Receive DC API verification response
POST/v2/config/digital-wallet/openid/sdjwt/verification/history/:presentationExchangeId/receive
Receives an OpenID4VP Authorization Response delivered over the W3C Digital Credentials API (DC API) transport for a previously created verification request.
The verifier frontend invokes the browser's navigator.credentials.get() with the request returned in dcApiRequest. The browser routes the request to the holder's wallet, which produces a credential response. The frontend forwards that response to this endpoint.
This endpoint is a transparent gateway: it authenticates the caller, looks up the verification record by presentationExchangeId, then proxies the request body byte-for-byte to the underlying digital wallet deployment, where JWE decryption (when responseMode is dc_api.jwt), VP Token parsing per OID4VP 1.0 §8.1, DCQL structure validation, and persistence are performed. The wallet's response body and HTTP status are returned to the caller unchanged.
Use this endpoint only when the verification request was created with responseMode set to dc_api or dc_api.jwt. For direct_post and direct_post.jwt flows the wallet posts the response directly to the verifier's redirect_uri and this endpoint is not used.
Request
Path Parameters
Unique identifier of the presentation exchange record tracking a single OpenID4VP verification lifecycle.
- application/json
Body
required
Body must contain exactly one of the two fields below. Field names are case-sensitive (lowercase, snake_case). Any additional fields are silently ignored downstream; the presentation submission is not sent; it is derived downstream from the DCQL query and the structure of vp_token.
- response (string)
- vp_token (object)
For responseMode = dc_api.jwt: JWE compact serialization (five base64url segments separated by .) returned by the wallet. The downstream wallet decrypts it with the encryption key minted for this verification record and extracts vp_token from the decrypted payload.
For responseMode = dc_api (alternative form): a JSON-encoded string whose decoded form is {"vp_token": { ... }}.
vp_token objectrequired
Map of input descriptor / DCQL credential ID to the wallet's Verifiable Presentation(s). Encoding of each VP depends on credential format (dc+sd-jwt, mso_mdoc, jwt_vc_json).
May be supplied as a parsed JSON object or as a JSON-encoded string; the wallet parses string values automatically.
Map of input descriptor / DCQL credential ID to the wallet's Verifiable Presentation(s). Encoding of each VP depends on credential format (dc+sd-jwt, mso_mdoc, jwt_vc_json).
May be supplied as a parsed JSON object or as a JSON-encoded string; the wallet parses string values automatically.
Responses
- 200
- 400
- 401
- 404
- 500
- 502
Wallet processed the DC API response. Body is the wallet's response forwarded verbatim; the updated verification record, including dcApiRequest, dcApiProtocol, parsed presentation, and verification status.
Response Headers
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
request_sent: The OpenID4VP Authorization Request has been created and is waiting for the holder.request_received: The holder's wallet has received/scanned the Authorization Request.presentation_acked: The holder has submitted the Verifiable Presentation and the verifier has processed it.direct_post: Response sent via HTTP POST to the verifier'sredirect_uriwithout encryption.direct_post.jwt: Response sent via HTTP POST encrypted as a JWE.dc_api: Response delivered over the W3C Digital Credentials API transport without JWE encryption. Compatible with bothsignedandunsigneddcApiRequestTypevalues.dc_api.jwt: Response delivered over the W3C Digital Credentials API transport encrypted as a JWE.openid4vp-v1-unsigned: The Authorization Request is passed unencrypted to the browser's DC API. The browser can inspect the request for risk analysis. Use for development/testing only.openid4vp-v1-signed: The Authorization Request is signed by the verifier's key and passed as an opaque string to the browser's DC API. Provides verifier authentication. Recommended for production. Only present whenresponseModeisdc_apiordc_api.jwt.- Array [
- For
openid4vp-v1-signed: Contains{ "request": "<signed-JWT>" }, a JWT signed by the verifier's key. - For
openid4vp-v1-unsigned: Contains the full Authorization Request object withclient_metadata,dcql_query,nonce,response_mode,response_type. - For
openid4vp-v1-signed: Contains{ "request": "<signed-JWT>" }, a JWT signed by the verifier's key. - For
openid4vp-v1-unsigned: Contains the full Authorization Request object withclient_metadata,dcql_query,nonce,response_mode,response_type. - ]
- Array [
- For
openid4vp-v1-signed:{ "request": "<signed-JWT>" }. - For
openid4vp-v1-unsigned: the full inline Authorization Request object (response_type,response_mode,nonce,dcql_query,client_metadata, …). - ]
- Array [
- ]
Unique identifier for the verification exchange record, tracking the full lifecycle of a single OpenID for Verifiable Presentation (OpenID4VP) verification request.
