Digital identity credentials for PHP
An SD-JWT (RFC 9901)
is a JWT where the issuer signs digests of claims instead of the claims themselves.
The holder keeps the actual values as separate disclosures and reveals only the ones a
verifier needs — a birth date without the address, a name without the document number.
SD-JWT VC (dc+sd-jwt) layers credential semantics on top:
a credential type (vct), protected claims, and rules for discovering the
issuer's keys.
This is the credential format underneath OpenID4VC and the EU Digital Identity Wallet. If your PHP service accepts wallet presentations — as a relying party — these packages do the verification: signature, disclosure digests, key binding, and the VC rules.
The packages
composer require k2gl/sd-jwt k2gl/sd-jwt-vc SD-JWT Verifiable Credentials (dc+sd-jwt): issue and verify. composer require k2gl/sd-jwt-vc Signature verification reuses k2gl/dsse's key handling — the same primitives as the supply-chain family, so a PEM or JWK issuer key plugs straight in.
Try it in the browser
Generate a demo SD-JWT with the claims you choose disclosable, then paste it into the debugger to see its disclosures, recomputed digests, and recreated claims. Both tools run on these packages.
Accepting presentations?
The relying-party flow — issuer signature, disclosures, key binding — is walked through in Verify an SD-JWT VC presentation; the short answer lives at EUDI wallet relying party in PHP?