What is the EUDIW Connector?

Truvity EUDIW Connector is an API-first solution that enables your organization to verify and issue digital credentials with EU Digital Identity Wallets (EUDI Wallets). The connector runs in dedicated infrastructure and you integrate it through a REST API. The connector handles the complexity of the OpenID for Verifiable Presentations (OID4VP) and OpenID for Verifiable Credential Issuance (OID4VCI) protocols, eIDAS 2.0 compliance, and cryptographic operations, so you can focus on your business logic and user experience.

The challenge

Organizations across the EU face increasing pressure to adopt digital identity verification for customer onboarding, authentication, and regulatory compliance. The European Union's eIDAS 2.0 regulation mandates that member states provide EUDI Wallets to citizens by December 2026, creating both an opportunity and a challenge for businesses.

Integrating with EUDI Wallets presents significant technical and regulatory hurdles. You must implement the OID4VP protocol, which requires deep expertise in OAuth 2.0, JWT encryption, and digital signature standards. The Architecture Reference Framework (ARF) defines hundreds of specific requirements that your implementation must satisfy. Managing X.509 access certificates, trust chains, and revocation checking adds operational complexity. Supporting multiple wallet implementations across EU member states requires continuous testing and updates as each country rolls out its infrastructure.

Banks, insurance companies, government services, and other organizations need a solution that shields them from this complexity while maintaining full compliance, security, and interoperability across all EU member states.

The solution

Truvity is a solution provider whose software runs in dedicated infrastructure. The EUDIW Connector provides a complete infrastructure layer that sits between your systems and EUDI Wallets. You are the Relying Party—the connector handles protocol implementation, cryptographic operations, and compliance enforcement on your behalf.

When you integrate the connector, you gain immediate access to the entire EUDI Wallet ecosystem without building the underlying infrastructure yourself. The connector maintains protocol compatibility as standards evolve, validates trust chains against member state registries, and helps your implementation remain aligned with eIDAS 2.0 requirements.

The connector abstracts away complexity through a simple REST API. It handles protocol negotiation, encryption, signature validation, revocation checking, and trust evaluation.

Key capabilities

Same-device and cross-device flows

The connector supports users regardless of how they access your service.

In the same-device flow, a user clicks a link on their phone, and their EUDI Wallet app opens automatically. They approve the request with biometric authentication, and your app immediately receives the verified data. This flow requires no device switching, making it the most direct path for mobile users.

In the cross-device flow, a user visits your website on desktop and scans a QR code with their EUDI Wallet. They approve the request on their phone, and your desktop app receives the verified data. This enables credential verification in contexts where the wallet is not installed on the device being used.

Both flows provide the same security guarantees and deliver identical credential data. The connector automatically handles session management, state synchronization, and timeout handling for both patterns.

Selective disclosure

EUDI Wallets enable users to share only the specific information required for a transaction. Instead of presenting an entire credential (like a full passport), users can selectively disclose individual attributes or prove properties without revealing exact values. For details, see Selective disclosure.

Cryptographic verification

Every credential presentation undergoes comprehensive verification before the connector delivers data to your systems.

Signature validation ensures that trusted authorities issued credentials by validating digital signatures against issuer public keys. This confirms credentials have not been tampered with and come from legitimate sources.

Key binding validation confirms that the presenter legitimately possesses the credential through cryptographic proofs. This prevents unauthorized parties from using stolen credentials.

Revocation checking verifies credential status against issuer revocation lists in real time. If a credential has been revoked (due to loss, theft, or validity expiration), the presentation fails verification.

All verification happens automatically. You receive only successfully verified credential data through your callback, with complete audit trails for compliance reporting.

Credential issuance

The connector enables your organization to issue digital credentials to EUDI Wallets using the OpenID for Verifiable Credential Issuance (OID4VCI) protocol. You create a credential offer through the management API, and the connector handles the protocol exchange with the wallet, including token management, cryptographic key binding, and credential signing.

The connector supports the pre-authorized code flow, where your backend pre-authorizes credential issuance after authenticating the user. The wallet holder receives a credential offer as a QR code (cross-device) or deep link (same-device), approves the issuance in their wallet, and receives the signed credential.

When the issuance flow completes, the connector delivers a callback to your backend with the outcome—whether the credential was successfully issued, the flow failed, or the session expired. This callback-based model lets you update your systems in response to issuance events without polling.

Certificate management

Digital certificates authenticate your organization to EUDI Wallets and establish trust in credential exchanges. You are responsible for obtaining and managing your certificates. The connector uses the following certificates:

For verification:

  1. Access certificates contain cryptographic keys for authenticating your Relying Party to wallets and ensure requests have not been tampered with. You obtain these from a Certificate Authority (CA) or member state registrar.
  2. Registration certificates declare what data you can request and for what purposes. These contain registered intended uses (like "identity verification for account opening") and prove your authorization to request specific credentials and attributes.

For issuance:

  1. Issuer Signing Certificate signs the credentials your organization issues. This certificate is included in the credential's cryptographic header so wallets can verify the credential's authenticity. It uses a separate key from the verification access certificate.
  2. Access certificate proves your organization's participation in the EUDI ecosystem and signs your issuer metadata. Wallets use this to verify that your connector is a legitimate credential issuer.

For development purposes, the connector supports self-signed certificates. You can generate test certificates instantly to develop and test your integration without waiting for registration with member state authorities. These work for development but are not trusted by production wallets.

For more details on certificate types and trust establishment, see the certificates explanation.

Deployment

The connector supports two deployment models. In both, your organization acts as the Relying Party (RP) directly.

Dedicated

Truvity deploys and manages a single-tenant connector instance on your behalf (for example, in a dedicated cloud account). You focus on integration and business logic while Truvity handles infrastructure operations, updates, and scaling.

Self-managed

You deploy and manage the connector in your own infrastructure. This gives you full control over servers, networking, storage, and operational procedures.

What you need

Both deployment models require:

  • X.509 access certificates from a Certificate Authority (CA) or member state registrar
  • A callback endpoint to receive verification and issuance results
  • Relying Party registration with your member state authority
  • For issuance: an Issuer Signing Certificate and credential type metadata configured in the connector

For details on certificates and trust establishment, see the certificates explanation. For regulatory requirements, see Compliance and regulations.

Supported credential formats

The connector supports the SD-JWT VC credential format defined by the Architecture Reference Framework (ARF). SD-JWT VC (SD-JWT-based Verifiable Credentials) combines selective disclosure with cryptographic key binding:

  • Selective disclosure: Holders share only the specific claims a Relying Party requests while keeping all other attributes private. Issuers sign the entire credential, and holders can prove they possess undisclosed claims without revealing their values.
  • Key binding: Cryptographic proof that the presenter legitimately possesses the credential. The wallet signs a challenge using a private key bound to the credential, preventing stolen credentials from being used by unauthorized parties.
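How a verifier checks these two properties of an SD-JWT VC presentation, as an added example that is not Truvity's code or API: each disclosure must hash to a digest in the issuer-signed `_sd` list, and the key binding JWT must carry an `sd_hash` over exactly the disclosed set plus the verifier's `nonce` and `aud`. Signature checks on both JWTs are omitted to stay within the standard library; the credential, salts, nonce, `issuer.example` and `rp.example` values are constructed, and all function names are hypothetical.

```python
import base64, hashlib, json

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def digest(text: str) -> str:
    # SD-JWT hashes the ASCII base64url text itself, not the decoded JSON.
    return b64u(hashlib.sha256(text.encode("ascii")).digest())

def disclosure(salt, name, value) -> str:
    return b64u(json.dumps([salt, name, value]).encode())

def fake_jwt(payload: dict) -> str:
    # Constructed stand-in with a dummy signature part.
    return ".".join([b64u(b'{"alg":"ES256"}'), b64u(json.dumps(payload).encode()), "sig"])

def payload_of(jwt: str) -> dict:
    return json.loads(b64u_dec(jwt.split(".")[1]))

def verify_presentation(presentation: str, nonce: str, aud: str) -> dict:
    *front, kb_jwt = presentation.split("~")
    if not kb_jwt:
        raise ValueError("missing key binding JWT")
    issued = payload_of(front[0])
    claims = {k: v for k, v in issued.items() if k not in ("_sd", "_sd_alg")}
    for d in front[1:]:
        if digest(d) not in issued["_sd"]:
            raise ValueError("disclosure not covered by the issuer-signed digests")
        _salt, name, value = json.loads(b64u_dec(d))
        claims[name] = value
    kb = payload_of(kb_jwt)
    # sd_hash covers everything up to and including the last "~".
    if kb["sd_hash"] != digest(presentation[: -len(kb_jwt)]):
        raise ValueError("key binding does not cover this set of disclosures")
    if kb["nonce"] != nonce or kb["aud"] != aud:
        raise ValueError("key binding was made for a different request")
    return claims

def build_sample(disclose, nonce="n-1", aud="https://rp.example"):
    # Constructed credential; real salts are random, not "salt0".
    attrs = [("given_name", "Erika"), ("birthdate", "1990-01-01"), ("age_over_18", True)]
    all_d = {n: disclosure(f"salt{i}", n, v) for i, (n, v) in enumerate(attrs)}
    issuer = fake_jwt({"iss": "https://issuer.example", "_sd_alg": "sha-256",
                       "_sd": sorted(digest(d) for d in all_d.values())})
    front = "~".join([issuer] + [all_d[n] for n in disclose]) + "~"
    return front + fake_jwt({"nonce": nonce, "aud": aud, "sd_hash": digest(front)})
```

A presentation that discloses only `age_over_18` yields that claim and nothing about `birthdate`; a replayed presentation, a forged disclosure, or a disclosure stripped after the wallet signed the key binding is rejected.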

Benefits

Compliance-ready

eIDAS 2.0 aligned

The connector implements requirements from eIDAS 2.0 regulation (EU 2024/1183) for Relying Party operations. As regulatory updates and Implementing Acts are published, the connector is updated to reflect them.

ARF aligned

The connector follows the Architecture Reference Framework specifications for wallet interoperability. This includes alignment with high-level requirements for Relying Parties across all functional areas.

HAIP-first

The connector implements the High Assurance Interoperability Profile (HAIP) to ensure compatibility with official EUDI Wallets from all EU member states.

Developer-friendly

REST API

The connector provides a simple, intuitive REST API following modern best practices.

Comprehensive documentation

Detailed guides cover every integration scenario—from KYC verification to passwordless authentication and credential issuance. Code examples, sequence diagrams, and troubleshooting guides accelerate your implementation.

Self-signed certificates

Start developing immediately without waiting for official registration. Generate self-signed access certificates and begin testing credential flows within minutes.

Secure by design

End-to-end encryption

All credential presentations use end-to-end encryption. The connector decrypts presentations only in memory, processes verification, and immediately discards encryption keys.

Ephemeral data model

The connector processes credential data in memory and delivers verified results to your callback. Encryption keys are created per request and deleted after use. This ephemeral approach minimizes the attack surface and reduces data breach risk. See the ephemeral data model explanation for details.

Get access

To get access to a connector instance, test credentials, and onboarding support, contact hello@truvity.com.

Get started

Ready to integrate EUDI Wallet verification or issuance into your systems?

  1. Understand the ecosystem: read EUDI Wallet ecosystem context to learn how the connector fits into the broader digital identity landscape and understand the roles of PIDs, attestation providers, wallet holders, and Relying Parties.
  2. Review compliance: explore Compliance and regulations to understand eIDAS 2.0 requirements and your responsibilities as a Relying Party or credential issuer.
  3. Explore use cases: see Use cases for real-world scenarios including bank account opening (KYC), passwordless authentication, and Account Ownership Credential (AOC) issuance.
  4. Start building (verification): follow the verification quickstart to create your first presentation request, implement a callback handler, and test the complete verification flow.
  5. Start building (issuance): follow the issuance quickstart to create your first credential offer and issue a credential to a wallet. For a complete walkthrough, try the AOC issuance tutorial.

Further reading