light-mode-image
Learn
WebDC API

Digital Credentials API

DC API support is currently offered as a tech preview. The Digital Credentials API specification itself is still under active development in the W3C Web Incubator CG, and platform implementations continue to evolve. As such, functionality may be limited, may not work in all scenarios, and could change or break without prior notice as browsers and operating systems update their implementations.

The Digital Credentials (DC) API is a browser standard being incubated in the W3C's Web Incubator CG. MATTR's remote mDocs verification capabilities support the DC API as a streamlined alternative to traditional redirect-based verification workflows.

While OID4VP relies on URL schemes and redirects to move between web applications and wallet apps, the DC API provides a native browser mechanism for requesting and presenting digital credentials. This eliminates common user experience challenges such as wallet selection confusion and improves security by leveraging platform-level trust mechanisms.

The credential selection shift

The most significant improvement the DC API brings is shifting focus from selecting a wallet to selecting the right credential. Traditional approaches require users to choose between multiple wallet applications, often without knowing which wallet contains the credential they need. This leads to:

  • The NASCAR problem: Users face an overwhelming screen of wallet options (similar to the multitude of sponsor logos on NASCAR vehicles).
  • Dead-end experiences: Users select a wallet app that either isn't installed or doesn't contain the required credential.
  • Limited wallet support: Relying parties restrict the number of supported wallets to avoid poor user experience, reducing choice and stifling innovation.

The DC API solves this by allowing wallet applications to register as credential providers with the operating system. When a credential is requested, the system queries all registered wallets, aggregates matching credentials, and presents them to the user in a unified interface. Users select the credential they need, not the wallet that contains it.

Basic DC API workflow

The interaction comprises the following steps:

Verification request

When a user interacts with a verifier web application that requires presenting a credential, the verifier application initiates a DC API request through the user's browser. The browser invokes the DC API, which communicates with the mobile device and shares a request object.

The request object includes a presentation definition detailing the information the verifier requires, such as the type and format of credentials and any individual claims from those credentials.

Gathering matching credentials

Whenever a wallet that supports the DC API stores a credential, it registers that credential with the operating system as being available for DC API requests.

When a presentation request is received via the DC API, the mobile device queries all registered credentials and presents the matching ones to the user in a unified interface, regardless of which wallet application stores them.

The user selects the credential they want to present and consents for the wallet application that holds it to share the information with the verifier.

Verification response

The wallet application sends the encrypted verifiable presentation response via the DC API back to the verifier application.

The browser ensures the response returns to the exact context where the request originated, maintaining session continuity and security.

Verifying the verifiable presentation

Once the verifier receives the verifiable presentation, they decrypt it and apply verification checks to validate the credential's authenticity, issuer trust status, and compliance with the presentation request.

The DC API supports both same-device and cross-device verification workflows:

  • Same-device workflows involve a single device which houses both:
    • The browser used to access the verifier web application and trigger the DC API request.
    • The wallet application which holds the credential and responds to the request.
  • Cross-device workflows involve two different devices:
    • The first device houses the browser used to access the verifier web application and trigger the DC API request.
    • The second device houses the wallet application which holds the credential and responds to the request.

Same-device verification workflow

Same-device workflows involve a single mobile device running both the verifier application (in a browser) and wallet applications that store credentials.

For example, consider a user applying for a loan through their bank's mobile website. When the site needs to verify the user's identity, it triggers a DC API request in the browser. The browser uses the DC API to query all registered credentials on the device and display the ones that match the request. The user authenticates, selects their driver's license, and approves sharing it. The wallet application then creates and signs the presentation and returns it through the browser to the verifier application.

The DC API manages the entire flow within the browser context, eliminating the need for redirects or leaving the browser environment. The user authenticates using platform-level biometrics, and the private key associated with the credential remains secure in the device's key store.

Cross-device verification workflow

Cross-device workflows involve two devices:

  • One device (typically a desktop or laptop) runs the verifier application in a web browser and creates the presentation request.
  • A second device (typically a mobile phone) houses wallet applications that store the required credentials and respond to the request.

The browser on the first device displays a QR code or other mechanism to initiate the cross-device flow. The user scans this with their mobile device, which invokes the DC API on the mobile platform. The mobile devices queries registered credentials and presents them to the user.

For example, a user completing a tax return on their desktop computer is asked to verify their identity. The website displays a QR code, which the user scans with their phone. The mobile device then presents matching registered credentials, the user selects their national ID card, authenticates, and consents to sharing the information. The presentation is sent back to the desktop browser, where verification completes and the tax return process continues.

The DC API uses secure communication protocols with built-in proximity checks (such as CTAP 2.1 over Bluetooth Low Energy) to verify the devices are physically close together. This mitigates risks such as QR code replay attacks or session hijacking.

Security and privacy benefits

The DC API provides several security and privacy advantages over redirect-based approaches:

  • Session continuity: Once the interaction completes or if the user cancels, the session continues in the original browser context without losing state or requiring navigation.

  • Proximity verification in cross-device flows: Cross-device flows use operating system-level proximity checks to ensure devices are physically near each other before proceeding, reducing risks from QR code screenshots or remote attacks.

  • Reduced tracking surface: The DC API prevents unauthorized apps from silently tracking user interactions or accessing credential data without explicit user action.

Platform support

The DC API is a web browser standard and is implemented differently across platforms:

  • iOS: Supported on Safari version 26 and later, available on iPhone 11 and later running iOS 26.
  • Android: Supported on Chrome and Chromium-based browsers version 138 and later.

The DC API is specifically designed for web applications running in browsers. Native mobile applications use platform-specific APIs to interact with digital credentials.

For example, Android provides a platform-specific implementation called the DigitalCredential API, which is part of the Credential Manager framework.

Relationship to ISO/IEC 18013-7

The DC API is incorporated into the ISO/IEC 18013-7:2025 specification for remote verification of mDocs:

  • Annex C: Defines device retrieval using the Digital Credentials API, currently supported on iOS devices and the Safari browser.
  • Annex D (draft): Defines OID4VP using the Digital Credentials API, expected to be supported on Android devices and Chromium-based browsers.

MATTR's implementation supports both annexes via a single integration in the Verifier Web SDK, providing a consistent verification experience across platforms and browser types.

How would you rate this page?

Tutorial

Previous Page

Journey pattern

Next Page

On this page

The credential selection shiftBasic DC API workflowVerification requestGathering matching credentialsVerification responseVerifying the verifiable presentationSame-device verification workflowCross-device verification workflowSecurity and privacy benefitsPlatform supportRelationship to ISO/IEC 18013-7