Unique identifier for this verification exchange record. Same value as presentationExchangeId.
OpenID4VP Authorization Request URI encoded for QR code display or deep link. The holder's wallet scans or clicks this to initiate the presentation flow. Empty when using DC API response modes (dc_api or dc_api.jwt).
State parameter for the OpenID4VP Authorization Request, used to correlate the request with the response.
Full OpenID4VP Authorization Request URI or payload. Empty when using DC API response modes (dc_api or dc_api.jwt).
presentationSubmission objectrequired
Wrapper containing the Presentation Submission object received from the holder's wallet.
presentation_submission objectrequired
DIF Presentation Exchange Submission object mapping the holder's credentials to the verifier's requirements.
Identifier of the Presentation Definition that this submission fulfills.
descriptor_map object[]required
Array of Descriptor Map entries mapping each requested credential to its location in the Verifiable Presentation.
Credential format of the matched credential (e.g. jwt_vc_json, dc+sd-jwt, mso_mdoc).
Identifier of the Input Descriptor from the Presentation Definition that this entry satisfies.
JSONPath expression pointing to the Verifiable Credential within the Verifiable Presentation token.
path_nested object
Nested path descriptor for credentials wrapped in envelope formats (e.g. JWT inside a VP JWT).
Credential format of the nested credential (e.g. jwt_vc_json, dc+sd-jwt, mso_mdoc).
Identifier of the Input Descriptor from the Presentation Definition that this nested entry satisfies.
JSONPath expression pointing to the credential within the nested envelope.
Unique identifier for this Presentation Submission.
Possible values: [request_sent, request_received, presentation_acked]
Lifecycle status of the verification exchange:
Result of verifying the Verifiable Presentation: validates cryptographic signatures, credential status, and the Presentation Submission against the Presentation Definition.
Unix timestamp (in seconds) when this verification record was created.
Unix timestamp (in seconds) when this verification record was last modified.
Identifier of the presentation definition used for this verification request.
Identifier of the OpenID4VP organisation that initiated this verification request.
holder objectrequired
Contains the metadata describing a holder. For e.g. Name, location, logo e.t.c
Identifier of the holder. For .e.g. DID or Name obtained from client metadata if available.
Wallet Unit Attestation credential presented by the holder during the verification flow.
Proof of Possession for the holder's Wallet Unit Attestation.
Indicates whether the holder's Wallet Unit Attestation was successfully verified.
Array of decoded credential objects presented by the holder.
Array of Verifiable Presentation JWTs received from the holder.
transactionData object
Transaction data confirmed by the holder during the presentation flow.
Transaction data confirmed by the holder during the presentation flow.
Base64-encoded transaction data included in the presentation.
Array of validation results for each credential in the presentation, including signature verification, expiry checks, and revocation status.
Array of validation results for the holder's Wallet Unit Attestation.
Possible values: [redirect_uri, did, verifier_attestation, x509_san_dns]
Client ID scheme used by the verifier in the OpenID4VP Authorization Request.
URI the wallet redirects to after posting the Authorization Response. Empty when using DC API response modes (dc_api or dc_api.jwt).
Possible values: [direct_post, direct_post.jwt, dc_api, dc_api.jwt]
OpenID4VP response mode determining how the Authorization Response is delivered:
Verifier Attestation JWT sent to the holder, proving the verifier's authorization.
Identifier of the individual the verification request was sent to.
Mapper identifier linking the verification to an external individual record.
Data agreement referencing the terms governing this verification.
Cryptographic nonce used in the OpenID4VP Authorization Request to ensure freshness and prevent replay attacks.
Possible values: [openid4vp-v1-unsigned, openid4vp-v1-signed]
Digital Credentials API exchange protocol identifier returned when the presentation definition is configured for DC API response modes.
Identifies the protocol variant used with the W3C Digital Credentials API (navigator.credentials.get()):
dcApiRequest object
Request object for the W3C Digital Credentials API, structured for browser invocation via navigator.credentials.get().
Contains browser-specific request formats for Chrome and Safari.
Only present when responseMode is dc_api or dc_api.jwt.
chrome object
Digital Credentials API request format for Chromium-based browsers. Uses the providers structure per the W3C Digital Credentials API specification.
digital object
Digital credential request options for Chromium-based browsers.
providers object[]
Array of credential request providers, each specifying a protocol and request data.
Digital Credentials API exchange protocol identifier (e.g. openid4vp-v1-signed, openid4vp-v1-unsigned).
request object
The OpenID4VP Authorization Request payload. Structure varies by protocol:
The OpenID4VP Authorization Request payload. Structure varies by protocol:
safari object
Digital Credentials API request format for Safari-based browsers. Uses the requests structure.
digital object
Digital credential request options for Safari-based browsers.
requests object[]
Array of credential requests for Safari, each containing data and protocol.
JSON-stringified Authorization Request payload (Safari's DC API expects a string, not an object).
Decoding it yields the same structure that Chrome receives in request:
Digital Credentials API exchange protocol identifier (e.g. openid4vp-v1-signed, openid4vp-v1-unsigned).
Indicates whether the OpenID4VP Authorization Response must be encrypted as a JWE. true when responseMode is direct_post.jwt or dc_api.jwt. false when responseMode is direct_post or dc_api.
When false, the signature stamp is hidden in signed PDFs.
Possible values: >= 4, <= 4
Coordinates for signature placement in signed PDFs as [x1, y1, x2, y2].
files object[]
List of files generated during the verification, including signed and unsigned PDF documents.
Identifier of the credential associated with this file.
Error code if signing failed, null otherwise.
Detailed error message if signing failed, null otherwise.
URL of the signed PDF file.
URL of the unsigned PDF file.
{
"presentationExchangeId": "string",
"id": "string",
"vpTokenQrCode": "string",
"vpTokenRequestState": "string",
"vpTokenRequest": "string",
"presentationSubmission": {
"presentation_submission": {
"definition_id": "string",
"descriptor_map": [
{
"format": "string",
"id": "string",
"path": "string",
"path_nested": {
"format": "string",
"id": "string",
"path": "string"
}
}
],
"id": "string"
}
},
"status": "request_sent",
"verified": true,
"createdAt": 0,
"updatedAt": 0,
"presentationDefinitionId": "string",
"openIdOrganisationId": "string",
"holder": {
"name": "string"
},
"walletUnitAttestation": "string",
"walletUnitAttestationPoP": "string",
"walletUnitAttestationVerified": true,
"presentation": [
{}
],
"vpTokenResponse": [
"string"
],
"transactionData": {},
"transactionDataBase64": "string",
"presentationValidity": [
{}
],
"walletUnitValidity": [
{}
],
"clientIdScheme": "redirect_uri",
"directPostRedirectUri": "string",
"responseMode": "direct_post",
"verifierAttestation": "string",
"individualId": "string",
"mapperId": "string",
"dataAgreement": {},
"nonce": "string",
"dcApiProtocol": "openid4vp-v1-unsigned",
"dcApiRequest": {
"chrome": {
"digital": {
"providers": [
{
"protocol": "string",
"request": {}
}
]
}
},
"safari": {
"digital": {
"requests": [
{
"data": "string",
"protocol": "string"
}
]
}
}
},
"requiresEncryption": true,
"signatureStamp": true,
"signatureCoordinate": [
0
],
"files": [
{
"credentialId": "string",
"error": "string",
"errorDescription": "string",
"signedFile": "string",
"unsignedFile": "string"
}
]
}
Invalid request. Either the gateway could not resolve the organisation/wallet deployment or read the body, or the wallet rejected the payload (responseMode mismatch, missing/unparsable response/vp_token, no encryption key bound to the verification record, JWE decryption failed, VP Token structure or validation failed). Wallet errors are forwarded with their original status and body.
Response Headers
- application/json
- Schema
- Example (from schema)
Schema
{
"errorCode": 400,
"errorDescription": "Bad input parameter"
}
Unauthorized.
Response Headers
- application/json
- Schema
- Example (from schema)
Schema
{
"errorCode": 400,
"errorDescription": "Bad input parameter"
}
Verification history not found for the supplied presentationExchangeId.
Response Headers
- application/json
- Schema
- Example (from schema)
Schema
{
"errorCode": 400,
"errorDescription": "Bad input parameter"
}
Internal server error (failed to create the upstream request, or to read the wallet response body).
Response Headers
- application/json
- Schema
- Example (from schema)
Schema
{
"errorCode": 400,
"errorDescription": "Bad input parameter"
}
Failed to forward the DC API response to the digital wallet deployment.
Response Headers
- application/json
- Schema
- Example (from schema)
Schema
{
"errorCode": 400,
"errorDescription": "Bad input parameter"
}