A DID Document is a JSON-LD or JSON object that contains the public keys, authentication mechanisms, and service endpoints associated with a Decentralized Identifier (DID). It is the core data structure that enables a DID controller to prove control and interact with the identity. The document is automatically resolved from a DID method on a verifiable data registry, such as a blockchain, and its integrity is protected by the underlying ledger's consensus mechanism.
LABS
Glossary
DID Document
A DID Document is a machine-readable JSON-LD file that describes a Decentralized Identifier (DID), containing public keys, verification methods, and service endpoints for secure interaction.
Chainscore © 2026
definition
DECENTRALIZED IDENTITY
What is a DID Document?
A DID Document is the machine-readable data structure that describes a Decentralized Identifier (DID) and its associated cryptographic keys, services, and verification methods.
The primary components within a DID Document include verification methods, which are cryptographic public keys or other proofs used for authentication, assertion, and key agreement. It also lists service endpoints, which are URLs for interacting with the DID subject, such as a hub for encrypted data storage or a credential repository. These components allow the document to function as a self-sovereign, portable identity profile that is not dependent on a central authority.
The lifecycle of a DID Document is managed through DID operations—Create, Read, Update, Deactivate—as defined by the W3C standard. Updates, such as key rotation or adding new services, are executed by submitting transactions to the underlying verifiable data registry, creating an immutable audit trail. This ensures the document can evolve over time while maintaining a verifiable history of changes, which is critical for long-lived digital identities.
In practical use, a DID Document is resolved by a client or verifier to obtain the current public keys needed to verify a Verifiable Credential or a Verifiable Presentation. For example, when verifying a digital driver's license, the verifier resolves the issuer's DID to fetch their DID Document, retrieves the appropriate public key, and uses it to cryptographically verify the credential's signature. This process establishes trust without relying on a pre-existing relationship or a centralized certificate authority.
how-it-works
DECENTRALIZED IDENTITY
How a DID Document Works
A DID Document is the machine-readable data structure that describes a Decentralized Identifier (DID), containing the cryptographic keys, service endpoints, and metadata needed to verify and interact with the identity.
A DID Document is a JSON-LD or JSON object that serves as the authoritative source of information for a Decentralized Identifier (DID). Its primary function is to enable cryptographic verification of the DID subject, typically by listing public keys, known as verification methods. These keys are used for authentication, asserting control, and signing verifiable credentials. The document is resolved from a DID method—a specific blockchain or network protocol—by converting the DID string (e.g., did:example:123456) into its corresponding document.
The core components of a DID Document include the id (the DID itself), verificationMethod entries for public keys, and authentication and assertionMethod properties that reference these keys for specific operations. It also contains service endpoints, which are URLs for interacting with the identity holder, such as a linked data storage hub or a messaging service. This structure allows the document to be both a verification tool and a discovery mechanism, enabling secure, decentralized interactions without relying on a central directory.
DID Resolution is the process of fetching the current, valid DID Document from the underlying decentralized system, such as a blockchain, peer-to-peer network, or distributed file system. The resolution process must also handle DID URL dereferencing, which targets a specific component within the document, like a single key or service. This ensures that any party can independently and trustlessly retrieve the information needed to verify proofs and establish secure communication channels with the DID's controller.
key-components
DECONSTRUCTED
Key Components of a DID Document
A DID Document is a machine-readable JSON-LD object containing the cryptographic material and service endpoints necessary to interact with a Decentralized Identifier. These are its core structural elements.
01
DID Subject
The DID Subject is the entity—person, organization, device, or data object—identified by the Decentralized Identifier (DID). The DID Document itself is the authoritative description of this subject.
- The subject is referenced by the DID URI (e.g.,
did:example:123456). - The document's primary purpose is to enable cryptographic verification of the subject's control.
02
Verification Methods
Verification Methods are the core cryptographic proofs, defining how the DID controller authenticates or interacts. They are listed in the verificationMethod property.
- Each method has a unique ID, type (e.g.,
JsonWebKey2020,Ed25519VerificationKey2020), controller, and the public key material. - They are referenced by other sections like
authenticationorassertionMethodto specify their usage.
03
Authentication
The Authentication property specifies which verification methods can be used to prove control of the DID, typically for logging in or signing into applications. This is a foundational capability for decentralized identity.
- It can directly embed a key or reference one from
verificationMethod. - Enables protocols like DID Auth and SIOP (Self-Issued OpenID Connect).
04
Service Endpoints
Service Endpoints are network locations for interacting with the DID subject, listed in the service property. They decouple the identifier from specific protocols.
- Common endpoint types include LinkedDomains, DIDCommMessaging, and VerifiableCredentialRepository.
- Each endpoint has an ID, type, and service endpoint URI (e.g.,
https://example.com/agent).
05
Assertion Method & Capability Invocation
These properties define keys for specific authorization actions.
