A W3C Decentralized Identifier (DID) is a globally unique, persistent identifier that does not require a centralized registration authority, enabling individuals and organizations to prove control over their digital identity. Defined by the World Wide Web Consortium (W3C), a DID is a URI string composed of three parts: the did: scheme, a method identifier (e.g., ethr, key, ion), and a method-specific identifier. This structure allows DIDs to be resolved to a DID Document, a JSON-LD file containing the cryptographic keys and service endpoints necessary for authentication and interaction.
LABS
Glossary
W3C Decentralized Identifier (DID)
A W3C standard defining a globally unique, verifiable identifier for decentralized digital identity, enabling control without central authorities.
Chainscore © 2026
definition
IDENTITY STANDARD
What is a W3C Decentralized Identifier (DID)?
A technical standard for creating self-sovereign, verifiable digital identities that are not controlled by any central authority.
The core innovation of a DID is its resolution to a verifiable data registry, typically a blockchain or other distributed ledger, which stores the DID Document's current state. This creates a system of self-sovereign identity (SSI) where the subject (the entity identified by the DID) controls their identifier and associated credentials without reliance on a central issuer or provider. Control is proven cryptographically using the public keys listed in the DID Document, enabling secure, peer-to-peer interactions. This is a fundamental shift from traditional, siloed identity models controlled by corporations or governments.
DIDs enable a wide range of verifiable credentials use cases, such as issuing tamper-proof digital driver's licenses, university degrees, or professional certifications. For example, a university could issue a credential to a DID controlled by a graduate, who could then present it to an employer for instant, cryptographically-verified proof of their degree. Other applications include decentralized login systems (DID Auth), secure messaging, and supply chain provenance. The DID method specification defines how a specific blockchain or network creates, resolves, updates, and deactivates DIDs, with popular methods including did:ethr for Ethereum and did:key for simple key pairs.
how-it-works
MECHANISM
How Does a W3C DID Work?
A technical breakdown of the core components and resolution process that enable a W3C Decentralized Identifier (DID) to function without a central registry.
A W3C Decentralized Identifier (DID) works by separating the identifier itself from the systems that manage and verify it, using a three-part architecture: the DID, the DID Document (DID Doc), and the DID Method. The DID itself is a unique URI (e.g., did:example:123456) that points to its corresponding DID Document. This document, hosted on a verifiable data registry like a blockchain or distributed ledger, contains the cryptographic material (public keys), service endpoints, and verification methods needed to authenticate the DID's controller and interact with them. The DID Method is the technical specification that defines how to create, read, update, and deactivate (CRUD) DIDs and their documents on a specific ledger or network.
The core operational process is DID Resolution. When a relying party (e.g., a website or app) receives a DID, it performs resolution to fetch the current, cryptographically verifiable DID Document. This involves parsing the DID to identify its method (the did:example: part) and using the corresponding method's resolver to query the appropriate verifiable data registry. The resolver retrieves the DID Document, which is typically signed or anchored in the registry, ensuring its integrity. The relying party can then use the public keys and service endpoints in the document to encrypt data for the DID's owner, verify digital signatures, or initiate secure communication channels, all without contacting a central authority.
DID Authentication and Verifiable Credentials are primary use cases enabled by this mechanism. To authenticate, a DID controller signs a challenge with the private key corresponding to a public key listed in their DID Document. The verifier uses the public key from the resolved document to cryptographically verify the signature, proving control of the DID. For Verifiable Credentials, issuers sign credentials with their DID, and holders present proofs derived from those credentials. Verifiers resolve the issuer's DID to obtain their public key and verify the credential's signature, establishing trust based on cryptographic proof rather than a centralized certificate authority.
key-features
CORE ARCHITECTURE
Key Features of W3C DIDs
W3C Decentralized Identifiers (DIDs) are a new type of identifier that enable verifiable, self-sovereign digital identity. These features define their unique properties and capabilities.
01
Decentralized & Self-Sovereign
A DID is controlled solely by its subject (person, organization, or thing), not by a central issuing authority like a government or corporation. This shifts control from centralized registries to the individual, using cryptographic key pairs for proof of ownership. The identifier itself is a URI that points to a DID Document stored on a verifiable data registry, such as a blockchain or distributed ledger.
02
The DID Document (DID Doc)
Every DID resolves to a DID Document, a JSON-LD file containing the information necessary to interact with the DID subject. Key components include:
- Public Keys: For authentication and establishing secure communication.
- Service Endpoints: To enable trusted interactions (e.g., messaging, data storage).
- Verification Methods: Specifications for proving control, such as digital signatures. This document is the machine-readable source of truth for the DID's capabilities.
03
Verifiable & Cryptographically Secure
Control over a DID is proven using standard public-key cryptography. The subject signs data with their private key, and any verifier can confirm the signature using the public key published in the DID Document. This enables verifiable credentials and secure interactions without relying on a trusted third party for authentication. The integrity of the DID Document itself can also be verified via the underlying ledger.
