1 of 100

Product Docs

Getting Started

Product Overview

Get started with cheqd's identity functionality and product offerings.

Integrate with cheqd

cheqd maintains an array of products and packages with varying levels of integration complexity to allow its partners and customers to have multiple ways of plugging into cheqd's identity functionality. Via these different packages, customers and partners can create cheqd DIDs, DID-Linked Resources, Status Lists, Trust Registries and Schemas, as well as use cheqd's Credential Payments model.

There are three core ways of integrating and building with cheqd:

What functionality does cheqd offer?

cheqd's identity functionality is fully standards compliant, ensuring interoperability and no vendor lock-in. cheqd's tooling and different product offerings offer a variety of building blocks for any Trusted Data Market.

Industry Standard DID Support

Get started with cheqd Studio

cheqd Studio is the easiest route to get started with cheqd's identity functionality, or for testing with very low integration effort. Using simple REST APIs, it is possible to integrate cheqd Studio in a few lines of code.

Understanding cheqd's capabilities

cheqd supports a wide array of standards and protocols via different Software Development Kits (SDKs) and integrations.

Understanding the structure of cheqd's packages

One of cheqd's primary motives is to make itself accessible to the widest set of identity applications possible. To accomplish this, cheqd has built a flexible set of packages and tooling to accommodate its identity capabilities into a broad set of external SDKs and applications.

These can be represented through the visual below:

Partner SaaS products

You can also leverage SaaS products from our partners that consume these underlying SDKs to build high-quality credential ecosystems on top of cheqd’s infrastructure:

Get involved

Please reach out to us there for discussions, help, and feedback on the project.

🙋 Find us elsewhere

Get Started with cheqd Studio

Get started with cheqd's API product offering for creating DIDs, trust registries and monetising credentials: cheqd Studio.

Introduction

cheqd Studio is a set of APIs, guides and tutorials to help users establish an end-to-end trusted ecosystem for digital credentials.

Using REST APIs, customers can build cheqd's trust infrastructure into existing applications. All of cheqd’s existing open-source libraries remain available, and cheqd Studio does not necessitate developers to switch their SSI stack in their entirety, but allows them to build into their existing tooling, for example alongside APIs such as the Universal Resolver.

Get started

Features

Understanding the different modes and client choices

With cheqd Studio, there are multiple ways it can be deployed and hosted to support clients with different requirements.

Option 1: Custodied by cheqd (Custodian Mode)

This mode is the most simple for users, allowing cheqd to custody both Cosmos AND Identity keys in Veramo KMS. This means that manages both ledger-writes and signing identity transactions on behalf of the customer.

To ensure this is highly secure, we have deployed an instance of a Veramo Key Management Store (KMS) which uses a Postgress DB (TypeOrm) to store Cosmos AND identity keys in one encrypted table, so it cannot be read in plaintext. This design allows us to segment different customers' keys securely and efficiently.

User optionality and toggles:

Within Custodian mode, we also enable clients to toggle

External Database

Clients are able to choose whether to use our default database for storing keys or utilise their own database.

By default, ENABLE_EXTERNAL_DB is set to off/false. To enable external Veramo KMS database, set ENABLE_EXTERNAL_DB to true, then define below environment variables in .env file:

EXTERNAL_DB_CONNECTION_URL: PostgreSQL database connection URL, e.g. postgres://<user>:<password>@<host>:<port>/<database>.
EXTERNAL_DB_ENCRYPTION_KEY: Secret key used to encrypt the Veramo key-specific database tables. This adds a layer of protection by not storing the database in plaintext.
EXTERNAL_DB_CERTIFICATE: Custom CA certificate required to connect to the database (optional).

API Authentication using LogTo

By default, the application has API authentication disabled (which can be changed in configuration). If, however, you'd like to run the app with API authentication features, the following variables need to be configured.

By default, ENABLE_AUTHENTICATION is set to off/false. To enable external Veramo KMS database, set ENABLE_AUTHENTICATION to true, then define below environment variables in .env file:

Endpoints
1. LOGTO_ENDPOINT: API endpoint for LogTo server
2. LOGTO_DEFAULT_RESOURCE_URL: Root of API resources in this application to be guarded. (Default: http://localhost:3000/api on localhost.)
3. LOGTO_MANAGEMENT_API: URL of management API for LogTo (default is https://default.logto.app/api)
4. CORS_ALLOWED_ORIGINS: CORS allowed origins used in the app
User-facing APIs
1. LOGTO_APP_ID: Application ID for the cheqd Studio application in LogTo. This can be set up as type "Traditional Web"
2. LOGTO_APP_SECRET: Application secret associated with App ID above.
Machine-to-machine backend APIs
1. LOGTO_M2M_APP_ID: Application ID for machine-to-machine application in LogTo. This is used for elevated management APIs within LogTo.
2. LOGTO_M2M_APP_SECRET: Application secret
1. LOGTO_DEFAULT_ROLE_ID: LogTo Role ID for the default role to put new users into.
2. LOGTO_WEBHOOK_SECRET: Webhook secret to authenticate incoming webhook requests from LogTo.
Miscellaneous
1. DEFAULT_CUSTOMER_ID: Customer/user in LogTo to use for unauthenticated users
2. COOKIE_SECRET: Secret for cookie encryption.

Option 2: Self-custodied (Client-managed mode)

Client-managed mode gives the cheqd Studio user the ability to utilise their own identity keys for signing identity transactions, while still allowing cheqd Studio to manage the CHEQ account keys for writing to the cheqd network. This mode is intended to be used for more production environments where the user signs each identity transaction independently, affording a greater level of security and control to the client.

Full client-managed mode is still in development and we will update this documentation as and when it becomes available

Architecture

Alternatives

Below are a list of alternatives for integrating with cheqd. Each offers a different set of protocols and underlying technical capabilities.

Set Up Your Account

Follow these steps to create your account on cheqd Studio and begin using our APIs securely.

The user is required to Log In to our cheqd Studio portal and then access their API key to authenticate with our APIs. The API key guards the API from unauthorized access and is required for both testing production environments.

Step 1: Get started with cheqd Studio

Head to our cheqd Studio and click Get Started.

Step 2: Create your account

Email and password
Google single sign-on
Discord login

Click Sign In or Create Account to continue.

Step 3: Create a new API key and authenticate with cheqd Studio APIs

Once signed in, create an API key from your account dashboard. This key is required to authenticate with cheqd Studio APIs and protects your environment from unauthorized access.

Step 4: Start using cheqd

Get started with our tutorials for cheqd Studio functionality.

Step 5: Select a Billing plan

Create API Keys

Generate API Keys to securely authenticate with cheqd Studio APIs.

API keys are unique data strings used to authenticate a user and enable access to privileged operations on cheqd Studio APIs. All cheqd Studio APIs use API keys as the mechanism to authenticate client requests. Your API key should be kept confidential and secure at all times.

Authentication is required for all API requests; without it, the requests will fail.
All API requests must be made over HTTPS.

🚧Keep Your API Keys Safe

Because our API keys allow access to cheqd Studio APIs, you must keep them secure at all times.

Ensure your API key is always stored securely as soon as it is initially generated.
Make sure to copy your API key into a secure place, such as a Password Manager.
Never share it or record it in a publicly accessible medium (client-side code, public repositories, etc.).

Caution: If you lose secure control of your API keys, your entity may not be able to access your created DIDs, DID-Linked Resources or Credential Payments.

Step 1: Sign into cheqd Studio

Follow the tutorial here to get started with your cheqd Studio account.

Step 2: Generate API key

Navigate to the "Developers" tab on cheqd Studio and select "Create an API Key". You are able to choose the expiry date of the API key, and it will automatically be set to expire 1 year from the current date.

Step 3: Use your API key to authenticate with cheqd Studio APIs

Navigate to the "APIs" tab and copy/paste your API key into the API key box towards the top of your page. This will enable you to authenticate with the cheqd Studio APIs, allowing users to use cheqd Studio APIs within their existing Billing Plan and usage limits.

Step 4: Start using cheqd

Get started with our tutorials for cheqd Studio functionality.

Token Top Up

Manually Top Up Your Account with CHEQ.

Users may exhaust their usage limits in their cheqd Studio billing plan, but may want to continue using the Studio before their usage limits refresh. Therefore, users can manually top up their account with CHEQ tokens to use any APIs that involve a ledger-write, e.g:

Creating, Updating or Deactivating DIDs
Creating unencrypted or encrypted Status Lists
Creating Trust Registries
Creating other DID-Linked Resources

Step 1: Locate your cheqd address (for CHEQ)

The following API can be used to fetch the new account information:

customer_id is used as an identifier for the particular customer using cheqd Studio. It is generated as a sub-field of the JWT token used in the authorization header.
cheqd_account is used to pay for identity transactions on either testnet or mainnet. A cheqd account is automatically generated when a new customer_id is generated.

Step 2: Adding CHEQ tokens to your account

If you exceed the usage limits in your cheqd Studio billing plan but want to continue using ledger-based functionality before your limits reset, you can manually top up your account using CHEQ tokens.

If you need to add CHEQ tokens to your cheqd Studio cheqd_account, there are a few steps you need to follow:

Mainnet

You will need to send CHEQ tokens from your new cheqd Wallet account to your cheqd_account address for using the Credential Service.

Testnet

It is unlikely that you will ever need to top up your Testnet account, as this is handled automatically. However, in the event that your Testnet account runs out of tokens, you can follow the step below.

Once you have successfully created an account and have topped up your CHEQ tokens, you are ready to get started!

Step 3: Continue using cheqd

Get started with our tutorials for cheqd Studio functionality.

Advanced Configuration Options

Advanced setup guide for running the cheqd Studio.

Run as standalone application using Docker Compose

docker compose -f docker/no-external-db/docker-compose-no-db.yml up --detach

This standalone service uses an in-memory database with no persistence, and therefore is recommended only if you're managing key/secret storage separately.

Run with external Key Management System (KMS) and/or authentication service using Docker Compose

Construct the postgres URL and configure the env variables mentioned above.

Configure PostgreSQL database

POSTGRES_USER: Username for Postgres database
POSTGRES_PASSWORD: Password for Postgres database
POSTGRES_MULTIPLE_DATABASES: Database names for multiple databases in the same cluster, e.g.: "app,logto". This sets up multiple databases in the same cluster, which can be used independently for External Veramo KMS or LogTo service.

Then, make the Postgres initialisation scripts executable:

chmod +x docker/with-external-db/pg-init-scripts/create-multiple-postgresql-databases.sh

Start LogTo service

Then, run the LogTo service to configure the LogTo application API resources, applications, sign-in experiences, roles etc using Docker Compose:

docker compose -f docker/with-external-db/docker-compose-with-db.yml --profile logto up --detach

Start credential-service app

Then, start the service using Docker Compose:

docker compose -f docker/with-external-db/docker-compose-with-db.yml up --detach

Running app or LogTo migrations

When upgrading either the external Veramo KMS or LogTo, you might need to run migrations for the underlying databases.

For example, to run cheqd Studio app migrations on an existing Postgres database (for external Veramo KMS):

docker compose -f docker/with-external-db/docker-compose-with-db.yml --profile app-setup up --detach

Or to run LogTo migrations on an existing Postgres database:

docker compose -f docker/with-external-db/docker-compose-with-db.yml --profile logto-setup up --detach

Build using Docker

docker build --file docker/Dockerfile --target runner . --tag credential-service:local

Use Trust Registries for AI Agents

Design, Build and Validate Trust Registries for AI Agents on cheqd.

Get Started

cheqd Trust Registries can be designed and built by companies that create AI agents, and verified by users of AI agents. Select your user type below to begin:

What are Trust Registries for AI Agents?

Trust Registries play a critical role in establishing trust for AI Agents. Acting as authoritative databases, they can verify the AI Agent is accredited and authorised to carry out certain actions, ensuring transparency and accountability.

Here’s how they support the AI ecosystem:

Accreditation of AI Agents: Trust Registries maintain verified records of AI agents, ensuring that they are accredited by trusted organisations or ecosystems. Through accreditations, these trust registries validate that AI agents are legitimate and scope the permissions under which the AI agent can operate within.
Transparency: Trust Registries enable users and organisations to query and verify the origins and accreditations of AI systems they engage with. By providing a publicly accessible record of trusted AI agents, Trust Registries empower stakeholders to assess the credibility and history of an AI system before utilising it. This enhances confidence in the system, especially when the AI’s decisions impact sensitive areas like personal data or legal outcomes.
Governance: Trust Registries also serve as a governance tool, ensuring that AI developers and platforms are held accountable for their actions. By maintaining a registry of accredited AI systems, these registries can track the ongoing compliance of AI agents, making it easier to enforce ethical standards and regulatory requirements. In the event of a failure or harm caused by an AI agent, Trust Registries offer a clear point of reference for auditing and resolving accountability issues.

cheqd has developed a robust Trust Registry solution, enabling users to establish hierarchical chains of trust, with each registry entry being DID-resolvable for enhanced transparency and security.

Capabilities of cheqd's Trust Registries for AI Agents

cheqd’s Agentic Trust combine and build upon tried and tested capabilities, already deployed at scale:

Integrations with popular AI/ML tooling, such as MCP servers for easing how AI agents can interface with decentralised identity.
Work with our SaaS (cheqd Studio) or Software Development Kits (SDKs) depending on your desired level of control versus simplicity.
SDKs in multiple software languages to suit preferences / skillsets.
Industry-leading whilst interoperable capabilities. e.g. DIDs, DID-linked resources, and Trust Registries.

Components of cheqd's AI Trust Registry Solution

Authorities can author trust registries and issue identifiers to agents using:

cheqd studio (SaaS APIs) for easy and quick integration with no deployment requirements
SDKs for more control and tighter integration

Agent frameworks, deployments or end-users can use:

Model Context Protocol (MCP) to surface responses directly to users via the agent, including a /who_is command which has the agent verify itself.
Hosted TRAIN APIs to verify Agent accreditations.
SDKs to hold & proof credentials, including verifying signatures.

