Skip to Content
API and DashboardStandards and protocols

Standards and Protocols used by Paradym

Paradym is built on open standards and protocols. For a truly interoperable internet, open standards and protocols are essential.

💡

When integrating with one of the supported wallets or identity ecosystems, the profiles, standards and protocols on this page are supported. This page acts as a guidance for integrating with Custom Wallets, or as reference to the underlying technical stack Paradym is built on. If the wallet you’re integrating with is not listed on the supported wallets page yet, please reach out to us on contact@paradym.id. We’re continuously working to add new wallets to the list of supported wallets. Reference the Country Explorer  for an up-to-date overview of the status of all EU Digital Identity wallets.

Interoperability profiles

Paradym primarily focuses on interoperability based on profiles. A profile bundles a specific set of credential formats, exchange protocols, trust mechanisms, cryptographic choices, and regulatory requirements into a coherent, testable target, so that any issuer, wallet, or verifier aligning with the same profile can interoperate. Profiles can be global (often defined by standard development organizations), or regional (often defined by governments).

The profile is the right starting point when integrating with Paradym: pick the profile your ecosystem or counterparties align with, and the underlying standards follow from it. The following interoperability profiles are currently supported by Paradym:

ProfileDescription
EU Digital Identity (EUDI) / ARF Wallets aligning with the EU Digital Identity (EUDI) framework and its Architecture Reference Framework (ARF) , the basis for the EUDI Wallet under eIDAS 2.0. Built around SD-JWT VC and ISO 18013-5 mDoc credentials exchanged over OpenID4VC, with X.509 / LoTE based trust. This is the recommended profile for EUDI ecosystems. The EUDI stack is built on the High Assurance Interoperability Profile.
High Assurance Interoperability Profile (HAIP) Wallets aligning with the OpenID4VC High Assurance Interoperability Profile. HAIP constrains OpenID4VCI and OpenID4VP to a high-assurance subset (SD-JWT VC and mDoc, key attestation, specific cryptographic choices) for use cases that need a strong, well-defined interoperability target.
Decentralized Identity Interoperability Profile (DIIP) Wallets aligning with the Decentralized Identity Interoperability Profile. DIIP targets decentralized ecosystems, combining SD-JWT VC over OpenID4VC with did:web based issuer identity, and is a good fit for ecosystems that want decentralized identifiers without the full EUDI regulatory scope.
Aries Interoperability Profile v2 (AIP v2) Wallets aligning with the Aries Interoperability Profile v2. AIP v2 is built around AnonCreds credentials exchanged over DIDComm, and supports zero-knowledge proofs and predicates. See the note below before adopting this profile for a new project.

AIP v2 / DIDComm has seen less development in recent years. While Paradym still aims to be fully aligned with Aries Interoperability Profile v2, the other profiles have matured more in several areas. Working with the DIDComm / Aries stack usually involves more complexity, more manual work, and requires a better understanding of the security tradeoffs of your design. For new projects we always recommend adopting one of the other profiles, unless you have specific reasons to adopt the Aries stack (for example existing AnonCreds-based ecosystems, or a need for the zero-knowledge proofs and predicates AnonCreds provides).

Standards and protocols

The profiles above are realized on top of a shared set of open standards and protocols. Just like there are different credential formats, there are different protocols for exchanging verifiable credentials. Choosing a protocol can be dependent on the required functionality or the required interoperability/support you want to achieve.

In practice the EUDI/ARF, HAIP and DIIP profiles are all built on SD-JWT VC / mDoc credentials exchanged over OpenID4VC, and differ mainly in which constraints, trust mechanisms and cryptographic choices they apply on top. The AIP v2 profile is built on AnonCreds credentials exchanged over DIDComm.

SD-JWT VCs / mDoc / OpenID4VC

Used by the EUDI/ARF, HAIP and DIIP profiles.

Description
OpenID for Verifiable Credential IssuanceOpenID for Verifiable Credential Issuance 1.0  (or drafts 11  through 14  for legacy projects) are supported for issuance of verifiable credentials from Paradym to a Holder Wallet. A wallet interacting with Paradym needs to support at least the Pre-Authorized Code Flow  with the jwt proof type. Either did:jwk or did:key are supported as subject identifiers for credentials issued with a DID in jwt proof. For credentials issued with an X509 certificate JWKs are supported as subject in jwt proof.
OpenID for Verifiable PresentationsOpenID for Verifiable Presentations 1.0  (or draft 21  for legacy projects) is used for verification of verifiable credentials in Paradym from a Holder Wallet.
SD-JWT-based Verifiable Credential (SD-JWT VC)SD-JWT-based Verifiable Digital Credentials - Draft 13  is used. SD-JWT Verifiable Credentials provide support for selective disclosure of attributes, increasing end-user privacy.
ISO 18013-5 mDocISO 18013-5 . mDoc credentials provide support for selective disclosure of attributes, and global adoption. Integration of mDoc with OpenID4VP is based on ISO 18013-7 .
Decentralized IdentifiersDecentralized Identifiers  are cryptographically verifiable identifiers not bound to a centralized registry. For issuance of SD-JWT Verifiable Credentials either an X509 certificate is used, or a DID with method did:web, did:webvh, did:cheqd:testnet or did:cheqd:mainnet is used. For subject binding in SD-JWT Verifiable Credentials either a JWK is supported, or a DID with method did:key or did:jwk is supported.
Token Status ListOAuth Status List - Draft 20  is used for revocation of SD-JWT VC and mDoc credentials. Each issued credential is assigned an index in a status list, which the issuer can update to mark a credential as revoked. The status list is hosted publicly by Paradym so that any verifier can check revocation status independently.
OpenID4VC High Assurance Interoperability Profile (HAIP)Hight Assurance Interoperability Profile 1.0  is supported, except for the iss value in the Authorization Response, which is currently not used.

AnonCreds / DIDComm

Used by the AIP v2 profile. See the note above — for new projects we recommend one of the OpenID4VC-based profiles unless you have specific reasons to adopt the Aries stack.

Description
Hyperledger AriesHyperledger Aries is leveraged for a secure and encrypted communication channel between Paradym and a Holder Wallet. The standards used within Hyperledger Aries also defines protocols to issue verifiable credentials from an issuer to a holder, and request presentations from a holder as a verifier.
Hyperledger AnonCredsHyperledger AnonCreds  provides support for zero-knowledge proofs verifiable credentials. Paradym supports issuance and verification of AnonCreds credentials
Decentralized IdentifiersDecentralized Identifiers  are cryptographically verifiable identifiers not bound to a centralized registry. For issuance of AnonCreds credenials did:web, did:webvh, did:cheqd:testnet or did:cheqd:mainnet DIDs are used.
Cheqdcheqd  is a blockchain network, built in the Cosmos ecosystem for Self-Sovereign Identity.
Last updated on