Verifying Mobile Driver's Licenses (mDL, ISO/IEC 18013-5) via OID4VP
This guide shows you how to verify ISO/IEC 18013-5 mobile driver's licenses (mDL) using the walt.id Verifier2 API and the OID4VP protocol. The verification process sends a credential request to a holder's wallet, receives the signed presentation, and validates it against your policies.
mDL (Mobile Driver's License): A digital representation of a driver's license based on the ISO/IEC 18013-5 standard, stored securely on digital ID wallet.
OID4VP: A protocol specifying how parties can present digital credentials in a way that's consistent and secure across platforms ensuring interoperability.
If you're migrating from the original Verifier (v1), see the Migration Guide.
Prerequisites
Before you begin, ensure you have:
- Verifier2 API running — Follow the Getting Started or Setup guide
- A test wallet with credentials — Use the walt.id Wallet for testing, or any OID4VP-compatible wallet
- Publicly accessible URL (for local development) — Use ngrok or similar to expose
http://localhost:7003.
Local Development: When running locally via Docker, the API is available at http://localhost:7003 (standalone) or http://localhost:7004 (Docker Compose). Use this as your base URL in the examples below.
Example 1: Basic Verification
This example requests a mobile driver's license (mDL) and verifies its cryptographic signature using the default signature policy.
CURL
Endpoint: POST /verification-session/create | API Reference
Example Request
curl -X 'POST' \
'http://localhost:7003/verification-session/create' \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"flow_type": "cross_device",
"core_flow": {
"dcql_query": {
"credentials": [
{
"id": "credential_1",
"format": "mso_mdoc",
"meta": {
"doctype_value": "org.iso.18013.5.1.mDL"
},
"claims": [
{
"path": [
"org.iso.18013.5.1",
"family_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"given_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"birth_date"
]
}
]
}
]
},
"policies": {
"vc_policies": [
{
"policy": "signature"
}
]
}
}
}'
Body Parameters
- flow_type: String (required) - Specifies how the credential request will be delivered to the holder's wallet. Options:
"cross_device"— User scans a QR code on a different device (e.g. desktop browser → phone wallet)"same_device"— User clicks a deep link on the same device (e.g. phone browser → wallet app on same phone)"dc_api"— Browser/OS-native Digital Credentials API (Chrome, Safari, iOS/Android native) over OpenID4VP 1.0 (Annex D)."dc_api-annex-c"— Browser/OS-native Digital Credentials API (Chrome, Safari, iOS/Android native) over 18013-7 (Annex C).
- core_flow: Object (required) - Defines what credentials to request and which policies to apply. Contains:
- dcql_query: Object (required) - Specifies the credential type, format, and claims to request using the DCQL query language. You can also use the DCQL builder here.
- credentials: Array - List of credential queries. Each credential query contains:
- id: String - Unique identifier for this credential in the request (used in policy results)
- format: String - Credential format. For mDL, use
"mso_mdoc"(mobile security object document). - meta.doctype_value: String - The ISO mDL document type. For mobile driver's licenses, use
"org.iso.18013.5.1.mDL". - claims: Array (optional) - Specific claims to request from the credential. Each claim has a
patharray with namespace and claim name (e.g.["org.iso.18013.5.1", "family_name"]). If omitted, all claims that are non-selectively disclosable are provided by the wallet.
- credentials: Array - List of credential queries. Each credential query contains:
- policies: Object (optional) - Validation rules applied to the received credential. Defaults to signature verification only if omitted.
- vc_policies: Array - Policies applied to individual credentials. Each policy has a
policyfield specifying the policy name. Available policies:signature,expired,not-before,revoked-status-list,schema, and more. See Policies for the complete list. - vp_policies: Array (optional) - Policies applied to the entire presentation (not shown in this example)
- vc_policies: Array - Policies applied to individual credentials. Each policy has a
- signedRequest: Boolean (optional) - Whether to sign the authorization request JWT. Required for HAIP profile compliance and DC API Annex C (ISO 18013-7) flows. Defaults to
false. See Signed Requests to learn more. - encryptedResponse: Boolean (optional) - Whether the wallet should encrypt the VP token response. Defaults to
false. See Encrypted Responses to learn more. - key: Object (optional) - Signing key for this verification session. Overrides the service-wide default
keyconfigured via theverifier-service.conf. Must be a serialized key in the format{"type":"jwk","jwk":{...}}. Required whensignedRequest: trueorencryptedResponse: trueand no service-wide default is configured. See Signed Requests and Encrypted Responses for when this is needed. - x5c: Array of Strings (optional) - X.509 certificate chain for this verification session. Overrides the service-wide default
x5cconfigured viaverifier-service.conf. Must be an ordered chain in DER-encoded, Base64-encoded format where the first certificate corresponds to thekey. Required for X.509-based client authentication (x509_san_dns:orx509_hash:asclientId) and signed Annex C requests. See Signed Requests to learn more. - verifier_info: Object (optional) - An array of attestations about the Verifier relevant to the Credential Request. Each object is a JSON object with the following fields:
- format: String - The format of the attestation. Currently only
"jwt"is supported. - data: String - The attestation data in JWT format.
- credentialIds: Array (optional) - Specifies which credentials in your DCQL query this attestation applies to. References the
idfields from yourcredentialsarray in the DCQL query. If omitted, the attestation applies to all requested credentials.
- format: String - The format of the attestation. Currently only
- dcql_query: Object (required) - Specifies the credential type, format, and claims to request using the DCQL query language. You can also use the DCQL builder here.
- openid: Object (optional) - OpenID4VP-specific extensions
- transactionData: Array (optional) - Bind the credential presentation to a specific transaction (e.g., payment authorization, account access). Each entry references credential IDs and includes transaction details. See Transaction Data Authorization for full documentation.
- url_config: Object (optional) - URL configuration for this session. Only applies to
cross_deviceandsame_deviceflows (notdc_api).- url_prefix: String (optional) - The publicly accessible base URL where the wallet will fetch the authorization request and post its response. Overrides the
urlPrefixfromverifier-service.conf.- The service constructs: Request URI:
{urlPrefix}/{sessionId}/requestand Response URI:{urlPrefix}/{sessionId}/response - Must be reachable by the wallet (use ngrok or public URL for local development)
- The service constructs: Request URI:
- url_host: String (optional) - The base URL used to construct the authorization request link. Overrides the
urlHostfromverifier-service.conf.- For standard OID4VP flows, use
"openid4vp://authorize"(default) - For custom authorization endpoints (e.g. conformance testing), provide a full HTTPS URL
- For standard OID4VP flows, use
- url_prefix: String (optional) - The publicly accessible base URL where the wallet will fetch the authorization request and post its response. Overrides the
- redirects: Object (optional) - Success and error redirect URLs (only for
cross_deviceandsame_deviceflows)- successRedirectUri: String - URL to redirect the user after successful verification
- errorRedirectUri: String - URL to redirect the user if verification fails
Many parameters have defaults configured in
verifier-service.conf. Request-level parameters override these defaults for that specific session only. See Configuration Defaults below.
Example Response
The response contains the session ID and authorization URLs to present to the user.
{
"sessionId": "4a803c4b-1dc3-4210-806d-3fb52f1780c8",
"bootstrapAuthorizationRequestUrl": "openid4vp://authorize?client_id=verifier2&request_uri=https%3A%2F%2F575e-2a02-8388-17c1-5580-b97f-5031-3eee-c8a4.ngrok-free.app%2Fverification-session%2F4a803c4b-1dc3-4210-806d-3fb52f1780c8%2Frequest",
"fullAuthorizationRequestUrl": "openid4vp://authorize?response_type=vp_token&client_id=verifier2&state=da82aed7-ea36-4303-9c4a-3ded03cdedb4&response_mode=direct_post&nonce=74b0efc4-331c-488f-9489-7ce72b1c698f&response_uri=https%3A%2F%2F575e-2a02-8388-17c1-5580-b97f-5031-3eee-c8a4.ngrok-free.app%2Fverification-session%2F4a803c4b-1dc3-4210-806d-3fb52f1780c8%2Fresponse&dcql_query=%7B%22credentials%22%3A%5B%7B%22id%22%3A%22credential_1%22%2C%22format%22%3A%22mso_mdoc%22%2C%22meta%22%3A%7B%22doctype_value%22%3A%22org.iso.18013.5.1.mDL%22%7D%2C%22claims%22%3A%5B%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22family_name%22%5D%7D%2C%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22given_name%22%5D%7D%2C%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22birth_date%22%5D%7D%5D%7D%5D%7D&client_metadata=%7B%22vp_formats_supported%22%3A%7B%22mso_mdoc%22%3A%7B%22issuerauth_alg_values%22%3A%5B-7%2C-9%2C-50%5D%2C%22deviceauth_alg_values%22%3A%5B-7%2C-9%2C-50%2C-65537%5D%7D%7D%2C%22client_name%22%3A%22Verifier2%22%2C%22logo_uri%22%3A%22https%3A%2F%2Fimages.squarespace-cdn.com%2Fcontent%22%2C%22tos_uri%22%3A%22https%3A%2F%2Fexample.com%2Fterms%22%2C%22policy_uri%22%3A%22https%3A%2F%2Fexample.com%2Fprivacy%22%2C%22client_uri%22%3A%22https%3A%2F%2Fverifier.example.com%22%2C%22client_name%23fr-FR%22%3A%22V%C3%A9rificateur2%22%2C%22logo_uri%23fr-FR%22%3A%22https%3A%2F%2Fexample.com%2Flogo-fr.png%22%2C%22tos_uri%23fr-FR%22%3A%22https%3A%2F%2Fexample.com%2Fterms-fr%22%2C%22policy_uri%23fr-FR%22%3A%22https%3A%2F%2Fexample.com%2Fprivacy-fr%22%2C%22client_uri%23fr-FR%22%3A%22https%3A%2F%2Fverifier.example.com%2Ffr%22%7D"
}
Response Fields:
- sessionId: String - The unique ID of this verification session. Use this to query the session status.
- bootstrapAuthorizationRequestUrl: String - Shortened URL using
request_uriby reference. Use this for QR codes to minimize QR code density. - fullAuthorizationRequestUrl: String - Complete URL with all parameters embedded. Use this if the wallet doesn't support
request_uri(rare).
