light-mode-image
Learn
Web

Build a web application that can request and verify credentials via the Digital Credentials API

Overview

DC API support is currently offered as a tech preview. As such, functionality may be limited, may not work in all scenarios, and could change or break without prior notice.

This guide demonstrates how to use the Verifier Web SDK to verify credentials using the Digital Credentials API (DC API).

Prerequisites

This guide builds on the Verifier Web SDK tutorial. It is recommended to complete that tutorial first, then return here to add support for the DC API workflow.

You will also need:

  • Version 2.1.0 or later of the Verifier Web SDK.
  • A web browser that supports the Digital Credentials API:
    • Chrome or a Chromium based browser v138 or later.
    • Safari v26 or later.
  • A wallet application that supports the Digital Credentials API for testing:
    • Google Wallet with a compliant credential, or Google's developer wallet with a test credential.
    • Apple Wallet (requires iOS 26 on an iPhone 11 or later) with a compliant credential or a Wallet Identity Developer profile installed.
    • MATTR Labs wallet, available to selected MATTR customers/partners.

Adjusting your web application to use the DC API

Most of the Verifier Web SDK integration remains the same when using the DC API. The Verifier Web SDK automatically uses the DC API when all of the following conditions are met:

  1. The MATTR VII verifier application configuration has DC API support enabled.
  2. The user's browser supports the DC API.
  3. The credential request is for a single credential (DC API doesn't support multiple credentials in one request).
  4. No walletProviderId is provided in the request options.

If any condition is not met, the SDK falls back to the standard OID4VP flow.

These are the adjustments needed to make sure your verifier web application meets these conditions:

Add DC API support to your verifier application configuration

Add the dcApiConfiguration block to your verifier application configuration:

Request
PUT /v2/presentations/applications/{applicationId}
Request body
{
  // ... your existing configuration
  "dcApiConfiguration": {
    "supportedBrowserPlatforms": {
      "mobile": true,
      "desktop": true
    }
  }
}
  • supportedBrowserPlatforms: Specify which platforms should use DC API:
    • mobile: Set to true to enable DC API on mobile browsers.
    • desktop: Set to true to enable DC API on desktop browsers.

Conditionally omit the walletProviderId when calling the requestCredentials method

When requesting credentials via the DC API, the walletProviderId must be omitted (set to undefined) to allow the SDK to use the DC API flow.

You can achieve this by using the SDK's isDigitalCredentialsApiSupported method to check if the user's browser supports DC API and adjusting the request options accordingly (This method returns true if the browser supports DC API, false otherwise):

Request credentials with DC API
const options: MATTRVerifierSDK.RequestCredentialsOptions = {
  // The array must contain exactly one query to align with the DC API's single credential requirement.
  credentialQuery: [credentialQuery],
  challenge: MATTRVerifierSDK.utils.generateChallenge(),
  openid4vpConfiguration: {
    redirectUri: window.location.origin,
    walletProviderId: MATTRVerifierSDK.isDigitalCredentialsApiSupported() ? undefined : "your-wallet-provider-id",
  },
};

const results = await MATTRVerifierSDK.requestCredentials(options);

Accepting credentials from an Apple Wallet via DC API

When accepting credentials from Apple Wallets via the DC API, trust is anchored in an external root CA certificate issued by Apple Business Connect. You must manually create a verification request signer in MATTR VII and link it to the Apple-issued certificate. See external certificates for background.

This involves the following steps:

  1. Setup an Apple Business Connect account.
  2. Create a verification request signer on your MATTR VII tenant.
  3. Create a matching Apple Business Connect certificate.
  4. Activate the verification request signer.

Setup an Apple Business Connect account

Set up an Apple Business Account for your company, and register with Apple. See Apple Business Connect User Guide for more details.

Create a Certificate Signing Request (CSR)

Next you will use MATTR VII to create a Certificate Signing Request (CSR). This will be shared with Apple Business Connect to create a matching certificate.

