--- url: 'https://www.corbado.com/blog/apple-mdoc-support' title: 'Apple mDoc Support: iOS 26 enables ID Verification' description: 'Apple''s mDoc support arrives with the digital ID in iOS 26. Understand its strategic impact on W3C VCs and wallets & what it means for your business.' lang: 'en' author: 'Vincent Delitz' date: '2025-06-17T11:13:36.387Z' lastModified: '2026-03-27T07:01:34.463Z' keywords: 'apple digital credentials, mdoc support, macos mdoc, digital ID iOS 26, Apple mdoc, ios mdoc' category: 'Authentication' --- # Apple mDoc Support: iOS 26 enables ID Verification ## Key Facts - **iOS 26** enables websites to request verified digital IDs directly from Apple Wallet via Safari, using the W3C Digital Credentials API and the ISO 18013-5 mdoc standard. - **Selective disclosure** lets users share only required data fields like 'over 21' instead of their full ID, preserving privacy at the protocol level. - The **Digital Credentials API** calls `navigator.credentials.get()`, triggers a native biometric consent prompt and releases only the requested attributes to the requesting website. - Apple's prioritization of ISO 18013-5 creates a **dual-format ecosystem**: mdoc for government-issued IDs and W3C Verifiable Credentials for diplomas, employee badges and event tickets. - **Apple Wallet** holds a native integration advantage, compelling third-party wallet providers to rely on alternative protocols like OpenID4VP via universal links. ## 1. What Is Apple's mdoc Support in iOS 26? At [WWDC25](https://www.corbado.com/blog/wwdc25-passkeys-os26), Apple announced official support for mobile documents (mdocs) through the [Digital Credentials API](https://www.corbado.com/blog/digital-credentials-api), enabling websites to request and verify a user's **digital ID in iOS 26** directly from Safari. This brings **Apple's digital credentials**, compliant with the [ISO 18013-5](https://www.corbado.com/glossary/iso-18013-5) standard, to the web for secure, user-consented [identity verification](https://www.corbado.com/blog/digital-identity-guide). This update represents a major catalyst for the [digital identity](https://www.corbado.com/blog/digital-identity-guide) ecosystem. For years, online [identity proofing](https://www.corbado.com/blog/digital-identity-guide) has been plagued by friction, privacy risks, and fraud. By integrating standardized **Apple digital credentials**, the new framework streamlines verification for use cases like age checks, enterprise logins, and customer onboarding. This article breaks down what **Apple's mdoc support** means for developers and businesses, how it works at a high level, and how to prepare for its arrival in [iOS 26](https://www.corbado.com/blog/ios-26-passkeys). ## 2. The Core Technology: Understanding mDocs and Digital Credentials At the heart of this new identity paradigm is the **mdoc (mobile document)**, a standardized format for [digital identity](https://www.corbado.com/blog/digital-identity-guide) credentials stored in Apple [Wallet](https://www.corbado.com/blog/digital-wallet-assurance), such as a mobile Driver's License (mDL) or a corporate ID. A key feature of the [mdoc](https://www.corbado.com/glossary/mdoc) standard is **selective disclosure**, which allows users to share only the specific data fields required for a transaction (e.g., just "over 21") instead of their entire ID. This privacy-preserving capability is defined by the **ISO 18013-5** and **ISO 18013-7** standards, which govern how [mdocs](https://www.corbado.com/glossary/mdoc) are structured, secured, and presented online. ![mDocs-and-digital-credentials-flow.png](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/m_Docs_and_Digital_Credentials_flow_8d614ca08a.png) ## 3. How the Digital Credentials API Works in iOS 26 Safari The W3C [Digital Credentials API](https://www.corbado.com/blog/digital-credentials-api) serves as the bridge between websites and the user's Apple [Wallet](https://www.corbado.com/blog/digital-wallet-assurance). When a website needs to verify a user's identity, it no longer requires a custom app or redirects. Instead, the process is orchestrated by the browser. The typical verification flow is as follows: 1. **Request Initiation**: A website or web app calls the JavaScript API (`navigator.credentials.get()`) to request a specific credential, such as proof of age from an [mDL](https://www.corbado.com/blog/mobile-drivers-license). 2. **System Hand-Off**: [iOS 26](https://www.corbado.com/blog/ios-26-passkeys) intercepts this call and invokes the native Apple [Wallet](https://www.corbado.com/blog/digital-wallet-assurance) interface. 3. **User Consent**: The user is presented with a secure, OS-level prompt showing exactly which information is being requested (e.g., "This site is requesting your age verification"). The user must authenticate with [Face ID](https://www.corbado.com/faq/is-face-id-passkey) or Touch ID to consent. 4. **Secure Data Transfer**: Upon consent, the wallet releases only the requested data to the browser, which is then passed to the website for verification. This entire flow is designed to be secure and seamless, eliminating the need for users to upload physical ID photos or fill out forms. ![apple mdoc verification flow](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/apple_mdoc_verification_flow_ffc620915d.png) ## 4. Why Apple's mdoc Support is a Game-Changer ### 4.1 For Businesses & Developers - **Reduced Friction & Higher Conversion**: Drastically simplifies onboarding and verification processes. - **Enhanced Security & Fraud Reduction**: Relies on cryptographically signed credentials from trusted [issuers](https://www.corbado.com/glossary/issuer) (e.g., DMVs), minimizing the risk of fake IDs. - **Simplified Compliance**: Requesting only necessary attributes helps meet data minimization requirements under regulations like GDPR and CCPA. - **Interoperability**: Built on global standards (W3C, ISO), ensuring compatibility across platforms that adopt them. ### 4.2 For Users - **Full Control & Privacy**: Users explicitly consent to every data share. - **Convenience**: Eliminates the need to carry physical cards or manually enter identity information. - **Enhanced Security**: Reduces the risk of data over-sharing and [phishing](https://www.corbado.com/glossary/phishing) attacks. ## 5. Preparing for Apple Digital Credentials in your Web App While the deep technical implementation is covered in our guide to the [Digital Credentials](https://www.corbado.com/blog/digital-credentials-api) API, developers and product managers should start preparing now. Here are the key strategic steps: 1. **Identify Use Cases**: Pinpoint processes in your user journey that currently rely on manual [identity verification](https://www.corbado.com/blog/digital-identity-guide) (e.g., account creation, age-gated content, high-value transactions) and would benefit from instant, high-assurance [digital ID](https://www.corbado.com/blog/digital-identity-guide) checks. 2. **Review Data Needs**: Audit the identity attributes you currently collect. With **Apple's mdoc support**, plan to transition to requesting only the minimal data required for each transaction. 3. **Educate Your Team**: Familiarize your development and compliance teams with the relevant standards, including **ISO 18013-5** for [mdocs](https://www.corbado.com/glossary/mdoc) and the **W3C Digital Credentials** framework. 4. **Plan for Backend Verification**: The credential returned by the API must be cryptographically verified on your backend to ensure its authenticity and integrity. Plan for the server-side logic required to process these credentials. ## 6. Strategic Impact on the Digital Identity Ecosystem Apple's decision to integrate [mDocs](https://www.corbado.com/glossary/mdoc) directly into the web via its native wallet has significant strategic implications for the broader [digital identity](https://www.corbado.com/blog/digital-identity-guide) landscape. ### 6.1 Impact on Credential Formats (mDoc vs. W3C VCs) By prioritizing `mdoc` (ISO 18013-5), Apple establishes it as the primary standard for verifiable [government](https://www.corbado.com/passkeys-for-public-sector)-issued IDs (like driver's licenses) on the web. This gives the `mdoc` format enormous momentum for official identity use cases. However, this doesn't diminish the role of other formats like **W3C Verifiable Credentials (VCs)**, often based on `SD-JWT` or `JWT-VC`. These formats are critical for non-governmental credentials such as university diplomas, employee badges, or event tickets. The `Digital Credentials API` itself is designed to be extensible, meaning it could support these other formats in the future. The immediate result is a dual ecosystem: `mdoc` for official IDs, and other VC formats for the rest, all potentially accessible through the same underlying web standard. ### 6.2 Impact on Third-Party Wallet Providers The native integration gives **Apple Wallet** a distinct advantage, making it the default and most seamless option for users on [iOS](https://www.corbado.com/blog/webauthn-errors). This presents a challenge for third-party wallet apps. While the API could theoretically allow users to choose a different default wallet, the native OS experience is hard to compete with. Third-party providers will likely need to rely on alternative protocols like [OpenID4VP](https://www.corbado.com/glossary/open-id-4-vp) initiated via universal links, which may result in a less integrated user experience (e.g., requiring app switching). This move solidifies Apple [Wallet's](https://www.corbado.com/blog/digital-wallet-assurance) central role, compelling other providers to differentiate through specialized features, enterprise solutions, or by focusing on credential types not yet prioritized by Apple. ## 7. Conclusion: The Future of Digital Identity is here **Apple's mdoc support in iOS 26** is more than an API. It's a shift toward a more secure, private and user-centric internet. By embracing open standards, Apple has paved the way for a future where verifiable [digital credentials](https://www.corbado.com/blog/digital-credentials-api) replace outdated and insecure methods of [identity verification](https://www.corbado.com/blog/digital-identity-guide). For businesses, this is an opportunity to build next-generation user experiences based on trust and transparency. Start exploring how **Apple digital credentials** can transform your services today. ## Frequently Asked Questions ### How does the iOS 26 Digital Credentials API verification flow work step by step? A website calls `navigator.credentials.get()`, which iOS 26 intercepts to invoke the native Apple Wallet interface. The user sees an OS-level prompt listing exactly which data is requested and must authenticate with Face ID or Touch ID to consent. Only the specific requested fields are then released to the website. ### What is the difference between mdoc and W3C Verifiable Credentials in the Digital Credentials API? Apple's implementation prioritizes mdoc (ISO 18013-5) as the standard for government-issued IDs like driver's licenses. W3C Verifiable Credentials using SD-JWT or JWT-VC formats remain critical for non-governmental credentials like university diplomas, employee badges or event tickets. The Digital Credentials API is designed to be extensible and could support both formats. ### How does Apple Wallet's native mDoc support disadvantage third-party digital wallet providers? Apple Wallet becomes the default and most seamless option for iOS users, making it difficult for third-party providers to compete on user experience. Third-party wallet apps must rely on alternative protocols like OpenID4VP initiated via universal links, which can require app switching and produce a less integrated verification experience. ### What backend work do developers need to do to support Apple digital credentials from iOS 26? The credential returned by the Digital Credentials API must be cryptographically verified on the server to confirm its authenticity and integrity. Developers should also audit which identity attributes are strictly necessary per transaction, since the ISO 18013-5 mdoc framework is designed around requesting only minimal required data for each use case.