Holder binding verification policy reference
This reference documents the holder binding verification policy for the verifier service.
Policy overview
The holder binding policy verifies that a presented credential is bound to the presenting holder when holder binding data is available.
For request types that require holder binding (for example HAIP or DCQL credential queries with require_cryptographic_holder_binding: true), the authorizer enforces this requirement by setting verifier policy params.
What this policy checks
- Verifies SD-JWT VC key binding (kb+jwt) claims such as audience and nonce
- Verifies mdoc holder binding against expected session transcript inputs
- Verifies verifiable presentation holder binding for W3C VP formats
- Applies configured behavior for invalid holder binding
- Applies configured behavior when holder binding is required but missing
Configuration
policies.holderBinding supports the following options:
- skip: boolean
- onInvalid: "valid" | "warning" | "error"
- onMissingWhenRequired: "valid" | "warning" | "error"
Default behavior:
- skip: false
- onInvalid: "error"
- onMissingWhenRequired: "error"
Request policy params
To require holder binding for a specific verification request, set options.policyParams.holderBinding.required: true.
For OpenID4VP DCQL flows, this is usually set by the authorizer when a DCQL credential query has require_cryptographic_holder_binding: true.
To pass holder binding proof inputs, use options.policyParams.holderBinding.proof with one of the supported proof parameter types (oid4vp, oid4vp-dc-api, iso18013-5, iso18013-7, ietf-oauth-sd-jwt-vc).
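The following TypeScript is an added illustration of how the configuration options above and the request policy params combine into a single outcome, together with the kb+jwt audience and nonce check named under "What this policy checks". It is not the verifier service's own code. The option names (skip, onInvalid, onMissingWhenRequired), the request param options.policyParams.holderBinding.required and the proof type identifiers come from this reference; the KbJwtPayload shape, the BindingCheck result type, the proof object contents and the function names are assumptions made for the example.

```typescript
// Added illustrative model of the holder binding policy decision.
// Not the verifier service's own code. Option names, the `required`
// request param and the proof type identifiers are taken from the
// reference; everything else (types, function names, proof contents)
// is an assumption for this example.

type Outcome = "valid" | "warning" | "error";

// policies.holderBinding in the verifier configuration
interface HolderBindingPolicyConfig {
  skip?: boolean;
  onInvalid?: Outcome;
  onMissingWhenRequired?: Outcome;
}

// Defaults as documented in the reference
const DEFAULTS: Required<HolderBindingPolicyConfig> = {
  skip: false,
  onInvalid: "error",
  onMissingWhenRequired: "error",
};

// Proof parameter types named in the reference
type HolderBindingProofType =
  | "oid4vp"
  | "oid4vp-dc-api"
  | "iso18013-5"
  | "iso18013-7"
  | "ietf-oauth-sd-jwt-vc";

// options.policyParams.holderBinding (the audience/nonce fields inside
// `proof` are assumed; the reference only names the type identifiers)
interface HolderBindingPolicyParams {
  required?: boolean;
  proof?: { type: HolderBindingProofType; audience?: string; nonce?: string };
}

// Result of a format-specific binding check (assumed shape)
interface BindingCheck {
  present: boolean; // holder binding data was supplied with the presentation
  valid: boolean; // the binding verified against the expected inputs
}

// Decoded kb+jwt payload for SD-JWT VC (assumed minimal shape; only the
// claims the reference mentions, audience and nonce, are checked here)
interface KbJwtPayload {
  aud?: string;
  nonce?: string;
  iat?: number;
}

// Check the kb+jwt audience and nonce against what the verifier expects.
// Signature verification with the SD-JWT's cnf key and the sd_hash check
// are deliberately out of scope for this illustration.
function checkKeyBindingClaims(
  kb: KbJwtPayload | undefined,
  expected: { audience: string; nonce: string },
): BindingCheck {
  if (kb === undefined) {
    return { present: false, valid: false };
  }
  const audienceOk = kb.aud === expected.audience;
  const nonceOk = typeof kb.nonce === "string" && kb.nonce === expected.nonce;
  return { present: true, valid: audienceOk && nonceOk };
}

// Map a binding check onto the configured outcome, applying the defaults
// for any option the configuration leaves unset.
function evaluateHolderBinding(
  config: HolderBindingPolicyConfig,
  params: HolderBindingPolicyParams,
  check: BindingCheck,
): Outcome {
  const skip = config.skip ?? DEFAULTS.skip;
  const onInvalid = config.onInvalid ?? DEFAULTS.onInvalid;
  const onMissingWhenRequired =
    config.onMissingWhenRequired ?? DEFAULTS.onMissingWhenRequired;

  if (skip) {
    return "valid"; // policy disabled: nothing is checked
  }
  if (!check.present) {
    // A missing binding only matters when the request required it
    return params.required ? onMissingWhenRequired : "valid";
  }
  return check.valid ? "valid" : onInvalid;
}

// Constructed walk-through: an oid4vp request that requires binding,
// a kb+jwt whose nonce does not match, default configuration.
const expected = { audience: "https://verifier.example", nonce: "n-123" };
const params: HolderBindingPolicyParams = {
  required: true,
  proof: { type: "oid4vp", ...expected },
};
const kb = checkKeyBindingClaims(
  { aud: "https://verifier.example", nonce: "n-999", iat: 1700000000 },
  expected,
);
console.log(evaluateHolderBinding({}, params, kb)); // default onInvalid -> "error"
```

The two-step split mirrors the reference: the format-specific check decides whether binding data is present and whether it verifies, and the policy only decides what to do with that result. Setting onInvalid or onMissingWhenRequired to "warning" changes the reported outcome without changing the check itself, and skip: true bypasses the check entirely, so a production deployment that accepts holder-bound credentials should leave skip at its default of false.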