Skip to content

openvc

A small, dependency-light Verifiable Credentials core for Python. It signs and verifies credentials in three proof formats — VC-JWT (JOSE), SD-JWT VC (selective disclosure), and Data Integrity (eddsa-rdfc-2022 / ecdsa-rdfc-2019 and the selective-disclosure ecdsa-sd-2023 over RDF, plus eddsa-jcs-2022 / ecdsa-jcs-2019 over RFC 8785 JCS with no pyld) — resolves issuer keys by DID (did:key, did:jwk, did:web, did:webvh), by /.well-known/jwt-vc-issuer, or by X.509 x5c chain (with EU Trusted List anchors), issues and checks status-list revocation, verifies holder presentations (VP-JWT, ldp_vc, and a stateless OpenID4VP 1.0 vp_token — including experimental ISO 18013-5 mso_mdoc over the W3C Digital Credentials API and HAIP JWE-encrypted responses), and — via an optional plugin — verifies against the EBSI trust registries. Post-quantum ML-DSA (RFC 9964) signing and verification is available behind an explicit opt-in. Private keys can live behind an HSM/Vault and never enter the process.

pip install openvc-core                    # core
pip install "openvc-core[data-integrity]"  # + eddsa-rdfc-2022 / ecdsa-rdfc-2019 (pyld)
pip install "openvc-core[ebsi]"            # + the EBSI registry client (httpx)

The one-call verifier

from openvc import verify_credential, VerificationPolicy

# `credential` is a VC-JWT / SD-JWT string, or a Data Integrity / enveloped dict.
result = verify_credential(
    credential,
    policy=VerificationPolicy(expected_types=["VerifiableCredential"]),
    resolve_status_list=fetch_verified_status_list,   # needed if it declares a status
)
print(result.format, result.issuer, result.subject)

verify_credential detects the format, resolves the issuer key, verifies the proof, and applies policy (types, audience, fail-closed status). This site is the API reference, generated from the docstrings; the task-oriented manual — guides per proof format, presentations, status lists, trust, HSM integration, the security model — lives on the project wiki, and the examples are runnable scripts of every flow.

How it fits together

Layer Modules
One-call verifier openvc.verify
Presentations OpenID4VP 1.0 vp_token, ISO mdoc mso_mdoc
Proof suites VC-JWT, SD-JWT VC, Data Integrity, VP-JWT
Issuer keys DIDs & signing keys, well-known / x5c / WRPAC discovery
Trust anchors EU Trusted Lists
Revocation status lists
Errors one OpenvcError root

Every error descends from a single OpenvcError, so except OpenvcError catches any openvc failure.