Credential Wallet

A credential wallet serves as the user's primary interface for managing a Decentralized Identifier (DID) and its associated Verifiable Credentials (VCs). This enables self-sovereign identity (SSI), where users have full control over their personal data, deciding what to share, with whom, and for how long. Examples include:

• Storing a university-issued digital diploma.
• Holding a government-issued eID or driver's license.
• Proving age without revealing birthdate via a zero-knowledge proof.

Credential wallets are essential for accessing token-gated content, communities, and services. The wallet proves ownership of a specific NFT or fungible token required for entry. This is a core mechanism for:

• DAO membership and voting rights.
• Exclusive Discord servers or online forums.
• Private event ticketing and real-world experiences.
• Premium content subscriptions, where the token acts as a key.

In decentralized finance, credential wallets can store on-chain reputation and credit scores as verifiable credentials. This allows for undercollateralized lending and personalized financial products. Use cases include:

• Proving a history of successful loan repayments from protocols like Aave or Compound.
• Storing a credit score attestation from an oracle or scoring service.
• Enabling "proof-of-humanity" or Sybil resistance for fair airdrop distribution.

These wallets streamline the verification of professional qualifications and work history, reducing fraud. Organizations can issue tamper-proof credentials directly to a user's wallet.

• LinkedIn-style profiles with verified employment history.
• Open Badges for completed courses or certifications.
• Professional licenses (e.g., medical, engineering) issued by accredited bodies.
• Conference attendance proofs and speaker credentials.

Credential wallets can securely hold travel documents, enabling faster and more secure border control and hotel check-ins. This leverages W3C Verifiable Credentials standards for global interoperability.

• Digitally signed vaccination records or health passes.
• Biometric-linked travel credentials for airport e-gates.
• Hotel loyalty memberships and pre-verified booking details.

In the open-source and Web3 ecosystem, credential wallets can attest to a developer's contributions and skills. This creates a portable, verifiable reputation system.

• GitHub commit history attested by a platform.
• Bug bounty hunter credentials from security platforms like Immunefi.
• Protocol governance participation history.
• Smart contract auditor certifications.

A credential wallet acts as a secure digital vault for verifiable credentials (VCs). It allows users to:

• Securely store credentials issued by trusted entities.
• Organize different types of credentials (e.g., KYC status, educational diplomas, professional licenses).
• Manage selective disclosure, revealing only the necessary attributes for a given interaction.
• Control cryptographic keys required to prove ownership and validity of credentials.

Credential wallets are built on Decentralized Identifier (DID) standards (e.g., W3C DID). A DID is a user-controlled, globally unique identifier that is not dependent on a central registry. The wallet:

• Generates and manages the user's DIDs and their associated private keys.
• Uses DIDs to sign and present credentials, proving they originated from the wallet's owner.
• Enables interactions without relying on traditional usernames or centralized identity providers.

In DeFi, credential wallets enable on-chain identity and compliance without sacrificing user privacy. Examples include:

• Sybil Resistance: Proving unique personhood (e.g., via a World ID credential) to prevent airdrop farming.
• Credit Scoring: Presenting a verifiable credit history from a traditional institution to access undercollateralized loans.
• Regulatory Compliance (KYC): Selectively disclosing a verified identity credential to a protocol to access higher-tier services, without exposing raw personal data on-chain.

Credential wallets replace traditional login systems for passwordless, phishing-resistant access to web applications and physical spaces.

• Website Login: A user presents a verifiable credential from their wallet instead of a username/password.
• DAO Governance: Proving membership or reputation credentials to access gated forums or vote.
• Physical Access: Using a mobile wallet to present a credential (like a digital employee badge) to unlock a door.

Widespread adoption depends on interoperability, driven by open standards:

• W3C Verifiable Credentials Data Model: The foundational standard defining the structure of a VC.
• DIDComm: A secure, peer-to-peer messaging protocol for wallets to communicate (e.g., to receive an issuance offer).
• OpenID for Verifiable Credentials (OIDC4VC): A profile that integrates VCs into the widely-used OAuth 2.0 and OpenID Connect flows for web authentication.

Several projects and protocols are building credential wallet infrastructure:

• Ethereum Attestation Service (EAS): A public good for making attestations (credentials) on-chain, which can be held in compatible wallets.
• Veramo: An open-source framework for building credential wallets and DID agents.
• Spruce ID: Develops Sign-In with Ethereum and tools for decentralized identity, including credential wallets.
• WalletConnect: Extending its protocol to support credential presentation for dApp authentication.

The fundamental security model. A credential wallet's primary function is to securely store the private keys associated with a user's Decentralized Identifiers (DIDs). These keys are used to sign and present credentials. Security models include:

• User Custody: Keys are stored locally on the user's device (e.g., in a secure enclave).
• Cloud/Agent Custody: Keys are managed by a trusted cloud service or agent, requiring careful trust evaluation.
• Multi-Party Computation (MPC): Keys are split across multiple parties, removing a single point of failure.

A core privacy-preserving feature enabled by Verifiable Credentials. Instead of presenting an entire credential (e.g., a driver's license with name, address, DOB), the wallet can generate a cryptographic proof that only reveals specific, required claims.

Example: Proving you are over 21 by revealing only a birthDate > 2003-01-01 predicate, without disclosing the exact date or other personal details. This minimizes data exposure and limits correlation.

Security mechanism that cryptographically binds a credential to the wallet holder, preventing credential theft and misuse. When a credential is issued, it is linked to the holder's DID. To present it, the wallet must prove control of the corresponding private key via a digital signature.

This ensures that even if a credential's data is intercepted, it cannot be used by anyone other than the legitimate holder who controls the associated keys.

Wallets are high-value targets for attackers. Common threats include:

• Malicious Verification Requests: Fake QR codes or deep links that trick users into signing a transaction or disclosing credentials to a fraudulent verifier.
• Fake Wallet Apps: Malicious clones of legitimate wallet applications designed to steal keys and credentials.
• User Education Gap: The complexity of key management and signing prompts can lead to user error. Wallets must provide clear, unambiguous context for every signing request.

Secure handling of credential revocation is critical. Wallets must check the revocation status of a credential (e.g., via a revocation list or a status registry) before presenting it, ensuring outdated or compromised attestations are not used.

Privacy-preserving revocation methods, such as accumulators or zero-knowledge proofs, allow status checks without revealing which specific credential is being queried, protecting user privacy.

Security is not just technical but also systemic. Wallets operate within trust frameworks that define the rules for issuing, holding, and verifying credentials (e.g., W3C Verifiable Credentials Data Model).

Interoperability across different ecosystems requires the wallet to support multiple DID methods, signature suites (e.g., EdDSA, BBS+), and credential formats, all while maintaining a consistent security posture and user experience.

These are the three primary roles in the credential ecosystem, defining the flow of trust.

• Issuer: A trusted entity (university, government, DAO) that creates and signs Verifiable Credentials.
• Holder: The individual or entity (user) that receives and stores the credential in their wallet and controls its presentation.
• Verifier: A service (website, employer) that requests and cryptographically verifies the credential's validity and the holder's control over it.

A critical privacy-enhancing feature enabled by credential wallets and cryptographic proofs like Zero-Knowledge Proofs (ZKPs). It allows a holder to prove a specific claim from a credential without revealing the entire document. For example:

• Proving you are over 21 without revealing your exact birth date or address.
• Proving you have a credit score > 700 without showing the full report. This minimizes data exposure and reduces privacy risks.

A Verifiable Presentation is the package of data a holder submits from their wallet to a verifier. It is constructed by the wallet in response to a request and typically includes:

• One or more Verifiable Credentials (or derived proofs).
• A presentation proof that cryptographically demonstrates the holder's control over the associated DIDs.
• Optional holder binding to prove the presenter is the legitimate subject of the credentials. It is the final, verifiable output of the credential wallet's presentation process.