Publish the issuer metadata at /.well-known/openid-credential-issuer including credential_issuer, credential_endpoint, credentials_supported array with format, types, and cryptographic_binding_methods_supported
Implement the authorization code flow with PAR: the wallet sends the credential request parameters via PAR (RFC 9126), receives a request_uri, then redirects the user to the authorization endpoint
Issue a credential offer (credential_offer or credential_offer_uri) for pre-authorized code flow when appropriate; include the pre-authorized_code and tx_code if PIN is required
At the credential endpoint (POST /credentials), validate the Bearer access token, check the credential_identifier or format+types requested, verify the proof of possession JWT (proof.jwt) signed by the wallet's key
Generate the credential (W3C VC, SD-JWT VC, or mDL as requested), sign it, and return {credential, c_nonce, c_nonce_expires_in} in the response
Support the deferred issuance flow: return {acceptance_token} if the credential is not immediately available; implement the deferred endpoint (POST /deferred_credential) for polling
Known gotchas
OID4VCI final spec was approved September 16, 2025; earlier drafts had significant differences in the credential request structure and the proof parameter — check which draft version a given wallet SDK targets before implementing
The proof.jwt must contain an aud matching the credential_issuer URL and a nonce matching the c_nonce issued by the server in the token response; failing either check should return invalid_proof
Do not conflate OID4VCI (issuance) with OID4VP (presentation) — they are separate specifications with different endpoints and flows
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp