Decentralized Identifiers (DIDs) are a foundational component of self-sovereign identity (SSI) in Web3. Unlike traditional accounts tied to a central database, a DID is a cryptographically verifiable identifier that an individual, organization, or device controls directly. It is typically expressed as a URI, such as did:ethr:0xabc123..., and is anchored on a public blockchain or decentralized network. This creates a portable, censorship-resistant identity layer that users can employ across different services without relying on a single issuing authority.
LABS
Guides
Setting Up a Decentralized Identity (DID) Framework for Market Participants
A technical tutorial for implementing a decentralized identity system for issuers, investors, and service providers in regulated token markets. Covers DID issuance, verifiable credentials for KYC/AML, ZK proofs for privacy, and on-chain integration.
Chainscore © 2026
introduction
INTRODUCTION
Setting Up a Decentralized Identity (DID) Framework for Market Participants
A practical guide to implementing a DID framework for secure, user-controlled identity in Web3 applications.
The core technical components of a DID framework include the DID Document (DIDDoc) and Verifiable Credentials (VCs). The DIDDoc, resolvable from the DID itself, contains the public keys, authentication mechanisms, and service endpoints necessary for interaction. Verifiable Credentials are tamper-evident, privacy-respecting digital attestations—like a proof of KYC or membership—that can be issued to a DID holder. The holder can then present cryptographically signed Verifiable Presentations to verifiers, enabling trust without exposing underlying personal data.
For market participants—such as DeFi users, NFT collectors, or DAO members—implementing a DID framework starts with choosing a DID method. Popular blockchain-native methods include did:ethr (Ethereum, Polygon), did:pkh (Public Key Hash, used by Ceramic), and did:key. The choice depends on your target chain, required functionality, and the need for key rotation or service endpoints. Libraries like ethr-did-registry for Ethereum or did-resolver provide the tools to create, resolve, and update DIDs programmatically.
A basic implementation involves generating a key pair, creating the DID, and publishing its initial document. For example, using the ethr-did library with an Ethereum provider, you can create a new identity controlled by a private key. The corresponding DIDDoc is registered on-chain, allowing any service to resolve the public key and verify signatures from that DID. This establishes a root of trust for all subsequent interactions, from signing transactions to receiving credentials.
Integrating this identity layer into an application enables powerful features. Users can sign in with their wallet (Sign-In with Ethereum, SIWE), proving control of their DID without a password. Platforms can issue non-transferable Soulbound Tokens (SBTs) or Verifiable Credentials to a user's DID as proof of reputation, accreditation, or participation. This creates a composable identity graph where trust and history are portable across dApps, reducing redundant KYC checks and enabling new forms of sybil-resistant governance and credit.
prerequisites
SETUP
Prerequisites
Before implementing a decentralized identity (DID) system, you need the right tools, accounts, and foundational knowledge. This section outlines the essential prerequisites for developers and organizations.
A decentralized identifier (DID) is a new type of globally unique identifier that an individual, organization, or device controls without a central registry. Unlike traditional usernames or email addresses, DIDs are anchored on a verifiable data registry, typically a blockchain or distributed ledger. This gives users self-sovereign identity (SSI), meaning they own and control their credentials without intermediaries. The core specifications are governed by the W3C Decentralized Identifiers (DID) 1.0 standard, which defines the data model and syntax for creating and resolving DIDs.
You will need a development environment capable of interacting with blockchain networks and cryptographic operations. Essential tools include Node.js (v18+) and a package manager like npm or yarn. For blockchain interaction, install a library such as ethers.js v6 or viem. You'll also need a DID method library specific to your chosen blockchain; for Ethereum-based DIDs (did:ethr), use the ethr-did-resolver and ethr-did-registry packages. A basic understanding of public-key cryptography and JSON Web Tokens (JWT) or Verifiable Credentials (VCs) is required to understand how proofs and signatures work.
