A comprehensive, production-ready .NET ecosystem for Selective Disclosure JSON Web Tokens (SD-JWTs) and the complete verifiable credential stack. This project provides enterprise-grade implementations of cutting-edge identity and credential standards with enhanced security, performance optimization, and multi-platform support.
```bash
# Core SD-JWT functionality
dotnet add package SdJwt.Net

# Verifiable Credentials
dotnet add package SdJwt.Net.Vc

# Try comprehensive samples
git clone https://github.com/openwallet-foundation-labs/sd-jwt-dotnet.git
cd sd-jwt-dotnet/samples/SdJwt.Net.Samples
dotnet run
```

| Package | Release | Specification | Status |
|---|---|---|---|
| SdJwt.Net | NuGet (MinVer) | RFC 9901 | Stable |
Core SD-JWT functionality with RFC 9901 compliance, JWS JSON Serialization, and enterprise security.
| Package | Release | Specification | Status |
|---|---|---|---|
| SdJwt.Net.Vc | NuGet (MinVer) | draft-ietf-oauth-sd-jwt-vc-15 | Draft-15 |
| SdJwt.Net.StatusList | NuGet (MinVer) | draft-ietf-oauth-status-list-18 | Draft-18 |
Complete verifiable credential lifecycle with revocation, suspension, and status management.
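The `bits` parameter that `CreateStatusListTokenAsync` takes (see the StatusList snippet further down) decides how status values are packed on the wire. The following is an added example written for this page, not code from SdJwt.Net.StatusList, showing the packing, compression and lookup rules of draft-ietf-oauth-status-list with the same value set used in that snippet (0 valid, 1 invalid, 2 suspended). Signing of the status list token is omitted, and the credential `status` claim and status list URI are constructed sample data.

```csharp
// Added example, not SdJwt.Net.StatusList code: what the bits parameter of
// CreateStatusListTokenAsync means on the wire, following
// draft-ietf-oauth-status-list. Status index 0 lives in the least significant
// bits of byte 0; the byte array is zlib-compressed and base64url-encoded into
// the "lst" claim. Signing the status list token is omitted.
using System;
using System.IO;
using System.IO.Compression;
using System.Text.Json.Nodes;

static class StatusListCodec
{
    public const byte Valid = 0x00, Invalid = 0x01, Suspended = 0x02;

    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromB64Url(string s)
    {
        var b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    public static byte[] Pack(byte[] statuses, int bits)
    {
        if (bits is not (1 or 2 or 4 or 8)) throw new ArgumentException("bits must be 1, 2, 4 or 8");
        int perByte = 8 / bits, max = (1 << bits) - 1;
        var packed = new byte[(statuses.Length + perByte - 1) / perByte];
        for (int i = 0; i < statuses.Length; i++)
        {
            if (statuses[i] > max) throw new ArgumentException($"status {statuses[i]} needs more than {bits} bits");
            packed[i / perByte] |= (byte)(statuses[i] << ((i % perByte) * bits));
        }
        return packed;
    }

    // Verifier-side lookup. An index past the end of the list is a hard failure,
    // not "valid": the issuer never assigned that slot.
    public static byte Read(byte[] packed, int bits, int idx)
    {
        int perByte = 8 / bits;
        if (idx < 0 || idx / perByte >= packed.Length)
            throw new ArgumentOutOfRangeException(nameof(idx), "index outside status list");
        return (byte)((packed[idx / perByte] >> ((idx % perByte) * bits)) & ((1 << bits) - 1));
    }

    public static string Compress(byte[] raw)
    {
        using var ms = new MemoryStream();
        using (var z = new ZLibStream(ms, CompressionLevel.SmallestSize, leaveOpen: true)) z.Write(raw);
        return B64Url(ms.ToArray());
    }

    // Bounded inflate: the list comes from the network, so cap the output to
    // stop a decompression bomb from exhausting memory.
    public static byte[] Decompress(string lst, int maxBytes = 16 * 1024 * 1024)
    {
        using var input = new MemoryStream(FromB64Url(lst));
        using var z = new ZLibStream(input, CompressionMode.Decompress);
        using var output = new MemoryStream();
        var buf = new byte[8192];
        int n;
        while ((n = z.Read(buf, 0, buf.Length)) > 0)
        {
            output.Write(buf, 0, n);
            if (output.Length > maxBytes) throw new InvalidDataException("status list exceeds size limit");
        }
        return output.ToArray();
    }

    // Claim an issuer puts in the status list token.
    public static JsonObject StatusListClaim(byte[] statuses, int bits) => new JsonObject
    {
        ["status_list"] = new JsonObject { ["bits"] = bits, ["lst"] = Compress(Pack(statuses, bits)) }
    };

    static void Main()
    {
        // Constructed example: six credentials; #1 revoked, #2 suspended, rest valid.
        var statuses = new byte[] { Valid, Invalid, Suspended, Valid, Valid, Valid };
        Console.WriteLine(Convert.ToHexString(Pack(statuses, 2))); // 2400: byte 0 = 0b00100100

        var token = StatusListClaim(statuses, bits: 2);

        // Credential side: the "status" claim the SD-JWT VC carries (constructed sample).
        var credential = new JsonObject
        {
            ["status"] = new JsonObject
            {
                ["status_list"] = new JsonObject { ["idx"] = 2, ["uri"] = "https://issuer.example/status/1" }
            }
        };

        // Verifier: fetch the token at "uri" (assumed signature-verified), then read
        // "bits" from the token, never from the credential, and look up idx.
        var list = token["status_list"]!;
        var packed = Decompress(list["lst"]!.GetValue<string>());
        int idx = credential["status"]!["status_list"]!["idx"]!.GetValue<int>();
        var status = Read(packed, list["bits"]!.GetValue<int>(), idx);
        Console.WriteLine(status == Suspended); // True
    }
}
```

Two details matter in practice: `bits` is taken from the signed status list token rather than from the credential, so a holder cannot shift the lookup onto a neighbouring slot, and an `idx` beyond the list length is treated as a verification failure rather than as "valid".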
| Package | Release | Specification | Status |
|---|---|---|---|
| SdJwt.Net.Oid4Vci | NuGet (MinVer) | OpenID4VCI 1.0 | Stable |
| SdJwt.Net.Oid4Vp | NuGet (MinVer) | OpenID4VP 1.0 | Stable |
Complete credential issuance and presentation verification protocols.
| Package | Release | Specification | Status |
|---|---|---|---|
| SdJwt.Net.OidFederation | NuGet (MinVer) | OpenID Federation 1.0 | Stable |
| SdJwt.Net.PresentationExchange | NuGet (MinVer) | DIF PEX v2.1.1 | Stable |
| SdJwt.Net.HAIP | NuGet (MinVer) | HAIP 1.0 | Draft |
Enterprise federation, trust management, intelligent credential selection, and high assurance compliance.
| Package | Release | Specification | Status |
|---|---|---|---|
| SdJwt.Net.Mdoc | NuGet (MinVer) | ISO 18013-5 mDL | Stable |
ISO 18013-5 mobile document (mdoc/mDL) support for driver's licenses and government credentials.
| Package | Release | Specification | Status |
|---|---|---|---|
| SdJwt.Net.Wallet | NuGet (MinVer) | Generic wallet with plugin architecture | Stable |
| SdJwt.Net.Eudiw | NuGet (MinVer) | eIDAS 2.0 EU Wallet ARF | Stable |
Digital credential wallet infrastructure with EU Digital Identity Wallet (EUDIW) support.
| Package | Release | Specification / Design Source | Status |
|---|---|---|---|
| SdJwt.Net.AgentTrust.Core | NuGet (MinVer) | Capability SD-JWT profile (project proposal) | Preview |
| SdJwt.Net.AgentTrust.Policy | NuGet (MinVer) | Rule-based policy and delegation model | Preview |
| SdJwt.Net.AgentTrust.AspNetCore | NuGet (MinVer) | ASP.NET Core middleware integration | Preview |
| SdJwt.Net.AgentTrust.Maf | NuGet (MinVer) | MAF/MCP middleware and adapter integration | Preview |
Capability-based trust enforcement for bounded agent-to-tool and agent-to-agent calls.
- RFC 9901 Compliant: Full implementation with security hardening
- HAIP Support: High Assurance Interoperability Profile for government and enterprise
- Algorithm Enforcement: Blocks weak algorithms (MD5, SHA-1), enforces SHA-2 family
- Attack Prevention: Protection against timing attacks, replay attacks, signature tampering
- Zero-Trust Architecture: Cryptographic verification at every layer
- Multi-Platform Optimized: .NET 8, 9, 10 and .NET Standard 2.1
- Modern Cryptography: Platform-specific optimizations (SHA256.HashData() on .NET 6+)
- Scalable Operations: Optimized for high-throughput issuance and verification
- Memory Efficient: Optimized allocation patterns for high-volume scenarios
- IETF Standards: RFC 9901 and SD-JWT VC draft-15
- OpenID Foundation: Complete protocol implementations
- W3C Alignment: Verifiable Credentials data model compatibility
- DIF Integration: Presentation Exchange v2.1.1 support
- HAIP Compliance: High assurance security profiles
- Comprehensive Samples: 19 hands-on tutorials organized by skill level
- Fluent APIs: Intuitive, discoverable interfaces
- Rich Documentation: Detailed guides with security considerations
- Production Ready: Battle-tested with 1400+ comprehensive tests
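The "RFC 9901 Compliant" and "Signature Tampering" points above rest on one mechanism: the signed payload carries only salted digests of the selectively disclosable claims, and a verifier accepts a disclosure only if it hashes to one of those digests. The following is an added example written for this page, not code from SdJwt.Net; it implements that disclosure/digest link directly on top of `System.Text.Json` so the behaviour behind `DisclosureStructure` and `CreatePresentation` is visible. Issuer signing of the payload is omitted, and the claim set is constructed sample data.

```csharp
// Added example, not SdJwt.Net code: the RFC 9901 disclosure/digest mechanics
// that sit underneath SdIssuanceOptions.DisclosureStructure and
// SdJwtHolder.CreatePresentation. Issuer signing of the payload is omitted;
// in a real verifier the payload below is what you read out of a verified JWS.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json.Nodes;

static class SdJwtDigestDemo
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromB64Url(string s)
    {
        var b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    // Disclosure = base64url(JSON array [salt, claim name, claim value]).
    // The salt is fresh CSPRNG output per disclosure (>= 128 bits), which is what
    // makes two issuances of the same claim value unlinkable by digest.
    public static string MakeDisclosure(string name, JsonNode? value)
    {
        var salt = B64Url(RandomNumberGenerator.GetBytes(16));
        var arr = new JsonArray(salt, name, value);
        return B64Url(Encoding.UTF8.GetBytes(arr.ToJsonString()));
    }

    // The value stored in "_sd" is the hash of the ASCII disclosure string itself.
    public static string Digest(string disclosure) =>
        B64Url(SHA256.HashData(Encoding.ASCII.GetBytes(disclosure)));

    // Issuer: strip the selectively disclosable claims out of the payload and
    // leave only their digests (plus one decoy) in a sorted "_sd" array.
    public static (JsonObject Payload, List<string> Disclosures) Issue(
        JsonObject claims, IEnumerable<string> disclosable)
    {
        var disclosures = new List<string>();
        var digests = new List<string>();
        foreach (var name in disclosable)
        {
            var value = claims[name]?.DeepClone();
            claims.Remove(name);
            var d = MakeDisclosure(name, value);
            disclosures.Add(d);
            digests.Add(Digest(d));
        }
        digests.Add(Digest(B64Url(RandomNumberGenerator.GetBytes(16)))); // decoy digest
        digests.Sort(StringComparer.Ordinal); // order must not leak claim order
        claims["_sd"] = new JsonArray(digests.Select(s => (JsonNode)s).ToArray());
        claims["_sd_alg"] = "sha-256";
        return (claims, disclosures);
    }

    // Verifier: every presented disclosure must hash to a digest in the signed
    // "_sd" array, exactly once, and must not collide with an existing claim.
    public static JsonObject Verify(JsonObject payload, IEnumerable<string> presented)
    {
        var alg = payload["_sd_alg"]?.GetValue<string>() ?? "sha-256";
        if (alg != "sha-256") throw new InvalidOperationException($"unsupported _sd_alg {alg}");
        var allowed = payload["_sd"]!.AsArray()
            .Select(n => n!.GetValue<string>()).ToHashSet(StringComparer.Ordinal);
        var result = (JsonObject)payload.DeepClone();
        result.Remove("_sd");
        result.Remove("_sd_alg");
        var seen = new HashSet<string>(StringComparer.Ordinal);
        foreach (var d in presented)
        {
            var digest = Digest(d);
            if (!allowed.Contains(digest)) throw new InvalidOperationException("disclosure not bound by _sd");
            if (!seen.Add(digest)) throw new InvalidOperationException("duplicate disclosure");
            var arr = JsonNode.Parse(Encoding.UTF8.GetString(FromB64Url(d)))!.AsArray();
            if (arr.Count != 3) throw new InvalidOperationException("malformed disclosure");
            var name = arr[1]!.GetValue<string>();
            if (name is "_sd" or "..." || result.ContainsKey(name))
                throw new InvalidOperationException($"claim name not allowed: {name}");
            result[name] = arr[2]?.DeepClone();
        }
        return result; // undisclosed digests are simply dropped
    }

    static void Main()
    {
        // Constructed sample claims, not real data.
        var claims = new JsonObject
        {
            ["iss"] = "https://issuer.example", ["sub"] = "user-42",
            ["email"] = "alice@example.com", ["given_name"] = "Alice", ["age_over_18"] = true,
        };
        var (payload, disclosures) = Issue(claims, new[] { "email", "given_name", "age_over_18" });
        Console.WriteLine(payload.ToJsonString()); // digests only, no PII in the signed part

        // Holder presents only the third disclosure (age_over_18).
        Console.WriteLine(Verify(payload, new[] { disclosures[2] }).ToJsonString());

        // A disclosure minted by the holder (fresh salt, same claim) hashes to no digest.
        var forged = MakeDisclosure("age_over_18", JsonValue.Create(true));
        try { Verify(payload, new[] { forged }); }
        catch (InvalidOperationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The rejection path is the security-relevant part: because the digest covers the salt, name and value together, a holder cannot alter a disclosed value, re-attach a disclosure from another credential, or present the same disclosure twice to smuggle a duplicate claim. The `_sd_alg` check mirrors the algorithm enforcement listed above; anything other than a SHA-2 digest in that field should be refused before any disclosure is processed.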
```csharp
// Digital identity for citizens accessing government services
var citizenCredential = await governmentIssuer.IssueDigitalIdAsync(citizen);
var ageProof = citizen.CreateAgeVerificationPresentation(minimumAge: 18);
await servicePortal.VerifyAndGrantAccessAsync(ageProof);
```

```csharp
// University issues degree, student presents to employer
var degree = await university.IssueDegreeCredentialAsync(graduate);
var jobPresentation = graduate.CreateProfessionalPresentation(
    disclosure => disclosure.ClaimName is "degree" or "gpa" or "honors");
await employer.VerifyQualificationsAsync(jobPresentation);
```

```csharp
// Patient shares medical data with specialist
var medicalRecord = await hospital.IssueMedicalCredentialAsync(patient);
var specialistPresentation = patient.CreateSelectiveMedicalPresentation(
    shareConditions: ["allergies", "current_medications"],
    protectInfo: ["full_history", "mental_health"]);
await specialist.ProcessPatientDataAsync(specialistPresentation);
```

```csharp
// Privacy-preserving loan application with HAIP compliance
var employmentCredential = await employer.IssueEmploymentVerificationAsync(applicant);
var incomePresentation = applicant.CreateIncomeVerificationPresentation(
    disclose: ["employment_status", "salary_range"],
    protect: ["exact_salary", "performance_reviews"]);
await bank.ProcessLoanApplicationAsync(incomePresentation);
```

```csharp
// DMV issues mDL, citizen presents at TSA checkpoint
using SdJwt.Net.Mdoc.Issuer;
using SdJwt.Net.Mdoc.Namespaces;

var mdl = await new MdocIssuerBuilder()
    .WithDocType("org.iso.18013.5.1.mDL")
    .WithIssuerKey(dmvSigningKey)
    .WithDeviceKey(citizenDeviceKey)
    .AddMdlElement(MdlDataElement.FamilyName, "Johnson")
    .AddMdlElement(MdlDataElement.GivenName, "Alice")
    .AddMdlElement(MdlDataElement.AgeOver21, true)
    .BuildAsync(cryptoProvider);

// Citizen presents only age verification (not birthdate)
await checkpoint.VerifyAgeOnlyAsync(mdl, selectElements: ["age_over_21"]);
```

```mermaid
graph TB
    subgraph ApplicationLayer[Application Layer]
        WalletApp[Wallet Application]
        IssuerApp[Issuer Service]
        VerifierApp[Verifier Service]
        GovApp[Government Portal]
    end
    subgraph ProtocolLayer[Protocol Layer]
        OID4VCI[SdJwt.Net.Oid4Vci: Credential Issuance]
        OID4VP[SdJwt.Net.Oid4Vp: Presentations]
        PEx[SdJwt.Net.PresentationExchange: DIF PE v2.1.1]
        OidFed[SdJwt.Net.OidFederation: Trust Chains]
    end
    subgraph ComplianceLayer[Compliance Layer]
        HAIP[SdJwt.Net.HAIP: Level 1 / 2 / 3]
    end
    subgraph CoreLayer[Core Layer]
        Core[SdJwt.Net: RFC 9901]
        Vc[SdJwt.Net.Vc: W3C VC]
        Status[SdJwt.Net.StatusList: Revocation]
        Mdoc[SdJwt.Net.Mdoc: ISO 18013-5]
    end
    WalletApp --> OID4VP
    WalletApp --> OID4VCI
    IssuerApp --> OID4VCI
    VerifierApp --> OID4VP
    VerifierApp --> PEx
    GovApp --> HAIP
    OID4VCI --> HAIP
    OID4VP --> HAIP
    PEx --> HAIP
    OidFed --> HAIP
    HAIP --> Core
    HAIP --> Vc
    HAIP --> Status
    HAIP --> Mdoc
    OidFed --> Core
    OID4VP --> Mdoc
    style HAIP fill:#d62828,color:#fff
    style Core fill:#1b4332,color:#fff
    style Mdoc fill:#2a6478,color:#fff
```
```csharp
using SdJwt.Net.Issuer;

// Create issuer
var issuer = new SdIssuer(signingKey, SecurityAlgorithms.EcdsaSha256);

// Issue with selective disclosure
var credential = issuer.Issue(claims, new SdIssuanceOptions
{
    DisclosureStructure = new { email = true, address = new { city = true } }
});

// Holder creates presentation
var holder = new SdJwtHolder(credential.Issuance);
var presentation = holder.CreatePresentation(
    disclosure => disclosure.ClaimName == "email");
```

```csharp
using SdJwt.Net.Vc.Issuer;
using SdJwt.Net.HAIP;

// Government issuer with Level 3 compliance
var haipValidator = new HaipCryptoValidator(HaipLevel.Level3_Sovereign, logger);
var keyValidation = haipValidator.ValidateKeyCompliance(signingKey, "ES512");

if (keyValidation.IsCompliant)
{
    var vcIssuer = new SdJwtVcIssuer(issuerKey, algorithm);
    var credential = vcIssuer.Issue("https://gov.example/national-id", vcPayload, options);
}
```

```csharp
using SdJwt.Net.StatusList.Issuer;

// Create status list
var statusManager = new StatusListManager(statusKey, algorithm);
var statusValues = new byte[] { 0, 1, 2 }; // valid, invalid, suspended
var statusList = await statusManager.CreateStatusListTokenAsync(
    statusListUrl, statusValues, bits: 2);

// Check credential status
var statusVerifier = new StatusListVerifier(httpClient);
var statusResult = await statusVerifier.CheckStatusAsync(statusClaim, keyResolver);
var isValid = statusResult.IsValid;
```

```csharp
// Verify presentation with expected nonce
var result = await verifier.VerifyAsync(presentation, validationParams, kbParams, "expected-nonce");
```

- Approved: SHA-256, SHA-384, SHA-512, ECDSA P-256/384/521
- Blocked: MD5, SHA-1 (automatically rejected)
- Enhanced: Constant-time operations, secure random generation
- Level 1 (High): ES256+, PS256+, proof of possession
- Level 2 (Very High): ES384+, PS384+, wallet attestation, DPoP
- Level 3 (Sovereign): ES512+, PS512+, HSM backing, qualified signatures
- Signature Tampering: Cryptographic detection and prevention
- Replay Attacks: Nonce and timestamp validation
- Timing Attacks: Constant-time comparison operations
- Key Confusion: Strong key binding validation
- Selective Disclosure: Granular claim-level privacy control
- Zero-Knowledge Patterns: Prove properties without revealing data
- Context Isolation: Audience-specific presentations
- Correlation Resistance: Multiple unlinkable presentations
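The replay, timing and key-binding points above come together in the verifier's handling of the Key Binding JWT, which is what the `"expected-nonce"` argument of `VerifyAsync` feeds. The following is an added example written for this page, not code from SdJwt.Net.Oid4Vp, showing the claim checks RFC 9901 requires on a KB-JWT: single-use nonce, audience, `iat` freshness window, and the `sd_hash` that ties the KB-JWT to the exact SD-JWT+Disclosures string presented. It assumes the KB-JWT signature has already been verified against the `cnf` key of the issuer JWT and that `_sd_alg` is sha-256; the presentation string, audience URL and time window are constructed sample values.

```csharp
// Added example, not SdJwt.Net.Oid4Vp code: verifier-side replay and binding
// checks on the Key Binding JWT defined in RFC 9901. Assumes the KB-JWT
// signature was already verified against the cnf key in the issuer JWT and
// that the SD-JWT's _sd_alg is sha-256; only the claim checks are shown.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json.Nodes;

static class KeyBindingChecks
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // sd_hash = base64url(sha-256(<issuer JWT>~<disc1>~...~<discN>~)), i.e. the
    // presentation up to and including the last '~' before the KB-JWT. Binding
    // this hash stops a holder from swapping disclosures under a valid KB-JWT.
    public static string SdHash(string presentation)
    {
        int cut = presentation.LastIndexOf('~') + 1;
        return B64Url(SHA256.HashData(Encoding.ASCII.GetBytes(presentation[..cut])));
    }

    // Verifier nonce registry: one use, one audience, short lifetime.
    public sealed class NonceStore
    {
        private readonly Dictionary<string, DateTimeOffset> _issued = new();

        public string Issue(DateTimeOffset now)
        {
            var nonce = B64Url(RandomNumberGenerator.GetBytes(32));
            _issued[nonce] = now;
            return nonce;
        }

        // False for unknown, already consumed, or expired nonces. Removal is
        // unconditional so a failed attempt still burns the nonce.
        public bool Consume(string nonce, DateTimeOffset now, TimeSpan ttl) =>
            _issued.Remove(nonce, out var issuedAt) && now - issuedAt <= ttl;
    }

    public static (bool Ok, string Reason) Check(
        JsonObject kb, string presentation, string expectedAud, NonceStore nonces, DateTimeOffset now)
    {
        // Burn the nonce first: a presentation that fails later cannot be retried either.
        if (!nonces.Consume(kb["nonce"]?.GetValue<string>() ?? "", now, TimeSpan.FromMinutes(5)))
            return (false, "nonce unknown, reused or expired");
        if (kb["aud"]?.GetValue<string>() != expectedAud)
            return (false, "aud mismatch");
        // iat: tolerate a minute of skew but reject future-dated or stale tokens.
        var iat = DateTimeOffset.FromUnixTimeSeconds(kb["iat"]?.GetValue<long>() ?? 0);
        if (iat > now.AddMinutes(1) || now - iat > TimeSpan.FromMinutes(5))
            return (false, "iat outside acceptance window");
        // Constant-time comparison; FixedTimeEquals also returns false on length mismatch.
        var expected = Encoding.ASCII.GetBytes(SdHash(presentation));
        var got = Encoding.ASCII.GetBytes(kb["sd_hash"]?.GetValue<string>() ?? "");
        if (!CryptographicOperations.FixedTimeEquals(got, expected))
            return (false, "sd_hash does not match presented SD-JWT+Disclosures");
        return (true, "ok");
    }

    static void Main()
    {
        // Constructed presentation: opaque stand-ins for the issuer JWT and two disclosures.
        const string presentation =
            "eyJhbGci.eyJfc2Qi.sig~WyJzYWx0MSIsImVtYWlsIiwiYUBleC5jb20iXQ~WyJzYWx0MiIsImFnZV9vdmVyXzE4Iix0cnVlXQ~";
        var now = DateTimeOffset.UtcNow;
        var nonces = new NonceStore();
        var nonce = nonces.Issue(now);

        // KB-JWT payload the wallet would sign (header and signature omitted).
        var kb = new JsonObject
        {
            ["iat"] = now.ToUnixTimeSeconds(), ["aud"] = "https://verifier.example",
            ["nonce"] = nonce, ["sd_hash"] = SdHash(presentation),
        };
        Console.WriteLine(Check(kb, presentation, "https://verifier.example", nonces, now)); // (True, ok)

        // Replay of the same presentation: nonce already consumed.
        Console.WriteLine(Check(kb, presentation, "https://verifier.example", nonces, now)); // (False, nonce ...)

        // Fresh nonce but one disclosure dropped after signing: sd_hash no longer matches.
        kb["nonce"] = nonces.Issue(now);
        var trimmed = presentation[..presentation.IndexOf('~')] + "~";
        Console.WriteLine(Check(kb, trimmed, "https://verifier.example", nonces, now)); // (False, sd_hash ...)
    }
}
```

The nonce is consumed before any other check so that a captured presentation cannot be replayed even if the first attempt was rejected, and `sd_hash` is compared in constant time so that a mismatch does not leak which prefix of the digest was correct. In a multi-instance verifier the `NonceStore` would be backed by a shared store with the same single-use semantics.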
- .NET 8.0 - Full support with modern optimizations
- .NET 9.0 - Latest features and optimal performance
- .NET 10.0 - Full support
- .NET Standard 2.1 - Backward compatibility for legacy systems
- Windows (x64, x86, ARM64)
- Linux (x64, ARM64)
- macOS (x64, Apple Silicon)
- Container Ready (Docker, Kubernetes)
- Cloud Native (Azure, AWS, GCP)
Performance is measured with a real BenchmarkDotNet harness in benchmarks/SdJwt.Net.Benchmarks.
Run benchmarks locally:
```bash
dotnet run --configuration Release --project benchmarks/SdJwt.Net.Benchmarks/SdJwt.Net.Benchmarks.csproj -- --job short --warmupCount 1 --iterationCount 3 --exporters markdown json
```

Benchmark results are generated in:

```text
benchmarks/SdJwt.Net.Benchmarks/BenchmarkDotNet.Artifacts/results/
```
The CI performance-benchmarks job executes the same harness and uploads result artifacts for each run.
- Documentation Portal - Main entry point to all documentation
- 15-Minute Quickstart - Tutorial to get up and running quickly
- Ecosystem Architecture - Deep dive into system architecture
- Interactive Samples - 19 tutorials with interactive CLI (Beginner to Advanced)
- Package Documentation - Core package API reference
- Verifiable Credentials - SD-JWT VC specification
- Status Lists - Credential lifecycle management
- OpenID4VCI - Credential issuance protocols
- OpenID4VP - Presentation protocols
- mdoc/mDL - ISO 18013-5 mobile documents
- OpenID Federation - Trust chain management
- Presentation Exchange - Credential selection
- HAIP Compliance - High assurance security profiles
- Agent Trust Core - Capability token minting and verification
- Agent Trust Policy - Rule and delegation engine
- Agent Trust ASP.NET Core - Inbound token verification middleware
- Agent Trust MAF - Outbound token propagation for tool calls
- Agent Trust Guide - End-to-end integration walkthrough
- Agent Trust Concepts - Architecture and flow model
- Enterprise Roadmap - Strategic roadmap with ISO mDL/mdoc, DC API, eIDAS 2.0
```bash
dotnet add package SdJwt.Net
```

```bash
# Full verifiable credential stack
dotnet add package SdJwt.Net
dotnet add package SdJwt.Net.Vc
dotnet add package SdJwt.Net.StatusList

# OpenID protocols
dotnet add package SdJwt.Net.Oid4Vci
dotnet add package SdJwt.Net.Oid4Vp

# Advanced features
dotnet add package SdJwt.Net.OidFederation
dotnet add package SdJwt.Net.PresentationExchange
dotnet add package SdJwt.Net.HAIP

# ISO credential formats
dotnet add package SdJwt.Net.Mdoc

# Agent trust kits
dotnet add package SdJwt.Net.AgentTrust.Core
dotnet add package SdJwt.Net.AgentTrust.Policy
dotnet add package SdJwt.Net.AgentTrust.AspNetCore
dotnet add package SdJwt.Net.AgentTrust.Maf
```

```bash
git clone https://github.com/openwallet-foundation-labs/sd-jwt-dotnet.git
cd sd-jwt-dotnet/samples/SdJwt.Net.Samples
dotnet run
```

We welcome contributions! Please see the CONTRIBUTING.md file for detailed guidelines and instructions.
- Documentation: Comprehensive guides and API reference
- Discussions: GitHub Discussions for community questions
- Issues: GitHub Issues for bug reports
- Security: Report security issues to tldinteractive@gmail.com or see SECURITY.md
- Open Wallet Foundation: Part of the OpenWallet Foundation ecosystem
- Standards Participation: Active in IETF OAuth WG, OpenID Foundation, DIF
- Industry Collaboration: Working with implementers across industries
Licensed under the Apache License 2.0 - see the LICENSE file for details.
This permissive license allows commercial use, modification, distribution, and private use while providing license and copyright notice requirements.
This project builds upon the excellent work of the global identity standards community:
- IETF OAuth Working Group - SD-JWT and Status List specifications
- OpenID Foundation - OpenID4VCI, OpenID4VP, Federation, and HAIP standards
- DIF - Presentation Exchange specification
- W3C - Verifiable Credentials data model
- Open Wallet Foundation - Digital identity standards advancement
- All specification editors and contributors
- Early adopters and feedback providers
- Security researchers and auditors
- The broader .NET and identity communities
