mDoc in one minute: the DocType
The DocType is a string, defined by ISO 18013-5, that names the kind of document the credential represents. It’s the credential’s type identifier: a verifier reading an mDoc looks at itsdocType field to know what kind of document it is, what namespaces and fields to expect, and how to interpret them. Two mDocs with the same DocType are the same kind of document.
The convention is reverse-DNS — but unlike SD-JWT’s VCT, this is a bare string, not a URL: it never resolves to anything; it’s just an identifier.
The DocType is the bridge between everyone who touches the credential:
- The preset declares the DocType in its
templateType. - The issued credential carries the DocType in its
docTypefield. - The presentation request uses the DocType in
templateCredentials[].typeto filter the holder’s wallet down to credentials of the right kind.
<author> and <code> — you supply it explicitly at preset creation. The convention is reverse-DNS:
The shape, end to end
Identifier and metadata
The shared metadata fields (id, author, code, templateName, templateDescription, credentialFormat) are documented on the credential presets intro. The fields specific to mDoc are below.
templateType (the DocType)
The DocType for this preset (see mDoc in one minute). Author-supplied; not derived.
issuerConfig
Always certificate-based; mDoc has no DID option:
keyType (P-256 or Ed25519) narrows the selection to a specific algorithm. ISO 18013-5 mDLs in practice require P-256; verifier compatibility for other key types depends on the verifier.
The platform picks an active certificate from the tenant’s certificate pool that matches keyType. Manage the pool through the Certificates API.
validUntil
How long the issued credentials remain valid. Required (not optional, unlike SD-JWT) and capped at 365 days:
There’s no
start field — mDoc validity is always counted from issuance.
templateAttributes: the namespaced fields
mDoc credentials carry their attributes inside namespaces. The outer key of templateAttributes is a namespace; each namespace has a properties map of attribute name → definition.
mDoc has no
alwaysDisclosed field — its selective-disclosure mechanism works at presentation time via the verifier’s intentToRetain flag rather than per-attribute settings on the credential.
mDoc also has no nested object types. The namespace is the grouping mechanism; if you need finer-grained grouping, declare a second namespace.
What happens at issuance time
When an issuer issues a credential against the preset, the platform uses its structure directly:- The issuer calls the issuance endpoint with
presetIdand anattributesmap of namespace → values. - The platform validates the attributes against
templateAttributes: required fields must be present, types must match, namespaces and keys must be declared. - It produces an mDoc credential with the preset’s
templateTypeas the DocType, signed by the matching certificate from the tenant’s pool, with the validity window fromvalidUntil. - The credential is offered to the holder’s wallet, where they can accept it.
- Once accepted, the credential lives in the wallet, ready to be used in any presentation request that asks for credentials of this DocType from a trusted issuer.

