CredIssuer and OpenID4VP

This post gives an overview of how CredIssuer integrates with OpenID for Verifiable Presentations (OpenID4VP) to enable secure, privacy-preserving, and interoperable digital credentialing. By leveraging OpenID4VP, CredIssuer ensures that organizations, institutions, and individuals can issue, store, and present verifiable credentials with cryptographic assurance and minimal data disclosure. The following sections explain key concepts such as verifiable credentials, verifiable presentations, selective disclosure, and the OpenID4VP protocol, along with real-world use cases and process flows that demonstrate how these technologies come together to deliver trusted, user-controlled verification experiences.


 

What is a Verifiable Credential? 

A Verifiable Credential (VC) is a digitally signed document that proves a fact about a person, organization, or object, such as identity, a degree, a birthdate, or a license, in a way that is cryptographically secure, privacy-preserving, and verifiable without needing to directly contact the issuer.

Key points:

  • Issued by a trusted authority (e.g., university, government, employer)
  • Held securely in a digital wallet by the user
  • Can be selectively shared with verifiers
  • Signed and tamper-evident to prevent forgery

Example:
A university issues a Verifiable Credential stating “Bachelor’s Degree in Computer Science awarded to John Doe in 2025,” which the user can store in their digital wallet and share with an employer who can verify it without contacting the university. 


 

What are Verifiable Presentations?

A Verifiable Presentation (VP) is a package of one or more Verifiable Credentials, organized and cryptographically signed by the holder, to present specific information to a verifier.

It works like a curated digital folder, allowing the holder to share only the necessary credentials, securely sealed with their digital signature. This ensures that the verifier can trust both the authenticity of the credentials and that they come directly from the rightful holder.


 

What is Selective Disclosure? 

Selective disclosure is the capability that allows a credential holder to present only specific, relevant attributes from a verifiable credential without exposing the entire data set. This mechanism enhances privacy by ensuring that only the minimum necessary information is shared with a verifier.

Key points:

  • The user chooses which credentials or attributes to present
  • Enables selective disclosure (only share necessary information)
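
One common way to implement selective disclosure is the salted-hash approach used by SD-JWT: the issuer signs only digests of the claims, and the holder reveals the matching disclosure for each claim it chooses to share. The code below is an added example, not CredIssuer code and not part of the original post; the page does not say which mechanism CredIssuer uses, and the function names and sample claims are constructed.

```javascript
// Added example: SD-JWT-style salted-hash disclosures (hypothetical helper names).
// The issuer's signature over `payload` is assumed to be verified separately.
const { createHash, randomBytes } = require("node:crypto");

const digest = (disclosure) =>
  createHash("sha256").update(disclosure, "ascii").digest("base64url");

// Issuer: each claim becomes a disclosure [salt, name, value]; only digests are signed.
function issue(claims) {
  const disclosures = {};
  for (const [name, value] of Object.entries(claims)) {
    const salt = randomBytes(16).toString("base64url"); // stops guessing of low-entropy values
    disclosures[name] = Buffer.from(JSON.stringify([salt, name, value])).toString("base64url");
  }
  // Sorting hides the original claim order from the verifier.
  const payload = { _sd_alg: "sha-256", _sd: Object.values(disclosures).map(digest).sort() };
  return { payload, disclosures }; // disclosures go to the holder's wallet only
}

// Holder: release only the disclosures for the claim names the user consented to.
function present(disclosures, consented) {
  return consented.filter((name) => name in disclosures).map((name) => disclosures[name]);
}

// Verifier: a disclosure counts only if its digest appears in the signed payload.
function verifyDisclosures(payload, presented) {
  const signedDigests = new Set(payload._sd);
  const revealed = {};
  for (const d of presented) {
    if (!signedDigests.has(digest(d))) throw new Error("disclosure not covered by issuer signature");
    const [, name, value] = JSON.parse(Buffer.from(d, "base64url").toString("utf8"));
    revealed[name] = value;
  }
  return revealed;
}

// Constructed sample: three claims issued, only the birthdate is shared.
function demo() {
  const { payload, disclosures } = issue({ given_name: "Asha", birthdate: "1960-05-01", address: "Lucknow" });
  return verifyDisclosures(payload, present(disclosures, ["birthdate"]));
}
```

The verifier learns that two other claims exist (their digests are in `_sd`) but cannot recover their names or values without the salted disclosures.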

 

OpenID4VP for Verifiable Presentation 

What is OpenID4VP?

OpenID4VP (OpenID for Verifiable Presentations) is an open standard that defines how verifiable credentials are securely shared between a user’s wallet and a verifier, using familiar web authentication methods.
It extends OpenID Connect — a widely adopted identity protocol — to handle cryptographically verifiable credential exchanges, rather than just traditional identity assertions.

In OpenID4VP, a verifier (such as a government portal, employer, or university) can request specific credentials, and a user’s wallet can respond by presenting a Verifiable Presentation (VP). The entire interaction is protected by strong cryptographic bindings, ensuring the proof is authentic, private, and intended for the correct recipient.


 

Why is OpenID4VP Important?

Without OpenID4VP, there would be no standardized way for digital wallets and service providers to interact around Verifiable Presentations.
OpenID4VP solves critical challenges:

  • Standardization: Creates a common protocol that wallets and verifiers can implement to ensure compatibility.
  • Security: Protects against risks such as replay attacks, credential misuse, or interception by unauthorized parties.
  • Privacy: Supports selective disclosure of information, allowing users to share only what is necessary.
  • Interoperability: Enables users to present credentials issued by different organizations across diverse wallets and services.
  • Ease of Adoption: Builds on existing OpenID Connect and OAuth2 flows, making it easier for developers to integrate with modern authentication systems.

 

Important Terms in OpenID4VP

  • Presentation Request: A structured request from the verifier specifying which credentials or claims are needed.
  • Verifiable Presentation (VP): A cryptographically signed package of one or more Verifiable Credentials, prepared by the user’s wallet in response to the request.
  • Nonce: A unique, random value used to prevent replay attacks and ensure the freshness of each presentation.
  • Audience (aud) Claim: A claim inside the Verifiable Presentation that binds it to the specific verifier, ensuring it cannot be reused by another party.
  • State Parameter: Used to maintain continuity between the request and the response in asynchronous flows (e.g., mobile app redirection).
  • Authorization Code Flow: An optional secure method where the verifier obtains an authorization code first, then exchanges it for an access token to retrieve claims or services.
  • Access Token: A token issued after successful authentication that allows verifiers to securely call APIs if more information is needed after the initial VP is submitted.
  • Presentation Submission: The specific format and structure used by the wallet to send the Verifiable Presentation back to the verifier, often following standards like Presentation Exchange (PEX).

 

OpenID4VP Verifiable Flow

1: Verifier Prepares a Presentation Request

  • The verifier (e.g., a government portal or employer website) creates a Verifiable Presentation Request.
  • This request includes:
    • Which credentials or claims it wants (example: proof of age over 60).
    • How the credential should be presented (specific format like JWT or JSON-LD).
    • Optional metadata (such as client ID, nonce, redirect URIs for the callback).
  • The request is typically encoded into a URL or QR code.

2: The Holder Scans or Clicks the Request

  • The user (holder) opens the request via:
    • Clicking a link (desktop or mobile).
    • Scanning a QR code (in-person or on-screen).
  • The user’s wallet application (like Inji, CredIssuer Wallet) parses the incoming request.

3: Wallet Matches and Prepares a Presentation

  • The wallet checks if the user holds credentials that satisfy the request.
  • If matching credentials are found:
    • It prompts the user to review what information is being requested.
    • The user consents to sharing selected data (full credential or selective disclosure if supported).

4: Wallet Creates the Verifiable Presentation

  • After consent, the wallet:
    • Packages the credential(s) into a Verifiable Presentation (VP).
    • Signs the VP cryptographically (proving it is authentic and issued to the user).
    • Binds the presentation to the verifier (through “audience” claim and “nonce” to prevent replay).

5: Wallet Sends the Presentation to the Verifier

  • Depending on the flow:
    • Frontchannel (browser redirect with a JWT in the URL).
    • Backchannel (POST directly to the verifier endpoint).
  • The VP is transmitted securely, along with any other protocol parameters.

6: Verifier Validates the Presentation

  • The verifier parses and verifies:
    • Cryptographic signature of the VP.
    • Issuer trustworthiness (is the credential issued by a trusted entity?).
    • Audience claim (was the VP intended for this verifier?).
    • Nonce (to ensure freshness).
  • If everything is valid, the verifier accepts the proof and grants access/services.
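
The checks in step 6, written out as an added example (not CredIssuer's code and not part of the original post). It assumes a JWT-encoded VP that carries one VC JWT in `vp.verifiableCredential`, a holder key published in the VC's `cnf.jwk` claim, ES256 signatures, and hypothetical function names.

```javascript
// Added example, not CredIssuer code. Assumed layout: the VP JWT carries one VC JWT in
// vp.verifiableCredential, and the VC names the holder's public key in cnf.jwk.
const crypto = require("node:crypto");

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const es256 = (key) => ({ key, dsaEncoding: "ieee-p1363" }); // raw r||s signature, as JWS uses

function signJwt(claims, privateKey) {
  const input = `${enc({ alg: "ES256", typ: "JWT" })}.${enc(claims)}`;
  const sig = crypto.sign("sha256", Buffer.from(input), es256(privateKey));
  return `${input}.${sig.toString("base64url")}`;
}

// Returns the claims if the ES256 signature verifies under publicKey, otherwise null.
function verifyJwt(jwt, publicKey) {
  const [h, p, s] = jwt.split(".");
  if (dec(h).alg !== "ES256") return null; // pin the algorithm, do not follow the header
  const sig = Buffer.from(s, "base64url");
  return crypto.verify("sha256", Buffer.from(`${h}.${p}`), es256(publicKey), sig) ? dec(p) : null;
}

const pendingNonces = new Set(); // issued in step 1, each consumed once in step 6

function newRequest(clientId) {
  const nonce = crypto.randomBytes(16).toString("base64url");
  pendingNonces.add(nonce);
  return { client_id: clientId, nonce };
}

// Step 6: returns "accepted" or the first check that failed.
function validatePresentation(vpJwt, clientId, trustedIssuerKeys) {
  try {
    const vcJwt = dec(vpJwt.split(".")[1]).vp.verifiableCredential[0];
    // The unverified iss only selects which trusted key to try.
    const issuerKey = trustedIssuerKeys.get(dec(vcJwt.split(".")[1]).iss);
    if (!issuerKey) return "untrusted issuer";
    const vc = verifyJwt(vcJwt, issuerKey);
    if (!vc) return "bad credential signature";
    const holderKey = crypto.createPublicKey({ key: vc.cnf.jwk, format: "jwk" });
    const vp = verifyJwt(vpJwt, holderKey);
    if (!vp) return "bad holder signature";
    if (vp.aud !== clientId) return "wrong audience";
    if (!pendingNonces.delete(vp.nonce)) return "unknown or replayed nonce";
    return "accepted";
  } catch {
    return "malformed presentation";
  }
}
```

Call `newRequest` when building the presentation request, and pass `validatePresentation` a `Map` from issuer identifier to that issuer's public key; a second submission of the same VP is rejected because its nonce has already been consumed.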

       

      Visual Flow of OpenID4VP

      How Verifiable Presentations Work 


       

      CredIssuer and OpenID4VP: Seamless, Secure, Standards-Based Document Verification

      At CredIssuer, we believe that trust must be verifiable, private, and user-controlled.

      That’s why we have natively integrated support for the OpenID for Verifiable Presentations (OpenID4VP) standard into our credential issuance and verification platform.

      By adopting OpenID4VP, CredIssuer enables organizations to request, receive, and validate Verifiable Credentials with the same reliability and ease as traditional web authentication — but with far greater security and user sovereignty.


       

      How It Works with CredIssuer:

      1. Credential Issuance:
        Institutions and organizations issue digitally signed Verifiable Credentials through CredIssuer.
      2. Secure Storage:
        Users store their credentials in a compliant digital wallet, ready to use anytime.
      3. Verification Request:
        Verifiers initiate a credential verification by sending a Presentation Request (via QR code, link, or direct app integration).
      4. Consent and Sharing:
        Users review the request in their wallet and approve a Verifiable Presentation — only the needed claims are shared.
      5. Instant Cryptographic Verification:
        The verifier checks the Verifiable Presentation’s authenticity, issuer trust, and binding to the verification request, ensuring trust without manual document checks.

       

      The Future Possibilities with OpenID4VP and CredIssuer  

      Seema’s Journey — How Verifiable Credentials Simplified Senior Citizen Travel

      Service – Indian Railways Senior Citizen Age Concessions

      Seema, a 62-year-old retired teacher from Lucknow, was planning to visit her grandchildren in Mumbai. While booking her train tickets online, she noticed an option to claim the Senior Citizen Concession — a benefit she was eligible for. In the past, Seema would have had to upload scanned copies of her Aadhaar card or carry printed documents to prove her age at the railway station. It was a tedious, repetitive process — one that sometimes led to delays, rejections, or last-minute confusion. This time, however, things were different.

      When Seema selected the Senior Citizen Concession option on the IRCTC portal, a prompt appeared:
      “Prove your age using your Digital Wallet.” Seema opened her CredIssuer Wallet app on her phone, scanned the QR code displayed on the website, and was immediately presented with a request:
      “Share proof of your date of birth to verify you are over 60.” Her birth certificate, securely stored as a Verifiable Credential, matched the request. The wallet displayed a simple consent screen:
      “Only your Date of Birth will be shared with Indian Railways. No other information will be shared.”

      With a tap, Seema approved the request. Her wallet created a Verifiable Presentation, cryptographically signing her proof of age and binding it specifically to the Indian Railways system, ensuring it couldn’t be reused or intercepted elsewhere. In seconds, the portal verified her eligibility and automatically applied the Senior Citizen fare discount — no uploads, no paperwork, no waiting. For Seema, the process felt simple, secure, and respectful of her privacy. For Indian Railways, it meant faster processing, fewer document verification errors, and improved trust.

       

      The Process at a Glance 

      1. The traveler visits the Indian Railways ticket booking portal or app.
      2. During the booking process, the portal prompts: “Prove you are eligible for Senior Citizen Concession (Age 60+).”
      3. The portal generates an OpenID4VP Presentation Request, either as a QR code (for mobile users) or a link (for desktop users).
      4. The traveler opens their CredIssuer wallet (or any other digital wallet like Inji).
      5. The wallet parses the request and identifies a matching Verifiable Credential (e.g., a Birth Certificate or Verified Date of Birth Credential).
      6. The traveler reviews the request and consents to share only their date of birth — no other personal details are exposed.
      7. The wallet creates a Verifiable Presentation proving that the traveler’s date of birth qualifies them as 60+.
      8. The presentation is signed and securely sent to the Indian Railways portal.
      9. The portal verifies the presentation cryptographically, confirms the traveler’s eligibility, and applies the Senior Citizen discount automatically.

       

      Real-time Images of CredIssuer utilizing OpenID4VP

      Images of the platform raising a request for verification.

      A) A user interface screen showing selectable categories — Degree Verification, Email Check, and Age Verification — for submitting a verification request.

       

      B) A user interface screen displaying the specific verification check for ‘Birth Certificate.’

       

      C) A user screen displaying a generated QR code for verification, intended for authorized personnel to share with end-users.

       

      D) A user screen displaying a successful verification message after credentials have been shared and verified.

       

      Images for End User Age Verification Process 

      A) A user screen displaying the login interface of the CredIssuer Wallet.

       

       B) A user screen displaying the built-in QR code reader option within the CredIssuer app.

       

      C) A user screen showing that a verification request has been received, prompting the user to select the credential they wish to share.

       

      D) A user screen where the user provides consent to share their selected credentials.

       

      E) The platform successfully shares user data. 


      References – 

      https://openid.net/specs/openid-4-verifiable-presentations-1_0.html

       