Establishing a Trust Hierarchy

cheqd's Trust Registry model is predicated on the notion of a trust hierarchy, which is conceptually very similar to traditional Public Key Infrastructure (PKI). Specifically, the model relies on a Root of Trust from which trusted relationships can be established.

In our model for AI Agents, each organisation in the trust hierarchy is able to issue Verifiable Accreditations to other entities, conveying a set of permissions or scopes that determine what the recipient entity is permitted to do.

The following diagram shows an example of how an AI Agent Creator can accredit two AI Agents lower in the hierarchy:

Through this type of relationship, an AI Agent can prove that it is accredited by an AI Agent Creator through presenting the Verifiable Accreditation, which is stored on the cheqd blockchain.

Similarly, an AI Agent creator can prove that it is also trustworthy, demonstrating that it is a real actor rather than a fraudulent actor. In the diagram below, a Governance Authority (such as an accreditation body for AI Agent Creators) can accredit AI Agent Creators directly.

Therefore, relying parties can query the accreditations of AI Agents all the way back to a Root of Trust.

Use cases for AI Agent Trust registries

Below are a series of use cases to which this solution architecture can be applied:

Use-case

Description

Governance authority

(Governance authority issued) Verifiable Accreditation

Organisation

(Organisation issued) Verifiable Accreditation

Ownership / representation

Verification of which agents are approved to represent which company for a given scope.

Group company

Company relationship

Subsidiary

Scope of representation

Agent Bill of Materials

Verifiable proof of the “supply chain” of an AI Agent, including who, how and when it was developed, trained, and deployed.

Framework

Agent Bill of Materials (e.g. model, corpus, used)

Not applicable

Regulatory compliance

Verifiable compliance with a given regulatory scheme for a given period.

Government (e.g. EU)

Authority to audit against EU AI Act

Auditor

Agent Compliance Certificate

Industry standard compliance

Verifiable compliance with an industry-body administered scheme.

Industry body (e.g. DAIAA, SAIA)

Agent Compliance Certificate (issued to Agent)

Not applicable

Security audit

Proof of a suitable and reputable security audit.

Security company

Agent Compliance Certificate (issued to Agent)

Not applicable

Generic trust check

The ability to state that a company or AI Agent trusts another for a given context.

Any organisation

“I trust this organisation”

Any organisation

“I trust this agent”

Learn more about cheqd's Trust Registry model

Read through some of our guides below to getting setup with trust registries on cheqd:

Build an AI Agent Trust Registry

Build an AI Agent Trust Registry on cheqd.

Building a Trust Registry for your AI Agent is split into two core flows that are distinct, but also contain some overlapping dependencies:

Design and Build of Trust Registry

The Trust Registry is set up using our cheqd Studio APIs. Each ecosystem wanting to use our AI Agent trust registries should plan how the trust chain should be structured.

Setup and Configuration of MCP Server

Builders can use the cheqd MCP server to provision an AI Agent its own DID and to provision Verifiable Credentials to the AI Agent's wallet.

Get started with the setup of your AI Agent Trust Registry using the guides below:

Learn more about cheqd's Trust Registry model

Read through some of our guides below to getting setup with trust registries on cheqd:

Issue Verifiable Credentials to AI Agent

Issue a Credential to an AI Agent using cheqd's APIs.

Once you have created your Trust Registry for the accreditation and authorisation of the organisations in your ecosystem, you can issue a credential to your AI Agent.

Step 1: Create DID for AI Agent

Each AI Agent must have its own DID to securely receive and manage credentials and accreditations. This identification allows the AI Agent to cryptographically control these credentials and accreditations.

Step 2: Choose Schema for Credential

You must decide which schema to use for the credential you are issuing to the AI Agent. You should make sure that you, as an issuer, are accreditedToAttest for the specific credential schema you want to use.

Step 3: Compile Credential Request

To ensure the AI Agent's credentials are demonstrably verifiable to a root of trust, certain steps are essential in the credential issuance process.

For subjectDid use the DID created in Step 1.

An example of the request format is below:

{
  "issuerDid": "did:cheqd:testnet:0a35d559-00ff-41b6-81ad-f64faa522771", // DID of Trusted Issuer
  "subjectDid": "did:cheqd:testnet:a7e8bf7c-9d97-4b1e-a7bb-43a6754aafbf", // DID of AI Agent
  "attributes": {
      "aiAgentName": "ChatGPT-4 Turbo",
      "aiAgentVersion": "4.0-turbo",
      "model": "GPT-4 Turbo",
      "modelVersion": "4.0",
      "contextWindow": 128000,
      "temperature": 0.7,
      "topK": 40,
      "topP": 0.9,
      "maxTokens": 4096,
      "fineTuned": false,
      "fineTuningDetails": null,
      "safetyRating": "ISO 42001 Certified",
      "evaluationMetrics": [
        "BLEU-4",
        "ROUGE-L",
        "F1 Score: 92.5%"
      ],
      "certificationAuthority": "AI Ethics Board",
      "validUntil": "2026-03-28T12:00:00Z"
  },
  "type": [
    "VerifiableCredential",
    "VerifiableAttestation",
    "AIAgentAuthorisation"
  ],
  "format": "jwt",
  "credentialSchema": "https://resolver.cheqd.net/1.0/identifiers/did:cheqd:testnet:c6630f1e-9248-4af6-b7ac-5bcaf646f213?resourceName=AIAgentAuthorisation&resourceType=JSONSchemaValidator2020",
    "termsOfUse": {
      "type": "AttestationPolicy",
      "parentAccreditation": "did:cheqd:testnet:0a35d559-00ff-41b6-81ad-f64faa522771?resourceName=AccreditationToAttest&resourceType=VerifiableAccreditationToAttest",
      "rootAuthorisation": "did:cheqd:testnet:c6630f1e-9248-4af6-b7ac-5bcaf646f213?resourceName=OrganisationAuthorisationForAIAgents&resourceType=VerifiableAuthorisationForTrustChain"
    }
}

The table below breaks down what components are required and why they are needed:

Field

Required?

Description

issuerDid

Yes

The Issuer DID issuing the credential to the AI Agent

subjectDid

Yes

The DID of the AI Agent

attributes

Yes

The specific permissions, scopes or attributes you want to issue to the AI Agent

type

Yes

The type of credential. This should match the types the issuer is accredited to issue,

format

Defaults to VC JWT

credentialSchema

Yes

The credential schema matching the attributes of the credential

termsOfUse

Yes

Pointers to the accreditations of the issuer

type

Yes

Must be attestationPolicy

parentAccreditation

Yes

Must point to the accreditation of the Issuer, matching the credential type and schema

rootAuthorisation

Yes

Must point to the root authorisation that has accredited DIDs higher in the trust chain.

Step 4: Issue Verifiable Credential to AI Agent

Issue the compiled credential using the cheqd studio API enpoint below:

(Optional) Step 5: Publish Credential Response as a DID-Linked Resource

The Issuer, after issuing the credential to the AI Agent, may publish the response (the fully formatted verifiable credential) as a DID-Linked Resource.

The response format should look like the following example, including a proof (signed by the issuer).

