Decentralized identity verification replaces traditional, siloed identity systems with user-controlled credentials. Instead of relying on a central database, users store verifiable credentials (VCs) in a digital wallet and present them via a decentralized identifier (DID). This DID is a unique, cryptographically secured string, often anchored to a blockchain like Ethereum or Polygon, that serves as a persistent identifier. Protocols like the W3C Decentralized Identifiers (DIDs) standard and Verifiable Credentials (VCs) data model provide the technical foundation. For onboarding, this means participants can prove their eligibility—such as KYC status or membership—without revealing unnecessary personal data to the application.
LABS
Guides
Setting Up a Decentralized Identity Verification for Participant Onboarding
A technical guide for developers on integrating DID protocols and verifiable credentials to manage compliant, private participant onboarding for enterprise prediction platforms.
Chainscore © 2026
introduction
INTRODUCTION
Setting Up a Decentralized Identity Verification for Participant Onboarding
Decentralized identity (DID) systems enable users to own and control their credentials without centralized intermediaries, a foundational component for secure Web3 onboarding.
The core architecture involves three roles: the issuer (e.g., a KYC provider), the holder (the user), and the verifier (your application). A user obtains a signed VC from a trusted issuer and stores it locally. When interacting with your platform, the user presents a cryptographically verifiable proof derived from this credential. This proof can be a Zero-Knowledge Proof (ZKP), enabling verification of claims (e.g., "user is over 18") without exposing the underlying data. Platforms like Civic, SpruceID (using Sign-In with Ethereum), and Polygon ID offer SDKs and infrastructure to implement this flow, handling the complexity of key management and proof generation.
Implementing DID-based onboarding requires integrating a wallet connection and a verification logic layer. First, users connect a wallet (e.g., MetaMask) which often serves as their DID controller. Your frontend then requests specific credentials using a query language like W3C Presentation Exchange or Polygon ID's Query Language. The user's wallet presents the required proof, which your backend verifies using the issuer's public DID (found on a Verifiable Data Registry like a blockchain). A basic verification check in JavaScript using the SpruceID SDK might look like: const verificationResult = await didkit.verifyPresentation(presentation, challenge);. This process creates a trustless, privacy-preserving onboarding experience.
Key considerations for deployment include choosing the appropriate DID method (e.g., did:ethr, did:polygonid), ensuring a smooth user experience for credential issuance, and managing revocation status. Revocation is often handled via status lists (like a revocation registry) or selective disclosure protocols. It's also critical to design the credential schema—the set of fields in your VC—to request only the minimum necessary data. This approach not only enhances privacy but also reduces regulatory and data liability for your application, aligning with principles of data minimization and user sovereignty.
For developers, the ecosystem provides robust tooling. SpruceID's Credible and Veramo are open-source frameworks for issuing and verifying credentials. Ethereum Attestation Service (EAS) allows for creating on-chain attestations that can function as VCs. When designing the flow, prioritize clear user prompts for credential sharing and fallback options for users without existing VCs, potentially integrating an issuance partner. This setup future-proofs your onboarding by creating portable, user-owned identities that can be reused across the Web3 ecosystem, moving beyond fragmented, application-specific accounts.
prerequisites
DECENTRALIZED IDENTITY
Prerequisites and Architecture
This guide outlines the technical foundation required to build a decentralized identity (DID) verification system for secure, user-controlled onboarding.
A decentralized identity (DID) system shifts control from centralized authorities to the individual user. At its core, a DID is a globally unique identifier, like did:ethr:0xabc123..., anchored on a blockchain. It links to a DID Document (DIDDoc), a JSON-LD file containing public keys, service endpoints, and verification methods. This architecture enables users to create and manage their own identifiers without relying on a central registry, forming the basis for self-sovereign identity (SSI). The DIDDoc is the source of truth for cryptographic verification of credentials and interactions.
To implement this, you need a blockchain or decentralized network as the root of trust. Ethereum (using ERC-1056/ERC-3643), Polygon, or dedicated DID networks like ION (on Bitcoin) are common choices. You'll also require a wallet or agent capable of creating DIDs, managing private keys, and signing Verifiable Credentials (VCs). For developers, libraries like ethr-did, did-jwt-vc, or Microsoft's Verifiable Credentials SDK provide essential tooling. A basic understanding of public-key cryptography and JSON Web Tokens (JWT) is necessary to work with these components effectively.
The verification flow involves several key actors: the Holder (user), the Issuer (entity issuing credentials), and the Verifier (your onboarding platform). The Holder requests a credential (e.g., a proof of KYC) from an Issuer. The Issuer signs a Verifiable Credential—a tamper-evident JSON file with claims—and the Holder stores it in their wallet. During onboarding, your platform (the Verifier) requests specific credentials and uses the public keys in the Holder's DIDDoc to cryptographically verify the issuer's signature and the credential's integrity, all without contacting the original Issuer.
For a production system, you must architect around key management and privacy. Private keys should never leave the user's secure environment (e.g., a hardware wallet or trusted mobile agent). Use Verifiable Presentations to allow users to share selective, minimal disclosures instead of full credentials. Consider zero-knowledge proofs (ZKPs) via protocols like Sismo or zkPass for advanced privacy, enabling users to prove they are over 18 without revealing their birth date. Your backend needs to validate DIDs against the blockchain and parse DIDDocs, which can be facilitated by services like SpruceID's Kepler or Microsoft Entra Verified ID.
Start development by setting up a test DID registry on a network like Sepolia or Polygon Mumbai. Use the ethr-did-registry contract or the did:web method for prototyping. Your first task is to write a script that creates a DID, generates a DIDDoc, and issues a simple self-signed VC. Then, build a verifier service that can resolve the DID from its identifier, fetch the DIDDoc, and verify the VC's JWT signature. This end-to-end test validates your core architecture before integrating UI components and more complex credential schemas.
key-concepts
DECENTRALIZED IDENTITY
Core Components and Standards
A secure onboarding system requires interoperable standards and verifiable credentials. These are the foundational protocols and tools for building decentralized identity verification.
04
JSON-LD & Digital Signatures
These are the technical standards that enable machine-readable, cryptographically secure credentials.
- JSON-LD: A JSON-based serialization format for Linked Data. It provides semantic context, allowing systems to understand the meaning of credential data.
- Digital Signatures: Used to prove the authenticity and integrity of DIDs and VCs. Common algorithms include EdDSA (Ed25519) and ES256K (used by did:ethr).
- Interoperability: Using standardized formats ensures credentials issued on one platform can be verified by another.
05
The SSI Architecture Stack
Self-Sovereign Identity (SSI) is the overarching architecture that combines DIDs, VCs, and VDRs into a functional system.
- Three Roles: Holder (user), Issuer (entity issuing credentials), and Verifier (entity requesting proof).
- Trust Triangle: The trust model where issuers are trusted by verifiers, and holders present proofs.
- User Agents: Wallets or apps (like Veramo or Trinsic) that allow holders to store and manage their DIDs and VCs.
step-1-did-creation
ONBOARDING FOUNDATION
Step 1: Create and Manage Decentralized Identifiers (DIDs)
A Decentralized Identifier (DID) is the core building block of self-sovereign identity, enabling participants to own and control their verifiable credentials without a central authority.
A Decentralized Identifier (DID) is a globally unique, persistent identifier that does not require a centralized registration authority. It is typically expressed as a URI, like did:ethr:0xabc123.... The DID is controlled by the entity it identifies via cryptographic keys described in an associated DID Document. This document, often stored on a blockchain or other decentralized network, contains public keys, authentication protocols, and service endpoints, enabling secure interactions. Unlike traditional usernames or emails, a DID is owned entirely by the user, providing a foundation for portable, interoperable identity.
For participant onboarding, the first step is DID creation. Using a library like did:ethr for Ethereum or did:key for a simple method, a user generates a public/private key pair. The corresponding DID is derived from the public key. For example, with did:key, the process is library-driven and does not require on-chain registration. For a method like did:ethr, the DID Document is anchored to a blockchain, providing a verifiable, tamper-proof record of the public key. This creates a cryptographic root of trust that all subsequent verifiable credentials will link back to.
Once created, the DID must be managed securely. The private key is the ultimate proof of ownership and must be stored in a secure enclave, hardware wallet, or managed custody service. Loss of the private key means loss of control over that identity and all associated credentials. The DID Document can be updated to rotate keys, add new service endpoints for credential exchange, or specify verification methods. This management is done by submitting transactions signed by the current controlling key, ensuring that identity evolution remains under the sole control of the DID subject.
In a practical onboarding flow, your application would integrate an SDK like didkit or veramo to handle DID operations. The code snippet below illustrates generating a did:key identifier using the Veramo CLI, a common tool for developers:
bash# Install Veramo CLI and generate a DID npm install -g @veramo/cli veramo did create -m key
This command creates a new DID Document locally. For production systems using did:ethr, you would configure an Ethereum provider to register the DID on-chain, incurring a gas fee but gaining the durability and discoverability of a public ledger.
The created DID serves as the participant's identity anchor. When they later receive verifiable credentials—such as a KYC attestation or membership badge—the issuer will sign those credentials with the participant's DID as the subject. Any verifier can then resolve the DID to its public key in the DID Document to cryptographically verify the credential's authenticity and the participant's control over it. This establishes a trust chain that is independent of any single platform or issuer, enabling seamless and secure cross-platform identity.
step-2-credential-issuance
ON-CHAIN IDENTITY
Step 2: Issue Verifiable Credentials for KYC and Roles
Learn how to issue verifiable credentials to establish participant identity and permissions on-chain, moving from verified data to actionable attestations.
A Verifiable Credential (VC) is a cryptographically signed attestation that a subject possesses certain attributes. For decentralized onboarding, you issue VCs after successful KYC verification to grant users specific on-chain roles. The credential itself is typically stored off-chain (like in a user's wallet), while a corresponding Verifiable Presentation and its proof are used on-chain to verify the claim without exposing the underlying personal data. This creates a privacy-preserving link between a real-world identity and a blockchain address.
To issue a credential, you need a Decentralized Identifier (DID) for both the issuer (your platform) and the subject (the user). The issuer signs a JSON-LD credential document containing claims like "kycStatus": "verified" or "role": "accreditedInvestor". Standards like the W3C Verifiable Credentials Data Model ensure interoperability. In practice, SDKs from identity platforms like SpruceID, Veramo, or Ethereum Attestation Service (EAS) abstract this complexity, providing functions to create and sign credentials programmatically.
Here is a conceptual example using a TypeScript SDK pattern for issuing a credential. This code creates a signed VC asserting a user's KYC status and investor role.
typescriptimport { Issuer } from '@veramo/core'; const credential = await agent.createVerifiableCredential({ credential: { issuer: { id: 'did:ethr:0xYourIssuerDID' }, credentialSubject: { id: 'did:ethr:0xUserAddress', kycStatus: 'verified', role: 'accreditedInvestor', issuanceDate: new Date().toISOString(), }, }, proofFormat: 'jwt', // Or 'lds' for JSON-LD signatures }); // The `credential` JWT or JSON-LD object is sent to the user's wallet.
For the credential to be useful on-chain, the user must present it. This is done via a Verifiable Presentation, where the user signs a request containing the credential's proof for a specific verifier (your smart contract). Your contract then verifies this signature against the known issuer's DID. Ethereum Attestation Service (EAS) simplifies this by providing a registry contract where issuers make attestations. To check a user's role, your contract calls EAS.getAttestation(attestationUID) to verify its validity and reads the attested data.
The final integration involves your gated smart contract function checking for a valid credential before allowing actions. For example, a token sale contract would verify an accreditedInvestor attestation before processing a purchase. This pattern decentralizes trust: the contract trusts the attestation issued by your verified DID, not the user's claim. It's crucial to manage your issuer's private key securely and consider revocation mechanisms, such as maintaining a revocation list or using non-expiring attestations with on-chain revoke functions.
step-3-access-control
DECENTRALIZED IDENTITY
Step 3: Implement Token-Gated Access with Credential Proofs
This guide explains how to use decentralized identity (DID) credentials and zero-knowledge proofs to create secure, privacy-preserving token-gated access for onboarding.
Token-gated access traditionally requires users to connect a wallet and prove ownership of a specific NFT or token. This reveals the user's entire wallet address and transaction history. Using decentralized identity credentials and zero-knowledge proofs (ZKPs), you can verify a user meets your criteria (e.g., holds a token, is over 18) without exposing their wallet address or other personal data. This approach, often built with standards like W3C Verifiable Credentials, shifts the paradigm from "proof by exposure" to "proof by cryptographic verification."
The core components are the Issuer, Holder, and Verifier. First, a trusted issuer (like a DAO or protocol) creates a Verifiable Credential attesting to a claim (e.g., "Alice holds a Governance Token") and signs it cryptographically. The user (Holder) stores this credential in their digital wallet. When accessing your gated application, instead of connecting their wallet, the user generates a ZK-SNARK or ZK-STARK proof derived from the credential. This proof cryptographically convinces your verifier contract that the credential is valid and unrevoked, and that the contained claim is true, all without revealing the underlying data.
To implement this, you'll need a verifier smart contract. Here's a simplified example using the Semaphore ZK framework for group membership proofs. Assume an issuer has added eligible users to a Semaphore group.
solidity// SPDX-License-Identifier: MIT import "@semaphore/interfaces/IVerifier.sol"; import "@semaphore/interfaces/ISemaphore.sol"; contract TokenGatedAccess { ISemaphore public semaphore; uint256 public groupId; constructor(address _semaphore, uint256 _groupId) { semaphore = ISemaphore(_semaphore); groupId = _groupId; } function accessGatedContent( uint256 merkleTreeRoot, uint256 nullifierHash, uint256[8] calldata proof ) external { // Verify the ZK proof proves membership in the group semaphore.verifyProof(groupId, merkleTreeRoot, 0, nullifierHash, groupId, proof); // Logic to grant access (e.g., set a flag, mint an access token) _grantAccess(msg.sender); } }
The user's client generates the proof off-chain, proving they are in the group without revealing which member they are.
For a more generic credential system, consider Sismo's ZK Badges or the Verax Attestation Registry. These systems allow issuers to write attestations on-chain (e.g., on Linea or Polygon zkEVM). Your verifier contract then checks the Attestation Registry for a valid, unrevoked attestation linked to a user's hashed identifier. The user can present a ZK proof that they possess an attestation with specific properties. Key checks include the attestation schema ID, issuer address, expiration time, and revocation status. This decouples the verification logic from the issuance process.
When integrating, focus on the user flow: 1) User obtains a credential from a trusted issuer. 2) Your frontend requests a specific proof (e.g., proof of token-holding). 3) The user's wallet (like MetaMask Snap or Sismo Connect) generates the ZK proof. 4) Your frontend sends the proof to your verifier contract. 5) The contract verifies the proof and executes the gated logic. Tools like eth-proof-of-ownership or Disco's protocol can simplify this flow. Always include a fallback mechanism, such as a manual review for revoked credentials or edge cases.
This method significantly enhances privacy and security for users. It minimizes on-chain gas costs for users (proof verification is cheap), reduces the attack surface by not exposing wallet addresses, and enables complex gating logic (e.g., "holds Token A OR completed Quest B"). The main challenges are issuer trust and user education. Ensure your UI clearly explains the privacy benefits and guides users through the proof generation process, which is a new interaction pattern for many.
step-4-privacy-preservation
ADVANCED CONFIGURATION
Step 4: Preserve Privacy with Zero-Knowledge Proofs (Optional)
This optional step enhances your decentralized identity verification system by allowing participants to prove eligibility without revealing the underlying data, using zero-knowledge proofs (ZKPs).
Zero-knowledge proofs (ZKPs) are cryptographic protocols that enable one party (the prover) to convince another party (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself. In the context of decentralized identity verification, this allows a user to prove they meet specific onboarding criteria—such as holding a minimum token balance, being on an allowlist, or having a credential from a trusted issuer—without exposing their wallet address, transaction history, or the credential's exact details. This is a fundamental shift from verifying data to verifying proofs about data, significantly enhancing user privacy.
