Aadhaar SD-JWT Specifications

This page defines the specifications of Aadhaar SD-JWT

1. Introduction

This document defines the Aadhaar Verifiable Credential (VC) format in accordance with the Selective Disclosure JSON Web Token (SD-JWT) standard (RFC 9901). The credential allows Aadhaar Number Holders (ANHs) to present Aadhaar demographic attributes in a privacy-preserving, cryptographically verifiable, and selectively disclosable format.

The specification is aligned with:

IETF SD-JWT (RFC 9901)
W3C Verifiable Credentials (v1)
OpenID4VP for verifiable presentation

This document covers only the SD-JWT credential structure.

2. High-Level Structure

An SD-JWT Credential is delivered as:

<issuer-signed-sd-jwt> ~ <disclosures...>

Where:

The issuer-signed component contains digests of claims.
The disclosures contain claim plaintexts that the holder chooses to reveal.

3. Protected Header Requirements

The SD-JWT protected header contains:

{
  "alg": "ES256",
  "typ": "vc+sd-jwt",
  "kid": "abcd12354"
}

Whereas

alg
- ES256.
typ
- vc+sd-jwt as per SD-JWT standard.
kid
- References the UIDAI issuer signing key stored in the JWKS endpoint.

4. Issuer-Signed Payload (SD-JWT)

The payload includes:

4.1 Mandatory Fields

Field

Type

Description

iss

string

https://uidai.gov.in

id

string

Unique credential identifier (UUID v4)

iat

number

UNIX timestamp of issuance

exp

number

UNIX timestamp of expiry

status

string

URL to status endpoint

_sd_alg

string

SHA-256

_sd

array

Salted claim digests

cnf

object

Holder-binding JWK

4.2 Holder Binding (`cnf.jwk`)

The credential binds to a public key controlled by the holder (aadhaar app).

Supported key types:

EC P-256

"cnf": {
  "jwk": {
    "kty": "EC",
    "crv": "P-256",
    "x": "<base64url>",
    "y": "<base64url>",
    "kid": "<holder-key-id>",
    "alg": "ES256"
  }
}

5. Claim Encoding and Selective Disclosure

Aadhaar demographic attributes are encoded using salted-hash digests.

5.1 Claim Process

For every claim:

digest = SHA-256( base64url(salt) || base64url(name) || base64url(value) )

The digest is included in _sd.

The corresponding disclosure is:

[name, value, salt]

Example digest list:

"_sd": [
  "Pwb8CAFTk6KYrhJDNzdW37MFZJ-sxaHAf0Q7AGZrwXg",
  "wuj7vq4gOtFPsuhYivf6mHi1O9xcmKhs-TOHDTGlaAM",
  ...
]

6. Aadhaar Claim Set

All listed claims are selectively disclosable (Y) — meaning the holder can share them individually.

Field

Description / Meaning

Selectively Disclosable

CredentialIssuingDate

Credential Issuance Date

EnrolmentDate

Enrolment Date

EnrolmentNumber

Enrolment Number

IsNRI

Whether the Resident is an NRI or not

IsResidentForeigner

Whether the resident is a foreign national

AadhaarType

Type of Aadhaar (RF / NRI / IN)

AadhaarExpiresOn

Date of Expiry for the Aadhaar

MaskedUID

Masked UID of Resident

ResidentName

Name of the Aadhaar Holder

LocalResidentName

Local language name of the Aadhaar Holder

Dob

Date of Birth

Email ID of resident

MaskedEmail

Masked Email

Mobile

Mobile number

MaskedMobile

Masked mobile number

Gender

Gender of the Aadhaar Holder

ResidentImage

Photo of the Aadhaar holder

AgeAbove18

Is age above 18 years?

AgeAbove50

Is age above 50 years?

AgeAbove60

Is age above 60 years?

AgeAbove75

Is age above 75 years?

CareOf

Guardian / Head of Family name

LocalCareOf

Guardian / HOF name in local language

Building

Building details

LocalBuilding

Building details in local language

Locality

Locality details

LocalLocality

Locality in local language

Street

Street details

LocalStreet

Street in local language

Landmark

Landmark details

LocalLandmark

Landmark in local language

Vtc

Village / Town / City

LocalVtc

Village / Town / City in local language

SubDistrict

Sub-district details

LocalSubDistrict

Sub-district in local language

District

District details

LocalDistrict

District in local language

State

State details

LocalState

State in local language

PoName

Post Office Name

LocalPoName

Post Office name in local language

Pincode

Pin code

Address

Full address (individual fields also disclosable)

RegionalAddress

Address in local language

8. Credential Status

The status field contains a stable URL that returns signed VC status metadata.

https://pehchaan.uidai.gov.in/credentials/status/<credential-id>

Status values:

active
suspended
revoked

Status response is digitally signed.

9. Example SD-JWT Payload (Normalised)

{
  "iss": "https://uidai.gov.in",
  "id": "02bf1830-46e4-4564-b5ca-734280901673",
  "iat": 1711805307,
  "exp": 1711895307,
  "status": "https://pehchaan.uidai.gov.in/credentials/status/02bf1830-46e4-4564-b5ca-734280901673",

  "cnf": {
    "jwk": {
      "kty": "EC",
      "crv": "P-256",
      "x": "<base64url-x>",
      "y": "<base64url-y>",
      "kid": "<holder-key-id>",
      "alg": "ES256"
    }
  },

  "_sd_alg": "SHA-256",
  "_sd": [
    "Pwb8CAFTk6KYrhJDNzdW37MFZJ-sxaHAf0Q7AGZrwXg",
    "wuj7vq4gOtFPsuhYivf6mHi1O9xcmKhs-TOHDTGlaAM",
    ...
  ]
}

PreviousISO 18013-5 Aadhaar mDoc Specs NextApp-to-App Credential Flows

Last updated 1 month ago

hashtag1. Introduction

hashtag2. High-Level Structure

hashtag3. Protected Header Requirements

hashtagWhereas

hashtag4. Issuer-Signed Payload (SD-JWT)

hashtag4.1 Mandatory Fields

hashtag4.2 Holder Binding (cnf.jwk)

hashtag5. Claim Encoding and Selective Disclosure

hashtag5.1 Claim Process

hashtagExample digest list:

hashtag6. Aadhaar Claim Set

hashtag8. Credential Status

hashtag9. Example SD-JWT Payload (Normalised)

1. Introduction

2. High-Level Structure

3. Protected Header Requirements

Whereas

4. Issuer-Signed Payload (SD-JWT)

4.1 Mandatory Fields

4.2 Holder Binding (`cnf.jwk`)

5. Claim Encoding and Selective Disclosure

5.1 Claim Process

Example digest list:

6. Aadhaar Claim Set

8. Credential Status

9. Example SD-JWT Payload (Normalised)