Wallet Instance Attestation (WIA)

The Wallet Instance Attestation (WIA) is the part of the WUA that attests the wallet instance: the Wallet Provider asserts that this is a genuine instance of its wallet solution, in good standing, and binds the attestation to a key the instance controls.

It is a JWT with media type oauth-client-attestation+jwt, following the OAuth 2.0 Attestation-Based Client Authentication draft that OpenID4VCI references. Key points:

  • iss is the Wallet Provider; sub identifies the wallet instance (its client identifier).
  • cnf binds the WIA to an instance key (RFC 7800), used to prove possession of the WIA when authenticating.
  • The EUDI profile adds wallet metadata (for example a wallet name and an assurance level).
  • x5c carries the Wallet Provider signing certificate, which a relying party checks against the Wallet Provider Trusted List.

The WIA is about the instance. Attesting the keys a credential is bound to is the job of the Key Attestation. Together they form the WUA.
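
The relying-party checks implied by the key points above, as an added example that is not part of the original page or of any EUDI reference code. Keys, issuer and client identifier are constructed. The Wallet Provider public key is passed in directly, as a stand-in for the key from an x5c certificate already validated against the Trusted List. The PoP typ oauth-client-attestation-pop+jwt and the rule that the PoP iss equals the WIA sub are taken from the OAuth attestation draft, not from this page.

```javascript
// Added example: constructed keys and claims, representative rather than normative.
const nodeCrypto = require('node:crypto');
const b64u = (v) => Buffer.from(v).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const P1363 = 'ieee-p1363'; // JWS ES256 signatures are raw r||s, not DER
function signJwt(header, payload, privateKey) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: P1363 });
  return `${input}.${sig.toString('base64url')}`;
}

// Verify an ES256 compact JWT against a known key; alg and typ are pinned by the caller.
function verifyJwt(jwt, publicKey, expectedTyp, now) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = decode(parts[0]);
  if (header.alg !== 'ES256' || header.typ !== expectedTyp) throw new Error('unexpected alg or typ');
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: P1363 }, Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad signature');
  const payload = decode(parts[1]);
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('expired');
  return payload;
}

// Relying-party view: the WIA is signed by the provider, the PoP by the key in cnf.
function checkWia(wia, pop, providerKey, expectedIssuer, now = Math.floor(Date.now() / 1000)) {
  const att = verifyJwt(wia, providerKey, 'oauth-client-attestation+jwt', now);
  if (att.iss !== expectedIssuer) throw new Error('unexpected iss');
  const jwk = att.cnf && att.cnf.jwk;
  if (!jwk || 'd' in jwk) throw new Error('cnf.jwk missing or carries private key material');
  const instanceKey = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  const proof = verifyJwt(pop, instanceKey, 'oauth-client-attestation-pop+jwt', now);
  if (proof.iss !== att.sub) throw new Error('PoP issuer is not the attested instance');
  return { issuer: att.iss, instance: att.sub };
}

// Constructed sample data: fresh P-256 keys, made-up issuer and client identifier.
function demo() {
  const gen = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const provider = gen(), instance = gen(), other = gen();
  const exp = Math.floor(Date.now() / 1000) + 300;
  const wia = signJwt({ alg: 'ES256', typ: 'oauth-client-attestation+jwt' },
    { iss: 'https://wp.example', sub: 'wallet-instance-1', exp,
      cnf: { jwk: instance.publicKey.export({ format: 'jwk' }) } }, provider.privateKey);
  const popFor = (key) => signJwt({ alg: 'ES256', typ: 'oauth-client-attestation-pop+jwt' },
    { iss: 'wallet-instance-1', exp, jti: nodeCrypto.randomUUID() }, key);
  return { wia, popFor, provider, instance, other };
}
```

Calling checkWia with a PoP signed by any key other than the one in cnf fails with "bad signature", which is the binding the cnf claim provides.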

Illustrative aid

Generated and signed in your browser. The exact WIA claim set is profiled by the OAuth attestation draft and the ARF; the shape here is representative, not normative.