Presenting the Request to the User
After creating the session, you need to present the authorization request to the user based on the flow type you chose.
Cross-Device Flow (QR Code)
- Generate a QR code from the
bootstrapAuthorizationRequestUrl - Display the QR code to the user on your web page or application
- User scans the QR code with their wallet app
- Wallet presents the credential and posts the response to your verifier
- Monitor the session status by polling the session endpoint or using SSE/callbacks (see below)
Same-Device Flow (Deep Link)
- Redirect the user to the
bootstrapAuthorizationRequestUrl - User's wallet app opens automatically (via deep link)
- Wallet presents the credential and posts the response to your verifier
- User is redirected to your
successRedirectUriorerrorRedirectUri - Query the session status to retrieve the verification results
Checking Verification Results
You can query the verification session to check if the user has presented their credential and whether validation succeeded.
CURL
Endpoint: GET /verification-session/{sessionId}/info | API Reference
Example Request
curl -X 'GET' \
'http://localhost:7003/verification-session/{sessionId}/info' \
-H 'accept: application/json'
Path Parameters
- sessionId: String (required) - The unique ID of the verification session returned when you created the session. Use this to query the current status and results.
Example Response
The response contains the complete session information including setup, status, policy results, and presented credentials.
{
"id": "4a803c4b-1dc3-4210-806d-3fb52f1780c8",
"setup": {
"flow_type": "cross_device",
"core_flow": {
"dcql_query": {
"credentials": [
{
"id": "credential_1",
"format": "mso_mdoc",
"multiple": false,
"meta": {
"doctype_value": "org.iso.18013.5.1.mDL",
"format": "mso_mdoc"
},
"require_cryptographic_holder_binding": true,
"claims": [
{
"path": [
"org.iso.18013.5.1",
"family_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"given_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"birth_date"
]
}
]
}
]
},
"signed_request": false,
"encrypted_response": false,
"policies": {
"vc_policies": [
{
"policy": "signature",
"id": "signature"
}
]
}
},
"url_config": {}
},
"creationDate": "2026-05-18T07:48:39.335523256Z",
"expirationDate": "2026-05-18T07:53:39.335523256Z",
"retentionDate": "2036-05-18T07:48:39.335523256Z",
"status": "SUCCESSFUL",
"attempted": true,
"reattemptable": true,
"bootstrapAuthorizationRequest": {
"client_id": "verifier2",
"request_uri": "https://575e-2a02-8388-17c1-5580-b97f-5031-3eee-c8a4.ngrok-free.app/verification-session/4a803c4b-1dc3-4210-806d-3fb52f1780c8/request"
},
"bootstrapAuthorizationRequestUrl": "openid4vp://authorize?client_id=verifier2&request_uri=https%3A%2F%2F575e-2a02-8388-17c1-5580-b97f-5031-3eee-c8a4.ngrok-free.app%2Fverification-session%2F4a803c4b-1dc3-4210-806d-3fb52f1780c8%2Frequest",
"authorizationRequest": {
"response_type": "vp_token",
"client_id": "verifier2",
"state": "da82aed7-ea36-4303-9c4a-3ded03cdedb4",
"response_mode": "direct_post",
"nonce": "74b0efc4-331c-488f-9489-7ce72b1c698f",
"response_uri": "https://575e-2a02-8388-17c1-5580-b97f-5031-3eee-c8a4.ngrok-free.app/verification-session/4a803c4b-1dc3-4210-806d-3fb52f1780c8/response",
"dcql_query": {
"credentials": [
{
"id": "credential_1",
"format": "mso_mdoc",
"multiple": false,
"meta": {
"doctype_value": "org.iso.18013.5.1.mDL",
"format": "mso_mdoc"
},
"require_cryptographic_holder_binding": true,
"claims": [
{
"path": [
"org.iso.18013.5.1",
"family_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"given_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"birth_date"
]
}
]
}
]
},
"client_metadata": {
"vp_formats_supported": {
"mso_mdoc": {
"issuerauth_alg_values": [
-7,
-9,
-50
],
"deviceauth_alg_values": [
-7,
-9,
-50,
-65537
]
}
},
"client_name": "Verifier2",
"logo_uri": "https://images.squarespace-cdn.com/content",
"tos_uri": "https://example.com/terms",
"policy_uri": "https://example.com/privacy",
"client_uri": "https://verifier.example.com",
"client_name#fr-FR": "Vérificateur2",
"logo_uri#fr-FR": "https://example.com/logo-fr.png",
"tos_uri#fr-FR": "https://example.com/terms-fr",
"policy_uri#fr-FR": "https://example.com/privacy-fr",
"client_uri#fr-FR": "https://verifier.example.com/fr"
}
},
"authorizationRequestUrl": "openid4vp://authorize?response_type=vp_token&client_id=verifier2&state=da82aed7-ea36-4303-9c4a-3ded03cdedb4&response_mode=direct_post&nonce=74b0efc4-331c-488f-9489-7ce72b1c698f&response_uri=https%3A%2F%2F575e-2a02-8388-17c1-5580-b97f-5031-3eee-c8a4.ngrok-free.app%2Fverification-session%2F4a803c4b-1dc3-4210-806d-3fb52f1780c8%2Fresponse&dcql_query=%7B%22credentials%22%3A%5B%7B%22id%22%3A%22credential_1%22%2C%22format%22%3A%22mso_mdoc%22%2C%22meta%22%3A%7B%22doctype_value%22%3A%22org.iso.18013.5.1.mDL%22%7D%2C%22claims%22%3A%5B%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22family_name%22%5D%7D%2C%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22given_name%22%5D%7D%2C%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22birth_date%22%5D%7D%5D%7D%5D%7D&client_metadata=%7B%22vp_formats_supported%22%3A%7B%22mso_mdoc%22%3A%7B%22issuerauth_alg_values%22%3A%5B-7%2C-9%2C-50%5D%2C%22deviceauth_alg_values%22%3A%5B-7%2C-9%2C-50%2C-65537%5D%7D%7D%2C%22client_name%22%3A%22Verifier2%22%2C%22logo_uri%22%3A%22https%3A%2F%2Fimages.squarespace-cdn.com%2Fcontent%22%2C%22tos_uri%22%3A%22https%3A%2F%2Fexample.com%2Fterms%22%2C%22policy_uri%22%3A%22https%3A%2F%2Fexample.com%2Fprivacy%22%2C%22client_uri%22%3A%22https%3A%2F%2Fverifier.example.com%22%2C%22client_name%23fr-FR%22%3A%22V%C3%A9rificateur2%22%2C%22logo_uri%23fr-FR%22%3A%22https%3A%2F%2Fexample.com%2Flogo-fr.png%22%2C%22tos_uri%23fr-FR%22%3A%22https%3A%2F%2Fexample.com%2Fterms-fr%22%2C%22policy_uri%23fr-FR%22%3A%22https%3A%2F%2Fexample.com%2Fprivacy-fr%22%2C%22client_uri%23fr-FR%22%3A%22https%3A%2F%2Fverifier.example.com%2Ffr%22%7D",
"requestMode": "REQUEST_URI",
"policies": {
"vp_policies": {
"jwt_vc_json": [
"jwt_vc_json/audience-check",
"jwt_vc_json/nonce-check",
"jwt_vc_json/envelope_signature"
],
"dc+sd-jwt": [
"dc+sd-jwt/audience-check",
"dc+sd-jwt/kb-jwt_signature",
"dc+sd-jwt/nonce-check",
"dc+sd-jwt/sd_hash-check"
],
"mso_mdoc": [
"mso_mdoc/device-auth",
"mso_mdoc/device_key_auth",
"mso_mdoc/issuer_auth",
"mso_mdoc/issuer_signed_integrity",
"mso_mdoc/mso"
]
},
"vc_policies": [
{
