{"id":22267769,"url":"https://github.com/transmute-industries/vc-jwt-sd","last_synced_at":"2025-07-28T11:32:43.206Z","repository":{"id":188264547,"uuid":"678402370","full_name":"transmute-industries/vc-jwt-sd","owner":"transmute-industries","description":"Experimental implementation of sd-jwt for W3C Verifiable Credentials","archived":false,"fork":false,"pushed_at":"2024-08-10T22:54:59.000Z","size":1412,"stargazers_count":5,"open_issues_count":5,"forks_count":3,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-08-11T23:17:30.906Z","etag":null,"topics":["jose","jsonld","jwt","sd-jwt","selective-disclosure","yaml"],"latest_commit_sha":null,"homepage":"https://github.com/transmute-industries/vc-jwt-sd","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/transmute-industries.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-08-14T13:22:19.000Z","updated_at":"2024-08-10T22:55:02.000Z","dependencies_parsed_at":"2023-12-07T19:30:43.844Z","dependency_job_id":null,"html_url":"https://github.com/transmute-industries/vc-jwt-sd","commit_stats":null,"previous_names":["transmute-industries/vc-jwt-sd"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/transmute-industries%2Fvc-jwt-sd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/transmute-industries%2Fvc-jwt-sd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/transmute-industries%2Fvc-jwt-sd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/transmute-industries%2Fvc-jwt-sd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/transmute-industries","download_url":"https://codeload.github.com/transmute-industries/vc-jwt-sd/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227905542,"owners_count":17837906,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["jose","jsonld","jwt","sd-jwt","selective-disclosure","yaml"],"created_at":"2024-12-03T11:08:48.408Z","updated_at":"2024-12-03T11:08:49.320Z","avatar_url":"https://github.com/transmute-industries.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# @transmute/vc-jwt-sd\n\n[![CI](https://github.com/transmute-industries/vc-jwt-sd/actions/workflows/ci.yml/badge.svg)](https://github.com/transmute-industries/vc-jwt-sd/actions/workflows/ci.yml)\n![Branches](./badges/coverage-branches.svg)\n![Functions](./badges/coverage-functions.svg)\n![Lines](./badges/coverage-lines.svg)\n![Statements](./badges/coverage-statements.svg)\n![Jest coverage](./badges/coverage-jest%20coverage.svg)\n\n\u003c!-- [![NPM](https://nodei.co/npm/@transmute/vc-jwt-sd.png?mini=true)](https://npmjs.org/package/@transmute/vc-jwt-sd) --\u003e\n\n🚧 Experimental implementation of sd-jwt for use with W3C Verifiable Credentials. 🔥\n\n\u003cimg src=\"./transmute-banner.png\" /\u003e\n\n#### [Questions? Contact Transmute](https://transmute.typeform.com/to/RshfIw?typeform-source=vc-jwt-sd)\n\n## Usage\n\n```bash\nnpm i @transmute/vc-jwt-sd --save\n```\n\n```ts\nimport sd from \"@transmute/vc-jwt-sd\";\n```\n\n### Issuer Claims\n\nThis implementation relies on custom yaml tags to indicate disclosability:\n\n```yaml\n# Based on https://w3c.github.io/vc-data-model/#example-a-simple-example-of-a-verifiable-credential\n\"@context\":\n  - https://www.w3.org/ns/credentials/v2\n  - https://www.w3.org/ns/credentials/examples/v2\nid: http://university.example/credentials/3732\ntype:\n  - VerifiableCredential\n  - ExampleDegreeCredential\nissuer:\n  id: https://university.example/issuers/565049\n  name:\n    - value: test value 0\n      lang: en\n    - !sd # indicates a disclosable claim\n      value: test value 1\n      lang: en\n    - value: test value 2\n      lang: en\n    - !sd # indicates a disclosable claim\n      value: test value 3\n      lang: en\n    - value: test value 4\n      lang: en\nvalidFrom: 2015-05-10T12:30:00Z\ncredentialStatus:\n  - id: https://vendor.example/status-list/urn:uuid:d31ada5d-1d3d-4f68-8587-8ff9bb3038d6#0\n    type: StatusList2021Entry\n    statusPurpose: revocation\n    statusListIndex: \"0\"\n    statusListCredential: https://vendor.example/status-list/urn:uuid:d31ada5d-1d3d-4f68-8587-8ff9bb3038d6\ncredentialSubject:\n  id: did:example:ebfeb1f712ebc6f1c276e12ec21\n  degree:\n    type: ExampleBachelorDegree\n    subtype: Bachelor of Science and Arts\n```\n\n### Credential Issuance\n\n```ts\nconst alg = \"ES384\";\nconst claimset = `... yaml example above ... `;\n\nconst issuerRole = await sd.key.generate(alg);\nconst issuerId = \"https://university.example/issuers/565049\";\nconst issuerKeyId = `${issuerId}#key-42`;\n\nconst holderRole = await sd.key.generate(alg); // or get it some other way.