Start with Identity
Standard · recommendation

Verifiable Credentials & SD-JWT

W3C VC Data Model 2.0; IETF SD-JWT VCW3C / IETFVC Data Model 2.0 Recommendation (May 2025); SD-JWT VC draft-16 (2026)Official spec ↗

What it is

A Verifiable Credential (VC) is a cryptographically signed, tamper-evident digital credential that follows the W3C VC Data Model. It is the data format at the heart of decentralized identity: a portable, machine-verifiable version of the paper and plastic credentials people carry today, from a diploma to a driver's license to a proof of employment.

The model defines three roles, the issuer, holder, verifier trust triangle:

  • An issuer signs a credential and gives it to a subject.
  • A holder keeps it in a wallet and controls when to present it.
  • A verifier checks the signature, the issuer, and the credential status, without calling back to the issuer.

SD-JWT (Selective Disclosure JWT) is the IETF token format increasingly used to carry these credentials in a way that supports selective disclosure.

How it works

  • Issuance (issuer to holder): an authority issues a signed credential to the user's wallet. Keys are often anchored by a decentralized identifier (DID), so the verifier can resolve the issuer's public key without a central registry. The OpenID4VCI protocol standardizes this exchange.
  • Presentation (holder to verifier): the holder assembles a verifiable presentation and shares only what is needed. With selective disclosure they can prove they are over 18 without revealing their birth date. OpenID4VP standardizes the request and response.
  • Formats: the two dominant credential formats are SD-JWT VC (JWT-based, favored by eIDAS 2.0 and IETF work) and W3C VC with Data Integrity proofs (JSON-LD, often paired with BBS signatures for unlinkable disclosure). AnonCreds is a third format common in ledger-based ecosystems.
  • Revocation: issuers publish status through a revocation registry or status list so a verifier can tell whether a credential is still valid.

Status

The W3C published the VC Data Model 2.0 family as Recommendations in May 2025. SD-JWT and SD-JWT VC are active IETF drafts (draft-16 in 2026) and are referenced directly by EU digital identity work. The OpenID for Verifiable Credentials protocols reached a High Assurance Interoperability Profile 1.0 Final in December 2025. Adoption is accelerating through eIDAS 2.0 and the EUDI Wallet and mobile driver's licenses.

When to use it

Reach for verifiable credentials when you need reusable, portable proof that a holder controls: verify once and reuse many times, with the user deciding what to share. The strongest current use cases are reusable identity verification and KYC, government and cross-border ID, and workforce credentials such as certifications that should survive a job change. For plain workforce SSO, mature federated protocols are still the right tool.

Pitfalls

  • The ecosystem is still consolidating; interoperability depends on shared profiles like OpenID4VC and HAIP rather than the base data model alone.
  • Revocation, wallet recovery, and issuer governance are the hard parts, not the signing.
  • Format fragmentation (SD-JWT VC vs W3C Data Integrity vs AnonCreds) means you must pick formats your verifiers actually accept.

Related

Guides: what is decentralized identity, verifiable credentials implementation guide. Standards: DID, OpenID4VC, mDL. Glossary: verifiable credential, SD-JWT, verifiable presentation. Vendors: decentralized identity.

Independent, community-driven reference. Always confirm details against the official specification linked above.