Authentication Using Verifiable Credentials (VCs)

Liccium supports authentication through Verifiable Credentials (VCs) issued to declaring parties. This method enables individual creators, organisations, or automated agents to make signed, traceable, and cryptographically verifiable declarations of authorship, rights, provenance, or AI involvement.

VCs provide a flexible and decentralized trust model and are especially suited for individual users, creative professionals, or ecosystem participants who do not use Qualified Certificates (QCerts).

Overview

A Verifiable Credential (VC) is a W3C-standardised digital certificate that binds metadata to a subject (e.g. a creator or organization) using a Decentralized Identifier (DID).

  • VCs are digitally signed by a trusted issuer, such as Liccium or a certified third party.
  • A declaring party can attach a valid VC to a declaration, allowing third parties to verify identity and role without relying on central registries or legacy certificates.
  • VCs are issued in the Creator Credentials ecosystem (creatorcredentials.com) and follow the specifications aligned with W3C Verifiable Credentials.

Requirements

To authenticate declarations using VCs, the declaring party must:

  • Generate a cryptographic key pair (e.g. Ed25519 or EC P-256)
  • Obtain a Verifiable Credential issued to their public key (bound via a DID)
  • Sign the declaration using their private key
  • Include the VC object in the declaration metadata under the credentials field

VC Issuance

VCs are issued by trusted entities based on verified identity and role. Issuers – such as Liccium, publishers, CMOs, or agencies – maintain logs of issued credentials and make their public key material available for verification. Credentials may express claims such as creator identity, affiliations, roles, and registry participation.

Example VC claims:

Code(json)
"credentials": [
  {
    "@context": [
      "https://www.w3.org/ns/credentials/v2"
    ],
    "id": "urn:uuid:a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "type": [
      "VerifiableCredential",
      "VerifiableAttestation",
      "CredentialType"
    ],
    "issuer": "did:web:example-issuer.com",
    "validFrom": "2024-01-15T08:30:00.000Z",
    "validUntil": "2027-01-15T08:30:00.000Z",
    "credentialSubject": {
      "id": "did:key:z6MkrJVnaZkeFzdQyQSUQgb3ekqX9Q2acd1SzNl6cvUCBWrTg",
      "sameAs": "Example Organization Ltd",
      "affiliation": "registry.example-commons.org"
    },
    "credentialSchema": [
      {
        "id": "https://schemas.example.com/credentials/supplier/v1.0/schema.json",
        "type": "JsonSchema"
      }
    ],
    "proof": {
      "type": "JwtProof2020",
      "jwt": "eyJhbGciOiJSUzI1NiIs1235cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.EkN-DOsnsuRjRO6BxXemmJDm3HbxrbRzXglbN2S4sOkopdU4IsDxTI8jO19W_A4K8ZPJijNLis4EZsHeY559a4DFOd50_OqgHs3UF8SUx8qJBBwB7qmLh7ADBawLV4JYNNsb_8q5AXWz4AvqYQxK9YeqOHyPW7KHAzX6CfUWfGiE"
    }
  }
]

Adding the VC to a Declaration

To authenticate a declaration, the declaring party includes the VC under the credentials field of the metadata.

  • The signature must be generated using the private key corresponding to the DID in the VC.
  • The declaring party must match the credentialSubject.id.

Verification Process

When a third party (e.g. registry or consumer) receives the declaration:

  1. They extract the credential and verify the VC's issuer signature.
  2. They check the VC's subject DID against the declaration's issuer.
  3. They validate the declaration's signature using the subject's public key.

This process ensures that the declaration is:

  • Authenticated by a valid identity
  • Linked to a known role (e.g. creator, editor, AI agent)
  • Traceable to a timestamped, tamper-evident statement
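
The three verification steps above, together with the key-binding rules from "Adding the VC to a Declaration", as an added example that is not Liccium's own code. It assumes the declaration is a compact JWS signed with Ed25519, that the proof JWT carries the credential claims, and that DIDs resolve through in-memory maps (trustedIssuers and didKeys, both hypothetical); it also checks the validFrom/validUntil window, which the steps above do not list.

```javascript
const nodeCrypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');
const unb64 = (s) => JSON.parse(Buffer.from(s || '', 'base64url').toString('utf8'));
// Compact JWS signed with Ed25519 (alg "EdDSA"); only used to build the demo data.
function signJws(payload, privateKey) {
  const input = `${b64u(JSON.stringify({ alg: 'EdDSA' }))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${nodeCrypto.sign(null, Buffer.from(input), privateKey).toString('base64url')}`;
}

// Returns the payload only if the signature over "header.payload" verifies.
function verifyJws(jws, publicKey) {
  const [h, p, s, extra] = String(jws).split('.');
  if (!s || extra !== undefined || !publicKey) throw new Error('malformed JWS or unknown signer');
  if (unb64(h).alg !== 'EdDSA') throw new Error('unexpected alg');
  if (!nodeCrypto.verify(null, Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'))) throw new Error('bad signature');
  return unb64(p);
}

function verifyDeclaration(declJws, trustedIssuers, didKeys, now) {
  // Unverified peek, used only to select the credential and keys to check against.
  const claimed = unb64(String(declJws).split('.')[1]);
  const vcObj = (claimed.credentials || [])[0];
  if (!vcObj || !vcObj.proof) throw new Error('no credential attached');
  // 1. Issuer signature on the VC. Only claims from the verified JWT are used below.
  const vc = verifyJws(vcObj.proof.jwt, trustedIssuers.get(vcObj.issuer));
  if (vc.issuer !== vcObj.issuer) throw new Error('issuer mismatch');
  if (!(now >= new Date(vc.validFrom) && now <= new Date(vc.validUntil))) throw new Error('VC outside validity window');
  // 2. The VC subject DID must equal the declaration's issuer.
  if (vc.credentialSubject.id !== claimed.issuer) throw new Error('subject does not match declaring party');
  // 3. Declaration signature under the subject's public key.
  return verifyJws(declJws, didKeys.get(vc.credentialSubject.id));
}

// Constructed demo: keys are generated on the fly, DIDs and claims are invented.
function demo() {
  const [issuer, subject, other] = [0, 1, 2].map(() => nodeCrypto.generateKeyPairSync('ed25519'));
  const claims = { issuer: 'did:web:example-issuer.com', validFrom: '2024-01-15T08:30:00.000Z',
    validUntil: '2027-01-15T08:30:00.000Z', credentialSubject: { id: 'did:example:subject' } };
  const vc = { ...claims, proof: { type: 'JwtProof2020', jwt: signJws(claims, issuer.privateKey) } };
  const decl = { issuer: 'did:example:subject', title: 'Sample work', credentials: [vc] };
  const trusted = new Map([[claims.issuer, issuer.publicKey]]);
  const keys = new Map([[decl.issuer, subject.publicKey], ['did:example:other', other.publicKey]]);
  const ok = (jws, at = new Date('2025-06-01T00:00:00Z')) => {
    try { verifyDeclaration(jws, trusted, keys, at); return true; } catch { return false; }
  };
  return { genuine: ok(signJws(decl, subject.privateKey)), wrongKey: ok(signJws(decl, other.privateKey)),
    borrowedVc: ok(signJws({ ...decl, issuer: 'did:example:other' }, other.privateKey)),
    expired: ok(signJws(decl, subject.privateKey), new Date('2028-01-01T00:00:00Z')) };
}
```

The validity check is written so that a missing or unparsable date rejects the credential instead of letting it through.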

Certificate-Based Trust Using x5c Headers

For issuers using X.509 certificates (e.g. QCerts), Liccium supports VC authentication via the x5c (certificate chain) parameter in the protected header of the JSON Web Signature (JWS). This embeds a Base64-encoded certificate chain that is covered by the digital signature, ensuring its authenticity and integrity:

Code(json)
"header": {
  "x5c": [
    "MIIDdzCCAl+gAwIBAgIEb4a...",
    "MIIDajCCAlKgAwIBAgIQFA..."
  ]
}

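The recipient validates the JWS using the public key from the first certificate in the chain and verifies that the signature covers both the protected header and the payload. The full x5c chain can be used to build trust via a recognized Certificate Authority (CA), including those issuing Qualified Certificates. A valid signature on its own only shows that the holder of the key in the first certificate signed the JWS; trust in that key comes from validating the chain up to a CA the recipient already trusts.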

This mechanism allows issuers to authenticate Verifiable Credentials without a Decentralized Identifier (DID), enabling compatibility with institutional PKI and regulatory trust models (e.g. eIDAS/QTSPs).

Benefits of Using VCs

  • Decentralised and privacy-preserving
  • Compatible with both DID and X.509 trust models
  • Granular role claims (e.g. creator, AI agent, publisher)
  • Interoperable with other VC ecosystems

Next Steps

  1. Request a VC from Liccium or another trusted issuer
  2. Generate a key pair and register your DID or certificate
  3. Sign and publish declarations with authenticated metadata