TL;DR: EUDI wallets are shifting digital identity toward privacy-preserving credential presentation, but verification still depends on OAuth 2.0 for authorization and API control, according to Curity. The architecture matters because wallet adoption changes verifier identity, token design, and how enterprises separate authentication from authorization.
NHIMG editorial — based on content published by Curity: EUDI wallets, verifier identity, and wallet-ready security architecture
Questions worth separating out
Q: How should security teams integrate EUDI wallets with existing OAuth 2.0 architectures?
A: Security teams should place wallet verification ahead of token issuance and keep OAuth 2.0 as the authorization layer.
Q: Why do digital credentials not replace authorization controls in enterprise systems?
A: Digital credentials prove something about the subject, but they do not by themselves decide what that subject can do.
Q: What breaks when verifier identity is not governed in wallet-based flows?
A: Wallet-based flows break when the verifier is treated as a generic application instead of a trusted identity actor.
Practitioner guidance
- Separate verifier governance from application onboarding: define who can act as a verifier, what attributes they may request, and which registration evidence they must supply before any wallet interaction is enabled.
- Keep OAuth 2.0 as the authorization boundary: use wallet-verified attributes as input to token issuance, but continue to enforce audience, scope, and policy decisions in the authorization server.
- Externalize wallet protocol handling from apps: route OpenID4VCI and OpenID4VP handling through the identity layer so application and API teams do not carry credential exchange complexity in code.
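As an added illustration (not Curity's code, and not a real EUDI wallet or OAuth library), the constructed Python model below shows the first two boundaries from the guidance: a verifier registry that governs which registered verifier may request which attributes, and an authorization server policy that decides scopes from wallet-verified attributes instead of letting the credential itself grant access. Every name, attribute key, scope and policy rule here is an assumption made for the example.

```python
# Constructed model of the two boundaries in the guidance above; this is not
# Curity's code and no real wallet or OAuth library is used. All identifiers
# (verifier ids, attribute keys, scopes, audience) are invented for illustration.

# --- Boundary 1: verifier governance (who may ask a wallet for what) ---
# Constructed registry: verifier client id -> attributes it was approved to request
# during registration. An unregistered verifier gets nothing.
VERIFIER_REGISTRY = {
    "payroll-portal": {"given_name", "family_name", "age_over_18"},
}


def authorize_presentation_request(verifier_id: str, requested: set) -> set:
    """Allow a presentation request only from a registered verifier and only
    for the attributes that verifier was approved to request."""
    allowed = VERIFIER_REGISTRY.get(verifier_id)
    if allowed is None:
        raise PermissionError(f"unregistered verifier: {verifier_id}")
    excess = set(requested) - allowed
    if excess:
        raise PermissionError(f"{verifier_id} not approved for {sorted(excess)}")
    return set(requested)


# --- Boundary 2: the authorization server decides what the token may do ---
# Constructed policy: scope -> predicate over the wallet-verified attributes.
# The wallet proves attributes; the policy, not the credential, grants scopes.
SCOPE_POLICY = {
    "payslips:read": lambda a: a.get("age_over_18") is True,
    "contract:sign": lambda a: a.get("age_over_18") is True
    and a.get("employee_id") is not None,
}


def issue_token_claims(verified: dict, requested_scopes: set, audience: str) -> dict:
    """Turn wallet-verified attributes into access token claims. Scopes are
    granted only where policy is satisfied, and audience is always pinned."""
    granted = {s for s in requested_scopes
               if s in SCOPE_POLICY and SCOPE_POLICY[s](verified)}
    if not granted:
        raise PermissionError("no requested scope is satisfied by the verified attributes")
    return {
        "aud": audience,
        "scope": " ".join(sorted(granted)),
        # Only a curated subset of attributes becomes claims; the raw credential
        # payload never reaches the API token.
        "given_name": verified.get("given_name"),
        "age_over_18": verified.get("age_over_18"),
    }
```

Run against a verified attribute set lacking `employee_id`, the model grants `payslips:read` but withholds `contract:sign`, which is the point of keeping policy in the authorization server.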
What's in the full article
Curity's full article covers the operational detail this post intentionally leaves for the source:
- Protocol flow detail for OpenID4VCI and OpenID4VP issuance and presentation.
- How the authorization server consumes wallet attributes and converts them into access token claims.
- Examples of wallet-ready API architecture that keeps integration complexity out of application code.
- The verifier registration model for enterprises that want to consume wallet attributes.
Read Curity's analysis of EUDI wallets, verifier identity, and OAuth 2.0
EUDI wallets and verifier identity: what IAM teams need now?