OpenID for Verifiable Credential Issuance is a protocol that enables the standardized issuance of verifiable credentials from issuers to digital wallets. Built on OAuth 2.0, it defines a secure API and workflow for requesting, authorizing, and delivering digital credentials in various formats.
The protocol supports multiple credential formats including W3C Verifiable Credentials, ISO mDL, and IETF SD-JWT VC, making it highly flexible for different use cases. It enables both issuer-initiated and wallet-initiated credential issuance flows.
Key features include:
- Support for both synchronous (immediate) and asynchronous (deferred) credential issuance
- Multiple authorization flows including Authorization Code Flow and Pre-Authorized Code Flow
- Cryptographic binding of credentials to holder keys
- Extensible metadata for describing credential types and issuer capabilities
- Optional encryption of credential responses
- Support for batch credential issuance
Core technical components:
Credential Endpoint (required)
- Issues one or more credentials upon presentation of valid access token
- Supports proof of possession for cryptographic binding
Nonce Endpoint (optional)
- Provides fresh nonce values for proof generation
- Helps prevent replay attacks
Deferred Credential Endpoint (optional)
- Enables asynchronous credential delivery
- Used when immediate issuance is not possible
Notification Endpoint (optional)
- Allows wallets to notify issuers about credential status
- Supports success/failure notifications
The specification defines:
- Purpose and Scope:
- Standardized API for verifiable credential issuance
- Framework for secure credential delivery
- Support for multiple credential formats and binding methods
- Key Technical Specifications:
- OAuth 2.0-based authorization
- JWT-based proofs and attestations
- JSON-based metadata and request/response formats
- TLS required for all endpoints
- Implementation Requirements:
- Must implement required Credential Endpoint
- Must support at least one authorization flow
- Must validate all proofs and tokens
- Must implement proper error handling
- Security Considerations:
- Access token protection
- Proof replay prevention
- Transaction code security
- TLS requirements
- Interoperability Features:
- Multiple credential format support
- Extensible metadata
- Standard error codes
- Common proof formats
- Current Status:
- Active development by OpenID Foundation
- Multiple implementations in progress
- Growing adoption in digital identity ecosystem
The specification provides a robust foundation for building interoperable credential issuance systems while maintaining security and privacy.