Referencing Trust Registry within a Verifiable Credential

Learn how to include or reference Trust Registries and Verifiable Accreditations within the body of W3C Verifiable Credentials.

To ensure a Verifiable Credential (VC) is not only technically valid but also issued by an authorized and trusted party, it must include metadata that links back to its origin in a trust registry.

This is done using the termsOfUse property, where the Trusted Issuer includes an AttestationPolicy referencing:

The Verifiable Accreditation that granted them permission
The Root Authorization that anchors the governance framework

Why reference a trust registry?

Including a reference to a trust registry enables verifiers to:

Validate that the issuer is accredited to issue this type of credential.
Trace the credential’s trust lineage back to a Root Trusted Accreditation Organisation (rTAO).
Enforce domain-specific governance or regulatory policies.

Structure of `termsOfUse`

The termsOfUse field uses the AttestationPolicy type and typically includes:

Field

Description

type

Must be "AttestationPolicy"

parentAccreditation

DID URL pointing to the Verifiable Accreditation that granted authority to the issuer

rootAuthorization

DID URL referencing the original Root Authorization for the trust chain

Example: Credential referencing its trust registry via `AttestationPolicy`

{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://www.w3.org/ns/credentials/examples/v2"
  ],
  "id": "http://university.example/credentials/3732",
  "type": ["VerifiableCredential", "ExampleDegreeCredential"],
  "issuer": "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0",
  "validFrom": "2010-01-01T00:00:00Z",
  "credentialSubject": {
    "id": "did:cheqd:testnet:b4902745-5b5b-423e-820a-0773b033f2b9",
    "degree": {
      "type": "ExampleBachelorDegree",
      "name": "Bachelor of Science and Arts"
    }
  },
  "termsOfUse": {
    "type": "AttestationPolicy",
    "parentAccreditation": "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0/resources/58c01595-f884-4a3b-add4-8c691e16b8ee",
    "rootAuthorization": "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0/resources/58c01595-f884-4a3b-add4-8c691e16b8ee"
  }
}

What this enables

This embedded trust policy allows verifiers to:

Look up the parent accreditation and root authorization.
Confirm that the issuer was permitted to issue the attestation type.
Automate or enforce policy-based trust decisions.

Validating Trust Chains Using TRAIN

Once a Verifiable Credential includes an AttestationPolicy referencing the trust registry, TRAIN (TRust mAnagement INfrastructure) can be used to automatically validate the issuer’s authority against a decentralized trust chain.

What does TRAIN do?

TRAIN is a trust validator that:

Accepts a credential (or its metadata) as input.
Resolves the issuer’s accreditation.
Traverses the trust chain to the root authorization.
Optionally checks DNS anchoring of the root DID for higher assurance.
Returns a result that confirms if the issuer is trusted under the specified framework.

TRAIN Validation Input

Here’s a simplified example of the request body TRAIN accepts:

{
  "issuer": "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0",
  "type": ["VerifiableCredential", "ExampleDegreeCredential"],
  "termsofuse": "AttestationPolicy",
  "parentAccreditation": "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0/resources/58c01595-f884-4a3b-add4-8c691e16b8ee",
  "DNSTrustFrameworkPointers": ["example.trust-scheme.org"]
}

Note: DNSTrustFrameworkPointers is optional. If omitted, TRAIN will still validate trust up to the root authorization.

TRAIN Validation Output

TRAIN returns a response like this:

{
  "VerificationStatus": true,
  "VerificationResult": {
    "AccreditorDIDs": [
      "did:cheqd:testnet:c2f18b6b-32e2-48d1-a5a8-5f5d2d9798f0",
      "did:cheqd:testnet:8ea036da-f340-480d-8952-f5561ea1763c"
    ],
    "FoundRootIssuerDID": "did:cheqd:testnet:8ea036da-f340-480d-8952-f5561ea1763c",
    "TrustFramework": "Example Trust Framework",
    "TrustFrameworkId": "https://example.com/governance-framework/124",
    "VerifyRootIssuerDIDinDNS": true
  }
}

✅ VerificationStatus: true indicates that the issuer is properly accredited and the trust chain is intact. Although this will only be true if the root DID is also included in a DNS record.

Why use TRAIN?

Automates trust validation using standardized credential metadata.
Provides clear trust decisions for wallets, agents, and verifiers.
Enables integration with public DNS for added assurance of root DIDs.
Compatible with all credentials that follow cheqd’s trust chain model.

Get Started with TRAIN

Deploy TRAIN to verify Decentralized Trust Chains back to a Root of Trust DID and DNS Record.

Last updated 6 months ago

Was this helpful?

hashtagWhy reference a trust registry?

hashtagStructure of termsOfUse

hashtagExample: Credential referencing its trust registry via AttestationPolicy

hashtagWhat this enables

hashtagValidating Trust Chains Using TRAIN

hashtagWhat does TRAIN do?

hashtagTRAIN Validation Input

hashtag TRAIN Validation Output

hashtagWhy use TRAIN?