The DID Web Method is a Decentralized Identifier (DID) specification that uses a domain name as the foundation for a cryptographically verifiable digital identity. Defined by the W3C, its DID syntax is did:web:<domain-name>, where the domain acts as the persistent identifier's root. The associated DID Document—containing public keys and service endpoints—is hosted at a well-known location under that domain, typically /.well-known/did.json. This method leverages the existing Domain Name System (DNS) and HTTPS infrastructure for discovery and resolution, making it one of the most straightforward and immediately deployable DID methods.
LABS
Glossary
DID Web Method
A W3C-standardized DID method that uses HTTPS and the Domain Name System (DNS) to host and resolve Decentralized Identifier (DID) documents from a well-known location on a web server.
Chainscore © 2026
definition
DECENTRALIZED IDENTIFIER SPECIFICATION
What is DID Web Method?
The DID Web Method is a W3C-standardized mechanism for creating and resolving Decentralized Identifiers (DIDs) using the familiar infrastructure of the web.
A key advantage of the DID Web method is its simplicity and low barrier to entry for developers and organizations. Unlike blockchain-based methods, it does not require transaction fees or specialized node software. The entity controlling the domain (e.g., a company, developer, or individual) has full custodianship over the DID and its document, allowing for direct management and rapid updates. This makes it ideal for prototyping, enterprise use cases, and scenarios where a trusted domain authority is acceptable. However, this reliance on traditional web trust models means its decentralization is contingent on the security and availability of the domain and web server.
The technical resolution process is defined by the W3C DID Specification. A resolver converts the did:web:example.com identifier into an HTTPS GET request to https://example.com/.well-known/did.json. The returned JSON-LD document must conform to the DID Core data model. For more specific paths, like did:web:example.com:user:alice, the resolver would fetch https://example.com/user/alice/did.json. This predictable, HTTP-based lookup enables interoperability across any system that implements the standard DID Web resolution algorithm.
Common use cases for DID Web include securing communications with Verifiable Credentials, establishing trust in API authentication (e.g., using DID as an OAuth client ID), and creating self-sovereign identities for websites and services. It serves as an excellent entry point for understanding decentralized identity principles before exploring more complex, fully decentralized ledgers. Its design prioritizes practical deployment, allowing organizations to issue, hold, and verify credentials without initially integrating with a blockchain, though it can be used in conjunction with other methods for enhanced trust models.
When implementing DID Web, critical security considerations include maintaining the integrity and availability of the hosted DID Document, using HTTPS to prevent man-in-the-middle attacks, and properly managing the private keys corresponding to the public keys listed in the document. Best practices also involve implementing proper HTTP caching headers and considering the use of DID Configuration with serviceEndpoint entries like linkedDomains to cryptographically link the DID to the domain, further strengthening the trust assertion.
how-it-works
DECENTRALIZED IDENTIFIER METHOD
How the DID Web Method Works
The DID Web Method is a specification for creating and resolving Decentralized Identifiers (DIDs) using the infrastructure of the World Wide Web.
The DID Web Method, defined by the W3C, is a mechanism for creating Decentralized Identifiers (DIDs) where the identifier itself is a URL based on a domain name you control. A DID Web identifier takes the form did:web:example.com. This method leverages the existing Domain Name System (DNS) and HTTPS infrastructure to provide a simple, low-barrier entry point for decentralized identity. The controlling entity—be it an individual, organization, or service—publishes the corresponding DID Document at a well-known location under that domain, typically https://example.com/.well-known/did.json. This document contains the public keys, service endpoints, and other verification methods necessary to prove control of the DID.
The resolution process is straightforward and does not require a blockchain or a specialized decentralized registry. When a verifier needs to look up did:web:example.com, they perform an HTTPS GET request to the predictable URL. The returned DID Document is cryptographically signed, allowing the verifier to authenticate its origin and integrity. This design makes the Web Method highly practical for enterprise applications, self-sovereign identity wallets, and verifiable credentials ecosystems where participants already manage web domains. Its reliance on TLS/HTTPS also provides a foundational layer of security and authenticity for the document retrieval process.
A key advantage of the DID Web Method is its simplicity and deployability. Since it uses standard web protocols, it avoids the complexity of running a node on a blockchain or peer-to-peer network. However, this convenience comes with trade-offs. Control of the DID is contingent on control of the domain name and web server, making it dependent on traditional centralized authorities (domain registrars and hosting providers). For high-assurance, censorship-resistant identities, methods like did:ethr or did:ion may be more appropriate. The DID Web Method is thus ideal for organizational identities, API authentication, and scenarios where existing web trust models are sufficient.
key-features
DECENTRALIZED IDENTIFIER PROTOCOL
Key Features of DID Web Method
The DID Web Method is a W3C standard for creating Decentralized Identifiers (DIDs) using web domains as the foundational trust anchor. It enables simple, self-hosted digital identity without a blockchain.
01
Domain-Based Identifier
A DID Web identifier is derived directly from a domain name you control, following the format did:web:example.com. The domain's DNS infrastructure and TLS/SSL certificates serve as the initial trust root. This creates a human-readable, verifiable link between the DID and a web location.
02
Self-Hosted DID Document
The core identity document—the DID Document (DIDDoc)—is a JSON file hosted at a predictable URL under the domain (e.g., https://example.com/.well-known/did.json). This document contains:
- Public keys for authentication and signing.
- Service endpoints for interacting with the identity holder.
- The controller's verification methods.
03
No Blockchain Required
Unlike methods like did:ethr or did:sov, DID Web does not rely on a distributed ledger for registration or resolution. Identity management is performed via standard HTTPS operations, making it simpler to deploy and integrate with existing web infrastructure and Content Delivery Networks (CDNs).
04
Standardized Resolution
Resolvers fetch the DID Document via an HTTP GET request to the well-known location, following the DID Core Specification. Resolution must verify the TLS connection and the document's JSON structure and signatures. This interoperability allows any compliant DID resolver to process did:web identifiers.
05
Key Rotation & Document Updates
The identity controller can update their DID Document by publishing a new file to their web server. To maintain trust, updates should be signed with a prior authentication key. This enables key rotation, revocation of compromised keys, and the addition of new service endpoints without changing the core DID identifier.
06
Use Cases & Limitations
Ideal for organizational identities, IoT device management, and SSI pilots where domain ownership is established. Key limitations include:
- Centralization Risk: Dependency on domain and web hosting control.
- Liveness Requirement: The web server must be online for resolution.
- Less suitable for fully decentralized, individual user identities compared to blockchain-anchored methods.
technical-details
DID WEB METHOD
Technical Details: DID Syntax and Resolution
An examination of the DID Web method, a decentralized identifier specification that leverages the existing Domain Name System (DNS) and HTTPS infrastructure for simple, self-hosted identity management.
The DID Web method is a Decentralized Identifier (DID) specification defined by the W3C that creates a DID from a domain name, using the familiar did:web method identifier. This method enables individuals and organizations to host their own DID documents on a web server they control, making it one of the most straightforward methods to implement without requiring a new blockchain or specialized registry. The DID itself is derived directly from the host component of a URL, such as did:web:example.com. Its resolution involves performing an HTTPS GET request to a well-known endpoint on that domain to retrieve the corresponding DID Document.
The syntax for a DID Web identifier follows a predictable pattern: did:web:<host>[:<path>]. The <host> is a fully qualified domain name, optionally followed by a <path> component for organizational purposes, like did:web:example.com:user:alice. This path structure allows a single domain to manage multiple DIDs. The corresponding DID Document is fetched by converting this DID into a URL: the did:web: prefix is replaced with https://, colons (:) are replaced with forward slashes (/), and the path /.well-known/did.json is appended. For example, did:web:example.com resolves to https://example.com/.well-known/did.json.
Resolution of a did:web identifier is an HTTPS-based process where a DID resolver performs a TLS-secured HTTP GET request to the constructed URL. The server must respond with the DID Document as a JSON-LD document with the correct application/did+ld+json content type. This document contains the public keys, service endpoints, and verification methods associated with the DID. A key advantage of this method is its simplicity and reliance on established web security models, including TLS certificates for server authentication. However, it also inherits the web's centralized trust model, as control of the DID is contingent upon control of the domain name and web server.
For key rotation and updates, the DID Web method relies on the entity controlling the web server to publish a new DID Document at the same URL. This is a simple file update but requires careful management to ensure continuity and prevent service disruption. Unlike blockchain-anchored methods, there is no immutable audit trail of changes, so implementers often pair the DID Document with cryptographic proofs, like signed verifiable credentials, to establish a history. The method is particularly suited for enterprise, academic, and institutional use cases where the organization already maintains a trusted web domain and wants to issue verifiable credentials to employees or members without deploying new infrastructure.
While powerful for prototyping and controlled environments, the DID Web method has distinct considerations. Its decentralization is relative, as it depends on the centralized Domain Name System (DNS) and certificate authorities. Security is tied to the security of the hosting web server and the strength of its TLS configuration. The W3C specification mandates the use of HTTPS to ensure communication integrity and recommends the publication of DID Documents with appropriate HTTP cache-control headers. For production systems requiring higher assurance of availability and censorship resistance, it is often used in conjunction with other, more persistent DID methods or through did:web-to-did:peer bridging techniques.
examples
DID WEB METHOD
Examples and Use Cases
The DID Web method enables decentralized identifiers to be resolved directly from a domain's well-known URI, making it a practical choice for web-native identity systems. These cards illustrate its core implementations and real-world applications.
01
Domain-Based Identity for Web Services
A common use case is for a company to host its own DID document at https://example.com/.well-known/did.json. This allows the company to use did:web:example.com as a verifiable, self-sovereign identifier for:
- Authenticating users to its web services without passwords.
- Signing software updates or official communications.
- Establishing secure, encrypted channels with partners using the public keys listed in the DID document.
02
Decentralized Social Media & Credentials
Platforms implementing the Verifiable Credentials data model can use did:web as an issuer identifier. For example, an educational institution at did:web:university.edu can issue digitally signed diplomas. Holders can then present these credentials to third parties (like employers) who verify the signature against the public keys in the university's published DID document, enabling trust without a central registry.
03
Secure API Access & Authentication
did:web is used in DID-based authentication protocols like OIDC SIOP (Self-Issued OpenID Provider) and Verifiable Presentations. A service provider can configure its system to accept logins from users who control a did:web. The authentication flow involves the user proving control of the private key corresponding to the public key in their DID document, enabling passwordless, phishing-resistant access.
04
Technical Implementation: Hosting a DID Document
To create a did:web, an entity publishes a DID Document as a JSON file on a web server under the .well-known path (e.g., /.well-known/did.json). The document must contain:
- The DID itself (
"id": "did:web:example.com"). - Public keys for verification and key agreement.
- Service endpoints for interaction, such as a linked domains service or a credential repository.
- Proper CORS headers to allow cross-origin fetch by verifiers and wallets.
05
Comparison with Other DID Methods
did:web differs from blockchain-anchored methods (like did:ethr or did:ion):
- No Blockchain: It relies on HTTPS and domain control, avoiding transaction fees and blockchain latency.
- Centralized Trust Point: Trust is anchored in the security of the domain and its TLS certificate, rather than a decentralized ledger.
- Ease of Deployment: Simpler to implement for organizations with existing web infrastructure. It is often chosen for closed ecosystems or enterprise pilots where the trust model aligns with existing web PKI.
security-considerations
DID WEB METHOD
Security Considerations
The DID Web method uses web domains as the foundation for decentralized identifiers, inheriting the security model of the existing web infrastructure. This creates unique security implications for key management, domain control, and privacy.
03
Privacy & Correlation Risks
Because the DID is derived from a domain, it can be inherently correlatable.
- Organizational DIDs: A company's DID (e.g.,
did:web:example.com) publicly associates all interactions with that entity. - User Sub-DIDs: User-specific DIDs under a domain (e.g.,
did:web:example.com:user:alice) can be tracked across services that use the same domain, potentially compromising user privacy unless carefully designed with pseudonymous subdomains.
04
Revocation & Compromise Recovery
Responding to a key compromise is a critical process:
- Immediate action: The domain controller must quickly replace the compromised DID document with a new one containing fresh public keys.
- Verifier caching: Relying parties may cache the old DID document, leading to acceptance of fraudulent signatures until their cache updates. The method lacks a built-in, real-time revocation notification system.
- Recovery mechanisms must be pre-defined in the DID document, such as multi-signature schemes or designated recovery controllers.
05
TLS/HTTPS Dependency
DID Web's security model assumes the integrity of the TLS certificate chain. A breach in this chain undermines the entire method.
- Risks include compromised Certificate Authorities (CAs) issuing fraudulent certificates for the domain.
- Verifiers must validate the TLS connection, ensuring the certificate is valid and matches the domain in the DID. This makes the method's security contingent on the Public Key Infrastructure (PKI) of the web.
06
Best Practices & Mitigations
To enhance security, implementers should:
- Use HTTP Signatures or Linked Data Proofs on the DID document itself to provide an additional layer of integrity verification beyond TLS.
- Employ key rotation policies and list multiple authentication keys in the DID document for redundancy.
- For high-value identities, consider using a Decentralized Identifier method with a more resilient underlying ledger (e.g., did:ethr, did:ion) or use DID Web as a delegation endpoint pointing to a more secure primary DID.
COMPARISON MATRIX
DID Web vs. Other DID Methods
A technical comparison of the DID Web method against other common DID method archetypes, focusing on deployment, governance, and trust assumptions.
| Feature | DID Web | DID:Key / DID:Peer | Verifiable Data Registry (VDR) Methods (e.g., did:ethr, did:ion) |
|---|---|---|---|
Decentralized Identifier (DID) Document Resolution | HTTP(S) request to a well-known URI on a web domain | Embedded in-line or derived from a cryptographic key pair | Query to a blockchain, sidechain, or overlay network (e.g., Ethereum, Bitcoin, Sidetree) |
Primary Trust Anchor / Verifiable Data Registry | Domain Name System (DNS) and Web PKI (TLS/SSL) | Direct cryptographic verification; no external registry | Underlying blockchain or decentralized network (consensus ledger) |
DID Creation / Registration Cost | Cost of domain registration and hosting | $0 (key generation only) | Network transaction fee (gas) or staking requirement |
DID Update / Deactivation Mechanism | Update/delete the hosted DID Document file | Not applicable (immutable) or requires new DID | Signed transaction submitted to the underlying ledger |
Inherent Decentralization of Registry | |||
Requires a Cryptocurrency Wallet | |||
Typical Use Case | Web-centric identity for organizations, SSO | Ephemeral or pairwise peer-to-peer interactions | Self-sovereign identity integrated with blockchain ecosystems |
W3C DID Specification Compliance |
ecosystem-usage
DID WEB METHOD
Ecosystem Usage and Adoption
The DID Web method leverages existing web infrastructure to create decentralized identifiers, enabling practical, low-barrier identity solutions for web applications and services.
02
Primary Use Cases
DID Web is commonly used for:
- Verifiable Credentials (VCs): Issuing and verifying credentials for login, attestations, and memberships.
- Decentralized Web Apps (dApps): Providing user-controlled authentication without centralized providers.
- API Access Control: Securing APIs by requiring DIDs and signed requests for authorization.
- Corporate and Organizational Identity: Entities use their domain to issue verifiable credentials for employees or services.
03
Advantages & Trade-offs
Advantages:
- Low Friction: Uses existing domain ownership and TLS certificates for trust.
- No New Infrastructure: No need for a blockchain or specialized resolver.
- Human-Readable: The DID string is directly tied to a recognizable domain.
Trade-offs:
- Centralization Point: Relies on the domain name system (DNS) and the security of the web host.
- Persistence: The identifier is only as persistent as the domain registration and hosting.
- Limited Decentralization: Compared to blockchain-based methods, it offers weaker censorship resistance.
04
Technical Workflow Example
- Create: A service at
alice.example.comcreates a DID document and publishes it athttps://alice.example.com/.well-known/did.json. - Resolve: A verifier resolves
did:web:alice.example.comvia an HTTP GET request to that URL. - Authenticate: Alice signs a challenge with her private key, corresponding to a public key in her DID document.
- Verify: The verifier fetches the DID document, checks the signature, and authenticates Alice.
06
Adoption & Real-World Projects
DID Web sees adoption where ease of deployment is critical:
- EU's eIDAS 2.0 Digital Identity Wallet: Exploring DID Web for credential issuance.
- Educational Credentials: Universities issuing verifiable diplomas under their
.edudomains. - Open Source Projects: Frameworks like Spruce ID's
didkitand Microsoft's ION (which can use DID Web as a sidetree anchoring option) support the method. - Enterprise SSO: Pilots for replacing traditional corporate identity providers with decentralized models.
DID WEB METHOD
Common Misconceptions
The DID Web method is a W3C standard for creating decentralized identifiers using web domains, but its simplicity often leads to confusion. This section clarifies its core mechanics, security model, and appropriate use cases.
A DID Web identifier is not decentralized in the same way as blockchain-based DIDs; it is a domain-based identifier that relies on the centralized control of a web domain and its TLS infrastructure. The decentralization is limited to the verifiable data registry, which is the target domain's .well-known directory. If the domain expires, is seized, or its TLS certificate is revoked, the DID and its associated verifiable credentials become unresolvable or untrustworthy. Its primary advantage is ease of implementation without requiring a blockchain, making it suitable for controlled environments like corporate identity systems, not for censorship-resistant applications.
DID WEB METHOD
Frequently Asked Questions (FAQ)
Decentralized Identifiers (DIDs) are a core component of Web3 identity. The `did:web` method is a practical and widely adopted standard for creating and resolving DIDs using existing web infrastructure. These questions address its core mechanics, use cases, and trade-offs.
The DID Web method (did:web) is a Decentralized Identifier (DID) specification that allows a DID to be created and resolved using standard web infrastructure, such as HTTPS and domain names. It works by hosting a DID document—a JSON-LD file containing public keys, service endpoints, and verification methods—at a well-known URL derived from the DID itself. For example, the DID did:web:example.com would resolve to the DID document hosted at https://example.com/.well-known/did.json. This method leverages the existing trust and security of the Domain Name System (DNS) and TLS certificates to provide a verifiable, self-sovereign identity without requiring a new blockchain or specialized decentralized network.
further-reading
DID WEB METHOD
Further Reading
Explore the technical specifications, foundational standards, and practical implementations of the DID Web method.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall