.png)
In late April 2026, Google added Aadhaar Verifiable Credentials to Google Wallet for India. Around the same time, Chrome 141 and iOS 26 both shipped the W3C Digital Credentials API, and the EU confirmed its end-of-year deadline for every member state to have a wallet in citizens' hands. The announcements came from different companies with different motivations, but they are converging pieces of the same infrastructure shift.
Google Wallet and Aadhaar
On April 28, 2026, Google rolled out Aadhaar Verifiable Credentials in Google Wallet, built through its partnership with UIDAI. The feature does more than spare users from carrying a physical card.
The integration uses the W3C Verifiable Credentials model and ISO/IEC 18013-5, the same standard that underpins mobile driving licenses globally. Credentials are stored encrypted on-device rather than on Google's servers. The feature uses selective disclosure: if a cinema needs to verify age, the user shares only that attribute, not their full Aadhaar number or address. This is in line with India's Digital Personal Data Protection Act, which has shaped how government-issued credentials can be shared digitally.
Early partners include PVR INOX for age verification, BharatMatrimony for verified profiles, and Atlys for auto-filling international visa applications. Mygate and Snabbit have announced support for gig economy and residential society use cases. The partner list is less interesting than the base: Aadhaar enrollment covers close to the entire adult population of India. Digital credentials now have distribution at a scale no other rollout has reached.
The same announcement also expanded Google Wallet's passport-based ID passes to Singapore, Brazil, and Taiwan, alongside existing support for the US and UK.
Apple's Digital ID and the DC API
.png)
Apple shipped Digital ID in iOS 26 (September 2025), letting US passport holders store a cryptographically verified ID in Apple Wallet. It works at over 250 TSA checkpoints for domestic flights. Apple has since extended it to age verification for app downloads and account creation. The underlying format is mdoc (ISO/IEC 18013-5), with selective disclosure so only the fields needed for a given check are transmitted.
The move that matters more for web developers was Apple's support for the W3C Digital Credentials API (DC API), also announced at WWDC 2025. With that, any iOS Safari user can share verified credentials from their wallet to a website through a standardised browser flow, without installing anything or switching apps. Apple was the second major platform to ship this, after Chrome reached general availability with version 141 in October 2025. Both major mobile ecosystems now support the API.
Before the DC API existed, presenting a credential from a wallet to a website meant either a QR code scan or a custom URL scheme. Custom schemes have real problems: on iOS, multiple apps can register shared schemes like mdoc-oid4vp:// with no way for the website to know which wallet will handle the request, and the last app installed for a given scheme wins. The DC API replaces this with a browser-mediated flow. Wallets register with the OS declaring what credential types they support by docType, and when a request comes in the user sees a selector showing only the matching wallets and credentials they hold. The site declares what it needs, the browser handles wallet selection, and the user approves before anything is shared. The browser also passes the verified requesting origin to the wallet, so phishing via a lookalike site is much harder to pull off.
For cross-device flows (a laptop browser requesting a credential held in a phone wallet), a QR code scan is still involved, but what happens after the scan is different. The browser uses the CTAP 2.2 hybrid flow to establish a secure tunnel between the browser and the device where the wallet is installed, the same flow used by WebAuthn and passkeys. The BLE proximity check means the phone and laptop need to be physically near each other, which shuts down relay attacks where someone intercepts a QR code and reuses it from a different location. The credential payload itself travels via the chosen presentation protocol (OpenID4VP or ISO 18013-7), with CTAP handling only the device pairing and proximity assurance
The EU Digital Identity Wallet
Every EU member state must provide citizens with a European Digital Identity Wallet by the end of 2026. eIDAS 2.0 sets this as a hard legal deadline. By December 2027, banks, payment providers, and other regulated industries must accept it as a valid method of identity verification.
The EUDI Wallet will let EU citizens store government-issued credentials, professional qualifications, health records, and more, then present them across borders with legal equivalence. ENISA signed a contribution agreement in February 2026 for EUR 1.6 million to support national certification schemes. Several member states are in active development: Malta is building a national wallet app, Ireland completed a 500-person civil servant pilot and is drafting legislation to give digital credentials legal status, and Denmark is building an eIDAS-compatible wallet on top of its existing MitID system.
The architecture follows the same pattern as Google and Apple: credentials on device, selective disclosure, standardised formats. The difference is that in Europe it is infrastructure the public sector is legally required to provide and the private sector is legally required to accept.
Mobile driving licenses
Mobile driving licenses based on ISO/IEC 18013-5 have moved well past the pilot stage in the US. As of early 2026, 21 states plus Puerto Rico have active programs that the TSA accepts at checkpoints. Around 41% of Americans live in states with live mDL programs, and about 76% live in states with programs either active or in development. New York reported over 200,000 enrollments in Mobile ID as of March 2025.99
Internationally, the EU Parliament approved a European digital driving license in October 2025, using ISO/IEC 18013-5 as the technical baseline. Australia, South Korea, and several Gulf states have active programs.
A second edition of ISO/IEC 18013-5 is in the ballot process, with publication expected by Q3 2026. The update matters for cross-jurisdiction interoperability and is what the EUDI Wallet depends on for proximity use cases.
The DC API
The Digital Credentials API is the piece that makes credential presentation work on the web regardless of which wallet or issuer is involved, so it is worth going through how it actually works.
The W3C Federated Identity Working Group published the first public working draft in July 2025. Chrome 141 shipped it enabled by default in October 2025, with iOS 26 adding Safari support at the same time. It could reach Candidate Recommendation status in 2026 or 2027, timed roughly with the EUDI Wallet rollout.
The API call itself is straightforward: a website calls navigator.credentials.get() with a credential request, the browser identifies which wallets on the device can satisfy it, the user picks one and approves, and the browser returns a cryptographically signed response. The protocol underneath does not matter to the API. It works with mdoc, W3C VCs, and SD-JWT VCs. The registry of supported protocols sits outside the API spec so it can grow without requiring browser updates.
How digital credentials fit alongside passkeys
.png)
Digital credentials and passkeys solve different problems. Passkeys handle account authentication: you prove you are the account holder for a given service. Digital credentials handle identity claims: you prove you are a specific person, or that you meet an age or eligibility threshold. We covered this relationship in depth in Digital credentials explained: how they complement passkeys in modern authentication.
In practice they combine well. A user authenticates to a service with a passkey. If that service then needs identity verification or an age check, it uses the DC API to request a verifiable credential from the user's wallet. The user approves, the service receives cryptographic proof, and no raw identity data needs to be stored. This matters most for financial services onboarding, age-gating, and cross-border KYC flows where re-verifying a user from scratch each time is expensive and slow.
Where things stand
Google, Apple, and the EU have all shipped or committed to their respective credential infrastructure. The browser API now has coverage across both major mobile ecosystems, and Aadhaar's integration puts the standards-based credential model in front of a billion-plus Android users.
The remaining gap is verifier adoption: how many services actually request credentials. The early India integrations (cinemas, travel apps, matrimony platforms) and TSA acceptance in the US show the pattern. One use case at a time, until checking a credential becomes as routine as tapping to pay.
.svg)
.avif)
.avif)
