Skip to content
Vidos Logo Vidos

Credential Sets

Credential Sets enable verifiers to express logical requirements across multiple credentials in DCQL queries. They provide the mechanism for combining credential requirements using AND/OR logic, allowing verifiers to specify that certain credentials are mandatory while others are alternatives, or that specific combinations of credentials are required together.

What are credential sets?

Section titled “What are credential sets?”

A credential set is a logical grouping that defines acceptable combinations of credentials. While credential queries define what individual credentials look like, credential sets define how those credentials relate to each other in satisfying the verifier’s requirements.

Without credential sets, DCQL would only support simple lists of credentials. Credential sets transform DCQL into a language capable of expressing complex business rules like “provide Photo ID AND (Utility Bill OR Bank Statement)” or “provide Passport OR (Driver’s License AND Birth Certificate).”

Why credential sets matter

Section titled “Why credential sets matter”

Real-world verification scenarios often require more than a single credential. Consider these examples:

  • Opening a bank account requires proof of identity AND proof of address
  • Boarding a flight requires passport OR national ID
  • Student discount requires student ID AND (enrollment letter OR tuition receipt)
  • Age verification can be satisfied by driver’s license OR passport OR national ID

Credential sets provide the structure to express these requirements in a standardized, machine-readable format that wallets can evaluate automatically.

Structure

Section titled “Structure”

A credential set is a JSON object within the top-level credential_sets array of a DCQL query. Each credential set defines one logical requirement with two fields:

options: A required array where each element is a list of credential query IDs. Each list represents one valid combination of credentials that satisfies the requirement. The wallet must provide credentials matching at least one of these combinations.

required: An optional boolean indicating whether this credential set is mandatory. Defaults to true. When true, the wallet must satisfy this set. When false, satisfying this set is optional.

Selection logic

Section titled “Selection logic”

The logic for evaluating credential sets follows clear rules:

  1. The wallet must satisfy every credential set where required is true (or omitted)
  2. To satisfy a credential set, the wallet must provide credentials matching at least one option from the options array
  3. Each option is a list of credential query IDs that must all be satisfied together
  4. Optional credential sets (required: false) provide additional information the holder can choose to share

This creates a powerful but straightforward logical framework for combining credentials.

Simple OR logic

Section titled “Simple OR logic”

The most basic use of credential sets expresses alternatives. When the verifier accepts any one of several credential types, create a credential set with single-item options:

{
  "credentials": [
    {"id": "passport", "format": "mso_mdoc", "meta": {...}},
    {"id": "drivers_license", "format": "mso_mdoc", "meta": {...}},
    {"id": "national_id", "format": "mso_mdoc", "meta": {...}}
  ],
  "credential_sets": [
    {
      "options": [
        ["passport"],
        ["drivers_license"],
        ["national_id"]
      ],
      "required": true
    }
  ]
}

This credential set requires exactly one credential from the three options. The holder chooses which to provide based on what they have available.

AND logic

Section titled “AND logic”

When multiple credentials are required together, include them in the same option:

{
  "credentials": [
    {"id": "photo_id", "format": "mso_mdoc", "meta": {...}},
    {"id": "address_proof", "format": "dc+sd-jwt", "meta": {...}}
  ],
  "credential_sets": [
    {
      "options": [
        ["photo_id", "address_proof"]
      ],
      "required": true
    }
  ]
}

This requires both credentials together. The wallet must provide both photo_id AND address_proof to satisfy the requirement.

Combined AND/OR logic

Section titled “Combined AND/OR logic”

Complex scenarios combine AND and OR operators by using multiple options with multiple credentials per option:

{
  "credentials": [
    {"id": "photo_id", "format": "mso_mdoc", "meta": {...}},
    {"id": "utility_bill", "format": "dc+sd-jwt", "meta": {...}},
    {"id": "bank_statement", "format": "dc+sd-jwt", "meta": {...}}
  ],
  "credential_sets": [
    {
      "options": [
        ["photo_id"]
      ],
      "required": true
    },
    {
      "options": [
        ["utility_bill"],
        ["bank_statement"]
      ],
      "required": true
    }
  ]
}

This requires photo_id (mandatory) AND either utility_bill OR bank_statement (mandatory choice between alternatives). Two credential sets are used: one for the mandatory ID, another for the mandatory address proof with alternatives.

Optional credential sets

Section titled “Optional credential sets”

Setting required: false makes a credential set optional, allowing holders to provide additional information for enhanced service or privileges:

{
  "credentials": [
    {"id": "student_id", "format": "dc+sd-jwt", "meta": {...}},
    {"id": "residence_proof", "format": "dc+sd-jwt", "meta": {...}}
  ],
  "credential_sets": [
    {
      "options": [["student_id"]],
      "required": true
    },
    {
      "options": [["residence_proof"]],
      "required": false
    }
  ]
}

The student_id is mandatory for the base service. The residence_proof is optional but might qualify the holder for additional benefits like local resident discounts.

Multiple required sets

Section titled “Multiple required sets”

A DCQL query can include multiple required credential sets, each representing a distinct requirement:

{
    "credential_sets": [
        {
            "options": [["identity_doc"]],
            "required": true
        },
        {
            "options": [["address_doc"]],
            "required": true
        },
        {
            "options": [["income_doc"]],
            "required": true
        }
    ]
}

All three must be satisfied. Each credential set enforces one aspect of the overall requirement.

Preference and choice

Section titled “Preference and choice”

Within a credential set’s options, the order can express preference. While the specification doesn’t mandate this, wallets may present options in order, allowing holders to provide the most convenient credential:

{
    "options": [["mobile_id"], ["passport"], ["drivers_license"]]
}

If the wallet presents these in order, holders see mobile_id first (perhaps the most convenient), then passport, then driver’s license as alternatives.

Role in Vidos

Section titled “Role in Vidos”

In Vidos, credential sets enable the Authorizer to express complex authorization policies as DCQL queries. When a policy requires multiple credentials or offers alternatives, the Authorizer generates appropriate credential sets.

The Validator evaluates whether presentations satisfy credential set requirements, checking that all required sets are fulfilled and that each set has at least one satisfied option.

This enables Vidos to support sophisticated authorization scenarios while maintaining DCQL’s privacy-preserving characteristics.

Summary

Section titled “Summary”

Credential sets provide the logical framework for combining credentials in DCQL queries. Through the options array and required flag, they enable expressing AND/OR logic, mandatory and optional requirements, and complex credential combinations. This transforms simple credential lists into expressive queries that match real-world verification needs.

Section titled “Related documentation”