{
  "credentialSubject": {
    "aiAgentName": "ChatGPT-4 Turbo",
    "aiAgentVersion": "4.0-turbo",
    "model": "GPT-4 Turbo",
    "modelVersion": "4.0",
    "contextWindow": 128000,
    "temperature": 0.7,
    "topK": 40,
    "topP": 0.9,
    "maxTokens": 4096,
    "fineTuned": false,
    "fineTuningDetails": null,
    "safetyRating": "ISO 42001 Certified",
    "evaluationMetrics": [
      "BLEU-4",
      "ROUGE-L",
      "F1 Score: 92.5%"
    ],
    "certificationAuthority": "AI Ethics Board",
    "validUntil": "2026-03-28T12:00:00Z",
    "id": "did:cheqd:testnet:a7e8bf7c-9d97-4b1e-a7bb-43a6754aafbf"
  },
  "issuer": {
    "id": "did:cheqd:testnet:0a35d559-00ff-41b6-81ad-f64faa522771"
  },
  "type": [
    "VerifiableCredential",
    "VerifiableAttestation",
    "AIAgentAuthorisation"
  ],
  "termsOfUse": {
    "type": "AttestationPolicy",
    "parentAccreditation": "did:cheqd:testnet:0a35d559-00ff-41b6-81ad-f64faa522771?resourceName=AccreditationToAttest&resourceType=VerifiableAccreditationToAttest",
    "rootAuthorisation": "did:cheqd:testnet:c6630f1e-9248-4af6-b7ac-5bcaf646f213?resourceName=OrganisationAuthorisationForAIAgents&resourceType=VerifiableAuthorisationForTrustChain"
  },
  "credentialSchema": "https://resolver.cheqd.net/1.0/identifiers/did:cheqd:testnet:c6630f1e-9248-4af6-b7ac-5bcaf646f213?resourceName=AIAgentAuthorisation&resourceType=JSONSchemaValidator2020",
  "@context": [
    "https://www.w3.org/2018/credentials/v1"
  ],
  "issuanceDate": "2025-04-04T02:43:52.000Z",
  "proof": {
    "type": "JwtProof2020",
    "jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSJdLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiQUlBZ2VudEF1dGhvcmlzYXRpb24iXSwiY3JlZGVudGlhbFN1YmplY3QiOnsiYWlBZ2VudE5hbWUiOiJDaGF0R1BULTQgVHVyYm8iLCJhaUFnZW50VmVyc2lvbiI6IjQuMC10dXJibyIsIm1vZGVsIjoiR1BULTQgVHVyYm8iLCJtb2RlbFZlcnNpb24iOiI0LjAiLCJjb250ZXh0V2luZG93IjoxMjgwMDAsInRlbXBlcmF0dXJlIjowLjcsInRvcEsiOjQwLCJ0b3BQIjowLjksIm1heFRva2VucyI6NDA5NiwiZmluZVR1bmVkIjpmYWxzZSwiZmluZVR1bmluZ0RldGFpbHMiOm51bGwsInNhZmV0eVJhdGluZyI6IklTTyA0MjAwMSBDZXJ0aWZpZWQiLCJldmFsdWF0aW9uTWV0cmljcyI6WyJCTEVVLTQiLCJST1VHRS1MIiwiRjEgU2NvcmU6IDkyLjUlIl0sImNlcnRpZmljYXRpb25BdXRob3JpdHkiOiJBSSBFdGhpY3MgQm9hcmQiLCJ2YWxpZFVudGlsIjoiMjAyNi0wMy0yOFQxMjowMDowMFoifSwidGVybXNPZlVzZSI6eyJ0eXBlIjoiQXR0ZXN0YXRpb25Qb2xpY3kiLCJwYXJlbnRBY2NyZWRpdGF0aW9uIjoiZGlkOmNoZXFkOnRlc3RuZXQ6MGEzNWQ1NTktMDBmZi00MWI2LTgxYWQtZjY0ZmFhNTIyNzcxP3Jlc291cmNlTmFtZT1BY2NyZWRpdGF0aW9uVG9BdHRlc3QmcmVzb3VyY2VUeXBlPVZlcmlmaWFibGVBY2NyZWRpdGF0aW9uVG9BdHRlc3QiLCJyb290QXV0aG9yaXNhdGlvbiI6ImRpZDpjaGVxZDp0ZXN0bmV0OmM2NjMwZjFlLTkyNDgtNGFmNi1iN2FjLTViY2FmNjQ2ZjIxMz9yZXNvdXJjZU5hbWU9T3JnYW5pc2F0aW9uQXV0aG9yaXNhdGlvbkZvckFJQWdlbnRzJnJlc291cmNlVHlwZT1WZXJpZmlhYmxlQXV0aG9yaXNhdGlvbkZvclRydXN0Q2hhaW4ifSwiY3JlZGVudGlhbFNjaGVtYSI6Imh0dHBzOi8vcmVzb2x2ZXIuY2hlcWQubmV0LzEuMC9pZGVudGlmaWVycy9kaWQ6Y2hlcWQ6dGVzdG5ldDpjNjYzMGYxZS05MjQ4LTRhZjYtYjdhYy01YmNhZjY0NmYyMTM_cmVzb3VyY2VOYW1lPUFJQWdlbnRBdXRob3Jpc2F0aW9uJnJlc291cmNlVHlwZT1KU09OU2NoZW1hVmFsaWRhdG9yMjAyMCJ9LCJzdWIiOiJkaWQ6Y2hlcWQ6dGVzdG5ldDphN2U4YmY3Yy05ZDk3LTRiMWUtYTdiYi00M2E2NzU0YWFmYmYiLCJuYmYiOjE3NDM3MzQ2MzIsImlzcyI6ImRpZDpjaGVxZDp0ZXN0bmV0OjBhMzVkNTU5LTAwZmYtNDFiNi04MWFkLWY2NGZhYTUyMjc3MSJ9.z9xTp5dSMACTLhrAsO-RBjcmaJJvWHqD6_78FTjaOkBroAMS0f8NlvpIrC7CGojkzCv_T8M_VBexzXU9I8JKAg"
  }
}

You can follow the tutorial below to publish your issued credential as a DID-Linked Resource. Generally we suggest the resourceType of VerifiableAttestation for credentials issued to AI Agents.

This will store the schemas securely on the cheqd Network, where they can be fetched using DID URLs.

Step 5: Provision Verifiable Credential into AI Agent using MCP server

To complete the setup of your AI Agent trust registry and its associated credential, the final step is to provision this credential directly into the AI Agent's wallet using our MCP Server. Follow the tutorial below to finalize your setup!

Setup and Configure MCP Server

Setup and Configure your MCP Server to begin using cheqd's identity functionality with your AI Agent.

This is an advanced guide for those who want to integrate AI Agents with the Cheqd Network to create DIDs, Issue Verifiable Credentials and store Verifiable Credentials.

Overview

Our MCP server is designed as a modular toolkit that can be easily integrated with existing AI workflows, particularly through Claude Desktop, Cursor, and other MCP-compatible client applications.

Benefits of using MCP with cheqd

Enhanced AI Trust and Verification: Enable AI agents to create, resolve, and verify decentralised identities, establishing a foundation of trust for AI interactions.
Verifiable Credential Management: Simplify the issuance, verification, and management of verifiable credentials through standardised tools.
Decentralised Identity Operations: Leverage cheqd's blockchain infrastructure for creating and managing DIDs with cryptographic security.
Standardised AI Context: Utilise the Model Context Protocol to provide structured and verifiable context for AI interactions.
Human-in-the-loop Security: MCP's approval-based tool execution model ensures humans maintain oversight of sensitive identity operations.
Interoperable Integration: Seamlessly connect with existing identity ecosystems through the cheqd network and Credo Toolkit.

Integration with Credo Toolkit

DID Management: Create, update, resolve, and deactivate DIDs on the cheqd network.
Resource Operations: Create and resolve DID-linked resources.
Schema Management: Define and retrieve credential schemas for standardised credential formats.
Connection Management: Establish secure DIDComm connections between identity holders and verifiers.
Credential Issuance: Generate and issue verifiable credentials with cryptographic proofs.
Verification Protocols: Implement zero-knowledge proof verification for enhanced privacy.

The Credo Toolkit abstracts the complexity of these operations, presenting them as simple, well-documented MCP tools that can be invoked by AI agents with appropriate permissions. By leveraging the Credo Toolkit integration, the MCP server provides comprehensive tools for managing the full lifecycle of decentralised identifiers (DIDs) and verifiable credentials on the cheqd network.

Target Use Cases and Scenarios

The Cheqd MCP Server is particularly well-suited for scenarios requiring trusted AI interactions with verifiable identity information:

AI-Assisted Identity Verification: Enable AI agents to verify user identities through cryptographically secured credentials.
Credential Issuance Workflows: Streamline the creation and issuance of verifiable credentials through AI-guided processes.
Trusted Data Exchange: Facilitate secure sharing of verified data between organisations using AI intermediaries.
Identity-Aware AI Systems: Build AI applications that respect privacy and understand the provenance of identity information.
Cross-Domain Verification: Enable verification of credentials across different systems and networks through the cheqd infrastructure.
Self-Sovereign Identity Management: Support user control over identity information while enabling AI assistance for complex operations.

Getting Started

Prerequisites

Working understanding of cheqd network: Understanding of DID operations and verifiable credentials.
Node.js 20 or higher (if running using npx).
Docker Desktop (if running using docker). This is preferred when running the ACA-Py demo.

Quick Start: Use the Remote MCP Server

The simplest way to get started with MCP and Trust Registry verification is to use our hosted remote MCP server.

Configuration

Open your Claude Desktop configuration file:
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
Or, for Cursor .cursor/mcp.json
Add the following configuration:

Save the file and restart Claude Desktop.
You should now see the Trust Registry verification tools available in Claude Desktop/ Cursor.

Alternative: Local Installation (For Developers)

If you prefer to run the MCP server locally, with more control on the configuration and environment variables, you can run locally using docker.

1. Get the code

Get the docker-compose.yaml specially designed for Claude Desktop:

2. Create Configuration File

Update your local env.example file with the required environment variables:

Replace your-testnet-mnemonic with a valid mnemonic for the cheqd testnet. You can generate one using the cheqd CLI or get one from the cheqd faucet.

Server Configuration Options

Credo Tool Configuration Options

3. Update Claude Config

Add the following configuration to your claude_desktop_config.json or .cursor/mcp.json

4. Restart Claude Desktop

When successfully started, the MCP tools will be available.

Using the MCP with Trust Registry

Once configured, you can interact with the Trust Registry through Claude by:

Using the verify-trust-registry tool to verify credentials against the Trust Registry
Running a verification check for a cheqd DID or credential

Next Steps

Now that you have the Cheqd MCP Server running, you can:

Explore the available tools for DID management and credential operations
Create your first verifiable credential using the provided tools
Set up a complete identity verification workflow

Create AI Agent DID

Use the cheqd MCP server to provision your AI Agent its own DID.

⚠️ Before you begin...

After the MCP server is running and Claude Desktop (or any MCP Client) is connected, you can ask the agent to create a DID just by typing:

Hello agent, can you create a DID on cheqd testnet?

The agent may ask for human input to run the "create-did" MCP tool, please select "yes" or "allow".

What is happening under the hood?

Import Credential to AI Agent

Accept a JWT Credential into the AI Agent's wallet.

Copy the JWT token and ask Claude Desktop (or any your choice of MCP Client) to accept the credential as follows:

Can you accept the credential from this JWT token "eyJhbGciOiJFZ....."

Claude/Client should use the import-credential tool to add this credential to it's wallet as shown below:

What is happening under the hood?

Advanced functionality

Advanced functionality for cheqd's MCP Server.

We have built additional functionality into the MCP Server for other use cases, including:

Issue a Verifiable Credential

Tutorial: Issue a Verifiable Credential using MCP Toolkit

Follow these instructions to Issue a new Credential from your MCP Client (e.g. Claude Desktop) using the MCP Toolkit.

⚠️ Before you begin...

Step 1: Start your Holder Agent

// from mcp-toolkit folder 
cd docker
docker compose --profile demo up -d

Step 2: Create Connection between Holder and Claude Desktop.

Although, either agents can start the connection, in this tutorial we will start the invite from Holder.

Parameters and Request Body

For automated acceptance, pass the following parameters:

auto_accept

Set this to true.

A simple request body is below:

{
    "alias": "Faber",
    "handshake_protocols": ["https://didcomm.org/didexchange/1.1"],
    "use_public_did": false,
    "my_label": "Invitation to Faber"
}

Step 3: Claude Desktop accepts the invitation

Go to Claude Desktop, and accept the connection by pasting the invitation_url value.

Always "Allow for this chat" or "Allow once" when the prompt appears. This is a security feature to have human interaction for MCP tools.

Step 4: Ask Claude to issue a Credential

Now you can ask Claude Desktop to issue a Credential Offer to the connection. Claude will interpret the message automatically and do all the steps necessary to issue a Credential Offer.

For this tutorial, we asked Claude to create a credential offer with score as 80 and subject as Mathematics.

When all the steps are completed, a Credential Offer will be sent to Holder agent.

Step 5: Holder accepts and stores the Credential.

Parameters

Filter on "offer-received" state

state

Set this to "offer-received".

Copy and save the cred_ex_id from the response and pass that in the next request to Accept the Offer.

Now, store the received Credential into the Holder wallet.

Validate AI Agent Trust Chain

Verify and validate your AI Agent's trust with cheqd's MCP server and TRAIN.

⚠️ Before you begin...

To validate your AI Agent, you can simply use the whois prompt provided by the Cheqd MCP Server.

Then Click "Send" button without writing any other prompt:

You can also use /<mcp-server-name>:whois if using a CLI client:

The response should be similar to below. Claude/Client should use list-credentials to get the latest credentials from Agent's wallet, and then use verify-trust-registry tool to verify the credential.

Then present a summary of the credential:

Learn more about what's happening under the hood:

Under the hood, the MCP Server is using our trust registry validation engine called TRAIN to recursively verify the issuer of the credential, up to a root of trust.

