Photo ID Credential Issuance
The Photo ID Credential Issuance extension enables a Qualified Trust Service Provider (QTSP) or other authorised issuer to issue Photo ID credentials to customers' EUDI Wallets. The credential is derived from an electronic Machine-Readable Travel Document (eMRTD) and follows ISO/IEC TS 23220-4 (E) Annex C as profiled in EWC RFC013 - Issue Photo ID.
How it works
- The organisation enables the Photo ID Credential Issuance extension from the dashboard.
- An administrator configures the identity proofing method (PID-based matching or unattended eMRTD proofing with liveness) and the attributes to include in the issued credential.
- When a customer requests a Photo ID, an OpenID4VCI credential offer is generated and shared via QR code or deep link.
- The customer accepts the offer in their EUDI Wallet, completes identity proofing (presenting a PID or scanning an eMRTD) and the wallet completes the authorisation code flow.
- The system issues the Photo ID credential to the wallet in SD-JWT VC and/or mdoc (ISO/IEC 18013-5) format, cryptographically bound to the wallet key.
Configuration
Identity proofing
Select how the customer's identity is verified before issuance:
| Method | Description |
|---|---|
| PID-based proofing | Customer presents a PID credential (EWC RFC003); data is matched against the eMRTD scan |
| Unattended eMRTD proofing | Customer scans their passport and performs a liveness and face-matching check |
Credential attributes
Select which attribute groups to include in the issued credential:
| Attribute group | Examples |
|---|---|
| ISO 23220-1 core | given_name, family_name, birth_date, portrait, issue_date, expiry_date, issuing_authority, issuing_country, document_number, sex, nationality, resident_address |
| Age indicators | age_over_18, age_in_years, age_birth_year |
Photo ID namespace (org.iso.23220.photoid.1) | person_id, birth_country, birth_state, birth_city, travel_document_number, administrative_number |
| DTC data groups | MRZ (DG1), portrait (DG2), SOD and additional data groups (DG3–DG16) |
Issuance settings
| Setting | Description |
|---|---|
| Credential formats | vc+sd-jwt and/or mso_mdoc |
| Validity period | Lifetime of the issued credential |
| Issuance flow | Authorization Code flow (OpenID4VCI) |
| Level of assurance | Extended LoIP required for QEAA issuance |
Integration
Once configured, the system exposes the standard OpenID4VCI endpoints for discovery and issuance.
API endpoints:
- GET
/v3/config/extension/photoid-issuance- Retrieve current configuration
Caution: Disabling the Photo ID Credential Issuance extension deletes its configuration. Previously issued Photo IDs remain valid until their expiry but cannot be refreshed from this issuer. This action is not reversible.