Schema Definitions
This section documents the JWT schemas used in the context of the Wallet Unit Attestation (WUA), anchored to OpenID for Verifiable Credential Issuance (OpenID4VCI) v1.0. Each page lists the JOSE header and payload claims, marks them REQUIRED or OPTIONAL per the spec, points at the exact section, and shows a decoded example that matches the tokens the playground signs.
What makes up a WUA
A WUA is the pairing of two attestations issued by the Wallet Provider:
| Artifact | Media type | Attests | OpenID4VCI 1.0 |
|---|---|---|---|
| Wallet Instance Attestation (WIA) | oauth-client-attestation+jwt | the wallet instance (binds an instance key via cnf) | Appendix E |
| Key Attestation (KA) | key-attestation+jwt | the keys held in the WSCD (attested_keys) | Appendix D |
These are then used during issuance:
| Artifact | Media type | Role | OpenID4VCI 1.0 |
|---|---|---|---|
| Proof of Possession | openid4vci-proof+jwt | proves the wallet controls the key; carries the KA in its header | Appendix F.1, Section 8.2 |
| Credential Request | application/json | sends the proof(s) to the Credential Endpoint | Section 8 |
OpenID4VCI v1.0 vs TS3 v1.5
Claim definitions on these pages are stated against OpenID4VCI v1.0. The EUDI TS3 v1.5 profile diverges in the Key Attestation, the proof of possession and the Credential Request. On those pages an OpenID4VCI v1.0 / TS3 v1.5 tab toggles the decoded example, and a Show TS3 v1.5 changes checkbox reveals a table of exactly what the TS3 profile changes. Sample values are illustrative, not normative.