If you do not want to use MCP, you can build and validate cheqd Trust Registries in any alternative application using our more generalised tutorials.

Read more about our Decentralized Trust Chain (DTC) approach and how TRAIN works below:

Start using cheqd

Integrate an SDK

Decentralized Trust Chains (DTCs)

Learn about Decentralized Trust Chains (DTCs) on cheqd.

Verifiable Credentials (VCs) are most commonly issued by legal entities to assert facts such as identity, qualifications, or authorisation. Their core purpose is to provide the Relying Party — the entity verifying the credential — with a Level of Assurance (LoA) that the claims within the credential are legitimate.

However, in practice, it’s often difficult for relying parties to determine whether a legal entity issuing a credential is authentic, or a fraudulent impersonation. There is no built-in mechanism in most credential ecosystems for verifying whether a DID-based issuer is recognised, authorised, or trustworthy.

Note: This lack of trusted issuer infrastructure is a critical blocker for many digital credential ecosystems — and a common reason why solutions stall before reaching production.

To fully establish trust, relying parties must be able to:

Identify who issued a credential
Understand whether the issuer was authorised to issue it
Trace who accredited the issuer, and under what governance framework

Introducing Decentralized Trust Chains (DTCs)

To solve this challenge, cheqd introduces a verifiable trust infrastructure called Decentralized Trust Chains (DTCs) — a model that complements and extends approaches like the EBSI Trust Chain Framework.

DTCs allow participants to create hierarchical chains of trust, where:

A Root Trusted Accreditation Organisation (rTAO) defines the governance model
Verifiable Accreditations delegate authority to other legal entities (e.g., TAOs, Trusted Issuers)
Verifiable Credentials are issued by accredited issuers, with embedded metadata that references the trust chain

Together, these components form a decentralized trust registry for each ecosystem.

Publicly Verifiable, Policy-Governed Trust

cheqd’s DTC model introduces both permissions and policies:

Permissions define what an entity is allowed to do (e.g. issue or accredit)
Policies define who granted that permission, under what framework, and with what legal or operational requirements.

This infrastructure is made publicly resolvable by publishing all authorisations and accreditations as DID-Linked Resources on the cheqd ledger. This means:

🧩 Trust relationships are machine-verifiable
🔍 Verifiers do not need prior knowledge of each entity
🛠️ Resolution follows W3C standards like DID-Core, DID Resolution and DID-Linked Resources.

The result: A scalable, cryptographically verifiable way to determine whether an issuer — and the credential they issue — can be trusted.

There are many terms used within this guide, and as such, familiarise yourself or refer back to the concepts within the glossary below:

Abbreviation

Term

Description

Accreditation Policy

A machine-readable policy embedded in a Verifiable Accreditation that defines the scope, conditions, and governance under which an entity is authorised to accredit others or issue Verifiable Credentials.

Attestation Policy

A machine-readable policy embedded in a Verifiable Credential that links the credential to the issuer’s accreditation and root authorisation, enabling verifiers to validate that the issuer was authorised to make the attestation.

DID

Decentralized Identifier

Legal entity identifier for Trust Registry, cannot be natural person in context of Trust Infrastructure

Governance Authority

The legal entity or consortia responsible for writing the Governance Framework. In many instances the Governance Authority is also a Root TAO

Governance Framework

A policy document outlining the purpose, roles, scopes and permissions for a given ecosystem using the Trust Infrastructure.

Root TAO (rTAO)

Root Trusted Accreditation Organization

A Root Trusted Accreditation Organisation (rTAO) is the top-level authority in a Decentralized Trust Chain responsible for defining the governance framework and issuing the Root Authorisation that anchors all downstream accreditations and attestations within the trust ecosystem.

TAO

Trusted Accreditation Organization

A Trusted Accreditation Organisation (TAO) is an entity accredited by a Root Trusted Accreditation Organisation (rTAO) or another TAO to govern a segment of the trust chain by issuing accreditations to other entities or authorising the issuance of Verifiable Credentials within a defined scope.

Trust Chain

Hierarchy of Verifiable Accreditations. Multiple Trust Chains may comprise a Trust Registry.

Trusted Issuer

A Trusted Issuer is an entity accredited within a Decentralized Trust Chain to issue domain-specific Verifiable Credentials, operating under the scope and governance defined by an upstream accreditation and the overarching trust framework.

Trust Infrastructure

The overall set of technical and governance components to establish end-to-end trust.

Verifiable Accreditation

A Verifiable Accreditation is a Verifiable Credential that delegates authority from one entity to another, specifying the types of credentials they are permitted to issue or the roles they are authorised to perform within a defined trust framework.

Verifiable Trust Model

Permissions with policies to either accredit, or to attest

Establishing a Trust Hierarchy

Decentralized Trust Chains are based on the concept of a hierarchical trust model, conceptually similar to traditional Public Key Infrastructure (PKI). At the top sits a Root of Trust, from which trust is delegated through a verifiable chain of credentials.

In this model, each participant is identified by a Decentralized Identifier (DID) and may be granted permission — via a Verifiable Accreditation — to accredit others or issue credentials themselves.

How the Hierarchy Works

Trust is delegated top-down through Verifiable Accreditations:

Role

Description

Root TAO (rTAO)

Issues Root Authorisations and initial Accreditations to other TAOs. Sets the governance baseline.

Trusted Accreditation Organisation (TAO)

Can accredit other TAOs or Trusted Issuers. Acts as an intermediary layer in larger ecosystems.

Trusted Issuer (TI)

Issues Verifiable Credentials to users/entities, based on permissions received from an upstream TAO.

The following diagram show how a Root TAO accredits two TAOs lower in the hierarchy:

Each role is cryptographically linked through issued Verifiable Credentials, creating a machine-verifiable trust path.

Verifiable Credentials & Policy Enforcement

Credentials are issued with a termsOfUse section that references an Attestation Policy, linking them back to the issuer’s accreditation and the root of trust.
Digital Wallets or agents can present these credentials for verification.
Verifiers can then resolve and validate the entire trust chain — from the issuer to the rTAO — using DID resolution and optional DNS anchoring.

Trust Infrastructure Roles and their Permissions

As shown in the diagram above, legal entities can play the following roles:

In a Decentralized Trust Chain, each legal entity assumes a defined role with clearly scoped permissions. While a single DID may represent multiple roles in simple ecosystems, every complete trust chain should include these three functional roles:
- Root Trusted Accreditation Organisation (rTAO)
- Trusted Accreditation Organisation (TAO)
- Trusted Issuer (TI)
Only the Trusted Issuer (TI) is permitted to issue domain-specific Verifiable Credentials (VCs).

Root Trusted Accreditation Organisation (rTAO)

The rTAO is the root of governance in a trust chain. It establishes the ecosystem’s rules and authorises who can issue or accredit within it.

Capabilities:

Issue a Root Authorisation that defines the Trust Framework
Self-accredit for governance or issuance
Accredit TAOs and TIs to delegate responsibility
Revoke accreditations from any participant in the trust chain

Credential Type:

VerifiableAuthorisationForTrustChain

Policy Type:

TrustFrameworkPolicy (included in termsOfUse)

A TAO manages a delegated segment of the trust chain under the rTAO. It may further accredit entities or take on the role of issuer if permitted.

