Digital identity credentials for PHP

An SD-JWT (RFC 9901) is a JWT where the issuer signs digests of claims instead of the claims themselves. The holder keeps the actual values as separate disclosures and reveals only the ones a verifier needs — a birth date without the address, a name without the document number. SD-JWT VC (dc+sd-jwt) layers credential semantics on top: a credential type (vct), protected claims, and rules for discovering the issuer's keys.

This is the credential format underneath OpenID4VC and the EU Digital Identity Wallet. If your PHP service accepts wallet presentations — as a relying party — these packages do the verification: signature, disclosure digests, key binding, and the VC rules.

The packages

k2gl/sd-jwt Selective Disclosure for JWTs (RFC 9901): issue, present, verify. composer require k2gl/sd-jwt k2gl/sd-jwt-vc SD-JWT Verifiable Credentials (dc+sd-jwt): issue and verify. composer require k2gl/sd-jwt-vc

Signature verification reuses k2gl/dsse's key handling — the same primitives as the supply-chain family, so a PEM or JWK issuer key plugs straight in.

Try it in the browser

Generate a demo SD-JWT with the claims you choose disclosable, then paste it into the debugger to see its disclosures, recomputed digests, and recreated claims. Both tools run on these packages.

Accepting presentations?

The relying-party flow — issuer signature, disclosures, key binding — is walked through in Verify an SD-JWT VC presentation; the short answer lives at EUDI wallet relying party in PHP?

Specs