Overview
The Client Attestation Service enables secure wallet authentication during credential issuance flows. It implements the OAuth 2.0 Attestation-Based Client Authentication specification, allowing issuers to verify that credential requests originate from trusted wallet applications.
What is Client Attestation?
Client attestation is a mechanism that allows an OAuth 2.0 authorization server (in this case, the Issuer2 Service) to verify the identity and integrity of a client application (wallet) before issuing credentials. This is particularly important in high-assurance credential issuance scenarios where the issuer needs to ensure that:
- The wallet application is genuine and has not been tampered with
- The wallet is authorized to receive credentials
- The credential request originates from a trusted source
How It Works
The client attestation flow involves three parties:
- Client Attester Service – A trusted backend service that issues attestation JWTs to wallets
- Wallet Service – The wallet application that obtains attestations and presents them to issuers
- Issuer2 Service – The credential issuer that verifies attestations before issuing credentials
Key Concepts
Attestation JWT
The attestation JWT is signed by the Client Attester Service and contains:
- sub – The client identifier (wallet ID)
- exp – Expiration timestamp
- cnf.jwk – The wallet's instance public key (used to verify the PoP)
Proof of Possession (PoP) JWT
The PoP JWT is signed by the wallet using its instance key and proves that the wallet possesses the private key corresponding to the cnf.jwk in the attestation. It contains:
- aud – The issuer's RFC 8414 issuer identifier URL
- iat – Issuance timestamp
- jti – Unique identifier for replay protection
HTTP Headers
Per the specification, attestation is transmitted via two HTTP headers on the token request:
- OAuth-Client-Attestation – Contains the attestation JWT
- OAuth-Client-Attestation-PoP – Contains the PoP JWT
Verification Methods
The Issuer2 Service supports three methods for verifying attestation JWT signatures:
| Method | Description | Use Case |
|---|---|---|
| Static JWK | Verify against a static public key provided inline | Simple deployments, testing |
| KMS Key | Verify against a key stored in the KMS | When attester and issuer share the same enterprise instance |
| X.509 Chain | Verify via X.509 certificate chain validation | Regulated environments (e.g., VICAL, eIDAS) |
Service Dependencies
The Client Attestation Service requires:
- KMS Service – For storing the attestation signing key
Get Started
- Setup – How to create and configure a Client Attestation Service
- Wallet Integration – How wallets obtain and use attestations
- Issuer Integration – How to configure issuers to require attestation
Operational Endpoints
All lifecycle, configuration, dependency, and metadata operations for this service are documented under Administration → Service Operations:
