What Are Verifiable Credentials? The Complete Guide

The Problem with Digital Trust Today

In the modern digital ecosystem, identity is fragmented and insecure. The systems used to manage and verify who a person is online are largely built on outdated models that expose individuals and organizations to significant risk. Traditional digital identity relies on centralized and federated approaches, both of which present fundamental flaws.

In a centralized identity model, each service a person uses—from social media to online banking—maintains its own separate database of user credentials. This approach creates countless data silos, each a potential target for attack. A breach at any single service provider can expose the sensitive personal information of millions of users.

The federated identity model, exemplified by "Sign in with Google" or "Log in with Facebook," was developed to simplify this process. While more convenient, it introduces a different set of problems. It concentrates immense power in the hands of a few large identity providers, who can track user activity across different websites and services. This creates significant privacy concerns, as personal data can be correlated and used in ways the individual never intended or explicitly consented to. Both models suffer from a core weakness: the user is never truly in control of their own data.

A Comparison of Digital Identity Models

Table 1: A Comparison of Digital Identity Models

CategoryCentralized IdentityFederated IdentitySelf-Sovereign Identity (SSI)
Data ControlControlled by a single service provider (e.g., a website).Controlled by a third-party Identity Provider (e.g., Google, Facebook).Controlled by the individual user.
User PrivacyLow, as the provider controls data collection and use.Medium. Data is shared between services, creating potential for tracking.High. User shares only necessary data (selective disclosure).
Single Point of FailureHigh. A breach at the provider compromises all user data.High. A breach at the Identity Provider compromises access to many services.Low. Decentralized nature eliminates single targets for large-scale breaches.
PortabilityLow. Identity is locked to a single service.Medium. Identity is portable across services that support the provider.High. Credentials are held by the user and are interoperable by design.

To solve these deep-seated issues of security, privacy, and control, a new technical paradigm is required. This is where Verifiable Credentials (VCs) emerge as a foundational technology for a more secure and user-centric internet. In essence, Verifiable Credentials are tamper-evident, cryptographically secure digital versions of the credentials we use every day, giving individuals control over their own data and allowing them to share proof of their achievements and attributes without revealing unnecessary personal information.

Verifiable Credentials: The Digital Wallet for Your Achievements

The easiest way to understand Verifiable Credentials is to compare them to a physical wallet. A physical wallet holds various items that prove things about a person: a driver's license proves the ability to drive, a university ID proves student status, and an insurance card proves coverage. Each card was issued by a different trusted authority (the DMV, a university, an insurance company) and now resides in the individual's possession, under their direct control.

A digital wallet for Verifiable Credentials functions in precisely the same way, but for the digital world. It is a secure application, typically on a smartphone, where an individual can store and manage their digital credentials. Just as a person decides whether to pull out their driver's license or just state their name, the holder of a digital wallet has complete control over when, where, and with whom they share their digital credentials.

This analogy reveals a crucial shift in thinking away from a single, monolithic "digital identity." A wallet does not contain a person's "identity"; it holds a collection of distinct, verifiable attributes or claims. One credential makes a claim about driving privileges, another about educational attainment. The power of VCs lies in this granularity. They are not about creating one universal online ID but about empowering users to manage a collection of discrete, context-specific claims about themselves. "Verifying credentials," in this context, is the process where a third party can request claims about you and then cryptographically check the authenticity of these requested claims instantly, without needing to contact the original issuer every time.

The Core Components: The Triangle of Trust

The Verifiable Credentials ecosystem is built on the interaction between three core roles. This relationship is often referred to as the "triangle of trust" and is essential for the system's function.

The Issuer: The Source of Truth

The Issuer is an organization that attests to a claim about a subject and creates a cryptographically signed credential containing that claim.

  • Examples: A government agency issuing a digital passport, a university issuing a digital diploma, a bank issuing proof of income, or an employer issuing an employee badge.

The Holder: The User in Control

The Holder is the individual or entity that receives the credential from the Issuer. The Holder stores the credential in their personal digital wallet and has sole authority over how and when it is shared.

The Verifier: The Trusting Party

The Verifier is the person or organization that needs to confirm a claim about the Holder. The Verifier requests proof from the Holder, who then presents their Verifiable Credential. The Verifier can then check the credential's authenticity and integrity instantly.

  • Examples: An employer verifying a job applicant's degree, a website confirming a user is over 18, a border agent checking a digital passport, or a hospital confirming a doctor's medical license.

How Verifiable Credentials Work: A Step-by-Step Process

The lifecycle of a Verifiable Credential follows a clear four-step process:

Step 1: Issuance (Creating the Credential)

The process begins when an Issuer validates information about a potential Holder through a standard process, such as a Know Your Customer (KYC) check or student enrollment confirmation. Once the information is confirmed, the Issuer generates a digital credential containing specific claims (e.g., "Date of Birth: 1990-05-15"). This credential is then cryptographically signed with the Issuer's private key, creating a tamper-evident seal, and is securely transmitted to the Holder.

Step 2: Storage (The Holder's Digital Wallet)

The Holder receives the credential and accepts it into their digital wallet. This wallet can be an app or web application on their phone or laptop. Once stored, the credential resides entirely under the Holder's control, independent of the Issuer's systems. This is a critical distinction from traditional models where data remains on a company's servers.

Step 3: Presentation (Sharing Proof, Not Data)

When a Verifier needs to confirm a claim, they request it from the Holder. The Holder uses their wallet to generate a Verifiable Presentation. This is a bundle that contains the relevant credential (or parts of it) and is also cryptographically signed by the Holder using their private key. This second signature proves to the Verifier that the Holder is the rightful owner of the credential and consents to sharing it.  

Crucially, this step enables selective disclosure. The Holder can choose to reveal only the specific claims necessary for a given transaction. For example, to prove they are of legal drinking age, they can present only the claim "is over 21" without revealing their name, address, or exact date of birth, dramatically enhancing privacy.

Step 4: Verification (The Cryptographic Handshake)

The Verifier receives the Verifiable Presentation and performs a series of automated cryptographic checks. First, it verifies the Holder's signature to confirm ownership. Second, it verifies the Issuer's original signature on the credential. To do this, the Verifier retrieves the Issuer's public key from a trusted data registry. If both signatures are valid, the Verifier can be certain that the credential is authentic, was issued by the claimed Issuer, has not been altered, and is being presented by its rightful owner. This entire verification happens in seconds, without the Verifier ever needing to contact the Issuer directly.

What Are Examples of Verifiable Information?

The applications for Verifiable Credentials span nearly every industry, transforming processes that currently rely on slow, insecure, and paper-based verification.

Example 1: The University Diploma

A university (Issuer) issues a digital diploma as a VC to a graduating student (Holder). When applying for a job, the student can instantly present this credential to a potential employer (Verifier). The employer's system can cryptographically verify its authenticity in seconds. This eliminates the need for expensive and time-consuming manual background checks and calls to the university registrar, streamlining the hiring process for both parties.

Example 2: The Proof of Residence

A Public Utility Company (Issuer) issues a monthly digital bill as a Verifiable Credential (VC) to a resident (Holder). When signing up for a new internet service, the Holder needs to prove they live at the service address. The Holder can present a Verifiable Presentation to the Internet Service Provider (Verifier) that proves only two claims: "Full Name" and "Residential Address." The ISP's system can cryptographically confirm the validity of the address and that it is associated with the Holder's name, without ever seeing the Holder's utility account number, energy consumption, or other information. This fulfills the ISP's business needs while protecting the resident's other data.

Example 3: The Professional License

A medical board (Issuer) issues a license-to-practice VC to a qualified doctor (Holder). When the doctor joins a new hospital, the hospital's administration (Verifier) can instantly confirm that the doctor's license is authentic and has not been revoked. This ensures patient safety, satisfies regulatory compliance, and dramatically speeds up the onboarding and credentialing process for medical professionals.

DIDs vs. Verifiable Credentials: What's the Difference?

Within the world of Self-Sovereign Identity (SSI), two foundational technologies work together: Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). They are distinct but complementary.

A simple analogy helps clarify their roles: a DID is like your physical street address. It is a unique, persistent identifier for your home. Knowing the address 123 Main Street doesn't tell someone anything personal about who lives there, their credit score, or their profession. It's simply a stable endpoint where information can be sent and received. A VC is like an Official Letter delivered to that mailbox, such as a diploma or a utility bill. Each letter is a specific claim from a specific issuer (a university, a power company).

More technically, DIDs are a new type of identifier that individuals can create for themselves, which they own and control completely. A DID can be the anchor of a digital identity (some identity ecosystems only use private and public keys without DIDs). It contains no personal data itself; instead, it resolves to a public "DID Document" that contains the cryptographic public keys and potentially service endpoints needed to interact with the DID's owner securely.

Verifiable Credentials are the statements or claims that are cryptographically bound to a DID. The Issuer signs a credential and addresses it to the Holder's DID. From a technical standpoint, this relationship is the critical component that unlocks true data mobility and independence from any single issuer. Because the credential is tied to the user-controlled DID rather than an account on the Issuer's system, the Holder can truly own and manage it for life.

Understanding the W3C Verifiable Credentials Data Model

Verifiable Credentials (VCs) are based on open standards from the World Wide Web Consortium (W3C), ensuring interoperability and avoiding vendor lock-in. The W3C Verifiable Credentials Data Model (VCDM) defines a standard way to express credentials (the data model) and leaves room for multiple cryptographic encodings to make them tamper-evident and verifiable. Most commonly, VCs are secured using Data Integrity proofs (JSON-LD), JOSE/JWT (JWS), or SD-JWT (selective disclosure with JWT). The last one enables users to share only a subset of the claims in a credential.

