OpenID4VCI
Category: technical
Full Name: OpenID for Verifiable Credential Issuance
Definition
OpenID for Verifiable Credential Issuance (OpenID4VCI) is a protocol specification that defines how credential issuers deliver verifiable credentials to wallet applications. Built as an extension of OAuth 2.0 and OpenID Connect, OpenID4VCI standardizes the entire credential issuance lifecycle: from issuer metadata discovery, through user authorization and authentication, to credential request and delivery. In the EUDI Wallet ecosystem, OpenID4VCI is the mandatory protocol for credential issuance, enabling any compliant wallet to receive credentials from any compliant issuer across all EU Member States, regardless of the specific wallet or issuer implementation.
The Credential Issuance Flow
The standard OpenID4VCI authorization code flow begins with issuer metadata discovery. The wallet retrieves the issuer's configuration from a well-known endpoint (/.well-known/openid-credential-issuer), learning which credential types the issuer offers, supported formats (SD-JWT, mDoc), required proof types, and endpoint URLs. This metadata-driven approach enables interoperability without prior bilateral agreements.
The wallet then initiates an authorization request to the issuer's authorization server, specifying which credential type it wants. The issuer authenticates the user (typically through national eID authentication, such as Germany's Online-Ausweis or reading the eID card via NFC), verifies their eligibility for the requested credential, and obtains consent. Upon successful authentication, the authorization server returns an authorization code.
The wallet exchanges the authorization code for an access token (with PKCE protection), and the issuer provides a c_nonce (credential nonce) for proof of possession. The wallet then sends a credential request to the issuer's credential endpoint, including a proof of possession JWT signed with the wallet's device key over the c_nonce.
The issuer verifies the proof of possession (confirming the wallet controls the claimed device key), generates the credential (signing the identity attributes with the issuer's key and binding it to the wallet's device key), and returns the completed credential in the requested format. The wallet stores the credential locally in secure device storage.
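The proof-of-possession step above, as an added example (not code from the specification or any wallet project): the wallet builds the proof JWT over the c_nonce and the issuer checks its type, audience, freshness and that the nonce was issued and is used only once. It assumes an HMAC shared secret as a stand-in for the wallet's device key so it runs with the standard library only; a real wallet signs with an asymmetric key and the issuer verifies against the public key carried in the JWT.

```python
import base64
import hashlib
import hmac
import json

# Constructed values. The shared secret stands in for the wallet's device key
# (assumption for a stdlib-only example; real proofs use an asymmetric key).
DEVICE_SECRET = b"constructed-device-secret"
ISSUER = "https://issuer.example"  # constructed issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(signing_input: bytes, key: bytes) -> str:
    return _b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def build_proof_jwt(c_nonce: str, key: bytes, now: int) -> str:
    """Wallet side: proof JWT whose nonce claim carries the issuer's c_nonce."""
    header = {"typ": "openid4vci-proof+jwt", "alg": "HS256"}
    claims = {"aud": ISSUER, "iat": now, "nonce": c_nonce}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode())).encode()
    return signing_input.decode() + "." + _sign(signing_input, key)


def verify_proof_jwt(jwt: str, key: bytes, issued_nonces: set, now: int,
                     max_age: int = 300) -> bool:
    """Issuer side: signature, typ, audience, iat window, nonce issued and unused.
    A valid nonce is consumed so a replayed proof is rejected."""
    try:
        h64, c64, sig = jwt.split(".")
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(f"{h64}.{c64}".encode(), key)):
        return False
    header = json.loads(_b64url_decode(h64))
    claims = json.loads(_b64url_decode(c64))
    if header.get("typ") != "openid4vci-proof+jwt" or claims.get("aud") != ISSUER:
        return False
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + 60):
        return False
    nonce = claims.get("nonce")
    if nonce not in issued_nonces:
        return False
    issued_nonces.discard(nonce)  # single use: the same proof cannot be presented twice
    return True
```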
Pre-Authorized Code Flow
The pre-authorized code flow is a unique OpenID4VCI addition designed for scenarios where the issuer initiates credential delivery after a real-world event. Examples include: a university issuing a diploma credential after graduation, a government agency issuing a driver's license after passing the driving test, or a healthcare provider issuing a vaccination certificate after an immunization.
In this flow, the issuer creates a credential offer containing a pre-authorized code and an optional PIN requirement. The offer is delivered to the user as a QR code (displayed on a screen or printed on paper), a deep link (in an email or SMS), or a push notification. The user scans or taps the offer with their EUDI Wallet app.
The wallet processes the credential offer, optionally prompts the user for the PIN (providing an additional authentication layer), and exchanges the pre-authorized code directly for an access token -- no authorization redirect is needed because the issuer has already authenticated the user through the real-world event (the graduation ceremony, the driving test, the vaccination appointment).
This flow dramatically simplifies credential issuance for the user. Instead of navigating to an issuer's website, authenticating, and initiating a request, the user simply scans a QR code (or opens a link) and confirms receipt in their wallet. The entire process takes seconds, making credential issuance as simple as scanning a QR code for a boarding pass.
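The wallet side of the pre-authorized code flow, as an added example (not code from the specification or any wallet project): it parses a by-value credential offer out of the QR or deep-link payload, reads whether the issuer requires a PIN, and builds the token request. The offer contents are constructed; the parameter names (`pre-authorized_code`, `tx_code`) follow a recent draft of the specification and should be checked against the version the issuer implements.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

# Constructed credential offer as an issuer would embed it in a QR code or link.
SAMPLE_OFFER = {
    "credential_issuer": "https://issuer.example",
    "credential_configuration_ids": ["constructed-pid-config"],
    "grants": {PRE_AUTH_GRANT: {"pre-authorized_code": "constructed-code-123",
                                "tx_code": {"length": 4, "input_mode": "numeric"}}},
}
SAMPLE_LINK = "openid-credential-offer://?" + urlencode(
    {"credential_offer": json.dumps(SAMPLE_OFFER)})


def parse_credential_offer(link: str) -> dict:
    """Extract the by-value offer JSON from an openid-credential-offer:// link."""
    parts = urlsplit(link)
    if parts.scheme != "openid-credential-offer":
        raise ValueError("unexpected scheme")
    qs = parse_qs(parts.query)
    if "credential_offer" not in qs:
        # By-reference offers carry credential_offer_uri and must be fetched first.
        raise ValueError("no by-value credential_offer parameter")
    return json.loads(qs["credential_offer"][0])


def pin_requirement(offer: dict):
    """Return the tx_code metadata when the issuer requires a PIN, else None."""
    grant = offer.get("grants", {}).get(PRE_AUTH_GRANT)
    if grant is None:
        raise ValueError("offer carries no pre-authorized code grant")
    return grant.get("tx_code")


def pin_is_acceptable(tx_code, pin) -> bool:
    """Check the user-entered PIN against the issuer's stated length and input mode."""
    if tx_code is None:
        return pin is None
    if pin is None:
        return False
    if "length" in tx_code and len(pin) != tx_code["length"]:
        return False
    return tx_code.get("input_mode", "numeric") != "numeric" or pin.isdigit()


def build_token_request(offer: dict, pin=None) -> dict:
    """Form parameters for the token endpoint; no authorization redirect involved."""
    grant = offer["grants"][PRE_AUTH_GRANT]
    tx_code = grant.get("tx_code")
    if not pin_is_acceptable(tx_code, pin):
        raise ValueError("PIN missing or does not match the offer's tx_code rules")
    req = {"grant_type": PRE_AUTH_GRANT, "pre-authorized_code": grant["pre-authorized_code"]}
    if tx_code is not None:
        req["tx_code"] = pin
    return req
```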
Credential Format Support and Batch Issuance
OpenID4VCI supports multiple credential formats through format-specific parameters in the credential request. For EUDI Wallets, the two mandatory formats are SD-JWT (for online presentations) and mDoc (for proximity presentations). The wallet can request the same credential in both formats, allowing the issuer to deliver two copies of the same credential optimized for different presentation scenarios.
Batch issuance allows a single authorization to result in multiple credential requests. A citizen activating their EUDI Wallet might receive their Person Identification Data (PID) credential in both SD-JWT and mDoc formats, their driving license as an mDoc, and their address credential as an SD-JWT -- all through a single authentication event. The wallet sends separate credential requests for each, reusing the same access token.
Deferred issuance handles scenarios where credential generation takes time (for example, when manual verification is required). The issuer returns a deferred credential response with a transaction ID, and the wallet periodically polls the deferred credential endpoint until the credential is ready. This pattern supports workflows where immediate issuance is not possible.