Verifiable Credentials
Verifiable credentials are a W3C data model for tamper-evident digital claims that can move from issuers to holders to verifiers, making them relevant to identity, provenance, delegation, and agent governance.
Definition
A verifiable credential, or VC, is a structured digital credential whose authorship and integrity can be checked by a verifier. The W3C Verifiable Credentials Data Model v2.0 became a W3C Recommendation on May 15, 2025. It defines an extensible way to express claims, credentials, and presentations in an ecosystem made up of issuers, holders, and verifiers.
A VC can help a verifier check who issued a claim, whether the credential has been altered, and whether it is still usable under the verifier's policy. It does not prove that the issuer is trustworthy, that the underlying claim is true or fair, that the holder is the rightful presenter, or that the verifier has a legitimate reason to ask for it.
VCs are a data model and ecosystem pattern, not one identity system. A deployment might use Decentralized Identifiers, OpenID protocols, SD-JWT, JOSE, COSE, BBS-derived selective-disclosure proofs, mobile-document formats, browser mediation, or vendor wallets. The governance question is which exact layer is making which claim.
Snapshot
- Stable core: W3C Verifiable Credentials Data Model v2.0 is the Recommendation baseline for the issuer-holder-verifier model.
- Main objects: credential, verifiable credential, verifiable presentation, issuer, holder, verifier, credential subject, claim, evidence, status, schema, and securing mechanism.
- Security split: the data model is separate from securing methods such as Data Integrity proofs, JOSE, SD-JWT, and COSE.
- Status split: a valid signature does not answer revocation, suspension, expiry, replacement, or policy-fit questions.
- Privacy promise: selective disclosure can reduce overcollection, but only if the credential format, wallet, verifier request, status checking, and logs avoid correlation.
- AI relevance: VCs can express attestations about agents, datasets, models, audits, licenses, devices, and supply-chain artifacts, but they do not make those claims true by themselves.
Current Context
In the June 2026 standards landscape, VCDM v2.0 remains the W3C Recommendation baseline, while Verifiable Credentials Data Model v2.1 is a W3C Working Draft dated May 11, 2026. W3C also published a Verifiable Credentials Overview Group Note on June 18, 2026 and a Threat Model for Decentralized Credentials Group Note Draft on June 22, 2026. Those documents help explain ecosystem risks, but they are not replacements for the normative data model and securing specifications.
Adjacent specifications are at different maturity levels. Data Integrity 1.0, Securing Verifiable Credentials using JOSE and COSE, and Bitstring Status List v1.0 are W3C Recommendations from May 15, 2025. Data Integrity BBS Cryptosuites v1.0 was a W3C Candidate Recommendation Draft dated April 7, 2026, aimed at selective disclosure and unlinkable derived proofs. Confidence Method v1.0 was a W3C Working Draft dated June 18, 2026 and explicitly experimental.
Transport and wallet protocols have also matured outside W3C. OpenID for Verifiable Presentations 1.0 became an OpenID Final specification on July 9, 2025, and OpenID for Verifiable Credential Issuance 1.0 became Final on September 16, 2025. IETF RFC 9901 standardized Selective Disclosure for JSON Web Tokens in November 2025, while the SD-JWT VC profile remained an IETF Internet-Draft during this review window. A verifier therefore needs to distinguish credential data model, credential format, issuance protocol, presentation protocol, wallet behavior, and trust framework.
Roles and Objects
An issuer creates a credential. A holder stores or controls it, often through a wallet or credential-management system. A verifier receives a presentation and decides whether it satisfies a policy. The credential subject is the entity the claims are about; depending on the schema, that subject may be a person, organization, account, device, product, dataset, model, or service.
A credential is a set of claims plus metadata such as issuer, subject, validity period, type, schema, status, evidence, and terms of use. A verifiable credential is secured so verification software can detect tampering and check authorship. A verifiable presentation packages one or more credentials for a verifier, often adding holder binding or proof of possession so the presentation is not merely a copied document.
This portability lets an institution issue a claim once and let another system evaluate it later. It also creates governance pressure: schema, issuer authority, revocation, retention, and appeal all matter.
Securing and Status
W3C separates the data model from securing mechanisms. Verifiable Credential Data Integrity 1.0, also a May 15, 2025 W3C Recommendation, describes cryptographic proof mechanisms for authenticity and integrity. Securing Verifiable Credentials using JOSE and COSE, another Recommendation from the same date, defines ways to secure VC data with JOSE, SD-JWT, and COSE technologies.
Status is separate from signature checking. Bitstring Status List v1.0, a W3C Recommendation from May 15, 2025, defines a privacy-preserving and space-efficient way to publish suspension, revocation, or similar status information. A credential can be correctly signed and still be expired, suspended, revoked, superseded, or outside the verifier's policy.
Schemas and evidence are also separate. A credential schema can help software understand expected fields and types; evidence can point to supporting material; neither is a guarantee that the issuing process was fair or that the evidence was independently reviewed. For high-stakes use, the verifier needs a policy that names acceptable issuers, schemas, assurance levels, status methods, freshness windows, and appeal routes.
AI Context
For AI systems, verifiable credentials are not only about human identity documents. They are a candidate format for attestations about agents, datasets, model releases, benchmark runs, audits, licensing, safety cases, device provenance, and software supply-chain claims.
The connection to AI Agent Identity is direct. As AI agents act through browsers, APIs, wallets, tool servers, and other agents, systems need a way to distinguish self-description from accountable claims. A signed agent card, bot registration, product passport, or audit attestation still needs policy about who may issue it and what relying parties may infer.
The W3C Digital Credentials API is Working Draft work, not a final Recommendation, and is designed to let user agents mediate issuance and presentation while remaining agnostic to credential formats. That matters for browser agents: a credential prompt is not just another click target. It can disclose identity, eligibility, affiliation, location-bound status, or government-linked attributes.
For AI provenance, VCs sit beside Content Provenance and Watermarking, AI Data Provenance, SCITT, AI Audits and Third-Party Assurance, and AI System Inventory. A VC can carry a signed claim about an artifact or actor; a transparency log, model card, audit trail, or procurement record may still be needed to make that claim useful.
Governance and Safety
VC systems fail when cryptographic verification is treated as institutional truth. A valid signature says that a key associated with an issuer protected a credential; it does not settle whether the issuer should exist, whether the credential is accurate, or whether a verifier is over-collecting attributes.
Selective disclosure and zero-knowledge techniques can reduce unnecessary sharing, but they are not automatic. A system can use VCs and still demand too much data, create linkable presentations, centralize wallet dependencies, exclude people without credentials, or make revocation opaque.
For AI governance, a dataset credential, model attestation, or agent authorization should name the issuer, schema, subject, validity period, status mechanism, evidence basis, relying parties, and dispute path. Otherwise the VC becomes a polished label on an unreviewed claim.
Verifier governance is as important as issuer governance. A verifier should have authority to ask, request the minimum claim, authenticate itself to the wallet or holder, explain purpose and retention, check status without creating avoidable issuer or verifier correlation, and record the decision without storing unnecessary credential contents. These controls connect directly to Data Minimization and Contextual Integrity.
Credential Evidence Record
A VC-backed claim is useful only if later reviewers can reconstruct what was actually checked. For consequential identity, agent, provenance, or audit claims, preserve at least:
- Credential layer: credential identifier, type, schema, issuer, credential subject, claims requested, validity period, evidence field, and terms of use.
- Securing layer: proof or envelope type, cryptographic suite or JOSE/COSE profile, key identifier, issuer-controlled identifier, and verification software version.
- Status layer: status method, status list or endpoint, revocation or suspension result, freshness time, and failure handling when status cannot be checked.
- Presentation layer: presentation protocol such as OpenID for Verifiable Presentations, wallet or credential manager, holder binding, disclosed claims, verifier identity, and user or agent approval event.
- Policy layer: acceptable issuers, schemas, assurance levels, relying-party authority, purpose, retention period, appeal path, and exception handling.
- AI layer: if the credential concerns an agent, dataset, model, audit, or artifact, link it to the relevant inventory, provenance record, audit trail, and incident owner.
Defense Pattern
- Separate signature from trust. Check cryptography, issuer authority, schema, status, and policy fit.
- Minimize disclosure. Ask for the narrow claim, not the full credential, when selective disclosure is available.
- Constrain relying parties. Define who may request which claims, why, and for how long.
- Preserve contestability. Give subjects a route to correct, challenge, or contextualize credentials.
- Authenticate the verifier. A wallet should not treat a syntactically valid request as a legitimate demand for attributes.
- Check holder binding. Determine whether the presenter is appropriately related to the credential, especially when credentials are copied, delegated, or handled by agents.
- Log without hoarding. Preserve the verification decision, policy version, and disclosed-claim summary without retaining full credentials unless necessary.
- Plan for loss and revocation. Wallet loss, key compromise, issuer compromise, schema errors, and status-service outages need recovery and appeal paths.
Source Discipline
Claims about verifiable credentials should identify the exact specification, version, maturity level, and securing mechanism. VCDM v2.0, VCDM v2.1, Data Integrity proofs, JOSE/COSE credentials, SD-JWT selective disclosure, SD-JWT VC, mobile identity documents, browser APIs, OpenID presentation flows, and vendor wallets are related but not interchangeable. A report should say what was issued, who issued it, how it was secured, how status was checked, what the verifier learned, and what policy authorized the request.
Use primary sources for standards and current status: W3C Recommendations, Working Drafts, Candidate Recommendations, Group Notes, OpenID Final specifications, IETF RFCs or Internet-Drafts, regulator text, and official implementation documentation. Do not cite a wallet vendor's marketing page as evidence that an ecosystem is privacy-preserving or interoperable.
For AI claims, avoid vague phrases like "the model is certified" or "the agent is verified." Name the credential issuer, subject, claim, schema, proof mechanism, status check, relying-party policy, and the external evidence that makes the credential meaningful.
Spiralist Reading
Spiralism reads verifiable credentials as a test of institutional memory. A credential can make a claim portable, but portability can either reduce dependency or spread classification everywhere. The healthy form is narrow, inspectable, revocable, and contestable. The unhealthy form turns every interaction into an identity checkpoint and every verifier into a collector of attributes.
Open Questions
- Which AI-agent claims should be credentials rather than self-advertised metadata?
- How should verifiers prove that they are entitled to request a credential?
- Who is accountable when a credential is technically valid but institutionally misleading?
Related Pages
- Digital Identity
- Digital Credentials API
- OpenID for Verifiable Presentations
- Decentralized Identifiers
- Federated Credential Management
- Zero-Knowledge Proofs
- Content Provenance and Watermarking
- AI Data Provenance
- Supply Chain Integrity, Transparency, and Trust
- AI Audits and Third-Party Assurance
- AI System Inventory
- AI Audit Trails
- AI Agent Identity
- Web Bot Auth
- Synthetic Identity Fraud
- Digital Public Infrastructure
- Contextual Integrity
- Data Minimization
- AI Governance
Sources
- W3C, Verifiable Credentials Data Model v2.0, W3C Recommendation, May 15, 2025.
- W3C, Verifiable Credentials Data Model v2.1, W3C Working Draft, May 11, 2026.
- W3C, Verifiable Credentials Overview, W3C Group Note, June 18, 2026.
- W3C, Verifiable Credential Data Integrity 1.0, W3C Recommendation, May 15, 2025.
- W3C, Securing Verifiable Credentials using JOSE and COSE, W3C Recommendation, May 15, 2025.
- W3C, Bitstring Status List v1.0, W3C Recommendation, May 15, 2025.
- W3C, Data Integrity BBS Cryptosuites v1.0, W3C Candidate Recommendation Draft, April 7, 2026.
- W3C, Confidence Method v1.0, W3C Working Draft, June 18, 2026.
- W3C, Threat Model for Decentralized Credentials, W3C Group Note Draft, June 22, 2026.
- W3C, Digital Credentials API, Working Draft.
- OpenID Foundation, OpenID for Verifiable Presentations 1.0, Final, July 9, 2025.
- OpenID Foundation, OpenID for Verifiable Credential Issuance 1.0, Final, September 16, 2025.
- IETF, RFC 9901: Selective Disclosure for JSON Web Tokens, November 2025.
- IETF Datatracker, draft-ietf-oauth-sd-jwt-vc: SD-JWT-based Verifiable Digital Credentials, Internet-Draft status page.