Free 30-min Web3 Consultation
Book Consultation
Smart Contract Security Audits
View Audit Services
Custom DeFi Protocol Development
Explore DeFi
Full-Stack Web3 dApp Development
View App Services
Free 30-min Web3 Consultation
Book Consultation
Smart Contract Security Audits
View Audit Services
Custom DeFi Protocol Development
Explore DeFi
Full-Stack Web3 dApp Development
View App Services
Free 30-min Web3 Consultation
Book Consultation
Smart Contract Security Audits
View Audit Services
Custom DeFi Protocol Development
Explore DeFi
Full-Stack Web3 dApp Development
View App Services
Free 30-min Web3 Consultation
Book Consultation
Smart Contract Security Audits
View Audit Services
Custom DeFi Protocol Development
Explore DeFi
Full-Stack Web3 dApp Development
View App Services
LABS
Glossary

JWT VC

A JWT VC is a W3C Verifiable Credential encoded in the JSON Web Token (JWT) format, creating a compact, URL-safe, and digitally signed credential.
Chainscore © 2026
definition
VERIFIABLE CREDENTIALS

What is JWT VC?

JWT VC is a technical standard for representing and exchanging cryptographically secure digital credentials, using the widely adopted JSON Web Token (JWT) format.

A JWT Verifiable Credential (JWT VC) is a digital, machine-verifiable attestation issued by an issuer to a holder, encoded as a JSON Web Token. It is a specific implementation of the W3C Verifiable Credentials Data Model, where the credential's claims and metadata are packaged into a signed JWT structure. This format provides a compact, URL-safe means of representing claims that can be digitally verified by any verifier possessing the issuer's public key, ensuring the credential's authenticity and integrity.

The structure of a JWT VC follows the standard JWT components: a header specifying the token type and cryptographic algorithm, a payload containing the credential subject's claims and VC-specific metadata (like @context, type, and issuer), and a signature created by the issuer. This signature is the core of its verifiability, binding the credential data to the issuer's cryptographic key. Common signing algorithms include EdDSA (like Ed25519) and ES256K, aligning with decentralized identity systems.

JWT VCs are a foundational technology for Decentralized Identity (DID) and Self-Sovereign Identity (SSI) ecosystems. They enable portable, user-controlled credentials that can be presented for access control, KYC processes, or proof of qualifications without relying on a central database. Their interoperability stems from the universal support for JWT libraries across programming languages and platforms, making them a pragmatic choice for integrating verifiable credentials into existing web and mobile applications.

When a holder presents a JWT VC to a verifier—often as part of a Verifiable Presentation (VP), which can also be a JWT—the verifier performs several checks. These include validating the JWT signature against the issuer's DID document, checking for revocation status (e.g., via a revocation list), and ensuring the credential has not expired. This process allows for trustless verification, where the verifier need only trust the issuer's public key, not a centralized intermediary.

Compared to other VC formats like JSON-LD Signatures (LD-Proofs), JWT VCs offer simplicity and computational efficiency but with less inherent semantic interoperability. They are best suited for use cases requiring straightforward claim structures and high-performance verification. The standard is formally defined in the W3C VC-JWT specification, ensuring consistency across implementations and promoting their adoption for digital driver's licenses, employee badges, and educational certificates.

how-it-works
VERIFIABLE CREDENTIALS

How JWT VC Works

JWT VC is a W3C-compliant format for creating and exchanging cryptographically secure digital credentials, using the widely adopted JSON Web Token standard as its container.

A JWT Verifiable Credential (JWT VC) is a W3C Verifiable Credential encoded as a JSON Web Token (JWT). This format leverages the JWT's established structure—a header, payload, and signature—to package credential data, metadata, and proof. The issuer (e.g., a university) cryptographically signs the JWT, creating a verifiable data integrity proof. This signature, typically using Elliptic Curve Digital Signature Algorithm (ECDSA) or EdDSA, allows any verifier to confirm the credential's authenticity and that it hasn't been altered since issuance.

The core data resides in the JWT's payload, which contains the credential subject (the holder's identifier, often a Decentralized Identifier (DID)), the issuer's DID, the issuance date, and the credential claims themselves (e.g., "degree":"Bachelor of Science"). This payload is wrapped within the standard JWT VC structure defined by the W3C, ensuring interoperability. The resulting signed JWT is then presented by the holder to a verifier. The verifier's process involves decoding the JWT, checking the issuer's signature against their public key (resolved from their DID), and validating the credential's status and expiration.

A key advantage of the JWT VC format is its compatibility with existing web infrastructure, as JWTs are natively supported by many libraries and APIs. It is often paired with JWT Verifiable Presentations (JWT VP), where a holder can present one or more VCs, optionally adding their own signature for holder binding. This mechanism is fundamental to Self-Sovereign Identity (SSI) architectures and decentralized trust models, enabling selective disclosure of attributes without relying on a central database for verification.

key-features
TECHNICAL PRIMER

Key Features of JWT VC

A JSON Web Token Verifiable Credential (JWT VC) is a compact, URL-safe format for representing claims that can be cryptographically verified. This section details its core technical attributes and design principles.

01

Compact Serialization

JWT VCs use a highly compact serialization format, consisting of a Header, Payload, and Signature, separated by dots (e.g., xxxxx.yyyyy.zzzzz). This structure is:

  • URL-safe: Can be transmitted in HTTP headers, query parameters, or QR codes.
  • Space-efficient: Minimizes data overhead compared to JSON-LD-based VCs, making it ideal for mobile and low-bandwidth environments.
  • Widely Supported: Leverages the mature JWT ecosystem with libraries available in virtually every programming language.
02

Standardized Proof Mechanism

The integrity and authenticity of a JWT VC are secured by a JSON Web Signature (JWS). This provides a standardized proof mechanism where:

  • The issuer signs the JWT's header and payload using a private key.
  • The verifier validates the signature using the issuer's public key, typically resolved via a Decentralized Identifier (DID).
  • The proof is cryptographically bound to the credential data, ensuring it cannot be altered without detection. This mechanism is defined in the IETF RFC 7515 and RFC 7519 standards.
03

Selective Disclosure

While a basic JWT VC is disclosed in its entirety, the format can be extended to support Selective Disclosure. This allows a holder to reveal only specific claims from a credential without exposing the entire document. Common implementations include:

  • SD-JWT (Selective Disclosure JWT): Uses hashed claim values and disclosure arrays to enable unlinkable, piecewise revelation of data.
  • Zero-Knowledge Proofs (ZKPs): Advanced schemes can prove statements about claims (e.g., 'age > 21') without revealing the underlying data. This is crucial for privacy-preserving verification.
04

Interoperability & W3C Compliance

JWT VC is a conformance profile of the W3C Verifiable Credentials Data Model. This ensures semantic interoperability by mapping JWT claims to standardized VC properties:

  • The vc claim contains the credential metadata and claims data as a JSON object.
  • The iss (issuer) and sub (subject) claims map directly to the VC's issuer and holder identifiers.
  • This design allows JWT VCs to be used seamlessly in ecosystems that also support JSON-LD VCs, as the underlying data model is consistent.
05

Stateless Verification

A key architectural feature is stateless verification. A verifier can validate a JWT VC without querying the issuer or a centralized registry in real-time. Validity is determined by:

  1. Cryptographic Signature: Verifying the JWS signature against the issuer's public key.
  2. Claim Validation: Checking standard JWT claims like exp (expiration) and nbf (not before).
  3. Credential Status: Optionally checking a status list (e.g., a signed JSON file) if revocation is required. This enables offline-capable, scalable verification workflows.
06

Common Use Cases & Examples

JWT VCs are deployed in scenarios requiring portable, verifiable claims. Typical examples include:

  • Digital Driver's Licenses (mDL): The ISO 18013-5 standard for mobile driver's licenses uses a JWT-based data structure for presentation.
  • Employee Badges & Access Credentials: Issued by corporations for accessing physical facilities or SaaS applications.
  • Educational Certificates: Universities issuing digitally signed diplomas that can be instantly verified by employers.
  • KYC/AML Attestations: Financial institutions issuing reusable proof-of-identity credentials to customers.
jwt-structure
VERIFIABLE CREDENTIAL FORMAT

JWT VC Structure

An explanation of the JSON Web Token (JWT) encoding for W3C Verifiable Credentials, detailing its compact, self-contained structure and cryptographic proofs.

The JWT VC structure is a specific encoding of a W3C Verifiable Credential (VC) using the compact, URL-safe JSON Web Token (JWT) format, defined in the W3C VC Data Model JWT representation. In this structure, the credential's core claims—such as iss (issuer), sub (subject), vc (the credential data), and nbf (valid from)—are packaged into a JSON object, which is then cryptographically signed to produce a JWT. This creates a self-contained, proof-carrying token where the signature serves as the cryptographic proof, enabling verification without querying the issuer's backend.

The anatomy of a JWT VC consists of three Base64Url-encoded segments separated by dots: the Header, Payload, and Signature. The Header specifies the token type (JWT) and the signing algorithm (e.g., EdDSA or ES256K). The Payload contains the actual Verifiable Credential claims. The Signature is generated by signing the encoded Header and Payload, binding them together. This structure is inherently portable and suitable for HTTP headers or QR codes, making it a common choice for OpenID Connect Verifiable Credentials (OIDC4VC) and other stateless, bearer-token authentication flows.

A key advantage of the JWT VC format is its selective disclosure capability when combined with JSON Web Proof (JWP) or SD-JWT (Selective Disclosure for JWTs). These extensions allow the holder to reveal only specific claims from the credential while still providing a valid cryptographic proof, enhancing privacy. However, a limitation is that the credential data is opaque when encrypted; the structure itself does not natively support zero-knowledge proofs on the plaintext claims, a feature more inherent to Linked Data Proof (LDP) formats.

When a verifier receives a JWT VC, the verification process involves decoding the token, validating the JWT signature using the issuer's public key (often resolved via a DID in the iss claim), and then checking the contained VC data for validity and expiration. The vc claim within the payload is a JSON object conforming to the W3C VC data model, containing the credentialSubject, issuanceDate, and optional credentialSchema. This dual-layer structure—JWT wrapper and VC payload—provides a standardized method for interoperability across systems that already support JWT libraries.

In practice, the JWT VC structure is contrasted with the Linked Data Proof (LDP) format. While LDPs sign the credential's JSON-LD normalized data, embedding the proof directly within the credential JSON, JWT VCs are a detached proof format where the signature envelope is separate. The choice between them often depends on ecosystem requirements: JWT is favored for its library support and compactness in API-driven environments, whereas LDP is preferred for semantic web compatibility and advanced ZKP (Zero-Knowledge Proof) use cases. Both are valid representations per the W3C standard.

ecosystem-usage
JWT VC

Ecosystem Usage & Standards

JWT VC is a W3C standard for encoding Verifiable Credentials (VCs) as JSON Web Tokens (JWTs), providing a compact, widely-supported format for decentralized identity claims.

01

Core Specification

The JWT VC Data Model defines how to map W3C Verifiable Credential properties into a JWT's payload. The credential subject's claims are placed in the vc claim object, and the JWT signature provides cryptographic proof, fulfilling the VC's proof requirement. This creates a self-contained, digitally-signed package of claims.

02

Key Advantages

  • Compactness: A single, base64url-encoded string is easy to transmit in URLs, HTTP headers, or QR codes.
  • Tooling Ubiquity: Leverages the massive existing ecosystem of JWT libraries in nearly every programming language.
  • Protocol Compatibility: Naturally fits into OAuth 2.0 and OpenID Connect (OIDC) flows, enabling SIOP (Self-Issued OpenID Provider) and OIDC4VP.
03

Typical Use Cases

  • Sign-In with Ethereum (SIWE): Often uses JWT VCs to deliver authenticated user profiles.
  • Selective Disclosure: Protocols like SD-JWT (Selective Disclosure JWT) allow holders to reveal only specific claims from a credential.
  • API Access: Presenting a JWT VC as a bearer token for authorized access to web services, proving a specific attribute (e.g., KYC status).
04

Structure & Verification

A JWT VC has three parts: Header (specifying alg and typ), Payload (containing the vc object, issuer, subject, and expiration), and Signature. A verifier must:

  1. Validate the JWT signature using the issuer's public key.
  2. Check standard JWT claims (e.g., exp, iss).
  3. Parse the vc object to enforce the credential's specific business logic.
05

SD-JWT for Selective Disclosure

Selective Disclosure JWT (SD-JWT) is a critical extension to the base JWT VC format. It allows a holder to cryptographically prove individual claims from a larger credential without revealing the entire document. This is achieved through hash digests of claim values and optional Key Binding JWT (KB-JWT) to prevent token replay.

06

Related Standards

  • W3C Verifiable Credentials Data Model v2.0: The overarching data model that JWT VC implements.
  • OpenID for Verifiable Credentials (OIDC4VC): A suite of protocols using JWT VCs for issuance (OIDC4VCI) and presentation (OIDC4VP).
  • JOSE (JSON Object Signing and Encryption): The foundational suite (RFCs 7515-7519) defining JWS, JWE, JWK, and JWA that JWT VC relies upon.
COMPARISON

JWT VC vs. Other VC Formats

A technical comparison of Verifiable Credential (VC) representation formats based on core protocol specifications.

Feature / CharacteristicJWT VC (RFC 7519)SD-JWT VC (IETF SD-JWT)Data Integrity VC (LD-Proofs)

Primary Encoding

Compact Serialization (Base64URL)

Selective Disclosure JWT

JSON-LD (RDF Dataset)

Cryptographic Proof

JWS (JSON Web Signature)

JWS with Disclosed Claims

Linked Data Proofs (e.g., Ed25519Signature2020)

Selective Disclosure

Schema Binding

Implicit via JWT claims

Explicit via _sd digests

Explicit via JSON-LD context

Verifier Complexity

Low (Standard JWT libraries)

Medium (SD-JWT processing)

High (JSON-LD canonicalization)

Standardization Body

IETF (RFC 7519)

IETF (Internet Draft)

W3C (Verifiable Credentials Data Model)

Typical Use Case

API authentication, simple claims

Identity credentials, privacy-preserving sharing

Interoperable semantic data, complex graphs

security-considerations
JWT VC

Security & Implementation Considerations

JSON Web Token Verifiable Credentials (JWT VCs) are a W3C-standardized format for encoding claims. While offering interoperability, they introduce specific security and architectural tradeoffs that implementers must address.

01

Signature & Key Management

The core security of a JWT VC relies on the JSON Web Signature (JWS) applied by the issuer. Critical considerations include:

  • Key Lifecycle: Secure generation, storage, and rotation of the issuer's private key.
  • Algorithm Choice: Selecting cryptographically secure signing algorithms (e.g., EdDSA, ES256K) and avoiding deprecated ones like none or HS256.
  • Proof-of-Control: The holder must prove control of the private key corresponding to the sub (subject) public key to generate a valid Verifiable Presentation.
02

Credential Status & Revocation

JWT VCs are bearer tokens by default, requiring explicit mechanisms to invalidate them. Common patterns include:

  • Status List 2021: Embedding a bitstring status list in a separate JWT VC, where a bit position indicates revocation.
  • OAuth 2.0 Token Introspection: Treating the VC JWT as an access token and checking its status via an authorization server API.
  • Short Expiry Times: Using a short exp claim to limit credential lifetime, forcing frequent re-issuance.
03

Selective Disclosure Limitations

Unlike BBS+ signatures used in other VC formats, standard JWT signatures do not natively support cryptographic selective disclosure. To reveal only specific claims:

  • Token Transformation: The holder must create a new, derived JWT with only the disclosed claims, which requires re-signing with their key (a Verifiable Presentation).
  • Blind Issuance: Requires custom extensions, as the base JWT spec does not support issuing signatures on hidden messages. This can impact privacy-preserving use cases.
04

Audience & Replay Attack Mitigation

The JWT aud (audience) claim is crucial for ensuring a credential presented to one verifier is not replayed to another. Implementers must:

  • Validate Audience Strictly: The verifier must check that the aud claim matches its own identifier.
  • Use Unique Nonces: The verifier should provide a challenge nonce that the holder must include in the presentation JWT (jti or nonce claim) to prevent replay within the session.
  • Bind to Session: Link the presented VC to the specific authentication session or DID of the holder.
05

Schema Validation & Claim Integrity

The vc claim object within the JWT payload must be rigorously validated.

  • Credential Schema: Use the credentialSchema property to link to a JSON Schema or similar definition for structural validation of claims.
  • Context Integrity: Ensure the @context includes the correct W3C Verifiable Credentials contexts to define the semantic meaning of terms.
  • Claim Parsing: Safely handle nested objects and potential JSON injection when parsing the JWT payload to avoid interpretation errors.
06

DID Method & Resolver Dependencies

JWT VCs often use Decentralized Identifiers (DIDs) in the iss and sub fields. This introduces external dependencies:

  • Resolver Performance & Availability: The verifier must resolve the issuer's DID document to fetch their public key. This requires a reliable, secure DID resolver.
  • Method-Specific Risks: Security depends on the chosen DID method (e.g., did:web, did:key, did:ethr). Each has different trust assumptions regarding key rotation, revocation, and governance.
  • Cache Strategies: Implement caching of DID documents with appropriate TTLs to balance performance with key freshness.
JWT VERIFIABLE CREDENTIALS

Frequently Asked Questions (FAQ)

JWT Verifiable Credentials (JWT VCs) are a widely adopted format for creating, issuing, and verifying digital credentials on the web. This FAQ addresses common technical questions about their structure, security, and role in decentralized identity systems.

A JWT Verifiable Credential is a digital credential formatted as a JSON Web Token (JWT) that conforms to the W3C Verifiable Credentials Data Model. It is a cryptographically signed JSON object containing claims about a subject (e.g., a person or entity) that can be independently verified by any party. The JWT format provides a compact, URL-safe means of representing claims to be transferred between two parties, with its signature ensuring data integrity and authenticity of the issuer. This makes JWT VCs a core component of Self-Sovereign Identity (SSI) and decentralized identity architectures, enabling portable, user-controlled credentials.

ENQUIRY

Get In Touch
today.

Our experts will offer a free quote and a 30min call to discuss your project.

NDA Protected
24h Response
Directly to Engineering Team
10+
Protocols Shipped
$20M+
TVL Overall
NDA Protected Directly to Engineering Team