#Verifying SD-JWT VC credentials via OID4VP

This guide shows you how to verify SD-JWT VC credentials using the Verifier2 API via OID4VP (OpenID for Verifiable Presentations)

SD-JWT VCs: Credentials based on the IETF SD-JWT VC standard which support selective disclosure, allowing users to share only specific claims from their credentials.

OID4VP: A protocol specifying how parties can present VCs in a way that's consistent and secure across platforms ensuring interoperability.

If you're migrating from the original Verifier (v1), see the Migration Guide.

#Prerequisites

Before you begin, ensure you have:

Verifier2 API running — Follow the Getting Started or Setup guide
A test wallet with credentials — Use the walt.id Wallet for testing, or any OID4VP-compatible wallet
Publicly accessible URL (for local development) — Use ngrok or similar to expose http://localhost:7003 if testing with a mobile wallet

Local Development: When running locally via Docker, the API is available at http://localhost:7003 (standalone) or http://localhost:7004 (Docker Compose). Use this as your base URL in the examples below.

#Example 1: Basic Verification

This example requests an SD-JWT identity credential and verifies its signature.

CURL

Endpoint: POST /verification-session/create | API Reference

#Example Request

curl -X 'POST' \
  'http://localhost:7003/verification-session/create' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "flow_type": "cross_device",
  "core_flow": {
    "dcql_query": {
      "credentials": [
        {
          "id": "credential_1",
          "format": "dc+sd-jwt",
          "meta": {
            "vct_values": [
              "https://issuer.demo.walt.id/draft13/identity_credential"
            ]
          }
        }
      ]
    }
  }
}'

Body Parameters

flow_type: String (required) - Specifies how the credential request will be delivered to the holder's wallet. Options:
- "cross_device" — User scans a QR code on a different device (e.g. desktop browser → phone wallet)
- "same_device" — User clicks a deep link on the same device (e.g. phone browser → wallet app on same phone)
- "dc_api" — Browser/OS-native Digital Credentials API (Chrome, Safari, iOS/Android native)
core_flow: Object (required) - Defines what credentials to request and which policies to apply. Contains:
- dcql_query: Object (required) - Specifies the credential type, format, and claims to request using the DCQL query language. You can also use the DCQL builder here.
  - credentials: Array - List of credential queries. Each credential query contains:
    - id: String - Unique identifier for this credential in the request (used in policy results)
    - format: String - Credential format. For SD-JWT VCs, use the "dc+sd-jwt".
    - meta.vct_values: Array - List of of credential types. Example: ["https://issuer.demo.walt.id/draft13/identity_credential"].
    - claims: Array (optional) - Specific claims to request from the credential. Each claim has a path (JSON path to the claim). If omitted, all claims that are non-selectively disclosable are provided by the wallet.
- policies: Object (optional) - Validation rules applied to the received credential. Defaults to signature verification only if omitted.
  - vc_policies: Array - Policies applied to individual credentials. Each policy has a policy field specifying the policy name. Available policies: signature, expired, not-before, revoked-status-list, schema, and more. See Policies for the complete list.
  - vp_policies: Array (optional) - Policies applied to the entire presentation (not shown in this example)
url_config: Object (optional) - URL configuration for this session. Only applies to cross_device and same_device flows (not dc_api).
- url_prefix: String (optional) - The publicly accessible base URL where the wallet will fetch the authorization request and post its response. Overrides the urlPrefix from verifier-service.conf.
  - The service constructs: Request URI: {urlPrefix}/{sessionId}/request and Response URI: {urlPrefix}/{sessionId}/response
  - Must be reachable by the wallet (use ngrok or public URL for local development)
- url_host: String (optional) - The base URL used to construct the authorization request link. Overrides the urlHost from verifier-service.conf.
  - For standard OID4VP flows, use "openid4vp://authorize" (default)
  - For custom authorization endpoints (e.g. conformance testing), provide a full HTTPS URL
redirects: Object (optional) - Success and error redirect URLs (only for cross_device and same_device flows)
- successRedirectUri: String - URL to redirect the user after successful verification
- errorRedirectUri: String - URL to redirect the user if verification fails
Many parameters have defaults configured in verifier-service.conf. Request-level parameters override these defaults for that specific session only. See Configuration Defaults below.

#Example Response

{
  "sessionId": "14d60fa2-4e7d-4a34-a291-80da0e053fab",
  "bootstrapAuthorizationRequestUrl": "openid4vp://authorize?client_id=verifier2&request_uri=https%3A%2F%2Ff5dc-2a02-8388-17c1-5580-bddd-6845-3edf-388f.ngrok-free.app%2Fverification-session%2F14d60fa2-4e7d-4a34-a291-80da0e053fab%2Frequest",
  "fullAuthorizationRequestUrl": "openid4vp://authorize?response_type=vp_token&client_id=verifier2&state=a697ef7d-fc66-4ccd-b79a-3aa1b93836df&response_mode=direct_post&nonce=4c44c117-2d26-4838-b42f-52b0e0faa070&response_uri=https%3A%2F%2Ff5dc-2a02-8388-17c1-5580-bddd-6845-3edf-388f.ngrok-free.app%2Fverification-session%2F14d60fa2-4e7d-4a34-a291-80da0e053fab%2Fresponse&dcql_query=%7B%22credentials%22%3A%5B%7B%22id%22%3A%22credential_1%22%2C%22format%22%3A%22dc%2Bsd-jwt%22%2C%22meta%22%3A%7B%22vct_values%22%3A%5B%22https%3A%2F%2Fissuer.demo.walt.id%2Fdraft13%2Fidentity_credential%22%5D%7D%7D%5D%7D&client_metadata=%7B%22vp_formats_supported%22%3A%7B%22mso_mdoc%22%3A%7B%22issuerauth_alg_values%22%3A%5B-7%2C-9%2C-50%5D%2C%22deviceauth_alg_values%22%3A%5B-7%2C-9%2C-50%2C-65537%5D%7D%7D%2C%22client_name%22%3A%22Verifier2%22%2C%22logo_uri%22%3A%22https%3A%2F%2Fimages.squarespace-cdn.com%2Fcontent%22%2C%22tos_uri%22%3A%22https%3A%2F%2Fexample.com%2Fterms%22%2C%22policy_uri%22%3A%22https%3A%2F%2Fexample.com%2Fprivacy%22%2C%22client_uri%22%3A%22https%3A%2F%2Fverifier.example.com%22%2C%22client_name%23fr-FR%22%3A%22V%C3%A9rificateur2%22%2C%22logo_uri%23fr-FR%22%3A%22https%3A%2F%2Fexample.com%2Flogo-fr.png%22%2C%22tos_uri%23fr-FR%22%3A%22https%3A%2F%2Fexample.com%2Fterms-fr%22%2C%22policy_uri%23fr-FR%22%3A%22https%3A%2F%2Fexample.com%2Fprivacy-fr%22%2C%22client_uri%23fr-FR%22%3A%22https%3A%2F%2Fverifier.example.com%2Ffr%22%7D"
}

Response Fields:

sessionId: String - The unique ID of this verification session. Use this to query the session status.
bootstrapAuthorizationRequestUrl: String - Shortened URL using request_uri by reference. Use this for QR codes to minimize QR code density.
fullAuthorizationRequestUrl: String - Complete URL with all parameters embedded. Use this if the wallet doesn't support request_uri (rare).

#Presenting the Request to the User

After creating the session, you need to present the authorization request to the user based on the flow type you chose.

#Cross-Device Flow (QR Code)

Generate a QR code from the bootstrapAuthorizationRequestUrl
Display the QR code to the user on your web page or application
User scans the QR code with their wallet app
Wallet presents the credential and posts the response to your verifier
Monitor the session status by polling the session endpoint or using SSE/callbacks (see below)

#Same-Device Flow (Deep Link)

Redirect the user to the bootstrapAuthorizationRequestUrl
User's wallet app opens automatically (via deep link)
Wallet presents the credential and posts the response to your verifier
User is redirected to your successRedirectUri or errorRedirectUri
Query the session status to retrieve the verification results

#Checking Verification Results

You can query the verification session to check if the user has presented their credential and whether validation succeeded.

CURL

Endpoint: GET /verification-session/{sessionId}/info | API Reference

#Example Request

curl -X 'GET' \
  'http://localhost:7003/verification-session/14d60fa2-4e7d-4a34-a291-80da0e053fab/info' \
  -H 'accept: application/json'

Path Parameters

sessionId: String (required) - The unique ID of the verification session returned when you created the session. Use this to query the current status and results.

#Example Response

{
  "id": "14d60fa2-4e7d-4a34-a291-80da0e053fab",
  "setup": {
    "flow_type": "cross_device",
    "core_flow": {
      "dcql_query": {
        "credentials": [
          {
            "id": "credential_1",
            "format": "dc+sd-jwt",
            "multiple": false,
            "meta": {
              "vct_values": [
                "https://issuer.demo.walt.id/draft13/identity_credential"
              ],
              "format": "dc+sd-jwt"
            },
            "require_cryptographic_holder_binding": true
          }
        ]
      },
      "signed_request": false,
      "encrypted_response": false,
      "policies": {}
    },
    "url_config": {}
  },
  "creationDate": "2026-05-13T14:14:52.688020004Z",
  "expirationDate": "2026-05-13T14:19:52.688020004Z",
  "retentionDate": "2036-05-13T14:14:52.688020004Z",
  "status": "SUCCESSFUL",
  "attempted": true,
  "reattemptable": true,
  "bootstrapAuthorizationRequest": {
    "client_id": "verifier2",
    "request_uri": "https://f5dc-2a02-8388-17c1-5580-bddd-6845-3edf-388f.ngrok-free.app/verification-session/14d60fa2-4e7d-4a34-a291-80da0e053fab/request"
  },
  "bootstrapAuthorizationRequestUrl": "openid4vp://authorize?client_id=verifier2&request_uri=https%3A%2F%2Ff5dc-2a02-8388-17c1-5580-bddd-6845-3edf-388f.ngrok-free.app%2Fverification-session%2F14d60fa2-4e7d-4a34-a291-80da0e053fab%2Frequest",
  "authorizationRequest": {
    "response_type": "vp_token",
    "client_id": "verifier2",
    "state": "a697ef7d-fc66-4ccd-b79a-3aa1b93836df",
    "response_mode": "direct_post",
    "nonce": "4c44c117-2d26-4838-b42f-52b0e0faa070",
    "response_uri": "https://f5dc-2a02-8388-17c1-5580-bddd-6845-3edf-388f.ngrok-free.app/verification-session/14d60fa2-4e7d-4a34-a291-80da0e053fab/response",
    "dcql_query": {
      "credentials": [
        {
          "id": "credential_1",
          "format": "dc+sd-jwt",
          "multiple": false,
          "meta": {
            "vct_values": [
              "https://issuer.demo.walt.id/draft13/identity_credential"
            ],
            "format": "dc+sd-jwt"
          },
          "require_cryptographic_holder_binding": true
        }
      ]
    },
    "client_metadata": {
      "vp_formats_supported": {
        "mso_mdoc": {
          "issuerauth_alg_values": [-7, -9, -50],
          "deviceauth_alg_values": [-7, -9, -50, -65537]
        }
      },
      "client_name": "Verifier2",
      "logo_uri": "https://images.squarespace-cdn.com/content",
      "tos_uri": "https://example.com/terms",
      "policy_uri": "https://example.com/privacy",
      "client_uri": "https://verifier.example.com"
    }
  },
  "authorizationRequestUrl": "openid4vp://authorize?response_type=vp_token&client_id=verifier2&state=a697ef7d-fc66-4ccd-b79a-3aa1b93836df&response_mode=direct_post&nonce=4c44c117-2d26-4838-b42f-52b0e0faa070&response_uri=https%3A%2F%2Ff5dc-2a02-8388-17c1-5580-bddd-6845-3edf-388f.ngrok-free.app%2Fverification-session%2F14d60fa2-4e7d-4a34-a291-80da0e053fab%2Fresponse&dcql_query=%7B%22credentials%22%3A%5B%7B%22id%22%3A%22credential_1%22%2C%22format%22%3A%22dc%2Bsd-jwt%22%2C%22meta%22%3A%7B%22vct_values%22%3A%5B%22https%3A%2F%2Fissuer.demo.walt.id%2Fdraft13%2Fidentity_credential%22%5D%7D%7D%5D%7D&client_metadata=%7B%22vp_formats_supported%22%3A%7B%22mso_mdoc%22%3A%7B%22issuerauth_alg_values%22%3A%5B-7%2C-9%2C-50%5D%2C%22deviceauth_alg_values%22%3A%5B-7%2C-9%2C-50%2C-65537%5D%7D%7D%2C%22client_name%22%3A%22Verifier2%22%2C%22logo_uri%22%3A%22https%3A%2F%2Fimages.squarespace-cdn.com%2Fcontent%22%2C%22tos_uri%22%3A%22https%3A%2F%2Fexample.com%2Fterms%22%2C%22policy_uri%22%3A%22https%3A%2F%2Fexample.com%2Fprivacy%22%2C%22client_uri%22%3A%22https%3A%2F%2Fverifier.example.com%22%7D",
  "requestMode": "REQUEST_URI",
  "policies": {
    "vp_policies": {
      "dc+sd-jwt": [
        "dc+sd-jwt/audience-check",
        "dc+sd-jwt/kb-jwt_signature",
        "dc+sd-jwt/nonce-check",
        "dc+sd-jwt/sd_hash-check"
      ]
    },
    "vc_policies": [
      {
        "policy": "signature",
        "id": "signature"
      }
    ]
  },
  "policy_results": {
    "vp_policies": {
      "credential_1": {
        "dc+sd-jwt/audience-check": {
          "policy_executed": {
            "policy": "dc+sd-jwt/audience-check",
            "id": "dc+sd-jwt/audience-check",
            "description": "Check if presentation audience matches expected audience for session"
          },
          "success": true,
          "results": {
            "presentation_audience": "verifier2",
            "expected_audience": "verifier2"
          },
          "errors": [],
          "execution_time": "PT0.000992042S"
        },
        "dc+sd-jwt/kb-jwt_signature": {
          "policy_executed": {
            "policy": "dc+sd-jwt/kb-jwt_signature",
            "id": "dc+sd-jwt/kb-jwt_signature",
            "description": "Verify the KB-JWTs signature with the holders key"
          },
          "success": true,
          "results": {
            "holder_key_jwk": {
              "kty": "OKP",
              "crv": "Ed25519",
              "kid": "v1sbluyFJrMT6Lt46S4N_CBH1g7OWHpm_f3uK93dSLE",
              "x": "jxQwRV7tHc3W_JkKVsDZL7_DtP4zyNJtQ4Yr1z7-Md4"
            }
          },
          "errors": [],
          "execution_time": "PT0.002432834S"
        },
        "dc+sd-jwt/nonce-check": {
          "policy_executed": {
            "policy": "dc+sd-jwt/nonce-check",
            "description": "Check if presentation nonce matches expected nonce for session"
          },
          "success": true,
          "results": {},
          "errors": [],
          "execution_time": "PT0.001029042S"
        },
        "dc+sd-jwt/sd_hash-check": {
          "policy_executed": {
            "policy": "dc+sd-jwt/sd_hash-check",
            "description": "Verify SD-JWT Key Binding by recalculating SD Hashes"
          },
          "success": true,
          "results": {
            "presentation_sdhash": "KQKyptFb7obYaGPDRQvNHEKCSispCoFYGmbe1WUR_wI",
            "recalculated_sdhash": "KQKyptFb7obYaGPDRQvNHEKCSispCoFYGmbe1WUR_wI"
          },
          "errors": [],
          "execution_time": "PT0.003427750S"
        }
      }
    },
    "vc_policies": [
      {
        "policy": {
          "policy": "signature",
          "id": "signature"
        },
        "success": true,
        "result": {
          "verification_result": true,
          "verified_data": {
            "given_name": "John",
            "family_name": "Doe",
            "email": "johndoe@example.com",
            "phone_number": "+1-202-555-0101",
            "address": {
              "street_address": "123 Main St",
              "locality": "Anytown",
              "region": "Anystate",
              "country": "US"
            },
            "is_over_18": true,
            "is_over_21": true,
            "is_over_65": true,
            "vct": "https://issuer.demo.walt.id/draft13/identity_credential"
          }
        }
      }
    ],
    "overallSuccess": true
  },
  "presented_credentials": {
    "credential_1": [
      {
        "type": "vc-sd_jwt",
        "format": "dc+sd-jwt",
        "credentialData": {
          "given_name": "John",
          "family_name": "Doe",
          "email": "johndoe@example.com",
          "phone_number": "+1-202-555-0101",
          "address": {
            "street_address": "123 Main St",
            "locality": "Anytown",
            "region": "Anystate",
            "country": "US"
          },
          "is_over_18": true,
          "is_over_21": true,
          "is_over_65": true,
          "vct": "https://issuer.demo.walt.id/draft13/identity_credential"
        },
        "issuer": "did:key:z6MkjoRhq1jSNJdLiruSXrFFxagqrztZaXHqHGUTKJbcNywp"
      }
    ]
  }
}

