API Design for Granular Identity Disclosure in EUDI Wallets
The European Digital Identity Wallet (EUDI Wallet) promises a new era of digital identity, offering granular control over personal data. This post explores the API design principles that let users selectively disclose only the attributes a transaction actually requires.

User-Centric Granularity
Design APIs that prioritize user control, allowing users to selectively disclose only the necessary identity attributes rather than entire credentials.
Standardization and Interoperability
Leverage open standards like OpenID for Verifiable Credential Issuance (OID4VCI) and OpenID for Verifiable Presentations (OID4VP) to ensure seamless integration and broad adoption across ecosystems.
Privacy-Preserving Proofs
Use cryptographic techniques, selective disclosure in today's EUDI credential formats and Zero-Knowledge Proofs (ZKPs) as they mature, to enable verification without revealing the underlying sensitive data.
Robust Consent Management
Integrate explicit, informed consent mechanisms into the API flow, ensuring users understand and approve every data disclosure request.
The Promise of Granular Identity Disclosure in EUDI Wallets
The European Digital Identity (EUDI) Wallet is poised to revolutionize how citizens interact with digital services, offering a secure and convenient way to prove identity and share personal data. A cornerstone of this vision is granular identity disclosure – the ability for individuals to share only the specific pieces of information required for a transaction, rather than revealing their entire identity document or a broad set of attributes. For instance, proving one is over 18 without revealing their exact birth date, or confirming residency in a specific country without disclosing their full address. Achieving this requires meticulous API design.
Traditional identity systems often force an all-or-nothing approach. When you present a physical driver's license, you reveal your photo, name, address, date of birth, and license number, even if the only information needed is your age. In the digital realm, this translates to sharing entire blocks of data from a digital ID. The EUDI Wallet, however, aims to empower users with fine-grained control, significantly enhancing privacy and reducing the risk of data overexposure. But how do we translate this vision into practical, secure, and interoperable API designs?
Core Principles for Granular Disclosure API Design
Designing APIs for granular identity disclosure in EUDI Wallets demands adherence to several key principles:
1. Attribute-Level Request and Presentation
The API must enable Relying Parties (RPs, the services that verify identity; avoid abbreviating them "VP", which in OID4VP denotes a Verifiable Presentation) to request specific attributes rather than entire verifiable credentials (VCs). For example, instead of requesting a "National ID Card" VC, the RP should be able to request "Date of Birth" and "Nationality." The EUDI Wallet's API then facilitates the user's consent and the selection of those individual attributes from the stored VCs.
Practical Example: Age Verification
- Traditional API Request: POST /verify-id with a payload expecting a full ID document scan.
- Granular API Request: POST /verify-age with a payload like { "requested_attributes": [ { "type": "age_over", "value": 18 } ] }.
The user's EUDI Wallet receives this request and, instead of presenting the full ID, returns only the evidence that the user is over 18. In the credential formats the EUDI Wallet uses today (ISO/IEC 18013-5 mdoc and SD-JWT VC) this is selective disclosure: the issuer includes a dedicated age_over_18 attribute (age_over_NN in mdoc) alongside the birthdate, and the wallet discloses that single attribute while the birthdate stays hidden yet remains covered by the issuer's signature. A zero-knowledge range proof computed over the birthdate itself is the longer-term alternative discussed in the Architecture and Reference Framework, not something relying parties should expect from current wallets.
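As an added example, not Didit's code or an EUDI reference implementation, the following Python sketches the selective-disclosure mechanism described above in the style of SD-JWT: the issuer commits to salted hashes of each claim, the wallet appends only the disclosure the user approved, and the relying party accepts a disclosed claim only if its digest was committed to by the issuer. The issuer URL, credential type and PID values are constructed, and an HMAC stands in for the issuer's asymmetric signature so the block runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Stand-in for the issuer's signing key (constructed for this example). A real PID
# provider signs the SD-JWT with an asymmetric key (e.g. ES256) and the verifier
# checks it with the issuer's public key; HMAC keeps this runnable with stdlib only.
ISSUER_KEY = b"constructed-issuer-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name, value) -> str:
    """A disclosure is base64url([salt, claim_name, claim_value]). The random salt
    stops a verifier from brute-forcing low-entropy values (a birthdate) from the digest."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def disclosure_digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict):
    """Issuer: return (sd_jwt, disclosures_by_name); every claim is selectively disclosable."""
    disclosures = {name: make_disclosure(name, value) for name, value in claims.items()}
    payload = {
        "iss": "https://pid-provider.example",  # constructed issuer
        "vct": "urn:eudi:pid:1",                # constructed credential type
        "_sd_alg": "sha-256",
        # Sorted so the digest order reveals nothing about which claim is which.
        "_sd": sorted(disclosure_digest(d) for d in disclosures.values()),
    }
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    tag = b64url(hmac.new(ISSUER_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}", disclosures


def present(sd_jwt: str, disclosures: dict, approved: list) -> str:
    """Wallet: append only the disclosures the user approved; everything else stays private."""
    chosen = [disclosures[name] for name in approved if name in disclosures]
    return "~".join([sd_jwt, *chosen]) + "~"


def verify(presentation: str) -> dict:
    """Relying party: check the issuer tag, then accept a disclosure only if the issuer
    committed to its digest. Returns the disclosed claims and nothing else."""
    sd_jwt, *parts = presentation.split("~")
    body, tag = sd_jwt.split(".")
    expected = b64url(hmac.new(ISSUER_KEY, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("issuer signature check failed")
    committed = set(json.loads(b64url_decode(body))["_sd"])
    disclosed = {}
    for disclosure in filter(None, parts):  # drop the empty trailing element
        if disclosure_digest(disclosure) not in committed:
            raise ValueError("disclosure was not committed to by the issuer")
        _salt, name, value = json.loads(b64url_decode(disclosure))
        disclosed[name] = value
    return disclosed


def age_verification_demo() -> dict:
    """Constructed PID; the relying party asked only for age_over_18, so only that is revealed."""
    pid = {"given_name": "Erika", "family_name": "Mustermann",
           "birthdate": "1990-01-01", "age_over_18": True}
    sd_jwt, disclosures = issue(pid)
    presentation = present(sd_jwt, disclosures, ["age_over_18"])
    return verify(presentation)


if __name__ == "__main__":
    print(age_verification_demo())
```

The digest check is the security-relevant step: a wallet (or a man-in-the-middle) cannot swap in a disclosure claiming age_over_18 is true for a holder whose issuer committed to false, because the forged disclosure's digest is not in the signed _sd array.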
2. Standardized Request and Response Formats
Interoperability is paramount for the EUDI Wallet ecosystem. APIs must adhere to established standards for requesting and presenting verifiable credentials and their attributes. OpenID for Verifiable Presentations (OID4VP) is the crucial standard here: it defines how an RP requests specific credentials or claims from a wallet (through a presentation_definition, or a DCQL query in more recent drafts) and how the wallet returns a vp_token carrying the verifiable presentation.
Practical Example: Residential Proof
- A service needs to confirm the user resides in Germany.
- RP Request (OID4VP): The RP constructs an authorization request containing a presentation_definition that asks for a "Proof of Residency" credential and, within it, only the country field, with a filter constraining it to Germany.
- Wallet Response: The user's EUDI Wallet receives this, prompts the user for consent, and then returns a verifiable presentation that proves the user's country of residence is Germany, without disclosing the street address or other fields of the underlying credential.
3. Integration of Privacy-Enhancing Technologies (PETs)
To truly enable granular disclosure, APIs need to support underlying PETs, particularly Zero-Knowledge Proofs (ZKPs). ZKPs allow a user to prove a statement is true (e.g., "I am over 18") without revealing any additional information that would allow the verifier to deduce how that statement is true (e.g., the exact birthdate). This is the ultimate form of granular disclosure.
API Design for ZKPs:
- The request must name the statement to be proven (e.g., age over 18) and the proof system, since a wallet cannot produce a proof the RP has no verifier for.
- The wallet then generates the proof from its stored credential. This requires an issuer signature scheme the proof can be built over; today's EUDI formats (mdoc and SD-JWT VC) rely on selective disclosure instead, and the Architecture and Reference Framework lists ZKP support as future work.
- The RP verifies the proof against the issuer's public key and the statement it asked for, learning nothing beyond the statement's truth.
4. Robust Consent Management and User Interface
Granular disclosure is meaningless without explicit and informed user consent. The API design must bake in mechanisms for the EUDI Wallet to present clear, concise, and actionable consent requests to the user. This includes:
- Clearly listing the specific attributes requested.
- Stating the purpose of the data disclosure.
- Identifying the Relying Party by an authenticated name (from its registration certificate in the EUDI ecosystem), not by a free-text label the requester chose itself.
- Allowing the user to approve or deny the request.
The wallet's response must make the outcome unambiguous to the Relying Party: an approved request yields a vp_token containing only the approved attributes, while a denial is returned as an explicit OID4VP error response (access_denied) rather than a silent timeout, so the RP can neither infer anything about the withheld attributes nor mistake a refusal for a transport failure.
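The request, matching and consent steps of sections 2 and 4, as an added example (not Didit's code or a reference implementation): the relying party builds an OID4VP authorization request carrying a presentation_definition, the wallet parses it, picks the one stored credential that satisfies every field filter, shows the user who is asking, why, and for exactly which attributes, and returns either the selected attributes or an explicit access_denied error. The client id, response URI, nonce, credential contents and wallet store are constructed; the vp_token is a placeholder for the signed mdoc or SD-JWT presentation, and only top-level JSONPath fields are handled.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# All identifiers, URLs and credential contents below are constructed for this example.
CLIENT_ID = "bank.example"
RESPONSE_URI = "https://bank.example/oid4vp/response"

# DIF Presentation Exchange definition: the PID credential type plus the
# resident_country claim, filtered to Germany. limit_disclosure tells the wallet
# to release only the listed paths from a matching credential.
RESIDENCY_DEFINITION = {
    "id": "residency-de",
    "purpose": "Confirm that you are resident in Germany to open an account",
    "input_descriptors": [{
        "id": "pid-residency",
        "constraints": {
            "limit_disclosure": "required",
            "fields": [
                {"path": ["$.vct"], "filter": {"type": "string", "const": "urn:eudi:pid:1"}},
                {"path": ["$.resident_country"], "filter": {"type": "string", "const": "DE"}},
            ],
        },
    }],
}


def build_request_url(client_id: str, response_uri: str, nonce: str, definition: dict) -> str:
    """RP side: OID4VP authorization request passed by value. Production RPs usually
    send a request_uri pointing at a signed request object instead of inlining it."""
    params = {
        "client_id": client_id,
        "response_type": "vp_token",
        "response_mode": "direct_post",
        "response_uri": response_uri,
        "nonce": nonce,  # bound into the presentation to stop replay
        "presentation_definition": json.dumps(definition, separators=(",", ":")),
    }
    return "openid4vp://?" + urlencode(params)


def parse_request_url(url: str) -> dict:
    """Wallet side: recover the request parameters from the openid4vp:// URL."""
    query = parse_qs(urlparse(url).query)
    request = {key: values[0] for key, values in query.items()}
    request["presentation_definition"] = json.loads(request["presentation_definition"])
    return request


def lookup(claims: dict, path: str):
    """Only top-level "$.name" paths are supported here; PE allows full JSONPath."""
    if not path.startswith("$."):
        raise ValueError(f"unsupported path: {path}")
    return claims.get(path[2:])


def field_matches(value, flt: dict) -> bool:
    """The subset of JSON Schema used by PE filters here: presence, const, enum."""
    if value is None:
        return False
    if "const" in flt:
        return value == flt["const"]
    if "enum" in flt:
        return value in flt["enum"]
    return True


def select_claims(definition: dict, credentials: list):
    """Return {claim: value} for the first stored credential satisfying every field,
    restricted to the requested paths (limit_disclosure), or None if nothing matches."""
    fields = [f for d in definition["input_descriptors"] for f in d["constraints"]["fields"]]
    for credential in credentials:
        values = {f["path"][0]: lookup(credential, f["path"][0]) for f in fields}
        if all(field_matches(values[f["path"][0]], f.get("filter", {})) for f in fields):
            return {path[2:]: value for path, value in values.items()}
    return None


def consent_prompt(request: dict, selected: dict) -> dict:
    """What the wallet shows before anything leaves the device: who asks, why,
    and exactly which attributes (not whole credentials) would be released."""
    return {
        "relying_party": request["client_id"],
        "purpose": request["presentation_definition"].get("purpose", "(no purpose stated)"),
        "attributes": sorted(selected),
    }


def build_response(approved: bool, selected: dict, request: dict) -> dict:
    """Denial is an explicit OAuth-style error, not a dropped connection. The vp_token
    is a placeholder for the signed mdoc/SD-JWT presentation bound to the nonce."""
    if not approved:
        return {"error": "access_denied", "error_description": "user declined"}
    return {
        "vp_token": {"claims": selected, "nonce": request["nonce"]},
        "presentation_submission": {"definition_id": request["presentation_definition"]["id"]},
    }


def residency_demo(approved: bool = True) -> dict:
    """End to end with a constructed wallet holding a PID and an unrelated diploma."""
    url = build_request_url(CLIENT_ID, RESPONSE_URI, "n-0S6_WzA2Mj", RESIDENCY_DEFINITION)
    request = parse_request_url(url)
    wallet = [
        {"vct": "urn:example:diploma", "degree": "MSc"},
        {"vct": "urn:eudi:pid:1", "given_name": "Erika", "birthdate": "1990-01-01",
         "resident_country": "DE", "resident_street": "Heidestrasse 17"},
    ]
    selected = select_claims(request["presentation_definition"], wallet)
    if selected is None:
        return {"error": "no matching credential"}
    prompt = consent_prompt(request, selected)  # rendered to the user before release
    return {"prompt": prompt, "response": build_response(approved, selected, request)}


if __name__ == "__main__":
    print(json.dumps(residency_demo(), indent=2))
```

Two points worth noticing: the street address, name and birthdate in the PID never reach the response even though they live in the same credential, and a non-matching wallet (resident_country "FR") yields no presentation at all rather than a presentation that leaks the mismatching value.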
Architectural Considerations and Didit's Approach
Implementing these principles requires a robust architectural foundation. Didit's platform, designed as an all-in-one identity solution, inherently supports many of these requirements through its modular design and focus on user control.
Modular Identity Primitives
Didit's architecture is built on 18 composable modules, each representing a distinct identity primitive like ID document verification, liveness detection, or AML screening. This modularity directly aligns with granular disclosure. Instead of a monolithic identity check, businesses can select and combine only the necessary modules:
- ID Document Verification: Extracts specific data points (e.g., name, nationality) rather than sharing the entire image.
- Age Estimation: Returns a boolean "is_over_18" derived from a facial age estimate, so no birthdate is collected. It is an estimate rather than an issuer-attested attribute, which suits age gating but not cases that need a signed age_over_18 claim from a wallet.
- Face Match 1:1: Confirms identity against a document photo, but the underlying biometric data is not shared, only a match score.
These modules can be orchestrated through Didit's visual Workflow Builder, allowing businesses to define precise data disclosure requirements for each use case, ensuring only essential information is processed.
Reusable KYC and eIDAS 2.0 Compatibility
Didit's "Reusable KYC" module is a forward-looking feature that aligns with the EUDI Wallet's vision. Users verify once and can then reuse their identity across multiple platforms with biometric re-authentication. The system is designed to be compatible with eIDAS 2.0, meaning it can facilitate the sharing of pre-verified credentials based on user consent, minimizing redundant data disclosures and streamlining user journeys.
Security and Privacy by Design
Didit processes sensitive data like selfies in memory and deletes them, and applications receive booleans (e.g., "match_successful") rather than raw biometrics. This "privacy by default" approach is crucial for building trust in granular disclosure systems, as it ensures that even when data is temporarily used for verification, it is handled with the utmost care and not persistently stored unnecessarily.
The Future of Digital Identity
As the EUDI Wallet gains traction, the demand for APIs that support granular, user-controlled identity disclosure will only grow. Developers and businesses must embrace these principles to build systems that are not only compliant but also foster trust and empower individuals. By focusing on attribute-level requests, leveraging standards, integrating PETs, and prioritizing user consent, we can unlock the full potential of digital identity, making it more private, secure, and efficient for everyone.
How Didit Helps
Didit provides a comprehensive platform that simplifies the implementation of granular identity disclosure. Our modular approach allows you to build custom identity workflows, requesting only the specific data points needed for verification. With features like Age Estimation, reusable KYC, and an API designed with privacy at its core, Didit empowers businesses to comply with upcoming EUDI Wallet requirements and deliver a superior, privacy-preserving user experience. Our commitment to open standards and robust security ensures your identity verification processes are future-proof and trustworthy.
Ready to Get Started?
Explore how Didit's flexible and secure identity platform can enhance your user onboarding and compliance efforts. Visit our pricing page to see our transparent, pay-as-you-go model, or dive into our technical documentation to begin integrating today. For a hands-on experience, check out our demo center or calculate your potential savings with our ROI calculator.