To deploy and test DIDs, you need access to a blockchain network. For initial development, you can use a local testnet like Hardhat or Anvil. For staging, use a public testnet such as Sepolia or Goerli, which require test ETH from a faucet. You will need a crypto wallet (e.g., MetaMask) to manage the private keys that control your DIDs. Finally, secure a RPC provider endpoint from a service like Alchemy, Infura, or QuickNode to connect your application to the blockchain. These accounts and endpoints are necessary for writing transactions to the ledger, which is how DIDs are created and updated.
architecture-overview
SYSTEM ARCHITECTURE OVERVIEW
Setting Up a Decentralized Identity (DID) Framework for Market Participants
This guide outlines the core components and design patterns for implementing a Decentralized Identity (DID) system, enabling verifiable, self-sovereign credentials for users and entities in Web3 markets.
A Decentralized Identity (DID) framework shifts control of digital credentials from centralized authorities to the individual. At its core, it consists of three key elements: DIDs, which are unique, persistent identifiers (like did:ethr:0xabc123...); Verifiable Credentials (VCs), which are tamper-evident claims issued by trusted entities; and Verifiable Presentations (VPs), which are selective disclosures of these credentials. This architecture enables market participants—whether traders, DAO members, or service providers—to prove their reputation, qualifications, or compliance without relying on a single, fallible database.
The technical stack for a DID system is built on decentralized identifiers and W3C Verifiable Credentials data model. Developers typically use libraries like did-jwt-vc or frameworks from the Decentralized Identity Foundation (DIF). The architecture involves an issuer (e.g., a KYC provider), a holder (the user's wallet), and a verifier (a dApp). Credentials are signed cryptographically, often using EdDSA or ES256K algorithms, and their integrity is anchored to a blockchain—commonly Ethereum for its widespread wallet adoption—via a DID Registry smart contract that maps DIDs to public keys.
For on-chain integration, a DID Registry contract is deployed to manage the lifecycle of DIDs. A basic Solidity contract stores a mapping from a DID identifier to a public key and controller address. When a user needs to present a credential, their wallet (like MetaMask) signs a challenge. The verifier's backend then resolves the user's DID to their current public key via the registry and validates the signature and credential proof. This creates a trustless verification flow.
Implementing this requires careful key management. Users' private keys must be secured in a non-custodial wallet. For recovery, consider social recovery via smart contracts (like Argent Wallet) or shamir secret sharing. Furthermore, to maintain privacy, frameworks like Zero-Knowledge Proofs (ZKPs) can be used with VCs, allowing users to prove they hold a valid credential (e.g., being over 18) without revealing the underlying data. zkSNARK circuits, as used by protocols like Semaphore, are a common approach for this selective disclosure.
In a DeFi or marketplace context, DIDs enable soulbound tokens (SBTs) for non-transferable reputation, sybil-resistant governance, and compliant access to financial services. For example, a lending protocol could require a verifiable credential from an accredited investor issuer before allowing access to certain pools. The architecture's success hinges on interoperability; using standard DID methods (like did:ethr or did:key) and VC formats ensures credentials are portable across different platforms and verifiers.
core-tools-libraries
DID FRAMEWORK
Core Tools and Libraries
Essential libraries and protocols for implementing decentralized identity (DID) systems, enabling verifiable credentials and self-sovereign identity for users and market participants.
step-1-did-creation
FOUNDATION
Step 1: Creating and Managing DIDs
This guide explains how to create and manage Decentralized Identifiers (DIDs), the foundational component for self-sovereign identity in Web3 markets.
A Decentralized Identifier (DID) is a globally unique, persistent identifier that an individual, organization, or device controls without reliance on a central registry. Unlike traditional usernames or email addresses, a DID is anchored on a verifiable data registry, typically a blockchain like Ethereum or Polygon. This creates a portable, censorship-resistant identity that users own and manage via cryptographic keys. For market participants, this is the first step to establishing a trusted, interoperable presence across different platforms and services.
Creating a DID involves generating a DID Document (DID Doc). This JSON-LD document contains the public keys, authentication mechanisms, and service endpoints associated with the DID. The most common method is using the did:ethr method, where the DID is derived directly from an Ethereum public key (e.g., did:ethr:0xabc123...). You can create one programmatically using libraries like ethr-did or did-jwt. The core action is generating a keypair and registering the corresponding DID Document on-chain or with a resolver.
Here is a basic example using the ethr-did library to create and resolve a DID:
javascriptimport { EthrDID } from 'ethr-did'; import { ethers } from 'ethers'; // 1. Generate a new Ethereum keypair const provider = new ethers.providers.JsonRpcProvider('RPC_URL'); const wallet = ethers.Wallet.createRandom().connect(provider); // 2. Instantiate the EthrDID controller const ethrDid = new EthrDID({ identifier: wallet.address, chainNameOrId: 'mainnet', // or 'sepolia', 137 (Polygon) provider, registry: '0xdca7ef03e98e0dc2b855be647c39abe984fcf21b' // EthrDID Registry }); // The DID string is automatically derived console.log('DID:', ethrDid.did); // did:ethr:0xYourAddress... // 3. (Optional) Resolve the DID Document const resolver = new Resolver(getResolver({ name: 'mainnet', provider })); const didDocument = await resolver.resolve(ethrDid.did);
Managing your DID involves updating its DID Document to add new public keys for different devices, specify service endpoints for communication, or delegate authority. Key actions include:
- Adding a Verification Method: Attach a new public key for signing verifiable credentials.
- Adding a Service Endpoint: Link to a user's hub for receiving messages or storing credentials.
- Revoking Keys: Deactivate compromised keys to maintain security. These updates are signed by the current controller's private key and submitted as transactions to the underlying blockchain, ensuring an immutable audit trail of all changes.
For market applications, a well-managed DID serves as the root of trust. It allows a trader to prove they control an on-chain address history, a protocol to issue attested credentials (like KYC status), and a marketplace to verify a user's reputation across platforms without a central database. The next step is using this DID to issue and present Verifiable Credentials, which are tamper-proof claims about the identity subject.
step-2-vc-issuance
IMPLEMENTATION
Step 2: Issuing Verifiable Credentials for KYC/AML
This guide details the technical process of issuing a Verifiable Credential (VC) to a user who has completed KYC/AML checks, using the W3C Verifiable Credentials Data Model and decentralized identifiers (DIDs).
A Verifiable Credential (VC) is a tamper-evident digital credential whose authorship and integrity can be cryptographically verified. In our KYC/AML context, the credential's issuer is the regulated entity (e.g., a financial institution), the holder is the user who passed checks, and the verifier is any dApp or service needing proof. The credential's core is a JSON-LD or JWT structure containing the user's verified claims, such as "kycStatus": "Approved" and "amlRiskLevel": "Low". The issuer signs this data structure with their private key, binding it to their Decentralized Identifier (DID).
The issuance flow begins after successful KYC. The user's wallet (acting as a holder agent) requests a credential by presenting a Verifiable Presentation of their DID. The issuer's backend creates the VC payload. For a JWT VC, this includes the issuer's DID (iss), the subject's DID (sub), the issuance date, the claims object, and a unique identifier. The issuer then signs this JWT using the private key associated with their DID, as defined in their DID Document. The signed VC is returned to the user's wallet, which stores it securely in a digital wallet or identity hub.
Here is a simplified example of a JWT Verifiable Credential's decoded payload for KYC:
json{ "iss": "did:ethr:0x1234...", "sub": "did:key:z6Mk...", "vc": { "@context": ["https://www.w3.org/2018/credentials/v1"], "type": ["VerifiableCredential", "KYCAMLAttestation"], "credentialSubject": { "id": "did:key:z6Mk...", "kycStatus": "Approved", "amlRiskLevel": "Low", "issuanceDate": "2023-10-26T15:30:00Z", "expirationDate": "2024-10-26T15:30:00Z" } } }
The credentialSubject.id must match the sub field, and the entire structure is signed to produce the final JWT.
For the credential to be trusted, the issuer's DID must be resolvable to a public DID Document containing the public key or verification method used for the signature. Verifiers check this by resolving the iss DID, fetching the public key, and validating the JWT signature. This mechanism ensures cryptographic verifiability without relying on a central database. Standards like DID:ethr (Ethereum) or did:key are commonly used. The credential may also include a proof purpose (e.g., assertionMethod) to define its intended use.
Best practices for issuance include setting a reasonable expirationDate to comply with AML refresh requirements, never including raw PII (Personally Identifiable Information) in the on-chain VC, and using selective disclosure protocols like BBS+ signatures or ZK-SNARKs to allow users to prove specific claims (e.g., "I am over 18") without revealing the entire credential. The issued VC enables the holder to participate in regulated DeFi pools or tokenized asset platforms by presenting this reusable, privacy-preserving proof of compliance.
step-3-zk-proofs
DID FRAMEWORK
Step 3: Implementing Zero-Knowledge Proofs for Selective Disclosure
This guide explains how to integrate zero-knowledge proofs (ZKPs) into a Decentralized Identity (DID) system, enabling market participants to verify credentials without revealing sensitive data.
Selective disclosure is the core privacy feature of a modern DID system. It allows a user (the prover) to prove a specific claim derived from a credential—like being over 18 or having a sufficient credit score—without revealing the credential itself or any extraneous personal data. This is achieved using zero-knowledge proofs (ZKPs), cryptographic protocols that enable one party to prove to another that a statement is true without conveying any information beyond the validity of the statement itself. For marketplaces, this means platforms can enforce participation rules (e.g., accredited investor status) while users maintain full data sovereignty.
To implement this, you first need verifiable credentials (VCs) issued to a user's DID. A VC is a tamper-evident credential, like a digital driver's license, signed by a trusted issuer. The user holds this VC in their digital wallet. When a marketplace (the verifier) requests proof of a specific attribute, the user's wallet does not send the raw VC. Instead, it generates a ZK-SNARK or ZK-STARK proof. This proof cryptographically demonstrates that the user possesses a valid VC from a recognized issuer and that the VC contains data satisfying the verifier's predicate (e.g., birthdate < 2006-01-01), without revealing the actual birthdate.
A practical implementation often uses circuits. For a credential with a score attribute, you could use the Circom language to define a circuit that proves the score is above a threshold. The circuit takes the private credential data and the public threshold as inputs, outputting true only if the condition holds. The code snippet below outlines a simple Circom template for this proof:
circomtemplate ScoreThreshold() { signal private input userScore; signal input threshold; signal output isAboveThreshold; isAboveThreshold <-- userScore > threshold; isAboveThreshold * (1 - isAboveThreshold) === 0; // Force binary output }
This circuit is compiled and used by the wallet's proving key to generate the ZKP.
The verifier's role is simplified. They do not need to see user data or manage complex logic. They only need the verification key corresponding to the circuit and the proof submitted by the user. Using libraries like snarkjs on-chain or in a backend service, the verifier can quickly check the proof's validity. On Ethereum, this can be done with precompiled contracts for pairing checks, such as in Semaphore or projects using the Verifier.sol pattern. The verification cost is a critical consideration, as generating proofs (prover time) is computationally intensive, while verifying them is relatively cheap.
For production systems, consider using established SDKs and frameworks to abstract complexity. The W3C Verifiable Credentials Data Model provides the standard data format. Libraries like Veramo offer plugins for issuing VCs and generating ZKP presentations. For identity-specific ZK circuits, the Iden3 protocol and circomlib provide reusable templates for common operations (e.g., Merkle tree inclusion proofs for anonymous membership). Always audit your circuits and integrate with secure wallet solutions like MetaMask Snaps or WalletConnect to ensure a smooth user experience during the proof generation and presentation flow.
