W3C Digital Credentials API publication: the next step to privacy-preserving identities on the web

This week some W3C staff members, including myself, will contribute to a series of conversations about the future of identity on the web at the Global Digital Collaboration in Geneva. The timing is great from a W3C perspective because we have recently published multiple specifications that I believe will contribute to the next chapter of identity on the web. 

Verifiable Credentials 2.0

Credentials such as driver’s licenses, passports, diplomas, and payment methods all play an important role in our daily lives. In a growing number of situations, people want to exchange these credentials digitally, and governments are beginning to push for interoperable technologies to support the demand. The foundation of trust in a credential ecosystem is that parties can cryptographically verify these credentials. I lead W3C’s security activities, and so am particularly focused on the secure exchange of these credentials. 

In May, W3C published version 2 Recommendations of the Verifiable Credentials family of standards (see the press release). These standards enable the secure, privacy-respecting, and cryptographically verifiable expression of digital credentials. 

For flexibility across a broad range of applications and governmental mandates, the new standards support a variety of encoding schemas (e.g., JSON-LD, SD-JWT). The Verifiable Credentials family also provides multiple ways to attach or embed cryptographic proofs to claims. Because the crypto landscape is quickly evolving, the standards are designed to be “crypto-modular” to accommodate emerging cryptographic approaches such as Post-Quantum Cryptography (PQC) and Zero-Knowledge Proofs (ZKP). With selective disclosure and the capability to combine multiple credentials into verified presentations, this model ensures secure, efficient, and privacy-preserving user data management. 

Digital Credentials API

The unifying goal of the standards is to empower people to exchange verifiable information securely, privately, and seamlessly on the web. But how do people exchange these credentials, for example, when prompted by a site to provide a national identity? That is the role of the Digital Credentials API, conceived in the Web Incubator Community Group, and now on the standards track in the Federated Identity Working Group. That group published the First Public Working Draft on 01 July 2025.

The Digital Credentials API enables websites to request credentials, and for users to consent to return credentials that they carry around in digital wallets. Above, I said “seamlessly” and that’s where the user agent (browser typically) plays a critical role. The user experience of understanding what is being requested by a site, selecting from among relevant credentials, consenting to share the credentials, and getting new credentials from issuers (e.g., universities, the department of motor vehicles, a bank) must be excellent, and the browser is uniquely positioned to support that experience. 

Because the Digital Credentials API has been incubated for some time, both Google and Apple are already shipping early implementations, so people can check out demos and conduct experiments. This experimentation will inform the evolution of the specification. 

This is only the First Public Working Draft, and the Working Group still needs to address some important security and privacy issues. For example, one of the hot topics is how to balance data privacy with the ability of the user agent to create a secure credential selection experience. Although the Digital Credentials API already expects credentials to be encrypted and signed by wallets (before being handed back to the user agent as output from the Digital Credentials API), there are ongoing conversations about the role of unlinkability for data input to the API. There is more work to do on this and other topics, and I encourage people to join the Federated Identity Working Group discussions.

The ecosystem

As I mentioned, the APIs being standardized at W3C involve interactions with wallets. The current W3C expectation is that the wallet ecosystem will be enabled by a broader ecosystem of operating systems and standards from partner SDOs, including the FIDO Alliance, OpenID Foundation, IETF, and ISO. A lot of the current push for all of these parties to work together comes from the European Union’s Digital Identity Wallet (EUDI) initiative. A number of large-scale pilots are underway, and they will inform the ultimate EU regulation around the wallet ecosystem.

The Open Wallet Foundation has organized next week’s Global Digital Collaboration to bring together the broader ecosystem, including governments interested in open standards for wallets, certification programs, and a role for governments. W3C is one of the event’s co-organizers, and W3C staff will host sessions on Threat Modeling Digital Wallets, focusing on Privacy, a Holistic Security view for Digital Identities, one focused session on the Digital Credentials API, and one for W3C Verifiable Credentials.

My colleagues and I look forward to joining these conversations to represent core values of the W3C mission, such as those reflected in recent W3C Statements such as Privacy Principles for the Web and Ethical Web Principles. For example, a core principle upheld in the W3C APIs is that users maintain control over their digital identities, which need not correspond directly to their legal identities. W3C emphasizes enabling users to present multiple identities across contexts, including ephemeral or anonymous identities, when necessary. User agents (such as browsers or other user interfaces) thus play a critical role in mediating interactions between users and online services, dynamically ensuring digital privacy and security. This approach balances user protection from undesired identification while facilitating intentional recognition, in simultaneous pursuit of both privacy and usability.

I look forward to sharing my experiences from the conference in a follow-up post.