Age gate — only `age_over_18`
Wallet profile + presentation definition that requests only the derived `age_over_18` claim. Birth date never leaves the wallet.
- age-gate
- selective-disclosure
- gdpr
Tested against: broker: 1.0.0, arf: 1.4
Use case
A Dutch online retailer selling alcohol needs proof of majority. Asking for the full PID would be over-collection. The wallet's derived age_over_18 claim is exactly what's required — boolean, audit-friendly, GDPR-minimal.
Wallet profile (YAML)
```yaml
id: age-gate
name: "Age gate — over 18"
accepted_formats:
  - vc+sd-jwt
trust_registry_url: https://trust.thoryn.org
allowed_issuers:
  - "did:eidas:nl"
  - "did:eidas:de"
  # any qualified PID issuer
session_ttl_seconds: 300
require_holder_binding: true
nonce_required: true
```
Presentation definition
```json
{
  "id": "age-gate-pd",
  "input_descriptors": [
    {
      "id": "age",
      "constraints": {
        "limit_disclosure": "required",
        "fields": [
          { "path": ["$.vct"], "filter": { "const": "PIDCredential" } },
          { "path": ["$.age_over_18"] }
        ]
      }
    }
  ]
}
```
The crucial line is `limit_disclosure: required`. Without it, wallets may disclose the whole credential. With it, the wallet must restrict disclosure to the requested fields, and since only the derived `age_over_18` claim is requested, the birth date never leaves the wallet.
Sample webhook payload
```json
{
  "session_id": "...",
  "vct": "PIDCredential",
  "claims": {
    "age_over_18": true
  },
  "verified_at": "2026-04-25T..."
}
```
That's it. No name, no birth date, no document number. Your audit log can prove "we verified" without ever holding personal data.
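A receiver-side check for the payload above, as an added example that is not part of the original page or the broker's own code: it rejects any payload carrying claims beyond `age_over_18` and builds the audit record from non-personal fields only. The function names and the audit-record shape are assumptions, the sample payloads are constructed, and the webhook is assumed to have been authenticated before this check runs.

```python
# Added example: field names come from the sample payload on this page;
# function names and the audit-record shape are assumptions.
import json

EXPECTED_VCT = "PIDCredential"
ALLOWED_CLAIMS = {"age_over_18"}  # the only claim the presentation definition requests


class AgeGateError(ValueError):
    """Raised when a webhook payload does not match the age-gate profile."""


def check_age_gate_payload(payload: dict) -> dict:
    """Validate an age-gate webhook payload and return a PII-free audit record."""
    if payload.get("vct") != EXPECTED_VCT:
        raise AgeGateError("unexpected credential type")
    claims = payload.get("claims")
    if not isinstance(claims, dict):
        raise AgeGateError("claims object missing")
    extra = set(claims) - ALLOWED_CLAIMS
    if extra:
        # Over-disclosure: refuse to store it; report claim names only, never values.
        raise AgeGateError("unrequested claims disclosed: " + ", ".join(sorted(extra)))
    # Strict identity check: the string "true" or the integer 1 must not pass.
    if claims.get("age_over_18") is not True:
        raise AgeGateError("age_over_18 not asserted as boolean true")
    return {
        "session_id": payload.get("session_id"),
        "vct": payload["vct"],
        "age_over_18": True,
        "verified_at": payload.get("verified_at"),
    }


# Constructed sample payloads (not captured from a real broker).
_TAIL = ', "verified_at": "2026-04-25T10:00:00Z"}'
GOOD = json.loads('{"session_id": "s-1", "vct": "PIDCredential", '
                  '"claims": {"age_over_18": true}' + _TAIL)
OVER_DISCLOSED = json.loads('{"session_id": "s-2", "vct": "PIDCredential", "claims": '
                            '{"age_over_18": true, "birth_date": "1990-01-01"}' + _TAIL)
STRINGLY = json.loads('{"session_id": "s-3", "vct": "PIDCredential", '
                      '"claims": {"age_over_18": "true"}' + _TAIL)

if __name__ == "__main__":
    print(check_age_gate_payload(GOOD))
    for bad in (OVER_DISCLOSED, STRINGLY):
        try:
            check_age_gate_payload(bad)
        except AgeGateError as err:
            print("rejected:", err)
```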
When to use
- Age-restricted retailers (alcohol, nicotine, gambling)
- Any flow where regulatory compliance requires proof-of-verification but not the underlying PII
When not to use
- KYC — you need the full identity, use kyc-pid
- Custom age threshold (over-21) — present a different derived claim
See also
- Broker — Use cases — scenario 4 (age-gate)
- age-over-18 policy rule