Verify Mobile Driver's Licenses (ISO/IEC 18013-7 mDL) via OID4VP
This guide walks through verifying an mDL based on the ISO/IEC 18013-7 standard using the walt.id Enterprise Verifier API. The verification process uses the OID4VP protocol.
Enterprise Service Dependencies
To verify credentials, you need to have the following enterprise services set up:
- Verifier Service - Have a running verifier service. Setup instructions can be found here.
Verification Process
- Set mDL as the credential type to request from a user.
- Specify the claims from the mDL that are subject to presentation.
- Optionally provide a success and failure redirect URL, which the user will be redirected to after the verification process is completed.
After you have provided the required information, the Verifier API:
- Generates an appropriate DCQL Query
- Returns a URL which can be passed to a compliant wallet to fulfill the request.
Example Verification Request
Endpoint: /v1/{target}/verifier2-service-api/verification-session/create | API Reference
Example Request
curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/verifier-service-api/credentials/verify' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "dcql_query": {
    "credentials": [
      {
        "id": "my_photoid",
        "format": "mso_mdoc",
        "meta": {
          "doctype_value": "org.iso.23220.photoid.1"
        },
        "claims": [
          { "path": [ "org.iso.18013.5.1", "family_name_unicode" ] },
          { "path": [ "org.iso.18013.5.1", "given_name_unicode" ] },
          { "path": [ "org.iso.18013.5.1", "issuing_authority_unicode" ] },
          {
            "path": [ "org.iso.18013.5.1", "resident_postal_code" ],
            "values": [ 1180, 1190, 1200, 1210 ]
          },
          {
            "path": [ "org.iso.18013.5.1", "issuing_country" ],
            "values": [ "AT" ]
          },
          { "path": [ "org.iso.23220.photoid.1", "person_id" ] },
          { "path": [ "org.iso.23220.photoid.1", "resident_street" ] },
          { "path": [ "org.iso.23220.photoid.1", "administrative_number" ] },
          { "path": [ "org.iso.23220.photoid.1", "travel_document_number" ] },
          { "path": [ "org.iso.23220.dtc.1", "dtc_version" ] },
          { "path": [ "org.iso.23220.dtc.1", "dtc_dg1" ] }
        ]
      }
    ]
  },
  "policies": {
    "vcPolicies": [
      { "policy": "signature" },
      {
        "policy": "vical",
        "vical": "<base64 encoded VICAL file>",
        "enableDocumentTypeValidation": false,
        "enableTrustedChainRoot": false,
        "enableSystemTrustAnchors": false,
        "enableRevocation": false
      }
    ]
  }
}'
Path Parameters
- orgID: Your organization ID (e.g., test for test.enterprise-sandbox.waltid.dev)
- target: The verifier service target path (e.g., waltid.verifier1)
Header Parameters
- Authorization: Bearer token authentication is required for the enterprise stack
Body
{
  "dcql_query": {
    "credentials": [
      {
        "id": "my_photoid",
        "format": "mso_mdoc",
        "meta": {
          "doctype_value": "org.iso.23220.photoid.1"
        },
        "claims": [
          { "path": [ "org.iso.18013.5.1", "family_name_unicode" ] },
          { "path": [ "org.iso.18013.5.1", "given_name_unicode" ] },
          { "path": [ "org.iso.18013.5.1", "issuing_authority_unicode" ] },
          {
            "path": [ "org.iso.18013.5.1", "resident_postal_code" ],
            "values": [ 1180, 1190, 1200, 1210 ]
          },
          {
            "path": [ "org.iso.18013.5.1", "issuing_country" ],
            "values": [ "AT" ]
          },
          { "path": [ "org.iso.23220.photoid.1", "person_id" ] },
          { "path": [ "org.iso.23220.photoid.1", "resident_street" ] },
          { "path": [ "org.iso.23220.photoid.1", "administrative_number" ] },
          { "path": [ "org.iso.23220.photoid.1", "travel_document_number" ] },
          { "path": [ "org.iso.23220.dtc.1", "dtc_version" ] },
          { "path": [ "org.iso.23220.dtc.1", "dtc_dg1" ] }
        ]
      }
    ]
  },
  "policies": {
    "vcPolicies": [
      { "policy": "signature" },
      {
        "policy": "vical",
        "vical": "<base64 encoded VICAL file>",
        "enableDocumentTypeValidation": false,
        "enableTrustedChainRoot": false,
        "enableSystemTrustAnchors": false,
        "enableRevocation": false
      }
    ]
  },
  "redirects": {
    "successRedirectUrl": "https://example.com/success",
    "errorRedirectUrl": "https://example.com/error"
  },
  "urlHost": "https://example.com",
  "urlPrefix": "openid4vp://authorize",
  "preset": "cross_device_flow",
  "signedRequest": true,
  "encryptedResponse": true
}
Body Parameters
- dcql_query: The DCQL query to be used for the verification.
- policies: The policies to be applied to the verification. You can find a list of all policies here.
- vical: The VICAL file to be used for the verification. This is a key part of the validation of mDoc credentials. You can find more information about the VICAL policy here.
- redirects - An object containing the success and error redirect URLs. In previous versions of the verifier service, the redirect URLs were passed through the headers successRedirectUri and errorRedirectUri.
- urlHost - The host of the URL to be used for the verification session. In previous versions of the verifier service, the urlHost was passed through the header authorizeBaseUrl.
- urlPrefix - The prefix of the URL to be used for the verification session.
- preset - The preset to be used for the verification session. Options are cross_device_flow and same_device_flow.
- signedRequest - Whether the request should be signed.
- encryptedResponse - Whether the response should be encrypted.
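How a wallet evaluates the dcql_query above, as an added example (not walt.id code): it applies the OpenID4VP DCQL rules that every listed claim is required when no claim_sets is given and that values must match in both type and value. The query is a subset of the request body; the mdoc dictionary layout and its values are constructed for illustration.

```python
QUERY = {  # subset of the credential query from the request body above
    "id": "my_photoid", "format": "mso_mdoc",
    "meta": {"doctype_value": "org.iso.23220.photoid.1"},
    "claims": [
        {"path": ["org.iso.18013.5.1", "family_name_unicode"]},
        {"path": ["org.iso.18013.5.1", "resident_postal_code"],
         "values": [1180, 1190, 1200, 1210]},
        {"path": ["org.iso.18013.5.1", "issuing_country"], "values": ["AT"]},
        {"path": ["org.iso.23220.photoid.1", "person_id"]},
    ],
}

SAMPLE_MDOC = {  # constructed sample: doctype plus namespace -> element -> value
    "doctype": "org.iso.23220.photoid.1",
    "namespaces": {
        "org.iso.18013.5.1": {
            "family_name_unicode": "Muster",
            "resident_postal_code": 1190,
            "issuing_country": "AT",
            "birth_date": "1990-01-01",  # held by the wallet but not requested
        },
        "org.iso.23220.photoid.1": {"person_id": "X-0001"},
    },
}

_MISSING = object()

def same_type_and_value(actual, expected):
    # Exact type comparison: 1190 does not match "1190", and True does not
    # match 1 (bool is a subclass of int in Python).
    return type(actual) is type(expected) and actual == expected

def match_mdoc(query, mdoc):
    """Return {(namespace, element): value} to disclose, or None if no match."""
    if query.get("format") != "mso_mdoc":
        return None
    if mdoc["doctype"] != query["meta"]["doctype_value"]:
        return None
    disclosed = {}
    for claim in query.get("claims", []):
        namespace, element = claim["path"]  # mdoc paths are [namespace, element]
        value = mdoc["namespaces"].get(namespace, {}).get(element, _MISSING)
        if value is _MISSING:
            return None  # a requested claim is absent: credential not returned
        allowed = claim.get("values")
        if allowed is not None and not any(same_type_and_value(value, v) for v in allowed):
            return None  # value constraint not satisfied
        disclosed[(namespace, element)] = value
    return disclosed
```

Because the request lists resident_postal_code values as integers, a credential that stores the postal code as a string will not match the query.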
Example Response
The verification endpoint will return a presentation session with a URL that can be used to complete the verification process:
mdoc-openid4vp://authorize?client_id=waltid.verifier1&request_uri=https://test.enterprise-sandbox.waltid.dev/v1/waltid.verifier1/verifier-service-api/openid4vc/request&response_type=vp_token&response_mode=direct_post.jwt&scope=openid&state=1234567890
Validating the Verification Session
You can query the verification session by using the following endpoint:
curl -X 'GET' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{creationTarget}/verifier2-service-api/verification-session/info' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer {yourToken}'
Path Parameters
- orgID: When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
- creationTarget: resourceIdentifier - The creation target returned when creating the verification session. It is a concatenation of the target resource and the session ID.
This will return the verification session object containing the following useful fields:
- status: The status of the verification session.
- attempted: Whether the verification session has been attempted.
- reattemptable: Whether the verification session can be retried.
- policyResults: The results of the policies applied to the verification session.
- presentedRawData: The raw data of the verifiable presentation token.
- presentedCredentials: The parsed credentials presented by the user.
Policy results will be split into vcPolicy and vpPolicy results. More information about the policy results can be found here.
Alternatively, if you do not want to poll the verification session you can use a callback or Server Sent Events (SSE) to be notified when the verification session is completed.
