# Aadhaar SD-JWT Specifications ## **1. Introduction** This document defines the **Aadhaar Verifiable Credential (VC)** format in accordance with the **Selective Disclosure JSON Web Token (SD-JWT)** standard ([RFC 9901](https://datatracker.ietf.org/doc/rfc9901/)). The credential allows Aadhaar Number Holders (ANHs) to present Aadhaar demographic attributes in a **privacy-preserving**, **cryptographically verifiable**, and **selectively disclosable** format. The specification is aligned with: * **IETF SD-JWT** ([RFC 9901](https://datatracker.ietf.org/doc/rfc9901/)) * **W3C Verifiable Credentials** (v1) * **OpenID4VP** for verifiable presentation This document covers **only** the SD-JWT credential structure. ## **2. High-Level Structure** An SD-JWT Credential is delivered as: ``` ~ ``` Where: * The **issuer-signed component** contains digests of claims. * The **disclosures** contain claim plaintexts that the holder chooses to reveal. ## **3. Protected Header Requirements** The SD-JWT **protected header** contains: ``` { "alg": "ES256", "typ": "vc+sd-jwt", "kid": "abcd12354" } ``` #### Whereas * **alg** * **ES256**. * **typ** * `vc+sd-jwt` as per SD-JWT standard. * **kid** * References the UIDAI issuer signing key stored in the JWKS endpoint. ## **4. Issuer-Signed Payload (SD-JWT)** The payload includes: ### **4.1 Mandatory Fields** | Field | Type | Description | | --------- | ------ | -------------------------------------- | | `iss` | string | `https://uidai.gov.in` | | `id` | string | Unique credential identifier (UUID v4) | | `iat` | number | UNIX timestamp of issuance | | `exp` | number | UNIX timestamp of expiry | | `status` | string | URL to status endpoint | | `_sd_alg` | string | `SHA-256` | | `_sd` | array | Salted claim digests | | `cnf` | object | Holder-binding JWK | ### **4.2 Holder Binding (`cnf.jwk`)** The credential binds to a public key controlled by the holder (aadhaar app). Supported key types: * EC P-256 ``` "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "", "y": "", "kid": "", "alg": "ES256" } } ``` ## **5. Claim Encoding and Selective Disclosure** Aadhaar demographic attributes are encoded using **salted-hash digests**. ### **5.1 Claim Process** For every claim: ``` digest = SHA-256( base64url(salt) || base64url(name) || base64url(value) ) ``` The digest is included in `_sd`. The corresponding disclosure is: ``` [name, value, salt] ``` #### Example digest list: ``` "_sd": [ "Pwb8CAFTk6KYrhJDNzdW37MFZJ-sxaHAf0Q7AGZrwXg", "wuj7vq4gOtFPsuhYivf6mHi1O9xcmKhs-TOHDTGlaAM", ... ] ``` ## **6. Aadhaar Claim Set** All listed claims are **selectively disclosable (Y)** — meaning the holder can share them individually. | **Field** | **Description / Meaning** | **Selectively Disclosable** | | --------------------- | ------------------------------------------------- | --------------------------- | | CredentialIssuingDate | Credential Issuance Date | Y | | EnrolmentDate | Enrolment Date | Y | | EnrolmentNumber | Enrolment Number | Y | | IsNRI | Whether the Resident is an NRI or not | Y | | IsResidentForeigner | Whether the resident is a foreign national | Y | | AadhaarType | Type of Aadhaar (RF / NRI / IN) | Y | | AadhaarExpiresOn | Date of Expiry for the Aadhaar | Y | | MaskedUID | Masked UID of Resident | Y | | ResidentName | Name of the Aadhaar Holder | Y | | LocalResidentName | Local language name of the Aadhaar Holder | Y | | Dob | Date of Birth | Y | | Email | Email ID of resident | Y | | MaskedEmail | Masked Email | Y | | Mobile | Mobile number | Y | | MaskedMobile | Masked mobile number | Y | | Gender | Gender of the Aadhaar Holder | Y | | ResidentImage | Photo of the Aadhaar holder | Y | | AgeAbove18 | Is age above 18 years? | Y | | AgeAbove50 | Is age above 50 years? | Y | | AgeAbove60 | Is age above 60 years? | Y | | AgeAbove75 | Is age above 75 years? | Y | | CareOf | Guardian / Head of Family name | Y | | LocalCareOf | Guardian / HOF name in local language | Y | | Building | Building details | Y | | LocalBuilding | Building details in local language | Y | | Locality | Locality details | Y | | LocalLocality | Locality in local language | Y | | Street | Street details | Y | | LocalStreet | Street in local language | Y | | Landmark | Landmark details | Y | | LocalLandmark | Landmark in local language | Y | | Vtc | Village / Town / City | Y | | LocalVtc | Village / Town / City in local language | Y | | SubDistrict | Sub-district details | Y | | LocalSubDistrict | Sub-district in local language | Y | | District | District details | Y | | LocalDistrict | District in local language | Y | | State | State details | Y | | LocalState | State in local language | Y | | PoName | Post Office Name | Y | | LocalPoName | Post Office name in local language | Y | | Pincode | Pin code | Y | | Address | Full address (individual fields also disclosable) | Y | | RegionalAddress | Address in local language | Y | ## **8. Credential Status** The `status` field contains a stable URL that returns signed VC status metadata. ``` https://pehchaan.uidai.gov.in/credentials/status/ ``` Status values: * `active` * `suspended` * `revoked` Status response is digitally signed. ## 9. Example SD-JWT Payload (Normalised) ``` { "iss": "https://uidai.gov.in", "id": "02bf1830-46e4-4564-b5ca-734280901673", "iat": 1711805307, "exp": 1711895307, "status": "https://pehchaan.uidai.gov.in/credentials/status/02bf1830-46e4-4564-b5ca-734280901673", "cnf": { "jwk": { "kty": "EC", "crv": "P-256", "x": "", "y": "", "kid": "", "alg": "ES256" } }, "_sd_alg": "SHA-256", "_sd": [ "Pwb8CAFTk6KYrhJDNzdW37MFZJ-sxaHAf0Q7AGZrwXg", "wuj7vq4gOtFPsuhYivf6mHi1O9xcmKhs-TOHDTGlaAM", ... ] } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.uidai.gov.in/readme/verifiable-credential-specifications/aadhaar-sd-jwt-specifications.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.