Verifiable Credentials (VCs) are a W3C standard for creating tamper-evident digital credentials that can be cryptographically verified. Unlike traditional paper certificates, VCs allow an issuer (e.g., a licensing board) to issue a credential to a holder (an investigator), who can then present proof of that credential to a verifier (a court or client) without revealing unnecessary personal data. This model shifts control of identity data from centralized databases to the individual, enhancing privacy and portability. In the context of investigator accreditation, VCs can represent licenses, training certifications, or case clearance credentials.
LABS
Guides
Setting Up a Verifiable Credential System for Investigator Accreditation
A developer tutorial for implementing a cryptographically secure system for issuing, holding, and verifying investigator qualifications and site readiness credentials.
Chainscore © 2026
introduction
VERIFIABLE CREDENTIALS
Introduction
This guide explains how to build a decentralized accreditation system for investigators using verifiable credentials, zero-knowledge proofs, and on-chain verification.
The core components of a VC system are the Issuer, Holder, and Verifier. The Issuer signs a credential containing claims (e.g., "licenseType": "Private Investigator", "expiry": "2025-12-31") using their private key. The Holder stores this credential in a digital wallet. When proof is required, the Holder creates a Verifiable Presentation, which may use zero-knowledge proofs (ZKPs) to selectively disclose information. For instance, an investigator could prove they hold a valid license without revealing its serial number or issuance date, a principle known as data minimization.
To make these credentials trustless and universally verifiable, we anchor them to a blockchain. The Issuer's public key (DID) and the credential's schema can be registered on-chain, providing a decentralized trust registry. Smart contracts act as verifiers, checking the credential's cryptographic signature and its revocation status against an on-chain registry. This eliminates reliance on a central authority for verification. For our system, we'll use Ethereum for the trust anchor and IPFS for storing credential schemas and optional off-chain data, ensuring the system is both transparent and scalable.
This guide provides a technical walkthrough for developers to implement such a system. We will cover: creating Decentralized Identifiers (DIDs) for issuers, defining credential schemas using JSON-LD, issuing signed VCs, implementing ZK-SNARKs for selective disclosure via circuits written in Circom, and writing a Solidity verifier contract. The final system will allow an investigator to generate a proof of accredited status that can be verified on-chain with a single function call, enabling decentralized background checks and compliance automation.
By the end of this tutorial, you will have a functional prototype for a self-sovereign accreditation system. This has direct applications in legal tech, regulatory compliance, and professional licensing, moving beyond vulnerable paper-based processes to a secure, interoperable, and user-centric model. The code examples will use established libraries like did:ethr, jsonld-signatures, and snarkjs to ensure production-ready practices.
prerequisites
FOUNDATIONAL SETUP
Prerequisites and System Architecture
This guide details the technical and architectural prerequisites for building a decentralized, verifiable credential system to accredit investigators, ensuring trust and auditability without a central authority.
A verifiable credential (VC) system for investigator accreditation replaces a centralized certificate database with a decentralized trust model. The core components are the issuer (the accrediting body), the holder (the investigator), and the verifier (an entity checking the credential). Credentials are cryptographically signed statements stored in a holder's digital wallet, not on a central server. This architecture provides self-sovereign identity, where the investigator controls their own credentials and can present them for verification without contacting the original issuer. The system's integrity relies on Decentralized Identifiers (DIDs) and W3C Verifiable Credentials standards.
Before development, you must establish the technical prerequisites. Your stack will need a blockchain or decentralized network to anchor DIDs and credential status. Options include Ethereum for its robust smart contract ecosystem, Polygon for lower costs, or Hyperledger Indy/Aries frameworks built specifically for identity. You will also need a credential wallet for holders, such as Trinsic, Veramo, or a custom solution using React Native or Flutter. Development requires familiarity with JSON-LD or JWT credential formats, public-key cryptography, and a backend language like Node.js or Python for issuer/verifier logic.
The system architecture consists of several key layers. The Identity Layer manages DIDs, which are created on-chain and resolve to DID Documents containing public keys. The Credential Layer handles the issuance, holding, and presentation of VCs using protocols like OIDC4VP or WACI-DIDComm. The Verification Layer includes smart contracts or services that check credential proofs, signatures, and revocation status via a revocation registry (e.g., a smart contract or a verifiable data registry). A critical design choice is whether to use zero-knowledge proofs (ZKPs) for selective disclosure, allowing an investigator to prove accreditation without revealing extraneous personal data.
For the accreditation use case, the credential schema must be carefully defined. A sample credential subject in JSON-LD format would include fields like accreditationId, investigatorName, accreditingBody, issueDate, expiryDate, specialization, and credentialLevel. The issuer's DID signs this schema, creating an immutable link. You must also implement a revocation mechanism. A common pattern uses a smart contract as a revocation registry where the issuer can update a bitmask; verifiers check this registry status during the presentation process to ensure the credential is still valid.
Finally, consider the integration points and security. The system must interface with existing investigator management portals for issuance and with third-party platforms (like court evidence systems) for verification. Secure key management for issuer signing keys is paramount, often requiring Hardware Security Modules (HSMs). All network interactions should use TLS 1.3, and wallet apps must implement secure storage for private keys. By establishing this architecture, you create a system where investigator credentials are tamper-evident, privacy-respecting, and independently verifiable by any party in the ecosystem.
key-concepts
IMPLEMENTATION GUIDE
Core Concepts: W3C Verifiable Credentials & DIDs
Build a decentralized accreditation system for investigators using the W3C's open standards for digital identity and attestations.
01
Understanding the W3C VC Data Model
The W3C Verifiable Credentials Data Model v2.0 is the foundation. A VC is a tamper-evident credential with a standard JSON-LD structure. It includes:
- Issuer: The entity creating the credential (e.g., an accreditation board).
- Holder: The subject receiving the credential (the investigator).
- Verifier: The party checking the credential's validity.
- Credential Subject: The claims being made (e.g.,
"accreditationType": "Financial Crimes"). - Proof: A cryptographic signature linking the credential to the issuer's DID.
03
Implementing Credential Status with Revocation
Accreditations can be suspended or revoked. The StatusList2021 specification is the modern standard for revocation. Instead of checking a centralized database, verifiers check a bitstring status list issued as a VC itself.
Implementation Steps:
- The issuer creates a StatusList2021Credential containing a 16KB compressed bitstring.
- Each accredited investigator is assigned a unique index in this list (0 = valid, 1 = revoked).
- The issuer's credential includes a
credentialStatusproperty pointing to this list and the holder's index. - Verifiers fetch and parse the status list VC to check the bit at the specified index.
05
Designing the Presentation & Verification Flow
Holders (investigators) must present their credentials to verifiers. Use the Verifiable Presentation data model, which bundles one or more VCs.
Key Considerations:
- Selective Disclosure: Use Data Integrity Proofs (like BBS+) or JSON Web Tokens (JWTs) to allow holders to reveal only specific claims (e.g., prove accreditation without revealing a personal ID number).
- Challenge-Response: Verifiers should send a cryptographic nonce to prevent replay attacks.
- VP Verification Steps: The verifier's code must: 1) Verify the VP's proof, 2) Verify the proof of each embedded VC, 3) Check the
credentialStatus, and 4) Validate the issuer's DID is trusted.
06
Deployment & Trust Establishment
A live system requires operational decisions:
- Issuer DID Publication: Publish your issuer's DID Document to its method's ledger (e.g., Ethereum for
did:ethr). - Trust Registry: Maintain a public list of authorized issuer DIDs. This can be a simple smart contract or a signed VC itself.
- Key Management: Use
veramokey manager or cloud HSM services to securely store the issuer's private keys. Never store keys in environment variables in production. - Credential Storage: Holders store VCs in a digital wallet. Consider integrating with w3m or SSI Snap for user-friendly custody.
implementation-steps
TUTORIAL
Implementation Steps: Issuer, Holder, Verifier
A step-by-step guide to building a decentralized accreditation system using Verifiable Credentials (VCs) for investigators.
A Verifiable Credential system for investigator accreditation involves three core roles: the Issuer (accrediting body), the Holder (investigator), and the Verifier (client or platform). The workflow begins with the Issuer creating a credential, which the Holder stores in a digital wallet. The Verifier can then request and cryptographically verify this credential without contacting the Issuer, enabling trustless proof of qualifications. This tutorial uses the W3C Verifiable Credentials Data Model and common cryptographic standards like JSON Web Tokens (JWT) and Decentralized Identifiers (DIDs).
1. The Issuer: Creating the Credential
The Issuer's first step is to establish its identity on a blockchain or decentralized network by creating a Decentralized Identifier (DID) and its associated cryptographic keys. Using a library like did-jwt-vc, the Issuer can then create a signed credential. The credential is a JSON object containing the investigator's claims (e.g., "accreditationType": "Certified Fraud Examiner", "issueDate": "2024-01-15"), the Issuer's DID, and a digital signature. This creates an immutable, tamper-proof attestation of the holder's status.
javascript// Example: Issuer creates a signed VC (using did-jwt-vc) const vcPayload = { sub: 'did:ethr:0xHolderAddress...', // Holder's DID vc: { '@context': ['https://www.w3.org/2018/credentials/v1'], type: ['VerifiableCredential', 'InvestigatorAccreditationCredential'], credentialSubject: { id: 'did:ethr:0xHolderAddress...', accreditationId: 'CFE-2024-001', accreditedUntil: '2025-12-31' } } }; const vcJwt = await createVerifiableCredentialJwt(vcPayload, issuerSigner);
2. The Holder: Receiving and Storing Credentials
The Holder (investigator) must also have a DID and a secure digital wallet capable of storing VCs, such as a mobile app or browser extension. Upon receiving the signed vcJwt from the Issuer, the Holder stores it locally. The wallet manages the Holder's private keys and presents credentials only upon the Holder's explicit consent. When a Verifier requests proof, the Holder does not send the raw credential. Instead, they create a Verifiable Presentation—a wrapper that can selectively disclose information and is also cryptographically signed by the Holder, proving control of their DID.
3. The Verifier: Requesting and Validating Proof
The Verifier's role is to request specific credentials and verify their authenticity. This involves sending a Presentation Request (e.g., using the Decentralized Identity Foundation's Presentation Exchange format) specifying the required credential type and constraints. Upon receiving the Holder's Verifiable Presentation, the Verifier performs several checks: verifying the signatures of both the Issuer and the Holder against their public DIDs, checking the credential's status (e.g., against a revocation list), and ensuring it has not expired. Libraries like did-jwt-vc provide verification functions that handle this process.
javascript// Example: Verifier validates a received VP JWT const verificationResult = await verifyVerifiablePresentation( vpJwt, // The presented JWT from the Holder { resolver: didResolver, // To fetch Issuer and Holder DID Docs policies: { issuanceDate: true, expirationDate: true, revocationCheck: 'https://issuer.com/revocation-list' } } ); if (verificationResult.verified) { // Grant investigator access }
For production systems, consider key management, credential revocation using status lists, and interoperability standards like DIDComm for secure messaging. Open-source frameworks like Veramo or Microsoft's ION for Sidetree-based DIDs can accelerate development. This architecture eliminates centralized databases of credentials, putting individuals in control of their professional identity while enabling instant, cryptographic verification for third parties.
INVESTIGATOR ACCREDITATION
Designing Credential Schemas for Clinical Data
A technical guide for developers implementing a verifiable credential system to manage and verify the professional accreditation of clinical trial investigators on-chain.