The end result is a trust-minimized interaction. The marketplace gains cryptographic assurance that its policy is met, the user's privacy is preserved, and the issuer's attestation is relied upon without being contacted for each transaction. This architecture is foundational for compliant yet private DeFi, on-chain credit scoring, and gated community access, moving beyond the all-or-nothing data exposure of traditional web2 systems.
step-4-smart-contract-integration
TUTORIAL
Integrating DIDs and Proofs with Smart Contracts
This guide explains how to implement a decentralized identity (DID) framework for market participants using smart contracts, enabling verifiable credentials and on-chain proof verification.
A Decentralized Identifier (DID) is a self-owned, globally unique identifier that does not rely on a central registry. For market participants—such as traders, liquidity providers, or borrowers—DIDs enable portable, verifiable identities across different DeFi protocols. The core components are the DID document, which contains public keys and service endpoints, and Verifiable Credentials (VCs), which are tamper-proof attestations (like KYC status or credit score) issued by trusted entities. Smart contracts act as the verification layer, checking the cryptographic proofs attached to these credentials before granting access to financial services.
To begin integration, you must choose a DID method. For Ethereum-based systems, the did:ethr method, which uses an Ethereum address as the DID, is common. The associated DID document can be stored on-chain via a registry contract or off-chain using the ERC-725 and ERC-735 standards for claim management. A basic registry contract maps a bytes32 DID to a document URI. For example:
soliditymapping(bytes32 => string) public didDocuments; function setDocument(bytes32 did, string memory uri) public { didDocuments[did] = uri; }
This allows participants to resolve their DID to a document containing their public keys.
Verifiable Credentials are signed JSON-LD documents. A smart contract cannot store them directly due to cost and size, so we store only essential proofs on-chain. A common pattern is to have users submit a cryptographic proof—like a digital signature or a Zero-Knowledge Proof (ZKP)—that validates a claim without revealing the underlying data. For instance, a contract can verify that a user possesses a valid credential from a known issuer by checking a ECDSA signature against the issuer's public key stored in the DID document. This enables gas-efficient, privacy-preserving verification of attributes like accredited investor status.
Implementing a verification function involves several steps. First, the contract must resolve the issuer's DID to retrieve their public verification key. Next, it validates the structure and signature of the presented Verifiable Presentation. A simple Solidity function might verify a signed hash of a credential:
solidityfunction verifyCredential( bytes32 issuerDid, bytes32 credentialHash, uint8 v, bytes32 r, bytes32 s ) public view returns (bool) { address issuerAddress = resolveDID(issuerDid); address signer = ecrecover(credentialHash, v, r, s); return signer == issuerAddress; }
For complex claims, consider using ZK-SNARK verifiers like those from circom and snarkjs.
Integrating this framework into a DeFi protocol allows for permissioned or risk-adjusted interactions. A lending pool could require a VC proving a minimum credit score before offering a low-collateral loan. A DEX could whitelist addresses that have proven KYC compliance. The contract logic gates access based on the successful verification of the on-chain proof. It's crucial to design revocation mechanisms—often via on-chain revocation registries or status lists—so issuers can invalidate credentials if needed. Always audit the entire flow, as the security of the financial logic now depends on the correctness of the identity verification.
Best practices for production include using audited libraries like Spruce ID's didkit or Veramo for off-chain credential handling, storing only cryptographic commitments on-chain to preserve privacy, and ensuring your contract can handle DID method upgrades. The future lies in interoperability; design your system to support multiple DID methods and proof types (JWT, ZKP, etc.) from the start. This creates a robust foundation for composable identity across the Web3 financial stack.
METHOD SELECTION
DID Method Comparison for Regulated Markets
Comparison of DID methods based on compliance, privacy, and interoperability requirements for financial institutions and regulated entities.
| Feature / Requirement | did:ethr (Ethereum) | did:key (W3C Standard) | did:sov (Sovrin / Indy) | did:web (Web-Based) |
|---|---|---|---|---|
Verifiable Credential Format | W3C VC-DM, JWT | W3C VC-DM, JWT | AnonCreds (ZKP), W3C VC-DM | W3C VC-DM, JWT |
Selective Disclosure (ZKP) | ||||
GDPR Right to Erasure Support | Key Rotation | Key Revocation | Full Deletion via Tails File | Server Deletion Required |
Transaction Cost (Est.) | $2-15 (Gas) | Free | $0.01-0.10 (Network Fee) | Free |
Settlement Finality | ~5 min (PoS) | Instant | ~1-5 sec (Plenum) | Instant |
Governance Model | Permissionless | Standardized | Permissioned Network | Centralized Issuer |
KYC/AML Attestation Integration | Custom Smart Contract | Linked Data Proofs | Built-in Schema Registry | Custom API Layer |
Maximum Throughput (TPS) | ~100 | N/A (Off-Chain) | ~1,700 | Varies by Host |
DID FRAMEWORK
Frequently Asked Questions
Common technical questions and solutions for developers implementing decentralized identity systems for market participants.
A Decentralized Identifier (DID) is a new type of globally unique identifier that is controlled by the user, not a central authority. It is cryptographically verifiable and does not require a centralized registry. Unlike a traditional database ID (e.g., a UUID or email), a DID is anchored on a decentralized system like a blockchain or DLT.
Key Differences:
- Control: The user holds the private keys, enabling self-sovereign control.
- Verifiability: Proof of ownership is done via digital signatures, not a central server.
- Portability: DIDs are not locked to a single service provider. They can be used across any compatible platform (e.g., Verifiable Credential issuers, DeFi protocols).
- Persistence: The identifier itself is designed to be long-lived, even if the specific service managing it changes.
Common DID methods include did:ethr: (Ethereum), did:key:, and did:web:.
resource-links
DEVELOPER GUIDES
Additional Resources
Practical tools and specifications for implementing a decentralized identity (DID) framework across Web3 market participants, including issuers, verifiers, and credential holders.
conclusion-next-steps
IMPLEMENTATION SUMMARY
Conclusion and Next Steps
You have now configured a foundational Decentralized Identity (DID) framework using verifiable credentials and selective disclosure.
This guide walked you through the core components of a DID system for market participants: creating a DID document anchored to a blockchain like Ethereum or Polygon, issuing W3C Verifiable Credentials for KYC/AML status or professional accreditation, and enabling selective disclosure using BBS+ signatures or zero-knowledge proofs. The framework ensures participants control their data while providing the cryptographic assurances necessary for trust in decentralized markets.
For production deployment, several critical next steps are required. First, integrate a resolver to fetch DID documents from their anchored networks; consider using the universal resolver from the Decentralized Identity Foundation. Second, establish a revocation mechanism, such as a smart contract-based status list or the W3C Status List 2021 specification, to invalidate credentials if needed. Finally, design the user experience for credential wallets, ensuring participants can easily store, present, and manage their verifiable data.
Explore advanced patterns to enhance your system. Implement zk-SNARK proofs for complex claims (e.g., proving an accredited investor status without revealing net worth). Use DIDComm v2 for secure, private messaging between entities in your ecosystem. For interoperability, ensure your credentials use well-known contexts and types from schemas like those on the W3C-CCG GitHub.
The landscape of decentralized identity is rapidly evolving. Monitor emerging standards like W3C Verifiable Credential Data Integrity and IANA DID Methods. Engage with communities such as the DIF, W3C Credentials Community Group, and OpenID Connect working groups to stay current. Building on open standards is crucial for long-term viability and cross-protocol compatibility.
Start with a controlled pilot. Deploy your framework in a testnet environment with a small group of users. Gather feedback on UX, performance, and the clarity of attestation requests. Use this data to iterate before a mainnet launch. The goal is a system that is not only technically robust but also practically usable by the market participants it aims to serve.