I've been digging into the OID4VP specification and wanted to share a clear breakdown of the flow.
## The Players
1. **Verifier** - The service requesting credentials (e.g., your app via CredLyr)
2. **Wallet** - The user's credential wallet (mobile app)
3. **Holder** - The user presenting credentials
## The Flow
### Step 1: Authorization Request
The verifier creates a request specifying what credentials are needed:
```json
{
  "response_type": "vp_token",
  "client_id": "https://verifier.example.com",
  "redirect_uri": "https://verifier.example.com/callback",
  "presentation_definition": {
    "id": "age_verification",
    "input_descriptors": [{
      "id": "age_credential",
      "constraints": {
        "fields": [{
          "path": ["$.vc.credentialSubject.ageOver18"]
        }]
      }
    }]
  }
}
```
### Step 2: Wallet Processing
The wallet:
1. Parses the presentation definition
2. Finds matching credentials
3. Prompts user for consent
4. Applies selective disclosure
### Step 3: VP Token Response
The wallet returns a Verifiable Presentation:
```json
{
  "vp_token": "<signed_vp>",
  "presentation_submission": {
    "definition_id": "age_verification",
    "descriptor_map": [...]
  }
}
```
### Step 4: Verification
The verifier (CredLyr) validates:
- Signature on the VP
- Credential signatures
- Issuer trust
- Presentation matches request
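The last bullet is the one most often skipped: after the signatures check out, the verifier still has to confirm that what the wallet disclosed actually satisfies what Step 1 asked for. Below is an added example of that check, written for this post and not CredLyr's own code. It assumes the VP and credential signatures, issuer trust and the nonce have already been verified and that the `vp_token` has been decoded to plain JSON; the `resolvePath`, `checkSubmission` and sample names are mine.

```typescript
// Added example, not CredLyr's code: the "presentation matches request" check from Step 4.
// Assumes signatures, issuer trust and nonce are already verified and the VP is decoded to JSON.
type Field = { path: string[]; filter?: { const?: unknown } };
type InputDescriptor = { id: string; constraints: { fields: Field[] } };
type Definition = { id: string; input_descriptors: InputDescriptor[] };
type MapEntry = { id: string; format: string; path: string };
type Submission = { definition_id: string; descriptor_map: MapEntry[] };

// Resolver for the JSONPath subset used here ("$", ".key", "[index]"); anything else is rejected.
function resolvePath(root: unknown, path: string): unknown {
  if (!path.startsWith("$")) return undefined;
  const re = /\.([A-Za-z0-9_]+)|\[(\d+)\]/g;
  let cur: any = root;
  let consumed = 1; // characters of `path` matched so far
  for (let m = re.exec(path); m !== null; m = re.exec(path)) {
    if (m.index !== consumed) return undefined; // gap means unsupported syntax
    consumed = re.lastIndex;
    if (cur === null || typeof cur !== "object") return undefined;
    cur = m[1] !== undefined ? cur[m[1]] : cur[Number(m[2])];
  }
  return consumed === path.length ? cur : undefined;
}

// Returns the problems found; an empty list means every input_descriptor is satisfied
// by a credential the wallet actually disclosed, with the required claim value.
function checkSubmission(def: Definition, sub: Submission, vp: unknown): string[] {
  const problems: string[] = [];
  if (sub.definition_id !== def.id) problems.push(`definition_id mismatch: ${sub.definition_id}`);
  for (const desc of def.input_descriptors) {
    const entry = sub.descriptor_map.find((e) => e.id === desc.id);
    if (!entry) { problems.push(`no descriptor_map entry for ${desc.id}`); continue; }
    const cred = resolvePath(vp, entry.path);
    if (cred === undefined) { problems.push(`${entry.path} not found in VP`); continue; }
    for (const field of desc.constraints.fields) {
      // Presence alone is not enough when a const filter is set: the value must match it.
      const values = field.path.map((p) => resolvePath(cred, p)).filter((v) => v !== undefined);
      const want = field.filter?.const;
      const ok = want === undefined ? values.length > 0 : values.includes(want);
      if (!ok) problems.push(`${desc.id}: ${field.path.join("|")} missing or wrong value`);
    }
  }
  return problems;
}

// Constructed sample data: the Step 1 definition plus an `ageOver18 == true` filter, a matching submission, a decoded VP.
const sampleDefinition: Definition = { id: "age_verification", input_descriptors: [{ id: "age_credential",
  constraints: { fields: [{ path: ["$.vc.credentialSubject.ageOver18"], filter: { const: true } }] } }] };
const sampleSubmission: Submission = { definition_id: "age_verification",
  descriptor_map: [{ id: "age_credential", format: "jwt_vc_json", path: "$.verifiableCredential[0]" }] };
const sampleVp = { verifiableCredential: [{ vc: { credentialSubject: { ageOver18: true } } }] };
```

A credential whose `ageOver18` claim is present but `false`, or a submission whose `definition_id` does not match, both come back with a problem rather than passing on presence alone.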
## CredLyr Simplifies This
CredLyr abstracts this complexity. You just define a policy and we handle the OID4VP details:
```typescript
const session = await credlyr.verifications.create({
  policyId: 'pol_age_over_18'
});
// That's it - we generate the full OID4VP request
```
Questions welcome!