OpenID for Verifiable Presentations (OpenID4VP)

OpenID for Verifiable Presentations (OpenID4VP) is an OAuth 2.0 and OpenID Connect (OIDC) profile for requesting and receiving verifiable presentations from a holder’s wallet.

OpenID4VP standardizes:

• How a verifier asks a wallet for specific credentials
• How the wallet returns the requested presentations
• How verifiers validate responses across different credential formats

OpenID4VP is used in ecosystems such as EUDI Wallet, and it supports multiple credential formats (for example, W3C Verifiable Credentials, SD-JWT VC, and ISO mdoc).

Core concepts

OpenID4VP uses familiar OIDC building blocks but introduces verifiable presentation–specific parameters.

Verifier: The relying party requesting a presentation.

Wallet: The holder-controlled application that selects credentials and creates presentations.

Authorization request: The message the verifier sends to the wallet. It includes a credential request expressed using DCQL.

VP token: The authorization response parameter (vp_token) that carries one or more verifiable presentations.

How OpenID4VP fits with other standards

OpenID4VP does not define the internal structure of every credential format. It defines the “rails” for a wallet and verifier to exchange presentations.

• For expressing what credentials are requested, OpenID4VP uses Digital Credential Query Language (DCQL).
• For browser-mediated credential exchange, OpenID4VP can also be used with the Digital Credentials API.

High-level flow

At a high level, OpenID4VP follows a request/response pattern:

1. The verifier constructs an OpenID4VP authorization request.
2. The wallet matches the request against available credentials.
3. The holder approves sharing.
4. The wallet returns vp_token (and sometimes additional parameters).
5. The verifier validates the result.

sequenceDiagram
    participant Verifier
    participant Wallet
    participant Holder

    Verifier->>Wallet: Authorization request (OpenID4VP)
    Wallet->>Holder: Ask for consent
    Holder->>Wallet: Approve
    Wallet->>Verifier: Authorization response (vp_token)
    Verifier->>Verifier: Validate presentations

Role in Vidos

Vidos includes OpenID4VP building blocks across services and shared packages:

• Authorizer service: Creates OpenID4VP authorization requests and handles wallet responses using direct_post, direct_post.jwt, dc_api, and dc_api.jwt response modes.
• Validator service: Validates incoming OpenID4VP results against the original DCQL credential query and performs protocol-level checks.
• @vidos/types: Provides Zod schemas and constants for OpenID4VP request/response handling (for example, authorization request objects, response modes, and vp_token response parsing).

Note

The OpenID4VP specification supports additional response modes (such as fragment) for redirect-based flows. Vidos’ implementation focuses on direct_post and Digital Credentials API response modes because they fit verifiable presentation verification flows. For background on the underlying browser API, see Digital Credentials API.

Further resources

• OpenID for Verifiable Presentations 1.0
• Digital Credential Query Language (DCQL)