Callback events
The Truvity EUDIW Connector delivers callback events to your callback endpoint during verification and issuance flows. Verification callbacks are sent at the end of the flow. Issuance callbacks are sent at multiple points—when the offer is created and when the flow completes. The status field indicates the outcome.
Verification callback events
The connector delivers a Presented Credentials Event at the end of each presentation flow.
Verification event statuses
| Status | Description |
|---|---|
FULFILLED | Verification succeeded and credentials are available in the event payload |
REJECTED | The wallet declined the presentation request |
EXPIRED | The session expired before the wallet responded |
PROCESSING_ERROR | Internal processing failure (decryption, state validation) |
VERIFICATION_FAILED | Credential verification failed (invalid signatures, DCQL mismatch, transaction data hash failures) |
Verification payload fields by status
The event payload contains different fields depending on the status value.
| Field | FULFILLED | REJECTED | EXPIRED | PROCESSING_ERROR | VERIFICATION_FAILED |
|---|---|---|---|---|---|
status | Always | Always | Always | Always | Always |
state | Always | Always | Always | Always | Always |
credentials | Present | Absent | Absent | Absent | Absent |
credentialsRaw | Present | Absent | Absent | Absent | Absent |
errorDetails | Absent | Present | Absent | Present | Present |
responseCode | Same-device only | Absent | Absent | Absent | Absent |
errorDetails field
The errorDetails field provides context for non-success statuses.
| Status | errorDetails contents |
|---|---|
REJECTED | The wallet's OAuth 2.0 error code and optional description (for example, access_denied or access_denied: User canceled) |
PROCESSING_ERROR | A human-readable description of the internal error (for example, decryption errors or state validation failures) |
VERIFICATION_FAILED | Credential verification failure details (for example, invalid signatures, DCQL mismatches, or transaction data hash failures) |
responseCode field
For same-device flows, the event includes a responseCode field. The wallet redirects the user's browser back to your app with this code as a query parameter, allowing you to correlate the browser redirect with the callback event.
Issuance callback events
The connector delivers Issuance Events at various points during the issuance flow.
Issuance event statuses
| Status | Description |
|---|---|
OFFER_CREATED | Credential offer was created successfully |
ISSUED | Credential successfully issued to the wallet |
FAILED | Issuance failed (issuer unavailable, internal error) |
EXPIRED | Session TTL expired before the wallet completed the flow |
The OFFER_CREATED status is informational—it confirms the offer was created and the session is active. Use it for audit logging or to start a timeout timer in your backend.
Issuance payload fields by status
| Field | OFFER_CREATED | ISSUED | FAILED | EXPIRED |
|---|---|---|---|---|
eventId | Always | Always | Always | Always |
status | Always | Always | Always | Always |
offerId | Always | Always | Always | Always |
errorDetails | Absent | Absent | Present | Absent |
eventId(string)—correlation key tied to the offer lifecycle. Set to the same value asofferId, allowing you to group all status transitions for a single offer. To deduplicate retries of the same callback delivery, combineeventIdwithstatus.status(string)—one ofOFFER_CREATED,ISSUED,FAILED, orEXPIREDofferId(string)—correlation with the original offererrorDetails(string, nullable)—present forFAILEDstatus, describes the failure reason
Issuance payload examples
OFFER_CREATED:
{
"eventId": "abc123def456",
"status": "OFFER_CREATED",
"offerId": "abc123def456"
}
ISSUED:
{
"eventId": "abc123def456",
"status": "ISSUED",
"offerId": "abc123def456"
}
FAILED:
{
"eventId": "abc123def456",
"status": "FAILED",
"offerId": "abc123def456",
"errorDetails": "issuer service error: signing key validation failed"
}
EXPIRED:
{
"eventId": "abc123def456",
"status": "EXPIRED",
"offerId": "abc123def456"
}
Credential object fields
Each entry in the credentials map (present on FULFILLED events) is keyed by the credential ID from the DCQL query. Each value is an array of credential objects with the following fields.
| Field | Type | Description |
|---|---|---|
issuer | string | The value of the credential's iss claim |
claims | object | The disclosed claims requested in the DCQL query, keyed by claim name |
signatureIsValid | boolean | Whether the credential's cryptographic signature is valid |
kbSignatureIsValid | boolean | Whether the key binding signature is valid. Present when the credential includes a key binding proof |
kbKeyId | string | The key identifier from the key binding proof. Present when kbSignatureIsValid is true |
validFrom | string | ISO 8601 timestamp from the credential's iat claim. Present when the credential includes an issued-at time |
validUntil | string | ISO 8601 timestamp from the credential's exp claim. Present when the credential includes an expiration time |
supportRevocation | boolean | Whether the credential includes a Status List revocation entry |
isRevoked | boolean | Whether the credential has been revoked via Status List. Present when supportRevocation: true |
supportTrustAnchor | boolean | Whether the credential was signed with an X.509 certificate chain (x5c header). When true, the isTrusted and isCertificateRevoked fields are also present |
isTrusted | boolean | Whether the certificate chain terminated at a configured trust anchor and the last certificate's signature was verified against it. Present when supportTrustAnchor: true. false when trust anchor verification is off. See Revocation mechanisms |
isCertificateRevoked | boolean | Whether any certificate in the issuer's X.509 chain was found on a CRL. Present when supportTrustAnchor: true. false when trust anchor verification is off. See Revocation mechanisms |
transactionDataHashes | array | Hashes of transaction data included in the presentation. Present when the presentation request included transaction data |
Raw credential object fields
Each entry in the credentialsRaw map (present on FULFILLED events) uses the same key structure as credentials. Each value is an array of raw credential objects with the following fields.
| Field | Type | Description |
|---|---|---|
claims | string | Base64-encoded JSON containing the disclosed claims from the credential. Decode from base64 and then parse as JSON to access claim values |
issuer | string | The value of the credential's iss claim. Present when the credential includes an issuer |
validFrom | string | ISO 8601 timestamp from the credential's iat claim. Present when the credential includes an issued-at time |
validUntil | string | ISO 8601 timestamp from the credential's exp claim. Present when the credential includes an expiration time |
kbKeyId | string | The key identifier from the key binding proof. Present when the credential includes a key binding proof |
transactionDataHashes | array | Base64url-encoded transaction data hashes from the credential. Present when the credential includes transaction data |
Further reading
- Error codes—wallet-facing HTTP error responses
- Handle verification and issuance errors—implement error handling and retry logic for non-success statuses
- Issue a credential—create credential offers and handle issuance callbacks
- Connector architecture—how the connector processes requests and delivers results
- Revocation mechanisms—how credential and certificate revocation checking works