Verify ISO 23220-4 Photo ID as mDoc
A Photo ID is a digital identity credential carrying a holder’s core identity data together with a portrait, serving as a general-purpose mobile identity document. It follows the ISO/IEC TS 23220-4 Photo ID profile, which defines the doctype org.iso.23220.photoid.1 and reuses the generic eID data elements from ISO/IEC TS 23220-2, presented here in the mdoc format.
This page provides a presentation template payload for verifying Photo ID credentials.
Creating verifier root X.509 certificate
Before you can create the presentation template for Photo ID verification, you need to set up a verifier root X.509 certificate with a P-256 key.
The certificates guide contains detailed guidance on creating a certificate. We recommend creating your initial certificate through the dashboard.
Alternatively, if your verifier certificate needs to be signed by an external certificate authority, you can create a certificate signing request and import the externally signed certificate into Paradym.
Setting up a trusted entity
To control which issuers you accept Photo ID credentials from, you need to create one or multiple trusted entities configured with the trusted root X.509 certificates used for issuance of the credential. Without a trusted entity linked, the presentation template will accept any issuer.
- If you issued the credential yourself, you can find the issuer root certificate (issuerRoot) in the Paradym dashboard, under the My Certificates section of the “Trust” tab. If you don’t have one yet, see Creating a Root Certificate.
- If the issuer is external, you must obtain the root certificate used for issuance from the issuer, and add it to the trusted entity. If you’re unsure where to find it, ask the issuer of the credential.
Once you have the root certificate, create a trusted entity with it. Note the id of the created trusted entity, as you’ll need it to link the trusted entity to the presentation template below.
Creating the presentation template
We recommend creating this template through the API, as it allows you to exactly copy the payload as defined below. You can also select this as a pre-made template in the dashboard. See the API reference for Create presentation template for more information.
The template below requests a reasonable subset of the Photo ID attributes that covers a typical identity check: name, date of birth, portrait, document validity and issuer details. It deliberately does not request every attribute (such as the VIZ/latin1 duplicates, the full set of age_over_NN flags, or the ICAO data groups in org.iso.23220.datagroups.1). Apply data minimisation and request only the attributes you actually need: for example an age check needs just age_over_18, while an identity check typically needs family_name, given_name, birth_date and portrait. Add or remove entries to match your use case.
The trustedIssuers array below links the trusted entity you created to this credential, so that only credentials issued by that trusted entity are accepted. Replace <TRUSTED_ENTITY_ID> with the id of the trusted entity you created.
{
  "name": "Verify Photo ID",
  "description": "This information is requested to verify your Photo ID",
  "verifier": {
    "signer": "certificate",
    "keyType": "P-256"
  },
  "credentials": [
    {
      "name": "Photo ID",
      "description": "Photo ID compliant with the ISO/IEC TS 23220-4 Photo ID profile",
      "format": "mdoc",
      "type": "org.iso.23220.photoid.1",
      "trustedIssuers": [
        "<TRUSTED_ENTITY_ID>"
      ],
      "attributes": {
        "org.iso.23220.1": {
          "properties": {
            "family_name": {},
            "given_name": {},
            "birth_date": {},
            "portrait": {},
            "issue_date": {},
            "expiry_date": {},
            "issuing_authority": {},
            "issuing_country": {},
            "age_over_18": {},
            "nationality": {},
            "document_number": {},
            "sex": {}
          }
        },
        "org.iso.23220.photoid.1": {
          "properties": {
            "person_id": {},
            "birth_country": {}
          }
        }
      }
    }
  ]
}
Credential template
If you want to issue Photo ID credentials before verifying them, refer to the Photo ID credential template for the credential template setup.
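A presentation template payload like the one in "Creating the presentation template" can be checked before it is sent to the API for the two mistakes that section warns about: a credential with no trusted entity linked (or the <TRUSTED_ENTITY_ID> placeholder left in), and attributes requested beyond what the use case needs. The following is an added example, not Paradym code; the function name, the per-use-case allow-lists and the sample payload are assumptions constructed for illustration.

```python
import json

# Assumption: per-use-case allow-lists, taken from the examples in the text
# (age check -> age_over_18; identity check -> name, birth date, portrait).
NEEDED = {
    "age_check": {"org.iso.23220.1": {"age_over_18"}},
    "identity_check": {"org.iso.23220.1": {"family_name", "given_name",
                                           "birth_date", "portrait"}},
}

def lint_template(template, use_case):
    """Return a list of findings for a template payload; empty means clean."""
    allowed = NEEDED[use_case]
    findings = []
    for cred in template.get("credentials", []):
        label = cred.get("name", "<unnamed>")
        issuers = cred.get("trustedIssuers") or []
        if not issuers:
            # Per the page: without a linked trusted entity any issuer is accepted.
            findings.append(f"{label}: no trustedIssuers, any issuer is accepted")
        for entry in issuers:
            if not isinstance(entry, str) or not entry.strip() or entry.startswith("<"):
                findings.append(f"{label}: trustedIssuers entry {entry!r} looks unreplaced")
        for namespace, spec in cred.get("attributes", {}).items():
            extra = set(spec.get("properties", {})) - allowed.get(namespace, set())
            if extra:
                findings.append(f"{label}: {namespace} over-requests {sorted(extra)}")
    return findings

# Constructed sample: an age check that kept the placeholder and extra attributes.
SAMPLE = json.loads("""
{
  "name": "Age check",
  "credentials": [{
    "name": "Photo ID",
    "type": "org.iso.23220.photoid.1",
    "trustedIssuers": ["<TRUSTED_ENTITY_ID>"],
    "attributes": {
      "org.iso.23220.1": {"properties": {"age_over_18": {}, "portrait": {}}},
      "org.iso.23220.photoid.1": {"properties": {"person_id": {}}}
    }
  }]
}
""")

if __name__ == "__main__":
    for finding in lint_template(SAMPLE, "age_check"):
        print(finding)
```

Run against the constructed sample, the check reports the unreplaced placeholder and the two namespaces that request more than an age check needs.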