
DIDs & Credential Signing

Every organization in DPP Kit has its own Decentralized Identifier (DID) — a globally unique, self-sovereign identity that is used to cryptographically sign credentials.

What is a DID?

A DID (Decentralized Identifier) is a W3C standard for creating verifiable digital identities without relying on a central authority. In DPP Kit, DIDs follow the did:web method:

did:web:app.dppkit.io:org:acme-corp

This DID resolves to a DID Document — a JSON file served at https://app.dppkit.io/org/acme-corp/did.json — which contains the organization's public key.

How Signing Works

1. Organization creates a credential (DFR, DPP, etc.)
2. DPP Kit signs it with the org's private key via VCKit
3. The signed credential includes a cryptographic proof
4. Anyone can verify by:
   a. Resolving the issuer DID to get the public key
   b. Checking the signature against the credential content

The private key never leaves the server. Only the public key is published in the DID Document.

DID Setup

When you first create an organization, it has no DID. To set up a DID:

  1. Navigate to the Organization page in the dashboard
  2. Click Create DID
  3. DPP Kit generates a key pair and registers the DID with VCKit
  4. The DID Document is published automatically

Caution: You must create a DID before you can issue any credentials. The onboarding checklist will guide you through this.

Verification Flow

When someone views a credential (either in DPP Kit or externally), the verification process is:

  1. Fetch the signed credential from storage
  2. Extract the issuer DID from the credential
  3. Resolve the DID to retrieve the public key
  4. Verify the cryptographic signature
  5. Check the credential status (not revoked)
  6. Display the credential with a pass/fail verification badge

DPP Kit always verifies credentials before displaying them — you'll see a green checkmark for valid credentials or a red warning for failed verification.
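Steps 2 and 3 of the verification flow can be sketched for an external verifier as follows. This is an added example, not DPP Kit or VCKit code: it maps a did:web issuer to its DID Document URL and checks that a fetched document is bound to that DID before any key from it is trusted. The function names, the path-segment allow-list and the sample document (with a placeholder key) are assumptions constructed for illustration; the fetch and the signature check themselves are not shown.

```python
import re
from urllib.parse import unquote

HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")  # host with optional port
SEGMENT_RE = re.compile(r"[A-Za-z0-9._~-]+")         # assumed conservative allow-list

def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL of its DID Document."""
    parts = did.split(":")
    if len(parts) < 3 or parts[:2] != ["did", "web"]:
        raise ValueError("not a did:web identifier")
    # A port is written as a percent-encoded colon (%3A) in the host part.
    host = unquote(parts[2])
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host in DID")
    segments = parts[3:]
    for seg in segments:
        # Refuse empty, dot and percent-encoded segments so the DID cannot
        # steer the fetch to a different path than the one it names.
        if seg in (".", "..") or not SEGMENT_RE.fullmatch(seg):
            raise ValueError("invalid path segment in DID")
    path = "/".join(segments) if segments else ".well-known"
    return f"https://{host}/{path}/did.json"

def verification_methods(issuer_did: str, doc: dict) -> list:
    """Return the keys of a DID Document only if it belongs to issuer_did."""
    if doc.get("id") != issuer_did:
        raise ValueError("DID Document id does not match the issuer DID")
    methods = [m for m in doc.get("verificationMethod", [])
               if isinstance(m, dict)
               and str(m.get("id", "")).startswith(issuer_did + "#")]
    if not methods:
        raise ValueError("no verification method bound to the issuer DID")
    return methods

# Constructed sample data: the key value is a placeholder, not a real key.
SAMPLE_DID = "did:web:app.dppkit.io:org:acme-corp"
SAMPLE_DOC = {
    "id": SAMPLE_DID,
    "verificationMethod": [{
        "id": SAMPLE_DID + "#key-1",
        "type": "Multikey",
        "controller": SAMPLE_DID,
        "publicKeyMultibase": "zPLACEHOLDER-NOT-A-REAL-KEY",
    }],
}

if __name__ == "__main__":
    print(did_web_to_url(SAMPLE_DID))
    print([m["id"] for m in verification_methods(SAMPLE_DID, SAMPLE_DOC)])
```

Because did:web resolution is an HTTPS fetch, the trust in the returned public key is the trust in the domain's DNS and TLS certificate, so a verifier should fetch with certificate validation enabled and without following redirects to other hosts.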