Verifying Mobile Driver's Licenses (mDL, ISO/IEC 18013-5) via OID4VP
This guide shows you how to verify ISO/IEC 18013-5 mobile driver's licenses (mDL) using the walt.id Enterprise Stack Verifier2 API and the OID4VP protocol. The verification process sends a credential request to a holder's wallet, receives the signed presentation, and validates it against your policies.
mDL (Mobile Driver's License): A digital representation of a driver's license based on the ISO/IEC 18013-5 standard, stored securely on digital ID wallet.
OID4VP: A protocol specifying how parties can present digital credentials in a way that's consistent and secure across platforms ensuring interoperability.
Prerequisites
Before you begin, ensure you have:
- Enterprise Verifier2 Service setup — Follow the Setup guide
- Valid authentication token — Required for all API calls to the Enterprise Stack
- A test wallet with credentials — Use the walt.id Wallet for testing, or any OID4VP-compatible wallet
Enterprise Architecture: The Enterprise Verifier2 Service runs as a dedicated microservice within your organization's infrastructure. All requests are scoped to {organizationID}.{tenantID}.{verifierServiceID} for multi-tenancy isolation.
mDL Verification Requirement: Verifying mDL credentials requires a clientId to be configured during verifier2 service setup. If you created your service without setting a clientId, you'll need to recreate it with one before mDL verification will work.
Example 1: Basic Verification
This example requests a mobile driver's license (mDL) and verifies its cryptographic signature using the default signature policy.
CURL
Endpoint: POST /v1/{target}/verifier2-service-api/verification-session/create | API Reference
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/verifier2-service-api/verification-session/create' \
-H 'accept: application/json' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"flow_type": "cross_device",
"core_flow": {
"dcql_query": {
"credentials": [
{
"id": "credential_1",
"format": "mso_mdoc",
"meta": {
"doctype_value": "org.iso.18013.5.1.mDL"
},
"claims": [
{
"path": [
"org.iso.18013.5.1",
"family_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"given_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"birth_date"
]
}
]
}
]
},
"policies": {
"vc_policies": [
{
"policy": "signature"
}
]
}
}
}'
Path Parameters
- orgID: String (required) - Your organization ID (e.g.,
testfortest.enterprise-sandbox.waltid.dev) - target: String (required) - The verifier service target path (e.g.,
waltid.verifier1)
Header Parameters
- Authorization: String (required) - Bearer token for Enterprise Stack authentication. Format:
Bearer {token}. Obtain from your Enterprise Stack authentication flow.
Body Parameters
- flow_type: String (required) - Specifies how the credential request will be delivered to the holder's wallet. Options:
"cross_device"— User scans a QR code on a different device (e.g. desktop browser → phone wallet)"same_device"— User clicks a deep link on the same device (e.g. phone browser → wallet app on same phone)"dc_api"— Browser/OS-native Digital Credentials API (Chrome, Safari, iOS/Android native) over OpenID4VP 1.0 (Annex D)."dc_api-annex-c"— Browser/OS-native Digital Credentials API (Chrome, Safari, iOS/Android native) over 18013-7 (Annex C).
- core_flow: Object (required) - Defines what credentials to request and which policies to apply. Contains:
- dcql_query: Object (required) - Specifies the credential type, format, and claims to request using the DCQL query language. You can also use the DCQL builder here.
- credentials: Array - List of credential queries. Each credential query contains:
- id: String - Unique identifier for this credential in the request (used in policy results)
- format: String - Credential format. For mDL, use
"mso_mdoc"(mobile security object document). - meta.doctype_value: String - The ISO mDL document type. For mobile driver's licenses, use
"org.iso.18013.5.1.mDL". - claims: Array (optional) - Specific claims to request from the credential. Each claim has a
patharray with namespace and claim name (e.g.["org.iso.18013.5.1", "family_name"]). If omitted, all claims that are non-selectively disclosable are provided by the wallet.
- credentials: Array - List of credential queries. Each credential query contains:
- policies: Object (optional) - Validation rules applied to the received credential. Defaults to signature verification only if omitted.
- vc_policies: Array - Policies applied to individual credentials. Each policy has a
policyfield specifying the policy name. Available policies:signature,expired,not-before,revoked-status-list,schema, and more. See Policies for the complete list. - vp_policies: Array (optional) - Policies applied to the entire presentation (not shown in this example)
- vc_policies: Array - Policies applied to individual credentials. Each policy has a
- signedRequest: Boolean (optional) - Whether to sign the authorization request JWT. Required for HAIP profile compliance and DC API Annex C (ISO 18013-7) flows. Defaults to
false. See Signed Requests to learn more. - encryptedResponse: Boolean (optional) - Whether the wallet should encrypt the VP token response. Defaults to
false. See Encrypted Responses to learn more. - key: Object (optional) - Signing key for this verification session. Overrides the service-wide default
keyconfigured during verifier2 service creation. Must be a serialized key in the format{"type":"jwk","jwk":{...}}. Required whensignedRequest: trueorencryptedResponse: trueand no service-wide default is configured. See Signed Requests and Encrypted Responses for when this is needed. - x5c: Array of Strings (optional) - X.509 certificate chain for this verification session. Overrides the service-wide default
x5cconfigured during verifier2 service creation. Must be an ordered chain in DER-encoded, Base64-encoded format where the first certificate corresponds to thekey. Required for X.509-based client authentication (x509_san_dns:orx509_hash:asclientId) and signed Annex C requests. See Signed Requests to learn more. - verifier_info: Object (optional) - An array of attestations about the Verifier relevant to the Credential Request. Each object is a JSON object with the following fields:
- format: String - The format of the attestation. Currently only
"jwt"is supported. - data: String - The attestation data in JWT format.
- credentialIds: Array (optional) - Specifies which credentials in your DCQL query this attestation applies to. References the
idfields from yourcredentialsarray in the DCQL query. If omitted, the attestation applies to all requested credentials.
- format: String - The format of the attestation. Currently only
- expirationDuration: String (optional) - ISO-8601 duration specifying how long the verification session remains valid. Defaults to 10 minutes (
PT10M). Example:"PT1H"for 1 hour,"PT30M"for 30 minutes. - expirationDate: String (optional) - ISO-8601 datetime specifying the exact time when the session expires. Takes precedence over
expirationDurationif both are set. Example:"2026-05-21T15:00:00Z". Session expires if left unused (no presentation pushed). Once a presentation is received, the session is no longer eligible for expiry.
- dcql_query: Object (required) - Specifies the credential type, format, and claims to request using the DCQL query language. You can also use the DCQL builder here.
- openid: Object (optional) - OpenID4VP-specific extensions
- transactionData: Array (optional) - Bind the credential presentation to a specific transaction (e.g., payment authorization, account access). Each entry references credential IDs and includes transaction details. See Transaction Data Authorization for full documentation.
- url_config: Object (optional) - URL configuration for this session. Only applies to
cross_deviceandsame_deviceflows (notdc_api).- url_prefix: String (optional) - The publicly accessible base URL where the wallet will fetch the authorization request and post its response.
- The service constructs: Request URI:
{urlPrefix}/{target}/verifier2-service-api/{sessionId}/requestand Response URI:{urlPrefix}/{target}/verifier2-service-api/{sessionId}/response - Must be reachable by the wallet (use ngrok or public URL for local development)
- The service constructs: Request URI:
- url_host: String (optional) - The base URL used to construct the authorization request link. Can be set as a service-wide default during verifier2 service creation and overridden per-session here.
- For standard OID4VP flows, use
"openid4vp://authorize"(default) - For custom authorization endpoints (e.g. conformance testing), provide a full HTTPS URL
- For standard OID4VP flows, use
- url_prefix: String (optional) - The publicly accessible base URL where the wallet will fetch the authorization request and post its response.
- redirects: Object (optional) - Success and error redirect URLs (only for
cross_deviceandsame_deviceflows)- successRedirectUri: String - URL to redirect the user after successful verification
- errorRedirectUri: String - URL to redirect the user if verification fails
Service-Level Defaults: The
key,x5c, andurl_hostparameters can be configured as service-wide defaults during verifier2 service creation. Request-level parameters provided here override these defaults for that specific session only.
Example Response
The response contains the session ID and authorization URLs to present to the user.
{
"sessionId": "b68503d9-432c-49e7-97f8-5a1a7029c13a",
"bootstrapAuthorizationRequestUrl": "openid4vp://authorize?client_id=did%3Ajwk%3AeyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0&request_uri=https%3A%2F%2Fwaltid.testing-0-20-0.enterprise.test.waltid.cloud%2Fv1%2Fwaltid.tenant1.verifier3%2Fverifier2-service-api%2Fb68503d9-432c-49e7-97f8-5a1a7029c13a%2Frequest",
"fullAuthorizationRequestUrl": "openid4vp://authorize?response_type=vp_token&client_id=did%3Ajwk%3AeyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0&state=57ce75d0-c42b-4779-988f-65ca3a07a060&response_mode=direct_post&nonce=01ebdfac-948b-4e49-b2a6-b959a039d860&response_uri=https%3A%2F%2Fwaltid.testing-0-20-0.enterprise.test.waltid.cloud%2Fv1%2Fwaltid.tenant1.verifier3%2Fverifier2-service-api%2Fb68503d9-432c-49e7-97f8-5a1a7029c13a%2Fresponse&dcql_query=%7B%22credentials%22%3A%5B%7B%22id%22%3A%22credential_1%22%2C%22format%22%3A%22mso_mdoc%22%2C%22meta%22%3A%7B%22doctype_value%22%3A%22org.iso.18013.5.1.mDL%22%7D%2C%22claims%22%3A%5B%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22family_name%22%5D%7D%2C%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22given_name%22%5D%7D%2C%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22birth_date%22%5D%7D%5D%7D%5D%7D&client_metadata=%7B%22vp_formats_supported%22%3A%7B%22mso_mdoc%22%3A%7B%22issuerauth_alg_values%22%3A%5B-7%2C-9%2C-50%5D%2C%22deviceauth_alg_values%22%3A%5B-7%2C-9%2C-50%2C-65537%5D%7D%7D%2C%22client_name%22%3A%22Verifier%22%7D",
"creationTarget": "waltid.tenant1.verifier3.b68503d9-432c-49e7-97f8-5a1a7029c13a"
}
- sessionId: String - The unique ID of this verification session. Use this to query the session status.
- bootstrapAuthorizationRequestUrl: String - Shortened URL using
request_uriby reference. Use this for QR codes to minimize QR code density. - fullAuthorizationRequestUrl: String - Complete URL with all parameters embedded. Use this if the wallet doesn't support
request_uri(rare). - creationTarget: String - The full resource path including the session ID. Use this as the
{creationTarget}path parameter when querying session info.
Presenting the Request to the User
After creating the session, you need to present the authorization request to the user based on the flow type you chose.
Cross-Device Flow (QR Code)
- Generate a QR code from the
bootstrapAuthorizationRequestUrl - Display the QR code to the user on your web page or application
- User scans the QR code with their wallet app
- Wallet presents the credential and posts the response to your verifier
- Monitor the session status by polling the session endpoint or using SSE/callbacks (see below)
Same-Device Flow (Deep Link)
- Redirect the user to the
bootstrapAuthorizationRequestUrl - User's wallet app opens automatically (via deep link)
- Wallet presents the credential and posts the response to your verifier
- User is redirected to your
successRedirectUriorerrorRedirectUri - Query the session status to retrieve the verification results
Checking Verification Results
You can query the verification session to check if the user has presented their credential and whether validation succeeded.
CURL
Endpoint: GET /v1/{target}/verifier2-service-api/verification-session/{sessionId}/info | API Reference
Example Request
curl -X 'GET' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/verifier2-service-api/verification-session/{sessionId}/info' \
-H 'accept: application/json' \
-H 'Authorization: Bearer {yourToken}'
Path Parameters
- orgID: String (required) - Your organization ID (e.g.,
testfortest.enterprise-sandbox.waltid.dev) - target: String (required) - The verifier service target path (e.g.,
waltid.verifier1) - sessionId: String (required) - The unique ID of the verification session returned when you created the session. Use this to query the current status and results.
Header Parameters
- Authorization: String (required) - Bearer token for Enterprise Stack authentication. Format:
Bearer {token}.
Example Response
The response contains the complete session information including setup, status, policy results, and presented credentials.
{
"_id": "waltid.tenant1.verifier3.b68503d9-432c-49e7-97f8-5a1a7029c13a",
"session": {
"id": "b68503d9-432c-49e7-97f8-5a1a7029c13a",
"setup": {
"flow_type": "cross_device",
"core_flow": {
"dcql_query": {
"credentials": [
{
"id": "credential_1",
"format": "mso_mdoc",
"multiple": false,
"meta": {
"doctype_value": "org.iso.18013.5.1.mDL",
"format": "mso_mdoc"
},
"require_cryptographic_holder_binding": true,
"claims": [
{
"path": [
"org.iso.18013.5.1",
"family_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"given_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"birth_date"
]
}
]
}
]
},
"signed_request": false,
"encrypted_response": false,
"policies": {
"vc_policies": [
{
"policy": "signature",
"id": "signature"
}
]
}
},
"url_config": {}
},
"creationDate": "2026-05-20T12:53:33.892550815Z",
"expirationDate": "2026-05-20T13:03:52.467486314Z",
"retentionDate": "2036-05-20T12:53:33.892550815Z",
"status": "SUCCESSFUL",
"attempted": true,
"reattemptable": true,
"bootstrapAuthorizationRequest": {
"response_type": "vp_token",
"client_id": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0",
"request_uri": "https://waltid.testing-0-20-0.enterprise.test.waltid.cloud/v1/waltid.tenant1.verifier3/verifier2-service-api/b68503d9-432c-49e7-97f8-5a1a7029c13a/request"
},
"bootstrapAuthorizationRequestUrl": "openid4vp://authorize?client_id=did%3Ajwk%3AeyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0&request_uri=https%3A%2F%2Fwaltid.testing-0-20-0.enterprise.test.waltid.cloud%2Fv1%2Fwaltid.tenant1.verifier3%2Fverifier2-service-api%2Fb68503d9-432c-49e7-97f8-5a1a7029c13a%2Frequest",
"authorizationRequest": {
"response_type": "vp_token",
"client_id": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0",
"state": "57ce75d0-c42b-4779-988f-65ca3a07a060",
"response_mode": "direct_post",
"nonce": "01ebdfac-948b-4e49-b2a6-b959a039d860",
"response_uri": "https://waltid.testing-0-20-0.enterprise.test.waltid.cloud/v1/waltid.tenant1.verifier3/verifier2-service-api/b68503d9-432c-49e7-97f8-5a1a7029c13a/response",
"dcql_query": {
"credentials": [
{
"id": "credential_1",
"format": "mso_mdoc",
"multiple": false,
"meta": {
"doctype_value": "org.iso.18013.5.1.mDL",
"format": "mso_mdoc"
},
"require_cryptographic_holder_binding": true,
"claims": [
{
"path": [
"org.iso.18013.5.1",
"family_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"given_name"
]
},
{
"path": [
"org.iso.18013.5.1",
"birth_date"
]
}
]
}
]
},
"client_metadata": {
"vp_formats_supported": {
"mso_mdoc": {
"issuerauth_alg_values": [
-7,
-9,
-50
],
"deviceauth_alg_values": [
-7,
-9,
-50,
-65537
]
}
},
"client_name": "Verifier"
}
},
"authorizationRequestUrl": "openid4vp://authorize?response_type=vp_token&client_id=did%3Ajwk%3AeyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0&state=57ce75d0-c42b-4779-988f-65ca3a07a060&response_mode=direct_post&nonce=01ebdfac-948b-4e49-b2a6-b959a039d860&response_uri=https%3A%2F%2Fwaltid.testing-0-20-0.enterprise.test.waltid.cloud%2Fv1%2Fwaltid.tenant1.verifier3%2Fverifier2-service-api%2Fb68503d9-432c-49e7-97f8-5a1a7029c13a%2Fresponse&dcql_query=%7B%22credentials%22%3A%5B%7B%22id%22%3A%22credential_1%22%2C%22format%22%3A%22mso_mdoc%22%2C%22meta%22%3A%7B%22doctype_value%22%3A%22org.iso.18013.5.1.mDL%22%7D%2C%22claims%22%3A%5B%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22family_name%22%5D%7D%2C%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22given_name%22%5D%7D%2C%7B%22path%22%3A%5B%22org.iso.18013.5.1%22%2C%22birth_date%22%5D%7D%5D%7D%5D%7D&client_metadata=%7B%22vp_formats_supported%22%3A%7B%22mso_mdoc%22%3A%7B%22issuerauth_alg_values%22%3A%5B-7%2C-9%2C-50%5D%2C%22deviceauth_alg_values%22%3A%5B-7%2C-9%2C-50%2C-65537%5D%7D%7D%2C%22client_name%22%3A%22Verifier%22%7D",
"requestMode": "REQUEST_URI",
"policies": {
"vp_policies": {
"jwt_vc_json": [
"jwt_vc_json/audience-check",
"jwt_vc_json/nonce-check",
"jwt_vc_json/envelope_signature"
],
"dc+sd-jwt": [
"dc+sd-jwt/audience-check",
"dc+sd-jwt/kb-jwt_signature",
"dc+sd-jwt/nonce-check",
"dc+sd-jwt/sd_hash-check"
],
"mso_mdoc": [
"mso_mdoc/device-auth",
"mso_mdoc/device_key_auth",
"mso_mdoc/issuer_auth",
"mso_mdoc/issuer_signed_integrity",
"mso_mdoc/mso"
]
},
"vc_policies": [
{
"policy": "signature",
"id": "signature"
}
]
},
"policy_results": {
"vp_policies": {
"credential_1": {
"mso_mdoc/device-auth": {
"policy_executed": {
"policy": "mso_mdoc/device-auth",
"id": "mso_mdoc/device-auth",
"description": "Verify device authentication"
},
"success": true,
"results": {
"device_public_jwk": {
"kty": "EC",
"crv": "P-256",
"x": "m4r2Sf0jYK3OXLPrdrwC2OSSkwCBUVNJH-kpIlzmBzo",
"y": "Uqa4uWu4rgrm3Cj9wugwYIig5ZS9DkLKxKnGk8sYr1o"
},
"device_auth_bytes_hex": "d8185868847444657669636541757468656e7469636174696f6e83f6f682714f70656e494434565048616e646f7665725820e85d5ae0c4a98f58e23408479ebe1b09b396e774e51ba9fd3848116113ee0e98756f72672e69736f2e31383031332e352e312e6d444cd81841a0"
},
"errors": [],
"execution_time": "PT0.078628917S"
},
"mso_mdoc/device_key_auth": {
"policy_executed": {
"policy": "mso_mdoc/device_key_auth",
"id": "mso_mdoc/device_key_auth",
"description": "Verify holder-verified data"
},
"success": true,
"results": {
"empty_device_signed_namespaces": true
},
"errors": [],
"execution_time": "PT0.003564846S"
},
"mso_mdoc/issuer_auth": {
"policy_executed": {
"policy": "mso_mdoc/issuer_auth",
"id": "mso_mdoc/issuer_auth",
"description": "Verify issuer authentication"
},
"success": true,
"results": {
"certificate_chain": [
"30820208308201ada00302010202140e8f24af5f78b7ab2db6de8a2f761c9ccb5c6986300a06082a8648ce3d0403023024310b30090603550406130255533115301306035504030c0c4578616d706c652049414341301e170d3235303532393037313833395a170d3236303832393037313833395a3022310b30090603550406130255533113301106035504030c0a4578616d706c652044533059301306072a8648ce3d020106082a8648ce3d030107034200041962a974bde33e83c9e702a0480fa3c52da3829f9950313ab0841b781f3abc5d177c40c07f7aff155c895ee6150b2553f7914203fee6949988d7fc6e332819faa381be3081bb301f0603551d230418301680148c2311b1fa254de2b90ece8ca8e5a3e4dc74d414301d0603551d0e04160414ed2e3d2d27a0fded289df4f8e0555b2ffad22a7b300e0603551d0f0101ff04040302078030230603551d12041c301a861868747470733a2f2f696163612e6578616d706c652e636f6d30150603551d250101ff040b3009060728818c5d050102302d0603551d1f042630243022a020a01e861c68747470733a2f2f696163612e6578616d706c652e636f6d2f63726c300a06082a8648ce3d0403020349003046022100cb92abbe413c15d70561ad20c779edf851aa929fdd8ce5de574376842c2b6c44022100fdd9962cc2e224f5775339904b93141ed9fad75cf45652ff93760075a549e757"
],
"signer_jwk": {
"kty": "EC",
"crv": "P-256",
"x": "GWKpdL3jPoPJ5wKgSA-jxS2jgp-ZUDE6sIQbeB86vF0",
"y": "F3xAwH96_xVciV7mFQslU_eRQgP-5pSZiNf8bjMoGfo"
},
"signer_pem": "-----BEGIN CERTIFICATE-----\nMIICCDCCAa2gAwIBAgIUDo8kr194t6sttt6KL3YcnMtcaYYwCgYIKoZIzj0EAwIw\r\nJDELMAkGA1UEBhMCVVMxFTATBgNVBAMMDEV4YW1wbGUgSUFDQTAeFw0yNTA1Mjkw\r\nNzE4MzlaFw0yNjA4MjkwNzE4MzlaMCIxCzAJBgNVBAYTAlVTMRMwEQYDVQQDDApF\r\neGFtcGxlIERTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGWKpdL3jPoPJ5wKg\r\nSA+jxS2jgp+ZUDE6sIQbeB86vF0XfEDAf3r/FVyJXuYVCyVT95FCA/7mlJmI1/xu\r\nMygZ+qOBvjCBuzAfBgNVHSMEGDAWgBSMIxGx+iVN4rkOzoyo5aPk3HTUFDAdBgNV\r\nHQ4EFgQU7S49LSeg/e0onfT44FVbL/rSKnswDgYDVR0PAQH/BAQDAgeAMCMGA1Ud\r\nEgQcMBqGGGh0dHBzOi8vaWFjYS5leGFtcGxlLmNvbTAVBgNVHSUBAf8ECzAJBgco\r\ngYxdBQECMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHBzOi8vaWFjYS5leGFtcGxlLmNv\r\nbS9jcmwwCgYIKoZIzj0EAwIDSQAwRgIhAMuSq75BPBXXBWGtIMd57fhRqpKf3Yzl\r\n3ldDdoQsK2xEAiEA/dmWLMLiJPV3UzmQS5MUHtn611z0VlL/k3YAdaVJ51c=\n-----END CERTIFICATE-----"
},
"errors": [],
"execution_time": "PT0.078830219S"
},
"mso_mdoc/issuer_signed_integrity": {
"policy_executed": {
"policy": "mso_mdoc/issuer_signed_integrity",
"id": "mso_mdoc/issuer_signed_integrity",
"description": "Verify issuer-verified data integrity"
},
"success": true,
"results": {
"namespace": {
"org.iso.18013.5.1": [
{
"id": "family_name",
"digest_id": 0,
"value": "Doe",
"value_type": "CborString",
"random_hex": "e14217e08f91b89c3bbe3ee466778e98",
"serialized_hex": "a4686469676573744944006672616e646f6d50e14217e08f91b89c3bbe3ee466778e9871656c656d656e744964656e7469666965726b66616d696c795f6e616d656c656c656d656e7456616c756563446f65"
},
{
"id": "given_name",
"digest_id": 1,
"value": "John",
"value_type": "CborString",
"random_hex": "fbee28e15ccb9cdbca72ee8b5bf94ff2",
"serialized_hex": "a4686469676573744944016672616e646f6d50fbee28e15ccb9cdbca72ee8b5bf94ff271656c656d656e744964656e7469666965726a676976656e5f6e616d656c656c656d656e7456616c7565644a6f686e"
},
{
"id": "birth_date",
"digest_id": 2,
"value": "1986-03-22",
"value_type": "CborString",
"random_hex": "fd7b099a5883278e8b3351ec2089afbe",
"serialized_hex": "a4686469676573744944026672616e646f6d50fd7b099a5883278e8b3351ec2089afbe71656c656d656e744964656e7469666965726a62697274685f646174656c656c656d656e7456616c75656a313938362d30332d3232"
}
]
},
"matching_digest": {
"org.iso.18013.5.1": [
"family_name",
"given_name",
"birth_date"
]
}
},
"errors": [],
"execution_time": "PT0.040422222S"
},
"mso_mdoc/mso": {
"policy_executed": {
"policy": "mso_mdoc/mso",
"id": "mso_mdoc/mso",
"description": "Verify MSO"
},
"success": true,
"results": {
"signed": "2026-05-20T12:31:10.361778536Z",
"valid_from": "2027-05-20T12:31:10.361778836Z"
},
"errors": [],
"execution_time": "PT0.009410621S"
}
}
},
"vc_policies": [
{
"policy": {
"policy": "signature",
"id": "signature"
},
"success": true,
"result": {
"verification_result": true,
"signed_credential": "o2d2ZXJzaW9uYzEuMGlkb2N1bWVudHOBo2dkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGxpc3N1ZXJTaWduZWSiam5hbWVTcGFjZXOhcW9yZy5pc28uMTgwMTMuNS4xg9gYWFKkaGRpZ2VzdElEAGZyYW5kb21Q4UIX4I-RuJw7vj7kZneOmHFlbGVtZW50SWRlbnRpZmllcmtmYW1pbHlfbmFtZWxlbGVtZW50VmFsdWVjRG9l2BhYUqRoZGlnZXN0SUQBZnJhbmRvbVD77ijhXMuc28py7otb-U_ycWVsZW1lbnRJZGVudGlmaWVyamdpdmVuX25hbWVsZWxlbWVudFZhbHVlZEpvaG7YGFhYpGhkaWdlc3RJRAJmcmFuZG9tUP17CZpYgyeOizNR7CCJr75xZWxlbWVudElkZW50aWZpZXJqYmlydGhfZGF0ZWxlbGVtZW50VmFsdWVqMTk4Ni0wMy0yMmppc3N1ZXJBdXRohEOhASahGCFZAgwwggIIMIIBraADAgECAhQOjySvX3i3qy223oovdhycy1xphjAKBggqhkjOPQQDAjAkMQswCQYDVQQGEwJVUzEVMBMGA1UEAwwMRXhhbXBsZSBJQUNBMB4XDTI1MDUyOTA3MTgzOVoXDTI2MDgyOTA3MTgzOVowIjELMAkGA1UEBhMCVVMxEzARBgNVBAMMCkV4YW1wbGUgRFMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZYql0veM-g8nnAqBID6PFLaOCn5lQMTqwhBt4Hzq8XRd8QMB_ev8VXIle5hULJVP3kUID_uaUmYjX_G4zKBn6o4G-MIG7MB8GA1UdIwQYMBaAFIwjEbH6JU3iuQ7OjKjlo-TcdNQUMB0GA1UdDgQWBBTtLj0tJ6D97Sid9PjgVVsv-tIqezAOBgNVHQ8BAf8EBAMCB4AwIwYDVR0SBBwwGoYYaHR0cHM6Ly9pYWNhLmV4YW1wbGUuY29tMBUGA1UdJQEB_wQLMAkGByiBjF0FAQIwLQYDVR0fBCYwJDAioCCgHoYcaHR0cHM6Ly9pYWNhLmV4YW1wbGUuY29tL2NybDAKBggqhkjOPQQDAgNJADBGAiEAy5KrvkE8FdcFYa0gx3nt-FGqkp_djOXeV0N2hCwrbEQCIQD92ZYswuIk9XdTOZBLkxQe2frXXPRWUv-TdgB1pUnnV1kC29gYWQLWpmd2ZXJzaW9uYzEuMG9kaWdlc3RBbGdvcml0aG1nU0hBLTI1Nmx2YWx1ZURpZ2VzdHOhcW9yZy5pc28uMTgwMTMuNS4xqwBYINkmb8SGjrc7AGjP6gkyvJ1pNbdZ6I-xwFA8f9PL2guiAVggg2tS4UeThS0khoqyZTViFHzWiuuRR1I4aUCEswwJ6tcCWCBhf1K133IForrOHf43caHLjpNTlAJVxHYT_SzmJ4eK1gNYINMP97ZPmf-QLX72eHRlgwN0evBd5GvLr-6cDYvT7L09BFggb0V8kEZVt9-_wzIBLAlhrytSmm7ajzC58n1yVf4uE7QFWCCBdiI7t2bTX4feg_2GwpgMysLgiravmc_awwdpD2Z0cQZYID7NylJKtQhbBuKye2pL1k5iFX6X38JHL-9AiGa0559RB1ggG_IJ-IWsyVPi4JWkVf2p2PVHkga6jjaA5gQA4SLQCb0IWCBA_JctXYaTi9Z1eH11APUEX4fVq0RlvySyY75Vx5bvaglYIFCx9IEHFGrffrbP97PsM-dwi8K5ZMqolCg-oGrF-mlwClggBo2e11n0snkAvTs49Yu5McIu_BQ4hYgQTiDXTTCkvsltZGV2aWNlS2V5SW5mb6FpZGV2aWNlS2V5pAECIAEhWCCbivZJ_SNgrc5cs-t2vALY5JKTAIFRU0kf6SkiXOYHOiJYIFKmuLlruK4K5two_cLoMGCIoOWUvQ5CysSpxpPLGK9aZ2RvY1R5cGV1b3JnLmlzby4xODAxMy41LjEubURMbHZhbGlkaXR5SW5mb6Nmc2lnbmVkwHgeMjAyNi0wNS0yMFQxMjozMToxMC4zNjE3Nzg1MzZaaXZhbGlkRnJvbcB4HjIwMjYtMDUtMjBUMTI6MzE6MTAuMzYxNzc4NzM2Wmp2YWxpZFVudGlswHgeMjAyNy0wNS0yMFQxMjozMToxMC4zNjE3Nzg4MzZaWEBpgFeAPp3GYOhzUo9aUpOyQfv6dQONcrJEVd6N_AvHOyoQyKDXrpYXST9Djj01iPAe5aR29TI7sWIkUiYwZxwBbGRldmljZVNpZ25lZKJqbmFtZVNwYWNlc9gYQaBqZGV2aWNlQXV0aKFvZGV2aWNlU2lnbmF0dXJlhEOhASag9lhALzj9UuVdvDr5rmcY8bFNCc6l6Fg3vJ6sKNbQI_9lCtYptsdvt1UlRwsdjjq9zCzEBHKk7_qiPWG2gqk7hFSV6WZzdGF0dXMA",
"credential_signature": {
"type": "signature-cose",
"signerKey": {
"type": "jwk",
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "GWKpdL3jPoPJ5wKgSA-jxS2jgp-ZUDE6sIQbeB86vF0",
"y": "F3xAwH96_xVciV7mFQslU_eRQgP-5pSZiNf8bjMoGfo"
}
},
"x5cList": [
"MIICCDCCAa2gAwIBAgIUDo8kr194t6sttt6KL3YcnMtcaYYwCgYIKoZIzj0EAwIwJDELMAkGA1UEBhMCVVMxFTATBgNVBAMMDEV4YW1wbGUgSUFDQTAeFw0yNTA1MjkwNzE4MzlaFw0yNjA4MjkwNzE4MzlaMCIxCzAJBgNVBAYTAlVTMRMwEQYDVQQDDApFeGFtcGxlIERTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGWKpdL3jPoPJ5wKgSA+jxS2jgp+ZUDE6sIQbeB86vF0XfEDAf3r/FVyJXuYVCyVT95FCA/7mlJmI1/xuMygZ+qOBvjCBuzAfBgNVHSMEGDAWgBSMIxGx+iVN4rkOzoyo5aPk3HTUFDAdBgNVHQ4EFgQU7S49LSeg/e0onfT44FVbL/rSKnswDgYDVR0PAQH/BAQDAgeAMCMGA1UdEgQcMBqGGGh0dHBzOi8vaWFjYS5leGFtcGxlLmNvbTAVBgNVHSUBAf8ECzAJBgcogYxdBQECMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHBzOi8vaWFjYS5leGFtcGxlLmNvbS9jcmwwCgYIKoZIzj0EAwIDSQAwRgIhAMuSq75BPBXXBWGtIMd57fhRqpKf3Yzl3ldDdoQsK2xEAiEA/dmWLMLiJPV3UzmQS5MUHtn611z0VlL/k3YAdaVJ51c="
]
},
"verified_data": {
"docType": "org.iso.18013.5.1.mDL",
"org.iso.18013.5.1": {
"family_name": "Doe",
"given_name": "John",
"birth_date": "1986-03-22"
}
},
"successful_issuer_public_key": {
"kty": "EC",
"crv": "P-256",
"x": "GWKpdL3jPoPJ5wKgSA-jxS2jgp-ZUDE6sIQbeB86vF0",
"y": "F3xAwH96_xVciV7mFQslU_eRQgP-5pSZiNf8bjMoGfo"
},
"successful_issuer_public_key_id": "pX99OZjL2iNqM7OMkE1r1rYyuAObvPntewcDHdc2bMM"
}
}
],
"specific_vc_policies": {},
"overallSuccess": true
},
"presentation_validation_results": {
"credential_1": {
"mso_mdoc/device-auth": {
"policy_executed": {
"policy": "mso_mdoc/device-auth",
"id": "mso_mdoc/device-auth",
"description": "Verify device authentication"
},
"success": true,
"results": {
"device_public_jwk": {
"kty": "EC",
"crv": "P-256",
"x": "m4r2Sf0jYK3OXLPrdrwC2OSSkwCBUVNJH-kpIlzmBzo",
"y": "Uqa4uWu4rgrm3Cj9wugwYIig5ZS9DkLKxKnGk8sYr1o"
},
"device_auth_bytes_hex": "d8185868847444657669636541757468656e7469636174696f6e83f6f682714f70656e494434565048616e646f7665725820e85d5ae0c4a98f58e23408479ebe1b09b396e774e51ba9fd3848116113ee0e98756f72672e69736f2e31383031332e352e312e6d444cd81841a0"
},
"errors": [],
"execution_time": "PT0.078628917S"
},
"mso_mdoc/device_key_auth": {
"policy_executed": {
"policy": "mso_mdoc/device_key_auth",
"id": "mso_mdoc/device_key_auth",
"description": "Verify holder-verified data"
},
"success": true,
"results": {
"empty_device_signed_namespaces": true
},
"errors": [],
"execution_time": "PT0.003564846S"
},
"mso_mdoc/issuer_auth": {
"policy_executed": {
"policy": "mso_mdoc/issuer_auth",
"id": "mso_mdoc/issuer_auth",
"description": "Verify issuer authentication"
},
"success": true,
"results": {
"certificate_chain": [
"30820208308201ada00302010202140e8f24af5f78b7ab2db6de8a2f761c9ccb5c6986300a06082a8648ce3d0403023024310b30090603550406130255533115301306035504030c0c4578616d706c652049414341301e170d3235303532393037313833395a170d3236303832393037313833395a3022310b30090603550406130255533113301106035504030c0a4578616d706c652044533059301306072a8648ce3d020106082a8648ce3d030107034200041962a974bde33e83c9e702a0480fa3c52da3829f9950313ab0841b781f3abc5d177c40c07f7aff155c895ee6150b2553f7914203fee6949988d7fc6e332819faa381be3081bb301f0603551d230418301680148c2311b1fa254de2b90ece8ca8e5a3e4dc74d414301d0603551d0e04160414ed2e3d2d27a0fded289df4f8e0555b2ffad22a7b300e0603551d0f0101ff04040302078030230603551d12041c301a861868747470733a2f2f696163612e6578616d706c652e636f6d30150603551d250101ff040b3009060728818c5d050102302d0603551d1f042630243022a020a01e861c68747470733a2f2f696163612e6578616d706c652e636f6d2f63726c300a06082a8648ce3d0403020349003046022100cb92abbe413c15d70561ad20c779edf851aa929fdd8ce5de574376842c2b6c44022100fdd9962cc2e224f5775339904b93141ed9fad75cf45652ff93760075a549e757"
],
"signer_jwk": {
"kty": "EC",
"crv": "P-256",
"x": "GWKpdL3jPoPJ5wKgSA-jxS2jgp-ZUDE6sIQbeB86vF0",
"y": "F3xAwH96_xVciV7mFQslU_eRQgP-5pSZiNf8bjMoGfo"
},
"signer_pem": "-----BEGIN CERTIFICATE-----\nMIICCDCCAa2gAwIBAgIUDo8kr194t6sttt6KL3YcnMtcaYYwCgYIKoZIzj0EAwIw\r\nJDELMAkGA1UEBhMCVVMxFTATBgNVBAMMDEV4YW1wbGUgSUFDQTAeFw0yNTA1Mjkw\r\nNzE4MzlaFw0yNjA4MjkwNzE4MzlaMCIxCzAJBgNVBAYTAlVTMRMwEQYDVQQDDApF\r\neGFtcGxlIERTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGWKpdL3jPoPJ5wKg\r\nSA+jxS2jgp+ZUDE6sIQbeB86vF0XfEDAf3r/FVyJXuYVCyVT95FCA/7mlJmI1/xu\r\nMygZ+qOBvjCBuzAfBgNVHSMEGDAWgBSMIxGx+iVN4rkOzoyo5aPk3HTUFDAdBgNV\r\nHQ4EFgQU7S49LSeg/e0onfT44FVbL/rSKnswDgYDVR0PAQH/BAQDAgeAMCMGA1Ud\r\nEgQcMBqGGGh0dHBzOi8vaWFjYS5leGFtcGxlLmNvbTAVBgNVHSUBAf8ECzAJBgco\r\ngYxdBQECMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHBzOi8vaWFjYS5leGFtcGxlLmNv\r\nbS9jcmwwCgYIKoZIzj0EAwIDSQAwRgIhAMuSq75BPBXXBWGtIMd57fhRqpKf3Yzl\r\n3ldDdoQsK2xEAiEA/dmWLMLiJPV3UzmQS5MUHtn611z0VlL/k3YAdaVJ51c=\n-----END CERTIFICATE-----"
},
"errors": [],
"execution_time": "PT0.078830219S"
},
"mso_mdoc/issuer_signed_integrity": {
"policy_executed": {
"policy": "mso_mdoc/issuer_signed_integrity",
"id": "mso_mdoc/issuer_signed_integrity",
"description": "Verify issuer-verified data integrity"
},
"success": true,
"results": {
"namespace": {
"org.iso.18013.5.1": [
{
"id": "family_name",
"digest_id": 0,
"value": "Doe",
"value_type": "CborString",
"random_hex": "e14217e08f91b89c3bbe3ee466778e98",
"serialized_hex": "a4686469676573744944006672616e646f6d50e14217e08f91b89c3bbe3ee466778e9871656c656d656e744964656e7469666965726b66616d696c795f6e616d656c656c656d656e7456616c756563446f65"
},
{
"id": "given_name",
"digest_id": 1,
"value": "John",
"value_type": "CborString",
"random_hex": "fbee28e15ccb9cdbca72ee8b5bf94ff2",
"serialized_hex": "a4686469676573744944016672616e646f6d50fbee28e15ccb9cdbca72ee8b5bf94ff271656c656d656e744964656e7469666965726a676976656e5f6e616d656c656c656d656e7456616c7565644a6f686e"
},
{
"id": "birth_date",
"digest_id": 2,
"value": "1986-03-22",
"value_type": "CborString",
"random_hex": "fd7b099a5883278e8b3351ec2089afbe",
"serialized_hex": "a4686469676573744944026672616e646f6d50fd7b099a5883278e8b3351ec2089afbe71656c656d656e744964656e7469666965726a62697274685f646174656c656c656d656e7456616c75656a313938362d30332d3232"
}
]
},
"matching_digest": {
"org.iso.18013.5.1": [
"family_name",
"given_name",
"birth_date"
]
}
},
"errors": [],
"execution_time": "PT0.040422222S"
},
"mso_mdoc/mso": {
"policy_executed": {
"policy": "mso_mdoc/mso",
"id": "mso_mdoc/mso",
"description": "Verify MSO"
},
"success": true,
"results": {
"signed": "2026-05-20T12:31:10.361778536Z",
"valid_from": "2027-05-20T12:31:10.361778836Z"
},
"errors": [],
"execution_time": "PT0.009410621S"
}
}
},
"presented_raw_data": {
"vpToken": {
"credential_1": [
"o2d2ZXJzaW9uYzEuMGlkb2N1bWVudHOBo2dkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGxpc3N1ZXJTaWduZWSiam5hbWVTcGFjZXOhcW9yZy5pc28uMTgwMTMuNS4xg9gYWFKkaGRpZ2VzdElEAGZyYW5kb21Q4UIX4I-RuJw7vj7kZneOmHFlbGVtZW50SWRlbnRpZmllcmtmYW1pbHlfbmFtZWxlbGVtZW50VmFsdWVjRG9l2BhYUqRoZGlnZXN0SUQBZnJhbmRvbVD77ijhXMuc28py7otb-U_ycWVsZW1lbnRJZGVudGlmaWVyamdpdmVuX25hbWVsZWxlbWVudFZhbHVlZEpvaG7YGFhYpGhkaWdlc3RJRAJmcmFuZG9tUP17CZpYgyeOizNR7CCJr75xZWxlbWVudElkZW50aWZpZXJqYmlydGhfZGF0ZWxlbGVtZW50VmFsdWVqMTk4Ni0wMy0yMmppc3N1ZXJBdXRohEOhASahGCFZAgwwggIIMIIBraADAgECAhQOjySvX3i3qy223oovdhycy1xphjAKBggqhkjOPQQDAjAkMQswCQYDVQQGEwJVUzEVMBMGA1UEAwwMRXhhbXBsZSBJQUNBMB4XDTI1MDUyOTA3MTgzOVoXDTI2MDgyOTA3MTgzOVowIjELMAkGA1UEBhMCVVMxEzARBgNVBAMMCkV4YW1wbGUgRFMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZYql0veM-g8nnAqBID6PFLaOCn5lQMTqwhBt4Hzq8XRd8QMB_ev8VXIle5hULJVP3kUID_uaUmYjX_G4zKBn6o4G-MIG7MB8GA1UdIwQYMBaAFIwjEbH6JU3iuQ7OjKjlo-TcdNQUMB0GA1UdDgQWBBTtLj0tJ6D97Sid9PjgVVsv-tIqezAOBgNVHQ8BAf8EBAMCB4AwIwYDVR0SBBwwGoYYaHR0cHM6Ly9pYWNhLmV4YW1wbGUuY29tMBUGA1UdJQEB_wQLMAkGByiBjF0FAQIwLQYDVR0fBCYwJDAioCCgHoYcaHR0cHM6Ly9pYWNhLmV4YW1wbGUuY29tL2NybDAKBggqhkjOPQQDAgNJADBGAiEAy5KrvkE8FdcFYa0gx3nt-FGqkp_djOXeV0N2hCwrbEQCIQD92ZYswuIk9XdTOZBLkxQe2frXXPRWUv-TdgB1pUnnV1kC29gYWQLWpmd2ZXJzaW9uYzEuMG9kaWdlc3RBbGdvcml0aG1nU0hBLTI1Nmx2YWx1ZURpZ2VzdHOhcW9yZy5pc28uMTgwMTMuNS4xqwBYINkmb8SGjrc7AGjP6gkyvJ1pNbdZ6I-xwFA8f9PL2guiAVggg2tS4UeThS0khoqyZTViFHzWiuuRR1I4aUCEswwJ6tcCWCBhf1K133IForrOHf43caHLjpNTlAJVxHYT_SzmJ4eK1gNYINMP97ZPmf-QLX72eHRlgwN0evBd5GvLr-6cDYvT7L09BFggb0V8kEZVt9-_wzIBLAlhrytSmm7ajzC58n1yVf4uE7QFWCCBdiI7t2bTX4feg_2GwpgMysLgiravmc_awwdpD2Z0cQZYID7NylJKtQhbBuKye2pL1k5iFX6X38JHL-9AiGa0559RB1ggG_IJ-IWsyVPi4JWkVf2p2PVHkga6jjaA5gQA4SLQCb0IWCBA_JctXYaTi9Z1eH11APUEX4fVq0RlvySyY75Vx5bvaglYIFCx9IEHFGrffrbP97PsM-dwi8K5ZMqolCg-oGrF-mlwClggBo2e11n0snkAvTs49Yu5McIu_BQ4hYgQTiDXTTCkvsltZGV2aWNlS2V5SW5mb6FpZGV2aWNlS2V5pAECIAEhWCCbivZJ_SNgrc5cs-t2vALY5JKTAIFRU0kf6SkiXOYHOiJYIFKmuLlruK4K5two_cLoMGCIoOWUvQ5CysSpxpPLGK9aZ2RvY1R5cGV1b3JnLmlzby4xODAxMy41LjEubURMbHZhbGlkaXR5SW5mb6Nmc2lnbmVkwHgeMjAyNi0wNS0yMFQxMjozMToxMC4zNjE3Nzg1MzZaaXZhbGlkRnJvbcB4HjIwMjYtMDUtMjBUMTI6MzE6MTAuMzYxNzc4NzM2Wmp2YWxpZFVudGlswHgeMjAyNy0wNS0yMFQxMjozMToxMC4zNjE3Nzg4MzZaWEBpgFeAPp3GYOhzUo9aUpOyQfv6dQONcrJEVd6N_AvHOyoQyKDXrpYXST9Djj01iPAe5aR29TI7sWIkUiYwZxwBbGRldmljZVNpZ25lZKJqbmFtZVNwYWNlc9gYQaBqZGV2aWNlQXV0aKFvZGV2aWNlU2lnbmF0dXJlhEOhASag9lhALzj9UuVdvDr5rmcY8bFNCc6l6Fg3vJ6sKNbQI_9lCtYptsdvt1UlRwsdjjq9zCzEBHKk7_qiPWG2gqk7hFSV6WZzdGF0dXMA"
]
},
"state": "57ce75d0-c42b-4779-988f-65ca3a07a060"
},
"presented_presentations": {
"credential_1": {
"type": "mso_mdoc",
"format": "mso_mdoc",
"mdoc": {
"credentialData": {
"docType": "org.iso.18013.5.1.mDL",
"org.iso.18013.5.1": {
"family_name": "Doe",
"given_name": "John",
"birth_date": "1986-03-22"
}
},
"signed": "o2d2ZXJzaW9uYzEuMGlkb2N1bWVudHOBo2dkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGxpc3N1ZXJTaWduZWSiam5hbWVTcGFjZXOhcW9yZy5pc28uMTgwMTMuNS4xg9gYWFKkaGRpZ2VzdElEAGZyYW5kb21Q4UIX4I-RuJw7vj7kZneOmHFlbGVtZW50SWRlbnRpZmllcmtmYW1pbHlfbmFtZWxlbGVtZW50VmFsdWVjRG9l2BhYUqRoZGlnZXN0SUQBZnJhbmRvbVD77ijhXMuc28py7otb-U_ycWVsZW1lbnRJZGVudGlmaWVyamdpdmVuX25hbWVsZWxlbWVudFZhbHVlZEpvaG7YGFhYpGhkaWdlc3RJRAJmcmFuZG9tUP17CZpYgyeOizNR7CCJr75xZWxlbWVudElkZW50aWZpZXJqYmlydGhfZGF0ZWxlbGVtZW50VmFsdWVqMTk4Ni0wMy0yMmppc3N1ZXJBdXRohEOhASahGCFZAgwwggIIMIIBraADAgECAhQOjySvX3i3qy223oovdhycy1xphjAKBggqhkjOPQQDAjAkMQswCQYDVQQGEwJVUzEVMBMGA1UEAwwMRXhhbXBsZSBJQUNBMB4XDTI1MDUyOTA3MTgzOVoXDTI2MDgyOTA3MTgzOVowIjELMAkGA1UEBhMCVVMxEzARBgNVBAMMCkV4YW1wbGUgRFMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZYql0veM-g8nnAqBID6PFLaOCn5lQMTqwhBt4Hzq8XRd8QMB_ev8VXIle5hULJVP3kUID_uaUmYjX_G4zKBn6o4G-MIG7MB8GA1UdIwQYMBaAFIwjEbH6JU3iuQ7OjKjlo-TcdNQUMB0GA1UdDgQWBBTtLj0tJ6D97Sid9PjgVVsv-tIqezAOBgNVHQ8BAf8EBAMCB4AwIwYDVR0SBBwwGoYYaHR0cHM6Ly9pYWNhLmV4YW1wbGUuY29tMBUGA1UdJQEB_wQLMAkGByiBjF0FAQIwLQYDVR0fBCYwJDAioCCgHoYcaHR0cHM6Ly9pYWNhLmV4YW1wbGUuY29tL2NybDAKBggqhkjOPQQDAgNJADBGAiEAy5KrvkE8FdcFYa0gx3nt-FGqkp_djOXeV0N2hCwrbEQCIQD92ZYswuIk9XdTOZBLkxQe2frXXPRWUv-TdgB1pUnnV1kC29gYWQLWpmd2ZXJzaW9uYzEuMG9kaWdlc3RBbGdvcml0aG1nU0hBLTI1Nmx2YWx1ZURpZ2VzdHOhcW9yZy5pc28uMTgwMTMuNS4xqwBYINkmb8SGjrc7AGjP6gkyvJ1pNbdZ6I-xwFA8f9PL2guiAVggg2tS4UeThS0khoqyZTViFHzWiuuRR1I4aUCEswwJ6tcCWCBhf1K133IForrOHf43caHLjpNTlAJVxHYT_SzmJ4eK1gNYINMP97ZPmf-QLX72eHRlgwN0evBd5GvLr-6cDYvT7L09BFggb0V8kEZVt9-_wzIBLAlhrytSmm7ajzC58n1yVf4uE7QFWCCBdiI7t2bTX4feg_2GwpgMysLgiravmc_awwdpD2Z0cQZYID7NylJKtQhbBuKye2pL1k5iFX6X38JHL-9AiGa0559RB1ggG_IJ-IWsyVPi4JWkVf2p2PVHkga6jjaA5gQA4SLQCb0IWCBA_JctXYaTi9Z1eH11APUEX4fVq0RlvySyY75Vx5bvaglYIFCx9IEHFGrffrbP97PsM-dwi8K5ZMqolCg-oGrF-mlwClggBo2e11n0snkAvTs49Yu5McIu_BQ4hYgQTiDXTTCkvsltZGV2aWNlS2V5SW5mb6FpZGV2aWNlS2V5pAECIAEhWCCbivZJ_SNgrc5cs-t2vALY5JKTAIFRU0kf6SkiXOYHOiJYIFKmuLlruK4K5two_cLoMGCIoOWUvQ5CysSpxpPLGK9aZ2RvY1R5cGV1b3JnLmlzby4xODAxMy41LjEubURMbHZhbGlkaXR5SW5mb6Nmc2lnbmVkwHgeMjAyNi0wNS0yMFQxMjozMToxMC4zNjE3Nzg1MzZaaXZhbGlkRnJvbcB4HjIwMjYtMDUtMjBUMTI6MzE6MTAuMzYxNzc4NzM2Wmp2YWxpZFVudGlswHgeMjAyNy0wNS0yMFQxMjozMToxMC4zNjE3Nzg4MzZaWEBpgFeAPp3GYOhzUo9aUpOyQfv6dQONcrJEVd6N_AvHOyoQyKDXrpYXST9Djj01iPAe5aR29TI7sWIkUiYwZxwBbGRldmljZVNpZ25lZKJqbmFtZVNwYWNlc9gYQaBqZGV2aWNlQXV0aKFvZGV2aWNlU2lnbmF0dXJlhEOhASag9lhALzj9UuVdvDr5rmcY8bFNCc6l6Fg3vJ6sKNbQI_9lCtYptsdvt1UlRwsdjjq9zCzEBHKk7_qiPWG2gqk7hFSV6WZzdGF0dXMA",
"docType": "org.iso.18013.5.1.mDL",
"signature": {
"type": "signature-cose",
"signerKey": {
"type": "jwk",
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "GWKpdL3jPoPJ5wKgSA-jxS2jgp-ZUDE6sIQbeB86vF0",
"y": "F3xAwH96_xVciV7mFQslU_eRQgP-5pSZiNf8bjMoGfo"
}
},
"x5cList": [
"MIICCDCCAa2gAwIBAgIUDo8kr194t6sttt6KL3YcnMtcaYYwCgYIKoZIzj0EAwIwJDELMAkGA1UEBhMCVVMxFTATBgNVBAMMDEV4YW1wbGUgSUFDQTAeFw0yNTA1MjkwNzE4MzlaFw0yNjA4MjkwNzE4MzlaMCIxCzAJBgNVBAYTAlVTMRMwEQYDVQQDDApFeGFtcGxlIERTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGWKpdL3jPoPJ5wKgSA+jxS2jgp+ZUDE6sIQbeB86vF0XfEDAf3r/FVyJXuYVCyVT95FCA/7mlJmI1/xuMygZ+qOBvjCBuzAfBgNVHSMEGDAWgBSMIxGx+iVN4rkOzoyo5aPk3HTUFDAdBgNVHQ4EFgQU7S49LSeg/e0onfT44FVbL/rSKnswDgYDVR0PAQH/BAQDAgeAMCMGA1UdEgQcMBqGGGh0dHBzOi8vaWFjYS5leGFtcGxlLmNvbTAVBgNVHSUBAf8ECzAJBgcogYxdBQECMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHBzOi8vaWFjYS5leGFtcGxlLmNvbS9jcmwwCgYIKoZIzj0EAwIDSQAwRgIhAMuSq75BPBXXBWGtIMd57fhRqpKf3Yzl3ldDdoQsK2xEAiEA/dmWLMLiJPV3UzmQS5MUHtn611z0VlL/k3YAdaVJ51c="
]
},
"format": "mso_mdoc",
"mso": {
"version": "1.0",
"digestAlgorithm": "SHA-256",
"valueDigests": {
"org.iso.18013.5.1": {
...
},
"deviceKeyInfo": {
"deviceKey": {
...
}
},
"docType": "org.iso.18013.5.1.mDL",
"validityInfo": {
"signed": "2026-05-20T12:31:10.361778536Z",
"validFrom": "2026-05-20T12:31:10.361778736Z",
"validUntil": "2027-05-20T12:31:10.361778836Z"
}
}
}
}
},
"presented_credentials": {
"credential_1": [
{
"type": "vc-mdocs",
"credentialData": {
"docType": "org.iso.18013.5.1.mDL",
"org.iso.18013.5.1": {
"family_name": "Doe",
"given_name": "John",
"birth_date": "1986-03-22"
}
},
"signed": "o2d2ZXJzaW9uYzEuMGlkb2N1bWVudHOBo2dkb2NUeXBldW9yZy5pc28uMTgwMTMuNS4xLm1ETGxpc3N1ZXJTaWduZWSiam5hbWVTcGFjZXOhcW9yZy5pc28uMTgwMTMuNS4xg9gYWFKkaGRpZ2VzdElEAGZyYW5kb21Q4UIX4I-RuJw7vj7kZneOmHFlbGVtZW50SWRlbnRpZmllcmtmYW1pbHlfbmFtZWxlbGVtZW50VmFsdWVjRG9l2BhYUqRoZGlnZXN0SUQBZnJhbmRvbVD77ijhXMuc28py7otb-U_ycWVsZW1lbnRJZGVudGlmaWVyamdpdmVuX25hbWVsZWxlbWVudFZhbHVlZEpvaG7YGFhYpGhkaWdlc3RJRAJmcmFuZG9tUP17CZpYgyeOizNR7CCJr75xZWxlbWVudElkZW50aWZpZXJqYmlydGhfZGF0ZWxlbGVtZW50VmFsdWVqMTk4Ni0wMy0yMmppc3N1ZXJBdXRohEOhASahGCFZAgwwggIIMIIBraADAgECAhQOjySvX3i3qy223oovdhycy1xphjAKBggqhkjOPQQDAjAkMQswCQYDVQQGEwJVUzEVMBMGA1UEAwwMRXhhbXBsZSBJQUNBMB4XDTI1MDUyOTA3MTgzOVoXDTI2MDgyOTA3MTgzOVowIjELMAkGA1UEBhMCVVMxEzARBgNVBAMMCkV4YW1wbGUgRFMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQZYql0veM-g8nnAqBID6PFLaOCn5lQMTqwhBt4Hzq8XRd8QMB_ev8VXIle5hULJVP3kUID_uaUmYjX_G4zKBn6o4G-MIG7MB8GA1UdIwQYMBaAFIwjEbH6JU3iuQ7OjKjlo-TcdNQUMB0GA1UdDgQWBBTtLj0tJ6D97Sid9PjgVVsv-tIqezAOBgNVHQ8BAf8EBAMCB4AwIwYDVR0SBBwwGoYYaHR0cHM6Ly9pYWNhLmV4YW1wbGUuY29tMBUGA1UdJQEB_wQLMAkGByiBjF0FAQIwLQYDVR0fBCYwJDAioCCgHoYcaHR0cHM6Ly9pYWNhLmV4YW1wbGUuY29tL2NybDAKBggqhkjOPQQDAgNJADBGAiEAy5KrvkE8FdcFYa0gx3nt-FGqkp_djOXeV0N2hCwrbEQCIQD92ZYswuIk9XdTOZBLkxQe2frXXPRWUv-TdgB1pUnnV1kC29gYWQLWpmd2ZXJzaW9uYzEuMG9kaWdlc3RBbGdvcml0aG1nU0hBLTI1Nmx2YWx1ZURpZ2VzdHOhcW9yZy5pc28uMTgwMTMuNS4xqwBYINkmb8SGjrc7AGjP6gkyvJ1pNbdZ6I-xwFA8f9PL2guiAVggg2tS4UeThS0khoqyZTViFHzWiuuRR1I4aUCEswwJ6tcCWCBhf1K133IForrOHf43caHLjpNTlAJVxHYT_SzmJ4eK1gNYINMP97ZPmf-QLX72eHRlgwN0evBd5GvLr-6cDYvT7L09BFggb0V8kEZVt9-_wzIBLAlhrytSmm7ajzC58n1yVf4uE7QFWCCBdiI7t2bTX4feg_2GwpgMysLgiravmc_awwdpD2Z0cQZYID7NylJKtQhbBuKye2pL1k5iFX6X38JHL-9AiGa0559RB1ggG_IJ-IWsyVPi4JWkVf2p2PVHkga6jjaA5gQA4SLQCb0IWCBA_JctXYaTi9Z1eH11APUEX4fVq0RlvySyY75Vx5bvaglYIFCx9IEHFGrffrbP97PsM-dwi8K5ZMqolCg-oGrF-mlwClggBo2e11n0snkAvTs49Yu5McIu_BQ4hYgQTiDXTTCkvsltZGV2aWNlS2V5SW5mb6FpZGV2aWNlS2V5pAECIAEhWCCbivZJ_SNgrc5cs-t2vALY5JKTAIFRU0kf6SkiXOYHOiJYIFKmuLlruK4K5two_cLoMGCIoOWUvQ5CysSpxpPLGK9aZ2RvY1R5cGV1b3JnLmlzby4xODAxMy41LjEubURMbHZhbGlkaXR5SW5mb6Nmc2lnbmVkwHgeMjAyNi0wNS0yMFQxMjozMToxMC4zNjE3Nzg1MzZaaXZhbGlkRnJvbcB4HjIwMjYtMDUtMjBUMTI6MzE6MTAuMzYxNzc4NzM2Wmp2YWxpZFVudGlswHgeMjAyNy0wNS0yMFQxMjozMToxMC4zNjE3Nzg4MzZaWEBpgFeAPp3GYOhzUo9aUpOyQfv6dQONcrJEVd6N_AvHOyoQyKDXrpYXST9Djj01iPAe5aR29TI7sWIkUiYwZxwBbGRldmljZVNpZ25lZKJqbmFtZVNwYWNlc9gYQaBqZGV2aWNlQXV0aKFvZGV2aWNlU2lnbmF0dXJlhEOhASag9lhALzj9UuVdvDr5rmcY8bFNCc6l6Fg3vJ6sKNbQI_9lCtYptsdvt1UlRwsdjjq9zCzEBHKk7_qiPWG2gqk7hFSV6WZzdGF0dXMA",
"docType": "org.iso.18013.5.1.mDL",
"signature": {
"type": "signature-cose",
"signerKey": {
"type": "jwk",
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "GWKpdL3jPoPJ5wKgSA-jxS2jgp-ZUDE6sIQbeB86vF0",
"y": "F3xAwH96_xVciV7mFQslU_eRQgP-5pSZiNf8bjMoGfo"
}
},
"x5cList": [
"MIICCDCCAa2gAwIBAgIUDo8kr194t6sttt6KL3YcnMtcaYYwCgYIKoZIzj0EAwIwJDELMAkGA1UEBhMCVVMxFTATBgNVBAMMDEV4YW1wbGUgSUFDQTAeFw0yNTA1MjkwNzE4MzlaFw0yNjA4MjkwNzE4MzlaMCIxCzAJBgNVBAYTAlVTMRMwEQYDVQQDDApFeGFtcGxlIERTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGWKpdL3jPoPJ5wKgSA+jxS2jgp+ZUDE6sIQbeB86vF0XfEDAf3r/FVyJXuYVCyVT95FCA/7mlJmI1/xuMygZ+qOBvjCBuzAfBgNVHSMEGDAWgBSMIxGx+iVN4rkOzoyo5aPk3HTUFDAdBgNVHQ4EFgQU7S49LSeg/e0onfT44FVbL/rSKnswDgYDVR0PAQH/BAQDAgeAMCMGA1UdEgQcMBqGGGh0dHBzOi8vaWFjYS5leGFtcGxlLmNvbTAVBgNVHSUBAf8ECzAJBgcogYxdBQECMC0GA1UdHwQmMCQwIqAgoB6GHGh0dHBzOi8vaWFjYS5leGFtcGxlLmNvbS9jcmwwCgYIKoZIzj0EAwIDSQAwRgIhAMuSq75BPBXXBWGtIMd57fhRqpKf3Yzl3ldDdoQsK2xEAiEA/dmWLMLiJPV3UzmQS5MUHtn611z0VlL/k3YAdaVJ51c="
]
},
"format": "mso_mdoc",
"mso": {
"version": "1.0",
"digestAlgorithm": "SHA-256",
"valueDigests": {
"org.iso.18013.5.1": {
...
},
"deviceKeyInfo": {
"deviceKey": {
...
}
},
"docType": "org.iso.18013.5.1.mDL",
"validityInfo": {
"signed": "2026-05-20T12:31:10.361778536Z",
"validFrom": "2026-05-20T12:31:10.361778736Z",
"validUntil": "2027-05-20T12:31:10.361778836Z"
}
}
}
]
}
},
"timestamp": 1779281613892,
"parent": "waltid.tenant1.verifier3"
}
Key Response Fields:
- id: String - The verification session ID
- setup: Object - The complete session configuration that was used to create this verification session (the
VerificationSessionSetupfrom the create request) - creationDate: String - ISO 8601 timestamp when the session was created
- expirationDate: String - ISO 8601 timestamp when the session expires (default: 10 minutes after creation). Session will expire if left unused (no presentation pushed). Once a presentation is received, the session is no longer eligible for expiry.
- status: String - The current status of the verification session. Possible values:
"UNKNOWN"— Session ended up in unknown flow (should be avoided)"ACTIVE"— Session was created and is active (can be used)"UNUSED"— Session was not used yet, but not expired (can be used)"IN_USE"— AuthorizationRequest was requested by wallet"VALIDATING_RECEIVED_REQUEST"— Checking if received presentation will be processed"PROCESSING_FLOW"— Received presentation is being processed (validation + policy execution)"EXPIRED"— Verification request expired without being utilized"SUCCESSFUL"— Verification completed fully successfully (all validation & policies passed)"FAILED"— Verification was unsuccessful (presentation validation or policies failed)
- attempted: Boolean - Whether the wallet has attempted to respond to the verification request
- reattemptable: Boolean - Whether the user can retry this verification session if it failed
- policy_results: Object (optional) - Detailed results for all policies applied to the verification (only present after presentation is received):
- vp_policies: Object - Results for presentation-level policies (audience check, nonce check, envelope signature)
- vc_policies: Array - Results for credential-level policies (signature, expiry, schema, etc.). Each item contains
policy,success, andresult. - overallSuccess: Boolean (computed) - Whether all policies passed
- presented_credentials: Object (optional) - The parsed credentials presented by the user, organized by credential ID
Instead of polling the session status, you can use callbacks or Server Sent Events (SSE) to be notified when the verification completes. See Callbacks & SSE for details.
Understanding Flow Types and Core Concepts
Now that you've seen verification in action, let's understand the underlying structure.
Verification Session Structure
A VerificationSession defines the full lifecycle: authorization request → user presentation → policy validation → final result.
Every verification request follows this structure:
{
"flow_type": "cross_device | same_device | dc_api",
"core_flow": { /* common to all flows */ },
"url_config": { /* specific to cross_device and same_device */ },
"redirects": { /* optional */ }
}
Why this structure?
- flow_type determines how the credential request is delivered (QR code vs deep link vs browser API)
- core_flow contains the credential query and policies (same regardless of delivery method)
- url_config and redirects are flow-specific attributes
This separation makes it easy to switch between flows without changing your credential requirements.
Flow Type Comparison
| Flow Type | Use Case | Required Attributes | User Experience |
|---|---|---|---|
cross_device | User scans QR code from desktop | None beyond core flow | Desktop shows QR → User scans with phone → Phone wallet opens |
same_device | User clicks link on mobile | redirects (success/error URLs) | Browser redirects to wallet → Wallet opens → User returns to browser |
dc_api | Browser-native credential exchange | expectedOrigins (array of allowed origins) | Browser shows native credential picker → User selects → Instant return |
Advanced Options
Requesting Specific Claims
Mobile driver's licenses support selective disclosure. You can request specific claims using the claims array with namespace-qualified paths:
{
"flow_type": "cross_device",
"core_flow": {
"dcql_query": {
"credentials": [
{
"id": "credential_1",
"format": "mso_mdoc",
"meta": {
"doctype_value": "org.iso.18013.5.1.mDL"
},
"claims": [
{
"path": ["org.iso.18013.5.1", "family_name"]
},
{
"path": ["org.iso.18013.5.1", "given_name"]
},
{
"path": ["org.iso.18013.5.1", "birth_date"]
},
{
"path": ["org.iso.18013.5.1", "portrait"]
}
]
}
]
}
}
}
This requests only specific claims from the mDL. The user's wallet will only disclose these specific data elements.
Claim Values
You can also request claims with specific values (for filtering):
{
"claims": [
{
"path": ["org.iso.18013.5.1", "issuing_country"],
"values": ["US", "CA"]
}
]
}
This requests only mDLs issued by US or Canadian authorities.
Custom Policies
Beyond signature verification, you can apply additional policies:
"policies": {
"vc_policies": [
{ "policy": "signature" },
{ "policy": "expired" },
{ "policy": "not-before" }
]
}
See Policies for the complete list and configuration options.
VICAL Trust Validation
For mDL credentials, you can apply the VICAL (Verifiable Issuer Certificate Authority List) policy for trust validation:
"policies": {
"vc_policies": [
{
"policy": "signature"
},
{
"policy": "vical",
"vical": "<base64 encoded VICAL file>",
"enableDocumentTypeValidation": false,
"enableTrustedChainRoot": false,
"enableSystemTrustAnchors": false,
"enableRevocation": false
}
]
}
See the VICAL policy documentation for detailed parameter descriptions and configuration examples.
Signed Requests
Sign the authorization request JWT using a verifier signing key. This is required for:
- HAIP profile compliance
- DC API Annex C (ISO 18013-7) flows
Enable by setting signedRequest: true in the request body.
Key Configuration Required: Signed requests require a signing key (key) to be configured. You can either:
- Set the
keyparameter during verifier2 service creation as a service-wide default - Override or provide the
keydirectly in the verification request body
Certificate Chain (x5c) Required for:
- X.509-based client authentication when using
x509_san_dns:orx509_hash:as theclientIdformat - Signed Annex C (ISO 18013-7) requests
The x5c parameter can be configured the same way as key — as a service-wide default or per-session override.
Encrypted Responses
The wallet can encrypt the VP token response. Enable by setting encryptedResponse: true in the request body.
Key Configuration Required: Encrypted responses require a key (key) for decrypting the VP token response. Configure it during verifier2 service creation or provide it in the verification request body.
Transaction Data Authorization
Bind credential presentations to specific transactions via transaction data like payment authorization or account access.
Use Cases:
- Payment authorization (amount, currency, payee)
- Account access requests (account ID, scope)
- Custom transaction types via configuration
Supported Formats: dc+sd-jwt and mso_mdoc
For mDL credentials, the wallet embeds transaction data hashes in the DeviceSigned namespaces corresponding to the transaction data type. The verifier evaluates the mso_mdoc/transaction-data-hash-check policy to validate the binding.
Example Request:
{
"flow_type": "cross_device",
"core_flow": {
"dcql_query": {
"credentials": [
{
"id": "mdl",
"format": "mso_mdoc",
"meta": {
"doctype_value": "org.iso.18013.5.1.mDL"
},
"claims": [
{
"path": ["org.iso.18013.5.1", "family_name"]
},
{
"path": ["org.iso.18013.5.1", "given_name"]
}
]
}
]
}
},
"openid": {
"transactionData": [
{
"type": "org.waltid.transaction-data.payment-authorization",
"credential_ids": ["mdl"],
"require_cryptographic_holder_binding": true,
"transaction_data_hashes_alg": ["sha-256"],
"amount": "42.00",
"currency": "EUR",
"payee": "ACME Corp"
}
]
}
}
Transaction Data Parameters
Each entry in the transactionData array includes:
Common Parameters (Required for all types):
- type: String (required) — The transaction data type identifier. Must match a type defined in your transaction-data-profiles configuration. Built-in types:
"org.waltid.transaction-data.payment-authorization"— For payment authorizations"org.waltid.transaction-data.account-access"— For account access requests
- credential_ids: Array of Strings (required) — References the
idfields from your DCQLcredentialsarray. Specifies which credential(s) this transaction data applies to. Example:["mdl"]if your credential query has"id": "mdl". - require_cryptographic_holder_binding: Boolean (optional) - If provided, it must be set to
true. Transaction data requires cryptographic holder binding (KB-JWT for SD-JWT VC, DeviceAuth for mDL). Requests withfalseare rejected per OpenID4VP §B.3.3. - transaction_data_hashes_alg: Array of Strings (optional) — Hash algorithms the wallet uses to bind transaction data. e.g.
["sha-256"]. If omitted "sha-256" is used.
Type-Specific Parameters:
The remaining parameters depend on the type field and are defined by your transaction data profile configuration:
- For
payment-authorizationtype:- amount: String — Payment amount (e.g.,
"42.00") - currency: String — Currency code (e.g.,
"EUR") - payee: String — Payee identifier or name (e.g.,
"ACME Corp")
- amount: String — Payment amount (e.g.,
- For
account-accesstype:- account_identifier: String — Account identifier
- access_scope: String — Scope of access being requested
See Transaction Data Profiles for how to define custom types and fields.
Encoding Behavior: You pass transaction data entries as plain JSON objects in your verification request. The verifier service automatically base64url-encodes each entry before placing it in the authorization request sent to the wallet. Do not base64-encode the entries yourself.
Constraints
transaction_datarequires adcql_query. Requests without one are rejected withinvalid_request.- Each entry's
credential_idsmust reference DCQL credential query ids declared in the same request. - Each referenced credential query must use a transaction-data-capable format:
dc+sd-jwtormso_mdoc. - Transaction data with
require_cryptographic_holder_binding: falseis rejected. See OpenID4VP §B.3.3. - Transaction-data types are configurable via transaction data profiles. Built-in profiles include
payment-authorizationandaccount-access. Custom types can be added through thetransaction-data-profilesconfiguration. - Available on
cross_device,same_device, anddc_api(Annex D) flows via theopenid.transactionDatafield.
Automatic Policy Enforcement: When transactionData is present, the verifier automatically adds the appropriate transaction-data hash-check policy (dc+sd-jwt/transaction-data-hash-check for SD-JWT, mso_mdoc/transaction-data-hash-check for mDL) to ensure the wallet properly binds the transaction data. This happens even if you specify custom vp_policies. Your custom policies are preserved; the hash-check policy is added on top.
Discovery & Configuration
To see which transaction data types your verifier service recognizes:
curl -X 'GET' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/verifier2-service-api/transaction-data-profiles' \
-H 'accept: application/json' \
-H 'Authorization: Bearer {yourToken}'
This endpoint requires CREATE_VERIFIER_SESSION permission. See Transaction Data Profiles to add custom types.
Next Steps
- Apply custom policies — See Policies for validation rules beyond signature verification
- Set up notifications — Use callbacks or SSE instead of polling for session status
- Verify other credential types — Try W3C VC or SD-JWT VC
- Use DC API — Try the Digital Credentials API for browser-native credential exchange
Last updated on June 17, 2026