"policy": "signature",
"id": "signature"
}
]
},
"policy_results": {
"vp_policies": {
"credential_1": {
"mso_mdoc/device-auth": {
"policy_executed": {
"policy": "mso_mdoc/device-auth",
"id": "mso_mdoc/device-auth",
"description": "Verify device authentication"
},
"success": true,
"results": {
"device_public_jwk": {
"kty": "OKP",
"crv": "Ed25519",
"x": "jxQwRV7tHc3W_JkKVsDZL7_DtP4zyNJtQ4Yr1z7-Md4"
},
"device_auth_bytes_hex": "d8185868847444657669636541757468656e7469636174696f6e83f6f682714f70656e494434565048616e646f7665725820bdb670da65dae163a8fe31c591c82da53c6da1b38232c8f4d3657405e4220a43756f72672e69736f2e31383031332e352e312e6d444cd81841a0"
},
"errors": [],
"execution_time": "PT0.002658542S"
},
"mso_mdoc/device_key_auth": {
"policy_executed": {
"policy": "mso_mdoc/device_key_auth",
"id": "mso_mdoc/device_key_auth",
"description": "Verify holder-verified data"
},
"success": true,
"results": {
"empty_device_signed_namespaces": true
},
"errors": [],
"execution_time": "PT0.000800334S"
},
"mso_mdoc/issuer_auth": {
"policy_executed": {
"policy": "mso_mdoc/issuer_auth",
"id": "mso_mdoc/issuer_auth",
"description": "Verify issuer authentication"
},
"success": true,
"results": {
"certificate_chain": [
"3082022b308201d1a0030201020214440fe81f511c691ef21f46d51ef752bbde666996300a06082a8648ce3d040302302c310b3009060355040613024154311d301b06035504030c146d444c20497373756572204941434120526f6f74301e170d3236303531383036313932365a170d3237303831383036313932365a3032310b30090603550406130241543123302106035504030c1a6d444c2049737375657220446f63756d656e74205369676e65723059301306072a8648ce3d020106082a8648ce3d03010703420004c9f99bb42b1d410ff81033e0d06b7df20258935ce434ea4633d6c76048b8f667301080b22778927ef1e8a3f7d5bc33469d3cd03e9795b4761b19a673bec228f9a381ca3081c7301f0603551d2304183016801472b2f76f49d0bcb3dd70cc2d6499a3378002e8e3301d0603551d0e041604145c64d6b94b4538b14534525b3942eef8f841827d300e0603551d0f0101ff04040302078030270603551d120420301e861c68747470733a2f2f696163612e74656e616e74312e77616c742e696430150603551d250101ff040b3009060728818c5d05010230350603551d1f042e302c302aa028a026862468747470733a2f2f63726c2e74656e616e74312e77616c742e69642f696163612e63726c300a06082a8648ce3d0403020348003045022006c7eaed38d41d53d35224d5b420ca41109d5f3a7afde473a8e287ed8688a3d7022100eb7882937823711f9bc909e3f88861436da296b882066ced7fdf66f057f0af39"
],
"signer_pem": "-----BEGIN CERTIFICATE-----\nMIICKzCCAdGgAwIBAgIURA/oH1EcaR7yH0bVHvdSu95maZYwCgYIKoZIzj0EAwIw\r\nLDELMAkGA1UEBhMCQVQxHTAbBgNVBAMMFG1ETCBJc3N1ZXIgSUFDQSBSb290MB4X\r\nDTI2MDUxODA2MTkyNloXDTI3MDgxODA2MTkyNlowMjELMAkGA1UEBhMCQVQxIzAh\r\nBgNVBAMMGm1ETCBJc3N1ZXIgRG9jdW1lbnQgU2lnbmVyMFkwEwYHKoZIzj0CAQYI\r\nKoZIzj0DAQcDQgAEyfmbtCsdQQ/4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mcwEICy\r\nJ3iSfvHoo/fVvDNGnTzQPpeVtHYbGaZzvsIo+aOByjCBxzAfBgNVHSMEGDAWgBRy\r\nsvdvSdC8s91wzC1kmaM3gALo4zAdBgNVHQ4EFgQUXGTWuUtFOLFFNFJbOULu+PhB\r\ngn0wDgYDVR0PAQH/BAQDAgeAMCcGA1UdEgQgMB6GHGh0dHBzOi8vaWFjYS50ZW5h\r\nbnQxLndhbHQuaWQwFQYDVR0lAQH/BAswCQYHKIGMXQUBAjA1BgNVHR8ELjAsMCqg\r\nKKAmhiRodHRwczovL2NybC50ZW5hbnQxLndhbHQuaWQvaWFjYS5jcmwwCgYIKoZI\r\nzj0EAwIDSAAwRQIgBsfq7TjUHVPTUiTVtCDKQRCdXzp6/eRzqOKH7YaIo9cCIQDr\r\neIKTeCNxH5vJCeP4iGFDbaKWuIIGbO1/32bwV/CvOQ==\n-----END CERTIFICATE-----",
"signer_jwk": {
"kty": "EC",
"crv": "P-256",
"x": "yfmbtCsdQQ_4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mc",
"y": "MBCAsid4kn7x6KP31bwzRp080D6XlbR2Gxmmc77CKPk"
}
},
"errors": [],
"execution_time": "PT0.004215542S"
},
"mso_mdoc/issuer_signed_integrity": {
"policy_executed": {
"policy": "mso_mdoc/issuer_signed_integrity",
"id": "mso_mdoc/issuer_signed_integrity",
"description": "Verify issuer-verified data integrity"
},
"success": true,
"results": {
"namespace": {
"org.iso.18013.5.1": [
{
"id": "family_name",
"digest_id": 0,
"value": "Doe",
"value_type": "CborString",
"random_hex": "736b060d21fa4e37f17b0b0568285add9d064ba883eb6c35",
"serialized_hex": "a4686469676573744944006672616e646f6d5818736b060d21fa4e37f17b0b0568285add9d064ba883eb6c3571656c656d656e744964656e7469666965726b66616d696c795f6e616d656c656c656d656e7456616c756563446f65"
},
{
"id": "given_name",
"digest_id": 1,
"value": "John",
"value_type": "CborString",
"random_hex": "312e734c986fdf279c7d75130b0da4794d16d44bbb3cfd61",
"serialized_hex": "a4686469676573744944016672616e646f6d5818312e734c986fdf279c7d75130b0da4794d16d44bbb3cfd6171656c656d656e744964656e7469666965726a676976656e5f6e616d656c656c656d656e7456616c7565644a6f686e"
},
{
"id": "birth_date",
"digest_id": 2,
"value": "1986-03-22",
"value_type": "CborString",
"random_hex": "e6864d13d13a9fb1a7fccb729a6330dec975bac5e79fa023",
"serialized_hex": "a4686469676573744944026672616e646f6d5818e6864d13d13a9fb1a7fccb729a6330dec975bac5e79fa02371656c656d656e744964656e7469666965726a62697274685f646174656c656c656d656e7456616c7565d903ec6a313938362d30332d3232"
}
]
},
"matching_digest": {
"org.iso.18013.5.1": [
"family_name",
"given_name",
"birth_date"
]
}
},
"errors": [],
"execution_time": "PT0.003104834S"
},
"mso_mdoc/mso": {
"policy_executed": {
"policy": "mso_mdoc/mso",
"id": "mso_mdoc/mso",
"description": "Verify MSO"
},
"success": true,
"results": {
"signed": "2026-05-18T07:48:27.870905006Z",
"valid_from": "2027-05-18T07:48:27.852289522Z"
},
"errors": [],
"execution_time": "PT0.004245834S"
}
}
},
"vc_policies": [
{
"policy": {
"policy": "signature",
"id": "signature"
},
"success": true,
"result": {
"verification_result": true,
"signed_credential": "o2d2ZXJzaW9uYzEuMGlkb2N1bWVudHOBo2dkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGxpc3N1ZXJTaWduZWSiam5hbWVTcGFjZXOhcW9yZy5pc28uMTgwMTMuNS4xg9gYWFukaGRpZ2VzdElEAGZyYW5kb21YGHNrBg0h-k438XsLBWgoWt2dBkuog-tsNXFlbGVtZW50SWRlbnRpZmllcmtmYW1pbHlfbmFtZWxlbGVtZW50VmFsdWVjRG9l2BhYW6RoZGlnZXN0SUQBZnJhbmRvbVgYMS5zTJhv3yecfXUTCw2keU0W1Eu7PP1hcWVsZW1lbnRJZGVudGlmaWVyamdpdmVuX25hbWVsZWxlbWVudFZhbHVlZEpvaG7YGFhkpGhkaWdlc3RJRAJmcmFuZG9tWBjmhk0T0Tqfsaf8y3KaYzDeyXW6xeefoCNxZWxlbWVudElkZW50aWZpZXJqYmlydGhfZGF0ZWxlbGVtZW50VmFsdWXZA-xqMTk4Ni0wMy0yMmppc3N1ZXJBdXRohEOhASahGCFZAi8wggIrMIIB0aADAgECAhRED-gfURxpHvIfRtUe91K73mZpljAKBggqhkjOPQQDAjAsMQswCQYDVQQGEwJBVDEdMBsGA1UEAwwUbURMIElzc3VlciBJQUNBIFJvb3QwHhcNMjYwNTE4MDYxOTI2WhcNMjcwODE4MDYxOTI2WjAyMQswCQYDVQQGEwJBVDEjMCEGA1UEAwwabURMIElzc3VlciBEb2N1bWVudCBTaWduZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATJ-Zu0Kx1BD_gQM-DQa33yAliTXOQ06kYz1sdgSLj2ZzAQgLIneJJ-8eij99W8M0adPNA-l5W0dhsZpnO-wij5o4HKMIHHMB8GA1UdIwQYMBaAFHKy929J0Lyz3XDMLWSZozeAAujjMB0GA1UdDgQWBBRcZNa5S0U4sUU0Uls5Qu74-EGCfTAOBgNVHQ8BAf8EBAMCB4AwJwYDVR0SBCAwHoYcaHR0cHM6Ly9pYWNhLnRlbmFudDEud2FsdC5pZDAVBgNVHSUBAf8ECzAJBgcogYxdBQECMDUGA1UdHwQuMCwwKqAooCaGJGh0dHBzOi8vY3JsLnRlbmFudDEud2FsdC5pZC9pYWNhLmNybDAKBggqhkjOPQQDAgNIADBFAiAGx-rtONQdU9NSJNW0IMpBEJ1fOnr95HOo4ofthoij1wIhAOt4gpN4I3Efm8kJ4_iIYUNtopa4ggZs7X_fZvBX8K85WQKV2BhZApCmZ3ZlcnNpb25jMS4wb2RpZ2VzdEFsZ29yaXRobWdTSEEtMjU2bHZhbHVlRGlnZXN0c6Fxb3JnLmlzby4xODAxMy41LjGqAFgglIt2JC3rDbrr6azX5GWPMGyGqyD5gTnyASk37pDhZQYBWCCMQ7Ph45igVnLbvCtlSqLPlaMTXSk2kLoy4Mxn1x37kwJYIOjGjCHBlfvZi74lANZXAWt_FDdDf6NU591eYMGbFladA1ggcdl99l7hzcOFDYUeghGX0gDXYYgEN7WyRFrgSSFVvv4EWCCKwt6H37DEK8kJFcs__AiFZzLDc-4GPFKuYYEJzv_X1QVYIMybLDIPi3G7go7Bq4ggn0UYXEpmKMazxXZH25mnl0RQBlggofgVz7C7i4z0Iz8zrEPhNBRMlZcr4EhqQCR2pjo3qsoHWCDaJ4DszfMYhI0HfyOcSgMEgx_K12dx34khKW6ohKRhZghYIPTE7TeLsXVDSX9l3DTPB4zDhzF1WDTmCw3Ecxv1deNJCVggqueG-PUmdP8sJdsQ6XbuByQzAZXoRdwB-7dn0hxtkCdtZGV2aWNlS2V5SW5mb6FpZGV2aWNlS2V5owEBIAYhWCCPFDBFXu0dzdb8mQpWwNkvv8O0_jPI0m1DhivXPv4x3mdkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGx2YWxpZGl0eUluZm-jZnNpZ25lZMB4HjIwMjYtMDUtMThUMDc6NDg6MjcuODcwOTA1MDA2Wml2YWxpZEZyb23AeB4yMDI2LTA1LTE4VDA3OjQ4OjI3Ljg3MDkwNTAwNlpqdmFsaWRVbnRpbMB4HjIwMjctMDUtMThUMDc6NDg6MjcuODUyMjg5NTIyWlhAmRC5DQjAwaNaozniXwKmOoMscEyNwA65Y31zyoCJpiGiZxs-fk9bcsZnrDSu5ATPVEIKrf_4hjY8ODArK76q2WxkZXZpY2VTaWduZWSiam5hbWVTcGFjZXPYGEGgamRldmljZUF1dGihb2RldmljZVNpZ25hdHVyZYRDoQEnoPZYQGQUayxOBk2Wp7g7UhumPbtFSQ5h1h4jArb60UGZOsFMvG6MXHBBPd4JdOX40auhbmKNmBjinPfw96QN9XfV-Q9mc3RhdHVzAA",
"credential_signature": {
"type": "signature-cose",
"signerKey": {
"type": "jwk",
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "yfmbtCsdQQ_4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mc",
"y": "MBCAsid4kn7x6KP31bwzRp080D6XlbR2Gxmmc77CKPk"
}
},
"x5cList": [
"MIICKzCCAdGgAwIBAgIURA/oH1EcaR7yH0bVHvdSu95maZYwCgYIKoZIzj0EAwIwLDELMAkGA1UEBhMCQVQxHTAbBgNVBAMMFG1ETCBJc3N1ZXIgSUFDQSBSb290MB4XDTI2MDUxODA2MTkyNloXDTI3MDgxODA2MTkyNlowMjELMAkGA1UEBhMCQVQxIzAhBgNVBAMMGm1ETCBJc3N1ZXIgRG9jdW1lbnQgU2lnbmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyfmbtCsdQQ/4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mcwEICyJ3iSfvHoo/fVvDNGnTzQPpeVtHYbGaZzvsIo+aOByjCBxzAfBgNVHSMEGDAWgBRysvdvSdC8s91wzC1kmaM3gALo4zAdBgNVHQ4EFgQUXGTWuUtFOLFFNFJbOULu+PhBgn0wDgYDVR0PAQH/BAQDAgeAMCcGA1UdEgQgMB6GHGh0dHBzOi8vaWFjYS50ZW5hbnQxLndhbHQuaWQwFQYDVR0lAQH/BAswCQYHKIGMXQUBAjA1BgNVHR8ELjAsMCqgKKAmhiRodHRwczovL2NybC50ZW5hbnQxLndhbHQuaWQvaWFjYS5jcmwwCgYIKoZIzj0EAwIDSAAwRQIgBsfq7TjUHVPTUiTVtCDKQRCdXzp6/eRzqOKH7YaIo9cCIQDreIKTeCNxH5vJCeP4iGFDbaKWuIIGbO1/32bwV/CvOQ=="
]
},
"verified_data": {
"docType": "org.iso.18013.5.1.mDL",
"org.iso.18013.5.1": {
"family_name": "Doe",
"given_name": "John",
"birth_date": "1986-03-22"
}
},
"successful_issuer_public_key": {
"kty": "EC",
"crv": "P-256",
"x": "yfmbtCsdQQ_4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mc",
"y": "MBCAsid4kn7x6KP31bwzRp080D6XlbR2Gxmmc77CKPk"
},
"successful_issuer_public_key_id": "FOWc2X5ZSle6u66RwXQoVUwm86vnTnbZ61s_Golepz0"
}
}
],
"specific_vc_policies": {},
"overallSuccess": true
},
"presentation_validation_results": {
"credential_1": {
"mso_mdoc/device-auth": {
"policy_executed": {
"policy": "mso_mdoc/device-auth",
"id": "mso_mdoc/device-auth",
"description": "Verify device authentication"
},
"success": true,
"results": {
"device_public_jwk": {
"kty": "OKP",
"crv": "Ed25519",
"x": "jxQwRV7tHc3W_JkKVsDZL7_DtP4zyNJtQ4Yr1z7-Md4"
},
"device_auth_bytes_hex": "d8185868847444657669636541757468656e7469636174696f6e83f6f682714f70656e494434565048616e646f7665725820bdb670da65dae163a8fe31c591c82da53c6da1b38232c8f4d3657405e4220a43756f72672e69736f2e31383031332e352e312e6d444cd81841a0"
},
"errors": [],
"execution_time": "PT0.002658542S"
},
"mso_mdoc/device_key_auth": {
"policy_executed": {
"policy": "mso_mdoc/device_key_auth",
"id": "mso_mdoc/device_key_auth",
"description": "Verify holder-verified data"
},
"success": true,
"results": {
"empty_device_signed_namespaces": true
},
"errors": [],
"execution_time": "PT0.000800334S"
},
"mso_mdoc/issuer_auth": {
"policy_executed": {
"policy": "mso_mdoc/issuer_auth",
"id": "mso_mdoc/issuer_auth",
"description": "Verify issuer authentication"
},
"success": true,
"results": {
"certificate_chain": [
"3082022b308201d1a0030201020214440fe81f511c691ef21f46d51ef752bbde666996300a06082a8648ce3d040302302c310b3009060355040613024154311d301b06035504030c146d444c20497373756572204941434120526f6f74301e170d3236303531383036313932365a170d3237303831383036313932365a3032310b30090603550406130241543123302106035504030c1a6d444c2049737375657220446f63756d656e74205369676e65723059301306072a8648ce3d020106082a8648ce3d03010703420004c9f99bb42b1d410ff81033e0d06b7df20258935ce434ea4633d6c76048b8f667301080b22778927ef1e8a3f7d5bc33469d3cd03e9795b4761b19a673bec228f9a381ca3081c7301f0603551d2304183016801472b2f76f49d0bcb3dd70cc2d6499a3378002e8e3301d0603551d0e041604145c64d6b94b4538b14534525b3942eef8f841827d300e0603551d0f0101ff04040302078030270603551d120420301e861c68747470733a2f2f696163612e74656e616e74312e77616c742e696430150603551d250101ff040b3009060728818c5d05010230350603551d1f042e302c302aa028a026862468747470733a2f2f63726c2e74656e616e74312e77616c742e69642f696163612e63726c300a06082a8648ce3d0403020348003045022006c7eaed38d41d53d35224d5b420ca41109d5f3a7afde473a8e287ed8688a3d7022100eb7882937823711f9bc909e3f88861436da296b882066ced7fdf66f057f0af39"
],
"signer_pem": "-----BEGIN CERTIFICATE-----\nMIICKzCCAdGgAwIBAgIURA/oH1EcaR7yH0bVHvdSu95maZYwCgYIKoZIzj0EAwIw\r\nLDELMAkGA1UEBhMCQVQxHTAbBgNVBAMMFG1ETCBJc3N1ZXIgSUFDQSBSb290MB4X\r\nDTI2MDUxODA2MTkyNloXDTI3MDgxODA2MTkyNlowMjELMAkGA1UEBhMCQVQxIzAh\r\nBgNVBAMMGm1ETCBJc3N1ZXIgRG9jdW1lbnQgU2lnbmVyMFkwEwYHKoZIzj0CAQYI\r\nKoZIzj0DAQcDQgAEyfmbtCsdQQ/4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mcwEICy\r\nJ3iSfvHoo/fVvDNGnTzQPpeVtHYbGaZzvsIo+aOByjCBxzAfBgNVHSMEGDAWgBRy\r\nsvdvSdC8s91wzC1kmaM3gALo4zAdBgNVHQ4EFgQUXGTWuUtFOLFFNFJbOULu+PhB\r\ngn0wDgYDVR0PAQH/BAQDAgeAMCcGA1UdEgQgMB6GHGh0dHBzOi8vaWFjYS50ZW5h\r\nbnQxLndhbHQuaWQwFQYDVR0lAQH/BAswCQYHKIGMXQUBAjA1BgNVHR8ELjAsMCqg\r\nKKAmhiRodHRwczovL2NybC50ZW5hbnQxLndhbHQuaWQvaWFjYS5jcmwwCgYIKoZI\r\nzj0EAwIDSAAwRQIgBsfq7TjUHVPTUiTVtCDKQRCdXzp6/eRzqOKH7YaIo9cCIQDr\r\neIKTeCNxH5vJCeP4iGFDbaKWuIIGbO1/32bwV/CvOQ==\n-----END CERTIFICATE-----",
"signer_jwk": {
"kty": "EC",
"crv": "P-256",
"x": "yfmbtCsdQQ_4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mc",
"y": "MBCAsid4kn7x6KP31bwzRp080D6XlbR2Gxmmc77CKPk"
}
},
"errors": [],
"execution_time": "PT0.004215542S"
},
"mso_mdoc/issuer_signed_integrity": {
"policy_executed": {
"policy": "mso_mdoc/issuer_signed_integrity",
"id": "mso_mdoc/issuer_signed_integrity",
"description": "Verify issuer-verified data integrity"
},
"success": true,
"results": {
"namespace": {
"org.iso.18013.5.1": [
{
"id": "family_name",
"digest_id": 0,
"value": "Doe",
"value_type": "CborString",
"random_hex": "736b060d21fa4e37f17b0b0568285add9d064ba883eb6c35",
"serialized_hex": "a4686469676573744944006672616e646f6d5818736b060d21fa4e37f17b0b0568285add9d064ba883eb6c3571656c656d656e744964656e7469666965726b66616d696c795f6e616d656c656c656d656e7456616c756563446f65"
},
{
"id": "given_name",
"digest_id": 1,
"value": "John",
"value_type": "CborString",
"random_hex": "312e734c986fdf279c7d75130b0da4794d16d44bbb3cfd61",
"serialized_hex": "a4686469676573744944016672616e646f6d5818312e734c986fdf279c7d75130b0da4794d16d44bbb3cfd6171656c656d656e744964656e7469666965726a676976656e5f6e616d656c656c656d656e7456616c7565644a6f686e"
},
{
"id": "birth_date",
"digest_id": 2,
"value": "1986-03-22",
"value_type": "CborString",
"random_hex": "e6864d13d13a9fb1a7fccb729a6330dec975bac5e79fa023",
"serialized_hex": "a4686469676573744944026672616e646f6d5818e6864d13d13a9fb1a7fccb729a6330dec975bac5e79fa02371656c656d656e744964656e7469666965726a62697274685f646174656c656c656d656e7456616c7565d903ec6a313938362d30332d3232"
}
]
},
"matching_digest": {
"org.iso.18013.5.1": [
"family_name",
"given_name",
"birth_date"
]
}
},
"errors": [],
"execution_time": "PT0.003104834S"
},
"mso_mdoc/mso": {
"policy_executed": {
"policy": "mso_mdoc/mso",
"id": "mso_mdoc/mso",
"description": "Verify MSO"
},
"success": true,
"results": {
"signed": "2026-05-18T07:48:27.870905006Z",
"valid_from": "2027-05-18T07:48:27.852289522Z"
},
"errors": [],
"execution_time": "PT0.004245834S"
}
}
},
"presented_raw_data": {
"vpToken": {
"credential_1": [
"o2d2ZXJzaW9uYzEuMGlkb2N1bWVudHOBo2dkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGxpc3N1ZXJTaWduZWSiam5hbWVTcGFjZXOhcW9yZy5pc28uMTgwMTMuNS4xg9gYWFukaGRpZ2VzdElEAGZyYW5kb21YGHNrBg0h-k438XsLBWgoWt2dBkuog-tsNXFlbGVtZW50SWRlbnRpZmllcmtmYW1pbHlfbmFtZWxlbGVtZW50VmFsdWVjRG9l2BhYW6RoZGlnZXN0SUQBZnJhbmRvbVgYMS5zTJhv3yecfXUTCw2keU0W1Eu7PP1hcWVsZW1lbnRJZGVudGlmaWVyamdpdmVuX25hbWVsZWxlbWVudFZhbHVlZEpvaG7YGFhkpGhkaWdlc3RJRAJmcmFuZG9tWBjmhk0T0Tqfsaf8y3KaYzDeyXW6xeefoCNxZWxlbWVudElkZW50aWZpZXJqYmlydGhfZGF0ZWxlbGVtZW50VmFsdWXZA-xqMTk4Ni0wMy0yMmppc3N1ZXJBdXRohEOhASahGCFZAi8wggIrMIIB0aADAgECAhRED-gfURxpHvIfRtUe91K73mZpljAKBggqhkjOPQQDAjAsMQswCQYDVQQGEwJBVDEdMBsGA1UEAwwUbURMIElzc3VlciBJQUNBIFJvb3QwHhcNMjYwNTE4MDYxOTI2WhcNMjcwODE4MDYxOTI2WjAyMQswCQYDVQQGEwJBVDEjMCEGA1UEAwwabURMIElzc3VlciBEb2N1bWVudCBTaWduZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATJ-Zu0Kx1BD_gQM-DQa33yAliTXOQ06kYz1sdgSLj2ZzAQgLIneJJ-8eij99W8M0adPNA-l5W0dhsZpnO-wij5o4HKMIHHMB8GA1UdIwQYMBaAFHKy929J0Lyz3XDMLWSZozeAAujjMB0GA1UdDgQWBBRcZNa5S0U4sUU0Uls5Qu74-EGCfTAOBgNVHQ8BAf8EBAMCB4AwJwYDVR0SBCAwHoYcaHR0cHM6Ly9pYWNhLnRlbmFudDEud2FsdC5pZDAVBgNVHSUBAf8ECzAJBgcogYxdBQECMDUGA1UdHwQuMCwwKqAooCaGJGh0dHBzOi8vY3JsLnRlbmFudDEud2FsdC5pZC9pYWNhLmNybDAKBggqhkjOPQQDAgNIADBFAiAGx-rtONQdU9NSJNW0IMpBEJ1fOnr95HOo4ofthoij1wIhAOt4gpN4I3Efm8kJ4_iIYUNtopa4ggZs7X_fZvBX8K85WQKV2BhZApCmZ3ZlcnNpb25jMS4wb2RpZ2VzdEFsZ29yaXRobWdTSEEtMjU2bHZhbHVlRGlnZXN0c6Fxb3JnLmlzby4xODAxMy41LjGqAFgglIt2JC3rDbrr6azX5GWPMGyGqyD5gTnyASk37pDhZQYBWCCMQ7Ph45igVnLbvCtlSqLPlaMTXSk2kLoy4Mxn1x37kwJYIOjGjCHBlfvZi74lANZXAWt_FDdDf6NU591eYMGbFladA1ggcdl99l7hzcOFDYUeghGX0gDXYYgEN7WyRFrgSSFVvv4EWCCKwt6H37DEK8kJFcs__AiFZzLDc-4GPFKuYYEJzv_X1QVYIMybLDIPi3G7go7Bq4ggn0UYXEpmKMazxXZH25mnl0RQBlggofgVz7C7i4z0Iz8zrEPhNBRMlZcr4EhqQCR2pjo3qsoHWCDaJ4DszfMYhI0HfyOcSgMEgx_K12dx34khKW6ohKRhZghYIPTE7TeLsXVDSX9l3DTPB4zDhzF1WDTmCw3Ecxv1deNJCVggqueG-PUmdP8sJdsQ6XbuByQzAZXoRdwB-7dn0hxtkCdtZGV2aWNlS2V5SW5mb6FpZGV2aWNlS2V5owEBIAYhWCCPFDBFXu0dzdb8mQpWwNkvv8O0_jPI0m1DhivXPv4x3mdkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGx2YWxpZGl0eUluZm-jZnNpZ25lZMB4HjIwMjYtMDUtMThUMDc6NDg6MjcuODcwOTA1MDA2Wml2YWxpZEZyb23AeB4yMDI2LTA1LTE4VDA3OjQ4OjI3Ljg3MDkwNTAwNlpqdmFsaWRVbnRpbMB4HjIwMjctMDUtMThUMDc6NDg6MjcuODUyMjg5NTIyWlhAmRC5DQjAwaNaozniXwKmOoMscEyNwA65Y31zyoCJpiGiZxs-fk9bcsZnrDSu5ATPVEIKrf_4hjY8ODArK76q2WxkZXZpY2VTaWduZWSiam5hbWVTcGFjZXPYGEGgamRldmljZUF1dGihb2RldmljZVNpZ25hdHVyZYRDoQEnoPZYQGQUayxOBk2Wp7g7UhumPbtFSQ5h1h4jArb60UGZOsFMvG6MXHBBPd4JdOX40auhbmKNmBjinPfw96QN9XfV-Q9mc3RhdHVzAA"
]
},
"state": "da82aed7-ea36-4303-9c4a-3ded03cdedb4"
},
"presented_presentations": {
"credential_1": {
"type": "mso_mdoc",
"format": "mso_mdoc",
"mdoc": {
"credentialData": {
"docType": "org.iso.18013.5.1.mDL",
"org.iso.18013.5.1": {
"family_name": "Doe",
"given_name": "John",
"birth_date": "1986-03-22"
}
},
"signed": "o2d2ZXJzaW9uYzEuMGlkb2N1bWVudHOBo2dkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGxpc3N1ZXJTaWduZWSiam5hbWVTcGFjZXOhcW9yZy5pc28uMTgwMTMuNS4xg9gYWFukaGRpZ2VzdElEAGZyYW5kb21YGHNrBg0h-k438XsLBWgoWt2dBkuog-tsNXFlbGVtZW50SWRlbnRpZmllcmtmYW1pbHlfbmFtZWxlbGVtZW50VmFsdWVjRG9l2BhYW6RoZGlnZXN0SUQBZnJhbmRvbVgYMS5zTJhv3yecfXUTCw2keU0W1Eu7PP1hcWVsZW1lbnRJZGVudGlmaWVyamdpdmVuX25hbWVsZWxlbWVudFZhbHVlZEpvaG7YGFhkpGhkaWdlc3RJRAJmcmFuZG9tWBjmhk0T0Tqfsaf8y3KaYzDeyXW6xeefoCNxZWxlbWVudElkZW50aWZpZXJqYmlydGhfZGF0ZWxlbGVtZW50VmFsdWXZA-xqMTk4Ni0wMy0yMmppc3N1ZXJBdXRohEOhASahGCFZAi8wggIrMIIB0aADAgECAhRED-gfURxpHvIfRtUe91K73mZpljAKBggqhkjOPQQDAjAsMQswCQYDVQQGEwJBVDEdMBsGA1UEAwwUbURMIElzc3VlciBJQUNBIFJvb3QwHhcNMjYwNTE4MDYxOTI2WhcNMjcwODE4MDYxOTI2WjAyMQswCQYDVQQGEwJBVDEjMCEGA1UEAwwabURMIElzc3VlciBEb2N1bWVudCBTaWduZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATJ-Zu0Kx1BD_gQM-DQa33yAliTXOQ06kYz1sdgSLj2ZzAQgLIneJJ-8eij99W8M0adPNA-l5W0dhsZpnO-wij5o4HKMIHHMB8GA1UdIwQYMBaAFHKy929J0Lyz3XDMLWSZozeAAujjMB0GA1UdDgQWBBRcZNa5S0U4sUU0Uls5Qu74-EGCfTAOBgNVHQ8BAf8EBAMCB4AwJwYDVR0SBCAwHoYcaHR0cHM6Ly9pYWNhLnRlbmFudDEud2FsdC5pZDAVBgNVHSUBAf8ECzAJBgcogYxdBQECMDUGA1UdHwQuMCwwKqAooCaGJGh0dHBzOi8vY3JsLnRlbmFudDEud2FsdC5pZC9pYWNhLmNybDAKBggqhkjOPQQDAgNIADBFAiAGx-rtONQdU9NSJNW0IMpBEJ1fOnr95HOo4ofthoij1wIhAOt4gpN4I3Efm8kJ4_iIYUNtopa4ggZs7X_fZvBX8K85WQKV2BhZApCmZ3ZlcnNpb25jMS4wb2RpZ2VzdEFsZ29yaXRobWdTSEEtMjU2bHZhbHVlRGlnZXN0c6Fxb3JnLmlzby4xODAxMy41LjGqAFgglIt2JC3rDbrr6azX5GWPMGyGqyD5gTnyASk37pDhZQYBWCCMQ7Ph45igVnLbvCtlSqLPlaMTXSk2kLoy4Mxn1x37kwJYIOjGjCHBlfvZi74lANZXAWt_FDdDf6NU591eYMGbFladA1ggcdl99l7hzcOFDYUeghGX0gDXYYgEN7WyRFrgSSFVvv4EWCCKwt6H37DEK8kJFcs__AiFZzLDc-4GPFKuYYEJzv_X1QVYIMybLDIPi3G7go7Bq4ggn0UYXEpmKMazxXZH25mnl0RQBlggofgVz7C7i4z0Iz8zrEPhNBRMlZcr4EhqQCR2pjo3qsoHWCDaJ4DszfMYhI0HfyOcSgMEgx_K12dx34khKW6ohKRhZghYIPTE7TeLsXVDSX9l3DTPB4zDhzF1WDTmCw3Ecxv1deNJCVggqueG-PUmdP8sJdsQ6XbuByQzAZXoRdwB-7dn0hxtkCdtZGV2aWNlS2V5SW5mb6FpZGV2aWNlS2V5owEBIAYhWCCPFDBFXu0dzdb8mQpWwNkvv8O0_jPI0m1DhivXPv4x3mdkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGx2YWxpZGl0eUluZm-jZnNpZ25lZMB4HjIwMjYtMDUtMThUMDc6NDg6MjcuODcwOTA1MDA2Wml2YWxpZEZyb23AeB4yMDI2LTA1LTE4VDA3OjQ4OjI3Ljg3MDkwNTAwNlpqdmFsaWRVbnRpbMB4HjIwMjctMDUtMThUMDc6NDg6MjcuODUyMjg5NTIyWlhAmRC5DQjAwaNaozniXwKmOoMscEyNwA65Y31zyoCJpiGiZxs-fk9bcsZnrDSu5ATPVEIKrf_4hjY8ODArK76q2WxkZXZpY2VTaWduZWSiam5hbWVTcGFjZXPYGEGgamRldmljZUF1dGihb2RldmljZVNpZ25hdHVyZYRDoQEnoPZYQGQUayxOBk2Wp7g7UhumPbtFSQ5h1h4jArb60UGZOsFMvG6MXHBBPd4JdOX40auhbmKNmBjinPfw96QN9XfV-Q9mc3RhdHVzAA",
