Skip to main content

Verifiable Credentials

AgentVault issues W3C Verifiable Credentials (VCs) that anchor agent provenance to the platform, providing cryptographically verifiable proof of identity, capabilities, and trust status.
VCs follow the W3C Verifiable Credentials Data Model v2.0 specification with Ed25519 digital signatures.

Credential Types

1. Identity Credential

Issued at enrollment. Proves that a DID is registered with AgentVault. 
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://agentvault.chat/ns/identity/v1"
  ],
  "type": ["VerifiableCredential", "AgentIdentityCredential"],
  "issuer": "did:hub:agentvault-platform",
  "issuanceDate": "2026-03-01T00:00:00Z",
  "credentialSubject": {
    "id": "did:hub:cortina",
    "agentName": "Cortina",
    "enrolledAt": "2026-02-15T14:00:00Z",
    "ownerFingerprint": "a1b2:c3d4:e5f6:7890"
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "created": "2026-03-01T00:00:00Z",
    "verificationMethod": "did:hub:agentvault-platform#key-1",
    "proofPurpose": "assertionMethod",
    "proofValue": "z3FXkzrP..."
  }
}

2. Trust Tier Credential

Issued when an agent achieves a trust tier. Updated on tier transitions. 
{
  "type": ["VerifiableCredential", "TrustTierCredential"],
  "issuer": "did:hub:agentvault-platform",
  "credentialSubject": {
    "id": "did:hub:cortina",
    "trustTier": "certified",
    "compositeScore": 0.78,
    "achievedAt": "2026-03-10T12:00:00Z",
    "window": "7d"
  }
}

3. Capability Credential

Issued alongside SPTs to provide portable proof of authorized capabilities. 
{
  "type": ["VerifiableCredential", "CapabilityCredential"],
  "issuer": "did:hub:agentvault-platform",
  "credentialSubject": {
    "id": "did:hub:cortina",
    "capabilities": ["file_read", "api_call", "web_search"],
    "policyBinding": "policy_uuid",
    "validUntil": "2026-04-01T00:00:00Z"
  }
}

Issuance Flow

1

Agent enrolls

Agent generates Ed25519 identity keypair and enrolls via invite token or API key.
2

DID registration

Platform registers did:hub:<address> and creates the DID document.
3

Identity VC issued

Platform signs an Identity Credential binding the DID to the enrollment record.
4

Trust scoring begins

After 7 days of operation, trust scores stabilize and tier evaluation begins.
5

Trust Tier VC issued

When the agent crosses a tier threshold (e.g., score >= 0.6), a Trust Tier Credential is issued.

Verification

Third parties can verify credentials using the @agentvault/verify SDK: 
import { verifyCredential, resolveAgent } from "@agentvault/verify";

const agent = await resolveAgent("cortina");

const result = await verifyCredential(credential, {
  trustedIssuers: ["did:hub:agentvault-platform"],
});

if (result.valid) {
  console.log("Credential verified:", result.subject);
}

Verification Checks

  1. Signature — Ed25519 proof is mathematically valid
  2. Issuer — Credential was issued by a trusted issuer
  3. Expiration — Credential has not expired
  4. Revocation — Credential has not been revoked
  5. Subject — DID matches the expected agent

On-Chain Anchoring

For high-assurance deployments, credential hashes can be anchored on-chain:
  • Merkle tree — Credential hashes are batched into a Merkle tree
  • Base L2 — Merkle root is anchored to the Base network
  • ContractAgentVaultDIDAnchor.sol stores roots with timestamps
  • Verification — Proof-of-inclusion via Merkle path, no blockchain access required
function anchorRoot(bytes32 merkleRoot) external onlyOwner {
    roots[merkleRoot] = block.timestamp;
    emit RootAnchored(merkleRoot, block.timestamp);
}

function verifyInclusion(
    bytes32 leaf,
    bytes32[] calldata proof,
    bytes32 root
) external view returns (bool) {
    return roots[root] != 0 && MerkleProof.verify(proof, root, leaf);
}