Presenting a proof of age attestation
When the user wants to access an age-restricted service, they are required to present a valid Proof of Age Attestation before being granted access. For demonstration purposes, a public verifier is available at verifier.ageverification.dev, which can be used to test the process.
The verifier can process the presentation using either OpenID for Verifiable Presentations (OpenID4VP) or the Digital Credentials API (DC API). OpenID4VP is an OpenID-based protocol that allows the user to present verifiable credentials through a secure, standards-based exchange between the wallet and the verifier. The Digital Credentials API, on the other hand, is a browser-integrated API designed to make credential presentations more seamless and user-friendly by enabling direct interactions between the verifier (web service) and the user’s digital wallet on the same or cross device. It is currently being standardized by the World Wide Web Consortium (W3C) as part of the web platform to enable interoperable, privacy-preserving and secure credential exchange across browsers and devices. Further information about the specification is available at: https://www.w3.org/TR/digital-credentials-api/
For future-proof interoperability and a smoother user experience, it is recommended to use the Digital Credentials API whenever possible, as it represents the standard presentation interface for digital credentials within the AV and EUDI Wallet ecosystem.
OpenId for Verifiable Presentations
To begin verification, the user either opens their Age Verification App or scans the verifier’s QR code directly with the device’s camera. Upon scanning, the app recognizes that a Proof of Age is being requested and displays a prompt indicating that an age verification is required for the selected service.
The user is then given the option to approve the request. To ensure security and user consent, the app asks for PIN or biometric confirmation (such as face recognition). Once the user confirms, the necessary data is securely transmitted to the verifier service.
The verifier receives the Proof of Age Attestation, validates its authenticity and trust status using the AV Trusted List, and then displays the result of the verification process. This allows both the user and the service provider to immediately see whether the age verification has been successful.
Digital Credentials API
The demo application available at verifier.ageverification.dev is configured to automatically detect whether the user’s browser supports the Digital Credentials API. If DC API support is available, the website does not display a QR code. Instead, it presents a button that allows the user to initiate the credential presentation directly through the DC API.
If the browser does not support the DC API, the verifier automatically falls back to OpenID for Verifiable Presentations and displays a QR code that can be scanned with the Age Verification App.
When the process is started using the DC API, the credential data is requested directly from the wallet on the same device and the user is prompted to confirm the data sharing within the browser. In contrast, when using OpenID4VP, the user must be on the same Wi-Fi network and have Bluetooth enabled to support a cross-device presentation between the verifier and the Age Verification App.
Once the user approves the data sharing, the verifier performs the same validation steps as in the OpenID4VP flow, including authenticity and trust checks and then displays the verification results on the webpage.
Validation
During the enrollment process, it is important that the user can choose whether they trust a specific issuer and whether they wish to receive a Proof of Age Attestation indicating that they are over 18 years old (or not). The corresponding Proof of Age Attestation is then issued by the selected issuer and securely stored in the Age Verification App as the result of the enrollment.
To verify whether an issuer is authorized to issue such attestations, the verifier uses an AV Trusted List, which includes the demo issuer used in the public environment. For custom or production deployments, the backend also provides a sample Trusted List that can be adapted to include the appropriate trusted issuers. The verifier backend stores this Trusted List in its GitHub repository under the following path: src/main/resources/av-etsi-trusted-list.xml
The verifier receives the Proof of Age Attestation, validates its authenticity and trust status using the AV Trusted List, and then displays the result of the verification process. This allows both the user and the service provider to immediately see whether the age verification has been successful.