# SD-JWT .NET Reference Patterns

Reference architecture patterns for building privacy-preserving credential, wallet, verifier, trust, status, and agent-governance workflows on .NET.

These patterns are not turnkey products, compliance certifications, or guaranteed business outcomes. Read How to Read These Patterns for maturity labels, code block conventions, and navigation guidance.
## What are you trying to prove?

| Question | Pattern | Start here |
|---|---|---|
| A person holds the credential they present (holder binding) | SD-JWT VC / mdoc / OID4VP | DC API Web Verification |
| A credential is still valid | Status List | Incident Response |
| An issuer is trusted | OpenID Federation / trust policy | Cross-Border Government |
| A verifier should ask only for required claims | Presentation Exchange | Policy-First Data Minimization |
| A browser should mediate wallet presentation | DC API + OID4VP | DC API Web Verification |
| An AI agent is allowed to call a tool | Agent Trust capability token | AI Agent Authorization |
| An AI system should only see verified minimum facts | Verified Context Gate | Financial AI |
## Choose your path

### Developer path

Start with intuitive examples, then move to browser verification, identity, agent trust, and operations.

- E-Commerce Returns -- verifiable receipts, status lists, federation
- DC API Web Verification -- browser-mediated credential presentation
- Enterprise KYC Onboarding -- credential issuance and verification flows
- AI Agent Authorization -- scoped capability tokens for tool calls
- Incident Response -- trust containment and revocation
### Enterprise architect path

Business value, governance, data minimization, and operating model.

- Financial AI -- verified context gate for AI copilots
- Policy-First Data Minimization -- audit-ready selective disclosure
- Enterprise KYC Onboarding -- workforce credential verification
- Incident Response -- trust containment workflows
- AI Agent Authorization -- agent governance architecture
- Enterprise API Access -- verified client context for APIs
### Wallet / identity architect path

Wallet interoperability, EUDIW, mdoc, and verifier flows.

- EUDIW Cross-Border -- ARF reference verification
- mdoc Identity Verification -- ISO 18013-5 mobile documents
- DC API Web Verification -- browser-mediated presentation
- Cross-Border Government -- cross-border credential exchange
- Enterprise KYC Onboarding -- verifiable onboarding flows
### Agent security path

Least privilege, revocation, fraud, audit, and containment.

- AI Agent Authorization -- scoped capability tokens
- Incident Response -- trust containment workflows
- Policy-First Data Minimization -- provable data minimization
- Telecom eSIM -- fraud-resistant credential lifecycle
- E-Commerce Returns -- single-use credential controls
## Choose by business problem

| Business problem | Use case |
|---|---|
| AI agents with too-broad permissions | AI Agent Authorization |
| AI copilot accessing more data than necessary | Financial AI |
| API authorization beyond OAuth scopes | Enterprise API Access |
| Return fraud costing millions annually | E-Commerce Returns |
| eSIM fraud and SIM-swap attacks | Telecom eSIM |
| Oversharing in healthcare credential exchanges | Healthcare Credentials |
| Slow, document-heavy employee onboarding | Enterprise KYC Onboarding |
| Document-heavy supplier onboarding | Supplier Onboarding |
| Qualification verification without transcripts | Education and Skills Passport |
| Untrusted evidence in insurance claims | Insurance Claims Evidence |
| Chasing PDFs across construction workflows | Construction Readiness Passport |
| Cross-border government data sharing with AI | Cross-Border Government |
| EU cross-border credential acceptance | EUDIW Cross-Border |
| Age or license verification on websites | DC API Web Verification |
| Mobile identity at airport checkpoints | mdoc Identity Verification |
| Credential compromise containment | Incident Response |
| Proving data minimization for auditors | Policy-First Data Minimization |
## Choose by technical pattern

| Technical pattern | Use cases |
|---|---|
| Selective disclosure (SD-JWT VC) | All use cases |
| Status lists (revocation/lifecycle) | E-Commerce Returns, Telecom eSIM, Incident Response, Insurance Claims |
| OpenID Federation (trust chains) | Cross-Border Government, E-Commerce Returns, Telecom eSIM, Supplier Onboarding |
| HAIP profile validation | DC API Web Verification, EUDIW Cross-Border, Financial AI |
| Presentation Exchange (PEX) | Healthcare Credentials, Enterprise KYC, Telecom eSIM, Supplier Onboarding, Education |
| Agent Trust (capability tokens) | AI Agent Authorization, Financial AI, Enterprise API Access |
| mdoc (ISO 18013-5) | mdoc Identity Verification, EUDIW Cross-Border |
| EUDIW / ARF reference models | EUDIW Cross-Border, Cross-Border Government |
| OID4VCI (credential issuance) | Education and Skills Passport, Construction Readiness |
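Because selective disclosure underlies every use case in the table above, the following added example shows the mechanism end to end with nothing but BCL types: the issuer replaces disclosable claims with salted digests in `_sd` and signs the payload (ES256), the holder forwards only the disclosures it chooses, and the verifier checks the issuer signature and then accepts a disclosure only if its digest was committed to. It is not the library's API; the class and method names (`SdJwtDemo`, `Issue`, `Verify`), the sample claims and the issuer key are constructed for illustration, it assumes .NET 6 or later, and it omits the key-binding JWT.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json.Nodes;

// Added example (not the library's API): an SD-JWT round trip with BCL types only.
// SdJwtDemo, Issue and Verify are illustrative names; the sample claims are constructed.
static class SdJwtDemo
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // A disclosure is base64url(JSON [salt, claim name, claim value]).
    static string MakeDisclosure(string name, JsonNode value)
    {
        string salt = B64Url(RandomNumberGenerator.GetBytes(16));   // 128-bit random salt per claim
        return B64Url(Encoding.UTF8.GetBytes(new JsonArray(salt, name, value).ToJsonString()));
    }

    // The digest is computed over the ASCII bytes of the base64url string itself.
    static string Digest(string disclosure) =>
        B64Url(SHA256.HashData(Encoding.ASCII.GetBytes(disclosure)));

    // Issuer: sign a payload that carries only digests of the disclosable claims.
    public static (string SdJwt, Dictionary<string, string> Disclosures) Issue(ECDsa issuerKey)
    {
        var disclosures = new Dictionary<string, string>
        {
            ["given_name"] = MakeDisclosure("given_name", "Alice"),
            ["birthdate"] = MakeDisclosure("birthdate", "1990-01-01"),
            ["age_over_18"] = MakeDisclosure("age_over_18", true),
        };
        // Digests are sorted so their order reveals nothing about claim order.
        var sd = new JsonArray(disclosures.Values.Select(d => Digest(d)).OrderBy(d => d)
                                                  .Select(d => (JsonNode)d).ToArray());
        var payload = new JsonObject
        {
            ["iss"] = "https://issuer.example",
            ["vct"] = "https://credentials.example/identity",
            ["_sd_alg"] = "sha-256",
            ["_sd"] = sd,
        };
        // "dc+sd-jwt" follows current SD-JWT VC drafts; older drafts used "vc+sd-jwt".
        var header = new JsonObject { ["alg"] = "ES256", ["typ"] = "dc+sd-jwt" };
        string signingInput = B64Url(Encoding.UTF8.GetBytes(header.ToJsonString())) + "." +
                              B64Url(Encoding.UTF8.GetBytes(payload.ToJsonString()));
        byte[] sig = issuerKey.SignData(Encoding.ASCII.GetBytes(signingInput),
            HashAlgorithmName.SHA256, DSASignatureFormat.IeeeP1363FixedFieldConcatenation);
        return (signingInput + "." + B64Url(sig), disclosures);
    }

    // Verifier: check the issuer signature, then accept only disclosures whose digest is in "_sd".
    public static JsonObject Verify(string presentation, ECDsa issuerPublicKey)
    {
        string[] parts = presentation.Split('~');
        string[] seg = parts[0].Split('.');
        if (seg.Length != 3) throw new CryptographicException("malformed issuer JWS");
        bool ok = issuerPublicKey.VerifyData(Encoding.ASCII.GetBytes(seg[0] + "." + seg[1]),
            B64UrlDecode(seg[2]), HashAlgorithmName.SHA256, DSASignatureFormat.IeeeP1363FixedFieldConcatenation);
        if (!ok) throw new CryptographicException("issuer signature invalid");

        var payload = JsonNode.Parse(Encoding.UTF8.GetString(B64UrlDecode(seg[1])))!.AsObject();
        var pending = payload["_sd"]!.AsArray().Select(n => n!.GetValue<string>()).ToHashSet();
        payload.Remove("_sd");
        payload.Remove("_sd_alg");
        // parts[1..] are disclosures; the trailing "~" leaves an empty last element when no KB-JWT is present.
        foreach (string d in parts.Skip(1).Where(p => p.Length > 0))
        {
            // Remove() fails for an unknown digest and for a disclosure presented twice.
            if (!pending.Remove(Digest(d))) throw new CryptographicException("disclosure not committed to by issuer");
            var arr = JsonNode.Parse(Encoding.UTF8.GetString(B64UrlDecode(d)))!.AsArray();
            payload[arr[1]!.GetValue<string>()] = JsonNode.Parse(arr[2]!.ToJsonString());
        }
        return payload;
    }

    public static void Main()
    {
        using var issuerKey = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var (sdJwt, disclosures) = Issue(issuerKey);

        // Holder reveals age_over_18 only; given_name and birthdate stay hidden.
        string presentation = sdJwt + "~" + disclosures["age_over_18"] + "~";
        Console.WriteLine(Verify(presentation, issuerKey).ToJsonString());

        // A freshly salted disclosure with the same name and value is not in "_sd" and is rejected.
        string forged = sdJwt + "~" + MakeDisclosure("age_over_18", true) + "~";
        try { Verify(forged, issuerKey); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The point a verifier implementation must not skip is the `pending.Remove(...)` check: a disclosure that decodes cleanly but whose digest is absent from `_sd` carries no issuer commitment and is an injected claim, not a disclosed one. A production verifier additionally checks `iss` against its trust policy, the key-binding JWT (audience, nonce, holder key) and the credential's status entry; those are the Federation, HAIP and Status List building blocks listed above.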
## Core reusable patterns

These trust patterns appear across multiple industry use cases. Each pattern describes a single composable building block.

| Pattern | Summary |
|---|---|
| Verified Context Gate | Attach verified, minimized context to a request before processing |
| Policy-First Data Minimization | Define disclosure policy before requesting data |
| Scoped Agent Capability Token | Scope each agent tool call to a specific action, resource, and time window |
| Status List Lifecycle Control | Revoke, suspend, or expire credentials in real time |
| Federated Trust Onboarding | Dynamically resolve issuer trust across organizations |
| Multi-Format Verifier | Accept both SD-JWT VC and mdoc credentials in one verifier |
| Browser-Mediated Presentation | Use the browser as a credential presentation channel |
| Trust Containment | Contain credential incidents through federation and status updates |
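The Status List Lifecycle Control building block is concrete enough to show in code, so the following added example (not the library's own code) builds and reads a Token Status List with BCL types only: the issuer packs one status value per credential index into a bit array, deflates it with zlib and base64url-encodes it; the verifier inflates the list and reads the entry at the index its credential references. It assumes .NET 6 or later (`ZLibStream`); the names `StatusListDemo`, `CredentialStatus`, `Encode` and `Lookup`, the list capacity, the revoked indices and the status URI are constructed for illustration, and the signed JWT that wraps the list in practice is omitted.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;
using System.Text.Json.Nodes;

// Added example (not the library's API): Token Status List encode/decode with BCL types only.
// Status values follow the Token Status List draft: 0 VALID, 1 INVALID, 2 SUSPENDED.
enum CredentialStatus { Valid = 0, Invalid = 1, Suspended = 2 }

static class StatusListDemo
{
    const int Bits = 2;                       // 2 bits per entry, so 4 entries per byte
    const int EntriesPerByte = 8 / Bits;

    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] B64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Issuer side: set each credential's status, zlib-compress the bit array, base64url-encode it.
    public static string Encode(int capacity, IReadOnlyDictionary<int, CredentialStatus> statuses)
    {
        var raw = new byte[(capacity + EntriesPerByte - 1) / EntriesPerByte];
        foreach (var (idx, status) in statuses)
        {
            if (idx < 0 || idx >= capacity) throw new ArgumentOutOfRangeException(nameof(statuses));
            int shift = (idx % EntriesPerByte) * Bits;    // entry 0 occupies the least significant bits
            raw[idx / EntriesPerByte] |= (byte)((int)status << shift);
        }
        using var ms = new MemoryStream();
        using (var z = new ZLibStream(ms, CompressionLevel.Optimal, leaveOpen: true))
            z.Write(raw, 0, raw.Length);
        return B64Url(ms.ToArray());
    }

    // Verifier side: inflate the list and read the entry the credential points at.
    public static CredentialStatus Lookup(string lst, int idx)
    {
        using var input = new MemoryStream(B64UrlDecode(lst));
        using var z = new ZLibStream(input, CompressionMode.Decompress);
        using var output = new MemoryStream();
        z.CopyTo(output);
        byte[] raw = output.ToArray();
        int pos = idx / EntriesPerByte;
        // Fail closed: an index outside the list is a verification failure, never "valid".
        if (idx < 0 || pos >= raw.Length)
            throw new ArgumentOutOfRangeException(nameof(idx), "index is outside the status list");
        int shift = (idx % EntriesPerByte) * Bits;
        return (CredentialStatus)((raw[pos] >> shift) & ((1 << Bits) - 1));
    }

    public static void Main()
    {
        // Constructed sample: 1000 slots, two revoked credentials and one suspended one.
        string lst = Encode(1000, new Dictionary<int, CredentialStatus>
        {
            [7] = CredentialStatus.Invalid,
            [42] = CredentialStatus.Suspended,
            [999] = CredentialStatus.Invalid,
        });

        // Payload of the status list token (its JWT header and signature are omitted here).
        var listClaim = new JsonObject
        {
            ["status_list"] = new JsonObject { ["bits"] = Bits, ["lst"] = lst },
        };
        Console.WriteLine(listClaim.ToJsonString());

        // "status" claim as carried by a referenced credential.
        var credentialStatus = new JsonObject
        {
            ["status_list"] = new JsonObject { ["idx"] = 42, ["uri"] = "https://issuer.example/status/1" },
        };
        int idx = credentialStatus["status_list"]!["idx"]!.GetValue<int>();
        Console.WriteLine($"idx {idx}: {Lookup(lst, idx)}");   // Suspended
        Console.WriteLine($"idx 8: {Lookup(lst, 8)}");         // Valid
        Console.WriteLine($"idx 999: {Lookup(lst, 999)}");     // Invalid
    }
}
```

Two operational details follow from this layout. The list is small (1000 two-bit entries compress to a few dozen bytes), so a verifier can cache it for the token's `ttl` and keep working through an issuer outage, but it must refresh before `exp` and must fetch the list from the `uri` in the credential only after that issuer has passed the trust-policy check, otherwise an attacker who controls the URI also controls the status answer. Revocation and suspension are both one bit-pair write on the issuer side, which is what makes the parallel containment described under Incident Response practical.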
## Reference pattern catalogue

### Flagship patterns

These patterns best explain the ecosystem's positioning as trust infrastructure.

#### Financial AI / Verified Context Gate

- Problem: AI copilots need member data, but sharing full records creates regulatory risk.
- Pattern: SD-JWT VC provides verifiable data minimization so copilots operate within regulatory boundaries.
- Packages: SD-JWT VC, Status Lists, HAIP, PEX.
- Status: Stable primitives; the verified context gate itself is a reference architecture.

Read the full pattern
#### AI Agent Authorization

- Problem: Agents often use broad credentials to call tools.
- Pattern: Scoped SD-JWT capability tokens per tool call.
- Packages: AgentTrust.Core, Policy, MCP, AspNetCore.
- Status: Preview reference pattern.

Read the full pattern
#### Policy-First Data Minimization

- Problem: Proving to auditors that only required data was requested and received.
- Pattern: Policy-defined presentation exchange with auditable evidence.
- Packages: PEX, OID4VP, Status Lists.
- Status: Stable primitives.

Read the full pattern
#### Incident Response

- Problem: Issuer key compromise requires fast, coordinated containment.
- Pattern: Federation trust updates and status list revocation in parallel.
- Packages: OpenID Federation, Status Lists, HAIP.
- Status: Stable primitives.

Read the full pattern
### Developer-friendly examples

These patterns are intuitive to understand and easier to prototype.

#### E-Commerce Returns

- Problem: Return fraud costs retailers over $100B annually; tightening policies hurts honest customers.
- Pattern: Verifiable receipt credentials with status list lifecycle and federation trust.
- Packages: SD-JWT VC, Status Lists, Federation, PEX.
- Status: Proposed reference credential pattern.

Read the full pattern
#### DC API Web Verification

- Problem: Web applications need credential verification without browser extensions.
- Pattern: W3C Digital Credentials API with OID4VP backend verification.
- Packages: OID4VP, PEX, HAIP.
- Status: Spec-tracking (W3C draft).

Read the full pattern
#### Enterprise KYC Onboarding

- Problem: Employee and contractor onboarding is paper-heavy, slow, and fraud-prone.
- Pattern: Verifiable credentials for identity, right-to-work, and professional licensing.
- Packages: SD-JWT VC, OID4VCI, OID4VP, PEX, Status Lists, Federation.
- Status: Stable primitives.

Read the full pattern
#### mdoc Identity Verification

- Problem: Mobile identity verification across government, travel, and enterprise.
- Pattern: ISO 18013-5 mdoc with OID4VP and HAIP profile validation.
- Packages: Mdoc, OID4VP, HAIP, PEX.
- Status: Stable primitives.

Read the full pattern
### Enterprise workflows

#### Enterprise API Access

- Problem: OAuth scopes are too coarse for context-aware API authorization.
- Pattern: Verified client context tokens attached to API requests.
- Packages: SD-JWT VC, OID4VP, AgentTrust.AspNetCore, Status Lists.
- Status: Reference architecture.

Read the full pattern
#### Supplier Onboarding

- Problem: Supplier verification is document-heavy, fraud-prone, and audit-heavy.
- Pattern: Verifiable credentials from authoritative sources with federation trust.
- Packages: SD-JWT VC, OID4VP, PEX, Federation, Status Lists.
- Status: Reference architecture.

Read the full pattern
#### Education and Skills Passport

- Problem: Qualification verification requires full transcripts and manual confirmation.
- Pattern: Selectively disclosable education credentials with OID4VCI issuance.
- Packages: SD-JWT VC, OID4VCI, OID4VP, PEX, Status Lists.
- Status: Reference architecture.

Read the full pattern
#### Insurance Claims Evidence

- Problem: Claims automation fails when evidence is untrusted.
- Pattern: Verifiable evidence credentials from authoritative providers.
- Packages: SD-JWT VC, PEX, Status Lists, OID4VP, Federation.
- Status: Reference architecture.

Read the full pattern
#### Construction Readiness Passport

- Problem: Construction readiness requires chasing PDFs across multiple authorities.
- Pattern: Verifiable readiness credentials with milestone-gated verification.
- Packages: SD-JWT VC, OID4VCI, OID4VP, PEX, Status Lists.
- Status: Reference architecture.

Read the full pattern
### Regulated and advanced ecosystem patterns

These patterns have high value but more legal, regulatory, and trust-framework complexity.

#### Healthcare Credentials

- Problem: Healthcare data breaches average $9.77M per incident; HIPAA requires minimum necessary disclosure.
- Pattern: Selective disclosure for patient identity, insurance, and provider trust.
- Packages: SD-JWT VC, OID4VP, PEX, Status Lists, HAIP.
- Status: Stable primitives.

Read the full pattern
#### Telecom eSIM

- Problem: eSIM fraud and SIM-swap attacks exploit weak identity verification.
- Pattern: Verifiable subscriber credentials with status list lifecycle.
- Packages: SD-JWT VC, Status Lists, PEX, Federation, HAIP.
- Status: Proposed reference credential pattern.

Read the full pattern
#### Cross-Border Government

- Problem: Cross-border government services need verified citizen data with AI governance.
- Pattern: EUDIW, federation, and HAIP for cross-border credential exchange.
- Packages: EUDIW, OID4VP, Federation, HAIP, PEX.
- Status: Reference infrastructure.

Read the full pattern
#### EUDIW Cross-Border

- Problem: EU member states need interoperable credential verification infrastructure.
- Pattern: EUDIW / ARF reference verification with mdoc and SD-JWT VC support.
- Packages: EUDIW, Mdoc, OID4VP, HAIP.
- Status: Spec-tracking (eIDAS 2.0 / ARF).

Read the full pattern
## Common boundaries

Production deployments require work outside the library:

- Legal review -- regulatory compliance, data protection, contractual obligations
- Policy rules -- which claims to request, which issuers to trust, which actions to allow
- User experience -- consent flows, wallet selection, error handling
- Trust onboarding -- issuer and verifier enrollment, federation configuration
- Key custody -- hardware security modules, key rotation, secure storage
- Storage -- credential storage, audit log retention, session management
- Operations -- monitoring, alerting, incident response, scaling, security assessment
## Further reading

- How to Read These Patterns -- maturity labels, code conventions, navigation
- Core Reusable Patterns -- composable trust building blocks
- Getting Started -- package installation and first steps
- Concepts -- protocol and architecture fundamentals
- Guides -- step-by-step procedures
- Package READMEs -- API-specific guidance