Email Verification API support with SD-JWT for native email verification

[hieuwu]

Summary

As of now, native Android app can get Digital Credential, extract SD-JWT token to perform email verification directly in the app. This brings a lot of convenience over traditional email verification via link sent to email. With this new experience, it would be nice if Supabase can support some mechanism to set up and an API to verify email with SD-JWT.

Limitation

No direct support from API so can not build a robust end-to-end solution from SDK
This new SD-JWT has nothing to do with OIDC so can not take advantage of any current Auth API

Work around solution

We can achieve the whole flow with Edge Function, but it requires complex set up and not developer-friendly. Below is my solution built with supabase-kt.

High level

sequenceDiagram
    participant App as Android App
    participant CM as Credentials Manager
    participant EF as Edge Function
    participant Google as Google Identity Services

    App->>CM: 1. Request Digital Credentials
    CM-->>App: 2. Return Digital Credentials (SD-JWT)

    App->>App: 3. Extract SD-JWT Token

    App->>EF: 4. Send SD-JWT Token

    EF->>Google: 5. Validate Issuer + Signature
    Google-->>EF: Validation Result

    alt Validation Successful
        EF->>EF: 6. Update Email Verification Status
        EF-->>App: Success Response
    else Validation Failed
        EF-->>App: Error Response
    end

    Note over App,Google: High-level Email Verification Flow using Google Digital Credentials

Loading

Screenshot

Email.verification.mp4

Implementation of sd-jwt token extract from Android
supabase-community/supabase-kt-plugins#96

Send the token to Edge Function
supabase-community/supabase-kt#1316

Reference

Implement email verification with the Digital Credentials API
OpenID for Verifiable Presentations 1.0
SD-JWT Implementation in JS (TypeScript)