Digital ID & mobile driver's license (mDL) verification

Mobile driver's licenses are issued by US state DMVs and verified per ISO/IEC 18013-5. The mDL credential lives in Apple Wallet or Google Wallet, is presented to the verifier through a short-range protocol — Bluetooth Low Energy, NFC, or a QR-mediated handoff — and returned as a signed assertion containing only the attributes the user explicitly releases. Stile's API verifies the wallet's signature, validates the issuer certificate against the issuing authority's root (the AAMVA Digital Trust Service for US states), and returns an eligibility signal in the same shape as our document-scan flow. This page documents how the protocol surfaces in the API, what the signed webhook contains, and which jurisdictions are supported today.

How mDL verification works

Five-step sequence from session start to compliant signal. The Stile SDK abstracts the wallet handshake; the merchant integration only sees the signed webhook in step 5.

1. Device engagement. The verifier (your application via the Stile SDK) initiates a presentation request. The wallet establishes a short-range channel — BLE or NFC, depending on platform support — and exchanges ephemeral session keys per ISO/IEC 18013-5 §6.3. Engagement is unauthenticated; nothing about the holder is exposed yet.

2. Selective disclosure request. Stile's request specifies which attributes are required (typically age tier, jurisdiction, document number hash). The wallet renders a system-managed consent screen listing only those attributes. The user authenticates with the wallet's local biometric or passcode and explicitly approves release. Attributes outside the request are not even shown to the verifier.

3. Wallet response. The wallet emits a signed mDoc response containing only the released attributes. The signature is produced with a holder-bound key provisioned during issuance, and the holder's signing key chains to the issuer's signing certificate (the state DMV).

4. Server-side verification. The Stile backend validates the holder signature, validates the issuer certificate chain against the AAMVA Digital Trust Service root (or the issuing authority's equivalent for non-US jurisdictions), and checks revocation status against the OCSP-style endpoint exposed by the issuer. Verification runs server-side; the SDK does not hold the verification result.

5. Signed webhook. Stile delivers a signed webhook to the merchant containing the eligibility decision plus the releasable attributes. Source materials (full document number, raw date of birth, biometric template) are intentionally not transmitted to the merchant; the merchant receives a derived eligibility signal and one-way hashes of the underlying identifiers.

Signed webhook payload sample

Below is a representative payload from a successful mDL verification. The body itself is plain JSON; integrity is verified out of band via the request's stile-signature header, which carries an HMAC-SHA256 signature of the raw body keyed by your endpoint's webhook secret (format: t={timestamp},v1={signature}). The Stile SDK exposes stile.webhooks.fromRequest(req, secret) to verify and parse in one call — see the webhooks guide on docs.stile.id for the recommended pattern.

{

"id": "evt_01H8YQK9XR4N1F3Z7P2WVTM6BC",

"type": "verification_session.verified",

"livemode": true,

"created": 1746604800,

"data": {

"id": "vks_8f3a4c742b9e",

"object": "verification_session",

"status": "verified",

"type": "identity",

"credential_type": "mdl",

"wallet_provider": "AppleWallet",

"presentation_protocol": "ISO18013-5",

"released_attributes": {

"age_tier": "21+",

"jurisdiction_issued": "US-AZ",

"document_number_hash": "sha256:8f3a...c742",

"dob_hash": "sha256:c3b9...01ee"

},

"verification": {

"issuer_signature_valid": true,

"issuer_certificate_chain": "verified",

"holder_signature_valid": true,

"revocation_status": "active"

}

}

}

What's intentionally omitted from the body: the raw document number, the unhashed date of birth, the holder's full legal name, and any biometric template. The merchant receives only the eligibility tier (e.g., 21+), the issuing jurisdiction, and one-way hashes of the document number and DOB suitable for chargeback and fraud-investigation lookback. If a use case requires a stronger attribute set (full name, expiration date), it can be requested via the configured ruleset and surfaces in data.released_attributes; absent an explicit configuration, those attributes are never released.

US state mDL coverage

As of mid-2026, the following US states issue an ISO/IEC 18013-5-compliant mDL with at least one major-wallet integration. Coverage expands as new states ship; verify the current canonical list against the AAMVA Digital Trust Service participant register before contracting on a specific state. Where mDL is unavailable on the user's device, Stile's flow falls back to a physical document scan (passport, driver's license, national ID) verified through the same SDK and returning the same signed-webhook shape — the merchant integration is unchanged.

Arizona — issuance began 2021. Apple Wallet (iOS 15+), Google Wallet (Android 13+). Stile fallback: document scan.

Colorado — issuance began 2022. Apple Wallet (iOS 15+). Stile fallback: document scan.

Georgia — issuance began 2022. Apple Wallet, Google Wallet. Stile fallback: document scan.

Maryland — issuance began 2022. Apple Wallet, Google Wallet. Stile fallback: document scan.

Iowa — issuance began 2023. Apple Wallet, Google Wallet. Stile fallback: document scan.

Kentucky — issuance began 2023. Apple Wallet, Google Wallet. Stile fallback: document scan.

Ohio — issuance began 2023. Apple Wallet. Stile fallback: document scan.

New Mexico — issuance began 2023. Apple Wallet. Stile fallback: document scan.

California — pilot 2024. Apple Wallet (limited deployment). Stile fallback: document scan.

New York — pilot 2024. Google Wallet. Stile fallback: document scan.

Mississippi — issuance 2025. Apple Wallet, Google Wallet. Stile fallback: document scan.

Connecticut — pilot 2025. Apple Wallet. Stile fallback: document scan.

Issuance dates and wallet-support claims are derived from public state-DMV announcements. Treat this list as a starting point, not a contractual guarantee — confirm against the AAMVA participant register and the wallet provider's published mDL state list at the time of integration.

Digital ID verification fits inside Stile's broader verification flow — the same SDK handles age, identity, and liveness with mDL as one of several credential types. Related coverage:

Age verification — narrow age-tier flow that uses mDL when available and falls back to document scan otherwise.

Identity verification — full identity assertion flow with mDL as one credential path among many.

Regulated commerce — alcohol DTC, gambling, adult content, and cannabis flows where mDL releases the minimum attribute set legally required.

US state coverage — live map of which state laws apply and where Stile's mDL coverage maps to the regulator's enforcement intent.