PID-Provider
Release notes
February 04, 2026
1.19.0
- Stores personal eID data as encrypted and signed JWT
- Improves internal handling of blocked eIDs
January 21, 2026
1.18.0
- Adds /health endpoint for external health check
- Adjusts values for
source_document_typein PID - Removes
age_in_yearsandage_birth_yearfrom PID
January 08, 2026
1.17.1
- Sets
ValidityInfoattributesvalidFromandsignedin MSO-mDoc to same value
January 06, 2026
1.17.0
- Adjusts
vctvalue for SD-JWT - Rounds timestamps for
iatandexpin SD-JWT - Rounds timestamps for
ValidityInfoattributesvalidFromandvalidUntilin MSO-mDoc
December 15, 2025
1.16.1
- Adds missing parameters
client_attestation_signing_alg_values_supportedandclient_attestation_pop_signing_alg_values_supportedfor client attestation to the OAuth authorization server metadata - Fixes intermittent "Invalid code verifier" errors in PKCE verification
December 10, 2025
1.16.0
- Removes validation of the
issclaim in the Client Attestation JWT - Adds Cache-Control and Pragma headers to authorization server responses
November 24, 2025
1.15.0
- Changes URLs and certificates for root and issuance
- Adjusts
birth_placeandnationalityin PID according to PID-Rulebook 1.3 - Removes trust anchor from SD-JWT VC and MSO mdoc certificate chain in header
November 15, 2025
1.14.3
- Removes undefined parameters
vctanddoctypefrom credential request body - Fixes structure of
credentialsin credential response - Changes the key attestation validation to comparison of JWK thumbprint instead of whole JWK
November 12, 2025
1.14.1
- Removes the check whether Client Attestation key and DPoP key are the same
November 10, 2025
1.14.0
- Makes DPoP key-attestation optional
- Adds the server identity to the authorization request
- Renders mDoc birth_date as DATE data type
- Increases length of random secure string to 44 for AuthorizationCode, AccessToken, Redirect Uri, DPoPNonce, CNonce and IssuerState
October 29, 2025
1.13.0
- Fixes faulty check if expiration time claim in the client attestation JWT is too far in the future
- Removes check for expiration time claim in the client attestation PoP JWT
October 14, 2025
1.12.0
- Adds a restriction to ensure that number of attested keys does not exceed the maximum batch size
- Fixes the metadata response for jwt accept header
September 30, 2025
1.11.0
- Supports longer-lived key attestations for DPoP
- Provides signed issuer metadata
- Introduces the
source_document_typefield to the PID - Renames the key attestation type to
key-attestation+jwt - Adds a credential error response:
unknown_credential_configuration - Includes examples of eID requests and responses in the documentation
- Updates issuer certificate used to sign the credentials in the documentation
September 16, 2025
1.10.0
- Adds rejection for eIDs without full birthdate
- Fixes serialization of attested keys as JSON object
- Restructures the api-documentation to improve the navigation
September 03, 2025
1.9.0
- Adds Key Attestation validation for DPoP JWTs at the token endpoint
- Adjusts metadata for client authentication method
- Removes flow-variant (c1) from paths and metadata
- Includes release dates in the release notes
August 20, 2025
1.8.0
- Removes all flows except C'
- Sets
DEas default nationality if it's not present in eID-data - Adds support for Key Attestation as proof type
- Updates Wallet Attestation to use
OAuth-Client-AttestationandOAuth-Client-Attestation-PoPheaders and removes support forclient_assertionrequest parameter - Adds decoy elements in nationalities for SD-JWT
- Makes SD-JWT credential object claims selectively disclosable
August 11, 2025
1.7.0
- Changes credential format identifier from
vc+sd-jwttodc+sd-jwt - Adds an option to use
credential_configuration_idin the credential request - Adds nonce endpoint and removes
c_nonceandc_nonce_expiresfrom credential and token responses - Adds wallet attestations as defined in annex E of OpenID4VCI (draft 15), but still using client_assertion and client_assertion_type request parameters
- Enables non-breaking extensibility for PAR, token requests and credential requests (fixes #375)
- Changes credential response to always return an array
December 16, 2024
1.6.0
- Provides
batch_credential_issuance.batch_sizeinformation in Credential Issuer Metadata - Publishes Verifiable Credential Type metadata under /credentials/pid/1.0 and
adapts
vctclaim in SD-JWT format PIDs accordingly - Implements basic PID revocation on user request:
- Provides a revocation web app via /revocation
- Provides a status list service according to Token Status List (draft-ietf-oauth-status-list-05) via /status
- Integrates revocation status retrieval information according to Token Status List (draft-ietf-oauth-status-list-05) into PIDs in both, SD-JWT and MSO mdoc formats
October 08, 2024
1.5.0
- Adapts flow variant B' according to Architecture Proposal for the German eIDAS Implementation –
Release V2.2:
- Accept grant type
urn:ietf:params:oauth:grant-type:seed_credentialfor token request - Issue seed credential and initialize PIN retry counter on credential instead of finish authorization request
- Expect and verify PIN and device key signed nonces as JWTs for seed and final credential issuance
- Rename nonce to session endpoint and provide its URL in credential issuer metadata
- Accept grant type
- Adapts both, flow variant B and flow variant B' according to Architecture Proposal for the German eIDAS Implementation –
Release V2.2:
- Use credential format
mso_mdoc_authenticated_channelfor authenticated channel flows - Pass in relying party's ephemeral public key through JSON attribute
verifier_pubin credential request
- Use credential format
August 20, 2024
1.4.0
- Adds flow variant B' with PIN management.
- Adds flow variant C''.
- Disables client attestation for all flow variants, except flow variant B'.
August 05, 2024
1.3.0
- Adds flow variant B' with seed credential, but still without PIN management.
July 23, 2024
1.2.0
- Adds flow variant B with HMAC authenticated SD-JWT and MSO mdoc credentials.
July 15, 2024
1.1.0
- Adds flow variant C' with seed credential.
- Adds batch issuance on credential endpoint to flow variant C and C'.
- Disables client attestation for flow variant C.
- Requires DPOP for flow variants C and C'.
- Supports credential format MSO mdoc for flow variants C and C'.
July 15, 2024
1.0.0
- Published Increment 1 of the PID Issuer for SPRIND Funke EUDI Wallet Prototype.
- A detailed feature description can be found on the flow variant and the credential format pages.