Credentials & Trust
VDX manages the full credential lifecycle, from schema design through issuance, wallet storage, selective disclosure presentation, and verification against trusted issuers. Organizations control every aspect: what credentials they issue, who can verify them, which trust frameworks govern the process, and how credentials integrate with their authorization infrastructure.
Credential Design & Issuance
The Credential Designer is a visual tool for defining credential schemas. Administrators specify which claims to include, which are mandatory, which support selective disclosure, and what display metadata (names, descriptions, icons, colors) wallets should present to users. No code is required: schemas are defined through the admin portal and published as OID4VCI credential configurations.
Issuer Management handles the operational side. Each issuer has its own DID, signing keys, and issuance policies. Multiple issuers can operate within a single tenant, useful when different departments issue different credential types. The platform tracks the full credential lifecycle: issuance events, usage, expiration, and revocation.
Supported Formats
| Format | Standard | Key feature |
|---|---|---|
| SD-JWT VC | IETF | Selective disclosure, holder chooses which claims to reveal per presentation |
| mDL / mdoc | ISO 18013-5/7 | CBOR-based mobile documents, mobile driving license, national ID |
| W3C VC | W3C | JSON-LD and JWT with Linked Data Proofs, broadest ecosystem compatibility |
All three formats are supported for both issuance and verification. The claims mapping service translates between formats automatically, so an mdoc credential can be verified against the same requirements as an SD-JWT credential.
Verification
The Verifier Management console defines what credentials your organization accepts. Verification requirements are configured per resource or service:
- A building entrance requires a student credential from a specific university
- A financial service requires a government-issued PID with eIDAS high assurance
- A conference registration accepts any of three credential types from trusted issuers
Requirements can be composed: "present A AND B" or "present A OR B." The platform supports DCQL (Digital Credentials Query Language) for complex credential set matching where multiple credentials from different issuers are evaluated together.
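The AND/OR composition above, worked through as an added example (not VDX code): it implements a small subset of the DCQL query shape from OpenID4VP (credential queries with format, meta and claim-path filters, plus credential_sets whose options express "A AND B" and "A OR B OR C") against constructed wallet contents. Issuer trust is checked before any claim matching, so an untrusted credential can never satisfy a query. The wallet entries, DIDs and query ids are all constructed.

```python
"""Simplified DCQL-style credential set matching (added example, not VDX code)."""

# Constructed wallet: credentials already parsed into format, type identifier, issuer and claims.
WALLET = [
    {
        "format": "dc+sd-jwt",
        "vct": "https://example.edu/credentials/student",
        "issuer": "did:web:example.edu",
        "claims": {"given_name": "Ada", "enrolled": True},
    },
    {
        "format": "mso_mdoc",
        "doctype": "org.iso.18013.5.1.mDL",
        "issuer": "did:web:dmv.example",
        "claims": {"org.iso.18013.5.1": {"family_name": "Lovelace", "age_over_18": True}},
    },
]

# "present A AND B": a single option that needs both credential queries satisfied.
ENTRANCE_QUERY = {
    "credentials": [
        {"id": "student", "format": "dc+sd-jwt",
         "meta": {"vct_values": ["https://example.edu/credentials/student"]},
         "claims": [{"path": ["enrolled"], "values": [True]}]},
        {"id": "mdl", "format": "mso_mdoc",
         "meta": {"doctype_value": "org.iso.18013.5.1.mDL"},
         "claims": [{"path": ["org.iso.18013.5.1", "age_over_18"], "values": [True]}]},
    ],
    "credential_sets": [{"options": [["student", "mdl"]]}],
}

# "present A OR B OR C": three single-credential options; the first satisfiable one is used.
CONFERENCE_QUERY = {
    "credentials": [
        {"id": "pid", "format": "dc+sd-jwt", "meta": {"vct_values": ["urn:eudi:pid:1"]}},
        ENTRANCE_QUERY["credentials"][0],
        ENTRANCE_QUERY["credentials"][1],
    ],
    "credential_sets": [{"options": [["pid"], ["student"], ["mdl"]]}],
}


def get_path(claims, path):
    """Walk a DCQL claims path (list of keys) into nested claims; None if absent."""
    current = claims
    for key in path:
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def credential_matches(query, cred):
    """Does one credential satisfy one credential query (format, meta, claims)?"""
    if query["format"] != cred["format"]:
        return False
    meta = query.get("meta", {})
    if "vct_values" in meta and cred.get("vct") not in meta["vct_values"]:
        return False
    if "doctype_value" in meta and cred.get("doctype") != meta["doctype_value"]:
        return False
    for claim in query.get("claims", []):
        value = get_path(cred["claims"], claim["path"])
        if value is None:
            return False
        if "values" in claim and value not in claim["values"]:
            return False
    return True


def evaluate(dcql, wallet, trusted_issuers):
    """Return (satisfied, selected credentials keyed by credential query id)."""
    matches = {}
    for query in dcql["credentials"]:
        for cred in wallet:
            # Issuer trust gates everything: untrusted credentials are never candidates.
            if cred["issuer"] in trusted_issuers and credential_matches(query, cred):
                matches[query["id"]] = cred
                break
    sets = dcql.get("credential_sets")
    if sets is None:  # no credential_sets: every credential query is required
        return all(q["id"] in matches for q in dcql["credentials"]), matches
    selected = {}
    for cset in sets:
        option = next((o for o in cset["options"] if all(i in matches for i in o)), None)
        if option is None:
            if cset.get("required", True):
                return False, {}
            continue
        for cid in option:
            selected[cid] = matches[cid]
    return True, selected


if __name__ == "__main__":
    trusted = {"did:web:example.edu", "did:web:dmv.example"}
    print(evaluate(ENTRANCE_QUERY, WALLET, trusted)[0])
    print(sorted(evaluate(CONFERENCE_QUERY, WALLET, {"did:web:example.edu"})[1]))
```

The same wallet satisfies the entrance query only when both issuers are trusted, and satisfies the conference query with just the student credential when the PID is absent and the driving license issuer is not on the trusted list.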
Verification works in two modes:
Online: real-time OID4VP flow with QR code or deep link. The user presents credentials from their wallet, and the platform verifies signatures, holder binding, issuer trust, and credential status in real time.
Offline: signature validation against cached trust material. For environments without reliable connectivity (kiosks, border control, field verification), the platform validates cryptographic signatures locally using pre-fetched trusted issuer keys.
Trust Establishment
Credentials are only as valuable as your trust in the issuer. VDX supports multiple trust frameworks, configurable per tenant:
| Framework | What it provides |
|---|---|
| ETSI TS 119 612/602 | EU Trusted Lists, automatic resolution and validation against EU member state trust service provider lists |
| OpenID Federation | Trust chain resolution for federated identity ecosystems |
| DID-based trust | Configurable trusted issuer DID lists per credential type and tenant |
| X.509 PKI | Certificate chain validation with CA bundles and fingerprint matching |
Trust configuration is tenant-scoped: each organization defines which issuers it trusts for which credential types, without affecting other tenants on the same platform.
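The pieces described above (SD-JWT selective disclosure, offline signature validation against pre-fetched issuer keys, and a per-tenant, per-credential-type trusted issuer list) combined in one added example. This is not VDX code. Assumptions: HMAC-SHA256 with a pre-shared secret stands in for the issuer's asymmetric signature (typically ES256) so the example runs on the standard library alone, which means the cached "key" plays the role of the issuer's public key; holder binding (the key-binding JWT) and revocation status, which need the online path, are omitted; tenant names, DIDs and the credential type URL are constructed.

```python
"""SD-JWT selective disclosure verified offline against tenant-scoped trust material.

Added example, not VDX code. HS256 with a shared secret stands in for the issuer's
ES256 signature (assumption); the cached key thus models the issuer's public key.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def disclosure_digest(disclosure: str) -> str:
    # Per SD-JWT: SHA-256 over the ASCII bytes of the base64url disclosure string
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims, disclosable, issuer, vct, key, now):
    """Issuer side: return (sd_jwt, {claim name: disclosure})."""
    disclosures = {  # each disclosure is base64url([salt, name, value])
        name: b64url(json.dumps([b64url(secrets.token_bytes(16)), name, claims[name]]).encode())
        for name in disclosable
    }
    payload = {name: value for name, value in claims.items() if name not in disclosable}
    payload.update({
        "iss": issuer, "vct": vct, "iat": now, "exp": now + 3600, "_sd_alg": "sha-256",
        "_sd": sorted(disclosure_digest(d) for d in disclosures.values()),
    })
    header = {"alg": "HS256", "typ": "dc+sd-jwt"}  # HS256 stands in for ES256 (assumption)
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    signature = b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    return signing_input + "." + signature, disclosures


def present(sd_jwt, disclosures, reveal):
    """Holder side: attach only the chosen disclosures (<jwt>~<d1>~...~<dn>~)."""
    return "~".join([sd_jwt, *(disclosures[name] for name in reveal)]) + "~"


# Constructed tenant-scoped trust configuration: tenant -> credential type -> trusted issuer DIDs
TENANT_TRUST = {
    "campus-tenant": {"https://example.edu/credentials/student": {"did:web:example.edu"}},
    "bank-tenant": {"urn:eudi:pid:1": {"did:web:pid.example"}},
}
# Constructed cache of pre-fetched trust material: issuer DID -> (pinned alg, key)
ISSUER_KEY = b"constructed-issuer-secret"
CACHED_KEYS = {"did:web:example.edu": ("HS256", ISSUER_KEY)}


def verify(presentation, tenant, now, trust=TENANT_TRUST, keys=CACHED_KEYS):
    """Verifier side, offline: return (claims, "ok") or (None, reason)."""
    parts = presentation.split("~")
    sd_jwt, disclosures = parts[0], [p for p in parts[1:] if p]
    header_b64, payload_b64, signature_b64 = sd_jwt.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    issuer, vct = payload.get("iss"), payload.get("vct")
    # 1. Trust is scoped per tenant and per credential type
    if issuer not in trust.get(tenant, {}).get(vct, set()):
        return None, "issuer not trusted for this credential type in this tenant"
    # 2. Signature against cached trust material; the alg is pinned, never taken from the token
    if issuer not in keys:
        return None, "no cached key for issuer"
    alg, key = keys[issuer]
    if header.get("alg") != alg:
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return None, "bad signature"
    # 3. Validity window (revocation status would need the online path)
    if not payload["iat"] <= now < payload["exp"]:
        return None, "outside validity window"
    # 4. Every disclosure must hash to a digest the issuer committed to in _sd
    committed = set(payload.get("_sd", []))
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for disclosure in disclosures:
        if disclosure_digest(disclosure) not in committed:
            return None, "disclosure not bound to this credential"
        _salt, name, value = json.loads(b64url_decode(disclosure))
        claims[name] = value
    return claims, "ok"


if __name__ == "__main__":
    now = 1_700_000_000
    token, discl = issue({"given_name": "Ada", "family_name": "Lovelace", "enrolled": True},
                         ["given_name", "family_name"], "did:web:example.edu",
                         "https://example.edu/credentials/student", ISSUER_KEY, now)
    print(verify(present(token, discl, ["given_name"]), "campus-tenant", now + 60))
    print(verify(present(token, discl, ["given_name"]), "bank-tenant", now + 60))
```

The order of the checks matters: issuer trust is resolved from the tenant's configuration before any cryptography runs, the algorithm is pinned from the cached material rather than read from the token header, and a disclosure whose value was altered fails the digest check because the issuer committed to the salted hash of the original.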
Device & Kiosk Verification
VDX extends credential verification to physical devices: reception kiosks, access terminals, event check-in tablets, and NFC readers.
The Mobile RP SDK enables building relying party experiences on mobile devices. NFC proximity verification supports ISO 18013-5 flows for mDL and other mdoc credentials. Devices can operate in online mode (connected to VDX) or offline mode (validating locally against cached trust material).
Device Management tracks which devices are authorized, their last-known status, firmware versions, and which verification policies apply to each device or device group. Push verification initiates the flow from the device: a reception kiosk starts the verification when it detects a visitor, rather than waiting for the user to trigger it.
Authorization Server
The VDX Security Token Service (STS) integrates credential-based authentication with standard OAuth2/OIDC infrastructure.
RFC 8693 Token Exchange: tokens from any authentication source (wallet VP, institutional OIDC, Azure AD, Keycloak) are exchanged for uniform STS tokens with standardized claims. Enterprise applications keep using standard OIDC tokens, so no code changes are needed.
Identity Broker: connects upstream OIDC providers while maintaining control over token issuance. Unlike direct federation, the broker preserves issuer_state for OID4VCI correlation, which is critical for credential issuance flows that span multiple authentication steps.
Claims Mapping: translates between credential formats and OIDC claims output, with provenance tracking that records which credentials contributed each claim. Output includes a verified_claims structure per OIDC Identity Assurance, so downstream consumers know what was verified, how, and to what assurance level.
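The token exchange and claims mapping described above, as one added example that is not VDX code. An STS handles an RFC 8693 request whose subject token is either a wallet presentation already checked by the verifier or an upstream OIDC id_token, maps claims from whatever credentials sat behind it onto a uniform claim set, and emits a payload in which claims that came from a verified credential sit under verified_claims (OIDC Identity Assurance, grouped by trust framework and assurance level) together with a provenance record per claim. Assumptions: the subject tokens are looked up in a constructed table of already-validated results; urn:example:token-type:vp is a placeholder, since RFC 8693 registers no VP token type; claim_provenance and did_trust_list are hypothetical names; the access token is returned as its unsigned payload, signing being out of scope here.

```python
"""RFC 8693 token exchange with claims mapping and OIDC Identity Assurance output.

Added example, not VDX code. Subject tokens are resolved from a constructed table
of already-validated results; the STS token is returned as an unsigned payload.
"""
from datetime import datetime, timezone

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
VP_TYPE = "urn:example:token-type:vp"  # placeholder, not a registered RFC 8693 type

# Constructed: validated subject tokens. trust_framework None means "not a verified credential".
VALIDATED = {
    "vp-123": {"type": VP_TYPE, "subject": "holder-9", "credentials": [
        {"vct": "urn:eudi:pid:1", "issuer": "did:web:pid.example",
         "trust_framework": "eidas", "assurance_level": "high",
         "claims": {"given_name": "Ada", "family_name": "Lovelace"}},
        {"vct": "https://example.edu/credentials/student", "issuer": "did:web:example.edu",
         "trust_framework": "did_trust_list", "assurance_level": None,  # hypothetical name
         "claims": {"student_id": "s-42", "given_name": "A."}},
    ]},
    "idt-456": {"type": ID_TOKEN_TYPE, "subject": "u-7", "credentials": [
        {"vct": "oidc:id_token", "issuer": "https://login.example.edu",
         "trust_framework": None, "assurance_level": None,
         "claims": {"email": "ada@example.edu", "given_name": "Ada"}},
    ]},
}

# Claims mapping: output claim -> source candidates in priority order (credential type, claim name)
MAPPING = {
    "given_name": [("urn:eudi:pid:1", "given_name"), ("oidc:id_token", "given_name"),
                   ("https://example.edu/credentials/student", "given_name")],
    "family_name": [("urn:eudi:pid:1", "family_name")],
    "email": [("oidc:id_token", "email")],
    "student_id": [("https://example.edu/credentials/student", "student_id")],
}


def token_exchange(form, now, validated=VALIDATED, mapping=MAPPING):
    """Handle one token-exchange request; `form` holds the request parameters as a dict."""
    if form.get("grant_type") != TOKEN_EXCHANGE:
        return {"error": "unsupported_grant_type"}
    entry = validated.get(form.get("subject_token"))
    if entry is None or entry["type"] != form.get("subject_token_type"):
        return {"error": "invalid_request", "error_description": "unknown subject token"}
    if form.get("requested_token_type", JWT_TYPE) != JWT_TYPE:
        return {"error": "invalid_request", "error_description": "unsupported requested_token_type"}

    payload = {"iss": "https://sts.example", "sub": entry["subject"], "iat": now, "exp": now + 900}
    verified = {}    # (trust_framework, assurance_level) -> claims verified under it
    provenance = {}  # output claim -> which credential and issuer supplied it
    for out_claim, candidates in mapping.items():
        for vct, name in candidates:
            cred = next((c for c in entry["credentials"] if c["vct"] == vct and name in c["claims"]), None)
            if cred is None:
                continue
            provenance[out_claim] = {"credential": vct, "issuer": cred["issuer"]}
            if cred["trust_framework"] is None:
                payload[out_claim] = cred["claims"][name]  # plain, unverified claim
            else:
                key = (cred["trust_framework"], cred["assurance_level"])
                verified.setdefault(key, {})[out_claim] = cred["claims"][name]
            break  # first candidate in priority order wins
    if verified:
        when = datetime.fromtimestamp(now, timezone.utc).isoformat()
        payload["verified_claims"] = [
            {"verification": {"trust_framework": tf, "time": when,
                              **({"assurance_level": al} if al else {})},
             "claims": claims}
            for (tf, al), claims in verified.items()
        ]
    payload["claim_provenance"] = provenance  # hypothetical claim name
    return {"access_token": payload, "issued_token_type": JWT_TYPE,
            "token_type": "Bearer", "expires_in": 900}


if __name__ == "__main__":
    req = {"grant_type": TOKEN_EXCHANGE, "subject_token": "vp-123", "subject_token_type": VP_TYPE}
    print(token_exchange(req, 1_700_000_000))
```

With the wallet presentation, given_name comes from the PID rather than the student credential because the mapping lists the PID first, and both PID claims land under a verified_claims entry for eidas at high assurance while student_id lands under a separate entry; with the plain id_token there is no verified_claims object at all, so a consumer cannot mistake a broker-relayed claim for a verified one.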