Skip to content
FIDO4VC FIDO4VC

Repositories

The FIDO4VC project is split across separate repositories under the fido4vc GitHub org, one per component. This page lists them with descriptions of role and integration relationships.

Demo

Section titled “Demo”

Walk-through of the full DID-creation → issuance → presentation flow against the Docker-Compose stack in fido4vc/demo.

Core components

Section titled “Core components”
fido-vc-cryptosuite-ts TypeScript reference implementation of the fido4vc-jcs-2026 W3C VC Data Integrity cryptosuite. The canonical implementation; all other components depend on it.
fido-vc-middleware Express middleware bridging FIDO/WebAuthn (browser) and the walt.id Wallet API. Orchestrates registration, issuance, and presentation flows; computes WebAuthn challenges from canonicalized VPs.
fido-vc-verifier-sidecar Thin Express service exposing fido-vc-cryptosuite-ts verification over HTTP. Lets non-Node verifier stacks (notably walt.id JVM) validate fido4vc-jcs-2026 signatures without porting the cryptosuite.
fido-vc-wallet-ui Next.js 16 / React 19 user-facing wallet UI. Drives the three flows (register, receive, present) and talks to fido-vc-middleware and the walt.id Wallet API.

Upstream fork

Section titled “Upstream fork”
fido4vc/waltid-identity Fork of walt.id with the FIDO4VC integration applied. Adds the signature_ld-vp policy, ldp_vp support in issuer / verifier APIs, and the external-signature exchange flow in the Wallet API.

How it fits together

Section titled “How it fits together”
fido-vc-wallet-ui (Next.js, browser-side WebAuthn invocation)
        
        ├── HTTP ─► fido-vc-middleware
        │              │   ──── signer side ────
        │              │   cryptosuite.canonicalize(unsignedVP)
        │              │   → derive WebAuthn challenge
        │              │   → wrap the resulting WebAuthn assertion as a
        │              │     DataIntegrityProof on the VP
        │              │
        │              └── uses ──►  fido-vc-cryptosuite-ts
        
        └── HTTP ─► waltid-identity  (walt.id Wallet / Issuer / Verifier APIs)
                       
                       └── HTTP policy ──►  fido-vc-verifier-sidecar
                                               │   ──── verifier side ────
                                               │   cryptosuite.verify(signedVP)
                                               │   → recompute challenge
                                               │   → validate FIDO assertion
                                               │     against did:jwk pubkey
                                               
                                               └── uses ──►  fido-vc-cryptosuite-ts

The cryptosuite is a single library used at both ends of the protocol:

  • Signer sidefido-vc-middleware calls cryptosuite.canonicalize() to compute the WebAuthn challenge over a JCS-canonicalized VP. The middleware never signs anything itself; the FIDO authenticator does, and the middleware wraps the resulting assertion as a DataIntegrityProof with cryptosuite="fido4vc-jcs-2026".
  • Verifier sidefido-vc-verifier-sidecar calls cryptosuite.verify() to validate a signed VP: recomputes the expected challenge, confirms it matches clientData.challenge, and verifies the FIDO signature against the public key resolved from the proof’s did:jwk.

The Wallet UI itself never sees the cryptosuite — it uses @simplewebauthn/browser only to invoke WebAuthn in the browser.

Running locally

Section titled “Running locally”

End-to-end orchestration lives in its own fido4vc/demo repo. By default it pulls all six prebuilt images from ghcr.io/fido4vc/* — no host JDK, Node toolchain, or Gradle build required. Cold pull is ~2–5 min depending on bandwidth.

Terminal window
git clone https://github.com/fido4vc/demo
cd demo
docker compose up -d

What gets started (seven containers):

ServicePortImage
wallet-ui3000ghcr.io/fido4vc/fido-vc-wallet-ui
middleware8080ghcr.io/fido4vc/fido-vc-middleware
verifier-sidecar8081ghcr.io/fido4vc/fido-vc-verifier-sidecar
waltid-wallet-api7001ghcr.io/fido4vc/waltid-wallet-api
waltid-issuer-api7002ghcr.io/fido4vc/waltid-issuer-api
waltid-verifier-api7003ghcr.io/fido4vc/waltid-verifier-api
db3306mysql:8 (stores FIDO credential records)

End-to-end demo flow:

  1. Open the Wallet UI at http://localhost:3000, register, and sign in
  2. Add a FIDO key via the DID tab (creates a did:jwk:...)
  3. Mint a credential offer with the walt.id Issuer API (POST /openid4vc/jwt/issue)
  4. Paste the offer URL into the Wallet UI Credentials → Receive Credential, complete the FIDO flow
  5. Mint a presentation request with the walt.id Verifier API (POST /openid4vc/verify)
  6. Paste the presentation URL into the Wallet UI, present with FIDO
  7. Verify the result via GET /openid4vc/session/<state> — look for "verified": true

Need to hack on a component? Clone the sibling repos and run docker compose up -d --build instead — see the Build from source section of the demo README.

The demo README has the full curl payloads, troubleshooting matrix, and architecture diagram.

Licensing

Section titled “Licensing”

All FIDO4VC component repositories are licensed under the Apache License 2.0. The walt.id fork inherits Apache-2.0 from upstream.

Where to next

Section titled “Where to next”