"docType": "org.iso.18013.5.1.mDL",
"signature": {
"type": "signature-cose",
"signerKey": {
"type": "jwk",
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "yfmbtCsdQQ_4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mc",
"y": "MBCAsid4kn7x6KP31bwzRp080D6XlbR2Gxmmc77CKPk"
}
},
"x5cList": [
"MIICKzCCAdGgAwIBAgIURA/oH1EcaR7yH0bVHvdSu95maZYwCgYIKoZIzj0EAwIwLDELMAkGA1UEBhMCQVQxHTAbBgNVBAMMFG1ETCBJc3N1ZXIgSUFDQSBSb290MB4XDTI2MDUxODA2MTkyNloXDTI3MDgxODA2MTkyNlowMjELMAkGA1UEBhMCQVQxIzAhBgNVBAMMGm1ETCBJc3N1ZXIgRG9jdW1lbnQgU2lnbmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyfmbtCsdQQ/4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mcwEICyJ3iSfvHoo/fVvDNGnTzQPpeVtHYbGaZzvsIo+aOByjCBxzAfBgNVHSMEGDAWgBRysvdvSdC8s91wzC1kmaM3gALo4zAdBgNVHQ4EFgQUXGTWuUtFOLFFNFJbOULu+PhBgn0wDgYDVR0PAQH/BAQDAgeAMCcGA1UdEgQgMB6GHGh0dHBzOi8vaWFjYS50ZW5hbnQxLndhbHQuaWQwFQYDVR0lAQH/BAswCQYHKIGMXQUBAjA1BgNVHR8ELjAsMCqgKKAmhiRodHRwczovL2NybC50ZW5hbnQxLndhbHQuaWQvaWFjYS5jcmwwCgYIKoZIzj0EAwIDSAAwRQIgBsfq7TjUHVPTUiTVtCDKQRCdXzp6/eRzqOKH7YaIo9cCIQDreIKTeCNxH5vJCeP4iGFDbaKWuIIGbO1/32bwV/CvOQ=="
]
},
"format": "mso_mdoc",
"mso": {
"version": "1.0",
"digestAlgorithm": "SHA-256",
"valueDigests": {
"org.iso.18013.5.1": {
"0": [
-108,
-117,
118,
36,
45,
-21,
13,
-70,
-21,
-23,
-84,
-41,
-28,
101,
-113,
48,
108,
-122,
-85,
32,
-7,
-127,
57,
-14,
1,
41,
55,
-18,
-112,
-31,
101,
6
],
"1": [
-116,
67,
-77,
-31,
-29,
-104,
-96,
86,
114,
-37,
-68,
43,
101,
74,
-94,
-49,
-107,
-93,
19,
93,
41,
54,
-112,
-70,
50,
-32,
-52,
103,
-41,
29,
-5,
-109
],
"2": [
-24,
-58,
-116,
33,
-63,
-107,
-5,
-39,
-117,
-66,
37,
0,
-42,
87,
1,
107,
127,
20,
55,
67,
127,
-93,
84,
-25,
-35,
94,
96,
-63,
-101,
22,
86,
-99
],
"3": [
113,
-39,
125,
-10,
94,
-31,
-51,
-61,
-123,
13,
-123,
30,
-126,
17,
-105,
-46,
0,
-41,
97,
-120,
4,
55,
-75,
-78,
68,
90,
-32,
73,
33,
85,
-66,
-2
],
"4": [
-118,
-62,
-34,
-121,
-33,
-80,
-60,
43,
-55,
9,
21,
-53,
63,
-4,
8,
-123,
103,
50,
-61,
115,
-18,
6,
60,
82,
-82,
97,
-127,
9,
-50,
-1,
-41,
-43
],
"5": [
-52,
-101,
44,
50,
15,
-117,
113,
-69,
-126,
-114,
-63,
-85,
-120,
32,
-97,
69,
24,
92,
74,
102,
40,
-58,
-77,
-59,
118,
71,
-37,
-103,
-89,
-105,
68,
80
],
"6": [
-95,
-8,
21,
-49,
-80,
-69,
-117,
-116,
-12,
35,
63,
51,
-84,
67,
-31,
52,
20,
76,
-107,
-105,
43,
-32,
72,
106,
64,
36,
118,
-90,
58,
55,
-86,
-54
],
"7": [
-38,
39,
-128,
-20,
-51,
-13,
24,
-124,
-115,
7,
127,
35,
-100,
74,
3,
4,
-125,
31,
-54,
-41,
103,
113,
-33,
-119,
33,
41,
110,
-88,
-124,
-92,
97,
102
],
"8": [
-12,
-60,
-19,
55,
-117,
-79,
117,
67,
73,
127,
101,
-36,
52,
-49,
7,
-116,
-61,
-121,
49,
117,
88,
52,
-26,
11,
13,
-60,
115,
27,
-11,
117,
-29,
73
],
"9": [
-86,
-25,
-122,
-8,
-11,
38,
116,
-1,
44,
37,
-37,
16,
-23,
118,
-18,
7,
36,
51,
1,
-107,
-24,
69,
-36,
1,
-5,
-73,
103,
-46,
28,
109,
-112,
39
]
}
},
"deviceKeyInfo": {
"deviceKey": {
"kty": 1,
"crv": 6,
"x": [
-113,
20,
48,
69,
94,
-19,
29,
-51,
-42,
-4,
-103,
10,
86,
-64,
-39,
47,
-65,
-61,
-76,
-2,
51,
-56,
-46,
109,
67,
-122,
43,
-41,
62,
-2,
49,
-34
]
}
},
"docType": "org.iso.18013.5.1.mDL",
"validityInfo": {
"signed": "2026-05-18T07:48:27.870905006Z",
"validFrom": "2026-05-18T07:48:27.870905006Z",
"validUntil": "2027-05-18T07:48:27.852289522Z"
}
}
}
}
},
"presented_credentials": {
"credential_1": [
{
"type": "vc-mdocs",
"credentialData": {
"docType": "org.iso.18013.5.1.mDL",
"org.iso.18013.5.1": {
"family_name": "Doe",
"given_name": "John",
"birth_date": "1986-03-22"
}
},
"signed": "o2d2ZXJzaW9uYzEuMGlkb2N1bWVudHOBo2dkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGxpc3N1ZXJTaWduZWSiam5hbWVTcGFjZXOhcW9yZy5pc28uMTgwMTMuNS4xg9gYWFukaGRpZ2VzdElEAGZyYW5kb21YGHNrBg0h-k438XsLBWgoWt2dBkuog-tsNXFlbGVtZW50SWRlbnRpZmllcmtmYW1pbHlfbmFtZWxlbGVtZW50VmFsdWVjRG9l2BhYW6RoZGlnZXN0SUQBZnJhbmRvbVgYMS5zTJhv3yecfXUTCw2keU0W1Eu7PP1hcWVsZW1lbnRJZGVudGlmaWVyamdpdmVuX25hbWVsZWxlbWVudFZhbHVlZEpvaG7YGFhkpGhkaWdlc3RJRAJmcmFuZG9tWBjmhk0T0Tqfsaf8y3KaYzDeyXW6xeefoCNxZWxlbWVudElkZW50aWZpZXJqYmlydGhfZGF0ZWxlbGVtZW50VmFsdWXZA-xqMTk4Ni0wMy0yMmppc3N1ZXJBdXRohEOhASahGCFZAi8wggIrMIIB0aADAgECAhRED-gfURxpHvIfRtUe91K73mZpljAKBggqhkjOPQQDAjAsMQswCQYDVQQGEwJBVDEdMBsGA1UEAwwUbURMIElzc3VlciBJQUNBIFJvb3QwHhcNMjYwNTE4MDYxOTI2WhcNMjcwODE4MDYxOTI2WjAyMQswCQYDVQQGEwJBVDEjMCEGA1UEAwwabURMIElzc3VlciBEb2N1bWVudCBTaWduZXIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATJ-Zu0Kx1BD_gQM-DQa33yAliTXOQ06kYz1sdgSLj2ZzAQgLIneJJ-8eij99W8M0adPNA-l5W0dhsZpnO-wij5o4HKMIHHMB8GA1UdIwQYMBaAFHKy929J0Lyz3XDMLWSZozeAAujjMB0GA1UdDgQWBBRcZNa5S0U4sUU0Uls5Qu74-EGCfTAOBgNVHQ8BAf8EBAMCB4AwJwYDVR0SBCAwHoYcaHR0cHM6Ly9pYWNhLnRlbmFudDEud2FsdC5pZDAVBgNVHSUBAf8ECzAJBgcogYxdBQECMDUGA1UdHwQuMCwwKqAooCaGJGh0dHBzOi8vY3JsLnRlbmFudDEud2FsdC5pZC9pYWNhLmNybDAKBggqhkjOPQQDAgNIADBFAiAGx-rtONQdU9NSJNW0IMpBEJ1fOnr95HOo4ofthoij1wIhAOt4gpN4I3Efm8kJ4_iIYUNtopa4ggZs7X_fZvBX8K85WQKV2BhZApCmZ3ZlcnNpb25jMS4wb2RpZ2VzdEFsZ29yaXRobWdTSEEtMjU2bHZhbHVlRGlnZXN0c6Fxb3JnLmlzby4xODAxMy41LjGqAFgglIt2JC3rDbrr6azX5GWPMGyGqyD5gTnyASk37pDhZQYBWCCMQ7Ph45igVnLbvCtlSqLPlaMTXSk2kLoy4Mxn1x37kwJYIOjGjCHBlfvZi74lANZXAWt_FDdDf6NU591eYMGbFladA1ggcdl99l7hzcOFDYUeghGX0gDXYYgEN7WyRFrgSSFVvv4EWCCKwt6H37DEK8kJFcs__AiFZzLDc-4GPFKuYYEJzv_X1QVYIMybLDIPi3G7go7Bq4ggn0UYXEpmKMazxXZH25mnl0RQBlggofgVz7C7i4z0Iz8zrEPhNBRMlZcr4EhqQCR2pjo3qsoHWCDaJ4DszfMYhI0HfyOcSgMEgx_K12dx34khKW6ohKRhZghYIPTE7TeLsXVDSX9l3DTPB4zDhzF1WDTmCw3Ecxv1deNJCVggqueG-PUmdP8sJdsQ6XbuByQzAZXoRdwB-7dn0hxtkCdtZGV2aWNlS2V5SW5mb6FpZGV2aWNlS2V5owEBIAYhWCCPFDBFXu0dzdb8mQpWwNkvv8O0_jPI0m1DhivXPv4x3mdkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGx2YWxpZGl0eUluZm-jZnNpZ25lZMB4HjIwMjYtMDUtMThUMDc6NDg6MjcuODcwOTA1MDA2Wml2YWxpZEZyb23AeB4yMDI2LTA1LTE4VDA3OjQ4OjI3Ljg3MDkwNTAwNlpqdmFsaWRVbnRpbMB4HjIwMjctMDUtMThUMDc6NDg6MjcuODUyMjg5NTIyWlhAmRC5DQjAwaNaozniXwKmOoMscEyNwA65Y31zyoCJpiGiZxs-fk9bcsZnrDSu5ATPVEIKrf_4hjY8ODArK76q2WxkZXZpY2VTaWduZWSiam5hbWVTcGFjZXPYGEGgamRldmljZUF1dGihb2RldmljZVNpZ25hdHVyZYRDoQEnoPZYQGQUayxOBk2Wp7g7UhumPbtFSQ5h1h4jArb60UGZOsFMvG6MXHBBPd4JdOX40auhbmKNmBjinPfw96QN9XfV-Q9mc3RhdHVzAA",
"docType": "org.iso.18013.5.1.mDL",
"signature": {
"type": "signature-cose",
"signerKey": {
"type": "jwk",
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "yfmbtCsdQQ_4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mc",
"y": "MBCAsid4kn7x6KP31bwzRp080D6XlbR2Gxmmc77CKPk"
}
},
"x5cList": [
"MIICKzCCAdGgAwIBAgIURA/oH1EcaR7yH0bVHvdSu95maZYwCgYIKoZIzj0EAwIwLDELMAkGA1UEBhMCQVQxHTAbBgNVBAMMFG1ETCBJc3N1ZXIgSUFDQSBSb290MB4XDTI2MDUxODA2MTkyNloXDTI3MDgxODA2MTkyNlowMjELMAkGA1UEBhMCQVQxIzAhBgNVBAMMGm1ETCBJc3N1ZXIgRG9jdW1lbnQgU2lnbmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEyfmbtCsdQQ/4EDPg0Gt98gJYk1zkNOpGM9bHYEi49mcwEICyJ3iSfvHoo/fVvDNGnTzQPpeVtHYbGaZzvsIo+aOByjCBxzAfBgNVHSMEGDAWgBRysvdvSdC8s91wzC1kmaM3gALo4zAdBgNVHQ4EFgQUXGTWuUtFOLFFNFJbOULu+PhBgn0wDgYDVR0PAQH/BAQDAgeAMCcGA1UdEgQgMB6GHGh0dHBzOi8vaWFjYS50ZW5hbnQxLndhbHQuaWQwFQYDVR0lAQH/BAswCQYHKIGMXQUBAjA1BgNVHR8ELjAsMCqgKKAmhiRodHRwczovL2NybC50ZW5hbnQxLndhbHQuaWQvaWFjYS5jcmwwCgYIKoZIzj0EAwIDSAAwRQIgBsfq7TjUHVPTUiTVtCDKQRCdXzp6/eRzqOKH7YaIo9cCIQDreIKTeCNxH5vJCeP4iGFDbaKWuIIGbO1/32bwV/CvOQ=="
]
},
"format": "mso_mdoc",
"mso": {
"version": "1.0",
"digestAlgorithm": "SHA-256",
"valueDigests": {
"org.iso.18013.5.1": {
"0": [
-108,
-117,
118,
36,
45,
-21,
13,
-70,
-21,
-23,
-84,
-41,
-28,
101,
-113,
48,
108,
-122,
-85,
32,
-7,
-127,
57,
-14,
1,
41,
55,
-18,
-112,
-31,
101,
6
],
"1": [
-116,
67,
-77,
-31,
-29,
-104,
-96,
86,
114,
-37,
-68,
43,
101,
74,
-94,
-49,
-107,
-93,
19,
93,
41,
54,
-112,
-70,
50,
-32,
-52,
103,
-41,
29,
-5,
-109
],
"2": [
-24,
-58,
-116,
33,
-63,
-107,
-5,
-39,
-117,
-66,
37,
0,
-42,
87,
1,
107,
127,
20,
55,
67,
127,
-93,
84,
-25,
-35,
94,
96,
-63,
-101,
22,
86,
-99
],
"3": [
113,
-39,
125,
-10,
94,
-31,
-51,
-61,
-123,
13,
-123,
30,
-126,
17,
-105,
-46,
0,
-41,
97,
-120,
4,
55,
-75,
-78,
68,
90,
-32,
73,
33,
85,
-66,
-2
],
"4": [
-118,
-62,
-34,
-121,
-33,
-80,
-60,
43,
-55,
9,
21,
-53,
63,
-4,
8,
-123,
103,
50,
-61,
115,
-18,
6,
60,
82,
-82,
97,
-127,
9,
-50,
-1,
-41,
-43
],
"5": [
-52,
-101,
44,
50,
15,
-117,
113,
-69,
-126,
-114,
-63,
-85,
-120,
32,
-97,
69,
24,
92,
74,
102,
40,
-58,
-77,
-59,
118,
71,
-37,
-103,
-89,
-105,
68,
80
],
"6": [
-95,
-8,
21,
-49,
-80,
-69,
-117,
-116,
-12,
35,
63,
51,
-84,
67,
-31,
52,
20,
76,
-107,
-105,
43,
-32,
72,
106,
64,
36,
118,
-90,
58,
55,
-86,
-54
],
"7": [
-38,
39,
-128,
-20,
-51,
-13,
24,
-124,
-115,
7,
127,
35,
-100,
74,
3,
4,
-125,
31,
-54,
-41,
103,
113,
-33,
-119,
33,
41,
110,
-88,
-124,
-92,
97,
102
],
"8": [
-12,
-60,
-19,
55,
-117,
-79,
117,
67,
73,
127,
101,
-36,
52,
-49,
7,
-116,
-61,
-121,
49,
117,
88,
52,
-26,
11,
13,
-60,
115,
27,
-11,
117,
-29,
73
],
"9": [
-86,
-25,
-122,
-8,
-11,
38,
116,
-1,
44,
37,
-37,
16,
-23,
118,
-18,
7,
36,
51,
1,
-107,
-24,
69,
-36,
1,
-5,
-73,
103,
-46,
28,
109,
-112,
39
]
}
},
"deviceKeyInfo": {
"deviceKey": {
"kty": 1,
"crv": 6,
"x": [
-113,
20,
48,
69,
94,
-19,
29,
-51,
-42,
-4,
-103,
10,
86,
-64,
-39,
47,
-65,
-61,
-76,
-2,
51,
-56,
-46,
109,
67,
-122,
43,
-41,
62,
-2,
49,
-34
]
}
},
"docType": "org.iso.18013.5.1.mDL",
"validityInfo": {
"signed": "2026-05-18T07:48:27.870905006Z",
"validFrom": "2026-05-18T07:48:27.870905006Z",
"validUntil": "2027-05-18T07:48:27.852289522Z"
}
}
}
]
}
}
Key Response Fields:
- id: String - The verification session ID
- setup: Object - The complete session configuration that was used to create this verification session (the
VerificationSessionSetupfrom the create request) - creationDate: String - ISO 8601 timestamp when the session was created
- expirationDate: String - ISO 8601 timestamp when the session expires (default: 10 minutes after creation). Session will expire if left unused (no presentation pushed). Once a presentation is received, the session is no longer eligible for expiry.
- status: String - The current status of the verification session. Possible values:
"UNKNOWN"— Session ended up in unknown flow (should be avoided)"ACTIVE"— Session was created and is active (can be used)"UNUSED"— Session was not used yet, but not expired (can be used)"IN_USE"— AuthorizationRequest was requested by wallet"VALIDATING_RECEIVED_REQUEST"— Checking if received presentation will be processed"PROCESSING_FLOW"— Received presentation is being processed (validation + policy execution)"EXPIRED"— Verification request expired without being utilized"SUCCESSFUL"— Verification completed fully successfully (all validation & policies passed)"FAILED"— Verification was unsuccessful (presentation validation or policies failed)
- attempted: Boolean - Whether the wallet has attempted to respond to the verification request
- reattemptable: Boolean - Whether the user can retry this verification session if it failed
- policies: Object - The policies configured for this session:
- vp_policies: Object (optional) - Policies to run on presentations
- vc_policies: Array (optional) - Policies to run on credentials
- specific_vc_policies: Object (optional) - Policies to run on specific credential IDs
- policy_results: Object (optional) - Detailed results for all policies applied to the verification (only present after presentation is received):
- vp_policies: Object - Results for presentation-level policies (audience check, nonce check, envelope signature), organized by credential ID. Structure:
{ "credential_id": { "policy_name": { ... } } } - vc_policies: Array - Results for credential-level policies (signature, expiry, schema, etc.). Each item contains
policy,success, andresult. - specific_vc_policies: Object - Results for credential-specific policies
- overallSuccess: Boolean (computed) - Whether all policies passed
- vp_policies: Object - Results for presentation-level policies (audience check, nonce check, envelope signature), organized by credential ID. Structure:
- redirects: Object (optional) - Success and error redirect URIs if configured
Instead of polling the session status, you can use callbacks or Server Sent Events (SSE) to be notified when the verification completes. See Callbacks & SSE for details.
Understanding Flow Types and Core Concepts
Now that you've seen verification in action, let's understand the underlying structure.
Verification Session Structure
A VerificationSession defines the full lifecycle: authorization request → user presentation → policy validation → final result.
Every verification request follows this structure:
{
"flow_type": "cross_device | same_device | dc_api",
"core_flow": { /* common to all flows */ },
"url_config": { /* specific to cross_device and same_device */ },
"redirects": { /* optional */ }
}
Why this structure?
- flow_type determines how the credential request is delivered (QR code vs deep link vs browser API)
- core_flow contains the credential query and policies (same regardless of delivery method)
- url_config and redirects are flow-specific attributes
This separation makes it easy to switch between flows without changing your credential requirements.
Flow Type Comparison
| Flow Type | Use Case | Required Attributes | User Experience |
|---|---|---|---|
cross_device | User scans QR code from desktop | None beyond core flow | Desktop shows QR → User scans with phone → Phone wallet opens |
same_device | User clicks link on mobile | redirects (success/error URLs) | Browser redirects to wallet → Wallet opens → User returns to browser |
dc_api | Browser-native credential exchange | expectedOrigins (array of allowed origins) | Browser shows native credential picker → User selects → Instant return |
Configuration Defaults
Many session parameters can be configured globally in verifier-service.conf and overridden per-request when needed.
| Parameter | Config File Location | Request Override Path | When to Override |
|---|---|---|---|
urlPrefix | verifier-service.conf → urlPrefix | url_config.url_prefix | Testing with ngrok, different environments per session |
urlHost | verifier-service.conf → urlHost | url_config.url_host | Custom authorization endpoints, conformance testing |
clientId | verifier-service.conf → clientId | core_flow.clientId | Different verifier identities per use case |
clientMetadata | verifier-service.conf → clientMetadata | core_flow.client_metadata | Session-specific branding, multi-tenant scenarios |
| Signing key | verifier-service.conf → key | core_flow.key | Different signing keys per session (advanced) |
| Certificate chain | verifier-service.conf → x5c | core_flow.x5c | Different certificate chains per session (x509 flows) |
Best Practice: Set defaults in verifier-service.conf for your primary use case, and override per-request only when necessary. This keeps your API calls clean and reduces duplication.
See Verifier Service Configuration for detailed configuration documentation.
Advanced Options
Requesting Specific Claims
Mobile driver's licenses support selective disclosure. You can request specific claims using the claims array with namespace-qualified paths:
{
"flow_type": "cross_device",
"core_flow": {
"dcql_query": {
"credentials": [
{
"id": "credential_1",
"format": "mso_mdoc",
"meta": {
"doctype_value": "org.iso.18013.5.1.mDL"
},
"claims": [
{
"path": ["org.iso.18013.5.1", "family_name"]
},
{
"path": ["org.iso.18013.5.1", "given_name"]
},
{
"path": ["org.iso.18013.5.1", "birth_date"]
},
{
"path": ["org.iso.18013.5.1", "portrait"]
}
]
}
]
}
}
}
This requests only specific claims from the mDL. The user's wallet will only disclose these specific data elements.
Claim Values
You can also request claims with specific values (for filtering):
{
"claims": [
{
"path": ["org.iso.18013.5.1", "issuing_country"],
"values": ["US", "CA"]
}
]
}
This requests only mDLs issued by US or Canadian authorities.
Custom Policies
Beyond signature verification, you can apply additional policies:
"policies": {
"vc_policies": [
{ "policy": "signature" },
{ "policy": "expired" },
{ "policy": "not-before" }
]
}
See Policies for the complete list and configuration options.
VICAL Trust Validation
For mDL credentials, you can apply the VICAL (Verifiable Issuer Certificate Authority List) policy for trust validation:
"policies": {
"vc_policies": [
{
"policy": "signature"
},
{
"policy": "vical",
"vical": "<base64 encoded VICAL file>",
"enableDocumentTypeValidation": false,
"enableTrustedChainRoot": false,
"enableSystemTrustAnchors": false,
"enableRevocation": false
}
]
}
See the VICAL policy documentation for detailed parameter descriptions and configuration examples.
Transaction Data Authorization
Verifier2 supports OpenID4VP transaction_data to bind credential presentations to specific transactions (e.g., payment authorization, account access).
For mDL credentials, the wallet embeds transaction data hashes in the DeviceSigned namespaces, and the verifier evaluates the mso_mdoc/transaction-data-hash-check policy automatically to validate the binding.
Example Request
{
"flow_type": "cross_device",
"core_flow": {
"dcql_query": {
"credentials": [
{
"id": "mdl",
"format": "mso_mdoc",
"meta": {
"doctype_value": "org.iso.18013.5.1.mDL"
},
"claims": [
{
"path": ["org.iso.18013.5.1", "family_name"]
},
{
"path": ["org.iso.18013.5.1", "given_name"]
}
]
}
]
}
},
"openid": {
"transactionData": [
{
"type": "org.waltid.transaction-data.payment-authorization",
"credential_ids": ["mdl"],
"require_cryptographic_holder_binding": true,
"transaction_data_hashes_alg": ["sha-256"],
"amount": "42.00",
"currency": "EUR",
"payee": "ACME Corp"
}
]
}
}
Parameters
- type: String (required) - The transaction data type identifier. Must match a profile registered via the
transaction-data-profilesconfiguration. Common types:"org.waltid.transaction-data.payment-authorization"— For payment transactions (fields:amount,currency,payee)"org.waltid.transaction-data.account-access"— For account access requests (fields:account_identifier,access_scope)
- credential_ids: Array of Strings (required) - References one or more credential IDs from your DCQL query (
credentials[].id). The wallet will bind this transaction data to presentations of these credentials. For mDL credentials, use the credential ID you assigned (e.g.,"mdl"). - require_cryptographic_holder_binding: Boolean (optional) - If provided, it must be set to
true. Transaction data requires cryptographic holder binding (KB-JWT for SD-JWT VC, DeviceAuth for mDL). Requests withfalseare rejected per OpenID4VP §B.3.3. - transaction_data_hashes_alg: Array of Strings (optional) — Hash algorithms the wallet uses to bind transaction data. e.g.
["sha-256"]. If omitted "sha-256" is used.
Type-Specific Parameters:
For "org.waltid.transaction-data.payment-authorization":
- amount: String (required) - Payment amount (e.g.,
"42.00") - currency: String (required) - Currency code (e.g.,
"EUR","USD") - payee: String (required) - Payee identifier (e.g.,
"ACME Corp")
For "org.waltid.transaction-data.account-access":
- account_identifier: String (required) - Account identifier (e.g., account number, user ID)
- access_scope: String (required) - Scope of access being requested (e.g.,
"read","write","admin")
Encoding Behavior: You pass transaction data entries as plain JSON objects in your verification request. The verifier service automatically base64url-encodes each entry before placing it in the authorization request sent to the wallet. Do not base64-encode the entries yourself.
Constraints
transaction_datarequires adcql_query. Requests without one are rejected withinvalid_request.- Each entry's
credential_idsmust reference DCQL credential query ids declared in the same request. - Each referenced credential query must use a transaction-data-capable format:
dc+sd-jwtormso_mdoc. - Transaction data with
require_cryptographic_holder_binding: falseis rejected. See OpenID4VP §B.3.3. - Transaction-data types are configurable via profiles (e.g.
payment-authorization,account-access). Custom types can be added through thetransaction-data-profilesconfiguration, and the active profiles are exposed viaGET /transaction-data-profiles. - Available on
cross_device,same_device, anddc_api(Annex D) flows via theopenid.transactionDatafield.
Automatic Policy Enforcement: When transactionData is present, the verifier automatically adds the appropriate transaction-data hash-check policy (dc+sd-jwt/transaction-data-hash-check for SD-JWT, mso_mdoc/transaction-data-hash-check for mDL) to ensure the wallet properly binds the transaction data. This happens even if you specify custom vp_policies. Your custom policies are preserved; the hash-check policy is added on top.
Discovery & Configuration
Transaction data types are configurable via profiles. To see which transaction data types your verifier instance supports:
curl -X 'GET' \
'http://localhost:7003/transaction-data-profiles' \
-H 'accept: application/json'
Custom transaction data types can be added through the transaction-data-profiles configuration.
Signed Requests
Sign the authorization request JWT using a verifier signing key. This is required for:
- HAIP profile compliance
- DC API Annex C (ISO 18013-7) flows
Enable by setting signedRequest: true in the request body.
Key Configuration Required: Signed requests require a signing key (key) to be configured. You can either:
- Set the
keyparameter in theverifier-service.confas a service-wide default - Override or provide the
keydirectly in the verification request body
Certificate Chain (x5c) Required for:
- X.509-based client authentication when using
x509_san_dns:orx509_hash:as theclientIdformat - Signed Annex C (ISO 18013-7) requests
The x5c parameter can be configured the same way as key — as a service-wide default or per-session override.
Encrypted Responses
The wallet can encrypt the VP token response. Enable by setting encryptedResponse: true in the request body.
Key Configuration Required: Encrypted responses require a key (key) for decrypting the VP token response. Configure it via verifier-service.conf or provide it in the verification request body.
Next Steps
- Apply custom policies — See Policies for validation rules beyond signature verification
- Set up notifications — Use Callbacks & SSE instead of polling for session status
- Verify other credential types — Try W3C VC or SD-JWT VC
- Use DC API — Try the Digital Credentials API for browser-native credential exchange
Last updated on June 17, 2026