Skip to main content

W3C Verifiable Credentials

W3C Verifiable Credentials (VC) is the foundational standard for DPP Kit's credential format. Every credential issued by DPP Kit is a W3C VC v2.

What is a Verifiable Credential?

A Verifiable Credential is a tamper-evident digital claim made by an issuer about a subject. It consists of:

{
  "@context": ["https://www.w3.org/ns/credentials/v2"],
  "type": ["VerifiableCredential", "DigitalProductPassport"],
  "issuer": "did:web:app.dppkit.io:org:acme-corp",
  "validFrom": "2025-01-15T00:00:00Z",
  "credentialSubject": {
    "type": "Product",
    "name": "Organic Cotton T-Shirt",
    "identifier": "09347823000029"
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "verificationMethod": "did:web:app.dppkit.io:org:acme-corp#key-1",
    "proofPurpose": "assertionMethod",
    "proofValue": "z58DAdF..."
  }
}

Key Components

ComponentPurpose
@contextDefines the vocabulary used in the credential
typeWhat kind of credential this is
issuerDID of the organization that signed it
credentialSubjectThe actual claims (product info, facility info, etc.)
proofCryptographic signature proving the issuer signed it

How DPP Kit Uses VCs

  1. Issuance — DPP Kit constructs a credential JSON, then sends it to VCKit for signing
  2. Storage — The signed credential (with proof) is stored in the Storage Service
  3. Verification — VCKit's verify endpoint checks the signature, issuer DID, and status
  4. Display — DPP Kit fetches, verifies, and renders the credential for the user

Credential Status

W3C VCs support status mechanisms for revocation. DPP Kit uses Bitstring Status List — a compact, privacy-preserving way to indicate whether a credential has been revoked:

  • Each credential gets a position in a status list
  • The status list is a compressed bitstring (0 = valid, 1 = revoked)
  • Verifiers check the status list to determine if a credential is still valid
  • The issuer can flip a bit to revoke without revealing which specific credential was revoked

Interoperability

Because DPP Kit issues standard W3C VCs, credentials can be:

  • Verified by any VC-compatible verifier (not just DPP Kit)
  • Stored in any VC wallet
  • Exchanged with any system that understands W3C VCs
  • Presented using standard VC presentation protocols

You are never locked into DPP Kit for verification or storage.