A quick note on VC Data Model versions

W3C has published two versions of the Verifiable Credentials Data Model: v1.1 (W3C Recommendation on March 3, 2022) and v2.0 (W3C Recommendation on May 15, 2025). Both define the same fundamental concepts (issuer, credentialSubject/claims, and a verifiable signature), while v2.0 refines terminology and alignment with modern security mechanisms (e.g., JOSE/COSE and Data Integrity) and improves extensibility. Many ecosystems still run v1.1, with adoption of v2.0 growing.

The three core parts of a VC

Claims (the pieces of information)

The credentialSubject block contains the claims about the subject (Holder). For a university diploma, claims could include degree type, major, and graduation date.

Metadata (Who issued it and when)

Includes information like the issuer’s DID, the issuanceDate, and a unique credential id. This helps a verifier understand origin and lifecycle.

Cryptographic proof or signature (the tamper-proof seal)

This is what makes the credential verifiable. Depending on the chosen approach, you’ll see either a proof block (Data Integrity / JSON-LD) or a JWT/JWS/SD-JWT signature that covers the credential payload. W3C’s VC-JOSE-COSE spec defines how to secure VCDM payloads with JOSE (JWT), COSE (CBOR), and SD-JWT.

Example 1 — Data Integrity (JSON-LD) VC

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "id": "http://example.edu/credentials/3732",
  "type": ["VerifiableCredential", "UniversityDegreeCredential"],
  "issuer": "did:example:76e12ec712ebc6f1c221ebFEB1f",
  "issuanceDate": "2024-01-01T19:23:24Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "Bachelor of Science",
      "name": "Computer Science"
    }
  },
  "proof": {
    "type": "Ed25519Signature2018",
    "created": "2024-01-01T19:23:24Z",
    "proofPurpose": "assertionMethod",
    "verificationMethod": "https://example.edu/issuers/14#keys-1",
    "jws": "eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..l9d_264a..."
  }
}

Here, the VCDM payload is secured with a Data Integrity proof (a JSON-LD proof block).

Example 2 — VC-JWT (JOSE/JWS) representation (simplified)

In a JWT representation defined by VC-JOSE-COSE, the same VCDM fields appear inside the JWT payload (e.g., under vc), and the credential is signed with JWS. Instead of a JSON-LD proof block, verification uses the JWT header+signature.

// (header)
{ "alg": "EdDSA", "typ": "vc+jwt" }

// (payload) — key VCDM fields embedded as JSON
{
  "iss": "did:example:76e12ec712ebc6f1c221ebFEB1f",
  "nbf": 1704137004,
  "vc": {
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://www.w3.org/2018/credentials/examples/v1"
    ],
    "type": ["VerifiableCredential", "UniversityDegreeCredential"],
    "id": "http://example.edu/credentials/3732",
    "issuanceDate": "2024-01-01T19:23:24Z",
    "issuer": "did:example:76e12ec712ebc6f1c221ebFEB1f",
    "credentialSubject": {
      "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
      "degree": { "type": "Bachelor of Science", "name": "Computer Science" }
    }
  }
}

// The compact JWS string is what gets transported/presented.

The Future is Verifiable: Key Benefits

The shift toward Verifiable Credentials and Self-Sovereign Identity offers great benefits for individuals, organizations, and the digital economy as a whole.

Enhanced Security & Fraud Prevention

Because VCs are cryptographically signed and tamper-evident, they are exponentially more difficult to forge than physical documents or simple digital files. This provides strong guarantees against fraud. Furthermore, by moving data from centralized, high-value targets to individual digital wallets, the SSI model drastically reduces the risk and impact of large-scale data breaches.

Better User Privacy & Control

This is perhaps the most significant benefit. Through selective disclosure, users can prove a specific claim without over-sharing personal data. This principle of data minimization is a cornerstone of modern privacy regulations and is built into VCs.

Interoperability and Efficiency

Built on open W3C standards, VCs are designed to work across different services, industries, and international borders, creating a digital ID model that works globally. This interoperability eliminates redundant and inefficient verification processes. Instead of every new service conducting its own costly identity check, it can simply verify a credential that has already been issued by a trusted source. This speeds up everything from customer onboarding and employee credentialing to loan applications and supply chain management.

Become a Verifiable Credential Issuer, Verifier, or Wallet Provider with walt.id

Learn how to issue, verify, and store W3C VCs quickly and easily. Choose the free open-source Community Stack (Apache-2.0) or the production-ready Enterprise Stack from walt.id, trusted by 25,000+ developers and organizations worldwide.

Product Editions

  • The Community Stack (Apache-2.0) — trusted open source multi-platform libs, powerful APIs and easy-to-use white label apps for digital identity and wallets.
  • The Enterprise Stack — a solution for building secure, compliant and robust identity and wallet solutions or platforms at scale.

Guides

Last updated on September 15, 2025