A developer toolkit for OpenID4VC — decode, issue, and present verifiable credentials, run a testing wallet, or proxy live wallet traffic for debugging.

• Testing Wallet — stateful CLI wallet with file persistence, OID4VP/VCI flows, QR scanning, and OS URL scheme registration (wallet)
• Reverse Proxy — intercept, classify, and decode OID4VP/VCI wallet traffic in real time (proxy)
• Web UI — paste, decode, and validate credentials in a split-pane browser interface (serve)
• Unified Decode — a single decode command handles SD-JWT, JWT VC, JWT, mDOC, OID4VCI offers, OID4VP requests, and ETSI trust lists
• QR Screen Capture — scan a QR code straight from your screen to decode credentials or OpenID requests (decode --screen)
• Offline Decode & Validate — SD-JWT, JWT VC, mDOC, JWT with signature verification and trust list support
• DCQL Generation — generate Digital Credentials Query Language queries from existing credentials

Download the latest binary for your platform from Releases.

go install github.com/dominikschlosser/oid4vc-dev@latest

git clone https://github.com/dominikschlosser/oid4vc-dev.git
cd oid4vc-dev
go build -o oid4vc-dev .

docker pull ghcr.io/dominikschlosser/oid4vc-dev:latest
docker run -p 8085:8085 -p 8086:8086 ghcr.io/dominikschlosser/oid4vc-dev

The default CMD starts the wallet server with pre-loaded PID credentials in headless mode — ready for automated verifier testing out of the box.

→ Full Docker & verifier testing guide → OIDF conformance notes

oid4vc-dev [--json] [--no-color] [-v] <command> [flags] [input]

Input can be a file path, URL, raw credential string, or piped via stdin.

A stateful testing wallet with file persistence, CLI-driven OID4VP/VCI flows, QR scanning, and OS URL scheme registration.

oid4vc-dev wallet generate-pid          # Generate PID credentials
oid4vc-dev wallet serve                 # Start web UI + OID4VP endpoints
oid4vc-dev wallet ca-cert --out wallet-ca-cert.pem
oid4vc-dev wallet tls-cert --out wallet-tls-cert.pem
oid4vc-dev wallet accept 'openid4vp://authorize?...'
oid4vc-dev wallet scan --screen         # QR scan → auto-dispatch

Security: The wallet server exposes unauthenticated HTTP endpoints for credential management and presentation flows. It is designed exclusively for local development and testing — never expose it to untrusted networks.

wallet serve starts the local wallet UI plus HTTP and HTTPS wallet endpoints for presentation, issuer metadata, trust lists, status lists, and test registrar responses. wallet generate-pid gives you a ready-to-use PID wallet, issue ... --wallet adds new credentials into the same wallet context, and wallet ca-cert / wallet tls-cert export the trust root or exact HTTPS leaf certificate when a verifier needs them.

For day-to-day use, the main commands are:

• wallet serve to run the wallet
• wallet generate-pid to preload PID credentials
• wallet trust-list to get the verifier trust-list URL or JWT
• wallet ca-cert and wallet tls-cert to export certificate material
• wallet --mode debug|strict and --preferred-format ... to control runtime behavior

When a wallet exposes multiple trust-list profiles, /api/trustlists gives you the available IDs and routes. Use the entry's relative path when you access the wallet through Docker port mappings or similar local indirection.

→ Full documentation — subcommands, flags, endpoints, trust lists, storage, URL scheme registration

Generate test SD-JWT, JWT, or mDOC credentials for development and testing.

oid4vc-dev issue sdjwt --pid
oid4vc-dev issue jwt --claims '{"name":"Test","age":30}'
oid4vc-dev issue mdoc --claims '{"name":"Test"}' --doc-type com.example.test
oid4vc-dev issue sdjwt | oid4vc-dev decode

→ Full documentation — all flags, round-trip examples

Intercept and debug OID4VP/VCI traffic between a wallet and a verifier/issuer with a live web dashboard.

oid4vc-dev proxy --target http://localhost:8080

Wallet  <-->  Proxy (:9090)  <-->  Verifier/Issuer (:8080)
                  |
            Live dashboard (:9091)

→ Full documentation — traffic classification, features, flags

Start a local web UI for decoding and validating credentials in the browser.

oid4vc-dev serve
oid4vc-dev serve --port 3000
oid4vc-dev serve credential.txt

Opens a split-pane interface at http://localhost:8080 (default) with auto-decode on paste, format detection, collapsible sections, signature verification, and dark/light theme. Pass a credential as an argument to pre-fill the input on load.

Warning: Only run locally — credentials are sent to the local server for decoding.

Auto-detect and decode credentials (SD-JWT, JWT VC, mDOC), OpenID4VCI/VP requests, and ETSI trust lists.

oid4vc-dev decode credential.txt
oid4vc-dev decode 'openid4vp://authorize?...'
oid4vc-dev decode --screen                    # QR scan from screen

→ Full documentation — auto-detection order, format override, QR scanning, flags

Verify signatures, check expiry, and check revocation status.

oid4vc-dev validate --key issuer-key.pem credential.txt
oid4vc-dev validate --trust-list trust-list.jwt credential.txt
oid4vc-dev validate credential.txt

→ Full documentation — flags, trust list explanation

Generate a DCQL (Digital Credentials Query Language) query from a credential's claims. Always outputs JSON.

oid4vc-dev dcql credential.txt

The wallet evaluates credential_sets constraints when processing DCQL queries, selecting the best matching option from each set.

Example output (SD-JWT):

{
  "credentials": [
    {
      "id": "urn_eudi_pid_1",
      "format": "dc+sd-jwt",
      "meta": { "vct_values": ["urn:eudi:pid:de:1"] },
      "claims": [
        { "path": ["birth_date"] },
        { "path": ["family_name"] },
        { "path": ["given_name"] }
      ]
    }
  ]
}

See docs/spec-compliance.md for detailed compliance status against OID4VP 1.0, OID4VCI 1.0, the currently implemented HAIP subset, SD-JWT, mDoc (ISO 18013-5), ETSI trust lists, and RFC 9596.

Apache-2.0