What Is a Presentation Request, and Who Controls What Gets Asked For?
Resident control begins before a credential is presented, with rules that determine what information can be requested.
When a government agency decides to issue verifiable digital credentials, one of the first technical decisions is the format of those credentials. It is a choice that shapes what wallets can hold the credential, what verifiers can process it, what privacy features are available, and what the migration path looks like if requirements change years down the road. It is also a decision in which the trade-offs are worth understanding before committing to a direction.
What is a Credential Format?
A credential format is the technical specification that defines how a verifiable digital credential is structured, encoded, and signed. It determines the rules for how claims are expressed, how the issuer's signature is attached, and how a verifier confirms the credential is genuine.
Think of it as the file type for a digital credential. Just as a PDF and a Word document can contain the same text but have different properties and work with different software, credentials in different formats can convey the same claims but have meaningfully different capabilities, compatibility profiles, and implementation requirements.
The format choice touches interoperability, privacy, and the long-term flexibility of a program, which is why it is worth treating as a program decision, not just a technical one.
The Main Formats in Use Today
Four credential formats are most relevant to government and enterprise programs today.
ISO/IEC 18013-5 and 18013-7 (mDLs): These international standards were developed specifically for mobile driver's licenses. They carry strong government adoption, TSA acceptance, and a standardized presentation flow for travel and age verification, with both online and offline presentation modes defined. The scope is intentionally narrow - the format was designed for driver's licenses, which makes it well-suited to that use case and less directly applicable to other credential types. Best fit: state DMVs, airports, traffic enforcement, and age verification at the point of sale.
ISO/IEC 23220 (mdocs): This extends the ISO framework beyond driver's licenses to encompass a broader range of mobile documents, including passports, residence permits, and other government-issued documents. It shares the same underlying technical approach as mDL but is designed for wider applicability. Adoption is growing, but not yet as widespread as mDL. Best fit: immigration, cross-border travel, and civil registries looking for a consistent ISO-based approach across credential types.
W3C Verifiable Credentials: The W3C VC data model provides a flexible, broadly applicable framework for any type of verifiable digital credential. It supports advanced privacy techniques and is highly extensible. Interoperability across implementations can vary depending on the security mechanism and credential format profile used, so strong governance and profile alignment matter. As explored in How Do Verifiable Digital Credentials Work? A Non-Technical Explanation, the W3C model is designed to be issuer-agnostic and use-case-agnostic. Best fit: governments experimenting with general-purpose digital ID, universities, employers, and financial services.
SD-JWT (Selective Disclosure JWT): bring privacy-preserving features to the massive JWT ecosystem already used in enterprise IT. They enable easy adoption without new infrastructure and support selective disclosure. However, they have limited expressive power compared to VCs and are less mature for long-term portability. Best fit: enterprises, healthcare, fintech, where JWTs are already dominant.
The Tradeoffs Worth Understanding
No single format is the right fit for every program. The decision usually turns on four considerations:
Verifier ecosystem: A credential format that is not widely supported in the target ecosystem typically means additional integration work, translation layers, new verifier integrations, or both. It is worth asking early which other systems in the ecosystem have already committed to the format being considered.
Privacy features: Not all formats support selective disclosure natively. If a program involves credentials with sensitive attributes that should not always be disclosed in full, the format needs to support attribute-level disclosure.
Implementation complexity: Simpler formats are easier to implement and debug, which affects both time to deployment and the vendor ecosystem available to support the program. More expressive formats offer more capability but require more specialized tooling.
Migration: This is the tradeoff that is easiest to underweight at the start of a program. Changing credential formats after a program is live could require reissuing all credentials, which means re-enrolling holders or running a parallel transition period. Understanding this early helps programs make the format decision with a clearer picture of what a future change would involve.
Interoperability Without Lock-In: Why Standards Matter addresses why open standards and documented format choices reduce the risk of being locked into a decision that is difficult to revisit.
What to Specify in Procurement
Agencies evaluating credential systems are well served by specifying the format requirement before going to market, and by requiring vendors to document which version of the relevant specification they implement and how they handle format changes over time.
It is also worth identifying early in the process which other systems (within the agency, across agencies, and in the verifier ecosystem) will need to accept credentials in the chosen format, and whether those systems are already capable of doing so or will require additional integration work.
The format choice is a program decision as much as a technical one, and understanding it tends to produce better outcomes than leaving it to vendor defaults. SpruceID has worked with states issuing credentials across multiple formats and can help agencies determine which approach best fits their requirements. If you are at an early stage of that decision, get in touch.
Building digital services that scale take the right foundation.
About SpruceID: SpruceID builds digital trust infrastructure for government. We help states and cities modernize identity, security, and service delivery — from digital wallets and SSO to fraud prevention and workflow optimization. Our standards-based technology and public-sector expertise ensure every project advances a more secure, interoperable, and citizen-centric digital future.
