| Internet-Draft | Delegate SD-JWT | April 2026 |
| Oliver | Expires 23 October 2026 | [Page] |
This document specifies an extension to Selective Disclosure JSON Web Tokens to support further delegation from the Holder to a Delegate Holder. This is done by allowing the Key Binding JWT to also be an SD-JWT, optionally with its own Key Binding. This has particular applicability to Agentic systems.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 23 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
This is an extension to SD-JWTs [RFC9901], to allow for the creation and delegation of new credentials using an existing SD-JWT+KB.¶
SD-JWT provides a mechanism for ensuring minimal disclosure in a three party model. This allows an intermediary party (the Holder) to choose to remove claims when only a subset is needed by a verifier. Additionally SD-JWT+KB allows for proof of possession by the Holder using the cnf claim. The Verifier need only trust the Issuer and its policy regarding the cnf key to trust the resulting presentation.¶
This is achieved using a composite structure of an Issuer-Signed JWT containing salted hashes and associated optional disclosures that can be omitted by the Holder. An optional KB-JWT containing transaction-specific data and signed by the private key cnf key is used to provide cryptographic key binding.¶
While it is possible for a Verifier to forward and further down-scope a SD-JWT, it is not able to prove that it was the recipient of the original SD-JWT+KB presentation, nor is it able to downscope parts of the transaction data, which may be relevant for privacy reasons.¶
This capability is useful for a ‘delegation’ model, where the Holder delegates further presentations of the SD-JWT+KB to a Delegate Holder. Additionally, the Holder should be able to provide additional (optionally disclosable) claims as part of the Delegation.¶
One example usecase is to delegate to an AI agent the ability to perform purchases on the users behalf, along with constraints on valid fulfillment conditions. The AI Agent can then prove to a merchant that it has been authorized to perform a purchase at this merchant on a Holders behalf, without revealing what other merchants may have been able to fulfill this purchase.¶
The approach taken here is to extend te KB-JWT so that it can be used as the start of a new SD-JWT or SD-JWT+KB, linking the resulting SD-JWT to the original one.¶
This specification defines extensions to the SD-JWT and SD-JWT+KB formats:¶
dSD-JWT which is a composite structure consisting of an SD-JWT and a Key Binding SD-JWT. The KB-SD-JWT signs over a delegate JSON Payload with zero or more disclosures.¶
dSD-JWT+KB which extends dSD-JWT to include Key Binding, allowing the Delegate Holder to prove proof of possession.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].¶
This specification uses the terms "Disclosure", "Selectively Disclosable JWT (SD-JWT)", "Key Binding", "Key Binding JWT (KB-JWT)", "Selectively Disclosable JWT with Key Binding (SD-JWT+KB)" defined by [RFC9901].¶
Delegated SD-JWT(dSD-JWT): A composite structure consisting of an SD-JWT and a Key Binding SD-JWT (KB-SD-JWT). It acts as a chain of SD-JWTs where the Key Binding of the previous SD-JWT is used to sign the new one, allowing the Verifier to link presentations back to the initial Issuer.¶
Delegated SD-JWT with Key Binding (dSD-JWT+KB): An extension of the dSD-JWT that includes a final Key Binding JWT (KB-JWT). This allows the Delegate Holder to demonstrate proof of possession of the dSD-JWT.¶
Key Binding SD-JWT (KB-SD-JWT): An alternative format for a KB-JWT used to secure a nested, selectively disclosable JSON object (the Delegate Payload). It serves as the KB-JWT for the preceding SD-JWT in a chain.¶
Key Binding SD-JWT+KB (KB-SD-JWT+KB): A specific type of KB-SD-JWT where the typ parameter is set to "kb+sd-jwt+kb". This type requires the Delegate Payload to include a cnf claim.¶
Delegate Payload: A JSON object (which may be nested and selectively disclosable) over which the KB-SD-JWT signs. In a dSD-JWT+KB, this payload MUST include a cnf claim to establish the Delegate Holder's key.¶
Issuer: An entity that creates the initial SD-JWT.¶
Holder: An entity that receives the initial SD-JWT from the Issuer and has control of it. They may present the SD-JWT to a Verifier directly or delegate it to a Delegate Holder.¶
Delegate Holder: An intermediary entity to whom the original Holder delegates the SD-JWT. The Delegate Holder can perform further presentations or delegations of the SD-JWT.¶
Verifier: An entity that requests, checks and extracts the claims of the SD-JWT or dSD-JWT.¶
Delegation: Delegation in this document refers to a Holder or Delegate Holder presenting a credential to a Delegate Holder for the purpose of further presentation.¶
+----------------------------------------+
| |
| Issuer |
| |
+----------------------------------------+
|
Issues SD-JWT+KB and
all Disclosures
|
v
+----------------------------------------+
| |
| Holder |
| |
+----------------------------------------+
|
Delegates SD-JWT+KB,
selected Disclosures and
Payload to create a
dSD-JWT or dSD-JWT+KB,
including all new disclosures
|
v
+----------------------------------------+
| |
| Delegate Holder(s) |
| |
+--+-------------------------------------+
| | |
+---+---+-----------------------------+
| |
+---+-----------------------------+
|
Presents dSD-JWT or
dSD-JWT+KB and selected
Disclosures
|
v
+----------------------------------------+
| |
| Verifier(s) |
| |
+--+-------------------------------------+
| | |
+---+---+-----------------------------+
| |
+---+-----------------------------+
At a high level, a dSD-JWT acts as a chain of SD-JWTs where the KB-JWT in the proceeding SD-JWT+KB fulfills the role of the Issuer-JWT for the next. This allows the Verifier to know the full chain that the dSD-JWT went through and link the presentations back to the initial Issuer while preserving the principles of Data Minimization.¶
An dSD-JWT has two different sets of Selective Disclosures:¶
A Delegate Holder may always choose to include or omit selective disclosures from the Delegate Payload. If the Holder wishes to allow the Delegate Holder to omit selective disclosures from the proceeding SD-JWT it MUST omit the sd_hash claim from the KB-JWT and include the issuer_jwt_hash claim instead.¶
Keybinding is required for the initial SD-JWTs and all KB-SD-JWTs except the final one. It is optional for key binding to be used for the final KB-SD-JWT. When it is used, the Delegate Holder’s public key information is included in the Delegate Payload of the final KB-SD-JWT. This allows the Delegate Holder to create a KB-JWT in future presentations using the private key associated with the included public key, demonstrating proof of possession.¶
At a high level verification works as follows:¶
cnf claim of the previous SD-JWT is used.¶
A dSD-JWT with a single delegation is composed of:¶
A dSD-JWT+KB with a single delegation is composed of:¶
A dSD-JWT or dSD-JWT+KB with multiple delegations is composed of:¶
The dSD-JWT format extends the existing SD-JWT+KB format as follows:¶
<SD-JWT>~~<KB-JWT>~<Delegated Disclosure 1>~...~<Delegated Disclosure M>~¶
The <KB-JWT> along with its disclosures is called a KB-SD-JWT.¶
The dSD-JWT+KB format further extends the dSD-JWT format by appending a delegate KB-JWT:¶
<SD-JWT>~~<KB-SD-JWT>~<delegate KB-JWT>¶
This can be chained by replacing the KB-JWT with another KB-SD-JWT instead:¶
<SD-JWT>~~<KB-SD-JWT 1>~...~<KB-SD-JWT n>~<delegate KB-JWT>¶
To process a dSD-JWT or a dSD-JWT+KB, the string is split on ~ as usual. The resulting array of components MUST have an empty component between the last disclosure of each SD-JWT before the following KB-SD-JWT. The following KB-SD-JWT is then used as the KB-JWT for the proceeding SD-JWT.¶
dSD-JWT+KB and dSD-JWT formats are differentiated by a trailing ~ for dSD-JWT.¶
For both the General and Flattened JSON Serialization, the dSD-JWT or dSD-JWT+KB is represented as a JSON object. The only change in encoding is to the format of the kb-jwt in the unprotected header, which now MUST conform to the general or flattened JSON serialization of an sd-jwt.¶
The delegate payload disclosure is an Array disclosure, which is the base64urlencoding of [salt, JSON Object Payload].¶
The Disclosure Payload MUST follow all rules for the payload of the Issuer-signed JWT specified in [RFC9901] Section 4.1.¶
The Delegate Disclosures are created as per [RFC9901] Section 4.2.¶
The Delegate KB-JWT is a KB-JWT as per [RFC9901] Section 4.3 except that sd_hash, when present, is calculated over the proceeding SD-JWT or KB-SD-JWT and its associated disclosures.¶
This specifies two new extensions to the KB-JWT. The following additional parameter is include:¶
“delegate_payload”: An array of JSON Objects. If it contains more than one element then they MUST all be replaced with disclosures. During the presentation of a dSD-JWT from a Delegate Holder to a Verifier exactly one of these MUST be disclosed.¶
KB-SD-JWTs MUST conform to all the requirements of a KB-JWT and an SD-JWT except as listed below:¶
KB-JWT changes:¶
The typ parameter value MUST be replaced with "kb+sd-jwt" for a KB-SD-JWT, and "kb+sd-jwt+kb" for a KB-SD-JWT+KB.¶
typ is KB-SD-JWT+KB then the Delegate Payload MUST include a cnf claim.¶
sd_hash parameter is OPTIONAL. If it is not present it MUST instead include a issuer_jwt_hash parameter that hashes over only the proceeding Issuer-signed jwt or KB-SD-JWT+KB and not any disclosures.¶
When calculating the sd_hash it is calculated from the proceeding Issuer JWT or KB-SD-JWT+KB.¶
SD-JWT changes:¶
_sd_hash payload MUST instead be claims in the Delegate Payload.¶
To perform verification of an dSD-JWT or dSD-JWT+KB the following steps must be followed.¶
Split the dSD-JWT into its component SD-JWTs¶
For each KB-SD-JWT except the final one:¶
delegate_payload array.¶
sd_hash claim is present, calculate the digest over the proceeding SD-JWT or KB-SD-JWT and it's disclosures, as described in [RFC9901] Section 9.10.
d. Otherwise, verify that the issuer_jwt_hash is present and matches the base64url encoded digest of the proceeding Issuer signed JWT or KB-SD-JWT+KB.
e. Verify the typ in the JWT Payload is “kb-sd-jwt+kb”¶
For the final KB-SD-JWT:¶
If the credential is a dSD-JWT+KB and Key Binding is required¶
If any of the steps fail then the presentation is invalid and processing MUST be aborted. Otherwise the list of processed SD-JWT and Delegate Payloads MAY be passed to the application to be used for their intended purpose.¶
Presentation mechanisms that allow specfication of additional transaction data within the KB-JWT can be used to perform delegation. Below is a description of how this can be done using the OpenID4VP presentation protocol.¶
OpenId4VP [OIDF.OID4VP] specifies transaction_data within the request, which is included within the KB-JWT. To delegate an dSD-JWT or dSD-JWT+KB the transaction_type delegate MAY be used. The following additional parameters are included in the transaction_data object:¶
dSD-JWT or dSD-JWT+KB¶
The delegate payload MUST NOT contain any disclosures not provided in delegate_disclosures. The KB-JWT includes the digest of the delegate_payload in the delegate_payload claim of the KB-JWT. _sd_hash may use any hash algorithm specified for hashing the transaction_data. The Wallet MAY include additional decoy digests.¶
Multiple delegate transaction_data MAY be included in the same request. In that case, each MUST have their digest included in the delegate_payload.¶
Security Considersations as described in [RFC9901] also apply to delegate SD-JWTs. When the Holder is performing a delegation, they are acting as an Issuer of an SD-JWT and so all security considerations of an issuer apply to them.¶
It is critical that the Verifier verifies each KB-SD-JWT in the chain and ensures that it is bound to the proceeding Issuer JWT or KB-SD-JWT with the sd_hash or issuer_jwt_hash. Without verifying the binding in both directions a malicious Delegate Holder may mis-match parts of the chain if the Holder cnf is reused.¶
An Issuer or Holder that wishes to limit delegation MAY include such constraints as visible claims in the Issuer signed JWT or KB-SD-JWT+KB.¶
While traditional mechanisms of credential revocation can be used with delegate SD-JWTs, they present a practical challenge as, unlike a traditional Issuer, an individual Holder can not easily distribute revocation information to Verifiers.¶
Having a short exp and using claims to constraining the usage of the delegated SD-JWT limits this problem, as does cases where the Holder and the Delegate Holder are managed by the same entity.¶
The privacy considerations in [RFC9901] Section 10 also apply to Delegate SD-JWTs.¶
This specification requests registration of the following Claims in the IANA "JSON Web Token Claims" registry [IANA.JWT] established by [RFC7519].¶
issuer_jwt_hash¶
This section requests registration of the following media types [RFC2046] in the "Media Types" registry [IANA.MediaTypes] in the manner described in [RFC6838].¶
To indicate that the content is a Key Binding SD-JWT:¶
Additional information:¶
To indicate that the content is a Key Binding SD-JWT+KB:¶
Additional information:¶