WIA schema (oauth-client-attestation+jwt)
The Wallet Instance Attestation (WIA) is a JWT with media type
oauth-client-attestation+jwt. In OpenID4VCI v1.0 it is specified in
Appendix E, Wallet Attestations in JWT format.
Appendix E says the Wallet Attestation format follows the Client Attestation JWT
of the referenced OAuth attestation draft, and additionally includes the
wallet-specific claims below.
JOSE header
| Field | Status | Notes |
|---|---|---|
| typ | REQUIRED | MUST be oauth-client-attestation+jwt. |
| alg | REQUIRED | Asymmetric signature algorithm (e.g. ES256). |
| kid / x5c | (one of) | Key identification. Appendix E's example uses kid; the playground uses x5c carrying the Wallet Provider certificate (checked against the Wallet Provider Trusted List). |
Payload claims
Base claims (via the Client Attestation JWT format that Appendix E points to):
| Claim | Status | Meaning |
|---|---|---|
| iss | REQUIRED | The Wallet Provider that issued the attestation. |
| sub | REQUIRED | Identifies the wallet (its client identifier). |
| exp | REQUIRED | Expiry. |
| cnf | REQUIRED | Confirmation key (RFC 7800): the instance key bound to the WIA, as a jwk. |
| iat | OPTIONAL | Issued-at. |
| nbf | OPTIONAL | Not-before. |
Additional claims defined by OpenID4VCI v1.0 Appendix E:
| Claim | Status | Meaning |
|---|---|---|
| wallet_name | OPTIONAL | Human-readable name of the Wallet. |
| wallet_link | OPTIONAL | URL for further information about the Wallet and Wallet Provider. |
| status | OPTIONAL | Status mechanism for the Wallet Attestation (token status list). |
OpenID4VCI v1.0 vs TS3 v1.5
The WIA is an oauth-client-attestation+jwt under both profiles, but TS3 v1.5
profiles it: it drops iss (identity comes from x5c), makes sub the client
identifier URL, adds wallet and revocation metadata, and keeps a short
time-to-live. The decoded WIA each profile signs is shown below, in this order:
- OpenID4VCI v1.0
- TS3 v1.5
Header (OpenID4VCI v1.0):
```json
{
  "typ": "oauth-client-attestation+jwt",
  "alg": "ES256",
  "x5c": ["MIIB4DCC... (Wallet Provider certificate)"]
}
```
Payload (OpenID4VCI v1.0 Appendix E claims):
```json
{
  "iss": "https://wallet-provider.igrant.io",
  "sub": "urn:wallet-unit:igrant:6f9a1c20",
  "iat": 1780737559,
  "exp": 1781342359,
  "wallet_name": "Data Wallet by iGrant.io",
  "wallet_link": "https://www.igrant.io/datawallet-for-eudi-wallet.html",
  "cnf": {"jwk": {"kty": "EC", "crv": "P-256", "x": "...", "y": "..."}}
}
```
Header (TS3 v1.5; same media type; identity comes from x5c):
```json
{
  "typ": "oauth-client-attestation+jwt",
  "alg": "ES256",
  "x5c": ["MIIB4DCC... (Wallet Provider certificate)"]
}
```
Payload (no iss / iat; sub is the client_id URL; adds wallet and status metadata):
```json
{
  "sub": "https://wallet.igrant.io",
  "wallet_name": "Data Wallet by iGrant.io",
  "wallet_version": "1.0.1",
  "wallet_link": "https://www.igrant.io/datawallet-for-eudi-wallet.html",
  "wallet_solution_certification_information": "https://wallet-provider.igrant.io/certification/DataWallet/1-0-1/",
  "exp": 1781342359,
  "client_status": {
    "status": {"status_list": {"idx": 1337, "uri": "https://wallet-provider.igrant.io/wia-statuslists/42"}},
    "exp": 1783934359
  },
  "cnf": {"jwk": {"kty": "EC", "use": "sig", "crv": "P-256", "x": "...", "y": "..."}}
}
```
The WIA attests the instance; attesting the keys is the job of the Key Attestation. Together they form the WUA.
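
An added example (not part of the original page or the playground's code): a structural check of a WIA against the header and claim tables above. The function names, the profile labels `v1.0` and `ts3`, and the TS3 required-claim set (the v1.0 set minus `iss`) are assumptions. Signature verification and the `x5c` check against the Wallet Provider Trusted List are not performed here and must come first in a real verifier.

```python
import base64, json, time

WIA_TYP = "oauth-client-attestation+jwt"
# Required payload claims per profile. "v1.0" follows the base-claims table above;
# "ts3" is an assumption: the same set minus iss, which the page says TS3 v1.5 drops.
REQUIRED = {"v1.0": ("iss", "sub", "exp", "cnf"), "ts3": ("sub", "exp", "cnf")}

def _decode(part):
    """base64url-decode one JWT segment (padding restored) and parse it as JSON."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_wia_schema(token, profile="v1.0", now=None):
    """Return a list of schema problems; an empty list means structurally valid.
    Structure only: signature and x5c / Trusted List checks are NOT done here."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected 3 segments)"]
    try:
        header, payload = _decode(parts[0]), _decode(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return ["header and payload must be JSON objects"]
    problems = []
    if header.get("typ") != WIA_TYP:
        problems.append("typ must be " + WIA_TYP)
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none" or alg.startswith("HS"):
        problems.append("alg must be an asymmetric signature algorithm")
    if "kid" not in header and "x5c" not in header:
        problems.append("header needs kid or x5c")
    problems += ["missing claim: " + c for c in REQUIRED[profile] if c not in payload]
    # exp must lie in the future, nbf (optional) must not; both must be numeric.
    for name, bad in (("exp", lambda t: t <= now), ("nbf", lambda t: t > now)):
        value = payload.get(name)
        if name in payload and (not isinstance(value, (int, float)) or bad(value)):
            problems.append(name + " is malformed or outside the validity window")
    cnf = payload.get("cnf")
    if "cnf" in payload and not (isinstance(cnf, dict) and isinstance(cnf.get("jwk"), dict)):
        problems.append("cnf must carry the instance key as a jwk")
    return problems

def make_sample(header, payload):
    """Build a constructed sample token with a dummy signature segment."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc(header) + "." + enc(payload) + ".c2ln"
```
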