
Protocols

BaseID implements four credential exchange protocols, covering both OpenID-based and DIDComm-based ecosystems.

| Protocol | Purpose | Flow | Standard |
|---|---|---|---|
| OID4VCI | Credential issuance | Issuer → Wallet | OpenID Foundation |
| OID4VP | Credential presentation | Wallet → Verifier | OpenID Foundation |
| SIOPv2 | Self-issued authentication | User → Relying Party | OpenID Foundation |
| DIDComm v2 | Peer-to-peer messaging | Any → Any | DIF / Aries |

OID4VCI — OpenID for Verifiable Credential Issuance


Enables a wallet to receive credentials from an issuer using OAuth 2.0 flows.

1. Issuer creates credential offer (pre-authorized code)
2. Wallet scans QR code / opens deep link
3. Wallet exchanges pre-auth code for access token
   POST /token → { access_token, c_nonce }
4. Wallet requests credential with proof of possession
   POST /credential → { credential: "eyJ..." }
5. Wallet stores credential

| Concept | Description |
|---|---|
| Credential Offer | URI containing issuer metadata and pre-authorized code |
| Pre-authorized Code | One-time code granting access to a specific credential |
| c_nonce | Server-generated nonce for proof of possession |
| Proof of Possession | JWT proving the wallet controls the holder DID |
| Credential Configuration | Describes available credential types |

  • baseid-oid4vci crate (62 tests)
  • Cloud: issuer metadata at /.well-known/openid-credential-issuer
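
The issuer-side check that steps 3 and 4 rely on, as an added example (not code from the baseid-oid4vci crate): the `c_nonce` returned by `/token` must be accepted in a proof of possession at most once. `NonceStore`, `ProofClaims` and the two time constants are hypothetical names and values; the proof JWT's signature is assumed to have been verified against the holder DID already, and the `typ` value and audience rule come from the OID4VCI specification rather than this page.

```rust
use std::collections::HashMap;

const MAX_PROOF_AGE: u64 = 300; // assumed freshness window, seconds
const CLOCK_SKEW: u64 = 30; // assumed tolerated clock skew, seconds

/// Fields of a proof JWT whose signature was already verified against the holder DID.
pub struct ProofClaims {
    pub typ: String,   // JOSE header `typ`
    pub aud: String,   // credential issuer identifier
    pub nonce: String, // c_nonce echoed back by the wallet
    pub iat: u64,      // issued-at, unix seconds
}

#[derive(Debug, PartialEq)]
pub enum ProofError { WrongType, WrongAudience, StaleProof, UnknownOrUsedNonce, ExpiredNonce }

/// Hypothetical issuer-side store mapping each outstanding c_nonce to its expiry.
pub struct NonceStore { issuer: String, outstanding: HashMap<String, u64> }

impl NonceStore {
    pub fn new(issuer: &str) -> Self {
        Self { issuer: issuer.to_string(), outstanding: HashMap::new() }
    }
    /// Record a c_nonce handed out in a /token response.
    pub fn register(&mut self, c_nonce: &str, expires_at: u64) {
        self.outstanding.insert(c_nonce.to_string(), expires_at);
    }
    /// Accept a proof at most once; stateless checks run before the nonce is consumed.
    pub fn check_proof(&mut self, p: &ProofClaims, now: u64) -> Result<(), ProofError> {
        if p.typ != "openid4vci-proof+jwt" { return Err(ProofError::WrongType); }
        if p.aud != self.issuer { return Err(ProofError::WrongAudience); }
        if p.iat > now + CLOCK_SKEW || now.saturating_sub(p.iat) > MAX_PROOF_AGE {
            return Err(ProofError::StaleProof);
        }
        // remove() makes the nonce single-use: a replayed proof finds nothing here.
        let expires_at = self.outstanding.remove(&p.nonce).ok_or(ProofError::UnknownOrUsedNonce)?;
        if now > expires_at { return Err(ProofError::ExpiredNonce); }
        Ok(())
    }
}

fn main() {
    // Constructed sample values, not taken from a real deployment.
    let mut store = NonceStore::new("https://issuer.example");
    store.register("n-123", 1_000);
    let proof = ProofClaims { typ: "openid4vci-proof+jwt".into(), aud: "https://issuer.example".into(), nonce: "n-123".into(), iat: 900 };
    println!("first:  {:?}", store.check_proof(&proof, 910));
    println!("replay: {:?}", store.check_proof(&proof, 911));
}
```

A proof rejected for wrong type, audience or age leaves the nonce outstanding, so a wallet can retry with a corrected proof; once the nonce lookup succeeds it is gone, even if it turns out to be expired.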

OID4VP — OpenID for Verifiable Presentations


Enables a verifier to request and receive credential presentations.

1. Verifier creates presentation request
2. Wallet receives request (QR, deep link, redirect)
3. Wallet matches credentials against presentation definition
4. Wallet creates VP token (selective disclosure if SD-JWT)
5. Wallet submits via direct_post
6. Verifier validates and extracts claims

| Concept | Description |
|---|---|
| Presentation Definition | What credentials the verifier accepts |
| DCQL | Digital Credentials Query Language — alternative query format |
| VP Token | Verifiable presentation with disclosed credentials |
| direct_post | Wallet POSTs directly to verifier callback |

  • baseid-oid4vp crate (64 tests)

DID-based messaging where parties communicate directly using their DIDs.

| Scenario | DIDComm | REST API |
|---|---|---|
| Aries/ACA-Py wallet | Yes | No |
| Server-to-server | No | Yes |
| Multi-step protocol tracking | Yes (threads) | Manual |
| Offline/async messaging | Yes | No |

| Protocol | Messages |
|---|---|
| Trust Ping 2.0 | ping, ping-response |
| Issue Credential 3.0 | offer, request, issue |
| Present Proof 3.0 | request, presentation |

Passwordless authentication using DIDs.

1. Relying Party creates auth request
2. User's wallet acts as OpenID Provider
3. Wallet creates ID Token signed with user's DID
4. Relying Party verifies DID signature → user authenticated
  • baseid-siop crate (43 tests)

Issuing a credential? → OID4VCI
Requesting credentials? → OID4VP (web) or DIDComm (Aries wallet)
Authenticating a user with DID? → SIOPv2
Peer-to-peer messaging? → DIDComm v2
Simple server-to-server? → Cloud REST API