Digital Credential Query Language (DCQL)
Digital Credential Query Language (DCQL) is a JSON-based query language that standardizes how verifiers request verifiable credentials from holders in the OpenID4VP (Verifiable Presentations) ecosystem. It provides a simpler, more direct approach to credential requests compared to earlier methods, focusing on privacy preservation and ease of implementation.
Understanding DCQL
Section titled “Understanding DCQL”In digital identity systems, verifiers need to request specific credentials from holders. Without standardization, each verifier would create custom request formats, leading to fragmented implementations. DCQL solves this by providing a standardized way to express credential requirements that any compliant wallet can understand and respond to.
DCQL enables verifiers to specify precisely what credentials they need, which claims within those credentials they require, and what combinations of credentials are acceptable. The wallet evaluates these requirements and returns only the information that matches, preserving user privacy through selective disclosure.
Key characteristics
Section titled “Key characteristics”DCQL is designed with several core principles:
Privacy-preserving: Only required data is shared. Verifiers can express preferences for less sensitive claims (like “age_over_21” instead of “birth_date”), and wallets honor these preferences to minimize data disclosure.
Simplified querying: Unlike complex filter-based approaches, DCQL uses straightforward JSON structures to express requirements. Credential queries, credential sets, and claim queries combine to create clear, readable requests.
Format-agnostic: DCQL works with multiple credential formats including mso_mdoc (mobile documents), dc+sd-jwt (SD-JWT VCs), and others, ensuring broad compatibility across the ecosystem.
Standardized: As part of the OpenID4VP specification, DCQL ensures interoperability between different wallets, verifiers, and credential issuers across jurisdictions and use cases.
Main components
Section titled “Main components”DCQL consists of four primary components that work together to create comprehensive credential requests:
Credential queries
Section titled “Credential queries”Credential Queries are the fundamental building blocks, specifying individual credential requirements. Each query defines the credential format, required metadata, optional claims, and trusted issuer constraints.
Credential Sets
Section titled “Credential Sets”Credential Sets enable logical combinations of credentials using AND/OR operators. They allow verifiers to express requirements like “Photo ID AND (Utility Bill OR Bank Statement)” in a structured format.
Claim Queries
Section titled “Claim Queries”Claim Queries enable selective disclosure by specifying which fields within a credential are required. They support preference ordering, allowing verifiers to request less sensitive data when available.
Trusted Authorities
Section titled “Trusted Authorities”Trusted Authorities allow verifiers to specify acceptable credential issuers upfront, enabling wallets to filter credentials before disclosure and improving privacy by preventing rejection of credentials from untrusted sources.
How DCQL Works
Section titled “How DCQL Works”The DCQL request and response flow:
- Verifier creates DCQL query: The verifier constructs a JSON object containing credential queries, optionally organized into credential sets with specific claim requirements
- Query sent to wallet: The DCQL query is transmitted to the holder’s wallet via OpenID4VP
- Wallet evaluates requirements: The wallet processes the query against available credentials, checking formats, issuers, and claim availability
- Holder selects credentials: The wallet presents matching options to the holder, who chooses which credentials to share
- Presentation returned: The wallet creates a verifiable presentation containing selected credentials and returns it to the verifier
- Verifier validates response: The verifier checks that the presentation satisfies the DCQL requirements and performs cryptographic verification
sequenceDiagram
participant Verifier
participant Wallet
participant Holder
Verifier->>Wallet: DCQL Query (via OpenID4VP)
Wallet->>Wallet: Evaluate credentials
Wallet->>Holder: Show matching options
Holder->>Wallet: Select credentials
Wallet->>Verifier: Verifiable Presentation
Verifier->>Verifier: Validate & verify
Benefits of DCQL
Section titled “Benefits of DCQL”DCQL provides several advantages over previous credential request methods:
- Clarity: JSON-based structure is human-readable and easy to debug
- Flexibility: Supports complex credential combinations and alternatives
- Privacy: Built-in support for selective disclosure and preference ordering
- Simplicity: More straightforward than filter-based query languages
- Interoperability: Standard format works across different wallet implementations
- Trust integration: Native support for specifying trusted issuer frameworks
DCQL vs Presentation Exchange
Section titled “DCQL vs Presentation Exchange”While both DCQL and Presentation Exchange solve the problem of requesting credentials, they take different approaches:
| Aspect | Presentation Exchange | DCQL |
|---|---|---|
| Origin | DIF (Decentralized Identity Foundation) | OpenID Foundation (OpenID4VP) |
| Complexity | More expressive with JSONPath filters | Simpler, more direct queries |
| Structure | Nested Input Descriptors in Presentation Definition | Flat credential queries with sets |
| Field Selection | JSONPath expressions | Path arrays |
| Combinations | Submission Requirements | Credential Sets |
| Adoption | Broader ecosystem support | Focused on OpenID4VP/EUDI Wallet |
Both specifications are valid approaches, and Vidos supports both to ensure maximum interoperability.
Role in Vidos
Section titled “Role in Vidos”DCQL is integrated into Vidos verification workflows:
Authorizer Service: Generates DCQL queries based on authorization policies. When a verification policy requires specific credentials, the Authorizer translates policy rules into DCQL format for transmission via OpenID4VP.
Validator Service: Processes responses to DCQL queries, validating that presentations satisfy the original requirements. It checks credential formats, verifies required claims are present, and ensures credential set logic is satisfied.
Verifier Service: Performs cryptographic verification of credentials included in DCQL responses, validating signatures, checking credential status, and verifying issuer authenticity.
This integration enables Vidos to support modern OpenID4VP-based verification workflows while maintaining privacy and security standards.
Standards Compatibility
Section titled “Standards Compatibility”DCQL integrates with several key standards:
- OpenID4VP: DCQL is the native query language for OpenID for Verifiable Presentations
- W3C Verifiable Credentials: Works with W3C VC data model credentials
- ISO mDL (mso_mdoc): Supports mobile document format credentials
- SD-JWT VC: Compatible with Selective Disclosure JWT format
- DIDs: Works with DID-based credential issuers and holders
Use in EUDI Wallet Ecosystem
Section titled “Use in EUDI Wallet Ecosystem”DCQL is a core component of the European Digital Identity (EUDI) Wallet ecosystem, enabling standardized credential requests across EU member states. It supports cross-border interoperability while preserving privacy through selective disclosure and data minimization principles aligned with GDPR requirements.
Summary
Section titled “Summary”Digital Credential Query Language provides a standardized, privacy-preserving way to request verifiable credentials in OpenID4VP systems. Its straightforward JSON structure, support for selective disclosure, and native trust framework integration make it well-suited for modern digital identity use cases.
In Vidos, DCQL enables simplified credential requests that respect user privacy while ensuring verifiers receive the information they need for authorization decisions.