A DID Fragment is the part of a Decentralized Identifier (DID) that follows the hash (#) symbol, used to point to a specific key, service endpoint, or other component within the DID's associated DID Document. The full DID URI syntax is did:method:identifier#fragment. For example, in the DID did:example:123456789abcdefghi#key-1, the fragment key-1 references a specific public key listed in the corresponding DID document. This mechanism allows a single DID to manage multiple cryptographic keys, service endpoints, or verification methods, each addressable by its unique fragment.
LABS
Glossary
DID Fragment
A DID Fragment is the component of a DID URL following the hash (#) character, used to reference a specific part of a DID document, such as a particular verification method or service.
Chainscore © 2026
definition
DECENTRALIZED IDENTIFIER COMPONENT
What is DID Fragment?
A DID Fragment is a component of a Decentralized Identifier (DID) used to reference a specific resource or service within a DID document.
The primary function of a DID fragment is internal referencing within the context of its parent DID. It is not a standalone identifier and has no meaning outside the DID document it points into. When a verifier or relying party resolves the full DID URI including the fragment, the process involves first fetching the complete DID document from its resolver, then using the fragment to locate the specific JSON object (like a verificationMethod or service entry) within that document. This enables precise, cryptographically verifiable references to specific capabilities, such as signing a particular type of credential or connecting to a specific messaging service.
From a technical perspective, the fragment is defined by the DID Core specification (W3C) and its behavior is analogous to the fragment identifier in a standard URL. The syntax and semantics of what a fragment can point to are defined by the specific DID method in use and the structure of its DID documents. Common uses include referencing different public keys for various purposes (authentication, assertion, key agreement), linking to service endpoints for communication, or pointing to specific Verifiable Credentials or presentations. Proper use of fragments is crucial for building complex, interoperable decentralized identity systems where a single entity manages multiple relationships and capabilities.
how-it-works
DECODER RING
How a DID Fragment Works
A technical breakdown of the component that allows a single Decentralized Identifier (DID) to point to specific data or services within its associated DID document.
A DID Fragment is a string component appended to a Decentralized Identifier (DID) using a hash (#) symbol, forming a DID URL that references a specific part of the associated DID document. For example, the DID URL did:example:123456789abcdefghi#keys-1 uses the fragment keys-1 to point directly to a specific public key entry within the broader DID document. This mechanism enables fine-grained addressing, allowing applications to reference a particular verification method, service endpoint, or other JSON property without needing to parse the entire document.
The primary function of a fragment is to create an internal reference or anchor within the DID document's data structure. When a verifier or a relying party resolves the full DID URL, the resolver first fetches the complete DID document. It then uses the fragment identifier to locate the specific JSON object, typically by matching an id property. This is crucial for operations like digital signatures, where a proof must specify exactly which key from the document was used for signing, ensuring cryptographic precision and preventing ambiguity.
From an architectural perspective, fragments enable modularity and key rotation. A single DID document can contain multiple public keys for different purposes (e.g., authentication, assertion, key agreement). Each can be assigned a unique fragment identifier, such as #auth-key or #encryption-key. This allows services to be updated independently; a new signing key can be added with a new fragment without invalidating references to older, still-valid keys. It mirrors the functionality of URL fragments in web pages, providing direct, stable pointers to subsections of a structured document.
Implementing DID fragments requires strict adherence to the DID Core specification regarding URL syntax and document structure. The fragment itself is never sent over the network during the resolution process; it is a client-side directive for processing the retrieved document. This design ensures that the core DID resolution protocol remains simple and universal, while the fragment handling provides the necessary layer of specificity for advanced identity management and verifiable credential workflows, forming a foundational pattern for scalable decentralized identity systems.
key-features
DECENTRALIZED IDENTITY
Key Features of DID Fragments
DID Fragments are a core mechanism for creating granular, composable, and portable identifiers within a Decentralized Identifier (DID). They enable fine-grained control over identity attributes and verifiable credentials.
01
Granular Identifier Resolution
A DID Fragment is a suffix appended to a base DID (e.g., did:example:123#key-1) that allows a DID resolver to pinpoint a specific component within the associated DID Document. This enables direct addressing of individual public keys, service endpoints, or other verification methods without needing to parse the entire document.
02
Composable Identity Components
Fragments allow a single DID to represent a complex identity structure. A user can have multiple fragments for different purposes:
#key-agreementfor encrypted communication#signing-keyfor document signatures#social-mediafor linked service endpoints This composition avoids the need for multiple root DIDs for a single entity.
03
Portable Verifiable Credentials
Fragments are essential for Verifiable Credentials (VCs). A VC's proof section typically references a specific verification method via a DID Fragment (e.g., verificationMethod: "did:ethr:0xabc...456#controllerKey"). This binds the credential's validity to a precise cryptographic key within the issuer's DID Document, enabling portable verification.
04
Syntax and Standardization
Defined by the W3C DID Core specification, the fragment syntax follows the URI Fragment standard (RFC 3986). The fragment identifier is separated from the DID by a hash (#) character. It is opaque to the DID resolver—the resolver returns the entire DID Document, and the client extracts the fragment. This ensures interoperability across different DID methods.
05
Selective Disclosure & Privacy
By using different fragments for different contexts (e.g., #work, #banking), a DID controller can practice selective disclosure. They can present credentials or signatures from specific fragments without revealing their entire DID Document or all associated keys, enhancing privacy and minimizing correlation.
06
Contrast with DID Parameters
It is crucial to distinguish fragments from DID Parameters (e.g., did:example:123?service=agent&version=1).
- Parameters instruct the resolver how to fetch the DID Document (query).
- Fragments instruct the client how to use a specific part of the retrieved document (reference). Parameters are resolved server-side; fragments are processed client-side.
syntax-and-structure
DID FRAGMENT
Syntax and Structure
A DID Fragment is a specific component of a Decentralized Identifier (DID) URL that points to a particular part or resource within a DID document.
A DID Fragment is the component of a Decentralized Identifier (DID) URL that follows the hash (#) character, serving as a pointer to a specific section or resource within the associated DID Document. The full syntax is did:method:identifier#fragment. For example, in the DID URL did:example:123456789abcdefghi#key-1, the fragment is key-1. This mechanism allows a single DID document, which can contain multiple public keys, service endpoints, and other data, to be referenced with surgical precision, enabling verifiers to identify the exact cryptographic material or service needed for an interaction without processing the entire document.
The primary function of a fragment is disambiguation and direct reference. A DID document is a JSON-LD structure that may list several verification methods (e.g., for authentication, assertion, or key agreement). By appending a fragment like #key-2 or #auth-key, the controller can specify which exact key should be used for a particular operation, such as signing a Verifiable Credential. This is crucial for key rotation and management, as different keys can be used for different purposes or time periods, all under the same persistent DID.
From a syntactic and parsing perspective, the fragment is not sent to the DID resolver. The resolver's job is to fetch the complete DID document using the portion of the URL before the hash (did:method:identifier). Once the document is retrieved, the consuming application uses the fragment to navigate within the JSON structure, typically by matching the fragment value against the id property of an object within the document. It is a client-side dereferencing mechanism. The W3C DID Core specification mandates that fragment identifiers must be interpreted in accordance with the DID document's data model and representation (e.g., JSON-LD).
In practice, fragments enable complex, real-world use cases. A DID document for a corporate entity might contain separate keys for the CEO, the legal department, and a robotic process automation (RPA) service. Using fragments like #ceo-sig-2025, #legal-approval, and #rpa-endpoint, the entity can issue and control credentials with clear authority chains. Similarly, in user-centric identity, a personal DID might use #master-key for recovery and #device-key-phone for daily authentication, all referenced cleanly from the same foundational identifier.
It is important to distinguish the DID fragment from the DID Query component, which precedes the fragment and uses a question mark (?) for parameterization (e.g., did:example:123?versionId=2#key-1). While query parameters might instruct the resolver how to fetch a specific version or representation of the document, the fragment instructs the client what to look for inside it. This separation of concerns is a key design pattern in decentralized identifier architecture, ensuring resolvers remain simple and universal while clients handle specific resource selection.
primary-use-cases
DID FRAGMENT
Primary Use Cases
DID Fragments are the core building blocks for creating decentralized identifiers (DIDs). These are the primary scenarios where they are deployed to enable self-sovereign identity.
02
Selective Credential Disclosure
A key use case is verifiable presentations, where a user proves specific claims without revealing their entire identity. For example, a DID Fragment can be used to prove a user is over 21 by presenting a cryptographic proof linked to that fragment, without disclosing their name, birth date, or other credentials.
03
Cross-Platform & Cross-Chain Identity
DID Fragments enable portable identity across different blockchains and applications. A fragment created on Ethereum can be resolved and verified by a service on Polygon or Solana, provided they support the same DID method. This breaks down identity silos in the Web3 ecosystem.
04
Resource-Specific Authorization
Fragments are used to grant fine-grained access permissions. A user can have one DID Fragment for accessing a DeFi protocol and a separate one for a DAO governance platform. This limits the attack surface and correlation risk, as a compromise of one fragment does not affect others.
05
Sybil Resistance & Uniqueness Proofs
In systems requiring unique human verification (e.g., airdrops, governance), DID Fragments can be linked to off-chain attestations or biometric proofs. This allows protocols to issue a credential to a unique fragment, making it computationally infeasible for a single entity to control multiple verified identities.
06
Decentralized Service Endpoints
A DID Fragment's DID Document can list service endpoints for secure communication. This enables decentralized messaging, encrypted data storage locations, or links to social recovery mechanisms. The fragment acts as a discoverable address book entry controlled solely by the identity owner.
resolution-process
DID FRAGMENT
The Resolution Process with a Fragment
A DID Fragment is a string appended to a Decentralized Identifier (DID) after a hash (`#`) character, used to reference a specific component—such as a public key, service endpoint, or verification method—within the associated DID Document.
The resolution process with a fragment is the mechanism by which a DID resolver locates and returns a specific part of a DID Document, rather than the entire document. When a client submits a DID URL containing a fragment (e.g., did:example:123#key-1), the resolver first performs standard DID resolution to fetch the complete, verified DID Document. The fragment component (#key-1) is then used as an internal pointer, instructing the resolver to extract and return only the identified component, such as the specific verification method or service endpoint listed under that identifier within the document's data structure.
This process is crucial for enabling fine-grained interactions in decentralized systems. For instance, a verifier needing to check a signature only requires the specific public key used, not the identity holder's entire suite of keys or service listings. By resolving did:example:123#key-1, the resolver efficiently returns the JSON object for that single key. This targeted resolution supports use cases like selective disclosure, where different fragments can point to different cryptographic keys for distinct purposes (authentication, assertion, key agreement), or to specific service endpoints for communication or credential exchange.
The syntax and semantics of fragments are defined by the DID specification and the method governing the DID. The fragment identifier must correspond to the id property of an object within the DID Document. If the fragment does not resolve to a valid component, the resolution process fails for that specific dereferencing request. This architecture ensures that DIDs can function as compound URIs, where the base DID provides global, persistent identification, and the fragment enables precise, internal addressing within the decentralized identity's data set, separating the identifier from the identified data.
examples-in-did-documents
FRAGMENT USE CASES
Examples in DID Documents
A DID fragment is the part of a DID URL after the # symbol, used to reference a specific component within a DID document. These examples illustrate how fragments enable precise, verifiable addressing of keys, services, and other data.
01
Referencing a Public Key
The most common use of a fragment is to point to a specific public key within the verificationMethod array. This is essential for cryptographic operations like signature verification.
Example DID URL: did:example:123456789abcdefghi#key-1
Corresponding DID Document Entry:
json{ "verificationMethod": [{ "id": "did:example:123456789abcdefghi#key-1", "type": "Ed25519VerificationKey2018", "controller": "did:example:123456789abcdefghi", "publicKeyMultibase": "zH3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV" }] }
02
Pointing to a Service Endpoint
Fragments can reference specific service endpoints defined in the DID document, such as a linked data signature service, a messaging hub, or a credential repository.
Example DID URL: did:example:123456789abcdefghi#linked-domain
Corresponding DID Document Entry:
json{ "service": [{ "id": "did:example:123456789abcdefghi#linked-domain", "type": "LinkedDomains", "serviceEndpoint": "https://example.com" }] }
This allows a verifier to directly fetch the service definition for interaction.
03
Selecting a Verification Relationship
Fragments are used within verification relationships (authentication, assertionMethod, keyAgreement, etc.) to delegate which specific key from the verificationMethod array is authorized for that purpose.
Example DID Document Snippet:
json{ "authentication": [ "did:example:123456789abcdefghi#key-1" ], "assertionMethod": [ "did:example:123456789abcdefghi#key-2" ] }
Here, the fragment #key-1 is authorized for authentication, while #key-2 is authorized for issuing Verifiable Credentials (assertionMethod).
04
Fragment-Only References
When a reference is made from within the same DID document, the DID method-specific identifier can be omitted, leaving only the fragment. This is a shorthand defined by the W3C DID Core specification.
Internal Reference Example:
json{ "capabilityInvocation": ["#key-3"] }
This is interpreted as the full DID URL did:example:123456789abcdefghi#key-3. It's a concise way to reference internal components without repeating the full DID prefix.
05
Resolving a DID URL
The process of DID URL dereferencing involves a resolver fetching the DID document, then using the fragment to isolate the specific JSON object. The resolver performs a JSON Pointer-like traversal to locate the object whose "id" property matches the full DID URL.
Steps:
- Resolve
did:example:123456789abcdefghito its document. - Parse the document as a JSON structure.
- Search for any object where
id == "did:example:123456789abcdefghi#key-1". - Return that specific object as the dereferencing result.
DECOMPOSING THE SYNTAX
DID URL Components: A Comparison
A breakdown of the four core components of a DID URL, their purpose, and whether they are required for a valid DID or DID URL.
| Component | Purpose | Required for DID? | Required for DID URL? |
|---|---|---|---|
DID Scheme | Identifies the string as a Decentralized Identifier (always 'did:') | ||
DID Method | Specifies the underlying blockchain or network (e.g., 'ethr', 'key', 'web') | ||
Method-Specific Identifier | A unique identifier on the specified method's network | ||
Path | Points to a specific resource within a DID document | ||
Query | Requests a specific representation or parameter of the DID document | ||
Fragment | References a specific part, key, or service within the DID document |
DID FRAGMENT
Frequently Asked Questions (FAQ)
Common questions about DID Fragments, a core component of Decentralized Identifiers (DIDs) used for precise, cryptographically verifiable referencing.
A DID Fragment is a string component appended to a Decentralized Identifier (DID) after a hash (#) symbol, used to reference a specific part or verification method within a DID document. It functions like an HTML anchor link, allowing a single DID to manage multiple cryptographic keys, service endpoints, or other data. For example, in the DID did:example:123456789abcdefghi#key-1, the fragment #key-1 points to a specific public key entry within the associated DID document. This enables fine-grained control and selective disclosure of verification material without needing separate DIDs for each key or service.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall