
OpenID4VCI

Overview

The OpenID4VCI specification is an open standard developed by the OpenID Foundation, defining how digital wallets can receive verifiable credentials from credential issuers in a secure and interoperable way. It leverages the widely adopted OAuth 2.0 and OpenID Connect to establish a trust framework for credential issuance, ensuring both privacy and user control.

MATTR VII supports issuing credentials using the OpenID4VCI specification. Supported credential formats include CWT, Semantic CWT, JSON, and mDocs.

If you are unfamiliar with OpenID Connect, the identity protocol underpinning the OpenID provisioning capability, there are many excellent guides available online such as this guide from Google, or this guide from Mozilla.

Workflows

OpenID4VCI defines two distinct workflows, each tailored to different use cases and requirements:

  • Authorization Code flow: This interactive, user-driven flow requires the credential recipient (typically a wallet) to redirect the user to the issuer (such as a government or organization) for authentication. After the user successfully authenticates and gives consent, the issuer’s authentication provider returns an authorization code. The wallet then exchanges this code for an access token, which is used to obtain the credential.
  • Pre-authorized Code flow: In this flow, the issuer prepares the credential issuance in advance and may authenticate and authorize the holder ahead of time. Instead of obtaining an authorization code through user authentication, the wallet receives a pre-authorized code directly from the issuer, often via an out-of-band method. The user does not need to authenticate again: the wallet presents the pre-authorized code to retrieve an access token and then claims the credential. For added security, the issuer can require a transaction code (shared separately with the holder), which the wallet must also provide to claim the credential.

MATTR VII supports both workflows, allowing you to choose the one that best fits your use case.
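
The token request of the Pre-authorized Code flow, checked from the issuer side, as an added example that is not MATTR VII code. The grant type and form parameter names come from the OpenID4VCI specification; the in-memory `store`, the `Offer` record, the attempt limit and the single-use policy are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Grant type and form parameter names as defined by the OpenID4VCI specification.
PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"
MAX_TX_ATTEMPTS = 3  # assumed issuer policy

@dataclass
class Offer:  # hypothetical issuer-side record of one prepared issuance
    tx_code: Optional[str]  # None when no transaction code is required
    expires_at: float
    attempts: int = 0
    redeemed: bool = False

class TokenError(Exception):
    """Raised with the OAuth 2.0 error code to return to the wallet."""

def redeem(store: dict, form: dict, now: float) -> str:
    """Validate a wallet's token request; return an access token or raise."""
    if form.get("grant_type") != PRE_AUTH_GRANT:
        raise TokenError("unsupported_grant_type")
    offer = store.get(form.get("pre-authorized_code", ""))
    if offer is None or offer.redeemed or now >= offer.expires_at:
        raise TokenError("invalid_grant")  # unknown, replayed or expired code
    if offer.tx_code is not None:
        supplied = form.get("tx_code")
        if supplied is None:
            raise TokenError("invalid_request")  # required code not sent
        # Constant-time comparison so response timing does not leak digits.
        if not hmac.compare_digest(supplied.encode(), offer.tx_code.encode()):
            offer.attempts += 1
            if offer.attempts >= MAX_TX_ATTEMPTS:
                offer.redeemed = True  # burn the offer to stop guessing
            raise TokenError("invalid_grant")
    offer.redeemed = True  # single use: a second redemption must fail
    return secrets.token_urlsafe(32)

def outcome(store: dict, form: dict, now: float) -> str:
    """Return "ok" or the error code, for logging and testing."""
    try:
        redeem(store, form, now)
        return "ok"
    except TokenError as err:
        return str(err)
```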