To implement this, you need a ZK circuit that encodes your verification logic. For example, a circuit can be programmed to prove: "I own a wallet that holds more than 100 GOV tokens as of block #20,000,000, and this wallet is signed by a key from a trusted identity provider." Popular frameworks for developing these circuits include Circom and SnarkJS. You write the circuit logic, compile it to generate proving and verification keys, and then integrate it with your application. The user's client (like a browser wallet with ZK capabilities) generates the proof locally using their private data, and only the proof is sent on-chain for verification.
A practical implementation involves several components. First, your smart contract needs a verifier function, typically generated from your ZK circuit compilation. Second, users need a way to generate proofs client-side; libraries like SnarkJS for JavaScript or Arkworks for Rust are commonly used. For example, after a user connects their wallet, your dApp frontend would prompt them to generate a ZK proof attesting to their eligibility. The proof is then submitted to your verification contract. A basic verifier interface in Solidity might look like this:
solidityinterface IVerifier { function verifyProof( uint[2] memory a, uint[2][2] memory b, uint[2] memory c, uint[1] memory input ) external view returns (bool); }
Your onboarding contract would call this verifier before granting access.
While powerful, adding ZKPs introduces complexity. You must carefully design the circuit to accurately represent your business logic without vulnerabilities. The trust model shifts to trusting the correctness of the circuit and the initial setup (trusted setup ceremony for some systems like Groth16). Furthermore, generating proofs can be computationally intensive for users, though zk-SNARK proofs are relatively quick to verify on-chain. For many use cases, leveraging existing identity ZK protocols like Semaphore (for anonymous signaling) or ZK-EVMs for private transactions can be more efficient than building a circuit from scratch.
This optional step is best suited for applications where participant privacy is paramount, such as anonymous voting in a DAO, private credential verification for employment, or whitelisting for confidential deals. By integrating ZKPs, you move from a model of transparent, data-revealing verification to one of selective disclosure, where users share only what is absolutely necessary. This not only protects user data but can also reduce the liability and data storage requirements for your application, aligning with core Web3 principles of user sovereignty and data minimization.
CORE PROTOCOLS
DID and VC Protocol Comparison
Comparison of foundational protocols for implementing decentralized identity and verifiable credentials in a production system.
| Feature / Metric | W3C DID & VC (Universal) | Veramo (Framework) | Sidetree (Protocol) |
|---|---|---|---|
Core Standard | W3C DID 1.0, VC-DATA-MODEL 2.0 | Implements W3C Standards | Defines DID Method (e.g., ION, Element) |
Implementation Type | Specification | Modular TypeScript Framework | Layer 2 Protocol for Blockchains |
Primary Blockchain | Method-specific (e.g., Ethereum, Bitcoin) | Multi-chain agent (Ethereum, Polygon, Tezos) | Bitcoin (via ION) or Ethereum (via Element) |
Credential Format Support | JSON-LD, JWT | JSON-LD, JWT, EIP712, Custom | JSON-LD, JWT (via implementations) |
Key Management | DID Document specifies keys | Plugins (KeyManager, DID-Key, DID-Ethr) | Sidetree Operations (Create, Update, Recover) |
Resolution Time | Varies by method & network | < 2 sec (cached agent) | ~10 sec (Bitcoin block time + batch) |
Production Scalability | High (depends on method) | High (modular, cloud-native) | Very High (batch anchoring) |
Developer Onboarding | Steep (spec-first) | Moderate (framework, docs) | Complex (run/index node vs. SDK) |
DECENTRALIZED IDENTITY
Common Implementation Issues and Solutions
Implementing decentralized identity (DID) for user onboarding presents unique technical hurdles. This guide addresses the most frequent developer challenges, from key management to verification logic, with practical solutions.
DID resolution failures are often caused by incorrect resolver configuration or network issues. The resolver must be pointed at the correct DID method's driver.
