Interoperability with the swiyu Public Beta
This page displays the latest results of our interop testing with the Beta Credential Service (BCS) and wallet from the Swiss e-ID administration. The Public Beta is used to test the planned e-ID technology stack and offers:
- Issuer service
- Verifier service
- "swiyu" wallet for iOS and Android
- Base Registry for onboarding issuers and verifiers, managing public keys, and maintaining credential status lists
- Trust Registry to manage verification status of issuers and verifiers
What we test
| Category | Tested |
|---|---|
| Credential formats | IETF SD-JWT VC |
| Exchange protocols |
|
| Schemas | The BCS Issuer offers one credential schema for issuance and verification. We also test issuing with other schemas to the swiyu wallet. |
| DID creation and resolution | The Public Beta uses draft 0.3 of did:webvh for identification. |
| Revocation | Token Status List |
Components
| Component | Version |
|---|---|
| BCS Issuer | 2025.05.16 |
| BCS Verifier | 2025.05.16 |
| swiyu iOS Wallet | v1.6.2, build 837 |
| swiyu Android Wallet | v1.3.0, build 615 |
| Procivis One Core | 1.52.4 and associated Wallet and Verifier apps |
Results
The following results were obtained on or before 2025.05.16. The BCS Issuer and Verifier services do not provide version information but we assume they are deployments of particular configurations of the generic issuer and verifier services.
| Color | Meaning |
|---|---|
| Working | |
| Expected to work pending a known upcoming change | |
| Not working |
Issuance and verification
The external components tested here are maintained by third parties and may be updated without notice. Our test results include compatibility adjustments that may become outdated if upstream changes are deployed. We update these test results periodically but cannot guarantee they reflect the current state of all external dependencies.
| Issuer | Holder | Verifier | Status | Comment |
|---|---|---|---|---|
| BCS Issuer | Procivis One | Procivis One | This flow also works using the Procivis One Verifier app. | |
| BCS Issuer | Procivis One | BCS Verifier | ||
| BCS Issuer | swiyu iOS | Procivis One | ||
| BCS Issuer | swiyu Android | Procivis One | ||
| Procivis One | Procivis One | BCS Verifier | Not working due to the BCS configuration. We are working on guidelines explaining how to set up the generic verifier for interoperability. | |
| Procivis One | swiyu iOS | Procivis One | ||
| Procivis One | swiyu iOS | BCS Verifier | Not working due to the BCS configuration. We are working on guidelines explaining how to set up the generic verifier for interoperability. | |
| Procivis One | swiyu Android | Procivis One | ||
| Procivis One | swiyu Android | BCS Verifier | Not working due to the BCS configuration. We are working on guidelines explaining how to set up the generic verifier for interoperability. |
Revocation
Revocation and suspension works for all flows.
Test the Procivis One Wallet
With the release of v1.53 the Procivis One Wallet available in the app stores can receive the Beta-ID from the BCS Issuer and be verified by the BCS Verifier.
Test with the Trial environment
You can test the flows yourself using the Trial environment.
If you are completely new to the Procivis One Desk and the trial environment you may wish to complete some of the tutorials first.
Create your key and DID
If you want to set up testing as quickly as possible, and you are okay with not being a "trusted verifier", you can use the "Unverified" instructions below for creating keys and a DID.
If you want to show up in the swiyu wallet as a "trusted verifier", use the "Verified" instructions below.
- Unverified
- Verified
Create an ECDSA key:
- In the Procivis One Desk go to "Identifiers", choose the "Keys" tab and select "+ New".
- Use ECDSA.
Create a
did:webvh:- Switch to the "Identifiers" tab and select "+ New".
- Choose "DID" as the type and "did:webvh" as the Method.
- Leave "External Hosting URL" empty.
- On the "Keys" selection screen select your ECDSA key from Step 1 and delete all Roles except "Authentication" and "Assertion method".
Follow the swiyu onboarding instructions up to and including "Create a DID space". Store the URL of your "DID space" for later use. Once you get to the step to create a DID, you will return to Procivis One and create it there.
Create an ECDSA key:
- In the Procivis One Desk go to "Identifiers", choose the "Keys" tab and select "+ New".
- Use ECDSA.
Create a
did:webvh:- Switch to the "Identifiers" tab and select "+ New".
- Choose "DID" as the type and "did:webvh" as the Method.
- Input your "DID space" URL for "External Hosting URL".
- On the "Keys" selection screen select your ECDSA key from Step 2 and delete all Roles except "Authentication" and "Assertion method".
Get the DID ID:
- Get the identifer ID from the browser URL (
/identifier/{{id}}) - Call the identifier detail API with
the identifier ID; the Desk frontend makes this call when you select
the DID from the identifiers list so the
didIdis also available in the browser's network tab.
- Get the identifer ID from the browser URL (
Upload the DID log to your swiyu "DID space":
- Use a curl call to fetch the DID log, making sure to reference the DID ID from step 4:
curl -L 'https://desk.trial.procivis-one.com/ssi/did-webvh/v1/{{didId}}/did.jsonl' \
-H 'Accept: application/json' \- Follow the swiyu instructions for uploading the DID log.
Continue the swiyu instructions to "Become a trusted participant" by completing their online form. As soon as that is completed, your verification requests will appear with a green check mark.
Create a credential schema
Create a credential schema in the Procivis One Desk, keeping in mind the following restrictions:
- For "Wallet key storage type" choose either "Hardware" or "Software".
- Remote Secure Element does not work with the Public Beta.
- The swiyu wallet will ignore this request while the Procivis One Wallet will respect it.