\nconst holderId = \"did:example:ebfeb1f712ebc6f1c276e12ec21\";\nconst holderKeyId = `${holderId}#${holderRole.publicKeyJwk.kid}`;\n\nconst vc = await sd\n  .issuer({\n    iss: issuerId,\n    kid: issuerKeyId,\n    typ: `application/vc-ld+sd-jwt`,\n    signer: await sd.jws.signer(issuerRole.privateKeyJwk),\n  })\n  .issue({\n    kid: holderKeyId,\n    claimset,\n  });\n```\n\n### Holder Disclosure\n\nThis implementation relies on yaml to indicate holder disclosures:\n\n```yaml\n\"@context\":\n  - https://www.w3.org/ns/credentials/v2\n  - https://www.w3.org/ns/credentials/examples/v2\nid: http://university.example/credentials/3732\ntype:\n  - VerifiableCredential\n  - ExampleDegreeCredential\nissuer:\n  id: https://university.example/issuers/565049\n  name:\n    - value: test value 0\n      lang: en\n    - value: test value 1 # The value or True can be provided to signal intentional disclosure.\n      lang: en\n    - value: test value 2\n      lang: en\n    - False # This boolean indicates that this claim should not be disclosed in a presentation\n    - value: test value 4\n      lang: en\nvalidFrom: 2015-05-10T12:30:00Z\ncredentialStatus:\n  - id: https://vendor.example/status-list/urn:uuid:d31ada5d-1d3d-4f68-8587-8ff9bb3038d6#0\n    type: StatusList2021Entry\n    statusPurpose: revocation\n    statusListIndex: \"0\"\n    statusListCredential: https://vendor.example/status-list/urn:uuid:d31ada5d-1d3d-4f68-8587-8ff9bb3038d6\ncredentialSubject:\n  id: did:example:ebfeb1f712ebc6f1c276e12ec21\n  degree:\n    type: ExampleBachelorDegree\n    subtype: Bachelor of Science and Arts\n```\n\n### Presentation with Holder Binding\n\n```ts\nconst audience = \"aud-9877\";\nconst nonce = \"nonce-5486168\";\nconst disclosure = `... yaml example above ... `;\nconst vp = await sd\n  .holder({\n    iss: holderId,\n    kid: holderKeyId,\n    signer: await sd.jws.signer(holderRole.privateKeyJwk),\n  })\n  .issue({\n    token: vc,\n    disclosure,\n    audience,\n    nonce,\n  });\n```\n\n### Verification by Key Resolution\n\nSome protocols allow for discovery of public keys from identifiers.\n\n🍃 This interface is safer,\nsince it performs verification internally,\nwhich will fail closed when the incorrect public key is provided.\n\n```ts\nconst verification = await sd\n  .verifier({\n    resolver: {\n      resolve: async (kid: string) =\u003e {\n        if (kid === issuerKeyId) {\n          return issuerRole.publicKeyJwk;\n        }\n        if (kid === holderKeyId) {\n          return holderRole.publicKeyJwk;\n        }\n        throw new Error(\"Unsupported kid: \" + kid);\n      },\n    },\n  })\n  .verify({\n    token: vp,\n    audience,\n    nonce,\n  });\n```\n\n### Verification by Token\n\nSome protocols require disovery of public keys from protected header and payload claims.\n\n🍂 This interface is less safe, but more flexible.\nWhen misconfigured, this interface can lead to decoded values being treated as if they had been verified.\n\n```ts\n// for testing, not a real dereferencer\nconst dereference = async (url: string) =\u003e {\n  if (url.startsWith(\"https://university.example/issuers/565049\")) {\n    return {\n      id: issuerKeyId,\n      type: \"JsonWebKey\",\n      controller: issuerId,\n      publicKeyJwk: issuerRole.publicKeyJwk,\n    };\n  }\n  if (url.startsWith(\"did:example:ebfeb1f712ebc6f1c276e12ec21\")) {\n    return {\n      id: holderKeyId,\n      type: \"JsonWebKey\",\n      controller: holderId,\n      publicKeyJwk: holderRole.publicKeyJwk,\n    };\n  }\n  throw new Error(\"Unsupported didUrl: \" + didUrl);\n};\nconst verification = await sd\n  .verifier({\n    verifier: {\n      verify: async (token: string) =\u003e {\n        const jwt = token.split(\"~\")[0];\n        const decodedHeader = decodeProtectedHeader(jwt);\n        if (decodedHeader.typ === \"application/vc-ld+sd-jwt\") {\n          const decodedPayload = decodeJwt(jwt);\n          const iss = (decodedHeader.iss || decodedPayload.iss) as string;\n          const kid = decodedHeader.kid as string;\n          const absoluteDidUrl =\n            kid \u0026\u0026 kid.startsWith(iss) ? kid : `${iss}#${kid}`;\n          const { publicKeyJwk } = await dereference(absoluteDidUrl);\n          const verifier = await sd.jws.verifier(publicKeyJwk);\n          return verifier.verify(jwt);\n        }\n        if (decodedHeader.typ === \"kb+jwt\") {\n          const decodedPayload = decodeJwt(jwt);\n          const iss = (decodedHeader.iss || decodedPayload.iss) as string;\n          const kid = decodedHeader.kid as string;\n          const absoluteDidUrl =\n            kid \u0026\u0026 kid.startsWith(iss) ? kid : `${iss}#${kid}`;\n          const { publicKeyJwk } = await dereference(absoluteDidUrl);\n          const verifier = await sd.jws.verifier(publicKeyJwk);\n          return verifier.verify(jwt);\n        }\n        throw new Error(\"Unsupported token typ\");\n      },\n    },\n  })\n  .verify({\n    token: vp,\n    audience,\n    nonce,\n  });\n```\n\n### Validation\n\n🚧 This library does not perform validation currently.\nThis is the result of the verification operations above:\n\n```json\n{\n  \"protectedHeader\": {\n    \"alg\": \"ES384\",\n    \"kid\": \"https://university.example/issuers/565049#key-42\",\n    \"typ\": \"application/vc-ld+sd-jwt\"\n  },\n  \"claimset\": {\n    \"iss\": \"https://university.example/issuers/565049\",\n    \"cnf\": {\n      \"kid\": \"did:example:ebfeb1f712ebc6f1c276e12ec21#Sw_eFytRRCLX22cd-ReZxnndRL4ydwNcWWTcuFO5ljw\"\n    },\n    \"@context\": [\n      \"https://www.w3.org/ns/credentials/v2\",\n      \"https://www.w3.org/ns/credentials/examples/v2\"\n    ],\n    \"id\": \"http://university.example/credentials/3732\",\n    \"type\": [\"VerifiableCredential\", \"ExampleDegreeCredential\"],\n    \"issuer\": {\n      \"id\": \"https://university.example/issuers/565049\",\n      \"name\": [\n        {\n          \"value\": \"test value 0\",\n          \"lang\": \"en\"\n        },\n        {\n          \"value\": \"test value 1\",\n          \"lang\": \"en\"\n        },\n        {\n          \"value\": \"test value 2\",\n          \"lang\": \"en\"\n        },\n        {\n          \"value\": \"test value 4\",\n          \"lang\": \"en\"\n        }\n      ]\n    },\n    \"validFrom\": \"2015-05-10T12:30:00Z\",\n    \"credentialStatus\": [\n      {\n        \"id\": \"https://vendor.example/status-list/urn:uuid:d31ada5d-1d3d-4f68-8587-8ff9bb3038d6#0\",\n        \"type\": \"StatusList2021Entry\",\n        \"statusPurpose\": \"revocation\",\n        \"statusListIndex\": \"0\",\n        \"statusListCredential\": \"https://vendor.example/status-list/urn:uuid:d31ada5d-1d3d-4f68-8587-8ff9bb3038d6\"\n      }\n    ],\n    \"credentialSubject\": {\n      \"id\": \"did:example:ebfeb1f712ebc6f1c276e12ec21\",\n      \"degree\": {\n        \"type\": \"ExampleBachelorDegree\",\n        \"subtype\": \"Bachelor of Science and Arts\"\n      }\n    }\n  }\n}\n```\n\n## Develop\n\n```bash\nnpm i\nnpm t\nnpm run lint\nnpm run build\n```\n\n## Integration Tests\n\nSynching tests cases from reference implementation\n\n```\ngit clone git@github.com:danielfett/sd-jwt.git\ncd sd-jwt\npython3 -m venv venv\nsource venv/bin/activate\npip install git+https://github.com/danielfett/sd-jwt.git\ncd tests/testcases\nsd-jwt-generate example\ncd ..\ncp -r ./testcases ../../testcases\n```\n\nOther implementations\n\n- https://github.com/openwallet-foundation-labs/sd-jwt-python\n- https://github.com/oauth-wg/oauth-selective-disclosure-jwt\n- https://github.com/danielfett/sd-jwt\n- https://github.com/christianpaquin/sd-jwt\n- https://github.com/chike0905/sd-jwt-ts\n- https://github.com/or13/vc-sd-jwt\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftransmute-industries%2Fvc-jwt-sd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftransmute-industries%2Fvc-jwt-sd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftransmute-industries%2Fvc-jwt-sd/lists"}