Overview
Issuer2 supports two OID4VCI flows for claiming a credential offer, set via the authMethod field when creating a credential offer. This section walks through the full sequence for each so you know what's actually happening between the wallet, your issuer, and (for one of them) an external identity provider.
Which Flow Should I Use?
| Pre-Authorized Code Flow | Authorization Code Flow | |
|---|---|---|
authMethod | PRE_AUTHORIZED | AUTHORIZED |
| User authentication | None (optionally a PIN/txCode) | Required — user logs in at an external IdP |
| Best for | Known users (already logged in) and data already verified before the offer is created | Unknown users, or credential data that should come from the user's own IdP login (e.g. corporate SSO) |
| Extra setup required | None | None to try it — a hosted test provider with ready-made logins is used by default. For production, register your own OAuth/OIDC provider in authentication-service.conf |
| Credential data source | Fully defined in the profile (or runtime overrides) ahead of time | Profile defaults (or runtime overrides), enriched with claims from the IdP's ID token via idTokenClaimsMapping |
Available Flows
- Pre-Authorized Code Flow — Sequence diagram for issuing a credential with no user login.
- Authorization Code Flow — Sequence diagram for issuing a credential after the holder authenticates against an external IdP.
Last updated on July 1, 2026
