
OpenID for Verifiable Credential Issuance

An OAuth 2.0-based protocol for issuing verifiable credentials to digital wallets, supporting both W3C VCDM and ISO mDOC formats.

What is OpenID4VCI?

OpenID for Verifiable Credential Issuance (OID4VCI) is an extension to OAuth 2.0 that defines how a Credential Issuer can issue verifiable credentials to a Wallet. It's format-agnostic, supporting W3C VCDM, SD-JWT VC, and ISO mDOC.

OAuth 2.0 Based

Builds on familiar OAuth patterns. Uses access tokens, authorization codes, and well-known metadata.

Format Agnostic

Supports multiple credential formats: JWT, SD-JWT, W3C JSON-LD, ISO mDOC.

Proof of Possession

Wallet proves control of a key during issuance. This key is bound to the credential.

Multiple Flows

Authorization Code flow for user-initiated issuance, Pre-Authorized Code flow for issuer-initiated issuance.

Two Issuance Flows

OID4VCI supports two main flows depending on who initiates the issuance and when user verification happens.

Authorization Code

Standard OAuth flow. User authenticates and consents at the issuer, then the wallet receives the credential.

Best for:

  • Wallet-initiated issuance
  • User identity verification during flow
  • Complex consent requirements

Pre-Authorized Code

The issuer has already verified the user (in person or via an existing account) and provides a code that the wallet exchanges directly.

Best for:

  • Issuer-initiated (QR code, email link)
  • In-person verification already done
  • Simpler user experience

Key Concepts

Credential Offer

A JSON object that describes what credentials are available and how to get them. Can be transmitted via QR code, deep link, or redirect.

Credential Endpoint

The OAuth-protected endpoint where the wallet sends a credential request with an access token and receives the issued credential(s).

c_nonce

A server-provided nonce that the wallet includes in its proof of possession. Ensures freshness and prevents replay attacks.

Proof of Possession

The wallet signs a proof (JWT or CWT) demonstrating control of a private key. The corresponding public key is bound to the issued credential.
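
How c_nonce and proof of possession fit together, as an added example that is not code from this page or from any OID4VCI implementation: the wallet signs a proof JWT over the issuer's c_nonce, and the issuer verifies it and consumes the nonce so a captured proof cannot be replayed. It assumes ES256 with the public key carried in the `jwk` header; the issuer URL, the in-memory nonce store and all function names are illustrative.

```javascript
// Added example; ISSUER, the nonce store and all function names are assumptions.
const nodeCrypto = require("node:crypto");

const ISSUER = "https://issuer.example"; // constructed Credential Issuer identifier
const PROOF_TYP = "openid4vci-proof+jwt";
const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const parse = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Issuer: hand out a c_nonce and remember it until a proof consumes it.
const outstanding = new Set();
function issueNonce() {
  const nonce = nodeCrypto.randomBytes(16).toString("base64url");
  outstanding.add(nonce);
  return nonce;
}

// Wallet: sign a proof JWT over the c_nonce with the key to be bound.
function makeProof(keyPair, cNonce, aud = ISSUER) {
  const jwk = keyPair.publicKey.export({ format: "jwk" });
  const header = { typ: PROOF_TYP, alg: "ES256", jwk };
  const claims = { aud, iat: Math.floor(Date.now() / 1000), nonce: cNonce };
  const input = `${b64u(header)}.${b64u(claims)}`;
  const key = { key: keyPair.privateKey, dsaEncoding: "ieee-p1363" };
  const sig = nodeCrypto.sign("sha256", Buffer.from(input), key);
  return `${input}.${sig.toString("base64url")}`;
}

// Issuer: return the public JWK to bind into the credential, or throw.
function verifyProof(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed proof");
  const [h, c, s] = parts;
  const header = parse(h);
  const claims = parse(c);
  if (header.typ !== PROOF_TYP) throw new Error("wrong typ");
  if (header.alg !== "ES256") throw new Error("unsupported alg"); // allow-list
  if (claims.aud !== ISSUER) throw new Error("wrong audience");
  const { kty, crv, x, y } = header.jwk || {};
  if (kty !== "EC" || crv !== "P-256") throw new Error("unsupported key");
  const pub = nodeCrypto.createPublicKey({ key: { kty, crv, x, y }, format: "jwk" });
  const key = { key: pub, dsaEncoding: "ieee-p1363" };
  const sig = Buffer.from(s, "base64url");
  if (!nodeCrypto.verify("sha256", Buffer.from(`${h}.${c}`), key, sig)) {
    throw new Error("bad signature");
  }
  // Consume the nonce last: only a valid proof can use it, and only once.
  if (!outstanding.delete(claims.nonce)) throw new Error("unknown or replayed c_nonce");
  return { kty, crv, x, y };
}
```

The audience check stops a proof made for one issuer from being accepted by another, and consuming the nonce only after the signature verifies keeps an attacker from burning nonces with junk proofs.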

Supported Credential Formats

OID4VCI is format-agnostic. The issuer's metadata declares which formats are supported.

Format       Identifier     Description
JWT VC       jwt_vc_json    W3C VC as JWT with JSON claims
SD-JWT VC    vc+sd-jwt      Selective disclosure JWT credentials
ISO mDOC     mso_mdoc       ISO 18013-5 mobile documents
JSON-LD VC   ldp_vc         W3C VC with Linked Data Proofs

Real-World Implementations

OpenID4VCI is being adopted by major identity providers and government programs.

Microsoft Entra Verified ID

Microsoft

Enterprise verifiable credentials integrated with Azure AD, using OID4VCI for employee credentials, certifications, and access management.

  • Azure AD integration
  • LinkedIn credential sharing
  • Enterprise compliance

EU Digital Identity Wallet

European Commission

The EUDI Wallet reference implementation uses OID4VCI for credential issuance, supporting SD-JWT VC and mDOC formats.

  • Cross-border interoperability
  • Government-issued credentials
  • Privacy-preserving disclosure

Growing Ecosystem

The OpenID Foundation's certification program ensures interoperability between OID4VCI implementations from different vendors.
