SD-JWT (Selective Disclosure JSON Web Token) is a privacy-preserving extension to JSON Web Tokens (JWTs), developed by the Internet Engineering Task Force (IETF). It brings selective disclosure to the large JWT ecosystem already deployed across enterprise IT, allowing holders to reveal only specific claims from a credential while keeping the others hidden.
What problem does SD-JWT solve?
Traditional JWTs contain all their claims in a single signed package. When you present a JWT, the verifier sees everything it contains. This is problematic for privacy: if a credential contains your name, birthdate, address, and ID number, every verifier who checks it sees all of that data, even if they only need one piece of information.
SD-JWT addresses this by allowing the issuer to create a token where individual claims can be selectively disclosed. The holder receives the full credential but can present proofs that reveal only specific attributes, proving "I am over 21" without revealing the exact birthdate, for example.
How does SD-JWT work?
When an issuer creates an SD-JWT, it cryptographically blinds selected claims: each such claim is replaced in the signed payload by a salted hash. The holder receives the blinded token together with "disclosures", the salted claim values that can reveal specific claims when needed.
At presentation time, the holder's wallet presents the SD-JWT with only the disclosures for the claims the verifier requested. The verifier checks the issuer's signature and confirms that each disclosed claim matches a hash in the token, but it cannot learn the blinded claims that were not disclosed.
SD-JWT+KB (SD-JWT with Key Binding) adds holder authentication, ensuring the credential is being presented by its rightful owner. The holder signs a challenge from the verifier with their bound key, proving they control the credential.
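The blinding and digest check described above, as an added example that is not code from the original article: the issuer replaces selected claims with SHA-256 digests of salted disclosures, the holder presents a subset, and the verifier recomputes the digests. The issuer's JWT signature over the payload is assumed to be checked separately and is omitted; the claim names and values are constructed.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    # base64url without padding, as SD-JWT uses for disclosures and digests
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_disclosure(name: str, value) -> str:
    # Disclosure = base64url(JSON([salt, claim_name, claim_value])); the random salt
    # blinds the claim so its digest cannot be brute-forced from guessed values.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode())

def digest(disclosure: str) -> str:
    # The signed payload carries only this digest, never the claim itself
    return b64url(hashlib.sha256(disclosure.encode()).digest())

def issue(claims: dict, sd_names: set):
    """Return (payload, disclosures): claims in sd_names are replaced by digests in _sd."""
    payload = {k: v for k, v in claims.items() if k not in sd_names}
    disclosures = {k: make_disclosure(k, claims[k]) for k in sd_names}
    payload["_sd"] = sorted(digest(d) for d in disclosures.values())  # sorting hides claim order
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures  # the issuer would now sign `payload` as a JWT (omitted)

def present(disclosures: dict, reveal: set) -> list:
    # The holder sends only the disclosures the verifier asked for
    return [disclosures[k] for k in reveal]

def verify(payload: dict, presented: list) -> dict:
    """Recompute each presented disclosure's digest, require it in _sd, return revealed claims."""
    # Verifying the issuer signature on the JWT would come first (omitted here).
    revealed = dict(payload)
    sd = set(revealed.pop("_sd", []))
    revealed.pop("_sd_alg", None)
    for d in presented:
        if digest(d) not in sd:
            raise ValueError("disclosure does not match any digest in _sd")
        _salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        revealed[name] = value
    return revealed

if __name__ == "__main__":
    # Constructed sample credential: only given_name is revealed to this verifier
    claims = {"iss": "https://issuer.example", "given_name": "Alice", "birthdate": "1990-01-01"}
    payload, disc = issue(claims, {"given_name", "birthdate"})
    print(verify(payload, present(disc, {"given_name"})))
```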
Why does enterprise adoption matter?
JWTs are already ubiquitous in enterprise IT. Virtually every modern web application, API, and identity system uses JWTs for authentication and authorization. By extending JWTs with selective disclosure, SD-JWT enables privacy-preserving credentials without requiring organizations to adopt entirely new infrastructure.
Many platforms already support JWT libraries, making the implementation barrier low. An active IETF working group ensures ongoing evolution and interoperability. SD-JWT is also actively supported in the European Union's EUDI Wallet program, signaling strong international adoption.
What are the limitations?
SD-JWT has limited expressive power compared to W3C Verifiable Credentials; it is primarily designed for issuer-to-verifier flows rather than complex, multi-credential scenarios. Interoperability depends on well-defined profiles that constrain SD-JWT's flexibility.
The format is also still emerging in production-scale deployments compared to ISO mDL. It requires policy guardrails and rigorous wallet enforcement to stop verifiers from requesting unnecessary attributes, which would otherwise lead to over-disclosure.