Inferensys

Glossary

OpenID for Verifiable Credentials (OID4VC)

A protocol family extending OpenID Connect to enable the issuance and presentation of W3C Verifiable Credentials using standard OAuth 2.0 flows.
Finance professional using AI FP&A copilot on laptop, board presentation visible on screen, home office work session.
PROTOCOL DEFINITION

What is OpenID for Verifiable Credentials (OID4VC)?

A protocol family extending OpenID Connect to enable the issuance and presentation of W3C Verifiable Credentials using standard OAuth 2.0 flows.

OpenID for Verifiable Credentials (OID4VC) is a protocol family that extends the widely adopted OpenID Connect and OAuth 2.0 frameworks to support the secure issuance and cryptographically verifiable presentation of W3C Verifiable Credentials. It standardizes how a digital identity wallet requests a credential from an issuer and how a holder presents that credential to a verifier, bridging existing federated identity infrastructure with decentralized identity models.

The specification defines three primary flows: Credential Issuance, Verifiable Presentation, and Self-Issued OpenID Provider v2 (SIOPv2). By leveraging established OAuth 2.0 authorization mechanisms, OID4VC enables selective disclosure of claims and integrates with Decentralized Identifiers (DIDs) for cryptographic binding, ensuring interoperability between sovereign identity wallets and enterprise relying parties without requiring a centralized identity provider.

PROTOCOL ARCHITECTURE

Key Features of OID4VC

OpenID for Verifiable Credentials (OID4VC) extends the ubiquitous OAuth 2.0 and OpenID Connect framework to enable the cryptographically secure issuance and presentation of W3C Verifiable Credentials. It bridges the gap between existing enterprise identity infrastructure and the emerging decentralized identity ecosystem.

04

OAuth 2.0 Attachments

OID4VC leverages the native security and extensibility of OAuth 2.0, including DPoP (Demonstration of Proof-of-Possession) tokens to bind access tokens to a specific client's key, preventing token replay attacks. It also utilizes OAuth 2.0 Rich Authorization Requests (RAR) to express complex authorization details, and OAuth 2.0 Pushed Authorization Requests (PAR) to improve security by keeping request parameters off the front-channel. This allows OID4VC to inherit decades of battle-tested security infrastructure.

05

Format-Agnostic Design

The protocol family is designed to be credential-format agnostic. While it natively supports W3C Verifiable Credentials Data Model v1.1 and v2.0, it is extensible to other formats like ISO mdoc (ISO 18013-5) for mobile driving licenses and AnonCreds for privacy-preserving ZKP-based credentials. This is achieved through a pluggable Credential Format Profile mechanism, allowing the same issuance and presentation flows to work with different cryptographic suites such as BBS+ or SD-JWT.

OID4VC CLARIFIED

Frequently Asked Questions

Clear, technically precise answers to the most common questions about the OpenID for Verifiable Credentials protocol family, designed for identity architects and government IT directors implementing sovereign identity infrastructure.

OpenID for Verifiable Credentials (OID4VC) is a protocol family that extends OpenID Connect and OAuth 2.0 to enable the secure issuance and presentation of W3C Verifiable Credentials. It works by defining standardized endpoints and flows: the Credential Issuer exposes an API where a Holder (typically a digital wallet) authenticates using OAuth 2.0 and receives tamper-evident credentials. For presentation, the Verifier sends a Presentation Request to the wallet, which responds with a Verifiable Presentation containing only the required claims. The core specifications are OpenID4VCI (Issuance) and OpenID4VP (Presentation), which leverage existing OAuth 2.0 authorization servers and rely on DID methods or traditional X.509 certificates for cryptographic binding. This architecture bridges the gap between legacy federated identity systems and the emerging decentralized identity ecosystem, allowing governments and enterprises to issue credentials like mobile driver's licenses (conforming to ISO 18013-5) using familiar security infrastructure.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.