OID4VCI
A plain-language guide to OID4VCI (OpenID for Verifiable Credential Issuance) - what it is, how it works, how to connect a system of record to a credential issuance flow, and how MATTR VII and the MATTR Portal support it.
What is OID4VCI?
OID4VCI stands for OpenID for Verifiable Credential Issuance. It is an open standard published by the OpenID Foundation that defines how a credential issuer (such as a government department, financial institution, or employer) can deliver verifiable credentials to a digital wallet in a secure and interoperable way.
OID4VCI builds on OAuth 2.0 and OpenID Connect, two protocols already widely used across the web for authentication and authorization. Reusing those foundations means issuers, wallets, and identity providers can adopt OID4VCI without reinventing core security plumbing.
The full specification is available at the OpenID Foundation.
Why OID4VCI matters
Before OID4VCI, an issuer wanting to deliver a digital credential to a wallet often had to build a bespoke integration with each wallet. That model does not scale. Holders end up with a fragmented experience, issuers carry the cost of multiple integrations, and the ecosystem grows slowly because every new participant has to coordinate with every other.
OID4VCI changes the model. Any wallet that implements the standard can receive credentials from any issuer that implements it, regardless of vendor. That unlocks:
- Interoperability: A single issuance integration that works across many wallets.
- Choice for holders: Holders pick the wallet that suits them, and any compliant wallet can hold the credential.
- Lower integration cost: Issuers do not need to maintain a separate code path per wallet provider.
- Standards alignment: OID4VCI aligns with regulatory and ecosystem direction, such as the European Digital Identity Wallet (EUDI) framework.
How OID4VCI works at a high level
At a glance, OID4VCI follows three steps:
- Offer: The issuer prepares an offer, which tells the wallet what credentials are available and how to claim them.
- Authorize: The wallet (and where relevant, the holder) authorizes the credential request. The exact mechanism depends on which OID4VCI flow is used.
- Issue: The wallet receives an access token, requests the credential, and the issuer responds with a signed verifiable credential.
The specification accommodates different real-world scenarios through two distinct flows.
OID4VCI flows
OID4VCI defines two distinct workflows, each tailored to different use cases and requirements:
- Authorization Code flow: This interactive, user-driven flow requires the credential recipient (typically a wallet) to redirect the user to the issuer (such as a government or organization) for authentication. After the user successfully authenticates and gives consent, the issuer's authentication provider returns an authorization code. The wallet then exchanges this code for an access token, which is used to obtain the credential. The following credential formats can be issued via the Authorization Code flow: CWT, Semantic CWT, and mDoc.
- Pre-authorized Code flow: In this flow, the issuer prepares the credential issuance in advance and may authenticate and authorize the holder ahead of time. Instead of obtaining an authorization code through user authentication, the wallet receives a pre-authorized code directly from the issuer, often via an out-of-band method. The user does not need to authenticate again, and the wallet presents the pre-authorized code to retrieve an access token and then claim the credential. For added security, the issuer can require a transaction code (shared separately with the holder) which the wallet must also provide to claim the credential. The Pre-authorized Code flow is only supported for mDocs.
MATTR VII supports both workflows, allowing you to choose the one that best fits your use case.
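The wallet-side handling of an offer in the two flows above, as an added example (not MATTR's code or API): it parses a credential offer, rejects issuers outside an allowlist, and builds the token request for the Pre-authorized Code flow, including the transaction code when the issuer requires one. Field names follow the OpenID4VCI 1.0 specification; the issuer URL, configuration id, codes and the TRUSTED_ISSUERS allowlist are constructed assumptions.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

PRE_AUTH = "urn:ietf:params:oauth:grant-type:pre-authorized_code"
TRUSTED_ISSUERS = {"https://issuer.example"}  # assumption: wallet-side allowlist

# Constructed sample offer, as it would arrive in a QR code or deep link.
SAMPLE_OFFER = {
    "credential_issuer": "https://issuer.example",
    "credential_configuration_ids": ["example-mdoc-config"],
    "grants": {PRE_AUTH: {"pre-authorized_code": "constructed-code-123",
                          "tx_code": {"input_mode": "numeric", "length": 6}}},
}

def make_offer_uri(offer):
    """Encode an offer by value, the way an issuer would put it in a QR code."""
    return "openid-credential-offer://?" + urlencode({"credential_offer": json.dumps(offer)})

def parse_offer(offer_uri):
    """Decode a by-value offer; the URI is untrusted input, so validate it."""
    query = parse_qs(urlsplit(offer_uri).query)
    if "credential_offer" not in query:
        raise ValueError("only by-value offers are handled in this example")
    offer = json.loads(query["credential_offer"][0])
    issuer = offer.get("credential_issuer", "")
    if urlsplit(issuer).scheme != "https" or issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted credential issuer: {issuer!r}")
    if not offer.get("credential_configuration_ids"):
        raise ValueError("offer names no credential configurations")
    return offer

def plan_token_request(offer, tx_code=None):
    """Form fields for the token request, or None when the offer carries no
    pre-authorized code and the holder must authenticate interactively."""
    grant = offer.get("grants", {}).get(PRE_AUTH)
    if grant is None:
        return None
    form = {"grant_type": PRE_AUTH, "pre-authorized_code": grant["pre-authorized_code"]}
    if "tx_code" in grant:  # issuer shared a transaction code out of band
        if not tx_code:
            raise ValueError("issuer requires a transaction code")
        form["tx_code"] = tx_code
    return form

if __name__ == "__main__":
    offer = parse_offer(make_offer_uri(SAMPLE_OFFER))
    print(plan_token_request(offer, tx_code="493536"))
```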
Connecting a system of record to an issuance flow
Most organizations already hold the data they want to issue as a credential in an existing system: a customer database, an HR system, a license registry, a learning record store. OID4VCI does not replace that system. Instead, MATTR VII connects to it at the moment of issuance and uses the existing data to populate the credential.
In MATTR VII, this connection is modeled as a claims source. A claims source defines:
- Where the source data lives (an HTTP endpoint, for example).
- How MATTR VII authenticates to that endpoint.
- How the response is mapped onto the claims of the credential being issued.
A typical end-to-end issuance setup looks like this:
- Define the credential: Create a credential configuration that describes the credential format, the claims it carries, and how it is signed.
- Connect the system of record: Configure a claims source so MATTR VII knows where to fetch the holder's data at issuance time.
- Choose an issuance flow: Decide between the Authorization Code flow and the Pre-authorized Code flow, based on whether the holder needs to authenticate interactively.
- Deliver the offer: Generate a credential offer and deliver it to the holder, for example via a QR code, deep link, or in-app prompt.
- Issue the credential: When the holder accepts the offer in their wallet, MATTR VII retrieves the relevant data from the claims source, assembles and signs the credential, and delivers it through OID4VCI.
Once issued, the credential lives in the holder's wallet and can be presented to verifiers without going back to the issuer.
How to get started with OID4VCI on MATTR
You can build and operate an OID4VCI issuance flow with MATTR through two complementary surfaces:
- MATTR Portal: A web interface for managing your MATTR VII tenants. The Portal lets you create credential configurations, manage claims sources, configure issuance flows, and monitor activity without writing code. It is the fastest way to stand up an end-to-end issuance flow for prototyping or production use. Learn more in the MATTR Portal documentation.
- MATTR VII API: A REST API for full programmatic control over every aspect of issuance, including credential configurations, claims sources, offers, and webhook events. Use the API when you need to embed issuance into your own systems or automate large-scale operations.
For a guided walkthrough, see the Credential Issuance overview.
If you are still deciding which approach fits your use case, or would like a deeper conversation about your issuance design, contact us.
Frequently asked questions
What is OID4VCI?
OID4VCI (OpenID for Verifiable Credential Issuance) is an open standard from the OpenID Foundation that defines how a digital credential issuer can deliver verifiable credentials to a digital wallet in a secure and interoperable way. It builds on OAuth 2.0 and OpenID Connect, two protocols already widely used for authentication and authorization on the web.
Why does OID4VCI matter for credential issuance?
OID4VCI gives issuers a standards-based, interoperable way to deliver verifiable credentials to any compliant wallet, instead of building a bespoke integration per wallet. That means issuers can reach a broader holder base, wallets can support credentials from many issuers, and ecosystems can grow without each participant having to coordinate one-to-one.
What are the two OID4VCI flows?
OID4VCI defines two flows:
- Authorization Code flow: The holder is redirected to the issuer to authenticate and consent. The wallet then exchanges an authorization code for an access token and retrieves the credential.
- Pre-authorized Code flow: The issuer prepares the credential in advance and hands the wallet a pre-authorized code (often via a QR code or link), so the holder does not need to authenticate again at issuance time. A transaction code can be added for additional security.
How do I connect a system of record to an OID4VCI issuance flow?
A system of record (the database or application that already holds the user's data) is connected to MATTR VII through a claims source. The claims source tells MATTR VII how to retrieve the data it needs to populate the credential at the moment of issuance. From the holder's perspective, they trigger the flow, authenticate (if required), and receive the credential into their wallet. Behind the scenes, MATTR VII calls the claims source, assembles the credential, signs it, and delivers it through OID4VCI.
How do MATTR VII and the MATTR Portal support OID4VCI?
MATTR VII supports both OID4VCI flows (Authorization Code and Pre-authorized Code) and multiple credential formats. You can configure issuance through the MATTR VII Platform API, or through the MATTR Portal, which provides a user interface for managing tenants, credential configurations, claims sources, and issuance flows without writing code.
Which credential formats can MATTR VII issue via OID4VCI?
Via the Authorization Code flow, MATTR VII can issue CWT, Semantic CWT, and mDoc credentials. Via the Pre-authorized Code flow, MATTR VII issues mDoc credentials.
Is OID4VCI the same as OpenID Connect?
No. OpenID Connect is a protocol for identity authentication, typically used to sign a user into an application. OID4VCI builds on the same underlying OAuth 2.0 foundations as OpenID Connect, but it is purpose-built for issuing verifiable credentials, not for authenticating sessions. The two are complementary and often used together (for example, OpenID Connect can authenticate the holder during the Authorization Code flow).
Summary
OID4VCI is the open standard that lets credential issuers deliver verifiable credentials to wallets in a way that works across the ecosystem. It defines two flows (Authorization Code and Pre-authorized Code) to suit different use cases, and connects to your existing systems of record through a claims source. MATTR VII supports OID4VCI out of the box, with both the MATTR Portal and the MATTR VII API available to configure and operate your issuance flows.