OpenID for Verifiable Presentations (OpenID4VP) and OpenID for Verifiable Credentials (OpenID4VC) define how wallets, verifiers, and issuers can securely exchange verifiable credentials using familiar OpenID Connect flows. This guide follows the High Assurance Interoperability Profile (ID-1), which ensures interoperability, security, and privacy across implementations.

Key Concepts

  • Issuer – Issues Verifiable Credentials (VCs) to a holder.
  • Holder / Wallet – Stores credentials and presents them to verifiers.
  • Verifier / Relying Party – Requests and verifies credentials.
  • Verifiable Presentation (VP) – A holder-signed proof containing one or more credentials.
  • High Assurance Profile – A defined subset of the OpenID4VC specifications to enable predictable and secure interoperability.

High-level Flow

  1. The verifiers request the Terminal 3 Authorize API with a Digital Credential Query Language (dcql_query) that describes the requirements of the Credentials that the Verifier is requesting to be presented.
  2. Terminal 3 then authenticates users and asks for consent to present the requested Credentials.
    • If the user is not logged in, they are redirected to the login/signup page.
    • Otherwise, Terminal 3 determines what credentials are available to match the Verifier’s request, and asks for user consent to present the requested Credentials.
  3. Terminal 3 redirects users back to the Verifier’s side (response_mode=fragment) with a vp_token or or sends the the Verifier a vp_token via a POST request (response_mode=direct_post.jwt).
  4. The verifiers must verify the vp_token to ensure it is valid before proceeding.

Refererences