OpenID Metadata

Via the openid-metadata config, the verifier service can be configured to expose details such as verifier name and logo in a standardized way with other services such as digital wallets. These services can then use this information to display a human-readable verifier name and logo to the end-user during credential exchange.

Learn more about the client_name and logo_uri info exposure in the OAuth 2.0 standard here.

The configured info will be exposed via the public endpoint /.well-known/openid-configuration.

The Verifier API 2 supports RFC 7591 internationalized client metadata fields, allowing you to provide localized versions of client information for different languages. This enables wallets to display verifier information in the user's preferred language.

Supported Internationalized Fields

The following fields support internationalization using BCP 47 language tags:

  • client_name: client_name#language-tag (e.g., client_name#fr-FR)
  • logo_uri: logo_uri#language-tag (e.g., logo_uri#de)
  • tos_uri: tos_uri#language-tag (Terms of Service URI)
  • policy_uri: policy_uri#language-tag (Privacy Policy URI)
  • client_uri: client_uri#language-tag (Client URI)

Language tags follow BCP 47 format:

  • Simple language: en, fr, de, es
  • Language with region: en-US, fr-FR, de-DE, es-ES
  • Language with script: zh-Hans, zh-Hant

Best Practices:

  • Always provide a base/default value (non-tagged field) as a fallback
  • Use consistent language tags throughout your configuration
  • Only add language variants you actually need

The new OpenID4VP 1.0 specification introduces additional objects to the client metadata object. These are:

  • jwks: OPTIONAL. A JSON Web Key Set, as defined in RFC 7591, that contains one or more public keys, such as those used by the Wallet as an input to a key agreement that may be used for encryption of the Authorization Response (see Section 8.3), or where the Wallet will require the public key of the Verifier to generate a Verifiable Presentation. This allows the Verifier to pass ephemeral keys specific to this Authorization Request. Public keys included in this parameter MUST NOT be used to verify the signature of signed Authorization Requests. Each JWK in the set MUST have a kid (Key ID) parameter that uniquely identifies the key within the context of the request.
  • encrypted_response_enc_values_supported: OPTIONAL. Non-empty array of strings, where each string is a JWE (RFC 7516) enc algorithm that can be used as the content encryption algorithm for encrypting the Response. When a response_mode requiring encryption of the Response (such as dc_api.jwt or direct_post.jwt) is specified, this MUST be present for anything other than the default single value of A128GCM. Otherwise, this SHOULD be absent.
  • vp_formats_supported: REQUIRED when not available to the Wallet via another mechanism. As defined in Section 11.1.
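
The rules above (untagged fallback, well-formed language tags, public-only keys with a unique kid, non-empty enc array) can be checked before a clientMetadata object is sent to the update endpoint. This is an added example, not walt.id code: lint_client_metadata and the sample data are hypothetical, and the tag pattern is a simplified BCP 47 shape that also enforces conventional casing.

```python
import re

# Tag shape language[-Script][-REGION] in conventional casing (the forms listed above).
TAG_RE = re.compile(r"^[a-z]{2,3}(-[A-Z][a-z]{3})?(-[A-Z]{2})?$")
I18N_FIELDS = {"client_name", "logo_uri", "tos_uri", "policy_uri", "client_uri"}
# JWK members that appear only on private or symmetric keys (RFC 7518).
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def lint_client_metadata(meta):
    """Return a list of findings for a clientMetadata object; empty means clean."""
    findings = []
    for key in meta:
        base, sep, tag = key.partition("#")
        if not sep or base not in I18N_FIELDS:
            continue
        if not TAG_RE.match(tag):
            findings.append(f"{key}: language tag is not BCP 47 shaped")
        if base not in meta:
            findings.append(f"{key}: no untagged {base} fallback")
    seen = set()
    for jwk in meta.get("jwks", {}).get("keys", []):
        kid = jwk.get("kid")
        if not kid or kid in seen:
            findings.append(f"jwks: kid {kid!r} is missing or not unique")
        seen.add(kid)
        leaked = sorted(PRIVATE_JWK_MEMBERS.intersection(jwk))
        if leaked:
            findings.append(f"jwks: kid {kid!r} carries non-public members {leaked}")
    enc = meta.get("encrypted_response_enc_values_supported")
    if enc is not None and not (isinstance(enc, list) and enc):
        findings.append("encrypted_response_enc_values_supported: must be a non-empty array")
    return findings


# Constructed sample, one defect per rule; key material is placeholder text.
BAD = {
    "client_name": "Example Verifier",
    "client_name#fr_FR": "Vérificateur Exemple",
    "logo_uri#de": "https://verifier.example.com/logo-de.png",
    "jwks": {"keys": [
        {"kty": "EC", "crv": "P-256", "kid": "enc-1", "x": "<x>", "y": "<y>", "d": "<d>"},
        {"kty": "EC", "crv": "P-256", "kid": "enc-1", "x": "<x>", "y": "<y>"},
    ]},
    "encrypted_response_enc_values_supported": [],
}

for finding in lint_client_metadata(BAD):
    print(finding)
```

The private-member check matters because this metadata is served from a public endpoint: a JWK that still carries d or k would publish the decryption key for the encrypted responses.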

Get OpenID Metadata

CURL

Endpoint: /v1/{target}/verifier-service-api/configuration/openid-metadata/view | API Reference

Example Request

curl -X 'GET' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/verifier-service-api/configuration/openid-metadata/view' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json'

Path Parameters

  • orgID: When performing operations within an organization, use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
  • target: resourceIdentifier - The target indicates the organization + tenant + verifier service ({organizationID}.{tenantID}.{verifierServiceID}), e.g. waltid.tenant1.verifier1

Example Response

  • 200 - metadata retrieved successfully. See Response Structure below for details.
  • 401 - Invalid authentication

Update OpenID Metadata

CURL

Endpoint: /v1/{target}/verifier-service-api/configuration/openid-metadata/update | API Reference

Example Request

curl -X 'PUT' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/verifier-service-api/configuration/openid-metadata/update' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "baseUrl": "http://org.enterprise.localhost:3000",
  "clientId": "did:jwk:...",
  "clientMetadata": {
    "client_name": "walt.id Enterprise Verifier",
    "client_name#fr-FR": "Vérificateur Enterprise walt.id",
    "logo_uri": "https://cdn.walt.id/verifier/logo.png"
  }
}'

Path Parameters

  • orgID: When performing operations within an organization, use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
  • target: resourceIdentifier - The target indicates the organization + tenant + verifier service ({organizationID}.{tenantID}.{verifierServiceID}), e.g. waltid.tenant1.verifier1

Body Parameters

All fields in clientMetadata are optional. See Response Structure for the complete structure.

Example Response

  • 200 - metadata updated successfully. Returns the same structure as Get OpenID Metadata.
  • 401 - Invalid authentication

Response Structure

The response contains the following structure:

{
  "baseUrl": "http://org.enterprise.localhost:3000",
  "clientId": "did:jwk:...",
  "clientMetadata": {
    "client_name": "walt.id Enterprise Verifier",
    "client_name#fr-FR": "Vérificateur Enterprise walt.id",
    "client_name#de": "walt.id Enterprise Prüfer",
    "logo_uri": "https://cdn.walt.id/verifier/logo.png",
    "logo_uri#fr-FR": "https://cdn.walt.id/verifier/logo-fr.png",
    "tos_uri": "https://verifier.example.com/terms",
    "policy_uri": "https://verifier.example.com/privacy",
    "client_uri": "https://verifier.example.com",
    "jwks": {
      "keys": [...]
    },
    "encrypted_response_enc_values_supported": ["A128GCM"],
    "vp_formats_supported": ["vp_jwt"]
  }
}

Response Fields

  • baseUrl String: The base URL of the verifier.
  • clientId String: The client ID of the verifier.
  • clientMetadata Object: The client metadata object containing:
    • Base fields (provide fallback values):
      • client_name String: Human-readable name of the verifier.
      • logo_uri String: URL referencing the verifier logo.
      • tos_uri String (optional): Terms of Service URI.
      • policy_uri String (optional): Privacy Policy URI.
      • client_uri String (optional): Client URI.
    • Internationalized fields (optional, use #language-tag suffix):
      • client_name#language-tag String: Localized client name (e.g., client_name#fr-FR, client_name#de).
      • logo_uri#language-tag String: Localized logo URI.
      • tos_uri#language-tag String: Localized Terms of Service URI.
      • policy_uri#language-tag String: Localized Privacy Policy URI.
      • client_uri#language-tag String: Localized Client URI.
    • OpenID4VP fields:
      • jwks Object (optional): JSON Web Key Set for encryption/verification.
      • encrypted_response_enc_values_supported Array (optional): Supported encryption algorithms (e.g., ["A128GCM"]).
      • vp_formats_supported Array (optional): Supported VP formats (e.g., ["vp_jwt"]).

Note: When using internationalized fields, always provide a base/default value (non-tagged field) as a fallback. Wallets will select the appropriate language variant based on user preferences or Accept-Language headers.
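
One way a wallet could resolve these fields, shown as an added example (not walt.id or wallet code): pick_localized is a hypothetical helper that applies a simplified RFC 4647 lookup, truncating each preferred language range until a tagged variant matches and otherwise returning the untagged base. Real wallets may use a different matching strategy.

```python
# Values copied from the Response Structure on this page.
META = {
    "client_name": "walt.id Enterprise Verifier",
    "client_name#fr-FR": "Vérificateur Enterprise walt.id",
    "client_name#de": "walt.id Enterprise Prüfer",
    "logo_uri": "https://cdn.walt.id/verifier/logo.png",
    "logo_uri#fr-FR": "https://cdn.walt.id/verifier/logo-fr.png",
}


def pick_localized(meta, field, preferred):
    """Return (value, matched_tag); matched_tag is None when the untagged base is used."""
    variants = {}
    for key, value in meta.items():
        base, sep, tag = key.partition("#")
        if sep and base == field:
            variants[tag.lower()] = (value, tag)  # language tags compare case-insensitively
    for language_range in preferred:
        parts = language_range.lower().split("-")
        while parts:  # de-AT, then de: drop the last subtag until something matches
            hit = variants.get("-".join(parts))
            if hit:
                return hit
            parts.pop()
    return meta.get(field), None


for prefs in (["de-AT", "en"], ["fr-FR"], ["fr"], ["es"]):
    print(prefs, "->", pick_localized(META, "client_name", prefs))
```

Under this strategy a preference of fr does not match the fr-FR variant and falls through to the base value, and a configuration with no base value would leave the wallet with nothing to display for unmatched languages.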


Last updated on January 6, 2026