- For "Credential format" choose "IETF SD-JWT VC (SWIYU)".
- For "Revocation method" choose "Token Status List" or "None".
- For "Document type" input the type of credential using only URL-safe
characters, then choose "Next step". - As a rule-of-thumb, use
A-Z,a-z,0-9,-,_,., or~. Do not use spaces.
Your credential design choices will be ignored by the swiyu wallet and respected by the Procivis One Wallet.
Issue
Use your credential schema to issue a credential, keeping in mind the following restrictions:
- For "Exchange" choose "OpenID4VCI (SWIYU)".
- For "Issuer" choose the
did:webvhyou created earlier.
Verify
Create a proof schema in the Procivis One Desk making sure to select the credential schema created earlier. When you make a request with your new proof schema, keep in mind the following restrictions:
- For "Exchange" choose "OpenID4VP draft 20 (SWIYU)".
- For "Verifier" choose the DID you created earlier.
Set it up yourself
With the release of v1.53 of the Core the configured interop elements are enabled by default. The relevant configuration adjustments are explained here.
- The BCS Issuer and Verifier frontend does not display version information. We try to include testing date information and assume the GitHub release versions are related.
Configuration
Credential format
We made small modifications to our SD-JWT VC credential formatter to enable interop with the Public Beta. To enable these modifications in the configuration we create a new instance of the format and set it to swiyu mode:
format:
SD_JWT_VC_SWIYU: // Give it a swiyu specific name
type: "SD_JWT_VC" // Use the normal format type
display:
en: "IETF SD-JWT VC (SWIYU)"
order: 201
params:
public:
leeway: 60
embedLayoutProperties: true
swiyuMode: true // Enable necessary format changes
OID4VCI
We made a new version of our OID4VCI draft 13 provider to enable interop with the Public Beta. To enable these modifications in the configuration we create an instance of this new type of issuance protocol and set two parameters:
- The swiyu wallet expects the entire credential offer to be encoded in the issuance QR code. Since our system normally provides claim value previews, and these previews would make the resulting QR code too large to be scannable, we use a parameter to withhold the value preview.
The swiyu wallet shows claim value previews because it automatically accepts the credential as soon as you scan the offer; declining the offer deletes the credential from the wallet but it still exists in the issuer's system.
The Procivis One Wallet previews the offer and allows the wallet user to accept or reject the offered credential.
- We set the URL scheme used by the Beta so the swiyu wallet knows how to parse the offered credential.
issuanceProtocol:
OPENID4VCI_DRAFT13_SWIYU:
display:
en: "OpenID4VCI (SWIYU)"
de: "OpenID4VCI (SWIYU)"
order: 2
type: "OPENID4VCI_DRAFT13_SWIYU" // New type with specific modifications
params:
public:
urlScheme: swiyu // URL scheme used by Beta
credentialOfferByValue: true // Prevent claim value preview
preAuthorizedCodeExpiresIn: 300
tokenExpiresIn: 86400
refreshExpiresIn: 7776000
redirectUri:
enabled: true
allowedSchemes: ["https"]
OID4VP
We made a new version of our OID4VP draft 20 provider to enable interop with the Public Beta. To enable these modifications in the configuration we create an instance of this new type of verification protocol and set a few parameters:
-
The Public Beta only supports
didas the client ID scheme so we restrict accordingly. -
The BCS Verifier is missing some mandatory client metadata. We use a parameter to override the metadata it sends to our wallet and replace it with predefined content.
verificationProtocol:
OPENID4VP_DRAFT20_SWIYU:
display:
en: "OpenID4VP draft 20 (SWIYU)"
de: "OpenID4VP draft 20 (SWIYU)"
order: 7
type: "OPENID4VP_DRAFT20_SWIYU" // New type with specific modifications
params:
public:
urlScheme: https
useRequestUri: true
verifier: // Needed for verifier instances
supportedClientIdSchemes: [did]
defaultClientIdScheme: did
holder:
supportedClientIdSchemes: [did] // Needed for wallet instances
redirectUri:
enabled: true
allowedSchemes: ["https"]
predefinedClientMetadata: // Predefine client metadata expected from the BCS Verifier
vp_formats:
dc+sd-jwt:
sd-jwt_alg_values: ["ES256"]
kb-jwt_alg_values: ["ES256"]
Data types
Notes for two data types:
OBJECT: this data type is currently incompatible with the Public Beta so the system is unable to support nested claims. Our Desk frontend takes this into consideration and disallows creating a schema with this data type. If you are not using the Desk you should consider this limitation.- Pictures: the Public Beta only supports JPEG with a particular encoding. To enable this we use a configured image data type:
datatype:
SWIYU_PICTURE: // Instance name must match this exactly
display:
en: "Picture (SWIYU)"
de: "Bild (SWIYU)"
type: "FILE" // Must be FILE type
order: 403
params:
public:
accept:
- image/jpeg // Only JPEG allowed
fileSize: 4194304
showAs: IMAGE
Keys, DIDs, and Revocation
No configuration modifications are needed.
Schemas
When using Procivis One as the issuer and verifier with the swiyu wallet, you can create whatever schemas you need as long as you are using the format and data types described above.
When using the BCS Issuer or Verifier, there is only one predefined schema:
the Beta-ID. In order to issue, hold, or verify the Beta-ID with the
Procivis One Desk you need to provide the system with the schema by
recreating it with the typical credential schema creation
workflow while setting the vct value
as a URN to betaid-sdjwt.
Users cannot set an external schema using the Desk; use the API directly.
If you are using the Procivis One Wallet or Verifier apps, the schema is already loaded.