Learn IAM
Learn IAM

Verifiable Credentials (VCs)

Verifiable Credentials (VCs)

Overview

Verifiable Credentials (VCs) are cryptographically signed digital credentials that enable tamper-evident representation of identity information. Unlike traditional credentials stored in centralized databases, VCs are issued directly to holders who store them in digital wallets and selectively share them with verifiers. The issuer's digital signature (verifiable via their DID Document) proves authenticity without requiring real-time contact with the issuer. VCs are the data format that makes Self-Sovereign Identity (SSI) practical—enabling portable, privacy-preserving credentials for education, employment, healthcare, and government services. Standards like OpenID for Verifiable Credentials (OID4VC) bridge VCs with existing OAuth/OIDC infrastructure for enterprise adoption. Good looks like credentials verified in seconds without contacting issuers, users sharing only necessary information through selective disclosure, and reduced fraud through cryptographic verification.

Architecture & Reference Patterns

Pattern 1: VC Trust Triangle

The fundamental VC architecture involves three roles:

        Issuer (University, Government, Employer)
       /                                          \
      /                                            \
  Creates & Signs                              Trusts Issuer
  Credential                                   (via DID/Registry)
      ↓                                              ↑
   Holder (User) ──── Presents Credential ────→ Verifier
   (Wallet)                                    (Relying Party)

Verification flow:

  1. Verifier requests credential presentation
  2. Holder selects credentials and consent to share
  3. Holder creates Verifiable Presentation (VP)
  4. Verifier resolves issuer's DID, retrieves public key
  5. Verifier validates signature and claims

Pattern 2: OID4VC Integration

Use OpenID for Verifiable Credentials to integrate VCs with existing identity infrastructure:

OID4VCI (Issuance):
Authorization Server → Token → Credential Endpoint → VC to Wallet

OID4VP (Presentation):
Verifier Request → Wallet Selection → VP Creation → Verification

Benefits:

  • Familiar OAuth 2.0 / OIDC patterns
  • Works with existing IdP infrastructure
  • Standardized interoperability

Pattern 3: Enterprise VC Ecosystem

Deploy VCs for enterprise use cases:

  • Issue employee credentials for portable professional identity
  • Accept partner/vendor credentials for streamlined B2B onboarding
  • Issue customer credentials for privacy-preserving verification
  • Integrate with existing IGA for credential lifecycle management

Key Decisions

DecisionOptionsRecommendationNotes / Gotchas
Credential formatJSON-LD, JWT, SD-JWT, mDOCSD-JWT for enterpriseSelective disclosure, familiar format, good tooling
Issuance protocolOID4VCI, DIDComm, CustomOID4VCILeverages existing OAuth infrastructure
Presentation protocolOID4VP, DIDComm, CustomOID4VPStandards-based, interoperable
Wallet approachRecommend specific, Accept any, Build customAccept standards-compliantAvoid lock-in; focus on interoperability
Revocation methodStatus List, Accumulator, Short-lived credentialsStatus List 2021Balance privacy with revocation needs
Schema governanceCustom schemas, Established schemas, Schema registryEstablished + registryUse existing schemas where possible

Implementation Approach

Phase 0: Discovery

Inputs: Use case analysis, credential requirements, existing infrastructure, regulatory landscape Outputs: VC opportunity assessment, credential schema requirements, integration points, pilot use case selection

Phase 1: Design

Inputs: Use cases, technical requirements, trust framework participation Outputs: VC architecture design, credential schemas, issuance/verification flows, wallet integration specifications, UX design

Phase 2: Build & Integrate

Inputs: Architecture design, selected tools/libraries, integration specifications Outputs: Issuer infrastructure deployed, verifier integration completed, wallet connectivity tested, operational procedures documented

Phase 3: Rollout

Inputs: Built infrastructure, pilot plan, user onboarding Outputs: Pilot with selected users, credential issuance live, verification flows operational, feedback collection, iterative improvements

Phase 4: Operate

Inputs: Production infrastructure, operational procedures Outputs: Ongoing issuance and verification, schema updates, revocation management, adoption metrics, ecosystem expansion

Deliverables

  • Verifiable Credentials strategy and use case prioritization
  • Credential schema definitions (aligned with standards)
  • Issuance and verification flow documentation
  • Wallet integration specifications
  • Trust framework participation plan
  • Revocation strategy and procedures
  • User experience design for credential flows
  • Operational runbooks

Risks & Failure Modes

RiskLikelihoodImpactEarly SignalsMitigation
User adoption challenges (wallet complexity)HHLow credential acceptance, onboarding abandonmentUX investment, progressive disclosure, familiar analogies
Interoperability failuresMHCredentials rejected by verifiers, format mismatchesStandards compliance, testing with ecosystem partners
Revocation latency exposes invalid credentialsMMRevoked credentials acceptedAppropriate revocation mechanism, short credential lifetimes
Issuer key compromiseLHFraudulent credentials issuedHSM protection, key rotation, monitoring
Schema evolution breaks existing credentialsMMVerification failures after updatesSchema versioning, backward compatibility

KPIs / Outcomes

  • Credential issuance volume (track adoption)
  • Verification success rate (target: greater than 99%)
  • User wallet activation rate (adoption metric)
  • Time to verify vs. traditional methods (value demonstration)
  • Revocation effectiveness (revoked credentials not accepted)
  • Ecosystem interoperability (credentials accepted across verifiers)