OID4VP
The OpenID for Verifiable Presentations 1.0 implementation in Document Rails lets you handle credential presentations from popular mobile wallets by delegating all protocol details to our service.
Document Rails offers two OID4VP flows: regular and application-delegated.
In the regular flow, Document Rails handles all OID4VP communication and passes the final verification results to your application through outbound webhooks.
In the application-delegated flow, your application receives OID4VP requests from the wallet and forwards them to Document Rails. This flow allows endpoint customization and custom logic within the OID4VP transaction.
Preparation
Credentials
Unlike the regular verification API, the OID4VP API is strictly validated against the credentials and credential variables that exist within your organization.
This helps maintain consistency when validating credentials and presentations, as your application can expect the same resource identifiers to be used across different verification sessions.
Before setting up OID4VP, make sure the necessary credentials exist. For consistency, you may re-use the same credential identifiers you use in your issuance recipes.
Signing keys
The OID4VP specification mandates signed presentation requests. Document Rails automatically signs and encodes generated presentation requests with the configured signing key, but for the user's wallet to verify the public key, you have to configure oid4vp_client_id_prefix on every signing key you plan to use with the OID4VP API.
Document Rails supports the following oid4vp_client_id_prefix values:
- x509_san_dns - the wallet will verify the client_id value against the DNS name provided within the certificate attached to the signing key. To use this method, attach a certificate that contains the DNS name within the subjectAltName section to the signing key.
- decentralized_identifier - the wallet will verify the client_id value against the DID provided as the credential_issuer_vm value within your signing key. To use this method, provide a credential_issuer_vm value when creating the signing key.
import { createKey } from "@vaultie/document-rails";

const response = await createKey(
  client,
  accessToken,
  organizationId,
  {
    // See "Signing keys" documentation for more information about other values.
    // ...
    // OID4VP client identifier prefix (optional).
    //
    // See OID4VP documentation for more information.
    oid4vp_client_id_prefix: "decentralized_identifier"
  }
);
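As an added example (not code from the Document Rails SDK or its documentation), the following pre-flight check confirms that a signing key actually carries the material a wallet will compare the client_id against for the prefix you are about to configure, so a misconfigured key is caught before any presentation request is signed. The key field certificate_san_dns and the "<prefix>:<value>" client_id form are assumptions made for this example.

```javascript
// Added example; not code from the Document Rails SDK or its documentation.
// Pre-flight check to run before setting oid4vp_client_id_prefix on a key:
//   x509_san_dns             -> client_id must be a DNS name in the
//                               certificate's subjectAltName
//   decentralized_identifier -> client_id must be the DID in credential_issuer_vm
// Assumptions: the key is a plain object with the fields used below, and
// client_id has the form "<prefix>:<value>" (OID4VP 1.0 syntax).

const PREFIX_CHECKS = {
  x509_san_dns(key, value) {
    const sans = (key.certificate_san_dns || []).map((d) => d.toLowerCase());
    if (sans.length === 0) return "no certificate with a subjectAltName DNS entry on the key";
    return sans.includes(value.toLowerCase())
      ? null
      : `DNS name ${value} is not in subjectAltName [${sans.join(", ")}]`;
  },
  decentralized_identifier(key, value) {
    const vm = key.credential_issuer_vm;
    if (!vm) return "no credential_issuer_vm on the key";
    const did = vm.split("#")[0]; // drop the verification-method fragment
    if (!did.startsWith("did:")) return `credential_issuer_vm ${vm} is not a DID URL`;
    return did === value ? null : `client_id DID ${value} does not match ${did}`;
  },
};

// Returns { ok, reason }; ok is true only when the wallet can verify client_id.
function checkClientId(key, clientId) {
  const sep = clientId.indexOf(":");
  if (sep === -1) return { ok: false, reason: "client_id carries no prefix" };
  const prefix = clientId.slice(0, sep);
  const value = clientId.slice(sep + 1);
  if (!Object.prototype.hasOwnProperty.call(PREFIX_CHECKS, prefix)) {
    return { ok: false, reason: `unsupported prefix ${prefix}` };
  }
  if (key.oid4vp_client_id_prefix !== prefix) {
    return { ok: false, reason: `key is configured for ${key.oid4vp_client_id_prefix}, not ${prefix}` };
  }
  const reason = PREFIX_CHECKS[prefix](key, value);
  return { ok: reason === null, reason: reason === null ? "wallet can verify client_id against the key" : reason };
}

// Constructed sample keys (not real Document Rails resources).
const dnsKey = { oid4vp_client_id_prefix: "x509_san_dns", certificate_san_dns: ["Verifier.Example.com"] };
const didKey = { oid4vp_client_id_prefix: "decentralized_identifier", credential_issuer_vm: "did:web:verifier.example.com#key-1" };

console.log(checkClientId(dnsKey, "x509_san_dns:verifier.example.com")); // ok: true
console.log(checkClientId(didKey, "x509_san_dns:verifier.example.com")); // ok: false (prefix mismatch)
```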