
Credential Mediator

A credential mediator is a service or agent component that facilitates credential exchange by routing messages between parties, often used to enable communication with holders who are offline or behind firewalls.
Chainscore © 2026
definition
W3C STANDARD

What is a Credential Mediator?

A Credential Mediator is a browser-based software component that acts as a secure intermediary between a user's digital wallet and a website, enabling passwordless authentication using Web3 credentials.

Formally defined by the World Wide Web Consortium (W3C), a Credential Mediator is a standardized API and service that manages requests for verifiable credentials from relying parties (websites) and facilitates their secure retrieval from a user's digital wallet or credential store. Its primary function is to enable a seamless, user-controlled login flow, replacing traditional passwords with cryptographic proofs. This component is central to the Web Authentication (WebAuthn) and Verifiable Credentials ecosystems, providing a privacy-preserving bridge between web applications and a user's identity assets.

The mediator operates on a user-agent level, typically within a browser or operating system. When a website requests a credential (e.g., for login), the mediator prompts the user, who can then select which wallet to use and which specific credential to share. This process, known as the credential selection ceremony, ensures the user maintains sovereign control over their data. The mediator never sees the private cryptographic keys; it only facilitates the request and response protocol, enforcing user consent and minimizing data exposure through techniques like selective disclosure.

A key implementation is the Web Credentials API, which browsers like Chrome and Edge have integrated. For developers, using a Credential Mediator means implementing the navigator.credentials.get() and navigator.credentials.create() calls, which the mediator services. This abstracts the complexity of direct wallet communication, allowing standard web apps to request passkeys, digital driver's licenses, or educational certificates without custom integrations. The mediator handles the secure channel and protocol compliance, such as the W3C Verifiable Credentials Data Model.

The architectural role of the Credential Mediator is crucial for decentralized identity. It solves the 'wallet discovery' problem by providing a standard interface that all compliant wallets can plug into, preventing vendor lock-in. By separating the wallet (where credentials are stored) from the relying party (which uses them), it enhances security and portability. This design is foundational for SSI (Self-Sovereign Identity) systems, where the user, not the service provider, is the central authority over their digital identity.

how-it-works
ARCHITECTURE

How a Credential Mediator Works

A credential mediator is a core architectural component in decentralized identity systems that facilitates the secure and private exchange of verifiable credentials between holders, issuers, and verifiers.

A credential mediator acts as a secure, cloud-hosted service or a personal agent that manages the flow of Verifiable Credentials (VCs). Its primary function is to receive, store, and present credentials on behalf of a user (the holder) without the verifier needing direct access to the user's wallet or personal device. This is achieved through standardized protocols like W3C DIDComm or OpenID for Verifiable Credentials (OID4VC), which define how encrypted messages containing credential presentations are routed. The mediator ensures the user maintains control by requiring explicit consent for each disclosure, acting as a privacy-preserving relay rather than a central data repository.

The core operational flow involves three key interactions. First, an issuer sends a signed VC to the user's mediator endpoint, which stores it encrypted. When a verifier (e.g., a website) requests proof, it sends a Verifiable Presentation Request to the mediator. The mediator then forwards this request to the user's authenticator app (like a mobile wallet) for approval. Upon user consent, the wallet creates a Verifiable Presentation, signs it, and sends it back through the mediator to the verifier. This decouples the always-online mediator from the user's signing keys, which remain securely on their personal device.

This architecture solves critical usability and privacy challenges. It allows for push notifications for credential offers and presentation requests, enabling seamless interactions even when the user's wallet app is closed. Crucially, it prevents verifiers from correlating a user's activity across different services, as the mediator can use different DID identifiers for each interaction. Common implementations include Cloud Agents (e.g., in the Indicio Network or Microsoft Entra Verified ID) and Edge Agents running on user-controlled servers, balancing convenience with sovereignty.

key-features
ARCHITECTURE

Key Features of a Credential Mediator

A Credential Mediator is a trusted intermediary service that manages the flow of Verifiable Credentials (VCs) between holders, issuers, and verifiers. Its core features ensure privacy, interoperability, and user control in decentralized identity ecosystems.

01

Decentralized Identifier (DID) Resolution

The mediator resolves a user's Decentralized Identifier (DID) to discover their service endpoints, including the DIDComm messaging inbox. This is the first step in establishing a secure, direct communication channel without relying on a centralized directory. It enables the mediator to route credential requests and presentations to the correct wallet or agent.

