MATTR mDocs Holder React Native

Table of Contents

• Licensing
• Features
• System requirements
• Getting started

Licensing

Request or download the MATTR Pi SDK Trial License Agreement and the MATTR Customer Agreement and review these terms.

Features

• Interface with an issuer to obtain an mDoc as per OpenID4VCI (OpenID for Verifiable Credential Issuance).
• Interface with a verifier and present an issued mDoc for verification/inspection:
  • In-person via Bluetooth as per ISO/IEC 18013-5:2021.
  • Remotely via internet connection as per ISO/IEC 18013-7:2024 and OID4VP.
• Generate, store and manage access to:
  • mDocs issued to an application integrating the SDK.
  • Device keys which are bound to issued mDocs.
• Manage lists of:
  • Trusted issuer certificates which issued mDocs can be validated against.
  • Trusted verifier certificates which are used to validate OID4VP (OpenID for Verifiable Presentations) authorization requests fetched as part of an mDoc retrieval flow.
• Use referenced Status lists to to check mDocs’ revocation status.

System requirements

iOS

Technology	Version
Xcode	16.4 or higher
iOS	15(*) or higher
iPhone	iPhone 6S or higher

• Although the SDK features require iOS 15 or higher, the minimum deployment target is set to iOS 13. This allows the app to launch on iOS 13 devices without crashing, provided that the SDK is not initialized.

Android

Technology	Version
Android Gradle Plugin	8.3.0
Gradle	8.3
Kotlin	1.9.0
JDK	17
Android min API level	24
Android target API level	34

React Native

Technology	Version
Node	v18 or higher
React Native	0.78.x or higher

SDK was tested with react-native 0.78.2, and 0.81.0.

Getting started

Get access

Refer to our SDK Docs landing page for step-by-step instructions to gain access to any of our SDKs.

Please reach out in case you need any assistance.

Install dependencies

1. Add the SDK as a dependency to your React Native app:

yarn add @mattrglobal/mobile-credential-holder-react-native
Copy

Linking the package manually is not required from React Native 0.60 and higher that supports Autolinking.

The SDK relies on the following peer dependencies:

• react
• react-native

Install pods (iOS)

Install the pods (via Cocoapods) to complete the linking.

npx pod-install ios
Copy

Register local Maven repository (Android)

The precompiled MATTR Mobile Credential Holder Android Native SDK is provided in the published NPM package.

To bundle the native libraries, append the following changes to the android/build.gradle script:

 allprojects {
   repositories {
     …
     google()
+    maven {
+      url = "$rootDir/../node_modules/@mattrglobal/mobile-credential-holder-react-native/android/frameworks"
+    }
   }
 }
Copy

Configure the SDK (Android)

Add the following activity to your app's android manifest:

    <application>
        ...
+       <activity
+           android:name="global.mattr.mobilecredential.common.webcallback.WebCallbackActivity"
+           android:exported="true"
+           android:label="@string/web_callback_activity_label" >
+           <intent-filter>
+              <action android:name="android.intent.action.VIEW" />
+               <category android:name="android.intent.category.DEFAULT" />
+               <category android:name="android.intent.category.BROWSABLE" />
+              <data android:scheme="${mattrScheme}"
+                   android:host="${mattrDomain}" />
+           </intent-filter>
+       </activity>
        ...
  </application>
Copy

This configuration allows your Android app to receive authentication results from the browser. The specified values are used to construct the URI that the SDK will use to redirect the user back to your app after they complete authentication with the issuer:

• mattrScheme : Can be any path that is handled by your application and registered with the issuer.
• mattrDomain : Can be any path, however our best practice recommendation is to configure this to be credentials, as the standard format for the redirect URI is {redirect.scheme}://credentials/callback.

The combination of these values ({mattrScheme}://{mattrDomain}/*) must exactly match a redirect URI that has been whitelisted for the OAuth client used to authenticate the holder. This is required for the SDK to successfully retrieve credentials.

Using with compatible MATTR SDKs

This SDK can be used in the same application with version 8.0.0 of the React Native mDocs Verifier SDK (mobile-credential-verifier-react-native).

Error handling

The SDK distinguishes between expected and unexpected errors to help you write clearer and more predictable code.

Expected errors are part of the normal operation of a function. In these cases, the SDK function will be wrapped in a Result object from the neverthrow library, with an explicit error type you can handle programmatically. Some functions do not have expected failure modes. When that’s the case, their return type will not be wrapped in a Result object. Although this pattern is more verbose, it encourages the handling of possible errors and reserves throwing exceptions for truly exceptional situations.

