Thoryn

eIDAS 2.0

How it works

The EUDI Wallet flow: presentation, attestation, trust-chain resolution — ARF 1.4+ conformance in practice.

EUDI Wallet presentation flow

The eIDAS Verifier runs the ARF-conformant OpenID4VP flow. The relying party creates a session with a presentation definition; the EUDI Wallet presents the requested credentials; the verifier validates the trust chain, selective disclosures, holder binding, and wallet attestation before returning verified claims.

Figure: EUDI Wallet ARF-conformant OpenID4VP presentation flow. Relying party requests, wallet presents, verifier checks trust chain + attestation + disclosures, claims flow back.

mdoc + SD-JWT VC

EUDIW credentials ship in two formats. SD-JWT VC (IETF draft) covers selective-disclosure use cases with JWT-native tooling. mdoc (ISO 18013-5) is the binary format used for mobile driving licences and is compatible with legacy non-digital readers. The verifier handles both transparently.

Attestation verification

Under the ARF, the wallet provider must attest that the wallet binary was provisioned by a trusted provider and that the holder key is in hardware. The verifier checks the attestation chain before trusting the presentation. Revoked wallet providers lose trust for all their attested wallets; the revocation propagates via Trust Registry.

Figure: EUDIW wallet attestation chain (provider attests binary + hardware-backed holder key). Wallet attestation walks the ARF chain: device → wallet binary → wallet provider → trusted provider list. Any link revoked → presentation rejected.

Trust-chain resolution

Qualified credentials chain through member-state Trust Service Providers to the EU trust list roots. The verifier resolves issuer JWKS via Trust Registry, which ingests the lists under ETSI TS 119 612. Revocations at the member-state level propagate to the verifier within the ingestion cycle.

Selective disclosure

The verifier honours limit_disclosure: required. For age verification, the wallet produces the derived age_over_18 claim — the birth date never transits the verifier. For cross-border identity, only the requested claims (name, document number, issuance country) are disclosed, not the full PID document.
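The disclosure check behind the age_over_18 case, as an added example (not Thoryn's code), assuming the SD-JWT encoding from the IETF draft: each disclosure is a base64url JSON array of salt, claim name and value, and its SHA-256 digest must appear in the signed _sd array. The function names and sample values are hypothetical, the issuer signature is assumed to be verified already, and rejecting unrequested claims is an assumed verifier policy.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_disclosure(salt: str, name: str, value) -> str:
    # Issuer-side helper, used here only to build the constructed sample data.
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def digest(disclosure: str) -> str:
    # SD-JWT hashes the base64url disclosure string itself, not the decoded JSON.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def verify_disclosures(payload: dict, disclosures: list, requested: set) -> dict:
    """Return the disclosed claims, or raise ValueError.

    Assumes the issuer signature over `payload` has already been verified.
    """
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    signed = set(payload.get("_sd", []))
    claims, seen = {}, set()
    for disclosure in disclosures:
        h = digest(disclosure)
        if h not in signed:
            raise ValueError("disclosure is not bound to the signed credential")
        if h in seen:
            raise ValueError("duplicate disclosure")
        seen.add(h)
        parts = json.loads(b64url_decode(disclosure))
        if not isinstance(parts, list) or len(parts) != 3:
            raise ValueError("malformed disclosure")
        _salt, name, value = parts
        if name not in requested:  # assumed data-minimisation policy
            raise ValueError(f"unrequested claim disclosed: {name}")
        claims[name] = value
    return claims

# Constructed sample data: salts, issuer and values are made up.
D_AGE = make_disclosure("salt-age-0001", "age_over_18", True)
D_DOB = make_disclosure("salt-dob-0002", "birth_date", "1990-01-01")
PAYLOAD = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
           "_sd": [digest(D_AGE), digest(D_DOB)]}

if __name__ == "__main__":
    print(verify_disclosures(PAYLOAD, [D_AGE], {"age_over_18"}))
```

A presentation that also carries the birth_date disclosure fails the requested-claims check, and a disclosure re-salted or altered after issuance fails the digest check because its hash is no longer in the signed _sd array.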

Conformance testing

The verifier is tested in CI against the NL reference wallet, the EU reference wallet, and the ARF conformance suites. Failures block releases. Relying parties inherit conformance without having to certify independently — it's the operator's obligation, not yours.
