Skip to content

Developer Guide: Building an Age Verification App

This guide is for Member States and other implementers building a production Age Verification application based on the EU Age Verification open-source toolbox. It covers how to get started, what to build on top of the open source, and what needs to be in place before going to production.

The open-source toolbox is designed for a stand-alone Age Verification App; a single-purpose app that stores and presents Proof of Age attestations. Age verification functionality can also be integrated into a broader digital wallet alongside other credentials, but that is outside the scope of this guide and the open-source implementation.

0. Quick Start: Try It Before You Build

Before starting development, we recommend experiencing the full flow using the ready-made demo components that include a hosted verifier, a hosted issuer, and installable wallet apps are available without any local setup.

See Installing and Configuring the Age Verification App to get started.

1. Before You Start

The following topics are not covered in this technical guide, but must be addressed before or alongside your implementation. We list them here so they are not overlooked.

Governance and legal compliance. Deploying an age verification solution involves regulatory obligations that vary by Member State. This includes compliance with the Digital Services Act, national age verification requirements, and data protection law. These are not addressed in this guide.

Enrolment method selection. You need to decide which enrolment methods your implementation will support. For example, NFC passport scanning, national eID, third-party identity providers, or on-site enrolment. The choice depends on your national context, the available identity infrastructure, and the assurance level required. The open-source toolbox provides reference implementations for some methods, but the selection and validation of methods for your deployment is your responsibility.

Issuer governance. Your issuer must be registered on the AV Trusted List to be recognised by verifiers. The process for registration and the governance model around it are separate from the technical implementation.

Age thresholds. The current implementation focuses on age_over_18. Supporting additional thresholds requires validating appropriate enrolment methods for the target age group and aligning with relevant legal frameworks.

2. Understand the Architecture

The Age Verification Solution consists of four main components. Understanding how they fit together is essential before starting implementation.

The Age Verification App is what you are building. It stores Proof of Age attestations on the user's device and presents them to verifiers when needed. The open-source codebase for Android and iOS is your starting point.

The Issuer Service issues Proof of Age attestations to the app using OpenID4VCI. In production, this must be a service you operate and that is registered on the AV Trusted List. A reference implementation is available for development and testing.

The Verifier is the online service that requests and validates Proof of Age attestations from the app.

The AV Trusted List is maintained by the European Commission and lists authorised issuers. Your production issuer must be registered here. A test trusted list is available for development.

For a full description of the architecture and component interactions, see the Overall Architecture.

3. Build the App

The open-source app is available for both Android and iOS. Both provide a working implementation you can build on and you do not need to start from scratch.

Steps needed for production readiness

The open-source blueprint gives you a working foundation, but it does not cover everything needed for a production deployment. Before going live, a number of technical tasks must be completed by the implementer — covering areas such as app hardening, secure storage, issuer setup, key management, issuance flow security, document-based enrolment, user authentication, and localisation.

A full description of each task is provided in the Implementer Checklist.

Note that this checklist covers technical tasks only. Legal compliance, governance agreements, issuer registration on the AV Trusted List, and enrolment method validation are equally important and must be addressed in parallel.

4. Connect to an Issuer

The app needs an issuer to obtain Proof of Age attestations. During development, you can use the publicly hosted demo issuer provided by the toolbox and no setup is required.

For production, you must operate your own issuer service.

5. Testing

Test your implementation against the public demo verifier at verifier.ageverification.dev. This is ready to be used and no setup required on the verifier side.

For interoperability testing across different implementations, contact the project team via Support to coordinate end-to-end testing with other ecosystem participants such as Member States and verifier providers.

6. Further Resources

  • Overall architecture: https://ageverification.dev/av-doc-technical-specification/docs/architecture-and-technical-specifications/
  • AV Profile (technical specification): https://ageverification.dev/av-doc-technical-specification/docs/annexes/annex-A/annex-A-av-profile/
  • AV Trusted List: https://ageverification.dev/AV%20Trusted%20List/
  • Support and contact: https://ageverification.dev/Support/