Unexpected errors represent bugs, SDK misuse, or system-level failures. In these cases the SDK will throw an exception which results in a rejected promise. Because the root cause is unknown or unrecoverable, we recommend handling them with a generic fallback strategy (e.g., showing an error screen or logging the issue) appropriate to your app’s context.

This separation ensures you know which errors to handle explicitly and which indicate deeper issues that need broader handling.

Example expected error handling

import { initialize } from "@mattrglobal/mobile-credential-holder-react-native";

const initializeWalletResult = await initialize();

if (initializeWalletResult.isErr()) {
  // Handle error from initializeWalletResult.error
  return;
}

const wallet = initializeWalletResult.value;
Copy

unwrap utility function

A utility function is provided for convenience if you decide not to handle your errors as results. This function will simply throw an error if the function passed in returns a Result where Result.isErr() is true.

import { unwrap } from "@mattrglobal/mobile-credential-holder-react-native";

try {
  const wallet = unwrap(await initialize());
} catch (error) {
  // Handle thrown error
}
Copy

Change Log

8.1.0

OID4VCI manual redirect support

This enhancement allows applications to implement the OpenID4VCI issuance workflow within embedded WebViews while maintaining full control over the redirect flow.

Applications can now:

1. Call the new createAuthorizationSession method to initiate the flow. This returns an AuthorizationSession object containing both the authorizeUrl and codeVerifier properties.
2. Load the returned authorizeUrl in a WebView to handle user authentication and consent.
3. After successful authentication, capture the redirect using the configured redirectUri, then extract the authorization code from the returned URL.
4. Complete the issuance workflow by calling the new retrieveCredentialsUsingAuthorizationSession method, passing in the AuthorizationSession and extracted authorization code.

Bug fixes

• Remove usage of const from enums: UserAuthenticationBehavior and UserAuthenticationType

iOS Platform

• Fixed an issue where the passcode fallback button was not displayed when biometric authentication failed and UserAuthenticationType was set to .biometricOrPasscode.
• Fixed an issue where calling addCredential with a credential that could not be verified against any stored trusted issuer certificate incorrectly threw AddMobileCredentialError.certificateNotFound instead of AddMobileCredentialError.invalidCredential.

Android Platform

• Fixed an issue where closing the embedded browser during the OpenID4VCI authorization flow caused retrieveCredentials to hang indefinitely.

8.0.0

Breaking changes

• The React Native supported versions for the SDK is now 0.78.x or higher, including React Native’s New Architecture.

Spelling standardization change (UK → US English)

The following changes reflect the update of the SDK's spelling convention from UK English to US English.

• Methods:
  • Renamed the initialise function to initialize.
  • Renamed the deinitialise function to deinitialize.
• Errors:
  • Renamed MobileCredentialHolderError.AuthenticationCancelled to MobileCredentialHolderError.AuthenticationCanceled.
  • Renamed MobileCredentialHolderError.InvalidAuthorisationRequestUri to MobileCredentialHolderError.InvalidAuthorizationRequestUri.
  • Renamed MobileCredentialHolderError.InvalidAuthorisationRequestVerifiedByCertificate to MobileCredentialHolderError.InvalidAuthorizationRequestVerifiedByCertificate.
  • Renamed MobileCredentialHolderError.InvalidAuthorisationRequestVerifiedByDomain to MobileCredentialHolderError.InvalidAuthorizationRequestVerifiedByDomain.

Error handling consolidation

• The getCredential method was updated as follows:
  • Added a new verification failure reason MobileCredentialVerificationFailureType.TrustedIssuerCertificateNotFound when the credential cannot be verified due to missing a matched trusted issuer certificate.

Features

• Added a msoHash to the MobileCredential and MobileCredentialMetadata types. This property represents a hashed mobile security object, defined in ISO/IEC 18013-5:2021. Note that this property is distinct from the id property and should not be used in the getCredential method.

• iOS Platform

  • The SDK now includes a check for empty CBOR arrays. Previously the SDK allowed credentials with an empty IssuerNamespaces field, but according to the Concise Data Definition Language (CDDL) specification defined in ISO/IEC 18013-5, this field must contain at least one entry. This update enforces that requirement, improving interoperability and ensuring issued credentials are standards-compliant.

7.0.0

Breaking changes

OID4VCI Pre-authorized Code flow support

The SDK now supports credential claiming using the OID4VCI Pre-Authorized Code Flow. Accordingly, the following changes have been introduced:

Method Signatures:

• The retrieveCredentials method now accepts:
  • The original offer URL as a String, instead of the previous CredentialOfferResponse type for the credentialOffer parameter
  • An optional transactionCode
  • The autoTrustMobileIaca and redirectUri parameters are now set in the initialise method, whereas previously they were parameters of retrieveCredentials.
• The following properties no longer need to be exposed in the reponse of discoverCredentialOffer and are now managed interally to the SDK:
  • authorizeEndpoint,
  • tokenEndpoint,
  • credentialEndpoint,
  • mdocIacasUri
• New repsonse parameters added to discoverCredentialOffer:
  • TransactionCode struct

User authentication configuration

The initialise method now allows configuring how biometric authentication is performed. To allow this the following changes were introduced:

• Introduced a new UserAuthenticationConfiguration object:
  • UserAuthenticationConfiguration.userAuthenticationBehavior supports the following options:
    • UserAuthenticationBehavior.Always requires user authentication for all supported operations
    • UserAuthenticationBehavior.None no user authentication is required
    • UserAuthenticationBehavior.OnDeviceKeyAccess requires user authentication when presenting or issuing a credential
    • UserAuthenticationBehavior.OnInitialise requires user authentication when initialising the SDK
  • UserAuthenticationConfiguration.userAuthenticationType is iOS only and supports the following options:
    • UserAuthenticationType.BiometricOnly only biometric authentication is allowed
    • UserAuthenticationType.BiometricOrPasscode authentication with either biometrics or device passcode
• Replaced the userAuthRequiredOnInitialise boolean parameter in the initialise method with userAuthenticationConfiguration of type UserAuthenticationConfiguration.
• Renamed the MobileCredentialHolderErrorType.UserAuthenticationOnInitChanged error type to MobileCredentialHolderErrorType.UserAuthenticationConfigurationChanged.
• Renamed CredentialIssuanceOptions to CredentialIssuanceConfiguration

Error handling consolidation

In order to provide a more cohesive and manageable error handling in the OID4VCI flow, we have consolidated some error cases into broader ones. This change aims to make it easier for developers to handle errors consistently. Below is a summary of the changes:

• discoverCredentialOffer no longer throws the following errors:
  • DiscoverCredentialOfferErrorType.CredentialOfferNotFound
  • DiscoverCredentialOfferErrorType.SupportedCredentialsNotFound
  • DiscoverCredentialOfferErrorType.CredentialOfferNotInCredentialIssuerMetadata
  • DiscoverCredentialOfferErrorType.IssuerMetadataServiceError
• Instead, these errors were consolidated into:
  • DiscoverCredentialOfferErrorType.FailedToDiscoverCredentialOffer

To see the full list of errors that discoverCredentialOffer may throw, refer to this method in the SDK documentation.

---

• retrieveCredentials no longer throws the following errors:
  • RetrieveCredentialsErrorTypes.AuthCodeNotFound
  • RetrieveCredentialsErrorTypes.AuthenticationFailed
  • RetrieveCredentialsErrorTypes.CertificateNotFound
  • RetrieveCredentialsErrorTypes.DeviceKeyGenerationError
  • RetrieveCredentialsErrorTypes.GenerateAuthorisationUrlFailed
• Instead, these errors have been added:
  • RetrieveCredentialsErrorTypes.RedirectUriNotFound
  • RetrieveCredentialsErrorTypes.InvalidTransactionCode
  • RetrieveCredentialsErrorTypes.WebAuthenticationFailed
  • RetrieveCredentialsErrorTypes.FailedToDiscoverCredentialOffer

Enhancements

• Introduced support for future dated credentials. The addCredential method can now be used to add credentials with a future validity period to the storage.
• [iOS] The SDK's storage data protection class was changed from C (Protected Until First User Authentication) to B (Protected Unless Open). See Apple Platform Security forum for details.
• The SDK no longer checks the signature algorithm when adding verifier certificates. This aligns with ISO/IEC 18013-5:2021, which does not specify required algorithms for reader root certificates.

Bug fixes

• Fixed an issue where special characters in credential offers were escaped twice.
• Resolved a potential crash when establishing a BLE connection.
• Fixed an issue where the browser would retain focus after authenticating during credential retrieval via OpenID4VCI.
• Fixed validation for ES384 and ES512 signatures.
• Enabled using RSA as a digital signature algorithm for Reader Authentication root certificates.

6.0.0

Features

First GA release as a standalone SDK.

Previous versions of this SDK were only available as an extension. For a detailed list of previous changes to this SDK please refer to the React Native Holder SDK changelog under the Mobile Credential category.