- Assertion Method: Specifies keys authorized to issue Verifiable Credentials or other assertions.
- Capability Invocation: Specifies keys authorized to invoke cryptographic capabilities, such as updating the DID Document itself.
These provide fine-grained security beyond basic authentication.
06
Also Known As & Controller
Also Known As (alsoKnownAs): An array of other identifiers (DIDs, URLs) for the same subject, enabling identity correlation.
Controller: Specifies one or more DIDs that have the authority to make changes to this DID Document. This is critical for delegated management or organizational DIDs where the subject and controller differ.
json-ld-structure
DECODING THE DATA MODEL
JSON-LD Structure and Semantics
This section details the technical framework of a DID Document, focusing on its representation as a JSON-LD (JavaScript Object Notation for Linked Data) document and the semantic meaning of its core properties.
A DID Document is a machine-readable resource, typically expressed in JSON-LD, that describes a Decentralized Identifier (DID) and its associated cryptographic keys, services, and verification methods. The JSON-LD format is critical because it provides a standardized structure while enabling semantic interoperability; it defines a @context property that links the JSON data to formal vocabularies, ensuring terms like verificationMethod and service have globally understood meanings across different systems and applications.
The core semantics of a DID Document revolve around three primary components: verification methods, service endpoints, and the DID subject. Verification methods, such as public keys, define how the DID controller can cryptographically prove control, for instance, by creating digital signatures. Service endpoints are network addresses (URIs) for interacting with the DID subject, enabling functionalities like messaging or credential exchange. The DID subject is the entity (person, organization, device) identified by the DID, and the document serves as its authoritative digital descriptor.
JSON-LD's linked data capabilities allow DID Documents to be extensible and composable. Developers can define custom verification relationship types (e.g., keyAgreement for encryption, assertionMethod for signing verifiable credentials) and service types by referencing new vocabularies in the @context. This flexibility supports complex use cases without breaking existing parsers, as they can ignore unfamiliar properties. The structure also enables selective disclosure and proof mechanisms, where specific parts of the JSON-LD graph can be cryptographically verified without exposing the entire document.
verification-methods
DID DOCUMENT
Types of Verification Methods
A DID Document's verification methods define the cryptographic mechanisms a DID subject can use to prove control and authenticate. These are the core building blocks for decentralized identity.
01
Public Key Methods
The most fundamental verification method, listing cryptographic public keys. These keys are used for digital signatures and encryption.
- Example Types:
Ed25519VerificationKey2020,EcdsaSecp256k1VerificationKey2019,RSAVerificationKey2018. - Structure: Includes the public key material, its ID (e.g.,
#key-1), controller (the DID), and type. - Usage: Proves control of the corresponding private key for signing verifiable credentials or authentication challenges.
02
Blockchain Account Methods
Links the DID to a specific blockchain account address, enabling on-chain verification of ownership and actions.
- Example Types:
EcdsaSecp256k1RecoveryMethod2020,Ed25519BlockchainAccountId. - Mechanism: The verification method contains the blockchain account address (e.g., an Ethereum
0x...address). A verifier can check that a signature from that address corresponds to a transaction or message linked to the DID. - Use Case: Directly proving control of a wallet for decentralized finance (DeFi) or NFT interactions.
03
Verification Relationships
Properties within the DID Document that specify how each verification method can be used, defining its authorization scope.
- Key Properties:
authentication: Proves the DID subject is interacting with an entity (for logging in).assertionMethod: Used for signing verifiable credentials and assertions.keyAgreement: Establishes encrypted communication channels.capabilityInvocation: Authorizes changes to the DID Document itself.
- Flexibility: A single verification method (like a public key) can be referenced by multiple relationships.
04
Embedded vs Referenced Methods
Verification methods can be defined directly within the DID Document or referenced from an external source.
- Embedded Method: The full public key or cryptographic data is included directly in the
verificationMethodarray. This is the most common approach. - Referenced Method: The
verificationMethodarray contains a reference (URI) to a key or proof located elsewhere, such as a blockchain transaction or a secure hardware module. This is useful for key rotation or hardware security modules (HSMs).
05
Cryptographic Suites & Linked Data Proofs
Verification methods are often associated with specific cryptographic suites that define the exact algorithms and data formats for creating and verifying proofs.
- Linked Data Proofs: Standards like
Ed25519Signature2020orJsonWebSignature2020define how to create a machine-readable, cryptographically-verifiable proof using a referenced verification method. - Interoperability: Using standardized suites ensures verifiers from different systems can understand and validate the proofs generated by the DID subject.
ecosystem-usage
DID DOCUMENT
Ecosystem Usage and DID Methods
A DID Document is a machine-readable JSON-LD file that contains the cryptographic material and service endpoints necessary to interact with a Decentralized Identifier (DID).