Currently this action can only be performed via an API request.

Make the following request to your MATTR VII tenant to create a verification request signer:

Request
POST /v2/presentations/certificates/verifier-signers
Request body
{
  "emailAddress": "user@example.com",
  "country": "US",
  "stateOrProvinceName": "AL",
  "commonName": "my-verifier.example.com",
  "organizationName": "MATTR Learn",
  "caType": "apple"
}
  • emailAddress: The email address of the domain (or IT) administrator.
  • country: The two-letter country code (ISO 3166-1 alpha-2) representing your company's location.
  • stateOrProvinceName: The company's officially recognized state, province, region, or locale.
  • commonName: Fully qualified domain name (FQDN) where the verifier application is hosted.
  • organizationName: The official name of your company.
  • caType: Set to apple to indicate that this signer is for Apple Wallet verification requests.

Response

A successful 201 response indicates that the verification request signer was created successfully:

Response body
{
  "id": "782f1885-c7c2-4459-8426-b6d7c111b0b1", 
  "csrPem": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDXTCCAkWgAwIBAgIJAL5...\n-----END CERTIFICATE REQUEST-----", 
  "active": false,
  "caType": "apple"
}

Make note of the following values:

  • id: The verification request signer ID. You will use it later to activate the signer after creating the matching Apple Business Connect certificate.
  • csrPem: You will need it in the next step to create a matching Apple Business Connect certificate in your Apple Developer account.

Create an Apple Business Connect certificate

Log into the Apple Business Connect portal and create a new Apple Business Connect certificate using the CSR you obtained in the previous step. For detailed instructions, see Apple's documentation.

Once you create the certificate in Apple Business Connect, download the certificate file in pem format. You will use it in the next step to activate the verification request signer in your MATTR VII verifier tenant.

Activate the verification request signer

To activate the verification request signer you created earlier, make the following request to your MATTR VII tenant to update the verification request signer and activate it:

Request
PUT /v2/presentations/certificates/verifier-signers/{verifierSignerId}
  • verifierSignerId: The ID of the verification request signer you created earlier.
Request body
{
  "active": true,
  "certificatePem": "-----BEGIN CERTIFICATE-----\nMIIDXTCCAkWgAwIBAgIJAL5...\n-----END CERTIFICATE-----"
}
  • active: Set to true to activate the signer.
  • certificatePem: The Apple Business Connect certificate you created in the previous step, in pem format.

Once the verification request signer is activated, requests coming from your MATTR VII verifier tenant can be validated, as they are signed using the private key associated with this certificate.

Test the DC API workflow

To test DC API integration, you need:

  1. A supported browser (see compatibility above).
  2. A DC API-compatible wallet with matching credentials:
    • Google Developer Wallet: Available on supported Android devices.
    • Apple Wallet: Available on iOS 26 on an iPhone 11 or later, with either a valid credential or a Wallet Identity Developer profile installed.
    • MATTR Labs Wallet: Contact us to get access.

The user experience should be seamless—the wallet interface appears directly in the browser without leaving your application.

Important considerations

  • Apple Wallet limitations: To accept credentials from Apple Wallets in production environments, your verifier application must be registered and approved by Apple. For more information, see Apple's documentation.
  • No pre-flight check: There's no way to check in advance if the user has a matching credential in a DC API-compatible wallet. If they don't, the wallet will show a "No matching credentials found" message.
  • Error handling: Always implement robust error handling for scenarios where the user lacks compatible credentials or denies consent.

How would you rate this page?

Tutorial

Previous Page

Overview

Next Page

On this page

OverviewPrerequisitesAdjusting your web application to use the DC APIAdd DC API support to your verifier application configurationConditionally omit the walletProviderId when calling the requestCredentials methodAccepting credentials from an Apple Wallet via DC APISetup an Apple Business Connect accountCreate a Certificate Signing Request (CSR)Create an Apple Business Connect certificateActivate the verification request signerTest the DC API workflowImportant considerations