Responses and vp_token

An OpenID4VP authorization response returns the requested verifiable presentations. The key parameter is vp_token.

The response uses vp_token to return one or more verifiable presentations.

Response delivery in direct_post

For direct_post response modes, the wallet sends an HTTPS POST to the verifier’s response_uri.

The POST body can contain:

• A successful response with vp_token
• An error response with error and error_description

vp_token for DCQL

When the request uses DCQL, vp_token is a JSON object mapping credential query identifiers to one or more verifiable presentations that satisfy each query.

Example (shape only):

{
    "state": "af0ifjsldkj",
    "vp_token": {
        "photo_id": ["<presentation-1>", "<presentation-2>"]
    }
}

Note

In Vidos’ response parsing, vp_token can be a JSON object or a JSON string containing that object. This is handled to interoperate with different wallet encodings.

Encrypted responses (direct_post.jwt)

In direct_post.jwt, the wallet returns an encrypted JWT response.

In Vidos’ Authorizer implementation, the encrypted response is received as:

{ "response": "<jwe>" }

The Authorizer decrypts the JWE using the request’s nonce, validates the decrypted payload against the expected response schema, and then processes vp_token.

Role in Vidos

Vidos validates OpenID4VP direct-post responses:

• Successful responses use the DCQL vp_token mapping shape.
• Error responses use error and optional error_description.

Vidos also enforces correlation checks:

• The callback URL must match the expected request URL.
• If state is present, it must match the authorization record.

Related documentation

• Authorization requests
• Security and validation