
mDocs remote web app verification - DC API Workflow

DC API support is currently offered as a tech preview. The Digital Credentials API specification itself is still under active development in the W3C Web Incubator CG, and platform implementations continue to evolve. As such, functionality may be limited, may not work in all scenarios, and could change or break without prior notice as browsers and operating systems update their implementations.

mDocs are digital credentials based on the ISO/IEC 18013-5 standard and 18013-7 technical specification, designed to be stored on a holder’s mobile device and support either in-person or remote verification workflows.

The purpose of this page is to describe the end-to-end remote web app verification DC API workflow, where a user interacts with a web application to present an mDoc stored on their mobile device via the DC API, as per Annex C and D of ISO/IEC 18013-7:2025.

Prerequisites

We recommend you make yourself familiar with the following concepts to support your understanding of the implementation described in this page:

Overview

The DC API is a browser standard that enables web applications to request and verify digital credentials directly from compatible wallet applications on the user's device. This provides a seamless user experience where credential presentation happens entirely within the browser context. The API allows wallets to register as credential providers with the mobile device's operating system, making them automatically discoverable when a website requests credentials.

Detailed workflow

Let's take a closer look at the end-to-end workflow and explain the role of each component:

Invoking the interaction

The user triggers an action in a verifier web application that requires presenting a credential for verification.

Generating challenge

When the verifier web application has a backend, the backend generates a unique challenge to ensure the security of the verification workflow. This challenge will be used to validate that the verification results received later are associated with this specific session.

Generating the challenge on the backend helps prevent tampering and replay attacks, as the challenge is not exposed to the frontend until verification is complete.

Furthermore, it enables the backend to associate the verification results with an existing session or transaction, enhancing the overall security and integrity of the verification process.

Passing challenge to web application

The verifier backend sends the generated challenge to the verifier web application, which will include it when starting the presentation session with MATTR VII.

Checking browser support

The verifier web application checks if the user's browser supports the DC API.

Requesting credentials

The verifier web application calls the SDK's requestCredentials method to start a presentation session with the configured MATTR VII tenant, including the challenge received from the backend.

Creating presentation session

The MATTR VII tenant creates a new presentation session and returns the request object to the verifier web application.

Invoking DC API

The verifier web application passes the request object to the user's browser to invoke the Digital Credentials API.

Presenting verification request

The browser presents a verification request interface to the user. This can be a QR code (when the user is on a desktop) or a button to start the process directly in the browser (when the user is on a mobile device).

Initiating verification

The user initiates the verification process by scanning the QR code or clicking the button.

Forwarding request to mobile device

The browser forwards the request to the mobile device.

Displaying matching credentials

The mobile device shows the user the matching credentials from installed wallet applications that are registered to handle DC API requests. This UI is rendered by the mobile device and is displayed on top of the web browser.

Selecting credential

The user selects a credential from the displayed options.

Forwarding to wallet

The mobile device forwards the verification request to the wallet application that holds the selected credential. On iOS devices, if there is only one compatible wallet that holds a matching credential, the system may directly open that wallet without displaying the selection UI to the user.

Reviewing credential details

The wallet application displays the credential details to the user for review and consent. This UI is rendered by the wallet application and is displayed on top of the web browser.

The user reviews the credential details and provides consent to share them with the verifier.

Returning presentation response

The wallet application returns the encrypted credential as a presentation response to the browser.

Forwarding to verifier

The browser forwards the presentation response to the verifier web application.

Submitting for verification

The verifier web application submits the presentation response to the MATTR VII tenant for verification.

Verifying credential

The MATTR VII tenant decrypts and verifies the credential.

Notifying verification completion

The MATTR VII tenant notifies the verifier web application that verification has been completed. When the web application has a backend, for enhanced security the tenant does not send the verification results directly to the frontend.

Passing session ID to backend

The verifier web application sends the presentation session ID to the verifier backend to retrieve the verification results securely.

Retrieving verification results

The verifier backend makes a request to MATTR VII to retrieve the verification results for the session using the session ID.

Returning results with challenge

The MATTR VII tenant responds with the verification results and the unique challenge that was included when the presentation session was created.

Validating challenge

The verifier backend compares the original challenge it generated with the challenge received from MATTR VII to ensure the response can be trusted and is associated with the correct session.

Passing results to web application

Once the challenge is validated, the verifier backend sends the verification results to the verifier web application.

Displaying results

The verifier web application displays the verification results and the user continues the interaction accordingly.

Based on the unique challenge, the verifier can also continue any backend processes associated with the verification session, such as granting access to a service or completing a transaction.
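The "Generating challenge" and "Validating challenge" steps above, sketched as backend code. This is an added example, not code from the SDK or the MATTR VII API. The names `ChallengeStore` and `acceptResults`, the five-minute lifetime, and the `{ challenge, results }` shape of the retrieved results are assumptions made for illustration.

```javascript
// Added example: backend-side challenge lifecycle (all names are illustrative).
const { randomBytes, timingSafeEqual } = require("node:crypto");

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // assumed lifetime; tune to your flow

class ChallengeStore {
  constructor(now = () => Date.now()) {
    this.now = now; // injectable clock so expiry can be tested
    this.pending = new Map(); // appSessionId -> { challenge, expiresAt }
  }

  // "Generating challenge": 256 bits from the CSPRNG, bound to the app session.
  issue(appSessionId) {
    const challenge = randomBytes(32).toString("base64url");
    this.pending.set(appSessionId, {
      challenge,
      expiresAt: this.now() + CHALLENGE_TTL_MS,
    });
    return challenge;
  }

  // "Validating challenge": single use, expiry-checked, constant-time compare.
  validate(appSessionId, returnedChallenge) {
    const entry = this.pending.get(appSessionId);
    this.pending.delete(appSessionId); // consumed on first use, pass or fail
    if (!entry) return { ok: false, reason: "unknown-or-used" };
    if (this.now() > entry.expiresAt) return { ok: false, reason: "expired" };
    const expected = Buffer.from(entry.challenge);
    const received = Buffer.from(String(returnedChallenge ?? ""));
    if (expected.length !== received.length || !timingSafeEqual(expected, received)) {
      return { ok: false, reason: "mismatch" };
    }
    return { ok: true };
  }
}

// `retrieved` is a constructed stand-in for the results the backend fetches
// by presentation session ID; its field names are assumed, not the real schema.
function acceptResults(store, appSessionId, retrieved) {
  const check = store.validate(appSessionId, retrieved.challenge);
  return check.ok
    ? { accepted: true, results: retrieved.results }
    : { accepted: false, reason: check.reason };
}
```

Results are released to the web application only when `accepted` is true; a replayed, expired or mismatched challenge is rejected before any verification data leaves the backend.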
