On 28.9.2025, the laws to introduce an electronic ID in Switzerland have been accepted in a public vote. This law was a second, fixed attempt after the rejection in 2021. The first, refused, attempt proposed to let private companies run the infrastructure for the eID. The amended law now requires the government to operate that infrastructure itself.

In preparation of the law, a beta version of the proposed architecture has already been implemented. After that vote, I took a look at the beta implementation. Not only is it government operated, but it also is fully open source to allow anyone to verify the implementation. There is quite some documentation available. Some of the guides have not kept up with development - but i guess its called "beta" for a reason and development is moving fast.

The ecosystem consists of the "registry" (operated by the government) that is used to check certificates, the "wallet" app to contain IDs (called Swiyu), identity "issuers" (with the main one that issues the eID operated by the government, but the wallet can also store data from other issuers) and finally "verifiers" that ask for information.

Image: The architecture of the eID infrastructure. Source: swiyu

From a consumer perspective, the system is actually quite simple: My application specifies the fields it needs to know from an ID, my verifier service issues a QR code resp. deeplink for the eID wallet and if the wallet owner allows it, my application receives the requested values. Behind the scenes, there is quite a bit of complexity of course, which guarantees that my application can legally trust the answer just as well as in a physical interaction where I look at the customers passport.

The eID system has been built around data minimization. Rather than always giving access to the full information like with a physical passport, my application has to indicate the specific fields it requires, and the user is shown which fields they would reveil. Besides name, birthdate and other detailed facts, there are also flags like "is over 16 years old" (the minimum age to legally buy beer), "is over 18 years old" (legally adult, allowed to drive, allowed to buy strong alkohol) or "is over 65 years" (the age people usually retire in Switzerland). That way, the exchange can be restricted to the information that actually matters.

Requesting verified data

To get started, I had to set up the verifier application. The easiest way to run that application is to use their docker image. After a rather involved setup procedure of creating keys, uploading them to the base infrastructure and then getting a manual approval for Liip as a verifier in the eID infrastructure, I had the necessary credentials to configure the verifier. With that solved, the rest was quite simple: I can send web requests to my verifier, telling it which fields I want from the customer. Those requests consist of some boilerplate plus the list of fields to request, specified as paths:

"constraints": {
    "fields": [
        {
            "path": [
                "$.age_over_18"
            ]
        }
    ]
}

The response to this request is a verification URL that needs to be rendered as a QR code and presented to the wallet. (Or alternatively a deep link that opens the wallet for this verification, to be used when visiting the website on the mobile phone that has the wallet installed.) The user has to scan the code with the wallet app (or tap the deep link). The wallet app then prompts them to allow sharing this specific list of information. On confirmation, the app communicates with my verifier service to provide the information. Meanwhile, my application polls for the status of the verification. Once it succeeds, it can fetch the result, which contains a boolean for this example. I can also request texts like given name, family name or birthday, or even the portrait image. A full list of the available fields is in this catalog on admin.ch.

Image: Confirmation screen after scanning the QR code with the Swiyu App. Source: Screenshot with test profile

Conclusions

The Swiss eID provides a - from consumer perspective - simple way of asking a user to prove that they are of age, or to provide their name. The API is (once the setup is done) rather simplistic. The really spectacular part about this is that the information received is provided by the swiss government, securely validated and satisfies legal requirements. It has the same value as being shown a physical passport, but without having to show more information than necessary.

It remains to be seen if verifiers adhere to the data minimization or ask for to many details like full name or birthdate unnecessarily. As with the permissions management for mobile apps, a company could ask for too much and refuse to work with less. The swiyu app unfortunately does not offer to transfer less than the requested data. Hopefully the Swiss government consumer protection and data protection services can get companies to refrain from gathering unnecessary data.