OpenID for Verifiable Presentations (OID4VP)
OpenID for Verifiable Presentations (OID4VP) is an OpenID Foundation standard for verifying verifiable credentials. It allows Relying Parties (verifiers) to request and verify cryptographically signed credentials from digital wallets.
Architecture Overview
What is OID4VP?
OID4VP extends OAuth 2.0 to support verification of Verifiable Credentials. Unlike traditional authentication where an Identity Provider vouches for user identity, OID4VP enables wallets to present cryptographically verifiable credentials directly to Relying Parties.
Key characteristics:
- Credential Format Agnostic - Supports SD-JWT VC, mDoc (ISO 18013-5), W3C VCDM, and other formats
- Privacy Preserving - Users control which claims to disclose via selective disclosure
- Decentralized - No central authority required during verification
- Interoperable - Based on open standards from OpenID Foundation
Universal OID4VP API
The Universal OID4VP API is a simplified REST interface that abstracts the complexity of the OID4VP specification. It provides just three endpoints that external systems (websites, CMS plugins, native apps) can use to verify credentials.
| Endpoint | Method | Purpose |
|---|---|---|
| /oid4vp/backend/auth/requests | POST | Create an authorization request session |
| /oid4vp/backend/auth/requests/{id} | GET | Check session status and retrieve verified data |
| /oid4vp/backend/auth/requests/{id} | DELETE | Clean up a completed or abandoned session |
This design enables:
- CMS Integration - WordPress, Drupal, Shopify plugins with a single integration
- Wallet Interoperability - Works with any OID4VP-compliant wallet
- Vendor Neutrality - Swap backend implementations without code changes
Pre-configured Queries
The Universal OID4VP API uses pre-configured credential queries that are set up in the verifier backend. This approach:
- Simplifies integration - Just reference a query_id, no need to understand query syntax
- Centralizes policy - Credential requirements are managed by administrators
- Improves security - Prevents arbitrary credential requests from external systems
Your administrator will provide the available query_id values for your use case (e.g., age_verification, identity_check, license_verification).
Verification Flow
The typical verification flow:
- Create Request - Your backend calls POST /auth/requests with a query_id
- Display QR Code - Show the returned QR code to the user
- Wallet Scans - User scans QR with their wallet app
- Fetch Request - Wallet retrieves the full authorization request via request_uri
- Present Credentials - Wallet submits selected credentials via direct_post
- Get Results - Your backend polls status and retrieves verified claims
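The backend side of this flow (create, poll, always delete) can be sketched as follows. This is an added example, not code from the original page or from the project. The response fields id, qr, status and claims, the status values, the transport seam and FakeBackend are assumptions made for illustration; the paths and the query_id names come from this page.

```python
import time
from urllib.parse import quote

BASE = "/oid4vp/backend/auth/requests"   # path from the endpoint table
# Example query_id values named on this page; use the ones your administrator provides.
ALLOWED_QUERY_IDS = {"age_verification", "identity_check", "license_verification"}

def verify(transport, query_id, show_qr, max_polls=60, interval_s=2.0, sleep=time.sleep):
    """Run one session; transport(method, path, body) -> (http_status, dict) is hypothetical."""
    if query_id not in ALLOWED_QUERY_IDS:        # never forward caller-chosen ids blindly
        raise ValueError(f"query_id not allowed: {query_id!r}")
    code, session = transport("POST", BASE, {"query_id": query_id})
    if code not in (200, 201):
        raise RuntimeError(f"create failed: HTTP {code}")
    path = f"{BASE}/{quote(str(session['id']), safe='')}"   # ASSUMED response field "id"
    try:
        show_qr(session["qr"])                   # ASSUMED response field "qr"
        for _ in range(max_polls):
            code, body = transport("GET", path, None)
            if code != 200:
                raise RuntimeError(f"status check failed: HTTP {code}")
            state = body.get("status")           # ASSUMED field and values
            if state == "verified":
                return body.get("claims", {})    # ASSUMED field "claims"
            if state == "error":
                raise RuntimeError("presentation rejected by verifier")
            sleep(interval_s)
        raise TimeoutError("no presentation received within the poll budget")
    finally:
        transport("DELETE", path, None)          # clean up on success, error or timeout

class FakeBackend:
    """Constructed in-memory stand-in for the verifier backend (offline demo only)."""
    def __init__(self, states):
        self.states, self.calls = list(states), []
    def __call__(self, method, path, body):
        self.calls.append((method, path))
        if method == "POST":
            return 201, {"id": "sess-1", "qr": "openid4vp://constructed-example"}
        if method == "GET":
            state = self.states.pop(0) if self.states else "pending"
            claims = {"age_over_18": True} if state == "verified" else {}
            return 200, {"status": state, "claims": claims}
        return 204, {}

if __name__ == "__main__":
    backend = FakeBackend(["pending", "pending", "verified"])
    print(verify(backend, "age_verification", show_qr=print, sleep=lambda s: None))
    print(backend.calls[-1])                     # the DELETE that closes the session
```

In a real integration, replace FakeBackend with a wrapper around your HTTP client and take the field names from the Interactive API Docs.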
Supported Credential Formats
| Format | Identifier | Description |
|---|---|---|
| SD-JWT VC | dc+sd-jwt | Selective Disclosure JWT Verifiable Credentials |
| mDoc | mso_mdoc | ISO 18013-5 Mobile Driving License format |
| JWT VC | jwt_vc_json | W3C JWT-encoded Verifiable Credentials |
| LDP VC | ldp_vc | W3C Linked Data Proof Verifiable Credentials |
Security Features
The implementation includes several security mechanisms:
- JAR (JWT-secured Authorization Request) - Requests are signed per RFC 9101
- Holder Binding Verification - Proves the presenter controls the credential
- Response Code Protection - Single-use codes prevent replay attacks
- JARM Support - Encrypted authorization responses for sensitive data
Module Structure
The OID4VP implementation is split across IDK and EDK:
| Layer | Location | Description |
|---|---|---|
| Core Verifier | IDK | idk/lib/openid/oid4vp/verifier - Core verification logic |
| Query Language | IDK | idk/lib/openid/oid4vp/dcql - Query language implementation |
| Universal API | IDK | idk/lib/openid/oid4vp/universal - REST API layer |
| Holder | IDK | idk/lib/openid/oid4vp/holder - Wallet-side implementation |
Next Steps
- Integration Guide - Step-by-step integration tutorial
- Interactive API Docs - Full OpenAPI documentation