Creating Dynamic Policies

Example of a Rego policy

Creating a Sample Policy using Rego

A simple Rego policy that compares the subject DID of the credential under verification (passed to the policy as input.credentialData) with a DID supplied as a parameter (input.parameter.user) looks like this:

package system

# Fail closed: the result is false unless the rule below succeeds
default main = false

# SSI-Kit passes the credential (or the part selected with --data-path)
# as input.credentialData and the "input" JSON object as input.parameter
main {
    input.parameter.user == input.credentialData.credentialSubject.id
}

This policy file is located in the SSIKit test resources: src/test/resources/rego/subject-policy.rego

Note that a rule like this only compares two fields of the credential JSON. It does not check the credential's signature, schema or revocation status, so on its own it would accept a forged credential that simply carries the expected subject DID. Combine it with the verification policies that perform those checks (for example SignaturePolicy) when verifying.

Executing a Policy On-The-Fly

Please refer to the SSI-Kit setup section to execute the command successfully. The DynamicPolicy argument is a JSON object with two keys: "policy", the path or URL of the Rego file, and "input", the object that the policy sees as input.parameter.

ssikit vc verify -p DynamicPolicy='{ "policy": "src/test/resources/rego/subject-policy.rego", \
  "input": { "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" } }' \
  src/test/resources/rego/VerifiableId.json
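The subject check above is the smallest useful dynamic policy. As an added example (not part of the SSI-Kit repository or its test resources), the following Rego file extends it to the kind of policy a verifier typically wants: the subject DID must match, the issuer must be on an allow-list passed in as a parameter, and the credential must not be expired. It relies only on the input layout shown on this page (input.credentialData and input.parameter); the parameter names "user" and "trusted_issuers" and the file name issuer-policy.rego are this example's own choices.

```rego
# Added example, not SSI-Kit code: stricter dynamic policy.
# input.credentialData - the credential (or the --data-path selection)
# input.parameter      - the JSON object passed as "input" / -i
# "user" and "trusted_issuers" are parameter names chosen for this example.
package system

# Fail closed unless every sub-rule below holds
default main = false

main {
    subject_matches
    issuer_trusted
    not_expired
}

# The credential must be about the DID the verifier asked for.
subject_matches {
    input.parameter.user == input.credentialData.credentialSubject.id
}

# "issuer" may be a plain DID string or an object such as {"id": "did:..."};
# normalise both forms to the DID string.
issuer_id(i) = i { is_string(i) }
issuer_id(i) = i.id { is_object(i) }

# The (normalised) issuer DID must appear in the allow-list parameter.
# If no allow-list is supplied the rule is undefined and main stays false.
issuer_trusted {
    issuer := issuer_id(input.credentialData.issuer)
    input.parameter.trusted_issuers[_] == issuer
}

# Accept credentials without an expirationDate ...
not_expired {
    not input.credentialData.expirationDate
}

# ... or whose expirationDate (RFC 3339) lies in the future.
not_expired {
    exp := time.parse_rfc3339_ns(input.credentialData.expirationDate)
    exp > time.now_ns()
}
```

The policy can be tried outside SSI-Kit with the OPA CLI against a credential saved as input (for example opa eval --input input.json --data issuer-policy.rego "data.system.main", after wrapping the credential and parameters in the credentialData/parameter structure). With SSI-Kit it is passed exactly like subject-policy.rego above, with "trusted_issuers" added to the "input" object, e.g. "input": { "user": "did:key:...", "trusted_issuers": ["did:key:..."] }; the DIDs and the path are placeholders. As with the simpler policy, run it alongside SignaturePolicy, since the Rego rules inspect the JSON but do not verify the proof.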

Saving a Dynamic Policy

You can save the policy by name, which simplifies its usage in future verifications.

Please refer to the SSI-Kit setup section to execute the command successfully. Example:

ssikit vc policies create \
    -n "MyCustomPolicy" \
    -D "Verifies credential subject against a provided DID" \
    -p src/test/resources/rego/subject-policy.rego \
    -i '{ "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" }'

Flags:

  • -n, --name: Policy name, must not conflict with existing policies

  • -D, --description: Optional policy description

  • -p, --policy: Path or URL to the policy definition, e.g. a Rego file for the OPA policy engine

  • -i, --input: Input JSON object for the Rego query (available to the policy as input.parameter), which can be overridden or extended at verification time. Can be a JSON string or a path to a JSON file

  • -d, --data-path: JSON path to the data in the credential which should be verified, default: "$" (whole credential object)

  • -s, --save-policy: Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL

  • -f, --force: Override existing policy with that name (static policies cannot be overridden!)

  • -e, --policy-engine: Policy engine type, default: OPA. Options: OPA

  • --vc / --no-vc: Apply/Don't apply to verifiable credentials (default: apply)

  • --vp / --no-vp: Apply/Don't apply to verifiable presentations (default: don't apply)