Capabilities:

Accredit itself to issue VCs
Accredit other TAOs or Trusted Issuers
Revoke accreditations issued within its scope

Credential Type:

VerifiableAccreditationToAccredit

Policy Type:

AccreditationPolicy (included in termsOfUse)

A Trusted Issuer is an entity that issues domain-specific Verifiable Credentials under the conditions granted by its accreditation.

Capabilities:

Issue Verifiable Credentials to users or organisations
Only within the types, schemas, and jurisdictions defined in their accreditation

Credential Type:

VerifiableAccreditationToAttest

Policy Type:

AccreditationPolicy (accreditation) + AttestationPolicy (included in the issued credential’s termsOfUse)

Policies define the rules, permissions, and governance bindings for each layer of the trust chain. They are embedded into credentials via the termsOfUse field and fall into three types:

Policy Type

Used In

Purpose

TrustFrameworkPolicy

Root Authorisation

Defines the root governance model

AccreditationPolicy

Verifiable Accreditation

Constrains and describes the scope of authority

AttestationPolicy

Verifiable Credential

Links the credential back to the issuer’s accreditation and trust framework

How Policies are Linked

Root Authorisation includes a TrustFrameworkPolicy
Each Accreditation must reference:
- A parent AccreditationPolicy, or
- The original TrustFrameworkPolicy
Each Credential (Attestation) must reference:
- The AttestationPolicy pointing back to the issuer’s accreditation

This layered policy model enables verifiers to traverse and validate the entire trust chain — from a single credential back to a rTAO (optionally anchored in DNS) — while ensuring that all participants adhere to consistent governance and operational standards.

Trust Types in Decentralized Trust Chains

Trust Chains are constructed from three verifiable building blocks:

1. Authorisations

Define the rules of the ecosystem
Issued by the rTAO as a VerifiableAuthorisationForTrustChain
Reference the root governance framework

2. Accreditations

Grant permission to accredit or issue
Are always domain-specific and non-transferable
Must include an AccreditationPolicy in termsOfUse
Allow entities to govern or issue only within the authorised scope

3. Credentials (Attestations)

Assert facts (identity, qualifications, rights)
Must include an AttestationPolicy that:
- Links back to the issuer's accreditation
- Establishes a trust path to the root authority
Issuable only by accredited Trusted Issuers

In Summary:

Element

Purpose

Authorisations

Define the governance and policy rules at the root of the trust chain

Accreditations

Delegate trust authority for accreditation or credential issuance

Credentials (Attestations)

Assert verifiable facts within the scope of a governed trust framework

Get Started

Get started

Use cheqd Studio APIs to define, issue, and publish trust registry entries:

Create and manage Root Authorisations, Accreditations, and Attestations
Resolve trust chains in real time using standard DID resolution
Anchor trust registries on-chain while keeping business logic off-chain

For verification, use TRAIN to validate the trust registry to determine whether an issuer DID is accredited, and what they are accredited for — by traversing the full trust chain to its root.

Deploy TRAIN and Anchor rTAO in DNS

Deploy the DNS Zone Manager and anchor your Root DID in a DNS Zone.

Overview

To enable DNS-based verification of root authorities in your trust ecosystem, TRAIN relies on a component called the TDZM (Trust-DNS Zone Manager). This component manages DNS zones where Root Trusted Accreditation Organisations (rTAOs) can anchor their DIDs using TXT or TLSA records.

This page explains how to deploy TDZM, anchor your rTAO, and configure the environment to support trust chain resolution using DNS.

Why Anchor Your rTAO in DNS?

Anchoring your rTAO in DNS enhances trustworthiness and auditability by:

Providing cryptographic proof of domain control
Allowing trust validators (like TRAIN) to verify the root of the trust chain against public DNS records
Increasing assurance in ecosystems where DNS-based trust is required (e.g., public sector, federated networks)

Deployment Options

You can deploy TDZM in two ways:

Locally using Docker Compose
In a Kubernetes Cluster using Helm charts

Option 1: Run Locally with Docker Compose

This is the easiest way to run TDZM for development and testing.

Steps:

Navigate to the deploy/local directory in the TDZM repository.
Run the deployment script:

bashCopyEdit./deploy.sh build

The build flag is optional but recommended to ensure you’re running the latest version.

This will launch:

A Keycloak instance for authentication
The TDZM backend
The TDZM UI

Local Access

Option 2: Deploy in Kubernetes (Production)

TDZM can be deployed in a Kubernetes cluster using Helm charts for both the backend and UI.

Prerequisites

Kubernetes cluster with Nginx Ingress Controller
TLS certificates available as Kubernetes secrets OR A Let’s Encrypt cert issuer setup via Ingress

Configure DNS Delegation

Before TDZM can manage your trust zone, you must configure your DNS provider:

NS Record in the parent zone pointing to your TDZM instance Example:
```
CopyEdittrust.federation1.com. NS ns1.trust.federation1.com.
```
A Record resolving the nameserver to your TDZM server’s IP Example:
```
cssCopyEditns1.trust.federation1.com. A 192.0.2.4
```

These records must be added in the parent zone (e.g., federation1.com) for your trust zone to be valid (trust.federation1.com).

Helm Configuration: TDZM Backend

When deploying the backend, set the following values in your Helm values.yaml file:

Property

Description

Example

zoneConfig.TF_DOMAIN_NAME

DNS zone managed by TDZM

trust.federation1.com

zoneConfig.TF_DOMAIN_IP

IP address for the NS server

192.0.2.4

zoneConfig.PRIMARY_SERVER_NSD

Domain of the primary nameserver

ns1.trust.federation1.com

zoneConfig.PRIMARY_SERVER_IP

IP of the primary nameserver

192.0.2.4

authConfigFileContent.ISSUER_URL

OIDC issuer for JWT validation

https://auth.federation1.com

authConfigFileContent.CLIENT_ID

Allowed client ID

tzdm-client

authConfigFileContent.ALLOW_UNSAFE_SSL

Skip SSL validation (not recommended)

false

Note: TDZM requires a shared volume (ReadWriteMany) for pod scaling. Ensure your cluster supports this (e.g., via NFS).

Helm Configuration: TDZM UI

UI configuration options:

Property

Description

Example

zonemgr_url

Backend URL

http://tdzm-backend.namespace.svc.cluster.local

oidc_issuer_url

OIDC server URL

https://auth.federation1.com

oidc_client_id

OIDC client ID

tzdm-ui-client

oidc_client_secret

Client secret

super-secret-value

ui_host

Public UI domain

ui.trust.federation1.com

app_base_url_path

Must be /ui

/ui

Next Step: Anchor Your rTAO DID

Once TDZM is running and DNS is delegated:

Add a TXT record under your trust zone with the content linking your rTAO DID to the domain.
Example DNS entry:

arduinoCopyEdit_did.trust.federation1.com. TXT "did:cheqd:mainnet:rtao123"

This DNS record will allow TRAIN to resolve and validate the rTAO’s DID during trust chain verification.

