OwlVerifier
Server-side client for verifying Owl ID SD-JWT VC presentations. Imported from @owlid/sdk.
Constructor
Methods
verify(presentation, challenge, audience?)
Confirm a single-credential SD-JWT VC presentation against a challenge. The platform checks the issuer signature (resolved via did:web against the on-chain issuer_registry), each disclosure's salt-hash, the holder's KB-JWT (audience + nonce binding), nbf/exp, and revocation (IETF Token Status List + on-chain revocation_registry) in a single round trip.
challenge must match what the holder bound into the KB-JWT. If you minted it via mintChallenge(), the platform consumes it atomically — replays fail. Pass audience to also assert the KB-JWT aud.
This is a thin wrapper over verifyDcql that builds a one-entry vp_token. For multi-credential presentations use verifyDcql directly.
verifyDcql(vpToken, challenge, audience?, query?)
Verify a DCQL vp_token (OpenID4VP 1.0 §6 + §8.1). vpToken is a map keyed by DCQL credential id; each value is an SD-JWT VC presentation. Every KB-JWT must be signed over the same challenge.
When query is omitted the platform accepts whatever the holder discloses. Pass a real DCQL query when you need format / meta / claims / credential_sets constraints enforced.
mintChallenge()
Mint a single-use server-managed challenge. The platform stores it and consumes it on the matching verify() call.
If you don't need platform-managed replay protection, you can also pass your own random string straight to verify().
requestPredicates(opts) — declarative one-call QR flow ⭐
Preferred API for the common case: ask the holder to satisfy a list of typed predicates, get back a verified result. No DCQL hand-rolling.
The full Predicates factory:
Each requestPredicates call opens a session, renders the QR via onQr, waits for the holder, runs verification, and returns the merged VerifyDcqlResponse. Browser-only (uses the global WebSocket). For server flows compose openPresentation() + your own WS client + verifyDcql.
buildDcqlRequest(predicates) — get the raw DCQL
Compile predicates to the on-wire DCQL request when you need it (publishing a request_uri, feeding an external wallet, etc.).
requestPresentation(options) — low-level QR flow
Same flow as requestPredicates but takes a raw DcqlRequest. Use this only when you need DCQL features the Predicates factory doesn't cover yet (e.g. credential_sets).
openPresentation() — manual control
If you need to manage the WebSocket yourself:
The session nonce becomes the challenge for the eventual verify() call.
subscribeRevocations(handler)
Browser-only. Subscribes to live revocation events so you can invalidate cached verification results.
In Node, call verifier.revocationFeedUrl() and connect with node:ws directly.
revocationFeedUrl()
Returns the WebSocket URL for the live revocation feed. Useful if you want to manage the connection yourself (Node, custom retry logic, etc.).
listIssuers()
List trusted issuers visible to your account.
listPredicates()
List every predicate the platform can prove. Render your proof selector / consent UI from this list rather than hard-coding claim names.
listCircuitDatasets() / getCircuitDataset(name)
List the set-membership datasets the circuits know about (name + version), or fetch one dataset's full contents. Used by InSet predicates such as nationality:eu.
verifierId()
The verifier's stable OID4VP client_id. Defaults to its baseUrl. Folded into per-verifier salts so two verifiers asking for the same allowed-set produce distinct on-chain attestation keys (anti-cross-verifier correlation on well-known policies).
computeAllowedSetHash(countries)
Off-chain SHA-256 commitment to your verifier-supplied country list. Useful for dashboards counting attestations under your own policy, or for publishing to an off-chain audit registry.
Canonicalises input (sort + dedupe + uppercase) before hashing, so request ordering doesn't matter. Same value the on-chain attestation key is bound to.
attestationKeyFor(credentialId, predicate)
Recompute the on-chain attestation lookup key for a (credential, predicate) pair. Useful for verifier dashboards or off-chain audit tools that need the key without round-tripping /predicates/attested.
Per-verifier salt is automatically folded in for set-membership predicates via verifierId().
Types
Errors
All methods throw on transport / auth failures. verify() itself returns { valid: false, error } for cryptographic failures (untrusted issuer, expired, revoked, KB-JWT audience/nonce mismatch, did:web doc-hash mismatch) — these are a normal part of the flow, not exceptions.