisIsTheMainService>,
+    pub identity_application_service: Arc<IdentityApplicationService>,
     pub relying_party: RelyingPartyManager,
     pub siopv2_client_metadata: ClientMetadataResource<siopv2::authorization_request::ClientMetadataParameters>,
     pub oid4vp_client_metadata: ClientMetadataResource<oid4vp::authorization_request::ClientMetadataParameters>,
 }
 
 impl VerificationServices {
-    pub fn new(this_is_the_main_service: Arc<ThisIsTheMainService>) -> Self {
+    pub fn new(identity_application_service: Arc<IdentityApplicationService>) -> Self {
         let client_name = config().display.first().as_ref().map(|display| display.name.clone());
 
         let logo_uri = config()
@@ -59,9 +59,9 @@ impl VerificationServices {
         let default_subject_syntax_type = get_preferred_did_method();
 
         Self {
-            this_is_the_main_service: this_is_the_main_service.clone(),
+            identity_application_service: identity_application_service.clone(),
             relying_party: RelyingPartyManager::new(
-                this_is_the_main_service,
+                identity_application_service,
                 default_subject_syntax_type.to_string(),
                 signing_algorithms_supported,
             )

From 4d3573ee3aea2d3480d431db62563e976ad1145b Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Thu, 1 Jan 2026 15:42:21 +0100
Subject: [PATCH 13/14] feat: add support for unsetting signing keys and update
 related event handling

---
 Cargo.lock                                    |  1 -
 .../src/managed_key/aggregate.rs              | 37 +++++++++++--
 .../src/managed_key/command.rs                |  1 +
 agent_secret_manager/src/managed_key/event.rs |  3 ++
 .../src/managed_key/views/mod.rs              |  3 ++
 agent_secret_manager/src/services.rs          | 52 ++++++++++++++++++-
 6 files changed, 90 insertions(+), 7 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 10d597c3..2cffa4af 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5308,7 +5308,6 @@ dependencies = [
  "k256",
  "log",
  "p256 0.13.2",
- "rand 0.8.5",
  "secret-storage",
  "serde_json",
  "stronghold_ext",
diff --git a/agent_secret_manager/src/managed_key/aggregate.rs b/agent_secret_manager/src/managed_key/aggregate.rs
index 97d13e9e..6a96f85b 100644
--- a/agent_secret_manager/src/managed_key/aggregate.rs
+++ b/agent_secret_manager/src/managed_key/aggregate.rs
@@ -1,5 +1,5 @@
 use super::{command::ManagedKeyCommand, error::ManagedKeyError, event::ManagedKeyEvent};
-use crate::services::SecretManagerServices;
+use crate::services::{SecretManagerServices, SECRET_MANAGER_DOMAIN_SERVICE};
 use agent_shared::config::config;
 use async_trait::async_trait;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
@@ -17,6 +17,7 @@ use identity_did::DIDUrl;
 use identity_iota::{storage::JwkStorage as _, verification::jws::JwsAlgorithm};
 use identity_storage::KeyIdStorage;
 use identity_storage::{KeyId, KeyType};
+use iota_sdk::types::event;
 use jsonwebtoken::{Algorithm, Header};
 use oid4vc_core::Sign as _;
 use serde::{Deserialize, Serialize};
@@ -84,18 +85,33 @@ impl Aggregate for ManagedKey {
                     SigningAlgorithm::ES256 => (KeyType::new("P256"), JwsAlgorithm::ES256),
                 };
 
+                let secret_manager_domain_service = SECRET_MANAGER_DOMAIN_SERVICE.get().unwrap();
+
+                let is_signing_key = !secret_manager_domain_service
+                    .current_signing_key(&signing_algorithm)
+                    .await
+                    .is_some();
+
                 let res = services.stronghold_storage.generate(key_type, alg).await.unwrap();
 
                 println!("Generated key: {}", res.jwk.to_json_pretty().unwrap());
 
                 let key_id = res.key_id.to_string();
 
-                Ok(vec![KeyGenerated {
-                    managed_key_id,
+                let mut events = vec![];
+
+                events.push(KeyGenerated {
+                    managed_key_id: managed_key_id.clone(),
                     key_id,
                     alias,
                     signing_algorithm,
-                }])
+                });
+
+                if is_signing_key {
+                    events.push(SigningKeySet { managed_key_id });
+                }
+
+                Ok(events)
             }
             RemoveKey => {
                 let key_id = KeyId::new(&self.key_id);
@@ -112,11 +128,19 @@ impl Aggregate for ManagedKey {
                 new_alias,
             }]),
             SetSigningKey => {
-                // TODO: Unset other signing keys?
+                let secret_manager_domain_service = SECRET_MANAGER_DOMAIN_SERVICE.get().unwrap();
+
+                secret_manager_domain_service
+                    .unset_signing_keys(self.signing_algorithm.as_ref().unwrap())
+                    .await;
+
                 Ok(vec![SigningKeySet {
                     managed_key_id: self.managed_key_id.clone(),
                 }])
             }
+            UnsetSigningKey => Ok(vec![SigningKeyUnset {
+                managed_key_id: self.managed_key_id.clone(),
+            }]),
         }
     }
 
@@ -152,6 +176,9 @@ impl Aggregate for ManagedKey {
             SigningKeySet { managed_key_id: _ } => {
                 self.is_signing_key = true;
             }
+            SigningKeyUnset { managed_key_id: _ } => {
+                self.is_signing_key = false;
+            }
         }
     }
 }
diff --git a/agent_secret_manager/src/managed_key/command.rs b/agent_secret_manager/src/managed_key/command.rs
index 00e43e8b..b08403c2 100644
--- a/agent_secret_manager/src/managed_key/command.rs
+++ b/agent_secret_manager/src/managed_key/command.rs
@@ -12,4 +12,5 @@ pub enum ManagedKeyCommand {
         new_alias: String,
     },
     SetSigningKey,
+    UnsetSigningKey,
 }
diff --git a/agent_secret_manager/src/managed_key/event.rs b/agent_secret_manager/src/managed_key/event.rs
index 536b6dcb..38b544d9 100644
--- a/agent_secret_manager/src/managed_key/event.rs
+++ b/agent_secret_manager/src/managed_key/event.rs
@@ -21,6 +21,9 @@ pub enum ManagedKeyEvent {
     SigningKeySet {
         managed_key_id: String,
     },
+    SigningKeyUnset {
+        managed_key_id: String,
+    },
 }
 
 impl DomainEvent for ManagedKeyEvent {
diff --git a/agent_secret_manager/src/managed_key/views/mod.rs b/agent_secret_manager/src/managed_key/views/mod.rs
index 554c5160..ee674712 100644
--- a/agent_secret_manager/src/managed_key/views/mod.rs
+++ b/agent_secret_manager/src/managed_key/views/mod.rs
@@ -34,6 +34,9 @@ impl View<ManagedKey> for ManagedKey {
             SigningKeySet { managed_key_id: _ } => {
                 self.is_signing_key = true;
             }
+            SigningKeyUnset { managed_key_id: _ } => {
+                self.is_signing_key = false;
+            }
         }
     }
 }
diff --git a/agent_secret_manager/src/services.rs b/agent_secret_manager/src/services.rs
index 72257eef..7fc8c47c 100644
--- a/agent_secret_manager/src/services.rs
+++ b/agent_secret_manager/src/services.rs
@@ -1,4 +1,9 @@
-use crate::{state::SecretManagerState, stronghold_storage};
+use crate::{
+    managed_key::{aggregate::SigningAlgorithm, command::ManagedKeyCommand, views::ManagedKeyView},
+    state::SecretManagerState,
+    stronghold_storage,
+};
+use agent_shared::handlers::query_handler;
 use did_manager_identity_stronghold_ext::StrongholdExtStorage;
 use std::sync::{Arc, OnceLock};
 
@@ -24,6 +29,51 @@ impl SecretManagerDomainService {
     pub fn new(secret_manager_state: Arc<SecretManagerState>) -> Self {
         Self { secret_manager_state }
     }
+
+    pub async fn current_signing_key(&self, signing_algorithm: &SigningAlgorithm) -> Option<ManagedKeyView> {
+        let all_managed_keys_view =
+            query_handler("all_managed_keys", &self.secret_manager_state.query.all_managed_keys)
+                .await
+                .unwrap()?;
+
+        all_managed_keys_view
+            .managed_keys
+            .into_iter()
+            .find_map(|(_, managed_key_view)| {
+                if managed_key_view.signing_algorithm.as_ref() == Some(signing_algorithm)
+                    && managed_key_view.is_signing_key
+                    && !managed_key_view.is_removed
+                {
+                    Some(managed_key_view.clone())
+                } else {
+                    None
+                }
+            })
+    }
+
+    pub async fn unset_signing_keys(&self, signing_algorithm: &SigningAlgorithm) {
+        if let Some(all_managed_keys_view) =
+            query_handler("all_managed_keys", &self.secret_manager_state.query.all_managed_keys)
+                .await
+                .unwrap()
+        {
+            for (_, managed_key_view) in all_managed_keys_view.managed_keys.into_iter() {
+                if managed_key_view.signing_algorithm.as_ref() == Some(signing_algorithm)
+                    && managed_key_view.is_signing_key
+                    && !managed_key_view.is_removed
+                {
+                    let command = ManagedKeyCommand::UnsetSigningKey;
+
+                    let _ = agent_shared::handlers::command_handler(
+                        &managed_key_view.managed_key_id,
+                        &self.secret_manager_state.command.managed_key,
+                        command,
+                    )
+                    .await;
+                }
+            }
+        }
+    }
 }
 
 impl std::fmt::Debug for SecretManagerDomainService {

From 1103e733302cbbe4d9543f8383dcab4c7d2f51d8 Mon Sep 17 00:00:00 2001
From: Nander Stabel <nander.stabel@impierce.com>
Date: Fri, 2 Jan 2026 14:26:32 +0100
Subject: [PATCH 14/14] refactor: update dependency paths to use git sources
 for did-manager packages

---
 Cargo.lock                      | 8 ++++++++
 agent_identity/Cargo.toml       | 8 ++++----
 agent_secret_manager/Cargo.toml | 8 ++++----
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 2cffa4af..50c5fcf8 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2455,6 +2455,7 @@ checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6"
 [[package]]
 name = "consumer"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did_iota",
  "did_jwk",
@@ -3213,6 +3214,7 @@ dependencies = [
 [[package]]
 name = "did_iota"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "anyhow",
  "identity_iota",
@@ -3227,6 +3229,7 @@ dependencies = [
 [[package]]
 name = "did_jwk"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did-jwk",
  "identity_iota",
@@ -3243,6 +3246,7 @@ dependencies = [
 [[package]]
 name = "did_key"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did-method-key",
  "identity_iota",
@@ -3289,6 +3293,7 @@ dependencies = [
 [[package]]
 name = "did_web"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "did-web",
  "identity_iota",
@@ -5298,6 +5303,7 @@ dependencies = [
 [[package]]
 name = "identity_stronghold_ext"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "async-trait",
  "elliptic-curve 0.13.8",
@@ -5308,6 +5314,7 @@ dependencies = [
  "k256",
  "log",
  "p256 0.13.2",
+ "rand 0.8.5",
  "secret-storage",
  "serde_json",
  "stronghold_ext",
@@ -11200,6 +11207,7 @@ dependencies = [
 [[package]]
 name = "shared"
 version = "0.1.0"
+source = "git+https://github.com/impierce/did-manager?rev=d730318#d730318136c82b4ecb2c61839ab24f8cc52ff58c"
 dependencies = [
  "identity_iota",
  "identity_storage",
diff --git a/agent_identity/Cargo.toml b/agent_identity/Cargo.toml
index 7d4c20d6..76a382cd 100644
--- a/agent_identity/Cargo.toml
+++ b/agent_identity/Cargo.toml
@@ -49,10 +49,10 @@ uuid.workspace = true
 # Future work: Migrate the remaining functionality into UniCore.
 # did_manager_consumer = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "consumer" }
 # did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "identity_stronghold_ext" }
-# did_manager_consumer = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "consumer" }
-# did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "identity_stronghold_ext" }
-did_manager_consumer = { path = "../../did-manager/consumer", package = "consumer" }
-did_manager_identity_stronghold_ext = { path = "../../did-manager/identity_stronghold_ext", package = "identity_stronghold_ext" }
+did_manager_consumer = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "consumer" }
+did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "identity_stronghold_ext" }
+# did_manager_consumer = { path = "../../did-manager/consumer", package = "consumer" }
+# did_manager_identity_stronghold_ext = { path = "../../did-manager/identity_stronghold_ext", package = "identity_stronghold_ext" }
 
 # `test_utils` dependencies
 futures = { workspace = true, optional = true }
diff --git a/agent_secret_manager/Cargo.toml b/agent_secret_manager/Cargo.toml
index 24d84029..c122edbb 100644
--- a/agent_secret_manager/Cargo.toml
+++ b/agent_secret_manager/Cargo.toml
@@ -15,10 +15,10 @@ agent_shared = { path = "../agent_shared" }
 # Future work: Migrate the remaining functionality into UniCore.
 # did_manager_consumer = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "consumer" }
 # did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", tag = "v1.0.0-beta.6", package = "identity_stronghold_ext" }
-# did_manager_consumer = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "consumer" }
-# did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "identity_stronghold_ext" }
-did_manager_consumer = { path = "../../did-manager/consumer", package = "consumer" }
-did_manager_identity_stronghold_ext = { path = "../../did-manager/identity_stronghold_ext", package = "identity_stronghold_ext" }
+did_manager_consumer = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "consumer" }
+did_manager_identity_stronghold_ext = { git = "https://github.com/impierce/did-manager", rev = "d730318", package = "identity_stronghold_ext" }
+# did_manager_consumer = { path = "../../did-manager/consumer", package = "consumer" }
+# did_manager_identity_stronghold_ext = { path = "../../did-manager/identity_stronghold_ext", package = "identity_stronghold_ext" }
 
 anyhow.workspace = true
 async-trait.workspace = true