Verifiable Credentials
What are Verifiable Credentials?
A Verifiable Credential (VC) is a digital statement about an identity that can be cryptographically verified without calling anyone on the phone. Unlike a paper driver's license or a PDF diploma, a VC carries a signature that anyone can check against a public key on-chain — no central authority needs to be online at verification time.
Think of it this way: your university signs a credential saying you graduated. Years later, an employer checks that signature against the university's public DID on EID. If the math checks out, the credential is valid. The university does not even need to know the check happened.
The Trust Triangle
Three roles make verifiable credentials work:
| Role | What they do |
|---|---|
| Issuer | Makes claims about a subject and signs a credential. Examples: a university, a KYC provider, an employer. |
| Holder | Receives the credential and stores it (typically in a wallet). The holder decides when and to whom to present it. |
| Verifier | Receives a presentation from the holder and checks the issuer's signature. Examples: an app, a hiring portal, a service gate. |
The key insight: the issuer and verifier never need to talk to each other. The chain-anchored DID is the trust bridge.
How VCs Work in Elastos
- The issuer creates a credential containing claims (e.g., "name: Alice", "degree: CS") and signs it with their DID's private key.
- The holder stores the signed credential in their wallet.
- When a verifier requests proof, the holder packages one or more VCs into a Verifiable Presentation and signs that, too.
- The verifier resolves the issuer's DID Document from EID, extracts the public key, and verifies the credential signature. No back-channel to the issuer is required.
Because the issuer's public key is on-chain, verification can happen without the issuer being online or even aware. The chain is the source of truth.
Credential Types
| Type | Description | Example |
|---|---|---|
| Self-proclaimed | The holder creates and signs claims about themselves. Useful but carries less weight — you are vouching for yourself. | "My email is alice@example.com" |
| Third-party issued | An organization verifies something and issues a signed credential. Carries the issuer's reputation. | KYC provider issues an age-verification credential |
| Application credentials | App-specific data stored as credentials. Tied to a particular service context. | A gaming platform issues a "premium member" credential |
Verifiable Presentations
When a verifier asks for proof, the holder does not hand over raw credentials. Instead, they package one or more VCs into a Verifiable Presentation (VP):
- The VP is signed by the holder's DID, proving they possess the credentials.
- A nonce and realm can be included so the presentation cannot be replayed on a different site or at a different time.
- The holder can choose which credentials (or even which fields) to include — selective disclosure.
Use Cases
- KYC verification — prove your identity once, present the credential to multiple services.
- DID-based single sign-on — log in to apps with your DID and a presentation instead of a password.
- Data vault access control — grant a specific DID access to your Hive vault data using credential-based scripting.
- Reputation systems — accumulate verifiable endorsements from different issuers.
- Age or membership gates — prove you meet a requirement without revealing unnecessary personal data.
Code Example
Here is a brief example using the DID JS SDK to create and verify a credential:
import { DIDDocument, VerifiableCredential, Issuer } from "@elastosfoundation/did-js-sdk";
// Issuer creates a credential for the holder
const credential = await new Issuer(issuerDID)
.issueFor(holderDID)
.type("EmailCredential")
.property("email", "alice@example.com")
.seal(issuerPrivateKey);
// Holder stores the credential in their wallet
wallet.store(credential);
// Verifier checks the credential later
const isValid = await credential.verify(); // resolves issuer DID from chain
const isExpired = credential.isExpired();
const isRevoked = await credential.isRevoked();
if (isValid && !isExpired && !isRevoked) {
console.log("Credential is trustworthy");
}
Always check revocation status — a credential may have a valid signature but the issuer may have revoked it after issuance.
W3C Compliance
Elastos Verifiable Credentials conform to the W3C Verifiable Credentials Data Model. This means credentials issued by Elastos DIDs are structurally compatible with the broader decentralized identity ecosystem.
Resources
- DID Integration Guide — credential issuance and verification APIs
- DID Integration Guide — end-to-end integration walkthrough
- DID Login Tutorial — authenticate users with DIDs and presentations