A Credential Definition is a public, on-chain schema that defines the structure, data types, and cryptographic commitments for a specific type of verifiable credential (VC) within a decentralized identity system, such as Hyperledger Indy or AnonCreds. It is published to a distributed ledger by an issuer and serves as the technical blueprint that all credentials of that type must follow. Crucially, it contains the issuer's public key for the credential type, enabling any verifier to cryptographically verify that a presented credential was issued by the claimed entity and has not been tampered with, without needing to contact the issuer directly.
LABS
Glossary
Credential Definition
A credential definition is a public, on-ledger schema in Hyperledger Indy that specifies the structure of a verifiable credential and the cryptographic commitments used for issuing and verifying zero-knowledge proofs.
Chainscore © 2026
definition
DECENTRALIZED IDENTITY
What is a Credential Definition?
A foundational component in verifiable credential systems that establishes the structure and trust rules for a specific type of credential.
The creation of a Credential Definition involves several key steps. First, the issuer generates a unique cryptographic key pair specifically for that credential type. The public key and its associated revocation registry configuration (if supported) are then anchored to a blockchain in a tamper-proof transaction. This process transforms a private schema—which only defines attribute names like "name" or "degreeDate"—into a publicly trusted definition. The on-chain record binds the issuer's identity (via their DID, or Decentralized Identifier) to the specific credential format, creating a reusable and globally referenceable trust anchor for all future credentials issued under that definition.
For verifiers, the Credential Definition is the critical piece of trust data. When receiving a verifiable credential, a verifier's agent fetches the corresponding Credential Definition from the ledger. Using the public key within it, the verifier can cryptographically verify the digital signature on the credential proof. This mechanism enables privacy-preserving verification, as the credential can be validated based on public blockchain data without querying the issuing authority. This decouples verification from issuer availability, a core tenet of self-sovereign identity (SSI).
Different credential systems implement this concept with varying terminology and technical details. In the W3C Verifiable Credentials Data Model, a similar role is played by a combination of the issuer's DID Document (which contains public keys) and the credential's JSON-LD context or JSON Schema. However, the AnonCreds-style Credential Definition is notable for its explicit, on-chain binding of a key to a specific schema, optimizing for the zero-knowledge proof capabilities of CL signatures. This design is particularly suited for selective disclosure, where a user can prove a claim (e.g., "I am over 21") without revealing the underlying data (their exact birth date).
In practice, a Credential Definition's ledger identifier (e.g., a schema ID combined with the issuer's DID) becomes a standard reference used across ecosystems. For example, a university might publish a "Bachelor of Science Degree" Credential Definition. Every digital diploma it issues references this single definition, allowing any employer or institution to instantly understand the credential's format and trust its authenticity. This system creates scalable, interoperable trust, reducing the need for bilateral agreements and manual background checks in digital interactions.
how-it-works
ANATOMY OF A VERIFIABLE CREDENTIAL
How a Credential Definition Works
A Credential Definition is the technical blueprint that enables the issuance and verification of cryptographically secure credentials on a decentralized identity network.
A Credential Definition is a public, on-chain record that binds a schema—which defines the data structure of a credential—to a specific issuer's cryptographic keys. This binding is the critical step that makes a credential verifiable. When an issuer creates a Credential Definition, they generate a unique public/private key pair, known as a revocation key, specifically for that credential type. The public portion of this key, along with a reference to the schema, is published to the ledger, creating an immutable link between the issuer's identity, the data format, and the cryptographic material needed for verification and revocation.
The primary function of a Credential Definition is to enable zero-knowledge proof verification. It provides the cryptographic parameters that allow a holder to prove they possess a valid credential from a known issuer without revealing the underlying attribute data. For example, a university's "Alumni Degree" Credential Definition would allow a graduate to prove they hold a degree from that institution, and that it has not been revoked, without disclosing their GPA or student ID. This process relies on the CL signature scheme, a form of BBS+ signatures, which the Credential Definition configures for a specific schema.
From a technical perspective, creating a Credential Definition is a transaction submitted to the distributed ledger (e.g., an Indy-based ledger or the AnonCreds Object Capability Ledger). This transaction contains the cred_def_id, a unique identifier derived from the issuer's DID, the schema ID, the signature type (e.g., CL), and the public key material (key_correctness_proof). Once written, this definition becomes the trusted root for all credentials of that type. Verifiers fetch the Credential Definition from the ledger to cryptographically verify any proof presented to them, ensuring the credential's integrity and origin.
A single schema can have multiple Credential Definitions associated with it, typically one per issuer. This allows different organizations to issue credentials with the same data structure (e.g., a "Driver's License" schema) while maintaining their own independent cryptographic authority and revocation registries. The Credential Definition model is foundational to SSI (Self-Sovereign Identity) architectures like Hyperledger Indy and AnonCreds, providing the mechanism for scalable, privacy-preserving, and interoperable digital trust.
key-features
ARCHITECTURE
Key Features of a Credential Definition
A Credential Definition is the core schema that dictates the structure, cryptographic proofs, and issuance rules for a verifiable credential on a blockchain. These features ensure credentials are interoperable, secure, and privacy-preserving.
01
Schema & Data Structure
The Credential Definition binds a Credential Schema—which defines the data fields, types, and constraints—to a specific Issuer. This creates a concrete, on-chain reference for the credential's format, ensuring all instances follow the same structure for interoperability. For example, a KYC Credential schema might define fields for fullName (string), dateOfBirth (date), and idHash (bytes32).
02
Issuer's Public Key Commitment
A core cryptographic component where the issuer commits their public key to the definition. This key is used to generate zero-knowledge proofs (like BBS+ signatures) that allow credential holders to prove possession without revealing the underlying data. The commitment is irrevocably linked to the definition on-chain, establishing non-repudiable provenance.
03
Revocation Registry Reference
The definition specifies the mechanism and location for checking credential status. It points to a Revocation Registry—a smart contract or accumulator—that the issuer updates to revoke credentials. This allows verifiers to check a credential's validity in real-time without contacting the issuer directly, a critical feature for compliance and security.
04
On-Chain Registration & DID Binding
The definition is published to a verifiable data registry (like a blockchain). It is cryptographically linked to the Issuer's Decentralized Identifier (DID), providing a globally resolvable, tamper-proof record of who created the definition and when. This creates a trust anchor in the system, allowing anyone to verify the definition's authenticity.
05
Support for Selective Disclosure
By design, credential definitions enable selective disclosure and predicate proofs. A holder can prove a statement about their credential (e.g., 'I am over 18') without revealing the credential's full contents (their exact birth date). This is a foundational privacy feature powered by the definition's cryptographic setup.
06
Type & Signature Specificity
The definition declares the exact signature type (e.g., CL signature, BBS+) and cryptographic parameters used. This technical specificity ensures that verifiers know precisely how to verify proofs generated from credentials issued under this definition, guaranteeing correctness across different wallets and verifier systems.
technical-details
TECHNICAL DETAILS AND COMPONENTS
Credential Definition
A Credential Definition is a core data structure in verifiable credential systems, such as those built on Hyperledger Indy or AnonCreds, that formally specifies the schema and cryptographic commitments for issuing a specific type of credential.
A Credential Definition is a public, on-ledger object that binds a Credential Schema to a specific Issuer's cryptographic keys. It is created when an issuer decides to issue credentials of a particular type, such as a university diploma or a driver's license. The definition contains the public key used for signing credentials and cryptographic commitments (like a CL signature public key) that enable the creation of zero-knowledge proofs. This ensures that credentials can be verified without revealing the underlying attribute values or the holder's identity, a process known as selective disclosure.
The creation of a Credential Definition is a critical, one-time setup step. It cryptographically commits the issuer to a specific schema version and key pair, preventing them from later altering the structure of issued credentials or repudiating their signatures. This object is published to a verifiable data registry, typically a distributed ledger, where it can be referenced by its unique identifier (credDefId). Verifiers use this public definition to cryptographically verify that a presented credential proof was issued by the authorized entity and conforms to the expected format.
Technically, a Credential Definition in the AnonCreds model includes several key components: a reference to the schema (schemaId), the type of signature scheme (e.g., CL), a tag for issuer-specific configuration, the public verification key, and a revocation registry identifier if the credential type supports revocation. This structure enables interoperability, as any party can fetch the definition from the ledger to understand the credential's format and verify proofs, forming the trust anchor for decentralized identity ecosystems.
examples
IMPLEMENTATION PATTERNS
Examples of Credential Definitions
A Credential Definition is a formal schema that defines the structure and cryptographic rules for a specific type of verifiable credential. These examples illustrate how the concept is implemented across different ecosystems.
VERIFIABLE CREDENTIALS
Credential Definition vs. Related Concepts
A comparison of the core data structure that defines a credential's schema with related concepts in decentralized identity systems.
| Feature / Purpose | Credential Definition | Credential Schema | Credential Offer | Verifiable Presentation |
|---|---|---|---|---|
Core Function | Binds a credential to a specific issuer and public key for verification. | Defines the data structure (attributes, types) for a class of credentials. | An issuer's proposal to issue a credential to a holder. | A holder's presentation of one or more credentials to a verifier. |
Created By | Issuer | Schema Author / Governance Body | Issuer | Holder |
Primary Data | Issuer DID, Schema ID, Public Key, Revocation Registry ID | Attribute names, data types, format constraints | Credential Preview, Issuer DID, Holder DID | Selected credentials, proof(s), presentation metadata |
Immutable on Ledger | ||||
Contains Private Data | ||||
Verification Reference | Used to cryptographically verify credential signatures. | Used to validate the structure of credential data. | Not used for verification; it's a pre-issuance message. | The object that is directly verified against definitions and schemas. |
Example (Simplified) | did:example:issuer#key-1 -> Schema XYZ | schema:name(string), dob(date), id(number) | "I offer you a Driver's License credential." | Presenting a Driver's License to a bartender. |
ecosystem-usage
CREDENTIAL DEFINITION
Ecosystem Usage and Standards
A Credential Definition is a critical component of decentralized identity systems, formally specifying the structure, issuer, and cryptographic commitments for a specific type of verifiable credential.
01
Core Components
A Credential Definition is a public, on-chain record that binds an issuer's cryptographic keys to a specific credential schema. It contains:
- Schema Reference: The unique identifier for the data structure (e.g.,
email,degree). - Issuer DID: The Decentralized Identifier of the credential's authorized issuer.
- Public Keys: The cryptographic keys (e.g., CL signatures) used to issue and verify credentials of this type.
- Revocation Registry ID: A reference to the mechanism for revoking issued credentials, if supported.
02
Role in Verifiable Credentials (VCs)
The Credential Definition acts as the trust anchor in the W3C Verifiable Credentials data model. When a verifier receives a credential, they use its referenced Credential Definition to:
- Authenticate the Issuer: Confirm the credential was signed by the authorized entity.
- Validate Structure: Ensure the credential data conforms to the expected schema.
- Check Revocation Status: Query the linked registry to confirm the credential is still valid. This decouples trust in the issuer's identity from trust in the specific credential type.
03
Implementation in Hyperledger Indy/Aries
In the Hyperledger Indy ecosystem, a Credential Definition (often called a cred_def) is written to the Indy Ledger. It is created by an issuer after a Schema is published. Key implementation details include:
- Use of CL (Camenisch-Lysyanskaya) signature schemes for selective disclosure and zero-knowledge proofs.
- Each
cred_defhas a unique identifier derived from the issuer's DID, schema ID, and signature type. - The Hyperledger Aries framework provides tooling for agents to create, publish, and resolve Credential Definitions during credential issuance flows.
04
Comparison with Schema
It's crucial to distinguish between a Schema and a Credential Definition.
- Schema: Defines the data model (attribute names and types). It is generic and can be reused by many issuers. Example: A
UniversityDegreeschema with attributesname,degree,year. - Credential Definition: Binds a specific issuer to a specific schema with their cryptographic keys. It makes the schema issuable. Example:
UniversityXYZcreates a Credential Definition to issue credentials against theUniversityDegreeschema. A schema is a template; a Credential Definition is an issuer's commitment to use that template.
05
Standards & Interoperability
Credential Definitions are governed by open standards to ensure ecosystem interoperability.
- W3C Verifiable Credentials Data Model: Provides the overarching conceptual framework.
- DIF (Decentralized Identity Foundation) Specifications: Groups like the Credential Manifest and Issuance WGs define how Credential Definitions are discovered and used.
- ANSI/INCTTS 499-202X: Emerging national standard for verifiable credentials in the US.
- ISO/IEC JTC 1/SC 27: International standards for security techniques, including parts relevant to credential cryptography.
06
Use Cases & Examples
Credential Definitions enable trust in decentralized applications:
- Education: A university issues digital diplomas using a Credential Definition linked to its official DID and a
DiplomaSchema. - Finance: A bank creates a Credential Definition for KYC/AML attestations, allowing customers to prove identity to third parties without re-submitting documents.
- Employment: A company issues proof-of-employment credentials, with a Credential Definition ensuring the credentials are verifiably from that specific employer.
- Healthcare: A clinic issues vaccination records via a defined credential type, enabling privacy-preserving verification.
security-considerations
CREDENTIAL DEFINITION
Security and Privacy Considerations
A Credential Definition is a cryptographic schema that defines the structure and verification rules for a specific type of verifiable credential. It is a foundational component of decentralized identity systems, enabling privacy-preserving verification.
01
Cryptographic Binding
A Credential Definition binds a credential schema to a specific issuer's public key (or decentralized identifier, DID). This cryptographic commitment ensures that any credential issued under this definition is verifiably signed by the authorized issuer. The definition includes the public key material and the CL signature scheme parameters, creating a unique, non-repudiable link between issuer identity and credential format.
02
Schema Integrity
The definition references a credential schema, which is a blueprint for the credential's data attributes (e.g., name, dateOfBirth, membershipStatus). By publishing the schema's hash on a verifiable data registry (like a blockchain), the Credential Definition guarantees the schema's immutability. This prevents an issuer from later changing the meaning or data types of the attributes without detection, ensuring long-term verifiability.
03
Selective Disclosure & Zero-Knowledge Proofs
Credential Definitions in advanced systems (e.g., based on BBS+ signatures) are engineered to support zero-knowledge proofs. This allows a holder to prove they possess a valid credential without revealing the credential itself or all its attributes. For example, a user can prove they are over 21 from a driver's license credential without disclosing their exact birth date or address. The definition's cryptographic parameters enable this privacy-preserving capability.
04
Revocation Registry Binding
For revocable credentials, the Credential Definition is linked to a revocation registry. This registry, often an accumulator or a list of revoked credential indices published on a blockchain, allows verifiers to check if a credential is still valid. The definition specifies the registry's identifier and type, creating a secure and auditable mechanism for status checks without the issuer learning about individual verification events.
05
Public Trust & Decentralized Issuance
Once published to a verifiable data registry (e.g., a permissioned blockchain like Indy or a public ledger), the Credential Definition becomes a public, non-forgeable artifact. It establishes a root of trust that any verifier can independently reference. This decentralizes trust by removing the need for verifiers to directly contact or know the issuer; they only need to trust the ledger's integrity and the definition's cryptographic proofs.
06
Key Rotation & Compromise Recovery
A critical security consideration is key management. If an issuer's private key is compromised, any credentials issued under the associated definition are at risk. Systems address this through defined key rotation protocols, where a new Credential Definition (with new public keys) is published. This necessitates a process for re-issuing credentials to holders, highlighting the operational security required for long-lived credential ecosystems.
CREDENTIAL DEFINITION
Common Misconceptions
Clarifying frequent misunderstandings about the foundational component of verifiable credentials, which defines the schema and issuer's public key for verification.
No, a Credential Definition is a public, on-chain schema and cryptographic commitment published by an issuer, while a Verifiable Credential is the private, holder-owned data instance that conforms to that definition. The definition acts as the public rulebook and verification key, whereas the credential is the personal, signed claim issued to a user. For example, a university publishes a Credential Definition for its diplomas; each graduate then receives a unique Verifiable Credential containing their specific degree data, signed with the key from that definition.
CREDENTIAL DEFINITION
Frequently Asked Questions
A Credential Definition is the core technical object in a verifiable credential system, defining the structure and cryptographic commitments for a specific type of credential. These questions address its purpose, creation, and role in decentralized identity.
A Credential Definition is a public, on-chain object that defines the structure and cryptographic commitments for a specific type of verifiable credential, enabling its issuance and verification. It works by binding a schema (which defines the data fields) to a specific issuer's cryptographic keys. The issuer publishes the definition, which includes a public key and a revocation registry reference, to a verifiable data registry like a blockchain. When the issuer later creates a credential for a holder, they cryptographically sign it using the private key linked to this definition. Verifiers can then use the public information in the Credential Definition to cryptographically verify the credential's authenticity and integrity without contacting the issuer.
further-reading
CREDENTIAL DEFINITION
Further Reading
A Credential Definition is the core, on-chain schema for a Verifiable Credential in an Indy-based decentralized identity system. Explore its components, related standards, and the ecosystem it enables.
02
Schema
The reusable template that defines the structure and data types for a set of credentials, created before the Credential Definition. It specifies the attribute names (e.g., name, degree, issueDate) but contains no cryptographic material.
- On-Chain Record: Stored on a distributed ledger (e.g., Hyperledger Indy, Sovrin).
- Immutability: Provides a consistent reference point for all issuers using that schema.
03
Revocation Registry
A critical component linked to a Credential Definition that allows an issuer to revoke issued credentials. It uses cryptographic accumulators to enable privacy-preserving revocation checks.
- Mechanism: Issuers publish revocation entries to a registry.
- Zero-Knowledge Proofs: Verifiers can check revocation status without learning which specific credential is being checked.
06
Zero-Knowledge Proofs (ZKPs)
Advanced cryptographic techniques that enable selective disclosure and predicate proofs using Verifiable Credentials. They allow a holder to prove they have a valid credential meeting certain criteria without revealing the underlying data.
- Example: Proving you are over 21 from a birthdate credential without revealing your actual birthdate.
- Enhanced Privacy: A key feature enabled by the cryptographic foundation of Credential Definitions.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall