Verify Mobile Driver's Licenses (ISO/IEC 18013-7 mDL) via OID4VP
This guide walks through verifying an mDL based on the ISO/IEC 18013-7 standard using the walt.id Enterprise Verifier API. The verification process uses the OID4VP protocol.
Enterprise Service Dependencies
To verify credentials, you need to have the following enterprise services set up:
- Verifier Service - Have a running verifier service. Setup instructions can be found here.
Verification Process
- Set mDL as the credential type to request from a user.
- Specify the claims from the mDL that are subject to presentation.
- Optionally provide a success and failure redirect URL, which the user will be redirected to after the verification process is completed.
After you have provided the required information, the Verifier API:
- Generates an appropriate DCQL Query
- Returns a URL which can be passed to a compliant wallet to fulfill the request.
Example Verification Request
Core Concepts
A VerificationSession defines the full lifecycle from authorization request → user presentation → policy validation → final result.
New structure:
{
  "flow_type": "cross_device | same_device | dcapi",
  "core_flow": { ... },
  "flow_attributes": { ... }
}
Changes Compared to Verifier 1
- The previous “single request body” has been decomposed into core and flow-specific sections.
- Session creation now explicitly defines expected behaviour for the chosen flow.
- Flow attributes are validated upfront, preventing misconfigured flows.
Flow-Specific Attributes
Each flow type introduces specific required fields:
| Flow Type | Required Attributes | Notes |
|---|---|---|
| cross_device | None beyond core flow | Standard QR-code based |
| same_device | Optional UI hints | For in-app / embedded flows |
| dcapi | expectedOrigins | Mandatory for Google / Apple DC API verification |
Endpoint: /v1/{target}/verifier2-service-api/verification-session/create | API Reference
Example Request
curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/verifier-service-api/credentials/verify' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "flow_type": "cross_device",
  "core_flow": {
    "dcql_query": {
      "credentials": [
        {
          "id": "my_photoid",
          "format": "mso_mdoc",
          "meta": { "doctype_value": "org.iso.23220.photoid.1" },
          "claims": [
            { "path": ["org.iso.18013.5.1", "family_name_unicode"] },
            { "path": ["org.iso.18013.5.1", "given_name_unicode"] },
            { "path": ["org.iso.18013.5.1", "issuing_authority_unicode"] },
            {
              "path": ["org.iso.18013.5.1", "resident_postal_code"],
              "values": [1180, 1190, 1200, 1210]
            },
            {
              "path": ["org.iso.18013.5.1", "issuing_country"],
              "values": ["AT"]
            },
            { "path": ["org.iso.23220.photoid.1", "person_id"] },
            { "path": ["org.iso.23220.photoid.1", "resident_street"] },
            { "path": ["org.iso.23220.photoid.1", "administrative_number"] },
            { "path": ["org.iso.23220.photoid.1", "travel_document_number"] },
            { "path": ["org.iso.23220.dtc.1", "dtc_version"] },
            { "path": ["org.iso.23220.dtc.1", "dtc_dg1"] }
          ]
        }
      ]
    },
    "policies": {
      "vc_policies": [
        { "policy": "signature" },
        {
          "policy": "vical",
          "vical": "<base64 encoded VICAL file>",
          "enableDocumentTypeValidation": false,
          "enableTrustedChainRoot": false,
          "enableSystemTrustAnchors": false,
          "enableRevocation": false
        }
      ]
    }
  },
  "redirects": {
    "successRedirectUrl": "https://example.com/success",
    "errorRedirectUrl": "https://example.com/error"
  },
  "urlHost": "https://example.com",
  "urlPrefix": "openid4vp://authorize",
  "signedRequest": true,
  "encryptedResponse": false
}'
Path Parameters
- orgID: Your organization ID (e.g., testfortest.enterprise-sandbox.waltid.dev)
- target: The verifier service target path (e.g., waltid.verifier1)
Header Parameters
- Authorization: Bearer token authentication is required for enterprise stack
Body Parameters
- flow_type: The flow type to be used for the verification.
- core_flow: The core flow to be used for the verification.
- dcql_query: The DCQL query to be used for the verification.
- policies: The policies to be applied to the verification. You can find a list of all policies here.
- vical: The VICAL file to be used for the verification. This is a key part of the validation of mDoc credentials. You can find more information about the VICAL policy here.
- redirects - An object containing the success and error redirect URLs. In previous versions of the verifier service, the redirect URLs were passed through headers successRedirectUri and errorRedirectUri.
- urlHost - The host of the URL to be used for the verification session. In previous versions of the verifier service, the urlHost was passed through header authorizeBaseUrl.
- urlPrefix - The prefix of the URL to be used for the verification session.
- signedRequest - Whether the request should be signed.
- encryptedResponse - Whether the response should be encrypted.
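An added example, not walt.id code: a pre-flight check that applies the rules stated on this page (the three flow types, expectedOrigins for dcapi) together with the DCQL rules for mso_mdoc queries, so a malformed body is caught before it is sent. The function name, the placement of expectedOrigins inside flow_attributes, and the two sample bodies are assumptions made for the example.

```python
FLOW_TYPES = {"cross_device", "same_device", "dcapi"}  # flow types named on this page

def check_session_request(body):
    """Return a list of problems; an empty list means the body looks well-formed."""
    problems = []
    flow = body.get("flow_type")
    if flow not in FLOW_TYPES:
        problems.append(f"unknown flow_type {flow!r}")
    # Assumption: expectedOrigins is a non-empty list inside flow_attributes.
    if flow == "dcapi" and not (body.get("flow_attributes") or {}).get("expectedOrigins"):
        problems.append("dcapi requires flow_attributes.expectedOrigins")
    query = (body.get("core_flow") or {}).get("dcql_query") or {}
    creds = query.get("credentials") or []
    if not creds:
        problems.append("dcql_query.credentials is missing or empty")
    ids = [c.get("id") for c in creds]
    if len(ids) != len(set(ids)):
        problems.append("credential query ids are not unique")
    for c in creds:
        if c.get("format") != "mso_mdoc":
            continue  # only the mdoc rules are checked in this example
        cid = c.get("id")
        if not (c.get("meta") or {}).get("doctype_value"):
            problems.append(f"{cid}: meta.doctype_value is missing")
        for claim in c.get("claims") or []:
            path = claim.get("path")
            # For mso_mdoc a claim path is exactly [namespace, data element].
            if not (isinstance(path, list) and len(path) == 2
                    and all(isinstance(p, str) for p in path)):
                problems.append(f"{cid}: bad mdoc claim path {path!r}")
            # DCQL value constraints are strings, integers or booleans.
            for v in claim.get("values") or []:
                if not isinstance(v, (str, int, bool)):
                    problems.append(f"{cid}: unsupported value {v!r} for {path!r}")
    return problems

# Constructed sample bodies, shortened from the request shown above.
GOOD = {"flow_type": "cross_device", "core_flow": {"dcql_query": {"credentials": [{
    "id": "my_photoid", "format": "mso_mdoc",
    "meta": {"doctype_value": "org.iso.23220.photoid.1"},
    "claims": [{"path": ["org.iso.18013.5.1", "issuing_country"], "values": ["AT"]},
               {"path": ["org.iso.18013.5.1", "resident_postal_code"], "values": [1180, 1190]}]}]}}}
BAD = {"flow_type": "dcapi", "core_flow": {"dcql_query": {"credentials": [{
    "id": "my_photoid", "format": "mso_mdoc", "meta": {},
    "claims": [{"path": ["issuing_country"], "values": [{"eq": "AT"}]}]}]}}}

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_session_request(body) or "ok")
```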
Example Response
The verification endpoint will return a presentation session with a URL that can be used to complete the verification process:
mdoc-openid4vp://authorize?client_id=waltid.verifier1&request_uri=https://test.enterprise-sandbox.waltid.dev/v1/waltid.verifier1/verifier-service-api/openid4vc/request&response_type=vp_token&response_mode=direct_post.jwt&scope=openid&state=1234567890
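An added example, not walt.id code: a sanity check a backend can run on the returned URL before rendering it as a QR code or deep link, confirming the scheme, that no parameter is repeated, and that request_uri is an https URL on the expected verifier host. The function name, the scheme allowlist, the expected host and the bad URL are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

def check_authorization_url(url, allowed_schemes, expected_host):
    """Return a list of problems found in the returned authorization URL."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        problems.append(f"unexpected URL scheme {parts.scheme!r}")
    params = parse_qs(parts.query, keep_blank_values=True)
    # A repeated parameter lets two parsers disagree about which value counts.
    for name, values in params.items():
        if len(values) > 1:
            problems.append(f"parameter {name!r} appears {len(values)} times")
    if not params.get("client_id", [""])[0]:
        problems.append("client_id is missing")
    request_uri = urlsplit(params.get("request_uri", [""])[0])
    # The wallet fetches the request from request_uri, so pin transport and host.
    if request_uri.scheme != "https":
        problems.append("request_uri is not an https URL")
    if request_uri.hostname != expected_host:
        problems.append(
            f"request_uri host {request_uri.hostname!r} is not {expected_host!r}")
    return problems

# URL copied from the example response on this page.
PAGE_URL = ("mdoc-openid4vp://authorize?client_id=waltid.verifier1"
            "&request_uri=https://test.enterprise-sandbox.waltid.dev/v1/waltid.verifier1"
            "/verifier-service-api/openid4vc/request&response_type=vp_token"
            "&response_mode=direct_post.jwt&scope=openid&state=1234567890")
# Constructed bad URL: request_uri is repeated and its first copy is plain http
# on a different host.
BAD_URL = ("openid4vp://authorize?client_id=waltid.verifier1"
           "&request_uri=http://verifier.example.net/request"
           "&request_uri=https://test.enterprise-sandbox.waltid.dev/request")
SCHEMES = {"openid4vp", "mdoc-openid4vp"}  # the two prefixes that appear on this page
HOST = "test.enterprise-sandbox.waltid.dev"

if __name__ == "__main__":
    for u in (PAGE_URL, BAD_URL):
        print(check_authorization_url(u, SCHEMES, HOST) or "ok")
```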
Validating the Verification Session
You can query the verification session by using the following endpoint:
curl -X 'GET' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{creationTarget}/verifier2-service-api/verification-session/info' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {yourToken}'
Path Parameters
- orgID: When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
- creationTarget: resourceIdentifier - The creation target returned when creating the verification session. It is a concatenation of the target resource and the session ID.
This will return the verification session object containing the following useful fields:
- status: The status of the verification session.
- attempted: Whether the verification session has been attempted.
- reattemptable: Whether the verification session can be retried.
- policyResults: The results of the policies applied to the verification session.
- presentedRawData: The raw data of the verifiable presentation token.
- presentedCredentials: The parsed credentials presented by the user.
Policy results will be split into vcPolicy and vpPolicy results. More information about the policy results can be found here.
Alternatively, if you do not want to poll the verification session, you can use a callback or Server-Sent Events (SSE) to be notified when the verification session is completed.