02

Credential Storage & Management

Acts as a secure, cloud-based wallet agent that stores encrypted Verifiable Credentials (VCs) on behalf of the user. It manages the credential lifecycle, including:

  • Receiving issued credentials from organizations.
  • Organizing credentials into a private repository.
  • Preparing and formatting credentials for presentation upon request.

03

Selective Disclosure & Presentation

Enables zero-knowledge proofs (ZKPs) and selective disclosure, allowing users to prove specific claims from a credential without revealing the entire document. For example, proving you are over 21 from a driver's license VC without exposing your birth date, address, or license number. This is a fundamental privacy-preserving feature.

04

Protocol Translation & Interoperability

Translates between different credential exchange protocols (e.g., W3C Verifiable Credentials, OpenID Connect (OIDC), SIOPv2) to ensure seamless interaction between disparate systems. A website using OIDC can request a credential, and the mediator can fulfill it using a W3C VC standard, bridging the Web2 and Web3 identity worlds.

05

User Consent & Authorization

Provides a critical user interface (often a front-end component) that requests explicit user consent before any credential is shared. The user sees who is requesting the data, what specific data is being requested, and for what purpose, maintaining user agency and aligning with principles of Self-Sovereign Identity (SSI).

06

Credential Status Verification

Checks the revocation status of credentials before presenting them. This involves querying a revocation registry (like a Status List or a smart contract) to ensure the credential has not been revoked by its issuer. This step is essential for verifiers to trust the presented data.

visual-explainer
CREDENTIAL MEDIATOR

Visualizing the Mediator's Role

A Credential Mediator is a specialized service that acts as a privacy-preserving intermediary between a user's wallet and a verifier, enabling selective disclosure of Verifiable Credentials without revealing the user's identity or wallet address.

In a typical Verifiable Credential (VC) flow, a user must present a credential from their decentralized identifier (DID) wallet to a service for verification. Without a mediator, this direct presentation can inadvertently expose the user's persistent DID or wallet address, creating a privacy leak and enabling unwanted correlation across different services. The Credential Mediator solves this by inserting itself as an anonymizing relay. The user's wallet communicates only with the mediator, which then forwards the presentation to the verifier, effectively decoupling the user's identity from the transaction.

The mediator's architecture is built around the W3C's DIDComm messaging protocol, which provides secure, encrypted peer-to-peer communication. When a verifier requests a credential, it sends this request to the mediator's public endpoint. The mediator, which already has an established connection with the user's wallet, forwards the request. The wallet prepares the verifiable presentation, signs it, and sends it back to the mediator. Crucially, the mediator strips any identifying routing information before passing the presentation to the verifier, ensuring the verifier only sees the credential proof, not the source.

This model enables powerful privacy patterns like unlinkable presentations. A user can prove they are over 18 to multiple different online services, and without a mediator, each service could theoretically collude to track the user via their public DID. With a mediator acting as a shared, anonymous proxy, each presentation appears to come from the same mediator, making it computationally infeasible for verifiers to link the requests back to a single individual. This preserves user privacy while maintaining the cryptographic trust of the underlying credentials.

Common implementations of this pattern include cloud-based mediators, which offer high availability for everyday applications, and local mediators, such as an agent running on a user's own device for maximum control. Projects like the DIF's Identity Hubs and ACA-Py agents utilize this mediator pattern. The role is essential for scaling decentralized identity systems, as it separates the concerns of credential management from the privacy requirements of presentation, allowing both user-centric control and practical, correlation-resistant authentication on the web.

primary-use-cases
CREDENTIAL MEDIATOR

Primary Use Cases

A Credential Mediator is a service that acts as a trusted intermediary between a relying party (e.g., a website) and a wallet to facilitate the exchange of Verifiable Credentials (VCs). It standardizes the communication flow for requesting and presenting credentials without storing user data.

02

Selective Disclosure of Verifiable Credentials

Facilitates user-controlled data sharing where only specific, necessary attributes from a credential are revealed. The mediator conveys the relying party's request (e.g., "prove you are over 18") to the wallet. The wallet can then create a derived proof showing only the required claim, preserving privacy through zero-knowledge proofs or BBS+ signatures.

03

Cross-Platform Credential Interoperability

Solves the challenge of different wallets and verifiers using disparate protocols. The mediator acts as a universal translator, allowing a wallet implementing the W3C Verifiable Credentials API to seamlessly interact with a website using a different request framework. This bridges ecosystems and prevents vendor lock-in.

04

Streamlining User Consent Flows

Provides a consistent, secure user experience for credential sharing. Instead of each website implementing a custom UI, the mediator presents a standardized interface via the wallet. This gives users clear, auditable consent prompts, showing exactly what data is being requested, who is requesting it, and for what purpose.

05

Enabling Credential Issuance

Manages the flow for receiving new credentials from an issuer. When a user qualifies for a credential (e.g., completing a KYC check), the issuer signals the mediator. The mediator then prompts the user's wallet to accept and securely store the newly issued Verifiable Credential, completing the issuance triangle.

ARCHITECTURE COMPARISON

Mediator vs. Similar Components

A technical comparison of the Credential Mediator's role against other common architectural components in decentralized identity and authorization systems.

| Feature / Role | Credential Mediator | Oracle | Relayer | Smart Contract Wallet |
|---|---|---|---|---|
| Primary Function | Decouples credential presentation from wallet interaction | Feeds external data on-chain | Subsidizes and relays user transactions | Manages assets and executes transactions via smart contract logic |
| Trust Model | Minimal; acts as a routing pipe, not a trust anchor | Critical; system trusts its data feed | Operational; trusts it won't censor transactions | Custodial variant: High (multi-sig committee). Non-custodial: User-controlled |
| Data Handling | Transient routing of Verifiable Credentials/Presentations | Persistent sourcing and reporting of data | Relays signed transaction payloads | Stores and manages asset ownership state |
| User Agency | High; user consent required for each credential flow | None; operates autonomously based on contract logic | Medium; user signs tx, relayer chooses to submit | Defined by smart contract rules (e.g., multi-sig thresholds) |
| Typical Use Case | Signing into a dApp with a decentralized identifier (DID) | Providing a price feed for a DeFi lending protocol | Allowing a user to pay fees in ERC-20 tokens instead of native gas | Social recovery of a wallet or batch transaction execution |
| State Modification | No | Yes (via reported data) | Yes (submits state-changing txs) | Yes (executes contract logic) |
| Key Technical Dependency | W3C Verifiable Credentials, DIDComm protocols | Off-chain data source and attestation mechanism | Transaction fee liquidity, mempool access | Smart contract runtime (EVM, etc.), signature schemes |

security-considerations
CREDENTIAL MEDIATOR

Security and Trust Considerations

A Credential Mediator is a trusted intermediary that facilitates the secure exchange of verifiable credentials (VCs) between holders and verifiers, without tracking the underlying identity data. This section details its core security architecture and trust assumptions.

01

Decentralized Identifier (DID) Resolution

The mediator's security model is anchored in Decentralized Identifiers (DIDs). It does not store user credentials but acts on DID-based requests. Security depends on the integrity of the DID method (e.g., did:web, did:key, did:ethr) and the associated verifiable data registry (like a blockchain) to resolve the DID to its public key and service endpoint.

02

Holder-in-the-Middle Architecture

This design pattern ensures the credential holder maintains control. The mediator sits between the wallet and the verifier, but only passes encrypted messages. The holder's agent (e.g., a mobile wallet) decrypts requests, obtains user consent, and prepares responses. The mediator never sees plaintext credential data, minimizing its attack surface and data leakage risk.

03

Trust Assumptions and Attack Vectors

Users must trust the mediator to:

  • Relay messages faithfully without modification.
  • Maintain availability for service discovery.
  • Protect metadata (e.g., which DIDs are communicating).

Key attack vectors include:

  • Metadata correlation by analyzing traffic patterns.
  • DoS attacks targeting the mediator's endpoint.
  • Compromise of the mediator's DID or service endpoint.

05

Contrast with Centralized Identity Providers

Unlike traditional OAuth/OpenID Connect providers (e.g., "Login with Google"), a credential mediator does not:

  • Issue or validate credentials itself.
  • Act as a centralized point of data aggregation.
  • Have the ability to unilaterally revoke user access.

The trust is shifted from a central authority to the cryptographic proofs embedded in the VCs and the security of the user's wallet.

06

Auditability and Open Standards

Security is bolstered by adherence to open standards like W3C Verifiable Credentials and DIDs. A mediator's operation can be audited because its logic is defined by these specifications. Using public, immutable ledgers for DID resolution provides a transparent and verifiable foundation, reducing reliance on the mediator's proprietary systems.

ecosystem-usage
CREDENTIAL MEDIATOR

Ecosystem Implementation

A Credential Mediator is a trusted intermediary service that facilitates the secure exchange of Verifiable Credentials (VCs) between holders and verifiers in a decentralized identity ecosystem. It acts as a communication bridge, enabling selective disclosure and privacy-preserving authentication without requiring direct, persistent connections between parties.

01

Core Function: Secure Credential Exchange

The mediator's primary role is to securely relay credential presentations and verification requests. It enables a holder (user) to present a credential to a verifier (service) without exposing their direct identity or wallet address. This is achieved through encrypted, ephemeral channels, ensuring the verifier only receives the specific, consented claims needed for the interaction.

02

Architecture & Protocols

Mediators implement standardized protocols like W3C Decentralized Identifiers (DIDs) and Verifiable Credentials Data Model. Key architectural components include:

  • DIDComm: A secure, peer-to-peer messaging protocol for encrypted communication.
  • Credential Offer/Request Flows: Standardized sequences for initiating and completing credential exchanges.
  • Message Queues: Store-and-forward mechanisms for asynchronous communication between wallets and verifiers.

03

Privacy & User Sovereignty

A key design principle is maximizing user privacy. The mediator facilitates selective disclosure, allowing users to prove specific attributes (e.g., 'over 21') without revealing the entire credential. It also prevents correlation by not storing long-term logs of transactions and by using unique session identifiers for each exchange, upholding the principle of data minimization.

04

Example: DIDComm Mediator

In a typical flow using DIDComm v2, the mediator acts as a cloud-based relay. The user's wallet connects to the mediator using a long-lived connection. When a verifier needs to request a credential, it sends an encrypted message to the user's DID, which is routed through the mediator. The wallet receives the request via the mediator, the user consents, and the signed presentation is sent back through the same ephemeral path.

05

Contrast with Direct Peer-to-Peer

Mediators solve key challenges of pure P2P systems:

  • Reliability: They provide a persistent endpoint for services to contact ephemeral mobile wallets.
  • Firewall/NAT Traversal: They bypass network restrictions that can block direct connections.
  • Asynchronous Communication: They allow interactions when the holder's wallet is offline, queuing requests for later delivery.

06

Implementation in Wallets & Services

For widespread adoption, wallet applications (e.g., identity agents) must integrate mediator client libraries. Major frameworks like Microsoft's Entra Verified ID and the OpenID for Verifiable Credentials (OID4VC) suite provide specifications and reference implementations for mediators. Service providers (verifiers) interact with standardized mediator APIs to initiate credential requests without managing complex direct connections.

CREDENTIAL MEDIATOR

Common Misconceptions

Clarifying frequent misunderstandings about the Credential Mediator, a key component of the Decentralized Identifier (DID) ecosystem that manages the flow of verifiable credentials.

No, the Credential Mediator is not a centralized data controller but a protocol-compliant routing service. It operates as a relay or message router that facilitates communication between a holder's wallet and a verifier's service without accessing the credential data itself. The mediator's role is defined by open standards like the DIDComm protocol, ensuring it only passes encrypted messages. The actual verifiable credentials (VCs) and their cryptographic proofs remain under the sole control of the user's wallet, adhering to the core SSI (Self-Sovereign Identity) principle of user-centric data control.

CREDENTIAL MEDIATOR

Frequently Asked Questions

A Credential Mediator is a core component of decentralized identity systems, acting as a privacy-preserving intermediary between users and verifiers. These questions address its function, implementation, and role in the Web3 ecosystem.

A Credential Mediator is a software agent or service that facilitates the secure, privacy-preserving exchange of Verifiable Credentials (VCs) between a holder (user) and a verifier (relying party). It works by intercepting credential presentation requests, such as those initiated by a Decentralized Identifier (DID), and routing them to the user's wallet for selective disclosure. The user approves what specific, minimal data to share (e.g., proving they are over 18 without revealing their birthdate), and the mediator forwards only the authorized proof to the verifier. This architecture separates the user's identity wallet from the website or application, preventing unwanted credential scanning and enabling user-centric control over data flows.

Credential Mediator: Definition & Role in Decentralized Identity | ChainScore Glossary