§ JWT VC Presentation Profile

Profile Status: Draft

Latest Draft: https://identity.foundation/jwt-vc-presentation-profile

Editors:
Daniel McGrogan (Workday)
Kristina Yasuda (Microsoft)
Jen Schreiber (Workday)
Contributors:
Tobias Looker (Mattr)
Andrew Hughes (Ping Identity)
David Waite (Ping Identity)
Valerie Lanard (Workday)
Daniel Godbout (Microsoft)
Rohit Gulati (Microsoft)
Eric Kuhn (Kraken)
Participate:
GitHub repo
File a bug
Commit history

§ Abstract

The JWT VC Presentation Profile defines a set of requirements against existing specifications to enable the interoperable presentation of Verifiable Credentials (VCs) between Wallets and Verifiers.

This document is not a specification, but a profile. It outlines existing specifications required for implementations to interoperate among each other. It also clarifies mandatory to implement features for the optionalities mentioned in the referenced specifications.

The profile uses OpenID for Verifiable Presentations (OpenID4VP ID1) as the base protocol for the request and verification of JWT VCs encapsulated in Verifiable Presentations. A full list of the open standards used in this profile can be found in Overview of the Open Standards Requirements.

§ Audience

The audience of the document includes verifiable credential implementers and/or enthusiasts. The first few sections give an overview of the problem area and profile requirements for JWT VC interoperability. Subsequent sections are detailed and technical, describing the protocol flow and request-responses.

§ Status of This Document

The status of the JWT VC Presentation Profile v1.0.0 is a PRE-DRAFT specification under development within the Decentralized Identity Foundation (DIF).

§ Description

The VC Data Model v1.1 defines the data model of Verifiable Credentials (VCs) but does not prescribe standards for transport protocol, key management, authentication, query language, etc. As a result, implementers must decide which standards to use for their presentations without a guarantee that others will support the same set of standards.

This document aims to provide a path to interoperability by standardizing the set of specifications that enable the presentation of JWT-VCs between implementers. Future versions of this document will include details on issuance and wallet interoperability. Ultimately, this profile will define a standardized approach to Verifiable Credentials so that distributed developers, apps, and systems can share credentials through common means.

§ Scope

§ Scope

This document is currently scoped for the presentation of VCs between the Self-Issued OP and the Verifier/RP, also known as the RP. The Self-Issued OP is a native mobile application. The following aspects of the presentation are covered:

The JWT VC Presentation Profile currently supports only one response mode, assuming that a Self-Issued OP is on a different device than the one on which the End-User has initiated a user interaction at the Verifier/RP, even if it is not.

Supporting an additional response mode when Self-Issued OP is on the same device as the one on which the End-User has initiated a user interaction at the Verifier/RP might be added in the future.

§ Out of Scope

The following items are out of scope for the current version of this document:

Note: Although selective disclosure and unlinkability are out of scope of this document, future versions will include JSON Web Proofs (JWP) and JSON Web Algorithms (JWA) once they get ratified in IETF.

§ Structure of this Document

A description to the reader on how the document is structured.

§ Terminology

This section consolidates in one place common terms used across open standards that this profile consists of. For the details of these, as well as other useful terms, see text within each of the specification listed in References.

Authorization Request
OAuth 2.0 Authorization Request extended by OIDC and OpenID4VP
Authorization Response
OAuth 2.0 Authorization Response extended by OIDC and OpenID4VP
Claim
An assertion made about the subject of a credential
Decentralized Identifier
An identifier with its core ability being enabling Clients to obtain key material and other metadata by reference
End User
Participant
Holder
An entity that possesses or holds verifiable credentials and can generate verifiable presentations from them as defined in VC Data Model.
OpenID Provider (OP)
OAuth 2.0 Authentication Server implementing OIDC and OpenID4VP
Presentation
Data derived from one or more verifiable credentials, issued by one or more issuers, that is shared with a verifier
Relying Party (RP)
OAuth 2.0 Client application using OIDC and OpenID4VP in SIOPv2. Synonymous with term Verifier in VC Data Model
Request Object
JWT that contains a set of request parameters as its Claims
Self Issued OpenID Provider (SIOP)
An OpenID Provider (OP) used by an End User to prove control over a cryptographically verifiable identifier such as a DID.
Verifiable Credential
A set of one or more Claims made by an issuer that is tamper-evident and has authorship that can be cryptographically verified.
Verifiable Presentation (VP)
A Presentation that is tamper-evident and has authorship that can be cryptographically verified
Verifier
An entity that receives one or more verifiable credential inside a verifiable presentation for processing. Synonymous with the term Relying Party (RP)
Verification
The process in which a Verifier validates that the verifiable credential inside a verifiable presentation is authentic and a timely statement of the issuer or presenter
Wallet
An entity that receives, stores, presents, and manages credentials and key material of the End User. Acts as a Self Issued OpenID Provider (SIOP)

§ Profile

§ The Protocol Flow

This section briefly describes the end to end verification flow. Concepts and terms mentioned here will be described in more detail in subsequent sections of this document.

The flow begins as the Verifier generates a QR Code that contains a request_uri parameter which allows Self-Issued OP (SIOP) Request to be passed by reference. Verifier displays this QR code on their Verifier Website to initiate the exchange.

sequenceDiagram participant user as End User participant siop as Wallet/SIOP participant rp as Verifier/RP rp ->> rp: Generates QR Code
with request_uri rp ->> rp: Displays QR Code

Verifier Website presents the QR Code to the End User on their Verifier Website. The End User scans the QR Code using their Wallet. The Wallet parses the QR code to obtain the request_uri.

The Wallet sends a GET request to the obtained request_uri to retrieve the Request Object. The Request Object is a signed JWT that contains a set of request parameters as defined in SIOPv2 ID1 and OpenID4VP ID1. In particular, Wallet will determine which VCs to submit to the Verifier by processing presentation_definition property in the Request Object.

sequenceDiagram participant user as End User participant siop as Wallet/SIOP participant rp as Verifier/RP rp ->> rp: Generates and displays
QR Code with `request_uri` user -->> siop: Opens app siop -->> rp: Scans QR Code siop ->> siop: Obtains `request_uri`
from QR Code

Upon receiving the Request Object, the Wallet will identify VCs that satisfy the Presentation Definition and encapsulate them in a Verifiable Presentation (VP). The Wallet will complete the SIOP or Authorization Response by sending an ID Token and a VP Token to the Verifier’s redirect_uri.

Upon receiving the ID Token and VP Token, Verifier performs necessary checks such as DID resolution, signature validation, Linked Domain validation, revocation checks, etc. and sends an acknowledgement of receipt back to the Wallet. The flow of the Wallet presenting VCs to the Verifier is now complete.

sequenceDiagram participant user as End User participant siop as Wallet/SIOP participant rp as Verifier/RP siop ->> siop: Identifies VCs
described in the
Request Object siop ->> siop: Generates a VP siop ->> rp: POST /redirect_uri
ID Token and VP Token rp -->> siop: Acknowledgement

§ Overview of the Open Standards Requirements

This profile uses certain versions of specifications that have not yet reached final status: For more details see Normative References section.

§ Security Considerations

It is important to note that Cross-device SIOP is susceptible to a session phishing attack, where an attacker relays the request from a good Verifier/RP to a victim and is able to sign in as a victim. Implementers MUST implement mitigations most suitable to the use-case. For more details and concrete mitigations, see section 15 Security Considerations in SIOPv2 ID1.

§ JWT VCs

§ Using JWT claims instead of their counterparts in the data model specification

Section 6.3.1 of VC Data Model v1.1 provides two options for how to encode properties defined in VC Data Model v1.1 as a JWT:

  1. Use registered JWT claims instead of respective counterparts defined in a VC Data Model v1.1.
  2. Use JWT claims in addition to VC Data Model v1.1 counterparts

For the purpose of this profile, registered JWT claims exp, iss, nbf, jti, sub and aud MUST be used in a JWT VC instead of their respective counterparts defined in VC Data Model v1.1.

§ Base64url Encoding of a JWT encoded VC included in a VP

Verifiable Credentials included in a JWT-encoded Verifiable Presentation MUST be Base64url encoded.

Base64url encoding is defined as a base64 encoding using the URL and filename safe character set defined in Section 5 of RFC4648, with all trailing ‘=’ characters omitted (as permitted by Section 3.2 of RFC4648) and without the inclusion of any line breaks, whitespace, or other additional characters. Note that the base64url encoding of the empty octet sequence is the empty string. (See Appendix C of RFC7515 for notes on implementing base64url encoding without padding.)

§ exp JWT claim

exp JWT claim in JWT encoded VC or VP MUST be used to set the value of the “expirationDate” of the VC or VP, and not of the credentialSubject.

§ nbf JWT claim

VC Data Model v1.1 specifies that “issuanceDate” property MUST be represented as an nbf JWT claim, and not iat JWT claim. This might sound couterintuitive, but the implementers of this profile MUST follow this guidance.

§ Authorization Request

SIOPv2 ID1 MUST be used for key management and authentication, OpenID4VP ID1 MUST be used to transport Verifiable Credentials, and Presentation Exchange MUST be used as a query language as defined in OpenID4VP ID1.

§ Invoking Self-Issued OP

Custom URL Scheme openid-vc:// MUST be used to invoke Self-Issued OP.

§ Self-Issued OP Request URI

Request object shall be passed by reference, rather than by value, as defined in Section 6.2 of OIDC. The Holder Wallet retrieves full Request Object value from the resource at the request_uri.

There are multiple ways for a Verifier/RP to communicate request_uri to the Self-Issued OP. request_uri can be obtained from a QR code when Self-Issued OP is on a different device than the one on which the user interaction is occurring. It can also be obtained from a deep link when Self-Issued OP is on the same device as the one on which the user interaction is occurring.

The Self-Issued OP Request URI has an openid scheme.

The request_uri parameter is a HTTP URL from where the Holder Wallet can retrieve a full Request Object.

The Holder Wallet will retrieve the Request Object value from the request_uri as defined in section 6 of OIDC.

The Self-Issued OP request URI MUST include the following parameter:

Below is a non-normative example of a Self-Issued OP URI which will be encoded into a QR code:

openid-vc://?request_uri=https://someverifierdomain.com/v1.0/verifiablecredentials/request/a0eed079-672f-4055-a4f5-e0f5d76ecdea
TODO

Need to add QR Code above

§ Self-Issued OP Request Object

Upon receipt of the Request, the Holder Wallet MUST send an HTTP GET request to the request_uri to retrieve the referenced Request Object, unless it is already cached, and parse it to recreate the Request parameters.

The response body to that request must be an encoded JWT. The media type must be application/jwt

Below is a non-normative unencoded example of a retrieved Request Object:

EXAMPLE
{
  "alg": "ES256K",
  "kid": "did:ion:EiAv0eJ5cB0hGWVH5YbY-uw1K71EpOST6ztueEQzVCEc0A:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfY2FiNjVhYTAiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiOG15MHFKUGt6OVNRRTkyRTlmRFg4ZjJ4bTR2X29ZMXdNTEpWWlQ1SzhRdyIsInkiOiIxb0xsVG5rNzM2RTNHOUNNUTh3WjJQSlVBM0phVnY5VzFaVGVGSmJRWTFFIn0sInB1cnBvc2VzIjpbImF1dGhlbnRpY2F0aW9uIiwiYXNzZXJ0aW9uTWV0aG9kIl0sInR5cGUiOiJFY2RzYVNlY3AyNTZrMVZlcmlmaWNhdGlvbktleTIwMTkifV0sInNlcnZpY2VzIjpbeyJpZCI6ImxpbmtlZGRvbWFpbnMiLCJzZXJ2aWNlRW5kcG9pbnQiOnsib3JpZ2lucyI6WyJodHRwczovL3N3ZWVwc3Rha2VzLmRpZC5taWNyb3NvZnQuY29tLyJdfSwidHlwZSI6IkxpbmtlZERvbWFpbnMifV19fV0sInVwZGF0ZUNvbW1pdG1lbnQiOiJFaUFwcmVTNy1Eczh5MDFnUzk2cE5iVnpoRmYxUlpvblZ3UkswbG9mZHdOZ2FBIn0sInN1ZmZpeERhdGEiOnsiZGVsdGFIYXNoIjoiRWlEMWRFdUVldERnMnhiVEs0UDZVTTNuWENKVnFMRE11M29IVWNMamtZMWFTdyIsInJlY292ZXJ5Q29tbWl0bWVudCI6IkVpREFkSzFWNkpja1BpY0RBcGFxV2IyZE95MFRNcmJKTmllNmlKVzk4Zk54bkEifX0#sig_cab65aa0",
  "typ": "JWT"
}.{
  "jti": "5a967ab4-3bbc-4add-869f-b4f5c361ba45",
  "iat": 1646337478,
  "response_type": "id_token",
  "response_mode": "post",
  "scope": "openid",
  "nonce": "O1mZGnuet++Ilg2c1jR4jA==",
  "client_id": "did:ion:EiAv0eJ5cB0hGWVH5YbY-uw1K71EpOST6ztueEQzVCEc0A:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfY2FiNjVhYTAiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiOG15MHFKUGt6OVNRRTkyRTlmRFg4ZjJ4bTR2X29ZMXdNTEpWWlQ1SzhRdyIsInkiOiIxb0xsVG5rNzM2RTNHOUNNUTh3WjJQSlVBM0phVnY5VzFaVGVGSmJRWTFFIn0sInB1cnBvc2VzIjpbImF1dGhlbnRpY2F0aW9uIiwiYXNzZXJ0aW9uTWV0aG9kIl0sInR5cGUiOiJFY2RzYVNlY3AyNTZrMVZlcmlmaWNhdGlvbktleTIwMTkifV0sInNlcnZpY2VzIjpbeyJpZCI6ImxpbmtlZGRvbWFpbnMiLCJzZXJ2aWNlRW5kcG9pbnQiOnsib3JpZ2lucyI6WyJodHRwczovL3N3ZWVwc3Rha2VzLmRpZC5taWNyb3NvZnQuY29tLyJdfSwidHlwZSI6IkxpbmtlZERvbWFpbnMifV19fV0sInVwZGF0ZUNvbW1pdG1lbnQiOiJFaUFwcmVTNy1Eczh5MDFnUzk2cE5iVnpoRmYxUlpvblZ3UkswbG9mZHdOZ2FBIn0sInN1ZmZpeERhdGEiOnsiZGVsdGFIYXNoIjoiRWlEMWRFdUVldERnMnhiVEs0UDZVTTNuWENKVnFMRE11M29IVWNMamtZMWFTdyIsInJlY292ZXJ5Q29tbWl0bWVudCI6IkVpREFkSzFWNkpja1BpY0RBcGFxV2IyZE95MFRNcmJKTmllNmlKVzk4Zk54bkEifX0",
  "redirect_uri": "https://beta.did.msidentity.com/v1.0/e1f66f2e-c050-4308-81b3-3d7ea7ef3b1b/verifiablecredentials/present",
  "state": "djGBIOZNYj6lR0cC6nUe/73lA8xfnyXIOgpH1pL9u1+1nZEf02UWGL9t/I2jR7S7QLgkgOpRlmvZNKuVzxSeE7LRCdCQT96Bk6toYJi16sD8cfYAgmyZ5LfRg6fOjMsroXK2hJgA960Vr0lwdUUaV6/iyTD2njlutngeTmovCLaAKPl9ZvCcDmwGbllLQ1egVNOxR+hBk70YXvlwSeHnGbUH2wt30yGYcyCqZTSsBvAP6B/X/6Nk0FXax1iAfXguRLVXNLsiajPOCg6xCkR2iwjqLQV0tHHZ/GOKJ2B6QZH1qBcA3Y65pz+R3QIBDmVpkxMrPtsL8RQL4XB01MFJ96iHY5ec1YpVULRKwLpEltaJsPrHSGqACKS1aidafFYU28KYN+1LnJ0L5dsW5/5v23vHHm0VeeQQUYba6rErkjfmLdKpc4Oi43Cn0OH25w+tW3SC1fmvZVPS6moVpmdRifORx9N07sg6PHcfrUlgLyxpfniwpLMjhJhmCOzsQjDLQaiU4tk36WvbQEoad9TEu4RpP0Z5A74jKQcR/bkwpyb9M00yzOsXuK2yMu4k3ol49jKw1SF4WKEcA511hiqx+MxL2Av7g4BZZrPKv7RpaAVk4GTZZy7qL3ULEVd8SWymp0ioxoaHgNx5EYaHixk+8QX1p7STUEQY3cYzo1ygZ5hJ0G6j0ZuaprDGCjqGdqykduKYj6m+dzK25OkPc9uRaOIB+st4SvTCpaEWUUJ9L5eFeTVkBrzXgTHe8Ke+x89tw3ETD3Rr1HO+8BvC1R1RmL67H0pQTzjbagR6nfy7fXEhNUx50mm38wtzbxlK7d7OYPyfyBhp7UAmArVCIY5/+S5Ew5OzjPws6bU0NbWqno7bA27CTrAAJCBw1WLoSfwQS7Rscdb4wGhqCafak4Sw83+tKyAwcuY6Hz9SVhJeZwI0aW7ppZcDiKIbL7zUrz3cWGKhIB+dDPs73keyEkqHnXayO/2Dvsz8kCmisp8xyTCHR8j9d719brayVe6WmyWdU84r+Fri9/xlZWqF3VjZfoxzOwHDy8fb7H1Kx5DyPW0+oriLCZy0tEBr458IxyyhiNer1sTzHxde1yH6bZibxrcVN6m1hk/vJImZKWn2hkHr3D23soG2tjD9YSg5wMRYOQnTMbnauXqDe4EJhVNVmCBCOLCFJvr0y6THDBZYPQmaB7BX5zp4PuHcOWjk9mfG/OYOxrYA0wbvq7mP9V1laAOa5YGVMbQMNmleblQ7pnnVTNrYPO1BKWz5QgkJrdYlOQbBBZX4jBirL4asz313ceL42ziJCHo7erWqimW+FuXv2EyjoAM02Q/yaPmsCif1ZvC4y5tKVU9b3bomdCzR13QYnnNtpdMqyInCXJOwXqC2rcpwrIwmB21SmFYhOadgkuxaMb57tgaSL7ZxYvYb7+WJUHjPWnn9GTNyTjAIeThLdc1t3IAGl/W3auIMF1mS2nF6meI/qB9ny44qlATGZ0P6zANGanOSZ6dEnTtIvakX4tLlYkvLdAfBnVcZA5HSFKl05x3YzLwYW3A/z3uChKzXFAkn+gH+EOx6MlGDRoZG5gt+389ouQYKIW4aDmRN6FR5RBeMnK5S7K5MZmppNUD5C4BG5gSWCVtGFxYHbAKxfDyE15yu+D4sOaBMqEyIbf0fk1yEGkLLZ68SLVRYCn3LnV+1adiLZo42OnHzp4DJ2p8Ws/msuR2PjIIJiM7NU5QWo8czz7Ftdzx26udQorN4jNU3HDv/eFksYOVOjLvx",
  "exp": 1646337778,
  "registration": {
    "client_name": "Interop WG",
    "subject_syntax_types_supported": [
      "did:ion"
    ],
    "vp_formats": {
      "jwt_vp": {
        "alg": [
          "ES256K"
        ]
      },
      "jwt_vc": {
        "alg": [
          "ES256K"
        ]
      }
    },
    "client_purpose": "Please share this information with us to get access to our library."
  },
  "claims": {
    "vp_token": {
      "presentation_definition": {
        "id": "c278823a-f9d7-4a22-9a73-4a1bcd87f60e",
        "input_descriptors": [
          {
            "id": "InteropExampleVC",
            "name": "InteropExampleVC",
            "purpose": "We need to verify that you have a valid InteropExampleVC Verifiable Credential.",
            "schema": [
              {
                "uri": "InteropExampleVC"
              }
            ]
          }
        ]
      }
    }
  }
}.[Signature]
§ Self-Issued OP Request Parameters

The Self-Issued OP request object obtained via request_uri MUST include the following parameters and values:

§ Self-Issued OP Discovery

The Verifier/RP MUST use static Self-Issued OP metadata as defined in section 6.2.1 of SIOPv2 ID1.

EXAMPLE
{
  "authorization_endpoint": "openid-vc:",
  "issuer": "https://self-issued.me/v2/openid-vc",
  "response_types_supported": [
    "id_token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "ES256K",
    "EdDSA"
  ],
  "request_object_signing_alg_values_supported": [
    "ES256K",
    "EdDSA"
  ]
}

§ Verifier/RP Registration Metadata

The Self-Issued OP request MUST be signed. Decentralized Identifier resolution as defined in section 10.2.2.2. of SIOPv2 ID1 MUST be used as the Verifier/RP Registration Metadata Resolution Method.

The RP MUST support Subject Syntax Type as specified in section 9.2.3 and include the DID methods required by this profile. in SIOPv2 ID1. RP’s client_id MUST be expressed using a DID method URI (of a DID method supported by this profile), and the public key used to sign the request MUST be obtained from the verificationMethod property of a DID Document. The public key used to sign the request in question MUST be identified by the kid in the header of the signed request.

All RP metadata other than the public key MUST be obtained from the registration parameter as defined in section 6.3.1. of SIOPv2 ID1.

The following are Verifier/RP Registration Metadata parameters and values:

Below is a normative example of claims included in the registration parameter:

EXAMPLE
{
  "subject_syntax_types_supported": [
    "did:web",
    "did:ion"
  ],
  "vp_formats": {
    "jwt_vp": {
      "alg": [
        "ES256K",
        "EdDSA"
      ]
    },
    "jwt_vc": {
      "alg": [
        "ES256K",
        "EdDSA"
      ]
    }
  },
  "client_name": "Interop WG",
  "client_purpose": "Please share this information with us to get access to our library."
}

Other Registration parameters defined in OIDC Registration can be used.

§ Linked Domain Verification

To strengthen trust between the Verifier/RP and End-user, a Verifier/RP’s DID must be bound to its website. This proves the Verifier/RP controls both the DID and the origin and allows the End-user to verify this relationship. To bind an owner of a DID to a controller of a certain origin, Well Known DID Configuration MUST be used as defined in Well Known DID.

Validation of Domain Linkage Credentials by the wallet MUST follow the steps given in the Well Known DID specification. To check validity of the Domain Linkage Credential, expiration property MUST be taken into account. Additional checks, e.g. of revocation, are not required by this profile. Since the Verifier/RP manages Domain Linkage Credentials and directly updates the DID Configuration Resource, the usage of a credentialStatus property for revocation in a Domain Linkage Credential typically is of little use.

When creating a Verifier/RP’s DID, the domain linked to that DID MUST be included in a serviceEndpoint property of the DID Document as shown in a non-normative response below:

EXAMPLE
{
  "service": [
    {
      "id": "#domain-1",
      "type": "LinkedDomains",
      "serviceEndpoint": "https://vcsatoshi.com"
    }
  ]
}

Prior to a presentation request, the Verifier/RP MUST create a Domain Linkage Credential in a JSON Web Token format. It MUST be included on the website via ‘/.well-known/did-configuration.json’.

Below is a non-normative example of a Domain Linkage Credential that is hosted at https://www.vcsatoshi.com/.well-known/did-configuration.json:

EXAMPLE
{
  "@context": "https://identity.foundation/.well-known/contexts/did-configuration-v0.0.jsonld",
  "linked_dids": [
    "eyJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6aW9uOkVpQ29QQUlDWFRiS0NJdldPQnA5NkxLSExRdUhrVmRscm1zWWV2WlBXOEFqV3c6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZGZPRFJsTldWbVkyTWlMQ0p3ZFdKc2FXTkxaWGxLZDJzaU9uc2lZM0oySWpvaWMyVmpjREkxTm1zeElpd2lhM1I1SWpvaVJVTWlMQ0o0SWpvaVJWZzVZemRSVjJ4MlprMU5kVVJRWnpsMFNqQjRXa1JMYW1SUVNqSkpPV2R1U210S2RVMXBZVnBpZHlJc0lua2lPaUk0VWtRelYweHRhRUpUUTBwUFZIRkViRzlWZG5wWlgwNVBTbTVQV1dKRmJuUTBRemRZVldWUVR6VTRJbjBzSW5CMWNuQnZjMlZ6SWpwYkltRjFkR2hsYm5ScFkyRjBhVzl1SWl3aVlYTnpaWEowYVc5dVRXVjBhRzlrSWwwc0luUjVjR1VpT2lKRlkyUnpZVk5sWTNBeU5UWnJNVlpsY21sbWFXTmhkR2x2Ymt0bGVUSXdNVGtpZlYwc0luTmxjblpwWTJWeklqcGJleUpwWkNJNklteHBibXRsWkdSdmJXRnBibk1pTENKelpYSjJhV05sUlc1a2NHOXBiblFpT25zaWIzSnBaMmx1Y3lJNld5Sm9kSFJ3Y3pvdkwzZDNkeTUyWTNOaGRHOXphR2t1WTI5dEx5SmRmU3dpZEhsd1pTSTZJa3hwYm10bFpFUnZiV0ZwYm5NaWZWMTlmVjBzSW5Wd1pHRjBaVU52YlcxcGRHMWxiblFpT2lKRmFVUjVTbHBhYlVGM2MxSlBTR056VGtSYVZDMXpOMnhhYkV4Q1gwWjViVFY2U0hCWVJWRXhWV0ZDY0RSM0luMHNJbk4xWm1acGVFUmhkR0VpT25zaVpHVnNkR0ZJWVhOb0lqb2lSV2xDYldSU1ExWjRUMU5WWm5WdVVtVjFVVGRhVmxGZlQzRXRlVFZETUd3d2RtOHRhelp3TUZFek1tSk9RU0lzSW5KbFkyOTJaWEo1UTI5dGJXbDBiV1Z1ZENJNklrVnBRVWwxTUVaUE1XbFVia0pUY3pJeWQzTlZaa3BaVldaRVZVZFJhMVJqTTE5bVJuSjRaVVZOWlhwZlpGRWlmWDAjc2lnXzg0ZTVlZmNjIn0.eyJzdWIiOiJkaWQ6aW9uOkVpQ29QQUlDWFRiS0NJdldPQnA5NkxLSExRdUhrVmRscm1zWWV2WlBXOEFqV3c6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZGZPRFJsTldWbVkyTWlMQ0p3ZFdKc2FXTkxaWGxLZDJzaU9uc2lZM0oySWpvaWMyVmpjREkxTm1zeElpd2lhM1I1SWpvaVJVTWlMQ0o0SWpvaVJWZzVZemRSVjJ4MlprMU5kVVJRWnpsMFNqQjRXa1JMYW1SUVNqSkpPV2R1U210S2RVMXBZVnBpZHlJc0lua2lPaUk0VWtRelYweHRhRUpUUTBwUFZIRkViRzlWZG5wWlgwNVBTbTVQV1dKRmJuUTBRemRZVldWUVR6VTRJbjBzSW5CMWNuQnZjMlZ6SWpwYkltRjFkR2hsYm5ScFkyRjBhVzl1SWl3aVlYTnpaWEowYVc5dVRXVjBhRzlrSWwwc0luUjVjR1VpT2lKRlkyUnpZVk5sWTNBeU5UWnJNVlpsY21sbWFXTmhkR2x2Ymt0bGVUSXdNVGtpZlYwc0luTmxjblpwWTJWeklqcGJleUpwWkNJNklteHBibXRsWkdSdmJXRnBibk1pTENKelpYSjJhV05sUlc1a2NHOXBiblFpT25zaWIzSnBaMmx1Y3lJNld5Sm9kSFJ3Y3pvdkwzZDNkeTUyWTNOaGRHOXphR2t1WTI5dEx5SmRmU3dpZEhsd1pTSTZJa3hwYm10bFpFUnZiV0ZwYm5NaWZWMTlmVjBzSW5Wd1pHRjBaVU52YlcxcGRHMWxiblFpT2lKRmFVUjVTbHBhYlVGM2MxSlBTR056VGtSYVZDMXpOMnhhYkV4Q1gwWjViVFY2U0hCWVJWRXhWV0ZDY0RSM0luMHNJbk4xWm1acGVFUmhkR0VpT25zaVpHVnNkR0ZJWVhOb0lqb2lSV2xDYldSU1ExWjRUMU5WWm5WdVVtVjFVVGRhVmxGZlQzRXRlVFZETUd3d2RtOHRhelp3TUZFek1tSk9RU0lzSW5KbFkyOTJaWEo1UTI5dGJXbDBiV1Z1ZENJNklrVnBRVWwxTUVaUE1XbFVia0pUY3pJeWQzTlZaa3BaVldaRVZVZFJhMVJqTTE5bVJuSjRaVVZOWlhwZlpGRWlmWDAiLCJpc3MiOiJkaWQ6aW9uOkVpQ29QQUlDWFRiS0NJdldPQnA5NkxLSExRdUhrVmRscm1zWWV2WlBXOEFqV3c6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZGZPRFJsTldWbVkyTWlMQ0p3ZFdKc2FXTkxaWGxLZDJzaU9uc2lZM0oySWpvaWMyVmpjREkxTm1zeElpd2lhM1I1SWpvaVJVTWlMQ0o0SWpvaVJWZzVZemRSVjJ4MlprMU5kVVJRWnpsMFNqQjRXa1JMYW1SUVNqSkpPV2R1U210S2RVMXBZVnBpZHlJc0lua2lPaUk0VWtRelYweHRhRUpUUTBwUFZIRkViRzlWZG5wWlgwNVBTbTVQV1dKRmJuUTBRemRZVldWUVR6VTRJbjBzSW5CMWNuQnZjMlZ6SWpwYkltRjFkR2hsYm5ScFkyRjBhVzl1SWl3aVlYTnpaWEowYVc5dVRXVjBhRzlrSWwwc0luUjVjR1VpT2lKRlkyUnpZVk5sWTNBeU5UWnJNVlpsY21sbWFXTmhkR2x2Ymt0bGVUSXdNVGtpZlYwc0luTmxjblpwWTJWeklqcGJleUpwWkNJNklteHBibXRsWkdSdmJXRnBibk1pTENKelpYSjJhV05sUlc1a2NHOXBiblFpT25zaWIzSnBaMmx1Y3lJNld5Sm9kSFJ3Y3pvdkwzZDNkeTUyWTNOaGRHOXphR2t1WTI5dEx5SmRmU3dpZEhsd1pTSTZJa3hwYm10bFpFUnZiV0ZwYm5NaWZWMTlmVjBzSW5Wd1pHRjBaVU52YlcxcGRHMWxiblFpT2lKRmFVUjVTbHBhYlVGM2MxSlBTR056VGtSYVZDMXpOMnhhYkV4Q1gwWjViVFY2U0hCWVJWRXhWV0ZDY0RSM0luMHNJbk4xWm1acGVFUmhkR0VpT25zaVpHVnNkR0ZJWVhOb0lqb2lSV2xDYldSU1ExWjRUMU5WWm5WdVVtVjFVVGRhVmxGZlQzRXRlVFZETUd3d2RtOHRhelp3TUZFek1tSk9RU0lzSW5KbFkyOTJaWEo1UTI5dGJXbDBiV1Z1ZENJNklrVnBRVWwxTUVaUE1XbFVia0pUY3pJeWQzTlZaa3BaVldaRVZVZFJhMVJqTTE5bVJuSjRaVVZOWlhwZlpGRWlmWDAiLCJuYmYiOjE2MTU1MDM5OTIsImV4cCI6MjQwNDQyMjM5MiwidmMiOnsiQGNvbnRleHQiOlsiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiLCJodHRwczovL2lkZW50aXR5LmZvdW5kYXRpb24vLndlbGwta25vd24vY29udGV4dHMvZGlkLWNvbmZpZ3VyYXRpb24tdjAuMC5qc29ubGQiXSwiaXNzdWVyIjoiZGlkOmlvbjpFaUNvUEFJQ1hUYktDSXZXT0JwOTZMS0hMUXVIa1ZkbHJtc1lldlpQVzhBald3OmV5SmtaV3gwWVNJNmV5SndZWFJqYUdWeklqcGJleUpoWTNScGIyNGlPaUp5WlhCc1lXTmxJaXdpWkc5amRXMWxiblFpT25zaWNIVmliR2xqUzJWNWN5STZXM3NpYVdRaU9pSnphV2RmT0RSbE5XVm1ZMk1pTENKd2RXSnNhV05MWlhsS2Qyc2lPbnNpWTNKMklqb2ljMlZqY0RJMU5tc3hJaXdpYTNSNUlqb2lSVU1pTENKNElqb2lSVmc1WXpkUlYyeDJaazFOZFVSUVp6bDBTakI0V2tSTGFtUlFTakpKT1dkdVNtdEtkVTFwWVZwaWR5SXNJbmtpT2lJNFVrUXpWMHh0YUVKVFEwcFBWSEZFYkc5VmRucFpYMDVQU201UFdXSkZiblEwUXpkWVZXVlFUelU0SW4wc0luQjFjbkJ2YzJWeklqcGJJbUYxZEdobGJuUnBZMkYwYVc5dUlpd2lZWE56WlhKMGFXOXVUV1YwYUc5a0lsMHNJblI1Y0dVaU9pSkZZMlJ6WVZObFkzQXlOVFpyTVZabGNtbG1hV05oZEdsdmJrdGxlVEl3TVRraWZWMHNJbk5sY25acFkyVnpJanBiZXlKcFpDSTZJbXhwYm10bFpHUnZiV0ZwYm5NaUxDSnpaWEoyYVdObFJXNWtjRzlwYm5RaU9uc2liM0pwWjJsdWN5STZXeUpvZEhSd2N6b3ZMM2QzZHk1MlkzTmhkRzl6YUdrdVkyOXRMeUpkZlN3aWRIbHdaU0k2SWt4cGJtdGxaRVJ2YldGcGJuTWlmVjE5ZlYwc0luVndaR0YwWlVOdmJXMXBkRzFsYm5RaU9pSkZhVVI1U2xwYWJVRjNjMUpQU0dOelRrUmFWQzF6TjJ4YWJFeENYMFo1YlRWNlNIQllSVkV4VldGQ2NEUjNJbjBzSW5OMVptWnBlRVJoZEdFaU9uc2laR1ZzZEdGSVlYTm9Jam9pUldsQ2JXUlNRMVo0VDFOVlpuVnVVbVYxVVRkYVZsRmZUM0V0ZVRWRE1Hd3dkbTh0YXpad01GRXpNbUpPUVNJc0luSmxZMjkyWlhKNVEyOXRiV2wwYldWdWRDSTZJa1ZwUVVsMU1FWlBNV2xVYmtKVGN6SXlkM05WWmtwWlZXWkVWVWRSYTFSak0xOW1Sbko0WlVWTlpYcGZaRkVpZlgwIiwiaXNzdWFuY2VEYXRlIjoiMjAyMS0wMy0xMVQyMzowNjozMi4zNDdaIiwiZXhwaXJhdGlvbkRhdGUiOiIyMDQ2LTAzLTExVDIzOjA2OjMyLjM0N1oiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiRG9tYWluTGlua2FnZUNyZWRlbnRpYWwiXSwiY3JlZGVudGlhbFN1YmplY3QiOnsiaWQiOiJkaWQ6aW9uOkVpQ29QQUlDWFRiS0NJdldPQnA5NkxLSExRdUhrVmRscm1zWWV2WlBXOEFqV3c6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZGZPRFJsTldWbVkyTWlMQ0p3ZFdKc2FXTkxaWGxLZDJzaU9uc2lZM0oySWpvaWMyVmpjREkxTm1zeElpd2lhM1I1SWpvaVJVTWlMQ0o0SWpvaVJWZzVZemRSVjJ4MlprMU5kVVJRWnpsMFNqQjRXa1JMYW1SUVNqSkpPV2R1U210S2RVMXBZVnBpZHlJc0lua2lPaUk0VWtRelYweHRhRUpUUTBwUFZIRkViRzlWZG5wWlgwNVBTbTVQV1dKRmJuUTBRemRZVldWUVR6VTRJbjBzSW5CMWNuQnZjMlZ6SWpwYkltRjFkR2hsYm5ScFkyRjBhVzl1SWl3aVlYTnpaWEowYVc5dVRXVjBhRzlrSWwwc0luUjVjR1VpT2lKRlkyUnpZVk5sWTNBeU5UWnJNVlpsY21sbWFXTmhkR2x2Ymt0bGVUSXdNVGtpZlYwc0luTmxjblpwWTJWeklqcGJleUpwWkNJNklteHBibXRsWkdSdmJXRnBibk1pTENKelpYSjJhV05sUlc1a2NHOXBiblFpT25zaWIzSnBaMmx1Y3lJNld5Sm9kSFJ3Y3pvdkwzZDNkeTUyWTNOaGRHOXphR2t1WTI5dEx5SmRmU3dpZEhsd1pTSTZJa3hwYm10bFpFUnZiV0ZwYm5NaWZWMTlmVjBzSW5Wd1pHRjBaVU52YlcxcGRHMWxiblFpT2lKRmFVUjVTbHBhYlVGM2MxSlBTR056VGtSYVZDMXpOMnhhYkV4Q1gwWjViVFY2U0hCWVJWRXhWV0ZDY0RSM0luMHNJbk4xWm1acGVFUmhkR0VpT25zaVpHVnNkR0ZJWVhOb0lqb2lSV2xDYldSU1ExWjRUMU5WWm5WdVVtVjFVVGRhVmxGZlQzRXRlVFZETUd3d2RtOHRhelp3TUZFek1tSk9RU0lzSW5KbFkyOTJaWEo1UTI5dGJXbDBiV1Z1ZENJNklrVnBRVWwxTUVaUE1XbFVia0pUY3pJeWQzTlZaa3BaVldaRVZVZFJhMVJqTTE5bVJuSjRaVVZOWlhwZlpGRWlmWDAiLCJvcmlnaW4iOiJodHRwczovL3d3dy52Y3NhdG9zaGkuY29tLyJ9fX0.N6h3bUkpgu-NzVSTenquiJdwiXEARAXXyCU_jV0l0_wFEAv9l5-g25SQqKzl1oS0GdW5zN9Z8Fqo8_6Hx9u0FA"
  ]
}

§ Requesting Verifiable Credentials

A Specific VC type MUST be requested using Presentation Exchange syntax in the Self-Issued OP request as defined in section 8 of OpenID4VP ID1. presentation_definition property defined in Presentation Exchange MUST be included in a vp_token property as defined in OpenID4VP ID1, which MUST be included in a claims parameter defined in OIDC.

Below is a non-normative example of a claims parameter:

{
  "claims": {
    "vp_token": {
      "presentation_definition": {
        "id": "c278823a-f9d7-4a22-9a73-4a1bcd87f60e",
        "input_descriptors": [
          {
            "id": "InteropExampleVC",
            "name": "InteropExampleVC",
            "purpose": "We need to verify that you have a valid InteropExampleVC Verifiable Credential.",
            "schema": [
              {
                "uri": "InteropExampleVC"
              }
            ]
          }
        ]
      }
    }
  }
}

When the Self-Issued OP displays the consent screen to the user, it is RECOMMENDED to display the domain name obtained using Linked Domains. Displaying details of the consent using registration parameters such as client_name, logo_uri, and client_purpose defined in Registration Metadata is OPTIONAL.

Note that displaying the domain name of the Verifier/RP helps the End-users to identify malicious Verifiers/RPs who has copied registration parameters of good Verifiers/OP and are impersonating them.

§ Authorization Response

Authorization Response is sent as an HTTPS POST request to the RP’s endpoint indicated in redirect_uri in the request.

Note that when this response_mode is used, the user will finish the transaction on the device with a Self-Issued OP, which is a different device than on which the user initiated a request. It is up to the implementations to enable further user interaction with the Verifier/RP on the device used to initiate the request.

§ Structure of Authentication Response

Since requested VCs are returned in a VP Token, two artifacts MUST be returned:

  1. ID Token that serves as an authentication receipt and includes metadata about the VP Token
  2. VP Token that includes one or more Verifiable Presentations

presentation_submission object located inside an ID Token specifies metadata such as format and path of both VPs and VCs in the VP Token.

This profile currently supports including only a single VP in the VP Token. In such cases, as defined in section 5.2 of OpenID4VP ID1, when the Self-Issued OP returns a single VP in the vp_token, VP Token is not an array, and a single VP is passed as a vp_token. In this case, the descriptor map would contain a simple path expression “$”.

Note that when in the future use-cases multiple VPs are included in the VP Token, VP Token itself is not signed, and each VP included inside the VP Token MUST be signed.

This profile currently assumes that ID Token and a single VP passed as a VP Token are signed by the same Holder DID.

Note that a Holder DID signing the ID Token in its sub claim is user’s identifier within the RP/Verifier, while a Holder DID signing a VP in its iss claim is user’s identifier within the Issuer, and the two do not have the same connotation.

§ ID Token Validation

ID Token validation rules defined in section 10 of SIOPv2 ID1 MUST be followed. The ID Token MUST be signed by the End-User’s DID.

§ ID Token example

Below is a non-normative example of an ID Token:

EXAMPLE
{
    "alg": "ES256K",
    "kid": "did:ion:EiAN0g6ahFl9GuP2uVRJMj4n6EJfvp9B_CfuOipsl1kbng:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWduIiwicHVibGljS2V5SndrIjp7ImNydiI6InNlY3AyNTZrMSIsImt0eSI6IkVDIiwieCI6InBEd1JSbHpSNjJQU1RaR20tYTlwemh0X1NUZnBrb21ZOXliWGJLQXBqTHciLCJ5IjoiNmFUM3RkRXlTaWFtcWQ3YjFpaG5LMW5wR2p2cHA4QnBfYnp4ZWtaS2JZRSJ9LCJwdXJwb3NlcyI6WyJhdXRoZW50aWNhdGlvbiJdLCJ0eXBlIjoiRWNkc2FTZWNwMjU2azFWZXJpZmljYXRpb25LZXkyMDE5In1dfX1dLCJ1cGRhdGVDb21taXRtZW50IjoiRWlEbWlXQ3ZkWHNUajVpTUROX3NOVGxKakdaRmxfcklpd2VkMURic004a2JmZyJ9LCJzdWZmaXhEYXRhIjp7ImRlbHRhSGFzaCI6IkVpQ0ludDZlTFNMcGsyaGNwb3RrUHFmQUxTU2pjMEw0Y3Z0aEJGNFg1UXV1REEiLCJyZWNvdmVyeUNvbW1pdG1lbnQiOiJFaUNIeFFkSk5qYUtvS2gybklDY0w4ZTcyZTBkdVJGdUVVcWM2YVpfZnhkdGxBIn19#sign",
    "typ": "JWT"
  }.{
    "sub": "did:ion:EiAN0g6ahFl9GuP2uVRJMj4n6EJfvp9B_CfuOipsl1kbng:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWduIiwicHVibGljS2V5SndrIjp7ImNydiI6InNlY3AyNTZrMSIsImt0eSI6IkVDIiwieCI6InBEd1JSbHpSNjJQU1RaR20tYTlwemh0X1NUZnBrb21ZOXliWGJLQXBqTHciLCJ5IjoiNmFUM3RkRXlTaWFtcWQ3YjFpaG5LMW5wR2p2cHA4QnBfYnp4ZWtaS2JZRSJ9LCJwdXJwb3NlcyI6WyJhdXRoZW50aWNhdGlvbiJdLCJ0eXBlIjoiRWNkc2FTZWNwMjU2azFWZXJpZmljYXRpb25LZXkyMDE5In1dfX1dLCJ1cGRhdGVDb21taXRtZW50IjoiRWlEbWlXQ3ZkWHNUajVpTUROX3NOVGxKakdaRmxfcklpd2VkMURic004a2JmZyJ9LCJzdWZmaXhEYXRhIjp7ImRlbHRhSGFzaCI6IkVpQ0ludDZlTFNMcGsyaGNwb3RrUHFmQUxTU2pjMEw0Y3Z0aEJGNFg1UXV1REEiLCJyZWNvdmVyeUNvbW1pdG1lbnQiOiJFaUNIeFFkSk5qYUtvS2gybklDY0w4ZTcyZTBkdVJGdUVVcWM2YVpfZnhkdGxBIn19",
    "nonce": "O1mZGnuet++Ilg2c1jR4jA==",
    "_vp_token": {
      "presentation_submission": {
        "id": "8af49176-21ff-4e53-a568-081696aa549c",
        "definition_id": "c278823a-f9d7-4a22-9a73-4a1bcd87f60e",
        "descriptor_map": [
          {
            "id": "InteropExampleVC",
            "format": "jwt_vp",
            "path": "$",
            "path_nested": {
              "id": "InteropExampleVC",
              "format": "jwt_vc",
              "path": "$.verifiableCredential[0]"
            }
          }
        ]
      }
    },
    "aud": "did:ion:EiAv0eJ5cB0hGWVH5YbY-uw1K71EpOST6ztueEQzVCEc0A:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfY2FiNjVhYTAiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiOG15MHFKUGt6OVNRRTkyRTlmRFg4ZjJ4bTR2X29ZMXdNTEpWWlQ1SzhRdyIsInkiOiIxb0xsVG5rNzM2RTNHOUNNUTh3WjJQSlVBM0phVnY5VzFaVGVGSmJRWTFFIn0sInB1cnBvc2VzIjpbImF1dGhlbnRpY2F0aW9uIiwiYXNzZXJ0aW9uTWV0aG9kIl0sInR5cGUiOiJFY2RzYVNlY3AyNTZrMVZlcmlmaWNhdGlvbktleTIwMTkifV0sInNlcnZpY2VzIjpbeyJpZCI6ImxpbmtlZGRvbWFpbnMiLCJzZXJ2aWNlRW5kcG9pbnQiOnsib3JpZ2lucyI6WyJodHRwczovL3N3ZWVwc3Rha2VzLmRpZC5taWNyb3NvZnQuY29tLyJdfSwidHlwZSI6IkxpbmtlZERvbWFpbnMifV19fV0sInVwZGF0ZUNvbW1pdG1lbnQiOiJFaUFwcmVTNy1Eczh5MDFnUzk2cE5iVnpoRmYxUlpvblZ3UkswbG9mZHdOZ2FBIn0sInN1ZmZpeERhdGEiOnsiZGVsdGFIYXNoIjoiRWlEMWRFdUVldERnMnhiVEs0UDZVTTNuWENKVnFMRE11M29IVWNMamtZMWFTdyIsInJlY292ZXJ5Q29tbWl0bWVudCI6IkVpREFkSzFWNkpja1BpY0RBcGFxV2IyZE95MFRNcmJKTmllNmlKVzk4Zk54bkEifX0",
    "iss": "https://self-issued.me/v2/openid-vc",
    "iat": 1646308737,
    "exp": 1646769537
  }.[Signature]

§ VP Token example

Below is a non-normative example of a Base64URL encoded VP Token:

EXAMPLE
eyJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6aW9uOkVpQU4wZzZhaEZsOUd1UDJ1VlJKTWo0bjZFSmZ2cDlCX0NmdU9pcHNsMWtibmc6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZHVJaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbXQwZVNJNklrVkRJaXdpZUNJNkluQkVkMUpTYkhwU05qSlFVMVJhUjIwdFlUbHdlbWgwWDFOVVpuQnJiMjFaT1hsaVdHSkxRWEJxVEhjaUxDSjVJam9pTm1GVU0zUmtSWGxUYVdGdGNXUTNZakZwYUc1TE1XNXdSMnAyY0hBNFFuQmZZbnA0Wld0YVMySlpSU0o5TENKd2RYSndiM05sY3lJNld5SmhkWFJvWlc1MGFXTmhkR2x2YmlKZExDSjBlWEJsSWpvaVJXTmtjMkZUWldOd01qVTJhekZXWlhKcFptbGpZWFJwYjI1TFpYa3lNREU1SW4xZGZYMWRMQ0oxY0dSaGRHVkRiMjF0YVhSdFpXNTBJam9pUldsRWJXbFhRM1prV0hOVWFqVnBUVVJPWDNOT1ZHeEtha2RhUm14ZmNrbHBkMlZrTVVSaWMwMDRhMkptWnlKOUxDSnpkV1ptYVhoRVlYUmhJanA3SW1SbGJIUmhTR0Z6YUNJNklrVnBRMGx1ZERabFRGTk1jR3N5YUdOd2IzUnJVSEZtUVV4VFUycGpNRXcwWTNaMGFFSkdORmcxVVhWMVJFRWlMQ0p5WldOdmRtVnllVU52YlcxcGRHMWxiblFpT2lKRmFVTkllRkZrU2s1cVlVdHZTMmd5YmtsRFkwdzRaVGN5WlRCa2RWSkdkVVZWY1dNMllWcGZabmhrZEd4QkluMTkjc2lnbiIsInR5cCI6IkpXVCJ9.eyJub25jZSI6Ik8xbVpHbnVldCsrSWxnMmMxalI0akE9PSIsInZwIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sInR5cGUiOlsiVmVyaWZpYWJsZVByZXNlbnRhdGlvbiJdLCJ2ZXJpZmlhYmxlQ3JlZGVudGlhbCI6WyJleUpoYkdjaU9pSkZVekkxTmtzaUxDSnJhV1FpT2lKa2FXUTZhVzl1T2tWcFJEZE5PRkpaYmxWMWFYSXlZbTB5TVhWMUxUVlpiVmRqY1hGUlJXbGxMVlF0YWxsRlQwVkNaVVZYU2xFNlpYbEthMXBYZURCWlUwazJaWGxLZDFsWVVtcGhSMVo2U1dwd1ltVjVTbWhaTTFKd1lqSTBhVTlwU25sYVdFSnpXVmRPYkVscGQybGFSemxxWkZjeGJHSnVVV2xQYm5OcFkwaFdhV0pIYkdwVE1sWTFZM2xKTmxjemMybGhWMUZwVDJsS2VtRlhaSFZKYVhkcFkwaFdhV0pIYkdwVE1sWTFVMjVrY2tscWNEZEpiVTU1WkdsSk5rbHVUbXhaTTBGNVRsUmFjazFUU1hOSmJYUXdaVk5KTmtsclZrUkphWGRwWlVOSk5rbHVUbTVoYldoVVpGWkdjMXByWkZsV2FtY3hVV3hXVTFkclp6VmhSWFJSVWpKU2FGUkVVbXhaYldSVFRqQmtSVkpGVWtaaWEwcDBaVmhOYVV4RFNqVkphbTlwVWtkM05Gb3paSEZoZWxKUVRqSm9OV05FVm5GV2FscHFWV3BHUTFRemJEQmxiRGxVVTFWYWRFNHdiR3BYVld4elRGaENjV1F4U2xWV1UwbzVURU5LZDJSWVNuZGlNMDVzWTNsSk5sZDVTbWhrV0ZKdldsYzFNR0ZYVG1oa1IyeDJZbWxLWkV4RFNqQmxXRUpzU1dwdmFWSlhUbXRqTWtaVVdsZE9kMDFxVlRKaGVrWlhXbGhLY0ZwdGJHcFpXRkp3WWpJMVRGcFlhM2xOUkVVMVNXNHhaR1pZTVdSTVEwb3hZMGRTYUdSSFZrUmlNakYwWVZoU2RGcFhOVEJKYW05cFVsZHNRbFZxV2xkaWFteElaVWRLYVZOR2FFVmpSRUp2V21wc05rNVdPVnBVTTJkNlkwWkthRnBYWkRWTVZrWlZaRVZ3TTFscVRrUmpWV1JEWkhsS09VeERTbnBrVjFwdFlWaG9SVmxZVW1oSmFuQTNTVzFTYkdKSVVtaFRSMFo2WVVOSk5rbHJWbkJSTURWb1lrUmFXVlZ1VmpWV2FrWnJXREp3TWxWc1drVmliWEJHVkZoT2NWTlZTa3hhYWtVeVZucFplR1JFUmpKamJtUlBXakZSZEdKV1JXbE1RMHA1V2xkT2RtUnRWbmxsVlU1MllsY3hjR1JITVd4aWJsRnBUMmxLUm1GVlNtOVBWMUp5VTBSQ1JXUldXazlWUjJONVZHNUtiVmRwTUhwYU1VSnRXWHBhV0Zac09VTk9NMlJQV2pGb1RscFhiRUpsYTNoQ1lVUkdia2x1TVRramMybG5iaUlzSW5SNWNDSTZJa3BYVkNKOS5leUp6ZFdJaU9pSmthV1E2YVc5dU9rVnBRVTR3WnpaaGFFWnNPVWQxVURKMVZsSktUV28wYmpaRlNtWjJjRGxDWDBObWRVOXBjSE5zTVd0aWJtYzZaWGxLYTFwWGVEQlpVMGsyWlhsS2QxbFlVbXBoUjFaNlNXcHdZbVY1U21oWk0xSndZakkwYVU5cFNubGFXRUp6V1ZkT2JFbHBkMmxhUnpscVpGY3hiR0p1VVdsUGJuTnBZMGhXYVdKSGJHcFRNbFkxWTNsSk5sY3pjMmxoVjFGcFQybEtlbUZYWkhWSmFYZHBZMGhXYVdKSGJHcFRNbFkxVTI1a2NrbHFjRGRKYlU1NVpHbEpOa2x1VG14Wk0wRjVUbFJhY2sxVFNYTkpiWFF3WlZOSk5rbHJWa1JKYVhkcFpVTkpOa2x1UWtWa01VcFRZa2h3VTA1cVNsRlZNVkpoVWpJd2RGbFViSGRsYldnd1dERk9WVnB1UW5KaU1qRmFUMWhzYVZkSFNreFJXRUp4VkVoamFVeERTalZKYW05cFRtMUdWVTB6VW10U1dHeFVZVmRHZEdOWFVUTlpha1p3WVVjMVRFMVhOWGRTTW5BeVkwaEJORkZ1UW1aWmJuQTBXbGQwWVZNeVNscFNVMG81VEVOS2QyUllTbmRpTTA1c1kzbEpObGQ1U21oa1dGSnZXbGMxTUdGWFRtaGtSMngyWW1sS1pFeERTakJsV0VKc1NXcHZhVkpYVG10ak1rWlVXbGRPZDAxcVZUSmhla1pYV2xoS2NGcHRiR3BaV0ZKd1lqSTFURnBZYTNsTlJFVTFTVzR4WkdaWU1XUk1RMG94WTBkU2FHUkhWa1JpTWpGMFlWaFNkRnBYTlRCSmFtOXBVbGRzUldKWGJGaFJNMXByVjBoT1ZXRnFWbkJVVlZKUFdETk9UMVpIZUV0aGEyUmhVbTE0Wm1OcmJIQmtNbFpyVFZWU2FXTXdNRFJoTWtwdFdubEtPVXhEU25wa1YxcHRZVmhvUlZsWVVtaEphbkEzU1cxU2JHSklVbWhUUjBaNllVTkpOa2xyVm5CUk1HeDFaRVJhYkZSR1RrMWpSM041WVVkT2QySXpVbkpWU0VadFVWVjRWRlV5Y0dwTlJYY3dXVE5hTUdGRlNrZE9SbWN4VlZoV01WSkZSV2xNUTBwNVdsZE9kbVJ0Vm5sbFZVNTJZbGN4Y0dSSE1XeGlibEZwVDJsS1JtRlZUa2xsUmtaclUyczFjVmxWZEhaVE1tZDVZbXRzUkZrd2R6UmFWR041V2xSQ2EyUldTa2RrVlZaV1kxZE5NbGxXY0daYWJtaHJaRWQ0UWtsdU1Ua2lMQ0pxZEdraU9pSXlOVFZoTTJNM05pMWhOVEl5TFRRME1XSXRZVEEwTVMxbU16Sm1abU5qWkRGak16UWlMQ0oyWXlJNmV5SkFZMjl1ZEdWNGRDSTZXeUpvZEhSd2N6b3ZMM2QzZHk1M015NXZjbWN2TWpBeE9DOWpjbVZrWlc1MGFXRnNjeTkyTVNKZExDSjBlWEJsSWpwYklsWmxjbWxtYVdGaWJHVkRjbVZrWlc1MGFXRnNJaXdpU1c1MFpYSnZjRVY0WVcxd2JHVldReUpkTENKamNtVmtaVzUwYVdGc1UzVmlhbVZqZENJNmV5Sk1hV0p5WVhKNUlFNWhiV1VpT2lKWGIyOWtaM0p2ZG1VZ1RHbGljbUZ5ZVNJc0lrMWxiV0psY2tsa0lqb2lPVFF6T0RVMk1qQTRJbjBzSW1OeVpXUmxiblJwWVd4VGRHRjBkWE1pT25zaWFXUWlPaUoxY200NmRYVnBaRG8zWm1GalpqUXhZeTB4WkdNMUxUUTRObUl0T0RkbE5pMDFPRGRrTURFMVpUYzJaRGNfWW1sMExXbHVaR1Y0UFRFd0lpd2lkSGx3WlNJNklsSmxkbTlqWVhScGIyNU1hWE4wTWpBeU1WTjBZWFIxY3lJc0luTjBZWFIxYzB4cGMzUkpibVJsZUNJNklqRXdJaXdpYzNSaGRIVnpUR2x6ZEVOeVpXUmxiblJwWVd3aU9pSmthV1E2YVc5dU9rVnBSRGROT0ZKWmJsVjFhWEl5WW0weU1YVjFMVFZaYlZkamNYRlJSV2xsTFZRdGFsbEZUMFZDWlVWWFNsRTZaWGxLYTFwWGVEQlpVMGsyWlhsS2QxbFlVbXBoUjFaNlNXcHdZbVY1U21oWk0xSndZakkwYVU5cFNubGFXRUp6V1ZkT2JFbHBkMmxhUnpscVpGY3hiR0p1VVdsUGJuTnBZMGhXYVdKSGJHcFRNbFkxWTNsSk5sY3pjMmxoVjFGcFQybEtlbUZYWkhWSmFYZHBZMGhXYVdKSGJHcFRNbFkxVTI1a2NrbHFjRGRKYlU1NVpHbEpOa2x1VG14Wk0wRjVUbFJhY2sxVFNYTkpiWFF3WlZOSk5rbHJWa1JKYVhkcFpVTkpOa2x1VG01aGJXaFVaRlpHYzFwclpGbFdhbWN4VVd4V1UxZHJaelZoUlhSUlVqSlNhRlJFVW14WmJXUlRUakJrUlZKRlVrWmlhMHAwWlZoTmFVeERTalZKYW05cFVrZDNORm96WkhGaGVsSlFUakpvTldORVZuRldhbHBxVldwR1ExUXpiREJsYkRsVVUxVmFkRTR3YkdwWFZXeHpURmhDY1dReFNsVldVMG81VEVOS2QyUllTbmRpTTA1c1kzbEpObGQ1U21oa1dGSnZXbGMxTUdGWFRtaGtSMngyWW1sS1pFeERTakJsV0VKc1NXcHZhVkpYVG10ak1rWlVXbGRPZDAxcVZUSmhla1pYV2xoS2NGcHRiR3BaV0ZKd1lqSTFURnBZYTNsTlJFVTFTVzR4WkdaWU1XUk1RMG94WTBkU2FHUkhWa1JpTWpGMFlWaFNkRnBYTlRCSmFtOXBVbGRzUWxWcVdsZGlhbXhJWlVkS2FWTkdhRVZqUkVKdldtcHNOazVXT1ZwVU0yZDZZMFpLYUZwWFpEVk1Wa1pWWkVWd00xbHFUa1JqVldSRFpIbEtPVXhEU25wa1YxcHRZVmhvUlZsWVVtaEphbkEzU1cxU2JHSklVbWhUUjBaNllVTkpOa2xyVm5CUk1EVm9Za1JhV1ZWdVZqVldha1pyV0RKd01sVnNXa1ZpYlhCR1ZGaE9jVk5WU2t4YWFrVXlWbnBaZUdSRVJqSmpibVJQV2pGUmRHSldSV2xNUTBwNVdsZE9kbVJ0Vm5sbFZVNTJZbGN4Y0dSSE1XeGlibEZwVDJsS1JtRlZTbTlQVjFKeVUwUkNSV1JXV2s5VlIyTjVWRzVLYlZkcE1IcGFNVUp0V1hwYVdGWnNPVU5PTTJSUFdqRm9UbHBYYkVKbGEzaENZVVJHYmtsdU1Ua19jMlZ5ZG1salpUMUpaR1Z1ZEdsMGVVaDFZaVp4ZFdWeWFXVnpQVmN6YzJsaVYxWXdZVWM1YTBscWIybFJNamx6WWtkV2FtUkhiSFppYms1U1pGZFdlV1ZUU1hOSmJrNXFZVWRXZEZsVFNUWkpiV2d3WkVoQ2VrOXBPSFprZWs1d1drTTFkbU50WTNaa2JVMTBZek5TYUdSSVZucE1WM2h3WXpOUmRFMXFRWGxOVXpreVRWTkpjMGx0T1dsaGJWWnFaRVZzYTBscWIybGFhbXhxV1ZSR2JVNUVRWFJQUkdjd1RsTXdNRTVYUlRGTVZHZDNUbGRaZEZsNlNteE9WMHBxVGtSYWFFNHlTVFZKYmpGa0luMTlMQ0pwYzNNaU9pSmthV1E2YVc5dU9rVnBSRGROT0ZKWmJsVjFhWEl5WW0weU1YVjFMVFZaYlZkamNYRlJSV2xsTFZRdGFsbEZUMFZDWlVWWFNsRTZaWGxLYTFwWGVEQlpVMGsyWlhsS2QxbFlVbXBoUjFaNlNXcHdZbVY1U21oWk0xSndZakkwYVU5cFNubGFXRUp6V1ZkT2JFbHBkMmxhUnpscVpGY3hiR0p1VVdsUGJuTnBZMGhXYVdKSGJHcFRNbFkxWTNsSk5sY3pjMmxoVjFGcFQybEtlbUZYWkhWSmFYZHBZMGhXYVdKSGJHcFRNbFkxVTI1a2NrbHFjRGRKYlU1NVpHbEpOa2x1VG14Wk0wRjVUbFJhY2sxVFNYTkpiWFF3WlZOSk5rbHJWa1JKYVhkcFpVTkpOa2x1VG01aGJXaFVaRlpHYzFwclpGbFdhbWN4VVd4V1UxZHJaelZoUlhSUlVqSlNhRlJFVW14WmJXUlRUakJrUlZKRlVrWmlhMHAwWlZoTmFVeERTalZKYW05cFVrZDNORm96WkhGaGVsSlFUakpvTldORVZuRldhbHBxVldwR1ExUXpiREJsYkRsVVUxVmFkRTR3YkdwWFZXeHpURmhDY1dReFNsVldVMG81VEVOS2QyUllTbmRpTTA1c1kzbEpObGQ1U21oa1dGSnZXbGMxTUdGWFRtaGtSMngyWW1sS1pFeERTakJsV0VKc1NXcHZhVkpYVG10ak1rWlVXbGRPZDAxcVZUSmhla1pYV2xoS2NGcHRiR3BaV0ZKd1lqSTFURnBZYTNsTlJFVTFTVzR4WkdaWU1XUk1RMG94WTBkU2FHUkhWa1JpTWpGMFlWaFNkRnBYTlRCSmFtOXBVbGRzUWxWcVdsZGlhbXhJWlVkS2FWTkdhRVZqUkVKdldtcHNOazVXT1ZwVU0yZDZZMFpLYUZwWFpEVk1Wa1pWWkVWd00xbHFUa1JqVldSRFpIbEtPVXhEU25wa1YxcHRZVmhvUlZsWVVtaEphbkEzU1cxU2JHSklVbWhUUjBaNllVTkpOa2xyVm5CUk1EVm9Za1JhV1ZWdVZqVldha1pyV0RKd01sVnNXa1ZpYlhCR1ZGaE9jVk5WU2t4YWFrVXlWbnBaZUdSRVJqSmpibVJQV2pGUmRHSldSV2xNUTBwNVdsZE9kbVJ0Vm5sbFZVNTJZbGN4Y0dSSE1XeGlibEZwVDJsS1JtRlZTbTlQVjFKeVUwUkNSV1JXV2s5VlIyTjVWRzVLYlZkcE1IcGFNVUp0V1hwYVdGWnNPVU5PTTJSUFdqRm9UbHBYYkVKbGEzaENZVVJHYmtsdU1Ua2lMQ0pwWVhRaU9qRTJORFl6TURnM016Y3NJbTVpWmlJNk1UWTBOak13T0Rjek55d2laWGh3SWpveE5qYzNPRGN6TlRNM2ZRLnBvbjlqMnhrVkJBQXM3TklQSjJ5MmdEVUU2Z0R3djZxMnB1ZnVSeTA1NnRwdmdYM2xDM3JZc2tJclVGSGwwZXNZWGFMNnFrVUhYQnY2SkFaWG5weVh3Il19LCJhdWQiOiJkaWQ6aW9uOkVpQXYwZUo1Y0IwaEdXVkg1WWJZLXV3MUs3MUVwT1NUNnp0dWVFUXpWQ0VjMEE6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZGZZMkZpTmpWaFlUQWlMQ0p3ZFdKc2FXTkxaWGxLZDJzaU9uc2lZM0oySWpvaWMyVmpjREkxTm1zeElpd2lhM1I1SWpvaVJVTWlMQ0o0SWpvaU9HMTVNSEZLVUd0Nk9WTlJSVGt5UlRsbVJGZzRaako0YlRSMlgyOVpNWGROVEVwV1dsUTFTemhSZHlJc0lua2lPaUl4YjB4c1ZHNXJOek0yUlROSE9VTk5VVGgzV2pKUVNsVkJNMHBoVm5ZNVZ6RmFWR1ZHU21KUldURkZJbjBzSW5CMWNuQnZjMlZ6SWpwYkltRjFkR2hsYm5ScFkyRjBhVzl1SWl3aVlYTnpaWEowYVc5dVRXVjBhRzlrSWwwc0luUjVjR1VpT2lKRlkyUnpZVk5sWTNBeU5UWnJNVlpsY21sbWFXTmhkR2x2Ymt0bGVUSXdNVGtpZlYwc0luTmxjblpwWTJWeklqcGJleUpwWkNJNklteHBibXRsWkdSdmJXRnBibk1pTENKelpYSjJhV05sUlc1a2NHOXBiblFpT25zaWIzSnBaMmx1Y3lJNld5Sm9kSFJ3Y3pvdkwzTjNaV1Z3YzNSaGEyVnpMbVJwWkM1dGFXTnliM052Wm5RdVkyOXRMeUpkZlN3aWRIbHdaU0k2SWt4cGJtdGxaRVJ2YldGcGJuTWlmVjE5ZlYwc0luVndaR0YwWlVOdmJXMXBkRzFsYm5RaU9pSkZhVUZ3Y21WVE55MUVjemg1TURGblV6azJjRTVpVm5wb1JtWXhVbHB2YmxaM1Vrc3diRzltWkhkT1oyRkJJbjBzSW5OMVptWnBlRVJoZEdFaU9uc2laR1ZzZEdGSVlYTm9Jam9pUldsRU1XUkZkVVZsZEVSbk1uaGlWRXMwVURaVlRUTnVXRU5LVm5GTVJFMTFNMjlJVldOTWFtdFpNV0ZUZHlJc0luSmxZMjkyWlhKNVEyOXRiV2wwYldWdWRDSTZJa1ZwUkVGa1N6RldOa3BqYTFCcFkwUkJjR0Z4VjJJeVpFOTVNRlJOY21KS1RtbGxObWxLVnprNFprNTRia0VpZlgwIiwiaXNzIjoiZGlkOmlvbjpFaUFOMGc2YWhGbDlHdVAydVZSSk1qNG42RUpmdnA5Ql9DZnVPaXBzbDFrYm5nOmV5SmtaV3gwWVNJNmV5SndZWFJqYUdWeklqcGJleUpoWTNScGIyNGlPaUp5WlhCc1lXTmxJaXdpWkc5amRXMWxiblFpT25zaWNIVmliR2xqUzJWNWN5STZXM3NpYVdRaU9pSnphV2R1SWl3aWNIVmliR2xqUzJWNVNuZHJJanA3SW1OeWRpSTZJbk5sWTNBeU5UWnJNU0lzSW10MGVTSTZJa1ZESWl3aWVDSTZJbkJFZDFKU2JIcFNOakpRVTFSYVIyMHRZVGx3ZW1oMFgxTlVabkJyYjIxWk9YbGlXR0pMUVhCcVRIY2lMQ0o1SWpvaU5tRlVNM1JrUlhsVGFXRnRjV1EzWWpGcGFHNUxNVzV3UjJwMmNIQTRRbkJmWW5wNFpXdGFTMkpaUlNKOUxDSndkWEp3YjNObGN5STZXeUpoZFhSb1pXNTBhV05oZEdsdmJpSmRMQ0owZVhCbElqb2lSV05rYzJGVFpXTndNalUyYXpGV1pYSnBabWxqWVhScGIyNUxaWGt5TURFNUluMWRmWDFkTENKMWNHUmhkR1ZEYjIxdGFYUnRaVzUwSWpvaVJXbEViV2xYUTNaa1dITlVhalZwVFVST1gzTk9WR3hLYWtkYVJteGZja2xwZDJWa01VUmljMDA0YTJKbVp5SjlMQ0p6ZFdabWFYaEVZWFJoSWpwN0ltUmxiSFJoU0dGemFDSTZJa1ZwUTBsdWREWmxURk5NY0dzeWFHTndiM1JyVUhGbVFVeFRVMnBqTUV3MFkzWjBhRUpHTkZnMVVYVjFSRUVpTENKeVpXTnZkbVZ5ZVVOdmJXMXBkRzFsYm5RaU9pSkZhVU5JZUZGa1NrNXFZVXR2UzJneWJrbERZMHc0WlRjeVpUQmtkVkpHZFVWVmNXTTJZVnBmWm5oa2RHeEJJbjE5IiwiaWF0IjoxNjQ2MzA4NzM3LCJuYmYiOjE2NDYzMDg3MzcsImV4cCI6MTY0Njc2OTUzN30.BmifPHKuRPMpqbU6NnV6n0D1kNqg72l8e1dy4Ju0VBwEGr6XESBpLgymPOgy0CtzWQop2CxoXdGiHnTvAIlc5Q&state=djEDnND6B/1xbrpZ1AiC+YTLcD88eDcEoE5jrZLk/4XIYyQHuvyy5xVZM5Hs7HL31DfgdS9CJt8Je8su8cHrWDGr0dQcFlYN4mEJV3HVo1M9u6x/iBNzJ5coOG2nyVs+FhFOuNGtKfRp+KzecA2CYRHKzGNiTZxCI1/9s2thWFs+sEvJcHhdkreM97v6zafUocl1nnVHEDA4zJ7KSpZB4tRyabSO26HxTgWesQwoIE2T+qOTQvs48lSRHfXnK7BBHA4SK2+Kmz5ypdn/RSqng+2v81vBdkewSXihbErnmk5rtnxRLyqCUaf/DUDfzrq8I/HOCUrGH91EBzFgW2T7qI08dfO8u7zayGjfvvOkYJrxSo+Aum/IWFXWYHLydho/9NzNEhW33/9O9rQ95MmNX9t/juRzi/RjR6ZEKMYUkzpIktlOzGInRq4/Ycfxn8YP3T14dMWMU6KTsYABXpcnJ8h/NNp51h13lxke1ZmwmU36PUYjqByDZ75d3I39hH4++lJJyESr9sFi2OiF1jRPxyAJgfNPq+j962I/N9z7kkA/E+1tEVj+kVqZ18hU9rIdmfudjewo+mFFTnh7yAqZUWiqC018TUs/m+Ei4OrxHCll67js6R74IkUF3zBuxOrCrXrPJxdvM8xcFyVkXQpPvRVSmgS9QwjD6Ug7vIG1dyn6O8/ocQ6L5DZP6CM3O77TOB10wRF8jhDwWLZ3zR8RWsO4o4S3BwPy1W4iG9IIQXYE7vFBI2Z4AGyC1WSvnyDEVhEZEGnxkkwuT+jIU/Eti70DSB1FiaJcfvrUNqDdBfX6a387QDGPEmWoY7Jt128gdDhLvjG81DzCTot3GZfRsa6RDP5Cnbafu0LnGX8exf332L3nt1V8MPJTOaIvWtce0rVy9hqALisAdwlgQ74QDVqNCWgTurZdVd9z0hR+xau+WNIi6laUt6ROYQijuhVbtFzdyl/P141ezTk/Pn3eOSWPdM1tXHTE1CfJkb03cp22leMI1qRk6F3MmpiAhhF5CIMTUKyQ4d7wulTIFZimoxoIGd+Ji8WDKjl7x/2u72pR+L259WisTW95kO7g/RUOrOg2mgj9tC3xD+5icn6GS9zY4YDuFx+0XIdzgzteNdiTbpkCYhmMaYRiKv8IDJmuLK1cCDLyOSmjksJdfyrIA21/uRYU+3BKKCcaQbzCO2x81xNoSiL3P/vp5qXwigxmFOG7ZHqcNhSjxeTJJ7jijegW+GevNPo36Y5f0vLjo1HOroNdfPw6hjb783/d6h0ZFiQxNy8tDCY5q+WxBL1j6NSLFgkYJ3aBYXmQkfLMpMRTmfOeBxlBvReuU52YI/q0Suya/FVfcjZjf2by/I60Guu4ZySVv3eZVZju7K/OclViZT8zOkS7QAYlgehqVrYBWcGfTYEc95UIIdXgB+ReCGB0EoFjmWjkb1Gt09jP4bZP/fl/vaMZzBqSrjPo34jgO4ZB5a1pZOB0nugZhypfUVFv1pAmITszIsksHfyL2KMeVsSfPhkXY+93t2OB3L48pbvJSfAFjzUMRhRzy/SzRzHb39dXbQV/FmtW5rEIYEcudJurFdKAvQnk36bHxwCDCRkzquZuv9PzdH9woQMJDze1KS0KtTPU4EXkcYTFezn1uuw8IbbZxHU0EUf9VXN3hKOKSBMlLTLuZoDJiERNsVPm8S/9lL6/iHvP9zzvp9Zloj3eytJ5jmGVjROjnM+YCKP5IMy3y/BTq1WlQVixVLki6euMlR8PLdRICPDXNYRt

Below is a non-normative example of a decoded VP Token:

EXAMPLE
{
  "alg": "ES256K",
  "kid": "did:ion:EiAN0g6ahFl9GuP2uVRJMj4n6EJfvp9B_CfuOipsl1kbng:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWduIiwicHVibGljS2V5SndrIjp7ImNydiI6InNlY3AyNTZrMSIsImt0eSI6IkVDIiwieCI6InBEd1JSbHpSNjJQU1RaR20tYTlwemh0X1NUZnBrb21ZOXliWGJLQXBqTHciLCJ5IjoiNmFUM3RkRXlTaWFtcWQ3YjFpaG5LMW5wR2p2cHA4QnBfYnp4ZWtaS2JZRSJ9LCJwdXJwb3NlcyI6WyJhdXRoZW50aWNhdGlvbiJdLCJ0eXBlIjoiRWNkc2FTZWNwMjU2azFWZXJpZmljYXRpb25LZXkyMDE5In1dfX1dLCJ1cGRhdGVDb21taXRtZW50IjoiRWlEbWlXQ3ZkWHNUajVpTUROX3NOVGxKakdaRmxfcklpd2VkMURic004a2JmZyJ9LCJzdWZmaXhEYXRhIjp7ImRlbHRhSGFzaCI6IkVpQ0ludDZlTFNMcGsyaGNwb3RrUHFmQUxTU2pjMEw0Y3Z0aEJGNFg1UXV1REEiLCJyZWNvdmVyeUNvbW1pdG1lbnQiOiJFaUNIeFFkSk5qYUtvS2gybklDY0w4ZTcyZTBkdVJGdUVVcWM2YVpfZnhkdGxBIn19#sign",
  "typ": "JWT"
}.{
  "nonce": "O1mZGnuet++Ilg2c1jR4jA==",
  "vp": {
    "@context": [
      "https://www.w3.org/2018/credentials/v1"
    ],
    "type": [
      "VerifiablePresentation"
    ],
    "verifiableCredential": [
      "eyJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6aW9uOkVpRDdNOFJZblV1aXIyYm0yMXV1LTVZbVdjcXFRRWllLVQtallFT0VCZUVXSlE6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZHVJaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbXQwZVNJNklrVkRJaXdpZUNJNkluTm5hbWhUZFZGc1prZFlWamcxUWxWU1drZzVhRXRRUjJSaFREUmxZbWRTTjBkRVJFUkZia0p0ZVhNaUxDSjVJam9pUkd3NFozZHFhelJQTjJoNWNEVnFWalpqVWpGQ1QzbDBlbDlUU1VadE4wbGpXVWxzTFhCcWQxSlVWU0o5TENKd2RYSndiM05sY3lJNld5SmhkWFJvWlc1MGFXTmhkR2x2YmlKZExDSjBlWEJsSWpvaVJXTmtjMkZUWldOd01qVTJhekZXWlhKcFptbGpZWFJwYjI1TFpYa3lNREU1SW4xZGZYMWRMQ0oxY0dSaGRHVkRiMjF0YVhSdFpXNTBJam9pUldsQlVqWldiamxIZUdKaVNGaEVjREJvWmpsNk5WOVpUM2d6Y0ZKaFpXZDVMVkZVZEVwM1lqTkRjVWRDZHlKOUxDSnpkV1ptYVhoRVlYUmhJanA3SW1SbGJIUmhTR0Z6YUNJNklrVnBRMDVoYkRaWVVuVjVWakZrWDJwMlVsWkVibXBGVFhOcVNVSkxaakUyVnpZeGRERjJjbmRPWjFRdGJWRWlMQ0p5WldOdmRtVnllVU52YlcxcGRHMWxiblFpT2lKRmFVSm9PV1JyU0RCRWRWWk9VR2N5VG5KbVdpMHpaMUJtWXpaWFZsOUNOM2RPWjFoTlpXbEJla3hCYURGbkluMTkjc2lnbiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkaWQ6aW9uOkVpQU4wZzZhaEZsOUd1UDJ1VlJKTWo0bjZFSmZ2cDlCX0NmdU9pcHNsMWtibmc6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZHVJaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbXQwZVNJNklrVkRJaXdpZUNJNkluQkVkMUpTYkhwU05qSlFVMVJhUjIwdFlUbHdlbWgwWDFOVVpuQnJiMjFaT1hsaVdHSkxRWEJxVEhjaUxDSjVJam9pTm1GVU0zUmtSWGxUYVdGdGNXUTNZakZwYUc1TE1XNXdSMnAyY0hBNFFuQmZZbnA0Wld0YVMySlpSU0o5TENKd2RYSndiM05sY3lJNld5SmhkWFJvWlc1MGFXTmhkR2x2YmlKZExDSjBlWEJsSWpvaVJXTmtjMkZUWldOd01qVTJhekZXWlhKcFptbGpZWFJwYjI1TFpYa3lNREU1SW4xZGZYMWRMQ0oxY0dSaGRHVkRiMjF0YVhSdFpXNTBJam9pUldsRWJXbFhRM1prV0hOVWFqVnBUVVJPWDNOT1ZHeEtha2RhUm14ZmNrbHBkMlZrTVVSaWMwMDRhMkptWnlKOUxDSnpkV1ptYVhoRVlYUmhJanA3SW1SbGJIUmhTR0Z6YUNJNklrVnBRMGx1ZERabFRGTk1jR3N5YUdOd2IzUnJVSEZtUVV4VFUycGpNRXcwWTNaMGFFSkdORmcxVVhWMVJFRWlMQ0p5WldOdmRtVnllVU52YlcxcGRHMWxiblFpT2lKRmFVTkllRkZrU2s1cVlVdHZTMmd5YmtsRFkwdzRaVGN5WlRCa2RWSkdkVVZWY1dNMllWcGZabmhrZEd4QkluMTkiLCJqdGkiOiIyNTVhM2M3Ni1hNTIyLTQ0MWItYTA0MS1mMzJmZmNjZDFjMzQiLCJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSJdLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiSW50ZXJvcEV4YW1wbGVWQyJdLCJjcmVkZW50aWFsU3ViamVjdCI6eyJMaWJyYXJ5IE5hbWUiOiJXb29kZ3JvdmUgTGlicmFyeSIsIk1lbWJlcklkIjoiOTQzODU2MjA4In0sImNyZWRlbnRpYWxTdGF0dXMiOnsiaWQiOiJ1cm46dXVpZDo3ZmFjZjQxYy0xZGM1LTQ4NmItODdlNi01ODdkMDE1ZTc2ZDc_Yml0LWluZGV4PTEwIiwidHlwZSI6IlJldm9jYXRpb25MaXN0MjAyMVN0YXR1cyIsInN0YXR1c0xpc3RJbmRleCI6IjEwIiwic3RhdHVzTGlzdENyZWRlbnRpYWwiOiJkaWQ6aW9uOkVpRDdNOFJZblV1aXIyYm0yMXV1LTVZbVdjcXFRRWllLVQtallFT0VCZUVXSlE6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZHVJaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbXQwZVNJNklrVkRJaXdpZUNJNkluTm5hbWhUZFZGc1prZFlWamcxUWxWU1drZzVhRXRRUjJSaFREUmxZbWRTTjBkRVJFUkZia0p0ZVhNaUxDSjVJam9pUkd3NFozZHFhelJQTjJoNWNEVnFWalpqVWpGQ1QzbDBlbDlUU1VadE4wbGpXVWxzTFhCcWQxSlVWU0o5TENKd2RYSndiM05sY3lJNld5SmhkWFJvWlc1MGFXTmhkR2x2YmlKZExDSjBlWEJsSWpvaVJXTmtjMkZUWldOd01qVTJhekZXWlhKcFptbGpZWFJwYjI1TFpYa3lNREU1SW4xZGZYMWRMQ0oxY0dSaGRHVkRiMjF0YVhSdFpXNTBJam9pUldsQlVqWldiamxIZUdKaVNGaEVjREJvWmpsNk5WOVpUM2d6Y0ZKaFpXZDVMVkZVZEVwM1lqTkRjVWRDZHlKOUxDSnpkV1ptYVhoRVlYUmhJanA3SW1SbGJIUmhTR0Z6YUNJNklrVnBRMDVoYkRaWVVuVjVWakZrWDJwMlVsWkVibXBGVFhOcVNVSkxaakUyVnpZeGRERjJjbmRPWjFRdGJWRWlMQ0p5WldOdmRtVnllVU52YlcxcGRHMWxiblFpT2lKRmFVSm9PV1JyU0RCRWRWWk9VR2N5VG5KbVdpMHpaMUJtWXpaWFZsOUNOM2RPWjFoTlpXbEJla3hCYURGbkluMTk_c2VydmljZT1JZGVudGl0eUh1YiZxdWVyaWVzPVczc2liV1YwYUc5a0lqb2lRMjlzYkdWamRHbHZibk5SZFdWeWVTSXNJbk5qYUdWdFlTSTZJbWgwZEhCek9pOHZkek5wWkM1dmNtY3ZkbU10YzNSaGRIVnpMV3hwYzNRdE1qQXlNUzkyTVNJc0ltOWlhbVZqZEVsa0lqb2laamxqWVRGbU5EQXRPRGcwTlMwME5XRTFMVGd3TldZdFl6SmxOV0pqTkRaaE4ySTVJbjFkIn19LCJpc3MiOiJkaWQ6aW9uOkVpRDdNOFJZblV1aXIyYm0yMXV1LTVZbVdjcXFRRWllLVQtallFT0VCZUVXSlE6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZHVJaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbXQwZVNJNklrVkRJaXdpZUNJNkluTm5hbWhUZFZGc1prZFlWamcxUWxWU1drZzVhRXRRUjJSaFREUmxZbWRTTjBkRVJFUkZia0p0ZVhNaUxDSjVJam9pUkd3NFozZHFhelJQTjJoNWNEVnFWalpqVWpGQ1QzbDBlbDlUU1VadE4wbGpXVWxzTFhCcWQxSlVWU0o5TENKd2RYSndiM05sY3lJNld5SmhkWFJvWlc1MGFXTmhkR2x2YmlKZExDSjBlWEJsSWpvaVJXTmtjMkZUWldOd01qVTJhekZXWlhKcFptbGpZWFJwYjI1TFpYa3lNREU1SW4xZGZYMWRMQ0oxY0dSaGRHVkRiMjF0YVhSdFpXNTBJam9pUldsQlVqWldiamxIZUdKaVNGaEVjREJvWmpsNk5WOVpUM2d6Y0ZKaFpXZDVMVkZVZEVwM1lqTkRjVWRDZHlKOUxDSnpkV1ptYVhoRVlYUmhJanA3SW1SbGJIUmhTR0Z6YUNJNklrVnBRMDVoYkRaWVVuVjVWakZrWDJwMlVsWkVibXBGVFhOcVNVSkxaakUyVnpZeGRERjJjbmRPWjFRdGJWRWlMQ0p5WldOdmRtVnllVU52YlcxcGRHMWxiblFpT2lKRmFVSm9PV1JyU0RCRWRWWk9VR2N5VG5KbVdpMHpaMUJtWXpaWFZsOUNOM2RPWjFoTlpXbEJla3hCYURGbkluMTkiLCJpYXQiOjE2NDYzMDg3MzcsIm5iZiI6MTY0NjMwODczNywiZXhwIjoxNjc3ODczNTM3fQ.pon9j2xkVBAAs7NIPJ2y2gDUE6gDwv6q2pufuRy056tpvgX3lC3rYskIrUFHl0esYXaL6qkUHXBv6JAZXnpyXw"
    ]
  },
  "aud": "did:ion:EiAv0eJ5cB0hGWVH5YbY-uw1K71EpOST6ztueEQzVCEc0A:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWdfY2FiNjVhYTAiLCJwdWJsaWNLZXlKd2siOnsiY3J2Ijoic2VjcDI1NmsxIiwia3R5IjoiRUMiLCJ4IjoiOG15MHFKUGt6OVNRRTkyRTlmRFg4ZjJ4bTR2X29ZMXdNTEpWWlQ1SzhRdyIsInkiOiIxb0xsVG5rNzM2RTNHOUNNUTh3WjJQSlVBM0phVnY5VzFaVGVGSmJRWTFFIn0sInB1cnBvc2VzIjpbImF1dGhlbnRpY2F0aW9uIiwiYXNzZXJ0aW9uTWV0aG9kIl0sInR5cGUiOiJFY2RzYVNlY3AyNTZrMVZlcmlmaWNhdGlvbktleTIwMTkifV0sInNlcnZpY2VzIjpbeyJpZCI6ImxpbmtlZGRvbWFpbnMiLCJzZXJ2aWNlRW5kcG9pbnQiOnsib3JpZ2lucyI6WyJodHRwczovL3N3ZWVwc3Rha2VzLmRpZC5taWNyb3NvZnQuY29tLyJdfSwidHlwZSI6IkxpbmtlZERvbWFpbnMifV19fV0sInVwZGF0ZUNvbW1pdG1lbnQiOiJFaUFwcmVTNy1Eczh5MDFnUzk2cE5iVnpoRmYxUlpvblZ3UkswbG9mZHdOZ2FBIn0sInN1ZmZpeERhdGEiOnsiZGVsdGFIYXNoIjoiRWlEMWRFdUVldERnMnhiVEs0UDZVTTNuWENKVnFMRE11M29IVWNMamtZMWFTdyIsInJlY292ZXJ5Q29tbWl0bWVudCI6IkVpREFkSzFWNkpja1BpY0RBcGFxV2IyZE95MFRNcmJKTmllNmlKVzk4Zk54bkEifX0",
  "iss": "did:ion:EiAN0g6ahFl9GuP2uVRJMj4n6EJfvp9B_CfuOipsl1kbng:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWduIiwicHVibGljS2V5SndrIjp7ImNydiI6InNlY3AyNTZrMSIsImt0eSI6IkVDIiwieCI6InBEd1JSbHpSNjJQU1RaR20tYTlwemh0X1NUZnBrb21ZOXliWGJLQXBqTHciLCJ5IjoiNmFUM3RkRXlTaWFtcWQ3YjFpaG5LMW5wR2p2cHA4QnBfYnp4ZWtaS2JZRSJ9LCJwdXJwb3NlcyI6WyJhdXRoZW50aWNhdGlvbiJdLCJ0eXBlIjoiRWNkc2FTZWNwMjU2azFWZXJpZmljYXRpb25LZXkyMDE5In1dfX1dLCJ1cGRhdGVDb21taXRtZW50IjoiRWlEbWlXQ3ZkWHNUajVpTUROX3NOVGxKakdaRmxfcklpd2VkMURic004a2JmZyJ9LCJzdWZmaXhEYXRhIjp7ImRlbHRhSGFzaCI6IkVpQ0ludDZlTFNMcGsyaGNwb3RrUHFmQUxTU2pjMEw0Y3Z0aEJGNFg1UXV1REEiLCJyZWNvdmVyeUNvbW1pdG1lbnQiOiJFaUNIeFFkSk5qYUtvS2gybklDY0w4ZTcyZTBkdVJGdUVVcWM2YVpfZnhkdGxBIn19",
  "iat": 1646308737,
  "nbf": 1646308737,
  "exp": 1646769537
}.[Signature]

Below is a non-normative example of a Base64URL encoded VC. Note that the VC MUST be obtained from path_nested in presentation_submission of the ID Token.

EXAMPLE
eyJhbGciOiJFUzI1NksiLCJraWQiOiJkaWQ6aW9uOkVpRDdNOFJZblV1aXIyYm0yMXV1LTVZbVdjcXFRRWllLVQtallFT0VCZUVXSlE6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZHVJaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbXQwZVNJNklrVkRJaXdpZUNJNkluTm5hbWhUZFZGc1prZFlWamcxUWxWU1drZzVhRXRRUjJSaFREUmxZbWRTTjBkRVJFUkZia0p0ZVhNaUxDSjVJam9pUkd3NFozZHFhelJQTjJoNWNEVnFWalpqVWpGQ1QzbDBlbDlUU1VadE4wbGpXVWxzTFhCcWQxSlVWU0o5TENKd2RYSndiM05sY3lJNld5SmhkWFJvWlc1MGFXTmhkR2x2YmlKZExDSjBlWEJsSWpvaVJXTmtjMkZUWldOd01qVTJhekZXWlhKcFptbGpZWFJwYjI1TFpYa3lNREU1SW4xZGZYMWRMQ0oxY0dSaGRHVkRiMjF0YVhSdFpXNTBJam9pUldsQlVqWldiamxIZUdKaVNGaEVjREJvWmpsNk5WOVpUM2d6Y0ZKaFpXZDVMVkZVZEVwM1lqTkRjVWRDZHlKOUxDSnpkV1ptYVhoRVlYUmhJanA3SW1SbGJIUmhTR0Z6YUNJNklrVnBRMDVoYkRaWVVuVjVWakZrWDJwMlVsWkVibXBGVFhOcVNVSkxaakUyVnpZeGRERjJjbmRPWjFRdGJWRWlMQ0p5WldOdmRtVnllVU52YlcxcGRHMWxiblFpT2lKRmFVSm9PV1JyU0RCRWRWWk9VR2N5VG5KbVdpMHpaMUJtWXpaWFZsOUNOM2RPWjFoTlpXbEJla3hCYURGbkluMTkjc2lnbiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkaWQ6aW9uOkVpQU4wZzZhaEZsOUd1UDJ1VlJKTWo0bjZFSmZ2cDlCX0NmdU9pcHNsMWtibmc6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZHVJaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbXQwZVNJNklrVkRJaXdpZUNJNkluQkVkMUpTYkhwU05qSlFVMVJhUjIwdFlUbHdlbWgwWDFOVVpuQnJiMjFaT1hsaVdHSkxRWEJxVEhjaUxDSjVJam9pTm1GVU0zUmtSWGxUYVdGdGNXUTNZakZwYUc1TE1XNXdSMnAyY0hBNFFuQmZZbnA0Wld0YVMySlpSU0o5TENKd2RYSndiM05sY3lJNld5SmhkWFJvWlc1MGFXTmhkR2x2YmlKZExDSjBlWEJsSWpvaVJXTmtjMkZUWldOd01qVTJhekZXWlhKcFptbGpZWFJwYjI1TFpYa3lNREU1SW4xZGZYMWRMQ0oxY0dSaGRHVkRiMjF0YVhSdFpXNTBJam9pUldsRWJXbFhRM1prV0hOVWFqVnBUVVJPWDNOT1ZHeEtha2RhUm14ZmNrbHBkMlZrTVVSaWMwMDRhMkptWnlKOUxDSnpkV1ptYVhoRVlYUmhJanA3SW1SbGJIUmhTR0Z6YUNJNklrVnBRMGx1ZERabFRGTk1jR3N5YUdOd2IzUnJVSEZtUVV4VFUycGpNRXcwWTNaMGFFSkdORmcxVVhWMVJFRWlMQ0p5WldOdmRtVnllVU52YlcxcGRHMWxiblFpT2lKRmFVTkllRkZrU2s1cVlVdHZTMmd5YmtsRFkwdzRaVGN5WlRCa2RWSkdkVVZWY1dNMllWcGZabmhrZEd4QkluMTkiLCJqdGkiOiIyNTVhM2M3Ni1hNTIyLTQ0MWItYTA0MS1mMzJmZmNjZDFjMzQiLCJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSJdLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiSW50ZXJvcEV4YW1wbGVWQyJdLCJjcmVkZW50aWFsU3ViamVjdCI6eyJMaWJyYXJ5IE5hbWUiOiJXb29kZ3JvdmUgTGlicmFyeSIsIk1lbWJlcklkIjoiOTQzODU2MjA4In0sImNyZWRlbnRpYWxTdGF0dXMiOnsiaWQiOiJ1cm46dXVpZDo3ZmFjZjQxYy0xZGM1LTQ4NmItODdlNi01ODdkMDE1ZTc2ZDc_Yml0LWluZGV4PTEwIiwidHlwZSI6IlJldm9jYXRpb25MaXN0MjAyMVN0YXR1cyIsInN0YXR1c0xpc3RJbmRleCI6IjEwIiwic3RhdHVzTGlzdENyZWRlbnRpYWwiOiJkaWQ6aW9uOkVpRDdNOFJZblV1aXIyYm0yMXV1LTVZbVdjcXFRRWllLVQtallFT0VCZUVXSlE6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZHVJaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbXQwZVNJNklrVkRJaXdpZUNJNkluTm5hbWhUZFZGc1prZFlWamcxUWxWU1drZzVhRXRRUjJSaFREUmxZbWRTTjBkRVJFUkZia0p0ZVhNaUxDSjVJam9pUkd3NFozZHFhelJQTjJoNWNEVnFWalpqVWpGQ1QzbDBlbDlUU1VadE4wbGpXVWxzTFhCcWQxSlVWU0o5TENKd2RYSndiM05sY3lJNld5SmhkWFJvWlc1MGFXTmhkR2x2YmlKZExDSjBlWEJsSWpvaVJXTmtjMkZUWldOd01qVTJhekZXWlhKcFptbGpZWFJwYjI1TFpYa3lNREU1SW4xZGZYMWRMQ0oxY0dSaGRHVkRiMjF0YVhSdFpXNTBJam9pUldsQlVqWldiamxIZUdKaVNGaEVjREJvWmpsNk5WOVpUM2d6Y0ZKaFpXZDVMVkZVZEVwM1lqTkRjVWRDZHlKOUxDSnpkV1ptYVhoRVlYUmhJanA3SW1SbGJIUmhTR0Z6YUNJNklrVnBRMDVoYkRaWVVuVjVWakZrWDJwMlVsWkVibXBGVFhOcVNVSkxaakUyVnpZeGRERjJjbmRPWjFRdGJWRWlMQ0p5WldOdmRtVnllVU52YlcxcGRHMWxiblFpT2lKRmFVSm9PV1JyU0RCRWRWWk9VR2N5VG5KbVdpMHpaMUJtWXpaWFZsOUNOM2RPWjFoTlpXbEJla3hCYURGbkluMTk_c2VydmljZT1JZGVudGl0eUh1YiZxdWVyaWVzPVczc2liV1YwYUc5a0lqb2lRMjlzYkdWamRHbHZibk5SZFdWeWVTSXNJbk5qYUdWdFlTSTZJbWgwZEhCek9pOHZkek5wWkM1dmNtY3ZkbU10YzNSaGRIVnpMV3hwYzNRdE1qQXlNUzkyTVNJc0ltOWlhbVZqZEVsa0lqb2laamxqWVRGbU5EQXRPRGcwTlMwME5XRTFMVGd3TldZdFl6SmxOV0pqTkRaaE4ySTVJbjFkIn19LCJpc3MiOiJkaWQ6aW9uOkVpRDdNOFJZblV1aXIyYm0yMXV1LTVZbVdjcXFRRWllLVQtallFT0VCZUVXSlE6ZXlKa1pXeDBZU0k2ZXlKd1lYUmphR1Z6SWpwYmV5SmhZM1JwYjI0aU9pSnlaWEJzWVdObElpd2laRzlqZFcxbGJuUWlPbnNpY0hWaWJHbGpTMlY1Y3lJNlczc2lhV1FpT2lKemFXZHVJaXdpY0hWaWJHbGpTMlY1U25kcklqcDdJbU55ZGlJNkluTmxZM0F5TlRack1TSXNJbXQwZVNJNklrVkRJaXdpZUNJNkluTm5hbWhUZFZGc1prZFlWamcxUWxWU1drZzVhRXRRUjJSaFREUmxZbWRTTjBkRVJFUkZia0p0ZVhNaUxDSjVJam9pUkd3NFozZHFhelJQTjJoNWNEVnFWalpqVWpGQ1QzbDBlbDlUU1VadE4wbGpXVWxzTFhCcWQxSlVWU0o5TENKd2RYSndiM05sY3lJNld5SmhkWFJvWlc1MGFXTmhkR2x2YmlKZExDSjBlWEJsSWpvaVJXTmtjMkZUWldOd01qVTJhekZXWlhKcFptbGpZWFJwYjI1TFpYa3lNREU1SW4xZGZYMWRMQ0oxY0dSaGRHVkRiMjF0YVhSdFpXNTBJam9pUldsQlVqWldiamxIZUdKaVNGaEVjREJvWmpsNk5WOVpUM2d6Y0ZKaFpXZDVMVkZVZEVwM1lqTkRjVWRDZHlKOUxDSnpkV1ptYVhoRVlYUmhJanA3SW1SbGJIUmhTR0Z6YUNJNklrVnBRMDVoYkRaWVVuVjVWakZrWDJwMlVsWkVibXBGVFhOcVNVSkxaakUyVnpZeGRERjJjbmRPWjFRdGJWRWlMQ0p5WldOdmRtVnllVU52YlcxcGRHMWxiblFpT2lKRmFVSm9PV1JyU0RCRWRWWk9VR2N5VG5KbVdpMHpaMUJtWXpaWFZsOUNOM2RPWjFoTlpXbEJla3hCYURGbkluMTkiLCJpYXQiOjE2NDYzMDg3MzcsIm5iZiI6MTY0NjMwODczNywiZXhwIjoxNjc3ODczNTM3fQ.pon9j2xkVBAAs7NIPJ2y2gDUE6gDwv6q2pufuRy056tpvgX3lC3rYskIrUFHl0esYXaL6qkUHXBv6JAZXnpyXw

Below is a non-normative example of a decoded VC in a JSON format, signed as a JWT:

EXAMPLE
{
    "alg": "ES256K",
    "kid": "did:ion:EiD7M8RYnUuir2bm21uu-5YmWcqqQEie-T-jYEOEBeEWJQ:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWduIiwicHVibGljS2V5SndrIjp7ImNydiI6InNlY3AyNTZrMSIsImt0eSI6IkVDIiwieCI6InNnamhTdVFsZkdYVjg1QlVSWkg5aEtQR2RhTDRlYmdSN0dERERFbkJteXMiLCJ5IjoiRGw4Z3dqazRPN2h5cDVqVjZjUjFCT3l0el9TSUZtN0ljWUlsLXBqd1JUVSJ9LCJwdXJwb3NlcyI6WyJhdXRoZW50aWNhdGlvbiJdLCJ0eXBlIjoiRWNkc2FTZWNwMjU2azFWZXJpZmljYXRpb25LZXkyMDE5In1dfX1dLCJ1cGRhdGVDb21taXRtZW50IjoiRWlBUjZWbjlHeGJiSFhEcDBoZjl6NV9ZT3gzcFJhZWd5LVFUdEp3YjNDcUdCdyJ9LCJzdWZmaXhEYXRhIjp7ImRlbHRhSGFzaCI6IkVpQ05hbDZYUnV5VjFkX2p2UlZEbmpFTXNqSUJLZjE2VzYxdDF2cndOZ1QtbVEiLCJyZWNvdmVyeUNvbW1pdG1lbnQiOiJFaUJoOWRrSDBEdVZOUGcyTnJmWi0zZ1BmYzZXVl9CN3dOZ1hNZWlBekxBaDFnIn19#sign",
    "typ": "JWT"
  }.{
    "sub": "did:ion:EiAN0g6ahFl9GuP2uVRJMj4n6EJfvp9B_CfuOipsl1kbng:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWduIiwicHVibGljS2V5SndrIjp7ImNydiI6InNlY3AyNTZrMSIsImt0eSI6IkVDIiwieCI6InBEd1JSbHpSNjJQU1RaR20tYTlwemh0X1NUZnBrb21ZOXliWGJLQXBqTHciLCJ5IjoiNmFUM3RkRXlTaWFtcWQ3YjFpaG5LMW5wR2p2cHA4QnBfYnp4ZWtaS2JZRSJ9LCJwdXJwb3NlcyI6WyJhdXRoZW50aWNhdGlvbiJdLCJ0eXBlIjoiRWNkc2FTZWNwMjU2azFWZXJpZmljYXRpb25LZXkyMDE5In1dfX1dLCJ1cGRhdGVDb21taXRtZW50IjoiRWlEbWlXQ3ZkWHNUajVpTUROX3NOVGxKakdaRmxfcklpd2VkMURic004a2JmZyJ9LCJzdWZmaXhEYXRhIjp7ImRlbHRhSGFzaCI6IkVpQ0ludDZlTFNMcGsyaGNwb3RrUHFmQUxTU2pjMEw0Y3Z0aEJGNFg1UXV1REEiLCJyZWNvdmVyeUNvbW1pdG1lbnQiOiJFaUNIeFFkSk5qYUtvS2gybklDY0w4ZTcyZTBkdVJGdUVVcWM2YVpfZnhkdGxBIn19",
    "jti": "255a3c76-a522-441b-a041-f32ffccd1c34",
    "vc": {
      "@context": [
        "https://www.w3.org/2018/credentials/v1"
      ],
      "type": [
        "VerifiableCredential",
        "InteropExampleVC"
      ],
      "credentialSubject": {
        "Library Name": "Woodgrove Library",
        "MemberId": "943856208"
      },
      "credentialStatus": {
        "id": "urn:uuid:7facf41c-1dc5-486b-87e6-587d015e76d7?bit-index=10",
        "type": "RevocationList2021Status",
        "statusListIndex": "10",
        "statusListCredential": "did:ion:EiD7M8RYnUuir2bm21uu-5YmWcqqQEie-T-jYEOEBeEWJQ:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWduIiwicHVibGljS2V5SndrIjp7ImNydiI6InNlY3AyNTZrMSIsImt0eSI6IkVDIiwieCI6InNnamhTdVFsZkdYVjg1QlVSWkg5aEtQR2RhTDRlYmdSN0dERERFbkJteXMiLCJ5IjoiRGw4Z3dqazRPN2h5cDVqVjZjUjFCT3l0el9TSUZtN0ljWUlsLXBqd1JUVSJ9LCJwdXJwb3NlcyI6WyJhdXRoZW50aWNhdGlvbiJdLCJ0eXBlIjoiRWNkc2FTZWNwMjU2azFWZXJpZmljYXRpb25LZXkyMDE5In1dfX1dLCJ1cGRhdGVDb21taXRtZW50IjoiRWlBUjZWbjlHeGJiSFhEcDBoZjl6NV9ZT3gzcFJhZWd5LVFUdEp3YjNDcUdCdyJ9LCJzdWZmaXhEYXRhIjp7ImRlbHRhSGFzaCI6IkVpQ05hbDZYUnV5VjFkX2p2UlZEbmpFTXNqSUJLZjE2VzYxdDF2cndOZ1QtbVEiLCJyZWNvdmVyeUNvbW1pdG1lbnQiOiJFaUJoOWRrSDBEdVZOUGcyTnJmWi0zZ1BmYzZXVl9CN3dOZ1hNZWlBekxBaDFnIn19?service=IdentityHub&queries=W3sibWV0aG9kIjoiQ29sbGVjdGlvbnNRdWVyeSIsInNjaGVtYSI6Imh0dHBzOi8vdzNpZC5vcmcvdmMtc3RhdHVzLWxpc3QtMjAyMS92MSIsIm9iamVjdElkIjoiZjljYTFmNDAtODg0NS00NWE1LTgwNWYtYzJlNWJjNDZhN2I5In1d"
      }
    },
    "iss": "did:ion:EiD7M8RYnUuir2bm21uu-5YmWcqqQEie-T-jYEOEBeEWJQ:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJzaWduIiwicHVibGljS2V5SndrIjp7ImNydiI6InNlY3AyNTZrMSIsImt0eSI6IkVDIiwieCI6InNnamhTdVFsZkdYVjg1QlVSWkg5aEtQR2RhTDRlYmdSN0dERERFbkJteXMiLCJ5IjoiRGw4Z3dqazRPN2h5cDVqVjZjUjFCT3l0el9TSUZtN0ljWUlsLXBqd1JUVSJ9LCJwdXJwb3NlcyI6WyJhdXRoZW50aWNhdGlvbiJdLCJ0eXBlIjoiRWNkc2FTZWNwMjU2azFWZXJpZmljYXRpb25LZXkyMDE5In1dfX1dLCJ1cGRhdGVDb21taXRtZW50IjoiRWlBUjZWbjlHeGJiSFhEcDBoZjl6NV9ZT3gzcFJhZWd5LVFUdEp3YjNDcUdCdyJ9LCJzdWZmaXhEYXRhIjp7ImRlbHRhSGFzaCI6IkVpQ05hbDZYUnV5VjFkX2p2UlZEbmpFTXNqSUJLZjE2VzYxdDF2cndOZ1QtbVEiLCJyZWNvdmVyeUNvbW1pdG1lbnQiOiJFaUJoOWRrSDBEdVZOUGcyTnJmWi0zZ1BmYzZXVl9CN3dOZ1hNZWlBekxBaDFnIn19",
    "iat": 1646308737,
    "nbf": 1646308737,
    "exp": 1677873537
  }.[Signature]

§ Decentralized Identifiers

This profile utilizes Decentralized Identifiers (DIDs) as a cryptographically verifiable identifier of the Verifier/RP and Self-Issued OP and that resolve to cryptographic key material.

ION DIDs can operate in both long-form and short-form. Implementations of this profile MUST be able to consume both long-form and short-form DIDs regardless of whether they are anchored.

The Verifier/RP should always check DIDs against an ION node to validate their current states. Just because a long form DID has been used, doesn’t mean the state hasn’t changed on ION.

§ Short-Form DID

Short Form DIDs are DIDs written on a Bitcoin Blockchain. They are also known as anchored DIDs. These types of DIDs give the organization and user the most flexibility because the underlying components of the DID Document, such as public keys and service endpoints, can change without altering the DID itself.

Below is a non-normative example of a short-form DID:

did:ion:EiDC8qe_kwtm02IVoVZ8epcGi90XnL1NYI6baJIwHVBgrg

Below is a non-normative example of a DID Document obtained by resolving a short-form DID using an ION Node:

EXAMPLE
{
  "@context": "https://w3id.org/did-resolution/v1",
  "didDocument": {
    "id": "did:ion:EiDC8qe_kwtm02IVoVZ8epcGi90XnL1NYI6baJIwHVBgrg",
    "@context": [
      "https://www.w3.org/ns/did/v1",
      {
        "@base": "did:ion:EiDC8qe_kwtm02IVoVZ8epcGi90XnL1NYI6baJIwHVBgrg"
      }
    ],
    "service": [
      {
        "id": "#domain-1",
        "type": "LinkedDomains",
        "serviceEndpoint": "https://erickuhn19.com"
      }
    ],
    "verificationMethod": [
      {
        "id": "#key-1",
        "controller": "",
        "type": "EcdsaSecp256k1VerificationKey2019",
        "publicKeyJwk": {
          "kty": "EC",
          "crv": "secp256k1",
          "x": "0DByK_buTNM5ljoJeFDMIoqEaCv92e25H6qj_36zYbs",
          "y": "dY6MXrr70VZ_1VfHuBELDGzPk8Nxbpv1B76f6NnpVF8"
        }
      }
    ],
    "authentication": [
      "#key-1"
    ]
  },
  "didDocumentMetadata": {
    "method": {
      "published": true,
      "recoveryCommitment": "EiDRUgxeC0hdpch7zehFkH5_TmVLmbXWJ0O0faw5Inj_Dg",
      "updateCommitment": "EiBnjYiBQ-gXaVRH_IoAp25QrcR_EeEf2pXTDHuV33_Vgg"
    },
    "canonicalId": "did:ion:EiDC8qe_kwtm02IVoVZ8epcGi90XnL1NYI6baJIwHVBgrg"
  }
}

§ Long-Form DID

Long-form DIDs are DIDs not written on a Bitcoin Blockchain. They are also known as unanchored DIDs.

Long-form DIDs have the entire DID Document encapsulated into the DID itself. This means that public keys cannot be rotated without modifying a DID

Below is a non-normative example of a long-form DID:

EXAMPLE
did:ion:EiDC8qe_kwtm02IVoVZ8epcGi90XnL1NYI6baJIwHVBgrg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJrZXktMSIsInB1YmxpY0tleUp3ayI6eyJjcnYiOiJzZWNwMjU2azEiLCJrdHkiOiJFQyIsIngiOiIwREJ5S19idVROTTVsam9KZUZETUlvcUVhQ3Y5MmUyNUg2cWpfMzZ6WWJzIiwieSI6ImRZNk1YcnI3MFZaXzFWZkh1QkVMREd6UGs4TnhicHYxQjc2ZjZObnBWRjgifSwicHVycG9zZXMiOlsiYXV0aGVudGljYXRpb24iXSwidHlwZSI6IkVjZHNhU2VjcDI1NmsxVmVyaWZpY2F0aW9uS2V5MjAxOSJ9XSwic2VydmljZXMiOlt7ImlkIjoiZG9tYWluLTEiLCJzZXJ2aWNlRW5kcG9pbnQiOiJodHRwczovL2VyaWNrdWhuMTkuY29tIiwidHlwZSI6IkxpbmtlZERvbWFpbnMifV19fV0sInVwZGF0ZUNvbW1pdG1lbnQiOiJFaUJuallpQlEtZ1hhVlJIX0lvQXAyNVFyY1JfRWVFZjJwWFRESHVWMzNfVmdnIn0sInN1ZmZpeERhdGEiOnsiZGVsdGFIYXNoIjoiRWlBS1BzQnRaLWw2N3h1RXFHVFZHVjBvYmFIRDZOajZxWTdVbkJuVUl2ZHVYQSIsInJlY292ZXJ5Q29tbWl0bWVudCI6IkVpRFJVZ3hlQzBoZHBjaDd6ZWhGa0g1X1RtVkxtYlhXSjBPMGZhdzVJbmpfRGcifX0

Below is a non-normative example of a DID Document obtained by resolving a long-form DID using an ION Node:

EXAMPLE
{
  "@context": "https://w3id.org/did-resolution/v1",
  "didDocument": {
    "id": "did:ion:EiDC8qe_kwtm02IVoVZ8epcGi90XnL1NYI6baJIwHVBgrg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJrZXktMSIsInB1YmxpY0tleUp3ayI6eyJjcnYiOiJzZWNwMjU2azEiLCJrdHkiOiJFQyIsIngiOiIwREJ5S19idVROTTVsam9KZUZETUlvcUVhQ3Y5MmUyNUg2cWpfMzZ6WWJzIiwieSI6ImRZNk1YcnI3MFZaXzFWZkh1QkVMREd6UGs4TnhicHYxQjc2ZjZObnBWRjgifSwicHVycG9zZXMiOlsiYXV0aGVudGljYXRpb24iXSwidHlwZSI6IkVjZHNhU2VjcDI1NmsxVmVyaWZpY2F0aW9uS2V5MjAxOSJ9XSwic2VydmljZXMiOlt7ImlkIjoiZG9tYWluLTEiLCJzZXJ2aWNlRW5kcG9pbnQiOiJodHRwczovL2VyaWNrdWhuMTkuY29tIiwidHlwZSI6IkxpbmtlZERvbWFpbnMifV19fV0sInVwZGF0ZUNvbW1pdG1lbnQiOiJFaUJuallpQlEtZ1hhVlJIX0lvQXAyNVFyY1JfRWVFZjJwWFRESHVWMzNfVmdnIn0sInN1ZmZpeERhdGEiOnsiZGVsdGFIYXNoIjoiRWlBS1BzQnRaLWw2N3h1RXFHVFZHVjBvYmFIRDZOajZxWTdVbkJuVUl2ZHVYQSIsInJlY292ZXJ5Q29tbWl0bWVudCI6IkVpRFJVZ3hlQzBoZHBjaDd6ZWhGa0g1X1RtVkxtYlhXSjBPMGZhdzVJbmpfRGcifX0",
    "@context": [
      "https://www.w3.org/ns/did/v1",
      {
        "@base": "did:ion:EiDC8qe_kwtm02IVoVZ8epcGi90XnL1NYI6baJIwHVBgrg:eyJkZWx0YSI6eyJwYXRjaGVzIjpbeyJhY3Rpb24iOiJyZXBsYWNlIiwiZG9jdW1lbnQiOnsicHVibGljS2V5cyI6W3siaWQiOiJrZXktMSIsInB1YmxpY0tleUp3ayI6eyJjcnYiOiJzZWNwMjU2azEiLCJrdHkiOiJFQyIsIngiOiIwREJ5S19idVROTTVsam9KZUZETUlvcUVhQ3Y5MmUyNUg2cWpfMzZ6WWJzIiwieSI6ImRZNk1YcnI3MFZaXzFWZkh1QkVMREd6UGs4TnhicHYxQjc2ZjZObnBWRjgifSwicHVycG9zZXMiOlsiYXV0aGVudGljYXRpb24iXSwidHlwZSI6IkVjZHNhU2VjcDI1NmsxVmVyaWZpY2F0aW9uS2V5MjAxOSJ9XSwic2VydmljZXMiOlt7ImlkIjoiZG9tYWluLTEiLCJzZXJ2aWNlRW5kcG9pbnQiOiJodHRwczovL2VyaWNrdWhuMTkuY29tIiwidHlwZSI6IkxpbmtlZERvbWFpbnMifV19fV0sInVwZGF0ZUNvbW1pdG1lbnQiOiJFaUJuallpQlEtZ1hhVlJIX0lvQXAyNVFyY1JfRWVFZjJwWFRESHVWMzNfVmdnIn0sInN1ZmZpeERhdGEiOnsiZGVsdGFIYXNoIjoiRWlBS1BzQnRaLWw2N3h1RXFHVFZHVjBvYmFIRDZOajZxWTdVbkJuVUl2ZHVYQSIsInJlY292ZXJ5Q29tbWl0bWVudCI6IkVpRFJVZ3hlQzBoZHBjaDd6ZWhGa0g1X1RtVkxtYlhXSjBPMGZhdzVJbmpfRGcifX0"
      }
    ],
    "service": [
      {
        "id": "#domain-1",
        "type": "LinkedDomains",
        "serviceEndpoint": "https://erickuhn19.com"
      }
    ],
    "verificationMethod": [
      {
        "id": "#key-1",
        "controller": "",
        "type": "EcdsaSecp256k1VerificationKey2019",
        "publicKeyJwk": {
          "kty": "EC",
          "crv": "secp256k1",
          "x": "0DByK_buTNM5ljoJeFDMIoqEaCv92e25H6qj_36zYbs",
          "y": "dY6MXrr70VZ_1VfHuBELDGzPk8Nxbpv1B76f6NnpVF8"
        }
      }
    ],
    "authentication": [
      "#key-1"
    ]
  },
  "didDocumentMetadata": {
    "method": {
      "published": true,
      "recoveryCommitment": "EiDRUgxeC0hdpch7zehFkH5_TmVLmbXWJ0O0faw5Inj_Dg",
      "updateCommitment": "EiBnjYiBQ-gXaVRH_IoAp25QrcR_EeEf2pXTDHuV33_Vgg"
    },
    "equivalentId": [
      "did:ion:EiDC8qe_kwtm02IVoVZ8epcGi90XnL1NYI6baJIwHVBgrg"
    ],
    "canonicalId": "did:ion:EiDC8qe_kwtm02IVoVZ8epcGi90XnL1NYI6baJIwHVBgrg"
  }
}

§ serviceEndpoints

The following two serviceEndpoints MUST be supported in the DID Document, but only one is required.

  1. LinkedDomain vis Well Known DID spec
  2. Identity Hub (0.0.1 Predraft) (Decentralized Web Node v0.0.1 predraft))

§ Revocation

StatusList2021 MUST be used for revocation of VCs, as defined in Status List 2021.

§ credentialStatus

The issued VC MAY include a credentialStatus property

When credentialStatus is deinfed it MUST use StatusList2021 , as defined in section 5.1 of Status List 2021.

StatusList2021 MUST be discovered using either DID Relative URLs stored in an ID Hub or HTTPS URL.

An Issuer of a VC MAY have an ID Hub serviceEndpoint in the Issuer’s DID Document. ID Hubs are the single endpoint to look up objects associated with a DID, as defined in [Identity-Hub]. Below is a non-normative example of a DID Document that includes a serviceEndpoint:

"service": [
      {
        "id": "hubs",
        "type": "IdentityHub",
        "serviceEndpoint": [
          "https://hubs.microsoft.com",
          "https://datastore.protonmail.com"
        ]
      }
]
{
  "credentialStatus": {
    "id": "Qmdfr32sdf32546...",
    "type": "StatusList2021",
    "statusListIndex": "94567",
    "statusListCredential": 'did:ion:123?service=IdentityHub&relativeRef=?messages=[{ type: "CollectionsQuery", statement: { id: "Qmdfr32sdf32546..." }}]'
  }
}

§ Cryptographic Signature

While ION supports any public key JWK representation in a DID Document, implementors of this document MUST support JWT signature verification with the following Key Types and must support JWT signing with at least one.

Key Type JWT Algorithm
secp256k1 ES256K
Ed25519 EdDSA

Note: This profile leverages JWT for signature generation and verification only. There is a rich offering of Linked Data Cryptographic Suites which are not covered by this iteration of the profile. For reference and more information on LD signature suites see the Linked Data Cryptographic Suite Registry.

§ Credential type VerifiedEmployee

Below is a description of a credentialSubject for a credential type VerifiedEmployee. It is RECOMMENDED to be used with a Workplace Credential Use-Case defined below. However the usage of this credential type is OPTIONAL and is not required to be compliant with this profile.

"vc": {
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
    ],
    "type": [
      "VerifiableCredential",
      "VerifiedEmployee"
    ],
    "credentialSubject": {
      "displayName": "$.displayName",
      "givenName": "$.givenName",
      "jobTitle": "$.jobTitle",
      "surname": "$.surname",
      "preferredLanguage": "$.preferredLanguage",
      "mail": "$.mail",
      "photo": "data:image/jpeg;base64,ewrsfirGWRPrewFEW4..."
    }
  }
}

§ Use-Cases

§ Workplace Credential

Workplace credential refers to a use case scenario for Verifiable Credential, where it is issued to the user by its workplace organization. The user, in this case, could be an employee, student, staff, contractor, or vendor. It supports users’ journeys around Onboarding, access to workplace applications, and even Alumni access scenarios. The objective of workplace credentials is to:

Below is a storyboard that explains one concrete scenario using a workplace credential.

WorkplaceCredential Storyboard

§ Examples

Embedded or referenced non-normative examples

§ Implementations

§ Testing

Implementations may test conformance of the wallets to this profile using this verification website.

§ Test Vectors

Embedded or referenced test vectors.

§ References

§ Normative References

OIDC
Open ID Connect. Nat Sakimura, John Bradley, Michael B. Jones, Breno de Medeiros, Chuck Mortimore. 2014.11. Status: Approved Specification.
DID Core
Decentralized Identifiers (DIDs) v1.0. Manu Sporny, Dave Longley, Markus Sabadello, Drummond Reed, Orie Steele, Christopher Allen. 2021.08. Status: W3C Proposed Recommendation.
SIOPv2 ID1
Self-Issued OpenID Provider v2 (First Implementer’s Draft). Kristina Yasuda, Michael B. Jones, Torsten Lodderstedt. 2022.04. Status: Standards Track.
OpenID4VP ID1
OpenID for Verifiable Presentations (First Implementer’s Draft). Oliver Terbu, Torsten Lodderstedt, Kristina Yasuda, Adam Lemmon, Tobias Looker. 2022.04. Status: Standards Track.
VC Data Model v1.1
Verifiable Credentials Data Model v1.1. Manu Sporny, Dave Longley, David Chadwick. 2021.08. Status: W3C Proposed Recommendation.
Presentation Exchange v1.0.0
Presentation Exchange v1.0.0. Daniel Buchner, Brent Zundel, Martin Riedel.
did-web
Web DID Method. Oliver Terbu, Mike Xu, Dmitri Zagidulin, Amy Guy. Status: Registered in DID Specification Registry.
did-ion
ION DID Method. Various DIF contributors. Status: Registered in DID Specification Registry.
OIDC Registration
OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1. Nat Sakimura, John Bradley, Michael B. Jones. 2014.11. Status: Approved Specification.
Sidetree
Sidetree v1.0.0. Daniel Buchner, Orie Steele, Troy Ronda. 2021.03. Status: DIF Ratified Specification.
Well Known DID
Well Known DID Configuration. Daniel Buchner, Orie Steele, Tobias Looker. 2021.01. Status: DIF Working Group Approved Draft.
Identity Hub (0.0.1 Predraft)
Identity Hub - Decentralized Web Node 0.0.1 Predraft
Status List 2021
Status List 2021. Manu Sporny, Dave Longley, Orie Steele, Mike Prorock, Mahmoud Alkhraishi. 2022.04. Status: Draft Community Group Report.

§ Non-Normative References

JWP
JSON Web Proof. Jeremie Miller, David Waite, Michael B. Jones. Status: Internet-Draft.
JPA
JSON Proof Algorithms Jeremie Miller, Michael B. Jones. Status: Internet-Draft.
Table of Contents