Credential Request schema

The Credential Request is the JSON body the wallet POSTs to the Credential Endpoint to obtain one or more credentials. It is defined in Section 8, Credential Endpoint of OpenID4VCI v1.0. It references the credential configuration being requested and carries the proof(s) of possession.

Body parameters

| Parameter | Status | Meaning |
| --- | --- | --- |
| credential_configuration_id | conditional | Identifier of a credential_configurations_supported entry from Issuer metadata. One of this or credential_identifier is required. |
| credential_identifier | conditional | Alternative to credential_configuration_id, from the Token Response credential_identifiers. |
| proofs | OPTIONAL | Object keyed by proof type (e.g. jwt) whose value is a non-empty array of proofs. Use proofs to request a batch bound to multiple keys. |
| proof | OPTIONAL | A single proof object. Mutually exclusive with proofs. |
| credential_response_encryption | OPTIONAL | Parameters requesting an encrypted Credential Response. |

proof vs proofs

A request carries either a single proof or the proofs array, never both. The proofs.jwt array is how one Credential Request asks for a batch of credentials, each bound to a different attested key.

OpenID4VCI vs TS3

Both profiles use the same request body. With a Key Attestation, each carries a single proof in proofs.jwt, and the Issuer batches from attested_keys; they differ in the proof's kid and which key signs it.

A single proof carrying the Key Attestation (KA), signed by one of the attested keys (kid present):

{
  "credential_configuration_id": "eu.europa.ec.eudi.pid.1",
  "proofs": {
    "jwt": [
      "eyJ0eXAiOiJvcGVuaWQ0dmNpLXByb29mK2p3dC... (one proof, PoP of one attested key)"
    ]
  }
}

See the proof of possession schema for how a single proof binds the whole batch, and try both in the playground. The N-element proofs.jwt array (one proof per key) is OpenID4VCI's path without a Key Attestation.
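
The body rules above (one credential selector, proof and proofs mutually exclusive, a non-empty array per proof type) written as an issuer-side structural check; this is an added example, not code from the OpenID4VCI specification or from this site. It assumes the two selectors are alternatives (exactly one present), reads only the unverified JWT header, and uses constructed names and sample proofs; signature and Key Attestation verification are separate steps.

```python
import base64
import json

PROOF_TYP = "openid4vci-proof+jwt"  # typ header of a jwt proof in OpenID4VCI

def jwt_header(compact):
    """Decode the UNVERIFIED JOSE header of a compact JWT; None if malformed."""
    try:
        seg, _payload, _sig = compact.split(".")  # must be exactly three segments
        header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except (ValueError, AttributeError):
        return None
    return header if isinstance(header, dict) else None

def validate_credential_request(body):
    """Return rule violations for a Credential Request body ([] means well-formed)."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    # Assumption: the two selectors are alternatives, so exactly one is present.
    ids = [k for k in ("credential_configuration_id", "credential_identifier") if k in body]
    if len(ids) != 1:
        errors.append("need exactly one of credential_configuration_id / credential_identifier")
    if "proof" in body and "proofs" in body:
        errors.append("proof and proofs are mutually exclusive")
    if "proofs" in body:
        proofs = body["proofs"]
        if not isinstance(proofs, dict) or not proofs:
            return errors + ["proofs must be an object keyed by proof type"]
        for ptype, items in proofs.items():
            if not isinstance(items, list) or not items:
                errors.append(f"proofs.{ptype} must be a non-empty array")
            elif ptype == "jwt":
                for i, item in enumerate(items):
                    header = jwt_header(item)
                    if header is None or header.get("typ") != PROOF_TYP:
                        errors.append(f"proofs.jwt[{i}] is not a {PROOF_TYP} JWT")
    return errors

def constructed_proof(header):
    """Constructed sample: real header, placeholder payload and signature."""
    b64 = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{b64}.e30.c2ln"

SAMPLE = {"credential_configuration_id": "eu.europa.ec.eudi.pid.1",  # constructed request
          "proofs": {"jwt": [constructed_proof({"typ": PROOF_TYP, "kid": "key-1"})]}}

if __name__ == "__main__":
    print(validate_credential_request(SAMPLE))
```

Rejecting malformed bodies before any proof is verified keeps ambiguous requests (both proof and proofs, or both selectors) from reaching the key-binding logic.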