Glossary
This page defines key terms used throughout the Truvity EUDIW Connector documentation. For callback payload field definitions, see Callback events.
EUDI Wallet ecosystem
| Term | Definition |
|---|---|
| Attestation Provider | Organization that issues credentials to wallet holders. Also referred to as "issuer" in protocol contexts. |
| Attestation Rulebook | A specification defining the structure, semantics, and trust requirements for a specific credential type. |
| Attestation Scheme | A specification defining the logical organization of attributes within an attestation, including identifiers, encoding, allowed values, and serialization. |
| Batch Issuance | Issuing multiple instances of the same credential so the holder can use a different instance per presentation, reducing cross-session correlation. |
| EAA | Electronic Attestation of Attributes—any verified credential other than a PID (for example, a diploma or driver's license). |
| Issuance | The process by which the connector creates and delivers a credential to a wallet holder using the OID4VCI protocol. The connector supports the pre-authorized code flow for issuance. |
| PID | Personal Identification Data—government-issued digital identity credential. |
| PID Provider | Organization authorized by a member state to issue PID credentials to wallet holders. |
| PuB-EAA | EAA published under a specific legal basis other than the QTSP framework. |
| QEAA | Qualified EAA—attestations from qualified trust service providers. |
| Relying Party (RP) | Organization verifying credentials presented from a wallet. |
| Relying Party Instance | A specific deployment of hardware and software that a Relying Party uses to interact with Wallet Units. |
| Relying Party Intermediary (RPI) | A role defined by eIDAS 2.0 allowing a third party to act on behalf of a Relying Party. |
| Registrar | An entity designated by a member state to register Relying Parties, PID Providers, and attestation providers. |
| Short-lived Attestation | A credential with a validity period brief enough (typically under 24 hours) that revocation data is not required. |
| Triangle of Trust | A trust model where attestation providers, wallet holders, and Relying Parties establish mutual trust through cryptographic proofs and a shared framework. |
| Wallet Holder | An EU citizen or resident who owns and controls an EUDI Wallet, stores credentials, and decides when and with whom to share them. |
| Wallet Instance | A specific installation of a wallet on a device. |
| Wallet Provider | Organization that develops, operates, and maintains a Wallet Unit. |
| Wallet Unit | The secure app on a user's device that stores and presents credentials. |
| WSCD | Wallet Secure Cryptographic Device—the tamper-resistant component that stores private keys and performs cryptographic operations. |
Protocols and standards
| Term | Definition |
|---|---|
| Authorization Server | The component that issues access tokens to wallets after validating pre-authorized codes and transaction codes. See OID4VCI protocol. |
| DCQL | Digital Credentials Query Language—format for specifying what credentials to request. See DCQL. |
| DPoP | Demonstration of Proof-of-Possession (RFC 9449)—mechanism for sender-constrained access tokens during issuance. See DPoP. |
| ES256 | ECDSA using the P-256 curve and SHA-256, the signing algorithm mandated by HAIP. |
| HAIP | High Assurance Interoperability Profile—security requirements for OID4VP and OID4VCI. See HAIP. |
| JARM | JWT-Secured Authorization Response Mode—encrypts credential delivery from wallet to Relying Party. |
| JWT | JSON Web Token—a compact, URL-safe token format for representing claims between two parties (RFC 7519). |
| Key Binding (KB) | Cryptographic proof that the presenter possesses the private key bound to a credential. See Key binding. |
| mDoc | Mobile Document format based on ISO 18013-5. |
| OAuth 2.0 | Authorization framework (RFC 6749) that OID4VP extends for credential presentation flows. |
| OID4VCI | OpenID for Verifiable Credential Issuance—the protocol for issuing credentials to EUDI Wallets. See OID4VCI protocol. |
| OID4VP | OpenID for Verifiable Presentations—the protocol for requesting and receiving credentials. See OID4VP. |
| SD-JWT | Selective Disclosure JWT—credential format enabling selective disclosure of attributes. See SD-JWT. |
| SD-JWT VC | The Verifiable Credentials profile of SD-JWT, using the format identifier dc+sd-jwt. |
| Status List | A published bitstring where each bit denotes the revocation or suspension status of one credential. See Revocation mechanisms. |
| Token Endpoint | The OAuth 2.0 endpoint where wallets exchange a pre-authorized code for a DPoP-bound access token. |
| VCT | Verifiable Credential Type—a URI identifying the type of an SD-JWT VC credential. |
| Verifiable Credential (VC) | A digitally signed credential issued by an attestation provider. |
Regulatory and compliance
| Term | Definition |
|---|---|
| AML | Anti-Money Laundering—regulations requiring organizations to detect and prevent money laundering. |
| ARF | Architecture Reference Framework—technical blueprint for EUDI Wallet interactions. See ARF overview. |
| Commission Implementing Regulation | Detailed regulations implementing eIDAS 2.0 (for example, CIR 2024/2977, CIR 2024/2979, CIR 2024/2982, CIR 2025/848). |
| Data Minimization | GDPR principle (Article 5(1)(c)) requiring that personal data collection be limited to what is necessary. |
| eIDAS 2.0 | European regulation (EU 2024/1183) establishing the legal framework for EUDI Wallets. See eIDAS 2.0 requirements. |
| GDPR | General Data Protection Regulation (EU 2016/679)—governs processing and protection of personal data. |
| KYC | Know Your Customer—regulatory process requiring identity verification before providing services. |
| PSD2 | Payment Services Directive 2 (EU 2015/2366)—governs electronic payment services and requires SCA. |
| SCA | Strong Customer Authentication—PSD2 requirement mandating two of three authentication factors for electronic payments. |
Connector-specific terms
| Term | Definition |
|---|---|
| AOC | Account Ownership Credential—a credential type used in the connector's tutorials to demonstrate passwordless authentication through key binding. You define your own VCT for production use. |
| Authorization Request | The OID4VP request sent from the connector to a wallet, containing a DCQL query. |
| Callback | The HTTP endpoint that receives Presented Credentials Events and issuance events from the connector. See Callback events. |
| Credential Issuer Metadata | The OID4VCI discovery document served at GET /.well-known/openid-credential-issuer describing the connector's issuer capabilities. See OID4VCI protocol. |
| credential_configuration_id | An OID4VCI identifier that selects which credential type to issue. Must match a credential type configured in the connector's Type Metadata. Passed in the POST /offers request body. |
| Credential offer | An invitation from an issuer to a wallet holder to receive a credential, delivered as a QR code or deep link using the openid-credential-offer:// URI scheme. |
| Credential Set | A DCQL construct defining alternative credential combinations that satisfy a presentation request. |
| Cross-device flow | OID4VP flow where the user scans a QR code on one device with their wallet on another device. |
| Deep link | A URI (for example, openid4vp://) that opens the wallet app directly on the same device. |
| Ephemeral Data Model | Architecture where credential data is never persisted—processed in memory and delivered via callback. See Ephemeral data model. |
| Issuer Signing Certificate | The X.509 certificate used by the connector to sign issued credentials. Must use a separate key pair from the access certificate. See Manage certificates. |
| Management API | The protected API on the connector's internal network interface (port 8081) used to create presentation requests and credential offers. |
| Presentation Response | The wallet's encrypted response containing requested credentials. |
| Presented Credentials Event | The payload delivered to the callback containing verification status and credentials. See Callback events. |
| Same-device flow | OID4VP flow where the user and their wallet are on the same device, using a deep link. |
| Selective disclosure | Privacy mechanism where holders share only the specific attributes requested. See Selective disclosure. |
| Signing Identity Key | The private key associated with a Relying Party's X.509 access certificate, used to sign authorization requests. |
| tx_code | A transaction code providing additional authorization during credential issuance. Configured in the offer request and validated by the authorization server. See Use transaction codes. |
| Type Metadata | A JSON configuration document defining a credential type the connector can issue. See Configure credential types. |
Further reading
- Callback events—payload field definitions and event statuses
- OID4VP protocol—how the presentation protocol works
- OID4VCI protocol—how the issuance protocol works
- Connector architecture—system design and component interactions
- eIDAS 2.0 requirements—regulatory context