Key Response Fields:

id: String - The verification session ID
setup: Object - The complete session configuration that was used to create this verification session (the VerificationSessionSetup from the create request)
creationDate: String - ISO 8601 timestamp when the session was created
expirationDate: String - ISO 8601 timestamp when the session expires (default: 10 minutes after creation). Session will expire if left unused (no presentation pushed). Once a presentation is received, the session is no longer eligible for expiry.
status: String - The current status of the verification session. Possible values:
- "UNKNOWN" — Session ended up in unknown flow (should be avoided)
- "ACTIVE" — Session was created and is active (can be used)
- "UNUSED" — Session was not used yet, but not expired (can be used)
- "IN_USE" — AuthorizationRequest was requested by wallet
- "VALIDATING_RECEIVED_REQUEST" — Checking if received presentation will be processed
- "PROCESSING_FLOW" — Received presentation is being processed (validation + policy execution)
- "EXPIRED" — Verification request expired without being utilized
- "SUCCESSFUL" — Verification completed fully successfully (all validation & policies passed)
- "FAILED" — Verification was unsuccessful (presentation validation or policies failed)
attempted: Boolean - Whether the wallet has attempted to respond to the verification request
reattemptable: Boolean - Whether the user can retry this verification session if it failed
policies: Object - The policies configured for this session:
- vp_policies: Object (optional) - Policies to run on presentations
- vc_policies: Array (optional) - Policies to run on credentials
- specific_vc_policies: Object (optional) - Policies to run on specific credential IDs
policy_results: Object (optional) - Detailed results for all policies applied to the verification (only present after presentation is received):
- vp_policies: Object - Results for presentation-level policies (audience check, nonce check, envelope signature), organized by credential ID. Structure: { "credential_id": { "policy_name": { ... } } }
- vc_policies: Array - Results for credential-level policies (signature, expiry, schema, etc.). Each item contains policy, success, and result.
- specific_vc_policies: Object - Results for credential-specific policies
- overallSuccess: Boolean (computed) - Whether all policies passed
redirects: Object (optional) - Success and error redirect URIs if configured

Instead of polling the session status, you can use callbacks or Server Sent Events (SSE) to be notified when the verification completes. See Callbacks & SSE for details.

#Example 2: Requesting Multiple Credentials

You can request multiple credentials in a single verification session. The wallet will present all matching credentials, and policies will be applied to each one.

This example requests both an Identity and a Education credential.

CURL

Endpoint: POST /verification-session/create | API Reference

#Example Request

curl -X 'POST' \
  'http://localhost:7003/verification-session/create' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "flow_type": "cross_device",
  "core_flow": {
    "dcql_query": {
      "credentials": [
        {
          "id": "identity",
          "format": "dc+sd-jwt",
          "meta": {
            "vct_values": [
              "https://issuer.demo.walt.id/draft13/identity_credential"
            ]
          }
        },
        {
          "id": "education",
          "format": "dc+sd-jwt",
          "meta": {
            "vct_values": [
              "https://issuer.demo.walt.id/draft13/educational_credential"
            ]
          }
        }
      ]
    },
    "policies": {
      "vc_policies": [
        {
          "policy": "signature"
        }
      ]
    }
  }
}'

The wallet will present both credentials (if available), and the signature policy will be applied to each one. The policyResults in the session info response will contain separate results for each credential using their id values.

#Understanding Flow Types and Core Concepts

Now that you've seen verification in action, let's understand the underlying structure.

#Verification Session Structure

A VerificationSession defines the full lifecycle: authorization request → user presentation → policy validation → final result.

Every verification request follows this structure:

{
  "flow_type": "cross_device | same_device | dc_api",
  "core_flow": { /* common to all flows */ },
  "url_config": { /* specific to cross_device and same_device */ },
  "redirects": { /* optional */ }
}

Why this structure?

flow_type determines how the credential request is delivered (QR code vs deep link vs browser API)
core_flow contains the credential query and policies (same regardless of delivery method)
url_config and redirects are flow-specific attributes

This separation makes it easy to switch between flows without changing your credential requirements.

#Flow Type Comparison

Flow Type	Use Case	Required Attributes	User Experience
`cross_device`	User scans QR code from desktop	None beyond core flow	Desktop shows QR → User scans with phone → Phone wallet opens
`same_device`	User clicks link on mobile	`redirects` (success/error URLs)	Browser redirects to wallet → Wallet opens → User returns to browser
`dc_api`	Browser-native credential exchange	`expectedOrigins` (array of allowed origins)	Browser shows native credential picker → User selects → Instant return

#Configuration Defaults

Many session parameters can be configured globally in verifier-service.conf and overridden per-request when needed.

Parameter	Config File Location	Request Override Path	When to Override
`urlPrefix`	`verifier-service.conf` → `urlPrefix`	`url_config.url_prefix`	Testing with ngrok, different environments per session
`urlHost`	`verifier-service.conf` → `urlHost`	`url_config.url_host`	Custom authorization endpoints, conformance testing
`clientId`	`verifier-service.conf` → `clientId`	`core_flow.clientId`	Different verifier identities per use case
`clientMetadata`	`verifier-service.conf` → `clientMetadata`	`core_flow.client_metadata`	Session-specific branding, multi-tenant scenarios
Signing key	`verifier-service.conf` → `key`	`core_flow.key`	Different signing keys per session (advanced)
Certificate chain	`verifier-service.conf` → `x5c`	`core_flow.x5c`	Different certificate chains per session (x509 flows)

Best Practice: Set defaults in verifier-service.conf for your primary use case, and override per-request only when necessary. This keeps your API calls clean and reduces duplication.

See Verifier Service Configuration for detailed configuration documentation.

#Advanced Options

#Requesting Specific Claims

SD-JWT VCs support selective disclosure. You can request specific claims using the claims array:

{
  "flow_type": "cross_device",
  "core_flow": {
    "dcql_query": {
      "credentials": [
        {
          "id": "credential_1",
          "format": "dc+sd-jwt",
          "meta": {
            "vct_values": [
              "https://issuer.demo.walt.id/draft13/identity_credential"
            ]
          },
          "claims": [
            {
              "path": ["given_name"]
            },
            {
              "path": ["family_name"]
            },
            {
              "path": ["address", "street_address"]
            }
          ]
        }
      ]
    }
  }
}

This requests only given_name, family_name, and address.street_address from the identity credential. The user's wallet will only disclose these specific claims.

#Custom Policies

Override default validation policies:

{
  "flow_type": "cross_device",
  "core_flow": {
    "dcql_query": { /* ... */ },
    "policies": {
      "vc_policies": [
        {
          "policy": "signature"
        },
        {
          "policy": "expired"
        },
        {
          "policy": "not-before"
        }
      ]
    }
  }
}

See Policies overview for all available policies.

#Signed Requests

Sign the authorization request JWT using a verifier signing key. This is required for:

HAIP profile compliance
DC API Annex C (ISO 18013-7) flows

Enable by setting core_flow.signed_request: true and providing a key and x5c (certificate chain).

#Encrypted Responses

The wallet can encrypt the VP token response. Enable by setting core_flow.encrypted_response: true.

#Next Steps

Apply custom policies — See Policies for validation rules beyond signature verification
Set up notifications — Use Callbacks & SSE instead of polling for session status
Verify other credential types — Try W3C VC or mDL
Use DC API — Try the Digital Credentials API for browser-native credential exchange

Last updated on May 20, 2026

Verifying Verifiable Credentials (W3C) via OID4VP Verifying Mobile Driver's Licenses (mDL, ISO/IEC 18013-5) via OID4VP