Verifying SD-JWT VC credentials via OID4VC

This guide provides a comprehensive walkthrough for verifying a SD-JWT VC credentials based on the IETF standard using the walt.id verifier API. The verification process will utilize the OID4VCI protocol, an extension of OpenID, facilitating secure and standardized communication between identities.

SD-JWT VC: A digital equivalent of physical credentials such as a driver's license or university degree. VCs are cryptographically secure, privacy-respecting, and instantly verifiable.

OID4VCI: A protocol specifying how parties can issue VCs and present these credentials in a way that's consistent and secure across platforms ensuring interoperability.

Preparing the Verification

First, determine the type of SD-JWT VC Credential to be verified. Although this guide focuses on a "VerifiableDiploma," you can use any credential type compliant with the IETF standard.

The verification process will be as follows:

  1. Specify the credential type(s) to request from a user and the verification policies to be applied to the credential( s).
  2. Optionally provide a success and failure redirect URL, which the user will be redirected to after the verification process is completed.

After you have provided the required information:

  1. The API generates a Presentation Definition.
  2. API returns a URL which can passed to OIDC-compliant wallet to fulfill the request.

If you have provided a success or failure redirect URL, the user will be redirected to that URL. You can then access the verification results by using the id of the verification session, which can be found in the URL generated by the API, as well as in the query or path parameters of the redirect URL.

Example Verification Request

In this example, we specify the credential we want to verify by supplying the type.

CURL
curl -X 'POST' \
  'https://verifier.portal.walt-test.cloud/openid4vc/verify' \
  -H 'accept: */*' \
  -H 'authorizeBaseUrl: openid4vp://authorize' \
  -H 'responseMode: direct_post' \
  -H 'successRedirectUri: https://example.com/success?id=$id' \
  -H 'errorRedirectUri: https://example.com/error?id=$id' \
  -H 'statusCallbackUri: https://example.com/verificationResult' \
  -H 'statusCallbackApiKey: myAPIKey' \
  -H 'stateId: myUniqueStateValue' \
  -H 'Content-Type: application/json' \
  -d '{
  "request_credentials": [
   { "vct": "VerifiableDiploma", "format": "vc+sd-jwt" }
  ]
}'

Header Parameters

  • authorizeBaseUrl - is used to modify the start of the OID4VC request URL. The default value is openid4vp://authorize which is fine for most use-cases. If you however are required to use the HAIP OID4VC profile, you need to update the value as follows: haip://
  • responseMode - should be direct_post as the other options are not yet supported.
  • successRedirectUri (optional) - is used to redirect the user if verification is successful. You can use the $id placeholder to get access to the id of verification session in your application in order to retrieve the verification results. E.g. /success?id=$id will be replaced with /success?id=1234567890
  • errorRedirectUri (optional) - is used to redirect the user if verification is unsuccessful. You can use the $id placeholder to get access to the id of verification session in your application in order to retrieve the verification results. E.g. /error?id=$id will be replaced with /error?id=1234567890
  • statusCallbackUri (optional) - URL that should be called when the presentation request has been fulfilled by a wallet. The request sent will be a POST including the whole presentation result. See Verification Status Policies Response
  • statusCallbackApiKey (optional) - If the endpoint you provide via statusCallbackUri is protected, you can use the statusCallbackApiKey to authenticate. The provided key will be appended as Authorization Header to the request.
  • stateId (optional) - overwrite the unique state value which gets created for each verification request with your own.
  • openId4VPProfile (optional) - Define profile for VP (Verifiable Presentation) request. The default is W3C OpenID4VP, which can optionally provided as DEFAULT. Apart from that, you can choose from the following options:
    • HAIP: For the OID4VC HAIP profile.
    • EBSIV3: For EBSI V3 compliant VP. Learn more here.
    • ISO_18013_7_MDOC: For mdoc Openid4VP.

Body Parameters

  • vp_policies - Policies applied to the Verifiable Presentation. A list of policies can be found here
  • vc_policies - Policies applied to all requested credentials. A list of policies can be found here.
  • request_credentials - An array of objects detailing the credentials to be requested from the user. Each object varies based on the type of credential being requested.
    Expand To Learn More

    Below are the possible credential types and their respective object structures:

    1. SD-JWT VC Credential (IETF Standard)
    • vct: Specifies the type of credential (e.g., https://issuer.com/identity_credential). This maps to the vct attribute in the SD-JWT VC credential.
    • format: Describes the format of the credential. For SD-JWT VC credentials, this would be vc+sd-jwt.: Describes the format of the credential. For SD-JWT VC credentials, this would be vc+sd-jwt.
      { "vct": "test.com/identity_credential", "format": "vc+sd-jwt" }
      
    1. W3C JWT Credential
    • type Specifies the type of credential (e.g., VerifiableID, VerifiableDiploma). This maps to the type attribute in W3C credentials.
    • format: Describes the format of the credential. For W3C JWT credentials, this would be jwt_vc_json.
      { "type": "ProofOfResidence", "format": "jwt_vc_json" }
      
    1. mDL Credential (ISO/IEC 18013-5)
    • doc_type: Specifies the type of credential (e.g., org.iso.18013.5.1.mDL). This maps to the doc_type attribute of the mdoc document.
    • format: Describes the format of the credential. For mDL credentials, this would be mso_mdoc.
      { "doc_type": "org.iso.18013.5.1.mDL", "format": "mso_mdoc" }
      

    Optional Parameters
    Next to describing the type and format of the credential, the objects also take an optional policies and id attribute

    • policies: An array of policies to apply to the specified credential. A list of all policies can be found here.
    • id: Used to set a specific id for the generated Presentation Definition. If not set, the verifier API auto-assigns a generated one.

    Full Examples

     {
      "vct": "ProofOfResidence",
      "format": "vc+sd-jwt",
      "policies": [
        "schema",
        {
          "policy": "webhook",
          "args": "https://example.org/abc/xyz"
        }
      ],
      "id": "test123"
     }
    

Example Verification Request 2 - Defining VC/VP Policies

Please note that if you are using the HAIP profile, you cannot specify custom policies at this point.


In this example, we're not only specifying the types of credentials to verify, but also defining specific policies that should be executed upon their verification. These include Verifiable Credential (VC) policies applied to credentials, or Verifiable Presentation (VP) policies applied to the VP. The default policy applied for both VP and VC(s) is the signature policy. A list of available policies can be found here.

It's important to note that VC policies, once defined, are applied globally - that is, they are enacted on all requested credentials within the scope of the verification. In a subsequent section, we'll delve into how to customize and apply specific policies to individual credentials.

We will now specify these in the verification request alongside the request_credentials parameter (previously explained) using vc_policies and vp_policies. These represent lists of policies - either one, or both, can be provided. The structure for both is identical.

VC and VP policies are formatted as lists: the policy can be represented as a string if no arguments are required, or as an object if arguments are needed.

Example Polices

[
  "signature",
  // policy without argument
  "expired",
  // policy without argument
  "not-before",
  // policy without argument
  {
    "policy": "webhook",
    "args": "https://example.org/abc/xyz"
  }
  // policy with argument
]

Initiation Request

CURL
curl -X 'POST' \
  'https://verifier.portal.walt.id/openid4vc/verify' \
  -H 'accept: */*' \
  -H 'authorizeBaseUrl: openid4vp://authorize' \
  -H 'responseMode: direct_post' \
  -H 'successRedirectUri: https://example.com/success?id=$id' \
  -H 'errorRedirectUri: https://example.com/error?id=$id' \
  -H 'statusCallbackUri: https://example.com/verificationResult' \
  -H 'statusCallbackApiKey: myAPIKey' \
  -H 'stateId: myUniqueStateValue' \
  -H 'Content-Type: application/json' \
  -d '{
      "vp_policies": ["signature", "expired", "not-before"],
      "vc_policies": ["signature", "expired", "not-before",
       {"policy": "webhook", "args": "https://example.org/abc/xyz"}],
      "request_credentials": [
       { "vct": "VerifiableDiploma", "format": "vc+sd-jwt" }
      ]
   }'

Header Parameters

  • authorizeBaseUrl - is used to modify the start of the OID4VC request URL. If you are using the cross-device flow, where you will display the URL as a QR code, you can leave the value as openid4vp://authorize or if you don't know the wallet the user will be using to claim the credential. If you are using the same device flow, where you already know the user's wallet and want the user to be able to go directly to it, you can use the wallet URL path that is able to receive an OIDC request as a query parameter. Our wallet for example can receive OID4VC requests here https://wallet.walt.id//wallet-api/wallet/{wallet}/exchange/useOfferRequest.
  • responseMode - should be direct_post as the other options are not yet supported.
  • successRedirectUri (optional) - is used to redirect the user if verification is successful. You can use the $id placeholder to get access to the id of verification session in your application in order to retrieve the verification results. E.g. /success?id=$id will be replaced with /success?id=1234567890
  • errorRedirectUri (optional) - is used to redirect the user if verification is unsuccessful. You can use the $id placeholder to get access to the id of verification session in your application in order to retrieve the verification results. E.g. /error?id=$id will be replaced with /error?id=1234567890
  • statusCallbackUri (optional) - URL that should be called when the presentation request has been fulfilled by a wallet. The request sent will be a POST including the whole presentation result. See Verification Status Policies Response
  • statusCallbackApiKey (optional) - If the endpoint you provide via statusCallbackUri is protected, you can use the statusCallbackApiKey to authenticate. The provided key will be appended as Authorization Header to the request.
  • stateId (optional) - overwrite the unique state value which gets created for each verification request with your own.
  • openId4VPProfile (optional) - Define profile for VP (Verifiable Presentation) request. The default is W3C OpenID4VP, which can optionally provided as DEFAULT. Apart from that, you can choose from the following options:
    • HAIP: For the OID4VC HAIP profile.
    • EBSIV3: For EBSI V3 compliant VP. Learn more here.
    • ISO_18013_7_MDOC: For mdoc Openid4VP.

Body Parameters

  • vp_policies - Policies applied to the Verifiable Presentation. A list of policies can be found here
  • vc_policies - Policies applied to all requested credentials. A list of policies can be found here.
  • request_credentials - An array of objects detailing the credentials to be requested from the user. Each object varies based on the type of credential being requested.
    Expand To Learn More

    Below are the possible credential types and their respective object structures:

    1. SD-JWT VC Credential (IETF Standard)
    • vct: Specifies the type of credential (e.g., https://issuer.com/identity_credential). This maps to the vct attribute in the SD-JWT VC credential.
    • format: Describes the format of the credential. For SD-JWT VC credentials, this would be vc+sd-jwt.: Describes the format of the credential. For SD-JWT VC credentials, this would be vc+sd-jwt.
      { "vct": "test.com/identity_credential", "format": "vc+sd-jwt" }
      
    1. W3C JWT Credential
    • type Specifies the type of credential (e.g., VerifiableID, VerifiableDiploma). This maps to the type attribute in W3C credentials.
    • format: Describes the format of the credential. For W3C JWT credentials, this would be jwt_vc_json.
      { "type": "ProofOfResidence", "format": "jwt_vc_json" }
      
    1. mDL Credential (ISO/IEC 18013-5)
    • doc_type: Specifies the type of credential (e.g., org.iso.18013.5.1.mDL). This maps to the doc_type attribute of the mdoc document.
    • format: Describes the format of the credential. For mDL credentials, this would be mso_mdoc.
      { "doc_type": "org.iso.18013.5.1.mDL", "format": "mso_mdoc" }
      

    Optional Parameters
    Next to describing the type and format of the credential, the objects also take an optional policies and id attribute

    • policies: An array of policies to apply to the specified credential. A list of all policies can be found here.
    • id: Used to set a specific id for the generated Presentation Definition. If not set, the verifier API auto-assigns a generated one.

    Full Examples

     {
      "vct": "ProofOfResidence",
      "format": "vc+sd-jwt",
      "policies": [
        "schema",
        {
          "policy": "webhook",
          "args": "https://example.org/abc/xyz"
        }
      ],
      "id": "test123"
     }
    

Upon execution, the system generates a URL, which can be shared directly with users or displayed as a QR code.

Example Verification Request 3: Applying Policies to Specific Credentials

Please note that if you are using the HAIP profile, you cannot specify custom policies at this point.


In this example, which builds up on the previous ones, we'll demonstrate how to apply specific policies to a distinct credential in the verification process. This is achieved by specifying next to the required credential type and format, the policies that should be applied as an array in the credential specification object which goes into the requested_credentials array. A list of supported policies can be found here.

