DID Creation is the foundational act of generating a Decentralized Identifier (DID) and its associated cryptographic keys, establishing a new, self-owned digital identity. The process involves creating a unique identifier string (the DID) that is cryptographically bound to a DID Document (DDO), which contains the public keys, authentication protocols, and service endpoints necessary for verification and interaction. This creation event is recorded on a verifiable data registry, typically a blockchain or distributed ledger, ensuring the DID's persistence, discoverability, and resistance to unilateral alteration.
LABS
Glossary
DID Creation
DID creation is the foundational process of generating a new Decentralized Identifier (DID) and its initial DID document, establishing a self-sovereign identity.
Chainscore © 2026
definition
DECENTRALIZED IDENTITY
What is DID Creation?
The technical process of generating a globally unique, self-sovereign identifier on a verifiable data registry, such as a blockchain.
The core technical steps include: - Key Generation: Creating a public/private key pair, where the private key is securely stored by the DID controller (the identity owner). - DID Method Execution: Following the rules of a specific DID method, a defined protocol (e.g., did:ethr:, did:key:, did:web:) that dictates how the DID is constructed, registered, and resolved on its target system. - DID Document Publication: Anchoring the initial state of the DID Document to the chosen registry, making it publicly resolvable. This process is permissionless, allowing any entity to create a DID without central approval.
Unlike traditional identity issuance, DID creation is self-sovereign; the controller retains exclusive cryptographic proof of ownership and control via their private keys. The resulting DID is a persistent, non-reassignable URI (e.g., did:example:123456789abcdefghi) that does not contain personal data, enhancing privacy. This separation of identifier from attributes is a key architectural principle, enabling selective disclosure of verifiable credentials linked to the DID.
Common DID methods illustrate the process: Creating a did:ethr:0x... identifier involves generating an Ethereum key pair and registering the DID Document's hash on the Ethereum blockchain. The did:key: method generates a DID directly from a public key, with the document embedded in the identifier itself, requiring no on-chain transaction. The choice of method determines the trade-offs between decentralization, cost, and functionality.
The primary outcome of DID creation is a cryptographic root of trust for all subsequent interactions. This DID serves as the stable reference point for issuing, holding, and presenting Verifiable Credentials (VCs), enabling trusted digital relationships in decentralized applications, supply chains, and credentialing systems without relying on centralized identity providers.
key-features
DECENTRALIZED IDENTIFIERS
Key Features of DID Creation
Decentralized Identifier (DID) creation establishes a cryptographically verifiable, self-sovereign identity anchored on a blockchain or other decentralized network, independent of centralized registries.
01
Decentralized & Self-Sovereign
A DID is created and controlled solely by its owner, without reliance on a central issuing authority like a government or corporation. The DID controller holds the cryptographic keys, enabling them to prove ownership and manage their identity data directly. This shifts control from centralized identity providers to the individual or entity.
02
Cryptographic Proof & Verifiability
Every DID is intrinsically linked to a set of cryptographic keys. Creation involves generating a public-private key pair. The public key is often embedded in the DID Document, allowing anyone to verify signatures created with the private key. This provides a foundation for cryptographic authentication and data integrity.
03
The DID Document (DID Doc)
Upon creation, a DID resolves to a DID Document—a machine-readable JSON-LD file describing the identity. It contains:
- Verification methods (public keys, biometric templates)
- Service endpoints for interacting with the identity (e.g., messaging)
- Mechanisms for updating or deactivating the DID This document is the technical core of the identity.
04
Immutability & Persistence
The DID itself—a unique URI—is typically registered on a verifiable data registry like a blockchain or Distributed Hash Table (DHT). This ensures the identifier is globally resolvable, persistent, and cannot be unilaterally revoked by a third party. The underlying ledger's immutability guarantees the identifier's existence can be proven over time.
05
Privacy by Design
DID creation supports privacy through pseudonymity and selective disclosure. Users can create multiple, unlinkable DIDs for different contexts (e.g., professional, social, financial). Using zero-knowledge proofs, they can prove specific claims (e.g., age > 21) without revealing the underlying data, minimizing personal data exposure.
06
Interoperability & Standardization
DID creation follows the W3C DID Core specification, ensuring interoperability across different networks and systems. The standard defines the DID syntax, resolution protocol, and DID Document structure. This allows identities created on one DID method (e.g., did:ethr:) to be understood by verifiers using a different technical stack.
how-it-works
DECENTRALIZED IDENTITY
How DID Creation Works
A technical overview of the process for generating a Decentralized Identifier (DID) and its associated cryptographic keys, establishing a self-sovereign digital identity.
DID creation is the cryptographic process of generating a unique, persistent identifier and its associated public-private key pair, enabling verifiable, self-sovereign identity without a central registry. The core mechanism involves a DID Method, which is a specification defining the precise steps for creating, reading, updating, and deactivating a DID on a specific verifiable data registry, such as a blockchain or distributed ledger. This process is executed by a DID controller, typically using a wallet or specialized software, which handles the key generation and registration.
The creation flow follows a defined sequence: first, the software generates a cryptographically secure public-private key pair; second, it formulates the DID Document (DID Doc), a JSON-LD document containing the public key and service endpoints; and third, it anchors this document to the chosen registry. The resulting DID itself is a URI (e.g., did:ethr:0xab...) composed of the scheme did:, a method identifier (e.g., ethr), and a method-specific identifier unique to the controller. This URI permanently resolves to the DID Document, establishing the cryptographic foundation for all subsequent interactions.
Key technical considerations during creation include key management strategies—such as storing the private key in a secure element—and selecting appropriate cryptographic suites (e.g., Ed25519, secp256k1) for signing and verification. The process is designed to be portable and interoperable, as the DID and its document are not locked into a single vendor or platform. Once created, this DID can be used to sign Verifiable Credentials, authenticate to websites via DID Auth, and engage in secure, peer-to-peer communications, forming the bedrock of decentralized identity ecosystems.
examples
IMPLEMENTATION PATTERNS
Examples of DID Creation Methods
Decentralized Identifiers (DIDs) can be created using various cryptographic and blockchain-based methods, each offering different trade-offs in terms of security, privacy, and interoperability.
01
Cryptographic Key Pair Generation
The foundational method where a DID is derived directly from a public key. A user generates a new asymmetric key pair (e.g., Ed25519, secp256k1). The DID's unique identifier is often a hash or encoding of the public key. The corresponding private key is stored securely and used to create verifiable credentials and proofs. This method is simple, portable, and does not inherently require a blockchain.
02
On-Chain Registry (Smart Contract)
A DID is created by invoking a smart contract on a blockchain like Ethereum. The contract acts as a verifiable data registry, minting a new DID document and recording its DID controller and initial public keys on-chain. This provides a globally consistent, tamper-proof record of creation and updates. Examples include the ERC-1056 (Ethr-DID) and ERC-725 standards.
03
Peer DID Method
Designed for private, peer-to-peer relationships, Peer DIDs are generated algorithmically between two parties without a centralized resolver. They use a did:peer method and are not recorded on any ledger. The DID document is exchanged directly and stored by the involved parties. This method maximizes privacy and is ideal for secure messaging and off-ledger interactions.
04
Sidetree-Based Protocols (ION, Element)
This method uses a layer-2 protocol (like Sidetree) anchored to a base blockchain (e.g., Bitcoin, Ethereum). DID operations (create, update, recover) are batched into anchor files and recorded via blockchain transactions. This provides scalability and low-cost operations while inheriting the base chain's security. Microsoft ION on Bitcoin is a prominent example.
05
Verifiable Data Registry (VDR) Interaction
DIDs are created by writing to a permissioned Verifiable Data Registry, such as Hyperledger Indy or a Sovrin Network node. These specialized ledgers are optimized for identity transactions. A steward or validator node processes the DID creation transaction, ensuring it complies with the network's governance framework before consensus is reached and the DID is written to the distributed ledger.
06
DID Web Method
A DID is created by hosting a DID document at a well-known HTTPS URL, following the did:web specification. The DID identifier is derived from the domain name (e.g., did:web:example.com). Control is proven via TLS certificates and HTTPS security. This method leverages existing web infrastructure and is simple for organizations with established web presence, though it relies on traditional web trust models.
technical-details
DID CREATION
Technical Details: Keys & Anchoring
This section details the cryptographic and on-chain mechanisms that underpin the creation of a Decentralized Identifier (DID), focusing on key generation, the anchoring process, and the resulting DID document.
DID creation is the process of generating a unique, self-sovereign identifier anchored to a blockchain, beginning with the cryptographic generation of a private key. This private key, which must be securely stored by the DID controller, is used to derive a corresponding public key. The public key is the foundational element for the DID's verifiable identity, enabling digital signatures and secure interactions. The specific DID method dictates the exact key generation algorithm, such as Ed25519 or secp256k1, which determines the format of the resulting DID identifier.
The core technical step is anchoring, where a cryptographic commitment of the DID's initial state is published to a distributed ledger, such as Bitcoin or Ethereum. This is typically done by creating a transaction that embeds a DID Document (DIDD) hash or a Create operation within its data payload. This transaction, once confirmed on-chain, provides a globally verifiable, timestamped proof of the DID's existence and its initial key material. The DID identifier itself is often derived from this anchoring transaction, commonly constructed from the method name, the blockchain namespace, and a unique identifier like a transaction hash or a public key hash (e.g., did:btcr:xyv2-xzpq-q9wa-p7t).
Following a successful anchor operation, the initial DID Document is assembled. This JSON-LD document contains the DID's public keys, authentication mechanisms, and service endpoints. The document is cryptographically signed by the controller's private key, and its integrity is linked to the blockchain via the anchored hash. This creates a verifiable data registry, where anyone can resolve the DID identifier to fetch the current DID Document and verify its provenance against the immutable ledger, establishing trust without a central authority.
