We're the team behind iGrant.io. Last week we shipped three free, browser-based developer tools for the EUDI Wallet ecosystem, timed to the ETSI EAA Plugtests:
The ETSI EAA Plugtests are running through 1 June 2026 with focus on SD-JWT VC and ISO 18013-5. Curious what tooling everyone is reaching for when an IssuerSigned structure or COSE_Sign1 envelope doesn't decode cleanly.
Our team got tired of pasting CBOR into half-broken local scripts (or worse, online decoders that upload to a server), so we built a browser-only one:
https://docs.igrant.io/docs/devt...
It surfaces the IssuerSigned tree, COSE_Sign1 protected/unprotected headers, the Mobile Security Object, every namespace, and the issuer x5chain.
SD-JWT VC adds a lot of moving parts on top of plain JWT disclosures, key-binding JWTs, salt, and an issuer key resolution chain (x5c, jwk, did:key, did:jwk).
If you've never picked one apart byte-by-byte, paste any sample into the JWT/SD-JWT decoder we built and watch each piece light up:
https://docs.igrant.io/docs/devt...
It auto-derives the issuer key, parses every disclosure inline, and gives you one-click signature verification.
DCQL (Digital Credentials Query Language) is the part of OpenID4VP that decides "what does the verifier ask for, and how flexibly?" The spec examples are great but skinny what does it look like when you wire it to real use cases?
We documented seven we run end-to-end:
Basic query with trusted authority https://docs.igrant.io/docs/dcql...
Age verification (claim set) https://docs.igrant.io/docs/dcql...
Most EUDI conversation is about person wallets. The EU Business Wallet (organisation wallet) is a parallel track issuing, holding, and presenting credentials on behalf of a legal entity. The shape is similar but the trust model is different.
A lot of "online decoders" upload your token to a server. For credentials that's a real problem even test data often contains personal claims, real x5c chains, and signatures tied to live keys.
We wrote our three tools as pure browser apps. Paste, drop, or upload nothing leaves your machine, no server logs, no analytics on the payloads.
One of the cleaner real-world wins from EUDI Wallet adoption: login forms disappear. The wallet presents a verified attribute (email, PID, or whatever your relying party trusts) and the password field is gone.
We documented the flow we run:
https://docs.igrant.io/docs/eudi...
Underneath, it's an OpenID4VP request with a DCQL query, the wallet builds an SD-JWT VP with key-binding, the verifier checks the signature, you're in.
Two free, browser-based decoders for EUDI Wallet and EU Business Wallet developers:
• mdoc CBOR Decoder (new): Inspect ISO/IEC 18013-5 IssuerSigned structures: COSE_Sign1 issuer authentication, the Mobile Security Object, namespaces, and x5chain certificates.
• JWT / SD-JWT Decoder (enhanced): Parse headers, payloads, signatures, SD-JWT disclosures, and key-binding JWTs. Issuer keys auto-derived from x5c, jwk, did:key, or did:jwk for one-click verification.