Here's how it looks in practice:

{
  "vp_policies": [
    "signature",
    "expired"
  ],
  "vc_policies": [
    "signature",
    "expired"
  ],
  "request_credentials": [
    {
      "vct": "VerifiableId",
      "format": "vc+sd-jwt"
    },
    {
      "vct": "ProofOfResidence",
      "format": "vc+sd-jwt"
    },
    {
      "vct": "OpenBadgeCredential",
      "format": "vc+sd-jwt"
      "policies": [
        "signature",
        {
          "policy": "webhook",
          "args": "https://example.org/abc/xyz"
        }
      ]
    }
  ]
}

In this code snippet, we extended the regular credential specification object that goes into request_credentials to include policies that should be applied only to the "OpenBadgeCredential". The first policy "signature" doesn't require any arguments and can therefore be provided as a string. The "webhook" policy does require an argument and is therefore provided as an object. A list of different types of policies and their required arguments can be found here.

Meanwhile, the other requested credentials, "VerifiableId" and "ProofOfResidence", don't specify and custom policies, meaning they will be verified against the globally defined "vp_policies" and "vc_policies".

Initiation Request

CURL
curl -X 'POST' \
'https://verifier.portal.walt.id/openid4vc/verify' \
-H 'accept: */*' \
-H 'authorizeBaseUrl: openid4vp://authorize' \
-H 'responseMode: direct_post' \
-H 'successRedirectUri: https://example.com/success?id=$id' \
-H 'errorRedirectUri: https://example.com/error?id=$id' \
-H 'statusCallbackUri: https://example.com/verificationResult' \
-H 'statusCallbackApiKey: myAPIKey' \
-H 'stateId: myUniqueStateValue' \
-H 'Content-Type: application/json' \
-d '{
  "vp_policies": [
    "signature",
    "expired"
  ],
  "vc_policies": [
    "signature",
    "expired"
  ],
  "request_credentials": [
    {
      "vct": "VerifiableId",
      "format": "vc+sd-jwt"
    },
    {
      "vct": "ProofOfResidence",
      "format": "vc+sd-jwt"
    },
    {
      "vct": "OpenBadgeCredential",
      "format": "vc+sd-jwt"
      "policies": [
        "signature",
        {
          "policy": "webhook",
          "args": "https://example.org/abc/xyz"
        }
      ]
    }
  ]
}'

Header Parameters

  • authorizeBaseUrl - is used to modify the start of the OID4VC request URL. If you are using the cross-device flow, where you will display the URL as a QR code, you can leave the value as openid4vp://authorize or if you don't know the wallet the user will be using to claim the credential. If you are using the same device flow, where you already know the user's wallet and want the user to be able to go directly to it, you can use the wallet URL path that is able to receive an OIDC request as a query parameter. Our wallet for example can receive OID4VC requests here https://wallet.walt.id//wallet-api/wallet/{wallet}/exchange/useOfferRequest.
  • responseMode - should be direct_post as the other options are not yet supported.
  • successRedirectUri (optional) - is used to redirect the user if verification is successful. You can use the $id placeholder to get access to the id of verification session in your application in order to retrieve the verification results. E.g. /success?id=$id will be replaced with /success?id=1234567890
  • errorRedirectUri (optional) - is used to redirect the user if verification is unsuccessful. You can use the $id placeholder to get access to the id of verification session in your application in order to retrieve the verification results. E.g. /error?id=$id will be replaced with /error?id=1234567890
  • statusCallbackUri (optional) - URL that should be called when the presentation request has been fulfilled by a wallet. The request sent will be a POST including the whole presentation result. See Verification Status Policies Response
  • statusCallbackApiKey (optional) - If the endpoint you provide via statusCallbackUri is protected, you can use the statusCallbackApiKey to authenticate. The provided key will be appended as Authorization Header to the request.
  • stateId (optional) - overwrite the unique state value which gets created for each verification request with your own.
  • openId4VPProfile (optional) - Define profile for VP (Verifiable Presentation) request. The default is W3C OpenID4VP, which can optionally provided as DEFAULT. Apart from that, you can choose from the following options:
    • HAIP: For the OID4VC HAIP profile.
    • EBSIV3: For EBSI V3 compliant VP. Learn more here.
    • ISO_18013_7_MDOC: For mdoc Openid4VP.

Body Parameters

  • vp_policies - Policies applied to the Verifiable Presentation. A list of policies can be found here
  • vc_policies - Policies applied to all requested credentials. A list of policies can be found here.
  • request_credentials - An array of objects detailing the credentials to be requested from the user. Each object varies based on the type of credential being requested.
    Expand To Learn More

    Below are the possible credential types and their respective object structures:

    1. SD-JWT VC Credential (IETF Standard)
    • vct: Specifies the type of credential (e.g., https://issuer.com/identity_credential). This maps to the vct attribute in the SD-JWT VC credential.
    • format: Describes the format of the credential. For SD-JWT VC credentials, this would be vc+sd-jwt.: Describes the format of the credential. For SD-JWT VC credentials, this would be vc+sd-jwt.
      { "vct": "test.com/identity_credential", "format": "vc+sd-jwt" }
      
    1. W3C JWT Credential
    • type Specifies the type of credential (e.g., VerifiableID, VerifiableDiploma). This maps to the type attribute in W3C credentials.
    • format: Describes the format of the credential. For W3C JWT credentials, this would be jwt_vc_json.
      { "type": "ProofOfResidence", "format": "jwt_vc_json" }
      
    1. mDL Credential (ISO/IEC 18013-5)
    • doc_type: Specifies the type of credential (e.g., org.iso.18013.5.1.mDL). This maps to the doc_type attribute of the mdoc document.
    • format: Describes the format of the credential. For mDL credentials, this would be mso_mdoc.
      { "doc_type": "org.iso.18013.5.1.mDL", "format": "mso_mdoc" }
      

    Optional Parameters
    Next to describing the type and format of the credential, the objects also take an optional policies and id attribute

    • policies: An array of policies to apply to the specified credential. A list of all policies can be found here.
    • id: Used to set a specific id for the generated Presentation Definition. If not set, the verifier API auto-assigns a generated one.

    Full Examples

     {
      "vct": "ProofOfResidence",
      "format": "jwt_vc_json",
      "policies": [
        "schema",
        {
          "policy": "webhook",
          "args": "https://example.org/abc/xyz"
        }
      ],
      "id": "test123"
     }
    

Upon execution, the system generates a URL, which can be shared directly with users or displayed as a QR code.

Example Verification Request 4: Implementing a Custom Presentation Definition

In this example, we'll explore how you can provide your own input_descriptor that will be merged with the autogenerated presentation definition. You can specify your custom input_descriptor for the presentation definition via an object in the request_credentials array, see example blow.

Important: Please provide also provide an id in the input_descriptor object.

Example

{
  "vp_policies": [
    ...
  ],
  "vc_policies": [
    ...
  ],
  "request_credentials": [
    { "vct": "VerifiableId", "format": "vc+sd-jwt" },
    {
      "format": "vc+sd-jwt",
      "vct": "https://issuer.com/identity_credential",
      "input_descriptor": {
        "id": "234",
        "constraints": {
          "fields": [
            {
              "path": [
                "$.birthdate"
              ],
              "filter": {
                "type": "string",
                "pattern": ".*"
              }
            }
          ]
        }
      }
    }
  ]
}

On execution the verifier API will auto-generate the input descriptor for the VerifiableId credential that we specified via the regular object and merge it with our custom input descriptor of the identity_credential to form the final presentation definition.

When using the input_descriptor make sure to also provide the presentation-definition policy in the vp_policies array to ensure the constraints specified are checked during verification.

Presenting the Credential via walt.id Wallet

Using the URL returned by the verification request, we can fulfill the request using the hosted wallet by walt.id. Either show the URL as QR code and scan it with a camera or provide the URL as is in the text field below the camera once you click on "Scan to receive or present credentials" in the web wallet credentials overview page in the top right corner.

Retrieving the Verification Status

After the user presents the credential(s), you can verify the status by performing the following call with the state value obtained from the URL query params you shared with the user previously.

Example

openid4vp://authorize?...state=a07bdb17-7d87-4965-9296-1adefcaaddd9...

Making the call to receive the verification result

curl -X 'GET' \
  'https://verifier.portal.walt.id/openid4vc/session/$state' \
  -H 'accept: */*'

Verification Status Policies Response

The response of the verification status call will contain the status of the verification policies applied to the credential(s) presented by the user. The policy results will be in the following format:

{
  "verificationResult": true,
  "policyResults": {
    "results": [
      {
        "credential": "VerifiableDiploma",
        "policies": [
          {
            "policy": "signature",
            "is_success": true
          }
        ]
      }
    ]
  }
}

The verificationResult field will be true if all policies were successful, otherwise it will be false.

The policyResults field will contain the results of the policies applied to each credential. The credential field will contain the name of the credential, and the policies field will contain the results of the policies applied to the credential. The policy field will contain the name of the policy, and the is_success field will contain the result of the policy.