In an increasingly interconnected digital world, the need for secure, interoperable, and user-centric identity solutions has never been more critical. Traditional identity management systems often fall short in providing the flexibility and trust required to navigate multiple platforms and services seamlessly. To address these challenges, Crossmint is proud to announce the launch of its Verifiable Credentials (VC) product—designed to empower businesses and individuals with a robust, open-standards-based solution for digital identity management.
Crossmint’s VC product is a turnkey solution for issuing, presenting, and verifying credentials that works in both onchain and offchain contexts. It is built on the W3C Verifiable Credentials protocol, Non-Fungible Tokens (NFTs), and Decentralized Identifiers (DIDs), ensuring the highest levels of security, privacy, and interoperability, making it a game-changing platform for both developers and enterprises.
Whether you’re issuing reusable Know Your Customer (KYC) credentials, verifiable educational certificates, or enterprise-level digital identities, Crossmint streamlines the process, reduces costs, and ensures compatibility across platforms.
This blog post takes a closer look at the key features and capabilities of Crossmint’s Verifiable Credentials, highlighting how our architecture, storage options, encryption methods, and developer tools come together to redefine identity solutions.
Use Cases
Education and Certification
VCs enable academic institutions to issue secure, verifiable digital credentials such as diplomas, certificates of completion, and transcripts. Students can easily share proof of their qualifications with employers, universities, or government agencies, significantly reducing the time and costs associated with traditional verification processes. For example, a university can issue blockchain-backed credentials to graduates, which employers can instantly verify without needing to contact the institution.
Know Your Business (KYB)
VCs simplify compliance and onboarding by enabling the issuance of reusable business verification credentials. Businesses can securely validate their entity’s compliance across multiple platforms, eliminating redundant paperwork and streamlining onboarding. A fintech platform, for instance, can use Crossmint-issued KYB credentials to authenticate business entities quickly and efficiently, saving valuable resources while enhancing trust.
Healthcare Credentials
The healthcare sector can leverage VCs to issue secure, verifiable credentials such as immunization records, practitioner certifications, and patient identities. These credentials ensure privacy and can be shared securely with authorized entities, such as employers or travel authorities. For example, a hospital can issue tamper-proof digital vaccination records, allowing patients to seamlessly present proof for international travel or workplace requirements.
Supply Chain and Logistics
VCs enhance transparency and trust within supply chains by enabling verifiable credentials for products and certifications. These credentials can be used to authenticate product origins, verify sustainability certifications, or confirm compliance with regulations. A luxury goods manufacturer, for instance, can use Crossmint to issue VCs that verify the authenticity of its products, ensuring trust among consumers and partners while deterring counterfeiting.
Building an Identity Solution on Open Standards
Crossmint’s VC solution is built entirely on open standards, ensuring interoperability for users across platforms and other solutions in the space.
Verifiable Credentials (VCs)
Crossmint relies on the W3C VC standard to issue, manage, and verify credentials.
VCs are digital representations of information about a person, organization, or entity, designed to be secure, tamper-proof, and easily verifiable. For instance, use cases like Proof of Education allow organizations to issue secure, verifiable educational certificates, while reusable Know Your Customer/Business (KYC/B) credentials let users and companies validate their compliance across multiple platforms, reducing redundant paperwork and effort.
Businesses that issue VCs equip credential subjects with credentials that are interoperable and useful across platforms. Cryptographic proofs are embedded in VCs, allowing third parties to verify credentials without involving the issuer in the verification process, saving time and precious resources.
On the other hand, businesses building logic to digest and verify these VCs significantly reduce implementation and integration costs, as they only have to build the verification logic once.
NFTs (Non-Fungible Tokens)
NFTs are digital assets that represent unique ownership of a specific item, governed by standards like ERC-721. The benefit of NFTs lies in their interoperability, immutability, and uniqueness, which makes them ideal for representing verifiable credentials on the blockchain. By integrating VCs with NFTs, Crossmint merges the best of both worlds. This allows users to not only hold unique digital assets but also to verify, store, and access them in a decentralized way. This integration enhances the security and usability of VCs.
DID (Decentralized Identifiers)
Decentralized Identifiers (DIDs) are a foundational element in decentralized identity systems, enabling verifiable identities without the need for centralized authorities like governments or corporations. WebDID, an implementation of DIDs, lets organizations and individuals have a DID tied to their web domain, allowing for more human-readable identifiers. Crossmint’s platform utilizes WebDIDs to further increase the trust in the Issuer entity.
In addition to using standards, Crossmint actively collaborates with the Decentralized Identity Foundation (DIF) to contribute to the development of global identity standards. One major area of focus is the creation of an official standard for Verifiable Credential schemas. This collaboration ensures that Crossmint’s solutions are interoperable, future-proof, and aligned with industry standards. Finally, Crossmint is contributing to the establishment of an official repository for custom and standard credential schema storage.
Unifying Blockchain, NFTs, and VCs
Crossmint's architecture integrates blockchain and NFTs to create a secure and user-controlled system for verifiable credentials (VCs). Each VC is double-linked to an NFT, which serves as a reference onchain, ensuring the credential’s immutability and authenticity. While the VC’s private data is stored offchain for privacy, the NFT onchain allows verifiers to easily confirm its validity, as well as subjects to securely hold VCs in their wallets for seamless presentation in various applications.
Blockchain as the Source of Truth
When a VC is issued, Crossmint’s minting platform records the transaction onchain. Any change to the NFT’s metadata would require the onchain reference to also update, making edits from malicious actors publicly visible and easily disputed. Additionally, if issuers choose to revoke a credential, they can burn the associated NFT, ensuring the credential’s status is always up to date.
Offchain Storage for Privacy
To balance transparency with privacy, credentials themselves do not reside onchain. Instead, they are stored offchain in a location chosen by the issuer. This ensures that sensitive information remains private and only accessible to authorized entities.
- IPFS: Crossmint supports decentralized storage via IPFS, allowing credentials to be stored in a decentralized manner, ensuring long-term accessibility and immutability.
- Crossmint Storage: For issuers who do not require a fully decentralized solution but prefer a reliable and streamlined process, Crossmint provides a dedicated storage system. Credentials stored here can be easily retrieved and managed through Crossmint's infrastructure, offering a scalable and secure way to handle sensitive data.
- Delegated Storage: Enterprises can choose to manage their own storage systems for credentials. Crossmint supports delegated storage endpoints, where issuers retain full control over credential retrieval and can implement custom access controls to protect sensitive data.
Onchain Control
Users retain full control over their credentials, deciding when and with whom to decrypt them. This architecture prioritizes user privacy while leveraging the blockchain’s immutable and decentralized nature.
As an additional layer of control, Crossmint offers enterprises the ability to sign credentials with their own wallet and not solely with a Crossmint-managed one. This feature enables organizations to maintain control over credential issuance without having to share their private key.
Credential Retrieval
Verifiers can easily identify credentials and fetch private data via a user’s wallet on the blockchain. Since VCs are represented as NFTs onchain, there is no need for an integration between the VC issuer and the verifier. Given a user’s wallet and the VC’s NFT ID, the VC’s private data can be retrieved and verified from storage.
Credential Revocation
The immutable nature of onchain transactions ensures that once the NFT associated with the VC is burned, there is no longer a way to retrieve the user’s credential for future verification. As a result, an issuer can simply burn the NFT for the credential to no longer be valid. Depending on the offchain storage location, the credential private data can then also be deleted.
Implementation Outline
Credential Types
Credential types, also known as schemas, define the structure of the information that will be included in a VC. Types ensure that credentials are consistent and cannot be tampered with. Crossmint allows issuers to create and customize credential templates based on a defined type, by specifying additional attributes, such as metadata, encryption settings, storage location, and chain configurations.
The following is an example of a University Course credential type containing three attributes: courseName, courseNumber, and finalGrade.
[
  {
    name: "courseName",
    type: "string",
  },
  {
    name: "courseNumber",
    type: "uint16",
  },
  {
    name: "finalGrade",
    type: "uint8",
  }
]
API Capabilities
Crossmint’s API provides a comprehensive set of functionalities for managing VCs:
- Issue: Issuers can create credentials using a single REST API call and send them to users via email or a wallet address on any chain.
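// userEmail and templateId are supplied by your application
const credentialParams = {
  recipient: `email:${userEmail}:polygon-amoy`,
  credential: {
    subject: {
      course: "Blockchain 101",
      grade: "A",
    },
    expiresAt: "2034-02-02",
  },
};
// Request options: the issuance call is a POST carrying credentialParams as JSON
const options = {
  method: "POST",
  headers: {
    "X-API-KEY": "YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify(credentialParams),
};
fetch(`https://staging.crossmint.com/api/v1-alpha1/credentials/templates/${templateId}/vcs`, options)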
- Verify: Verifiers can check the validity of a credential with a simple REST API call that confirms its authenticity, ensures it hasn't been revoked, and confirms that it was issued by the claimed issuer. Verification can also be performed via our SDK. Since Crossmint’s VCs are based on the W3C standard, developers can use any library that supports this standard to verify a credential.
const options = {
  method: "POST",
  headers: {
    "X-API-KEY": "YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: `{"credential": ${JSON.stringify(credential.unencryptedCredential)}}`,
};
fetch("https://staging.crossmint.com/api/v1-alpha1/credentials/verification/verify", options)
- Revoke: Issuers can revoke credentials by burning the associated NFT onchain via a simple REST API call, instantly invalidating the credential. This revocation is recorded transparently onchain for future reference.
const options = {
  method: "DELETE",
  headers: {
    "X-API-KEY": "YOUR_API_KEY",
  },
};
fetch(`https://staging.crossmint.com/api/v1-alpha1/credentials/${credentialId}`, options)
Privacy and Encryption
When credentials are stored on public, decentralized platforms like IPFS, ensuring the privacy of sensitive information becomes crucial. Without proper encryption, any data stored on IPFS is accessible to anyone. Therefore, it's essential to use strong encryption methods to protect the credential data, allowing only authorized parties to access and decrypt it.
Lit Protocol: Decentralized Encryption
Lit Protocol offers a decentralized solution for encrypting credentials, ensuring that data confidentiality is maintained even when stored on public networks. Crossmint leverages Lit Protocol to allow only the credential subject to decrypt their credential, putting full control in the hands of the user. Through Lit, encryption and decryption happen across decentralized nodes, ensuring no single centralized entity has control over the encryption keys. Users are prompted to sign a message with their wallet to authenticate and decrypt credentials for verifiers to review.
Crossmint Encryption
For use cases where decentralized encryption is not a priority, Crossmint provides its own encryption solution that offers a similar user experience to Lit Protocol. In Crossmint's system, users still sign messages to authenticate and decrypt credentials, but the authentication process is managed by Crossmint. This approach simplifies integration, offering a faster and more reliable user experience while maintaining strong security. Crossmint encryption is well-suited for scenarios where ease of use and performance are prioritized over fully decentralized control.
SDK for Verifiers
Crossmint offers a comprehensive SDK for third party verifiers, streamlining the process of interacting with VCs. This SDK simplifies credential retrieval, presentation, decryption, and verification, eliminating the complexities verifiers would otherwise have to face when integrating blockchain, cryptography, and user interactions.
Key Features of the SDK
- Retrieval
The SDK enables verifiers to easily retrieve VCs from users' wallets. It allows filtering by credential type or issuer, providing flexibility in fetching only relevant credentials.
import * as sdk from '@crossmint/client-sdk-verifiable-credentials';
sdk.CrossmintAPI.init('YOUR_API_KEY');
const wallet = "USER_WALLET";
const filters = {
  // typeId represents an academic credential schema
  type: <typeId>
};
const credentials = await sdk.getCredentialNFTs(
  "polygon",
  wallet,
  filters
);
console.log('Academic credentials retrieved successfully:', credentials);
- Presentation and Decryption
The SDK handles credential presentation and decryption seamlessly. For encrypted credentials, the SDK prompts users to sign a message proving their identity and authorizing decryption.
import * as sdk from '@crossmint/client-sdk-verifiable-credentials';
sdk.CrossmintAPI.init('YOUR_API_KEY');
const encryptedCredential = <encryptedCredentialObject>;
// `collection` is the credential's collection, retrieved beforehand
const encryptionType = collection.metadata.credentialMetadata.encryption.type;
// Declared outside the branches so the result is still in scope for the log below
let decryptedData;
if (encryptionType === VerifiableCredentialEncryptionType.DECENTRALIZED_LIT) {
  decryptedData = await new sdk.Lit("staging").decrypt(encryptedCredential);
} else if (encryptionType === VerifiableCredentialEncryptionType.CROSSMINT_RECOVERABLE) {
  decryptedData = await new sdk.CrossmintMetamaskDecrypt().decrypt(encryptedCredential);
} else {
  throw new Error("Not supported");
}
console.log("Decrypted credential:", decryptedData);
- Verification
Verifiers can easily check the validity of credentials using the SDK’s verification features. The SDK performs local verification, checking the credential’s issuer, expiration, and revocation status, eliminating the need for interaction with external services.
import * as sdk from '@crossmint/client-sdk-verifiable-credentials';
sdk.CrossmintAPI.init('YOUR_API_KEY');
const decryptedCredential = <CredentialObject>;
const verificationResult = await sdk.verifyCredential(decryptedCredential);
console.log('Verification result:', verificationResult);
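The checks a verifier applies on top of proof verification (trusted issuer, expiration, revocation by burned NFT, and the two-way link between credential and NFT described earlier) can be sketched as follows. This is an added example, not Crossmint's SDK code: the field names, the `chainState` map standing in for an onchain lookup, and the sample values are all assumptions constructed for illustration.

```javascript
// Added example: field names (issuer.id, expirationDate, nft.*) and the
// chain lookup are assumptions for illustration, not Crossmint's SDK.
// Proof/signature verification is left to a W3C VC library and not shown.

// Constructed stand-in for an onchain lookup, keyed by chain:contract:tokenId.
const chainState = new Map([
  ["polygon:0xabc:1", { burned: false, owner: "0xholder", credentialId: "urn:uuid:cred-1" }],
  ["polygon:0xabc:2", { burned: true, owner: null, credentialId: "urn:uuid:cred-2" }],
]);

// Constructed sample credential.
const sampleCredential = {
  id: "urn:uuid:cred-1",
  issuer: { id: "did:web:university.example" },
  expirationDate: "2034-02-02",
  nft: { chain: "polygon", contractAddress: "0xabc", tokenId: "1" },
  credentialSubject: { course: "Blockchain 101", grade: "A" },
};

function tokenKey(nft) {
  return `${nft.chain}:${nft.contractAddress}:${nft.tokenId}`;
}

// Runs every check and returns { valid, errors } so the caller sees all failures.
function checkCredential(vc, { trustedIssuers, holder, now = new Date() }) {
  const errors = [];
  // Issuer must be on the verifier's own allowlist, not merely well-formed.
  if (!trustedIssuers.includes(vc.issuer?.id)) errors.push("untrusted issuer");
  // An unparseable expiration is treated as a failure, not as "never expires".
  const exp = vc.expirationDate ? new Date(vc.expirationDate) : null;
  if (exp && (Number.isNaN(exp.getTime()) || exp <= now)) errors.push("expired or bad expiration");
  const token = vc.nft ? chainState.get(tokenKey(vc.nft)) : undefined;
  if (!token) {
    errors.push("no onchain reference");
  } else {
    if (token.burned) errors.push("revoked (NFT burned)");
    else if (token.owner !== holder) errors.push("presenter does not hold the NFT");
    // Double link: the NFT must point back at this exact credential.
    if (token.credentialId !== vc.id) errors.push("NFT does not point back to this credential");
  }
  return { valid: errors.length === 0, errors };
}
```

Passing `now` explicitly keeps the expiration check deterministic in tests; in production it defaults to the current time.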
Crossmint Simplified SDK
The Crossmint SDK is designed to offer verifiers a faster, more reliable experience by using Crossmint’s own infrastructure.
Provider-Agnostic SDK
Since Crossmint adheres to open standards, a provider-agnostic version of the SDK is also available. It abstracts away Crossmint-specific functionality, making it suitable for scenarios where verifiers want more granular control over the blockchain interactions.
Conclusion
Crossmint’s open-standards-based approach to verifiable credentials sets a new benchmark for the future of digital identity management. Crossmint enables businesses and users to build trust, streamline processes, and enhance security in an increasingly decentralized world. Its robust architecture balances privacy and transparency through solutions like offchain storage, encryption methods such as Lit Protocol, and flexible issuer controls, ensuring that sensitive information remains secure yet accessible when needed.
With tools like a comprehensive API and SDKs, Crossmint simplifies implementation for developers and lowers integration costs for businesses, making verifiable credentials a practical solution for a wide range of use cases—from education and KYC compliance to enterprise-level credential management.
Valerio Massimo Camaiani
Tech Lead of Crossmint Verifiable Credentials and member of DIF