A credential schema is a formal, machine-readable template that defines the structure and data types for a verifiable credential. It acts as a blueprint, specifying the required and optional claims (e.g., licenseNumber, accreditingBody, expiryDate). In a decentralized system like W3C Verifiable Credentials, schemas are essential for interoperability and data integrity. They ensure all credentials issued for "Investigator Accreditation" contain the same core fields, allowing verifiers (like trial sponsors or regulatory portals) to parse and validate them automatically without manual interpretation. Without a schema, credentials are just unstructured JSON, making automated trust impossible.
IMPLEMENTATION OPTIONS
DID Method & VC Library Comparison
Comparison of popular DID methods and Verifiable Credential libraries for building an accreditation system.
| Feature / Metric | did:ethr (Ethereum) | did:key (Decentralized) | did:web (Centralized) |
|---|---|---|---|
Underlying Technology | Ethereum Smart Contracts | Public Key Cryptography | HTTPS Web Domain |
Decentralization Level | High (Permissionless) | High (No Registry) | Low (Centralized Issuer) |
VC Library Support | |||
Typical Issuance Cost | $2-10 (Gas Fee) | $0 (No Gas) | $0 (No Gas) |
Revocation Mechanism | On-chain Registry | Status List 2021 | Status List 2021 |
Suitable for Production | |||
Development Complexity | Medium-High | Low | Low |
Recommended Library | Veramo | DIDKit | Transmute |
privacy-considerations
PRIVACY, SELECTIVE DISCLOSURE, AND ZERO-KNOWLEDGE PROOFS
Setting Up a Verifiable Credential System for Investigator Accreditation
A technical guide to implementing a privacy-preserving accreditation system using verifiable credentials and zero-knowledge proofs for investigators.
Verifiable Credentials (VCs) are a W3C standard for creating tamper-evident digital credentials that can be cryptographically verified. For investigator accreditation, a VC acts as a digital attestation issued by a trusted authority (e.g., a regulatory body) that contains claims about the investigator's identity, qualifications, and certification status. Unlike a simple PDF certificate, a VC is a JSON-LD or JWT-based data structure signed with the issuer's private key, enabling anyone to verify its authenticity and integrity without contacting the issuer directly. This forms the foundation for a decentralized trust model.
The core privacy challenge is enabling selective disclosure. An investigator might need to prove they are accredited without revealing their full name, date of birth, or credential serial number. Zero-Knowledge Proofs (ZKPs), specifically zk-SNARKs or zk-STARKs, solve this. They allow the credential holder to generate a proof that they possess a valid VC with specific attributes satisfying a predicate (e.g., accreditationStatus == "active" AND issueDate > 2023-01-01), without revealing the attributes themselves. Libraries like snarkjs or circom are used to create circuits that define these provable statements.
A practical system architecture involves several components. The Issuer (accreditation body) runs a server to sign and issue VCs. The Holder (investigator) uses a digital wallet (e.g., Veramo agent) to store the VC and generate ZKPs. The Verifier (client or platform requiring proof) specifies the proof request. For example, a verifier may only require proof that the holder's accreditation is current and from an authorized issuer. The holder's wallet uses a ZKP circuit to prove knowledge of a valid signature and that the hidden attributes satisfy the rules, sending only the proof and the revealed public issuer DID to the verifier.
Implementation requires defining the credential schema and ZK circuit. First, create a JSON schema for the accreditation VC specifying fields like issuerDid, holderDid, accreditationType, expiryDate, and licenseNumber. The issuer signs this. For the ZK circuit, using the circom language, you define constraints. A simple circuit might take the VC's hashed data and signature as private inputs and the issuer's public key as a public input, outputting a true signal only if the signature is valid and the hidden expiryDate is in the future. This circuit is compiled and a trusted setup generates proving and verification keys.
Here is a simplified workflow in code using pseudocode concepts. The holder's agent generates a proof:
javascript// Holder generates ZKP for selective disclosure const proof = await zkSnark.prove({ circuit: accreditationCircuit, privateInputs: { hashedCredentialData: hash(credential.claims), signature: credential.proof.signatureValue }, publicInputs: { issuerPublicKey: credential.issuer } }); // Holder sends to verifier sendToVerifier({ proof, verificationKey, revealed: { issuerDid } });
The verifier then runs zkSnark.verify(verificationKey, proof, publicInputs) to get a boolean result, trusting the proof's validity without seeing the underlying sensitive data.
Key considerations for production include revocation. Using a Revocation List 2020 credential status allows issuers to revoke VCs without breaking ZKPs, as the circuit can check non-membership in a cryptographic accumulator. Interoperability is achieved by adhering to W3C VC Data Model and Decentralized Identifiers (DIDs). Scalability of ZKPs depends on circuit complexity and trusted setup. For ongoing accreditation, consider using BBS+ signatures for selective disclosure without ZKPs for simpler claims. Always audit ZK circuits and use established libraries like @iden3/circomlib to minimize cryptographic risks in the accreditation process.
resource-links
DEVELOPER RESOURCES
Tools, Libraries, and Further Resources
These tools and standards help you design, issue, verify, and govern verifiable credentials for investigator accreditation. Each resource supports production-grade identity systems aligned with W3C and DIF specifications.
DEVELOPER FAQ
Frequently Asked Questions
Common technical questions and troubleshooting for implementing a blockchain-based verifiable credential system for investigator accreditation.
A Verifiable Credential (VC) is a tamper-proof digital attestation, like a diploma or license, that can be cryptographically verified. In a blockchain system, the core components are:
- Issuer: The accredited body (e.g., a law enforcement agency) that creates and signs the VC.
- Holder: The investigator who receives and stores the VC, typically in a digital wallet.
- Verifier: An entity (e.g., a court or partner agency) that checks the VC's validity.
How it works on-chain: The credential's core data (claims) is signed by the issuer and stored off-chain (e.g., IPFS). A unique cryptographic hash of this data is then anchored to a blockchain like Ethereum or Polygon. The Decentralized Identifier (DID) of the issuer is also recorded on-chain. To verify, a verifier checks the issuer's on-chain DID registry to confirm the signing key is valid and compares the hash on-chain with the hash of the presented credential. This creates a trustless system where the blockchain acts as a global, immutable root of trust for the credential's provenance and integrity.
conclusion-next-steps
PRODUCTION CHECKLIST
Conclusion and Production Deployment
This guide concludes with a production deployment checklist for a verifiable credential system, covering security, infrastructure, and operational best practices.
Deploying a verifiable credential system for investigator accreditation requires moving from a development environment to a secure, scalable production setup. Key infrastructure decisions include choosing a blockchain network (e.g., Ethereum Mainnet, Polygon, or a private EVM chain like Hyperledger Besu), selecting a decentralized identifier (DID) method (e.g., did:ethr or did:web), and deploying your credential schema as a smart contract. Ensure your issuer's private keys are managed via hardware security modules (HSMs) or cloud KMS services like AWS KMS or Azure Key Vault, never storing them in environment variables or code repositories.
For the verifier component, implement robust API security using JWT authentication, rate limiting, and CORS policies. The verifier service should cache credential status and schema definitions to reduce on-chain queries and improve performance. Use a service like The Graph for efficient indexing of credential issuance and revocation events if on a public chain. For user-facing applications, integrate wallet SDKs (e.g., MetaMask, WalletConnect) to handle the presentation flow, and provide clear UX guidance for users holding their credentials in digital wallets.
Establish a clear operational governance model. This includes defining roles for system administrators, documenting procedures for credential revocation and schema updates, and setting up monitoring for smart contract events and API health. Use infrastructure-as-code tools like Terraform or Pulumi to manage cloud resources. Finally, conduct a security audit of your smart contracts and application code, and consider a bug bounty program to crowdsource vulnerability discovery before and after launch to ensure the integrity of the accreditation system.