Product Docs
Product DocsTechnical DocsLearning & GovernanceUseful Links
  • Product Docs
  • Node Docs
  • Learning Docs
  • ℹ️Getting Started
    • Product Overview
    • ➡️Get Started with cheqd Studio
      • 👉Set Up Your Account
      • 🗝️Create API Keys
      • 🪙Token Top Up
      • 🔄Advanced Configuration Options
    • ☑️Use Trust Registries for AI Agents
      • 🏗️Build an AI Agent Trust Registry
        • Setup AI Agent Trust Registry
          • Issue Verifiable Credentials to AI Agent
        • Setup and Configure MCP Server
          • Create AI Agent DID
          • Import Credential to AI Agent
          • Advanced functionality
            • Issue a Verifiable Credential
            • Verify a Credential
      • 🤝Validate AI Agent Trust Chain
  • 🟢Start using cheqd
    • 🆔Create DIDs and Identity Keys
      • Create a DID
      • Create Identity Keys
      • Create a Subject DID
      • Resolve a DID
      • Update a DID
      • Deactivate a DID
    • ✅Issue Credentials and Presentations
      • Issue a Verifiable Credential
      • Setup Verida Wallet
      • Verify a Verifiable Credential
      • Verify a Verifiable Presentation
      • Revoke a Verifiable Credential
      • Suspend or Unsuspend a Verifiable Credential
    • ♻️Charge for Verifiable Credentials
      • Understanding Credential Payments
        • Access Control Conditions
        • Privacy Considerations
      • Charge for Status List
      • Issue Credential with Encrypted Status List
      • Create Verifier Pays Issuer flow
      • Bulk Update or Rotate Encryption Keys
    • 🤝Build Trust Registries
      • Decentralized Trust Chains (DTCs)
        • Root Authorisations
        • RTAO -> TAO
        • TAO -> SubTAO
        • TAO -> Trusted Issuer (TI)
        • Referencing Trust Registry within a Verifiable Credential
      • Set up Trust Chain
        • Issue a Verifiable Accreditation
        • Verify a Verifiable Accreditation
      • Get Started with TRAIN
        • Deploy TRAIN and Anchor rTAO in DNS
        • Validate Trust Chain
    • 🎋Create Status Lists
      • Bitstring Status List
        • Create Bitstring Status List
        • Update Bitstring Status List
        • Check Bitstring Status List
        • Search Bitstring Status List
      • Token Status List
        • Create Token Status List
        • Update Token Status List
    • ↕️Create DID-Linked Resources
      • Understanding DID-Linked Resources
        • Context for developing DID-Linked Resources
        • Technical composition of DID-Linked Resources
        • Referencing DID-Linked Resources in VCs
      • Create a DID-Linked Resource
      • Search for DID-Linked Resources
  • 🛠️Integrate an SDK
    • Choosing the right SDK
    • 🍏Credo
      • Setup Credo Agent
      • Decentralized Identifiers (DIDs)
        • Create a DID
        • Update a DID
        • Deactivate a DID
      • DID-Linked Resources
        • Create DID-Linked Resource
        • Resolve DID-Linked Resource
        • Create AnonCreds Schema
        • Create AnonCreds Credential Definition
      • Verifiable Credentials and Presentations
        • Issue a Verifiable Credential (AnonCreds)
        • Present a Verifiable Credential (AnonCreds)
    • 🍊ACA-Py
      • Setup ACA-Py Agent
      • Decentralized Identifiers (DIDs)
        • Create a DID
        • Update a DID
        • Deactivate a DID
      • DID-Linked Resources
        • Create AnonCreds Schema
        • Create AnonCreds Credential Definition
      • Verifiable Credentials and Presentations
        • AnonCreds
          • Issue a Verifiable Credential
          • Present a Verifiable Credential
          • Revoke a Verifiable Credential
        • JSON-LD
          • Issue a Verifiable Credential
          • Present a Verifiable Credential
    • 🍈Veramo
      • Setup Veramo CLI for cheqd
        • Troubleshooting Veramo CLI Setup
      • Decentralized Identifiers (DIDs)
        • Create a DID
        • Querying a DID
        • Update an existing DID
        • Deactivate a DID
        • Create an off-ledger holder DID
        • Managing Identity Keys
        • Troubleshooting
      • Verifiable Credentials and Presentations
        • Issue a Verifiable Credential
        • Verify a Verifiable Credential
        • Create a Verifiable Presentation
        • Verify a Verifiable Presentation
      • Credential Payments
        • Charge for Status List
        • Issue Credential with Encrypted Status List
        • Verifier pays Issuer
      • Bitstring Status List
        • Create Status List
        • Issuing a Verifiable Credential referencing Status List
      • DID-Linked Resources
        • Create a DID-Linked Resource
        • Create a new Resource version within existing Collection
    • 🫐Walt.id Community Stack
  • 🏗️Architecture
    • Architecture Decision Record (ADR) Process
    • List of ADRs
      • 🔵ADR 001: cheqd DID Method
      • 🟢ADR 002: DID-Linked Resources
      • 🟡ADR 003: DID Resolver
      • 🟠ADR 004: DID Registrar
      • 🟣ADR 005: DID Resolution & DID URL Dereferencing
  • 💫Advanced features and alternatives
    • ➡️DID Registrar
      • Setup DID Registrar
      • Create a DID
      • Create a DID-Linked Resource
    • ⬅️DID Resolver
      • Setup DID Resolver
    • ⚡AnonCreds Object Method
      • Schemas
      • Credential Definitions
      • Revocation Registry Definitions
      • Revocation Status Lists
    • 🌠Advanced Tooling
      • cheqd Cosmos CLI for identity
        • Create a DID
        • Update a DID
        • Deactivate a DID
        • Query a DID
        • Create a DID-Linked Resource
        • Update a DID-Linked Resource
      • Direct interaction with ledger code
      • VDR Tools CLI with cheqd (deprecated)
      • Demo Wallet for Identity Setup
  • ⚛️Network
    • Get started with cheqd Network
      • Identity Write Pricing
      • Comparison to Hyperledger Indy
    • ⏩Setup your Wallet
      • Setup Leap Wallet
        • Congifure cheqd Testnet for Leap
      • Setup Keplr Wallet
      • Migrate from Keplr to Leap Wallet
    • ↪️Useful Tools and APIs
      • Block Explorer
      • Testnet Faucet
      • Validator Status API
      • Cheqd x Cosmos Data APIs
      • Cosmos Airdrop Helpers
      • Cosmos Address Convertor
      • Ethereum Bridge
    • ⬆️Network Upgrades
      • 2021
        • 0.1.x
        • 0.2.x
        • 0.3.x
      • 2022
        • 0.4.x
        • 0.5.x
        • 0.6.x
      • 2023
        • 1.x
      • 2024
        • 2.x
        • 3.x
      • Root Cause Analysis of Outages
        • v1.x upgrade RCA
  • ⚖️Legal
    • License
    • Code of Conduct
    • Security Policy
  • 🆘Support
    • System Status
    • Discord
    • Bugs & Feature Requests
Powered by GitBook
LogoLogo

General

  • Website
  • Blog
  • Get $CHEQ

Product Docs

  • Product Docs
  • cheqd Studio
  • Creds.xyz
  • Bug/Feature Requests

Technical Docs

  • Node Docs
  • GitHub
  • Block Explorer

Learning Docs

  • Learning Docs
  • Governance Docs
  • Governance Forum
  • Governance Explorer
On this page
  • What is TRAIN?
  • How TDZM and the TRAIN Trust Validator Work Together
  • Step-by-Step: Setting Up Trust and Validation
  • 1. Deploy Trust-DNS Zone Manager (TDZM)
  • 2. Delegate DNS Control to TDZM
  • 3. Anchor the rTAO DID in DNS
  • 4. Build the Trust Chain
  • 5. Use the TRAIN Trust Validator (TTV)
  • Summary

Was this helpful?

Edit on GitHub
Export as PDF
  1. Start using cheqd
  2. Build Trust Registries

Get Started with TRAIN

Anchor Decentralized Identifiers (DIDs) in DNS records and validate Decentralized Trust Chains (DTCs) using TRAIN.

Last updated 22 days ago

Was this helpful?

What is TRAIN?

TRAIN (TRust mAnagement INfrastructure) is a framework, led by the team at the , for establishing and validating decentralized trust. It allows ecosystems to verify whether Verifiable Credentials (VCs) were issued by authorized and trustworthy entities through cryptographically linked trust chains.

TRAIN includes two core components:

  • TRAIN Trust Validator (TTV): A service that validates the issuer of a Verifiable Credential by tracing Verifiable Accreditations up to a trusted root authority.

  • TDZM (Trust-DNS Zone Manager): A DNS component that enables Root Trusted Accreditation Organisations (rTAOs) to publicly anchor their Decentralized Identifiers (DIDs) in DNS.

Together, these components allow for governance-aware, high-assurance validation of digital credentials without centralized trust registries.


How TDZM and the TRAIN Trust Validator Work Together

Component
Purpose

TDZM

Anchors rTAO DIDs in DNS, establishing a verifiable and auditable trust root

TTV (TRAIN Trust Validator)

Validates VCs by following Verifiable Accreditations and optionally confirming the rTAO via DNS

When combined, they allow you to:

  • Establish a cryptographically linked trust hierarchy

  • Publish root DIDs (rTAOs) in DNS

  • Automatically validate credentials against published governance frameworks

  • Support scalable, decentralized ecosystems without compromising on assurance


Step-by-Step: Setting Up Trust and Validation

1. Deploy Trust-DNS Zone Manager (TDZM)

Run the TDZM backend and UI using:

  • Docker Compose (for testing or development)

  • Helm Charts in Kubernetes (for production)

TDZM includes:

  • A DNS nameserver to manage your trust zone

  • A backend API and UI for managing records

  • Optional OIDC authentication


2. Delegate DNS Control to TDZM

In your parent DNS zone (e.g. federation1.com):

  • Add an NS record pointing your trust subdomain (e.g. trust.federation1.com) to TDZM

  • Add an A record to resolve the nameserver’s domain to its IP

Example:

trust.federation1.com. NS ns1.trust.federation1.com.
ns1.trust.federation1.com. A 203.0.113.10

3. Anchor the rTAO DID in DNS

Use TDZM to publish a TXT or TLSA DNS record that links your rTAO’s DID to the trust domain.

Example:

_did.trust.federation1.com. TXT "did:cheqd:mainnet:rtao123"

This enables the TRAIN Trust Validator to resolve and verify the rTAO’s authenticity.


4. Build the Trust Chain

  • Publish a Root Authorisation for Trust Chain from the rTAO

  • Issue Verifiable Accreditations from rTAO → TAOs → Trusted Issuers

  • Define governance rules and credential schema policies as needed


5. Use the TRAIN Trust Validator (TTV)

Send a JSON request to TTV with the credential’s issuer, type, accreditation path, and optional DNS anchors. TTV will:

  • Traverse the Verifiable Accreditation chain

  • Verify structural and policy compliance

  • Optionally confirm the root via DNS lookups

  • Return a structured verification result


Summary

Goal
Component

Anchor rTAO in DNS

🌐 TDZM

Manage trust zones

🛠️ TDZM Backend & UI

Define & delegate trust

📜 Verifiable Accreditations

Validate credentials

🔎 TRAIN Trust Validator (TTV)


By combining DNS-based assurance with credential-level verification, the TRAIN infrastructure provides a flexible and scalable solution for decentralized trust governance.

🟢
🤝
Fraunhofer Institute

Deploy TRAIN and Anchor rTAO in DNS

Add high assurance to your root DID, anchoring it within a DNS record.

Cover

Set up Trust Chain

Design and build a trust chain for establishing a trust hierarchy in your ecosystem.

Cover

Validate Trust Chain

Validate Trust Chain to a root of trust using the TRAIN Trust Validator (TTV).