Overview

What TCS does for you

1. Wraps the protocol stack. TCS handles the credential issuance and verification protocols so you call REST endpoints, not spec code. Under the hood that is OID4VCI, OID4VP, SD-JWT VC, DPoP, JWK proofs, and nonce management — terms defined in Standards & Interoperability. You never construct a DPoP proof or resolve a DID by hand.

2. Provides a Trust Anchor and Governance Layer. A built-in Trust Registry answers who is allowed to issue and a built-in Schema Registry answers what a valid credential looks like. Most toolkits leave this to you. TCS makes it part of the platform.

3. Ships standards-conformant out of the box. Issuance and verification are tested against the OpenID Foundation conformance suite. The credential format is IETF SD-JWT VC (dc+sd-jwt). HAIP-compatible profiles supported via ES256 + X.509.

---

Who it’s for

Verifiers — financial institutions, regulated businesses, government services — accept verified identity, KYC, or qualification credentials from any TCS-connected issuer through a single API call, without rebuilding your own verification stack or auditing each upstream issuer one by one. The Trust Registry tells you which issuers are vetted; you receive the result of a verified presentation.

Issuers — credential authorities, employers, schools, certifying bodies — sign and deliver credentials your end users can hold and present elsewhere, without writing OID4VCI / SD-JWT code yourself.

System integrators and developers — wire issuer or verifier flows into an existing product through clean REST endpoints, without reading 600 pages of OAuth and SD-JWT specs.

---

Two operating modes

• Custodial mode (recommended) — TCS runs the Holder Service as a general-purpose cloud wallet management service exposed via REST API. Your backend orchestrates Issuer + Holder + Verifier through TCS APIs on behalf of end users, without writing any wallet-protocol code. Most TCS deployments run this way.
• Non-custodial mode — Holders use their own standards-compliant wallet apps; TCS only runs the issuance and verification surface. Pick this when you’ve already implemented OID4VCI / OID4VP yourself or you’re integrating with an established external wallet ecosystem.

The mode decides only who plays the Holder role — everything else is shared. See Custodial vs Non-Custodial Mode for the full comparison.

---

Standards & conformance

Area	Standard
Issuance	OID4VCI v1
Presentation	OID4VP v1
Credential format	IETF SD-JWT VC (dc+sd-jwt)
Token binding	DPoP (RFC 9449)
HAIP profile	ES256 + X.509 supported
Selective disclosure	SD-JWT _sd mechanism

See Standards & Interoperability for the full picture.

---

Where to go next

Read these in order

1. Thinking in IHV Model — the mental model: who plays what role in a credential exchange, and which TCS service serves each role.
2. Quick Start — issue your first credential in 5 minutes.
3. Pick the integration guide that matches your role: Issuer, Verifier, or set up Trust & Schemas first.