Different DID methods implement anchoring differently. For example, did:ion uses the Bitcoin blockchain to anchor Sidetree protocol operations, enabling scalable, high-frequency updates off-chain. In contrast, did:ethr typically registers a DID by storing a hash of the DID Document directly in a smart contract on Ethereum. The choice of method and underlying blockchain involves trade-offs between cost, transaction finality, throughput, and the complexity of key management and recovery mechanisms.
The security of a DID is fundamentally tied to this creation process. Compromising the original private key can lead to a complete takeover, as the controller is defined by possession of that key. Therefore, secure key generation (using trusted hardware or secure enclaves) and the establishment of key recovery or delegation protocols—often defined within the DID Document itself—are critical considerations during the initial creation phase to ensure long-term usability and security of the decentralized identity.
security-considerations
DID CREATION
Security Considerations
Creating a Decentralized Identifier (DID) involves critical security decisions that determine the long-term custody, recoverability, and privacy of the identity. These foundational choices cannot be easily changed post-creation.
01
Key Management & Custody
The security of a DID is fundamentally tied to the management of its cryptographic key pair. The primary decision is between self-custody, where the user holds their private key (e.g., in a hardware wallet), and custodial models using third-party services. Self-custody offers maximum control but introduces the risk of permanent loss if the key is lost. Custodial solutions trade some control for recoverability but introduce counterparty risk.
02
DID Method Selection
The DID method (e.g., did:ethr:, did:key:, did:web:) dictates the underlying blockchain or system and its inherent security properties. Developers must evaluate:
- Network Security: The consensus mechanism and attack resistance of the underlying ledger (e.g., Proof of Work, Proof of Stake).
- Method Specification: The method's resilience to specific attacks like key rotation flaws or DID document hijacking.
- Longevity: The risk of the underlying system becoming deprecated or insecure.
03
Privacy & Correlation
A poorly created DID can leak sensitive metadata, enabling correlation across different services. Key considerations include:
- On-Chain Data: Storing the DID Document on a public ledger exposes its creation time and update history.
- Verifiable Credentials: The choice of which credentials to link to the DID can reveal identity attributes.
- Service Endpoints: Publicly listed endpoints in the DID Document can be tracked. Using privacy-preserving techniques like zero-knowledge proofs or selective disclosure is crucial for sensitive use cases.
04
Recovery & Revocation
A secure DID system must plan for key loss and compromise. Mechanisms must be established at creation:
- Recovery: Implementing social recovery (via trusted parties), guardian contracts, or shamir's secret sharing to regain access without a single point of failure.
- Revocation: Defining a clear process to revoke a compromised DID or rotate keys, as specified in the DID Document's verification method section. The absence of a recovery mechanism renders the DID a permanent liability.
05
Initial DID Document Integrity
The initial DID Document must be crafted securely, as it is the root of trust. This involves:
- Minimal Viable Document: Including only necessary verification methods and service endpoints to reduce attack surface.
- Secure Anchoring: Ensuring the first write (creation) to the underlying ledger is authenticated and cannot be front-run or tampered with.
- Timestamping: Leveraging the ledger's immutable timestamp to establish a provable creation order, which can be critical for dispute resolution.
06
Sybil Resistance & Uniqueness
For certain applications, preventing the cheap creation of many fake identities (Sybil attacks) is a security requirement. The creation process itself can incorporate proof-of-personhood or attestation mechanisms. Some DID methods may have inherent Sybil resistance due to costly ledger writes (e.g., gas fees), while others (like did:key) do not. The required level of uniqueness must be a deliberate design choice during creation.
ARCHITECTURAL COMPARISON
DID Creation vs. Traditional Identity Issuance
A comparison of the core mechanisms and properties for creating a decentralized identifier (DID) versus issuing a traditional digital identity.
| Feature | Decentralized Identifier (DID) | Traditional Identity (e.g., OAuth, SAML) |
|---|---|---|
Issuing Authority | Self-Sovereign (User) | Centralized Provider (e.g., Google, Government) |
Underlying Registry | Decentralized Ledger (Blockchain, DHT) | Centralized Database |
User Control | ||
Portability & Interoperability | ||
Verification Method | Cryptographic Proof (Digital Signatures) | Provider API Call |
Revocation Mechanism | On-chain update or proof presentation | Provider-controlled blacklist |
Typical Issuance Latency | < 5 seconds | Minutes to days |
Primary Architectural Goal | User Sovereignty & Censorship Resistance | Provider Control & Convenience |
DID CREATION
Frequently Asked Questions
Common questions about creating and managing Decentralized Identifiers (DIDs) on blockchain networks.
A Decentralized Identifier (DID) is a globally unique, persistent identifier that an individual, organization, or device creates, owns, and controls without reliance on a central authority. It works by linking a cryptographically generated string (the DID itself) to a DID Document stored on a verifiable data registry, typically a blockchain or distributed ledger. This document contains the public keys, service endpoints, and authentication protocols that enable the DID subject to prove control and interact in a trusted manner. The core innovation is that identity verification is performed through cryptographic proofs rather than permissions from a centralized database.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall