⚠️ This API is under active development. Please contact us for help. ⚠️
The Authorization Endpoint initiates a Verifiable Presentation request using OpenID for Verifiable Presentations (OpenID4VP). The Verifier sends this request to the Holder’s Wallet to request specific credentials, described by a Digital Credentials Query Language (DCQL) query.

Endpoint

Query Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| response_type | string | | Must be vp_token. |
| response_mode | string | | Must be one of: fragment or direct_post.jwt. |
| client_id | string | | Identifier of the Verifier (your server). Must match the x509_san_dns in your TLS certificate. Example: verifier.com. If the value is prefixed with x509_san_dns:, domain ownership will be verified. Without the prefix, it is treated as a pre-registered client. |
| redirect_uri | string | | Verifier’s callback endpoint to receive the presentation response. Example: https://verifier.com/callback. |
| dcql_query | object | | A JSON object describing the requested credentials, URL-encoded as a string. |
| nonce | string | | Strong cryptographic random value to prevent replay attacks. Must be validated in the response. |
| state | string | | Verifier-generated value to maintain application state and prevent CSRF attacks. |

Example Request

GET /v1/oidc4vp/authorize?
  response_type=vp_token&
  response_mode=fragment&
  client_id=x509_san_dns:verifier.com&
  redirect_uri=https%3A%2F%2Fverifier.com%2Fcallback&
  dcql_query=%7B%22credentials%22%3A%5B%7B%22id%22%3A%22some_identity_credential%22%2C%22format%22%3A%22dc%2Bsd-jwt%22%2C%22meta%22%3A%7B%22type_values%22%3A%5B%5B%22KycCredential%22%5D%5D%2C%22vct_values%22%3A%5B%22https%3A%2F%2Fcredentials.example.com%2Fidentity_credential%22%5D%7D%2C%22claims%22%3A%5B%7B%22path%22%3A%5B%22last_name%22%5D%7D%2C%7B%22path%22%3A%5B%22first_name%22%5D%7D%5D%7D%5D%7D&
  nonce=1b9c3c4a-b1f5-4a27-ae6b-91d7b0c1a58f&
  state=af0ifjsldkj

Example dcql_query object

{
  "credentials": [
    {
      "id": "some_identity_credential",
      "format": "dc+sd-jwt",
      "meta": {
        "type_values": [["KycCredential"]],
        "vct_values": ["https://credentials.example.com/identity_credential"]
      },
      "claims": [
        {
          "path": ["last_name"]
        },
        {
          "path": ["first_name"]
        }
      ]
    }
  ]
}

When sent in the URL, the object must be serialized as JSON and then URL-encoded.

Response

Once the wallet processes the request:
  • If response_mode=fragment: The wallet will redirect the browser back to redirect_uri with the vp_token and other parameters in the fragment part of the URL.
  • If response_mode=direct_post.jwt: The wallet will send a direct POST request to the redirect_uri containing a signed JWT.
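
The following Verifier-side sketch is an added example, not code from this API's provider: it builds the request with a fresh nonce and state, then checks state on a fragment-mode callback. The host wallet.example, the function names, and the assumption that state is echoed back in the fragment (standard OAuth 2.0 behaviour) are not from this page; validating nonce inside the vp_token is not shown.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder host (assumption): the page gives only the path.
AUTHORIZE_URL = "https://wallet.example/v1/oidc4vp/authorize"

# Constructed sample, mirroring the page's dcql_query object.
SAMPLE_QUERY = {"credentials": [{
    "id": "some_identity_credential",
    "format": "dc+sd-jwt",
    "meta": {"vct_values": ["https://credentials.example.com/identity_credential"]},
    "claims": [{"path": ["last_name"]}, {"path": ["first_name"]}],
}]}


def build_authorization_request(client_id, redirect_uri, dcql_query):
    """Return (url, nonce, state); store nonce and state in the user's session."""
    nonce = secrets.token_urlsafe(32)  # CSPRNG output, one per request
    state = secrets.token_urlsafe(32)  # unguessable, so it doubles as a CSRF token
    params = {
        "response_type": "vp_token",
        "response_mode": "fragment",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        # Serialize to compact JSON first; urlencode() then percent-encodes it.
        "dcql_query": json.dumps(dcql_query, separators=(",", ":")),
        "nonce": nonce,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params), nonce, state


def read_fragment_response(callback_url, expected_state):
    """Return vp_token from a fragment-mode callback; raise if state differs."""
    fragment = parse_qs(urlsplit(callback_url).fragment)
    received = fragment.get("state", [""])[0]
    # Constant-time comparison. A missing or different state means the
    # response does not belong to a request this session started.
    if not hmac.compare_digest(received.encode(), expected_state.encode()):
        raise ValueError("state mismatch: rejecting presentation response")
    if "vp_token" not in fragment:
        raise ValueError("no vp_token in response")
    return fragment["vp_token"][0]
```

The returned nonce must still be compared with the value bound into the presentation itself before the credentials are accepted.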

Authorization Request (request_uri)

Use of Authorization Requests is RECOMMENDED to ensure confidentiality, integrity, and authenticity of the request data, and to avoid issues caused by large request sizes.

Example of Authorization Request Using request_uri:
GET /v1/oidc4vp/authorize?
  client_id=x509_san_dns:verifier.com&
  request_uri=https://verifier.com/authorization_request