OID4VP DCQL + direct_post.jwt

Verifier creates a signed authorization request and publishes request_uri. Wallet fetches it, creates an encrypted JWE response containing a signed inner JWT (typ=oauth-authz-resp+jwt) with vp_token, and posts to response_uri. Verifier decrypts and validates (OID4VP §5, §8.3.1).

Try in Looking Glass
Presentation Verificationdirect_post.jwtEncrypted Response

Sequence Diagram

Click any step for details

VerifierWallet1Create Signed Request Object2Fetch Request Object3Wallet Encrypted Response4Decrypt + Validate + Policy Decision
Request
Response
Redirect
Internal

Step-by-Step Breakdown

1
Create Signed Request Object
VerifierWallet
2
Fetch Request Object
WalletVerifier
3
Wallet Encrypted Response
WalletVerifier
4
Decrypt + Validate + Policy Decision
VerifierVerifier

Token Inspector

Specs for this flow

Sections of the protocol that normatively define this flow, plus the security considerations that apply to it.

Security & privacy

· Dedicated security and privacy considerations.