01
Core Structure & Components
A DID Document is a JSON object containing essential information for a DID. Its core components include:
id: The DID itself, serving as the document's primary identifier.verificationMethod: An array of public keys, cryptographic suites, or other verification methods (e.g.,Ed25519VerificationKey2020).authentication: Specifies which verification methods can be used to authenticate the DID subject.assertionMethod: Specifies methods for creating verifiable credentials.service: An array of service endpoints (e.g., a linked storage location, a messaging service) for interacting with the DID subject.
02
Resolving a DID to its Document
The process of retrieving a DID Document from its DID identifier is called resolution. This is performed by a DID Resolver, which follows the rules of the specific DID method.
- The resolver queries the underlying system (e.g., a blockchain, a distributed ledger, or a P2P network) where the DID is anchored.
- It fetches the corresponding DID Document data, which may be stored on-chain or referenced via a content-addressable system like IPFS.
- The output is a DID Resolution Result, a wrapper containing the document, metadata, and resolution status.
03
W3C Standardization & JSON-LD
DID Documents are defined by the World Wide Web Consortium (W3C) as a core part of the Decentralized Identifiers (DIDs) v1.0 specification. The standard mandates the use of JSON-LD (JavaScript Object Notation for Linked Data).
- JSON-LD provides a formal data model and context (
@context), enabling semantic interoperability. - This allows documents to be understood as a graph of linked data, making them processable by machines across different systems and DID methods.
- The
@contextfield typically points tohttps://www.w3.org/ns/did/v1.
04
Common DID Methods & Their Documents
Different DID methods store and manage DID Documents in distinct ways, influencing their structure and capabilities.
did:ethr(Ethereum): The document is derived from an on-chain registry smart contract; public keys are Ethereum addresses.did:key: A simple, self-contained method where the public key is encoded directly into the DID itself, and the document is generated algorithmically.did:web: The DID Document is hosted at a predictable HTTPS URL, enabling easy adoption for web services.did:ion(Sidetree/ION): Uses a Layer 2 protocol on Bitcoin to create scalable, high-throughput DID operations with document history.
05
Service Endpoints & Interoperability
The service array is a critical component for enabling real-world interactions. It allows a DID controller to declare how they can be reached or what services they offer.
- Common endpoint types:
LinkedDomains,DIDCommMessaging,CredentialRepository. - For example, a
DIDCommMessagingendpoint allows other entities to send encrypted messages to the DID subject. - This design decouples the persistent identifier (DID) from ephemeral service locations, enabling seamless service migration and interoperability across different agent frameworks and ecosystems.
06
Document Updates & Controller Authentication
DID Documents are not static; they can be updated by entities that prove control. This is governed by the verificationMethod and authentication sections.
- To update a document (e.g., rotate a key, add a service), a controller must sign the update operation with a private key corresponding to a listed verification method.
- The specific update mechanism (e.g., a blockchain transaction, a signed patch file) is defined by the DID method.
- This provides a secure, cryptographic basis for self-sovereign identity, where the subject maintains control without relying on a central authority.
DECENTRALIZED IDENTITY COMPARISON
DID Document vs. Traditional Digital Certificate
A technical comparison of the core architectural and operational differences between decentralized identifiers and traditional PKI-based certificates.
| Feature / Attribute | DID Document (Decentralized Identifier) | Traditional Digital Certificate (X.509 PKI) |
|---|---|---|
Issuing Authority | Self-issued or decentralized network (e.g., blockchain, ledger) | Centralized Certificate Authority (CA) |
Root of Trust | Decentralized system (e.g., verifiable data registry) | Centralized CA hierarchy and root certificates |
Identifier (Subject) | Decentralized Identifier (DID) - persistent, controller-owned URI | Subject Distinguished Name (DN) - bound to CA namespace |
Revocation Mechanism | Direct controller update of DID Document | Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) |
Proof Purpose Binding | Explicit | Implicit via certificate extensions (e.g., keyUsage, extendedKeyUsage) |
Portability & Control | Controller has full cryptographic control; portable across systems | Bound to issuing CA; control ceded to CA for issuance/revocation |
Lookup / Resolution | Resolved via a DID method from a verifiable data registry | Validated via CA's signature chain and published CRLs |
Primary Use Case | User-centric, interoperable decentralized identity and verifiable credentials | Machine-to-machine authentication (TLS/SSL), enterprise PKI |
DID DOCUMENT
Frequently Asked Questions (FAQ)
A DID Document is the core data structure of a decentralized identifier. These questions address its purpose, structure, and practical use.
A DID Document is a JSON-LD data structure that contains the cryptographic material, verification methods, and service endpoints necessary to prove control of a Decentralized Identifier (DID). It works by binding a DID (like did:example:123456) to a set of public keys, allowing the DID controller to authenticate and interact securely without a central authority. The document is typically retrieved by resolving the DID against a DID method, such as did:ethr: or did:key:, which defines the specific blockchain or network rules. It is the foundational component for Verifiable Credentials and decentralized identity systems.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall