
Digital Identity & Verifiable Credentials
LutraID
Issue and verify digital credentials with OpenID4VC, SD-JWT VC and ISO mdoc.
The challenge
The move toward eIDAS 2.0 and the EU Digital Identity Wallet pushes organizations to issue and verify interoperable digital credentials, but the underlying OpenID4VC stack is fragmented and hard to implement correctly. Teams must reconcile SD-JWT VC, ISO mdoc, DCQL, selective disclosure, holder binding, and HAIP profiles while proving conformance. Few production-ready platforms tie these standards together behind a usable operator surface.
What we built
Lutra Labs built LutraID, a platform for issuing and verifying digital documents across the OpenID4VC standards family. The backend implements OpenID4VCI issuance and OpenID4VP verification with SD-JWT VC and ISO mdoc/mDL formats, DCQL query generation, and configurable assurance profiles (a default generic-low profile plus a stricter HAIP-oriented technical profile). It handles the hard cryptographic surface directly: platform-managed X.509 issuer/verifier certificates, JWK and x5c credential proofs, JWE request/response encryption with ECDH-ES, holder binding, and trust-anchor stripping on outbound chains. Correctness is exercised against the OpenID Foundation conformance suite, and the system ships as a multi-tenant SaaS, a self-hosted edition, and a minimal public testing edition from one monorepo.
Highlights
- OpenID4VCI issuance with pre-authorized-code and authorization-code grants, PAR/PKCE, and by-value or by-reference credential offers
- OpenID4VP verification via signed request objects, DCQL, and both direct_post and direct_post.jwt response modes
- SD-JWT VC and ISO mdoc/mDL credentials with selective disclosure, holder binding, and platform-issued X.509 signing identities
- Encrypted issuance using compact JWE (ECDH-ES with A128GCM/A256GCM) for credential request and response
- Assurance profiles (generic-low and haip-technical) that gate proof types, attestation, and verifier posture per organization
- Validated against the OpenID Foundation OID4VCI issuer and OID4VP verifier conformance harness, with SaaS, self-hosted, and public editions
Outcome
Covers OpenID Foundation OID4VCI issuer and OID4VP verifier conformance scenarios for SD-JWT VC, including pre-authorized-code, authorization-code, and HAIP direct_post.jwt flows.
Tech stack
- TypeScript
- Hono
- Next.js
- Drizzle ORM
- PostgreSQL
- Valkey
- BullMQ
- Better Auth
- Stripe
- jose
- dcql
- SD-JWT VC
- ISO mdoc / mDL
- OpenID4VCI
- OpenID4VP
- DCQL
- AWS KMS
- HashiCorp Vault
- Docker Compose
- Nx
- pnpm