Credentials (Low-level)
These are low-level building blocks. Most applications should use
delegateandverifyDelegationinstead.
SD-JWT VCs (Selective Disclosure JSON Web Token Verifiable Credentials) allow the holder to reveal only specific claims to a verifier. These functions give you direct control over credential creation, verification, and selective disclosure.
createSdJwtVc
Creates an SD-JWT Verifiable Credential with optional selective disclosure for individual claims.
function createSdJwtVc(options: SdJwtVcCreateOptions): Promise<string>Parameters
SdJwtVcCreateOptions
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
issuerPrivateKey | Uint8Array | Yes | --- | Issuer’s private key for signing |
issuerPublicKey | Uint8Array | Yes | --- | Issuer’s public key |
issuerDid | string | Yes | --- | DID of the credential issuer |
type | string | Yes | --- | Verifiable Credential Type (e.g. "AgentDelegationCredential") |
claims | CredentialClaims | Yes | --- | The credential claims (payload) |
selectiveDisclosure | string[] | Yes | --- | Claim names to make selectively disclosable |
algorithm | Algorithm | No | "ES256" | Signing algorithm ("ES256" or "EdDSA") |
holderDid | string | No | --- | DID of the credential holder (set as sub claim) |
expiresAt | Date | No | --- | Expiration date |
statusList | { url: string; index: number } | No | --- | Status list reference for revocation |
Returns
string --- the signed SD-JWT VC token. Contains the JWT, disclosures, and key binding material.
Example
import { createSdJwtVc, generateKeyPair } from "@credat/sdk";
const issuerKeys = generateKeyPair("ES256");
const vc = await createSdJwtVc({
issuerPrivateKey: issuerKeys.privateKey,
issuerPublicKey: issuerKeys.publicKey,
issuerDid: "did:web:acme.com",
type: "EmployeeCredential",
claims: {
name: "Alice Martin",
email: "alice@example.com",
role: "engineer",
department: "platform",
},
selectiveDisclosure: ["email", "department"],
holderDid: "did:web:acme.com:users:alice",
statusList: {
url: "https://acme.com/.well-known/status/1",
index: 7,
},
});verifySdJwtVc
Verifies the signature and structure of an SD-JWT VC token.
function verifySdJwtVc(
sdJwt: string,
issuerPublicKey: Uint8Array,
): Promise<SdJwtVcVerifyResult>Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
sdJwt | string | Yes | The SD-JWT VC token to verify |
issuerPublicKey | Uint8Array | Yes | Issuer’s public key |
Returns
SdJwtVcVerifyResult
| Field | Type | Description |
|---|---|---|
valid | boolean | Whether the token is valid |
claims | CredentialClaims | Decoded claims (disclosed claims only) |
issuer | string | Issuer DID (empty string on failure) |
format | "sd-jwt-vc" | Always "sd-jwt-vc" |
issuedAt | Date | When the credential was issued |
expiresAt | Date | undefined | Expiration date, if set |
statusListEntry | { statusListUrl: string; statusListIndex: number } | undefined | Status list reference, if embedded |
errors | string[] | undefined | Error messages (present when valid is false) |
Example
import { verifySdJwtVc, generateKeyPair } from "@credat/sdk";
const issuerKeys = generateKeyPair("ES256");
const result = await verifySdJwtVc(vc, issuerKeys.publicKey);
if (result.valid) {
console.log(result.claims);
// Only disclosed claims are present
} else {
console.error(result.errors);
}selectDisclosures
Selects which claims to reveal from an SD-JWT VC. Returns a new token containing only the chosen
disclosures --- claims not listed in revealClaims are omitted entirely.
function selectDisclosures(sdJwt: string, revealClaims: string[]): stringParameters
| Parameter | Type | Required | Description |
|---|---|---|---|
sdJwt | string | Yes | The full SD-JWT with all disclosures |
revealClaims | string[] | Yes | Names of claims to reveal |
Returns
string --- a new SD-JWT containing only the selected disclosures. Non-selectively-disclosable claims (those not listed in selectiveDisclosure at creation time) are always included.
Example
import { createSdJwtVc, selectDisclosures, verifySdJwtVc, generateKeyPair } from "@credat/sdk";
const issuerKeys = generateKeyPair("ES256");
// Create a credential with selective disclosure on email and department
const vc = await createSdJwtVc({
issuerPrivateKey: issuerKeys.privateKey,
issuerPublicKey: issuerKeys.publicKey,
issuerDid: "did:web:acme.com",
type: "EmployeeCredential",
claims: {
name: "Alice Martin",
email: "alice@example.com",
role: "engineer",
department: "platform",
},
selectiveDisclosure: ["email", "department"],
holderDid: "did:web:acme.com:users:alice",
});
// Reveal only the email --- name and role are always visible,
// department is hidden
const presented = selectDisclosures(vc, ["email"]);
// Verifier sees: name, role, email (but not department)
const result = await verifySdJwtVc(presented, issuerKeys.publicKey);Errors
| Code | When |
|---|---|
CREDENTIAL_INVALID_FORMAT | A disclosure in the token is malformed |