Common causes and fixes:
- Unsupported DID Method: Ensure your resolver library (e.g.,
did-resolver,ethr-did-resolver) includes the driver for your method (e.g.,did:ethr:,did:key:). - RPC Endpoint Issues: For blockchain-based DIDs (like
did:ethr), verify your Ethereum provider URL is correct and responsive. Use a reliable service like Infura or Alchemy. - Invalid DID Syntax: Check the DID string format. For
did:ethr:0x..., the address must be a valid Ethereum address. - Caching Problems: Some public resolvers have rate limits. Implement local caching for frequently accessed DIDs or use a dedicated resolver instance.
Example using did-resolver and ethr-did-resolver:
javascriptimport { Resolver } from 'did-resolver'; import { getResolver } from 'ethr-did-resolver'; // Configure provider for the ethr method const providerConfig = { networks: [{ name: 'mainnet', rpcUrl: 'https://mainnet.infura.io/v3/YOUR_KEY' }] }; const ethrResolver = getResolver(providerConfig); const didResolver = new Resolver(ethrResolver); // Now resolve const didDocument = await didResolver.resolve('did:ethr:0xabc...');
resource-links
GUIDES
Development Resources and Tools
Resources and tooling to implement decentralized identity verification for participant onboarding using production-grade standards, SDKs, and privacy-preserving verification flows.
DECENTRALIZED IDENTITY
Frequently Asked Questions
Common questions and troubleshooting for developers implementing decentralized identity (DID) systems for user onboarding.
A Decentralized Identifier (DID) is a globally unique, persistent identifier that an individual or entity controls without reliance on a central registry. It is defined by the W3C standard. A DID resolves to a DID Document, a JSON-LD file containing public keys, authentication methods, and service endpoints.
A blockchain wallet address (e.g., 0x...) is a single-purpose cryptographic identifier for controlling assets on a specific chain. A DID is more versatile:
- Portability: A DID is chain-agnostic and can be used across multiple systems.
- Control: The DID Document allows the controller to rotate keys and update service endpoints without changing the core identifier.
- Verifiability: It enables Verifiable Credentials (VCs), allowing users to prove claims (like age or membership) without revealing the underlying data.
In short, a wallet address is for signing transactions; a DID is a foundational identity layer for verifiable, self-sovereign interactions.
conclusion
IMPLEMENTATION SUMMARY
Conclusion and Next Steps
This guide has walked you through the core components of building a decentralized identity verification system for user onboarding, from credential issuance to on-chain verification.
You have now implemented a foundational system for decentralized identity verification. This system enables participants to obtain and control their own verifiable credentials (VCs), such as proof of KYC from a trusted issuer, and present them for verification in a privacy-preserving manner. The core architecture involves an issuer (using a service like SpruceID's didkit), a holder's wallet (like an Ethereum wallet with Sign-In with Ethereum), and a verifier smart contract that checks the credential's validity and issuer's signature on-chain. This moves away from centralized databases, giving users ownership of their data.
For production deployment, several critical next steps are required. First, thoroughly audit your smart contracts, especially the signature verification logic, to prevent spoofing attacks. Consider using established libraries like OpenZeppelin for EIP-712 structuring. Second, design a robust issuer backend with secure key management and a revocation mechanism, such as a revocation registry. Third, ensure your user-facing dApp provides clear UX for the credential request and presentation flow, explaining the purpose of each signature to users. Tools like the ethr-did registry can help manage Decentralized Identifiers (DIDs) for issuers.
To extend the system's capabilities, explore integrating zero-knowledge proofs (ZKPs). Using frameworks like snarkjs or circuits.circom, you can allow users to prove they hold a valid credential meeting certain criteria (e.g., is over 18) without revealing the credential itself. This significantly enhances privacy. Furthermore, consider making your verifier contract compatible with broader identity standards like the Verifiable Credential Data Model and W3C Decentralized Identifiers to ensure interoperability with other identity ecosystems.
The landscape of decentralized identity is rapidly evolving. Stay updated on core standards by following the W3C Verifiable Credentials Working Group. Experiment with identity infrastructure providers like SpruceID, Veramo, or Microsoft's ION for managed services. Finally, engage with the community by testing your implementation with real users, gathering feedback on UX, and contributing to open-source identity projects. Decentralized identity is a key primitive for building trustworthy, user-centric Web3 applications.