Wallet Unit Attestation, hands on.

An interactive walk through the Wallet Unit Attestation (WUA), the pairing of a Wallet Instance Attestation (WIA) and a Key Attestation (KA). Explore proof of possession, batch issuance, and exactly where OpenID4VCI v1.0 and TS3 v1.5 differ, with real, signed tokens you can decode.

Open the playground Read the docs

oauth-client-attestation+jwt

{
  "sub"Subject of the token (e.g. the Wallet Unit instance for a WIA).: "https://wallet.igrant.io",
  "wallet_name"Human-readable name of the wallet solution (WIA metadata).: "Data Wallet by iGrant.io",
  "wallet_version"Version of the wallet solution (TS3 WIA metadata).: "1.0.1",
  "wallet_link"URL with more information about the wallet solution (WIA metadata).: "https://www.igrant.io/datawallet-for-eudi-wallet.html",
  "wallet_solution_certification_information"URL with certification information for the wallet solution (TS3 WIA metadata).: "https://wallet-provider.igrant.io/certification/DataWallet/1-0-1/",
  "exp"Expiry time (Unix epoch seconds).: 1781342359,
  "client_status"TS3 WIA revocation reference (Token Status List) plus an exp maintenance commitment, for the WIA itself.: {
    "status"Revocation / status reference (IETF Token Status List).: {
      "status_list"Token Status List reference: an index (idx) into a list published at a URI.: {
        "idx"Index of this entry within the referenced Token Status List.: 1337,
        "uri"URL of the published Token Status List.: "https://wallet-provider.igrant.io/wia-statuslists/42"
      }
    },
    "exp"Expiry time (Unix epoch seconds).: 1783934359
  },
  "cnf"Confirmation claim (RFC 7800). Binds the credential / token to a key the holder controls.: {
    "jwk"Public key in JSON Web Key form (RFC 7517).: {
      "kty"JWK key type, e.g. EC (elliptic curve).: "EC",
      "use"JWK public key use, e.g. sig (signature).: "sig",
      "crv"Elliptic curve, e.g. P-256.: "P-256",
      "x"EC public key x-coordinate (base64url).: "...",
      "y"EC public key y-coordinate (base64url).: "..."
    }
  }
}

Data model shown is the EUDI TS3 v1.5 Wallet Unit Attestation profile

Building blocks

Wallet Instance AttestationThe WIA (oauth-client-attestation+jwt): the Wallet Provider attests the wallet instance.Key AttestationThe KA attests keys held in the WSCD. Drag N and flip the OpenID4VCI / TS3 profile.Proof of possessionThe openid4vci-proof+jwt that PoPs an attested key and carries the KA in its header.

Issuance at scale

Batch issuanceOne KA, many keys: credentials, WSCD signatures, and the keys that go to waste.OpenID4VCI vs TS3The profiling rules: with a KA both send one proof; TS3 pins it to attested_keys[0], drops kid and iss, and types keyattestation+jwt.How the Issuer verifiesStep through the KA and proof checks the Issuer performs, per each specification.