A credential format that extends standard JWTs with selective disclosure capabilities, allowing holders to reveal only chosen claims, adopted as a core format for the EUDIW.
SD-JWT (Selective Disclosure JSON Web Token) is a credential format specified by the IETF that extends the widely used JSON Web Token (JWT) standard with built-in selective disclosure capabilities. In a standard JWT, all claims are visible to any party that receives the token. SD-JWT addresses this by hashing individual claims with unique salts during issuance; the holder then selectively reveals specific claims by providing the corresponding salt values, while other claims remain hidden as opaque hash values.
This enables privacy-preserving credential presentations without requiring advanced cryptographic techniques like zero-knowledge proofs. The Architecture Reference Framework for the EUDIW has adopted SD-JWT as one of the two mandatory credential formats (alongside mdoc). SD-JWT is particularly well suited for web-based and API-driven interactions, as it builds on the JSON and JOSE standards that are already ubiquitous in web development.
The format supports key binding, which ties the credential to a specific holder key, preventing credential transfer or theft. SD-JWT also supports batch issuance and can carry complex claim structures including nested objects and arrays. For developers and organisations building EUDIW integrations, SD-JWT is a practical and accessible format.
Its foundation on established web standards means that existing JWT libraries and infrastructure can be extended to support it, reducing implementation effort. When combined with OpenID4VC protocols, SD-JWT provides a complete stack for credential issuance and selective presentation. Organisations that already use JWTs for API authentication or identity federation will find SD-JWT a natural extension of their existing technology stack, making it an attractive option for early adoption of EUDIW-compatible credential handling.
Related Terms
Selective Disclosure
A privacy-enhancing capability that allows a credential holder to present only specific attributes from a credential rather than the entire dataset.
Digital Identity
OpenID for Verifiable Credentials (OpenID4VC)
A family of protocols built on OpenID Connect that standardise the issuance, presentation, and verification of digital credentials, adopted as the core protocol suite for the EUDIW.
Technical Standards
Architecture Reference Framework (ARF)
The technical specification document that defines the architecture, protocols, credential formats, and security requirements for the European Digital Identity Wallet ecosystem.
Technical Standards
mdoc (ISO 18013-5)
A CBOR-based credential format originally developed for mobile driving licences and adopted as a core credential format for the EUDIW, supporting offline verification and selective disclosure.
Technical Standards