04
Persistent & Resolvable
A DID is designed to be a long-lived, persistent identifier. It does not contain routing information or location details. Instead, it is resolved through a standardized DID method to fetch its current DID Document. This separation allows the underlying infrastructure (e.g., the blockchain) to change or upgrade without invalidating the identifier, as long as the resolution process remains functional.
05
DID Methods & Interoperability
A DID method defines the specific operations (create, read, update, deactivate) for a particular type of verifiable data registry (e.g., did:ethr: for Ethereum, did:key: for simple keys). The W3C standard provides the core data model and syntax, while DID methods implement it for specific networks. This allows for ecosystem diversity while aiming for semantic interoperability across different systems.
06
Privacy-Enhancing by Design
DIDs support privacy patterns like pairwise-pseudonymous identifiers, where a subject uses a different, unique DID for each relationship to prevent correlation across contexts. Because DIDs are not inherently tied to real-world identifiers, they minimize data exposure. The subject can selectively disclose information via verifiable credentials, providing data minimization and user-centric control over personal data.
examples
IMPLEMENTATIONS
Examples of DID Methods & Use Cases
A DID Method defines the specific mechanism for creating, resolving, updating, and deactivating DIDs on a particular verifiable data registry, such as a blockchain. These examples illustrate the diversity of approaches and their practical applications.
did-document
W3C DECENTRALIZED IDENTIFIER (DID)
The DID Document
A machine-readable document that describes a decentralized identifier (DID) and its associated cryptographic keys, services, and verification methods.
A DID Document is a JSON-LD or JSON data structure that contains the public keys, authentication protocols, and service endpoints necessary to interact with the entity identified by a Decentralized Identifier (DID). It is the core resource that makes a DID functional, as it provides the mechanism for proving control and enabling trusted interactions. The document is typically resolved by querying the underlying verifiable data registry (like a blockchain) where the DID is anchored, using the DID's unique URI.
The structure of a DID Document is defined by the W3C standard and includes several key sections. The verificationMethod property lists the public keys or other cryptographic material, such as those used for digital signatures. The authentication and assertionMethod properties specify which verification methods are used to prove control of the DID. The service endpoints define how to communicate with the DID subject, enabling connections to decentralized web nodes, credential repositories, or other interactive services.
Control and Updates are fundamental to the DID Document. Only the controller who possesses the corresponding private keys can update the document, for example, to rotate keys or add new services. This update mechanism is governed by the rules of the specific DID method used (e.g., did:ethr, did:key). The document's integrity is protected by the underlying blockchain or decentralized network, ensuring that any changes are verifiable and tamper-evident, which is crucial for maintaining long-term trust.
In practical use, a DID Document enables verifiable credentials and secure interactions. For instance, when a user presents a credential, a verifier resolves the issuer's DID to fetch its DID Document, retrieves the appropriate public key, and cryptographically verifies the signature. This process creates a trust model that does not rely on a central certificate authority. The document's service endpoints can also be used to initiate DIDComm encrypted messaging or discover linked data associated with the identity.
ARCHITECTURAL COMPARISON
DID vs. Traditional Identifiers
A structural comparison of Decentralized Identifiers (DIDs) and centralized identity models.
| Feature | Decentralized Identifier (DID) | Traditional Identifier (e.g., Email, OAuth) |
|---|---|---|
Architectural Model | Decentralized | Centralized or Federated |
Issuance & Control | Self-Sovereign (User-Controlled) | Issuer-Controlled |
Underlying Registry | Verifiable Data Registry (e.g., blockchain) | Centralized Database or Directory |
Cryptographic Proof | Verifiable Credentials & Digital Signatures | Typically Password or OAuth Token |
Persistence & Portability | Inherently Portable; Persistent Identifier | Bound to Issuing Service Provider |
Resolvable Endpoint | DID Document (Decentralized) | Provider's API (Centralized) |
Censorship Resistance | High (No Single Point of Control) | Low (Subject to Provider's Policies) |
Interoperability Standard | W3C DID & VC Specifications | Proprietary or Platform-Specific Protocols |
ecosystem-usage
CORE IDENTITY LAYER
Ecosystem Usage in DeSci & Web3
W3C Decentralized Identifiers (DIDs) provide a foundational, self-sovereign identity layer for Web3 and DeSci, enabling verifiable credentials, data provenance, and permissioned access without centralized authorities.
01
Core Technical Specification
A W3C Decentralized Identifier (DID) is a globally unique, persistent identifier that does not require a centralized registration authority. It is defined by a URI scheme (did:) and consists of three parts: a DID Method (e.g., key, ethr, ion), a method-specific identifier, and an optional path or fragment. The identifier is cryptographically bound to a DID Document, a JSON-LD file containing public keys, service endpoints, and verification methods for authentication and interaction.
02
Verifiable Credentials (VCs)
DIDs are the primary mechanism for issuing and verifying Verifiable Credentials in Web3. A VC is a tamper-evident credential (like a diploma or license) whose authorship can be cryptographically verified. Key components:
- Issuer: Signs the credential with their DID.
- Holder: Stores the credential in a digital wallet, linked to their DID.
- Verifier: Checks the credential's signature against the issuer's DID on the Verifiable Data Registry (often a blockchain). This creates trust without direct communication between parties.
03
Decentralized Science (DeSci) Applications
In DeSci, DIDs enable reproducible research and data sovereignty.
- Author Attribution: Researchers can permanently link publications, datasets, and code to their DID, creating an immutable scholarly record.
- Data Provenance: Experimental data can be signed with a lab's DID, creating a verifiable chain of custody from collection through analysis.
- Peer Review & Grants: Anonymous peer review can be conducted using DIDs to prove expertise without revealing identity, and grant distributions can be automated to DID-controlled wallets.
05
DID Methods & Blockchain Integration
Different DID Methods specify how a DID is created, resolved, updated, and deactivated on various underlying systems. Common types include:
- Blockchain-Native (did:ethr, did:sol): The DID is directly registered and managed via transactions on a blockchain like Ethereum or Solana.
- Off-Chain (did:key): A DID derived directly from a public key, useful for lightweight, temporary relationships.
- Side-Tree/Layer 2 (did:ion): Uses a secondary protocol (like ION) built on Bitcoin for high-throughput DID operations, anchoring proofs to the base ledger for security.
W3C DECENTRALIZED IDENTIFIER (DID)
Technical Details
A W3C Decentralized Identifier (DID) is a new type of globally unique, cryptographically verifiable identifier that is controlled by the entity it identifies, not by a central registry. This section details its core components, technical operation, and relationship to blockchain technology.
A W3C Decentralized Identifier (DID) is a globally unique, cryptographically verifiable identifier that is created, owned, and controlled by the entity it identifies, without reliance on a central authority. It works through a three-part system: the DID URI, a DID Document, and a Verifiable Data Registry.
- DID URI: A standardized string like
did:example:123456789abcdefghi. It consists of thedid:scheme, a DID Method identifier (e.g.,ethr,key,ion), and a unique, method-specific identifier. - DID Document: A JSON-LD document containing the public keys, service endpoints, and verification methods associated with the DID. It is resolved from the DID URI.
- Verifiable Data Registry: A decentralized system (like a blockchain, distributed ledger, or peer-to-peer network) where the DID Document is anchored and its integrity is guaranteed.
The entity proves control by signing with the private key corresponding to a public key in its DID Document, enabling self-sovereign identity.
W3C DECENTRALIZED IDENTIFIER (DID)
Common Misconceptions
Clarifying widespread misunderstandings about the W3C Decentralized Identifier (DID) standard, its relationship to blockchain, and its practical applications.
No, a Decentralized Identifier (DID) is a standard URI format for a globally unique identifier, while a blockchain address is a specific type of cryptographic public key or hash. A DID is a persistent identifier that can be resolved to a DID Document (DIDDoc), which contains public keys, service endpoints, and other metadata. While a blockchain address can be used within a DID system (e.g., did:ethr:0x...), a DID is an abstraction layer that is not inherently tied to any single blockchain. This allows DIDs to be blockchain-agnostic, portable, and capable of key rotation, which most native blockchain addresses are not.
W3C DECENTRALIZED IDENTIFIER (DID)
Frequently Asked Questions (FAQ)
A technical FAQ addressing common developer and architectural questions about W3C Decentralized Identifiers, the core standard for self-sovereign identity on the web.
A W3C Decentralized Identifier (DID) is a globally unique, persistent, and cryptographically verifiable identifier that is controlled by its subject (e.g., a person, organization, or device) without reliance on a central registry, identity provider, or certificate authority. It is defined by the World Wide Web Consortium (W3C) as a URI composed of three parts: the did: scheme, a DID Method identifier (e.g., ethr, key, ion), and a method-specific identifier. A DID resolves to a DID Document, a JSON-LD document containing public keys, verification methods, and service endpoints that enable trusted interactions. This architecture enables self-sovereign identity, where the controller proves ownership using private keys without asking for permission from a central authority.
further-reading
W3C DECENTRALIZED IDENTIFIER (DID)
Further Reading
Explore the core components, standards, and practical applications of Decentralized Identifiers (DIDs), the foundation of self-sovereign digital identity.
06
Real-World Use Cases
DIDs enable practical applications across industries:
- Supply Chain: Verifiable provenance of goods.
- Finance: KYC/AML credentials that are privacy-preserving.
- Healthcare: Patient-controlled medical records.
- Gaming & NFTs: Portable, sovereign player identities and asset ownership.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall