PHPackages                             k2gl/sd-jwt-vc - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. k2gl/sd-jwt-vc

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

k2gl/sd-jwt-vc
==============

SD-JWT-based Verifiable Credentials (SD-JWT VC) in pure PHP: issue and verify dc+sd-jwt credentials

1.0.0(4d ago)041↑50%MITPHP &gt;=8.1

Since Jul 7Compare

[ Source](https://github.com/k2gl/sd-jwt-vc)[ Packagist](https://packagist.org/packages/k2gl/sd-jwt-vc)[ Docs](https://github.com/k2gl/sd-jwt-vc)[ RSS](/packages/k2gl-sd-jwt-vc/feed)WikiDiscussions Synced today

READMEChangelog (1)Dependencies (11)Versions (2)Used By (0)

k2gl/sd-jwt-vc
==============

[](#k2glsd-jwt-vc)

[![CI](https://camo.githubusercontent.com/035d9991219a6eadd0b22bed5f1e0b0bffbaf9cae7fe7cae22fd5687ec971529/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f6b32676c2f73642d6a77742d76632f63692e796d6c3f6272616e63683d6d61696e266c6162656c3d4349266c6f676f3d676974687562)](https://github.com/k2gl/sd-jwt-vc/actions)[![Latest Stable Version](https://camo.githubusercontent.com/e414d7be9a78173ffbbda9ebfed00d428ef631563f7f01df6f3db6196dacc8ff/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6b32676c2f73642d6a77742d7663)](https://packagist.org/packages/k2gl/sd-jwt-vc)[![Total Downloads](https://camo.githubusercontent.com/634fd72494f6c8698d5950496ec2e16bd92119335e7fdeb653a7cb0c2199b7b9/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6b32676c2f73642d6a77742d7663)](https://packagist.org/packages/k2gl/sd-jwt-vc)[![PHPStan](https://camo.githubusercontent.com/4f0c17b6f2d649d1bd4381b961b7402dc6acf3544cc143003c551ee06e37c36a/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f5048505374616e2d6c6576656c253230392d326135656137)](https://phpstan.org/)[![License](https://camo.githubusercontent.com/fc440cb29ee6025e9aabbda15b6940089c7dca5ff9c14ab0aee00084b7767059/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f6b32676c2f73642d6a77742d7663)](https://packagist.org/packages/k2gl/sd-jwt-vc)

SD-JWT-based Verifiable Credentials ([draft-ietf-oauth-sd-jwt-vc](https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/)) in pure PHP: issue and verify `dc+sd-jwt` credentials — the format HAIP and the EU Digital Identity Wallet build on. RFC 9901 processing is provided by [k2gl/sd-jwt](https://github.com/k2gl/sd-jwt); this package adds the credential layer: the `typ`/`vct` rules, the protected-claims rules, and Issuer key discovery.

Tracks **draft -17** (at the IESG for publication). The test suite verifies the draft's own worked examples byte for byte. The most churn-prone surface across draft revisions has been the media type; the verifier accepts both `dc+sd-jwt` and the pre-2024 `vc+sd-jwt`(switchable off).

Install
-------

[](#install)

```
composer require k2gl/sd-jwt-vc
```

Requires PHP 8.1+. The JWT VC Issuer Metadata resolver speaks PSR-18/PSR-17, so bring any HTTP client (or none, if you pin keys or use x5c).

Usage
-----

[](#usage)

### Verify a presentation (Verifier / relying party)

[](#verify-a-presentation-verifier--relying-party)

```
use K2gl\SdJwt\KeyBinding;
use K2gl\SdJwtVc\JwtVcIssuerMetadata;
use K2gl\SdJwtVc\SdJwtVcVerifier;

$verifier = new SdJwtVcVerifier;

$credential = $verifier->verifyPresentation(
    $compact,
    new JwtVcIssuerMetadata($psr18Client, $psr17RequestFactory), // resolves /.well-known/jwt-vc-issuer
    KeyBinding::required(audience: 'https://verifier.example.org', nonce: $nonce),
);

$credential->vct();      // "https://credentials.example.com/identity_credential"
$credential->claims();   // the Processed SD-JWT Payload
$credential->status();   // the status claim, if any (e.g. Token Status List reference)
```

Key discovery mechanisms (Section 2.5), all pluggable via `IssuerKeyResolver`:

- `JwtVcIssuerMetadata` — web-based resolution from `/.well-known/jwt-vc-issuer`, `jwks`or `jwks_uri`, kid-aware, `issuer`⇔`iss` identity enforced.
- `X5cIssuerKeys` — the `x5c` header chain, validated against your trust anchors (signatures, validity windows, anchor membership; revocation is out of scope).
- `StaticIssuerKeys` — keys pinned in configuration.
- Any k2gl/dsse `Verifier` directly, when there is exactly one trusted key.

### Issue a credential

[](#issue-a-credential)

```
use K2gl\SdJwt\Jws\JwsSigner;
use K2gl\SdJwt\Sd;
use K2gl\SdJwtVc\SdJwtVcIssuer;

$issuer = new SdJwtVcIssuer(JwsSigner::es256FromPem($pem));

$credential = $issuer->issue([
    'vct' => 'https://credentials.example.com/identity_credential',
    'iss' => 'https://issuer.example.com',
    'iat' => time(),
    'cnf' => ['jwk' => $holderJwk],
    'given_name' => Sd::hide('John'),
    'birthdate' => Sd::hide('1983-07-29'),
]);

$compact = $credential->toCompact();
```

The `typ` header is always `dc+sd-jwt`; `vct` is required; the claims that the draft forbids disclosing selectively (`iss`, `nbf`, `exp`, `cnf`, `vct`, `vct#integrity`, `status`) are rejected if wrapped in `Sd::hide()` — and rejected again at verification time if a foreign issuer tried it.

Presentation building (selecting disclosures, Key Binding) is the Holder side and lives in k2gl/sd-jwt's `Presentation`.

Scope
-----

[](#scope)

- `dc+sd-jwt` issuance and verification per draft -17, compact serialization.
- Key discovery: JWT VC Issuer Metadata (PSR-18), x5c chains, pinned keys.
- `status` claim surfaced for a status-mechanism check by the application; a Token Status List implementation is a separate concern.
- Type Metadata (Section 4: display, claim metadata, `vct#integrity`) is not implemented — it is wallet-display machinery, not needed to issue or verify.

License
-------

[](#license)

MIT © [Nick Harin](https://github.com/k2gl)

###  Health Score

40

—

FairBetter than 86% of packages

Maintenance99

Actively maintained with recent releases

Popularity9

Limited adoption so far

Community2

Small or concentrated contributor base

Maturity42

Maturing project, gaining track record

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Unknown

Total

1

Last Release

4d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/6bc4aa529c7f13ea593297497f6eae20d5c07f476baa0a551960d7e6ff1e5413?d=identicon)[k2gl](/maintainers/k2gl)

---

Tags

jwtidentitysd-jwtselective-disclosureeudiverifiable-credentialsopenid4vcsd-jwt-vcdigital-credentialshaip

###  Code Quality

TestsPHPUnit

Static AnalysisPHPStan

Code StyleLaravel Pint

Type Coverage Yes

### Embed Badge

![Health badge](/badges/k2gl-sd-jwt-vc/health.svg)

```
[![Health](https://phpackages.com/badges/k2gl-sd-jwt-vc/health.svg)](https://phpackages.com/packages/k2gl-sd-jwt-vc)
```

###  Alternatives

[tempest/framework

The PHP framework that gets out of your way.

2.2k34.4k15](/packages/tempest-framework)[flow-php/flow

PHP ETL - Extract Transform Load - Data processing framework

85036.3k](/packages/flow-php-flow)[cakephp/cakephp

The CakePHP framework

8.9k19.5M1.8k](/packages/cakephp-cakephp)[telnyx/telnyx-php

Official Telnyx PHP SDK — APIs for Voice, SMS, MMS, WhatsApp, Fax, SIP Trunking, Wireless IoT, Call Control, and more. Build global communications on Telnyx's private carrier-grade network.

35789.4k2](/packages/telnyx-telnyx-php)[typo3/cms

TYPO3 CMS is a free open source Content Management Framework initially created by Kasper Skaarhoj and licensed under GNU/GPL.

1.2k1.9M122](/packages/typo3-cms)[laudis/neo4j-php-client

Neo4j-PHP-Client is the most advanced PHP Client for Neo4j

185702.8k44](/packages/laudis-neo4j-php-client)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