Summary

Component

Description

TDZM Backend

Manages DNS records and trust zones

TDZM UI

Provides web interface to manage delegations

TRAIN

Uses TDZM-managed DNS records to validate rTAO identities

DNS Provider

Must delegate NS and A records to the TDZM zone manager

Validate Trust Chain

Validate the trust chain of a credential using TRAIN, to recursively traverse back to a Root of Trust, and determine the accreditations and authorizations of an issuer Decentralized Identifier (DID).

Overview

TRAIN is a trust validation service that evaluates the trustworthiness of Verifiable Credentials (VCs) by checking whether the issuer's Decentralized Identifier (DID) can be traced back to a trusted source—known as a root of trust.

Get started with TRAIN TTV API

Use the TRAIN APIs below to validate your trust chain:

What TRAIN Does

TRAIN's Trust Validator (TTV) validates credentials by:

Taking a Verifiable Credential (VC) as input.
Identifying the issuer DID from the credential.
Following the credential's trust chain, resolving links between DIDs, Verifiable Accreditations, and Trust Anchors.
Verifying whether the top-level (root) entity in the chain is a trusted source (e.g., DNS-anchored entity, government body, industry group).
Producing a trust assessment (e.g., valid/invalid, verified/unverified) that can be consumed by relying parties.

How TRAIN Uses the cheqd Trust Anchor

Within the cheqd network, Trust Anchors represent root entities that can authorize other issuers via Verifiable Accreditations. These accreditations form Decentralized Trust Chains, which TRAIN evaluates to determine if a credential is trustworthy.

TRAIN integrates the cheqd Trust Anchor model by:

Recognizing VerifiableAccreditation credentials as establishing authority between entities.
Resolving these links recursively up the chain until it reaches a root-level DID.
Checking whether the root DID is associated with a DNS-anchored Trust Anchor using DNSTrustFrameworkPointer entries.

Validation Logic

When TRAIN evaluates a credential issued within cheqd's ecosystem, it performs the following checks:

Credential Verification Validates the signature and schema of the input Verifiable Credential.
Trust Chain Resolution Follows the termsOfUse field and associated VerifiableAccreditation resources to build the credential’s trust chain.
Anchor Resolution Locates the root DID and evaluates whether it has a valid DNSTrustFrameworkPointer or other proof-of-authority reference (e.g., X.509 linkage).
Anchor Validation Confirms that the root DID’s association with a domain name is cryptographically anchored using DNS-based proofs (e.g., DNS TXT records or TLSA).
Policy Compliance (optional) Validates that the trust chain complies with local or domain-specific policy requirements (e.g., only accept credentials rooted in .gov domains).

TRAIN Trust Validator (TTV) Request Format

The following fields are used when submitting a request to the TRAIN Trustworthiness Validator (TTV). This validator checks whether the issuer of a Verifiable Credential is trustworthy by tracing their accreditations up a trust chain. The fields below are passed as JSON in the request body and instruct TRAIN on how to resolve and validate the issuer's authority and compliance with a defined trust policy.

Field

Required

Description

Example Value

issuer

✅ Yes

The DID of the issuer of the Verifiable Credential being validated. Must be a valid did:cheqd DID.

did:cheqd:testnet:975f1941-9313-41d4-ac8b-88fedda7ce80

type

✅ Yes

An array of credential types. The first must always be "VerifiableCredential"; any additional values represent the VC subtype.

[ "VerifiableCredential", "MuseumPassCredential" ]

termsofuse

✅ Yes

The policy name or type under which the credential is issued. Indicates which validation logic TRAIN should apply.

"AttestationPolicy"

parentAccreditation

✅ Yes

A DID URI pointing to the VerifiableAccreditation that proves the issuer was accredited by a higher authority (i.e. part of a trust chain).

did:cheqd:testnet:07b4e2cb-b0b8-444e-8ed4-b0920115a45e?resourceName=TrustedIssuerAccreditation&resourceType=VerifiableAccreditationToAttest

credentialSchema

❌ Optional

URI for a JSON schema to validate the structure of the credential. If not provided, TRAIN will use the schema defined in the accreditation itself.

https://resolver.cheqd.net/.../resourceName=MuseumPassCredentialSchema&resourceType=JsonSchemaValidator2018

DNSTrustFrameworkPointers

❌ Optional

A list of DNS domains used to verify that the root DID is also DNS-anchored. If not provided, TRAIN will still validate the root DID alone.

[ "cheqd.testtrain.trust-scheme.de" ]

TRAIN Trust Valdiator (TTV) Response Format

When a trust validation request is submitted, the TRAIN Trust Validator returns a structured JSON response describing the outcome of the trust chain evaluation. This includes the result of DNS anchoring checks (if requested) and the discovered trust framework that governs the credential's validation.

Below is a breakdown of each field returned in the response:

Field

Type

Description

Example

VerificationStatus

boolean

Indicates whether the root DID was successfully matched against a DNS record. Will only be true if DNS verification was performed and succeeded.

true

VerificationResult

object

Contains detailed information about the accreditation chain, root DID, and DNS verification process.

—

VerificationResult.AccreditorDIDs

string[]

An ordered array of DIDs representing each entity in the accreditation chain, from the VC issuer up to the root authority.

[ "did:cheqd:issuer", "did:cheqd:intermediary", "did:cheqd:root" ]

VerificationResult.FoundRootIssuerDID

string

The root DID at the top of the trust chain (i.e. the ultimate Trust Anchor).

"did:cheqd:testnet:b003df6f-ec8e-48dd-9a2b-7011c5cf0a5e"

VerificationResult.TrustFramework

string

A URL pointing to the governance or policy framework that governs this trust chain. This is sourced from the root authorisation (VerifiableAuthorisation).

"https://learn.cheqd.io/governance/start"

VerificationResult.TrustFrameworkId

string

A human-readable name or ID of the trust framework, also derived from the root authorisation metadata.

"cheqd Governance Framework"

VerificationResult.FindingCorrespondingDNSTrustFrameworkInitiated

boolean

Indicates whether TRAIN attempted to look up a DNS pointer associated with the root DID.

true

VerificationResult.VerifyRootIssuerDIDinDNS

boolean

Indicates whether the root DID was successfully verified via a DNS TXT/TLSA record.

true

Benefits of Using TRAIN with cheqd

Decentralized Assurance: No need to trust a single registry—chains of accreditations are independently verifiable.
DNS Anchoring: Leverages globally resolvable domain infrastructure to provide high-assurance validation.
Interoperable: Built on open standards like DIDs, VCs, and JSON-LD for compatibility with other ecosystems.

Sequence Diagram for Validation

Below is a sequence diagram showing how a request is fully validated.

Context for developing DID-Linked Resources

Understand the context and design decisions around why cheqd developed DID-Linked Resources (DLRs).

Understanding "Resources" in decentralised identity

For example, common types of resources that might be required to issue and validate Verifiable Credentials are:

Schemas;
Status lists;
Trust registries;
Visual Representations of Verifiable Credentials;
Documents; or
Logos

Schemas

{ 
    "@type": "http://schema.org/Person", 
    "http://schema.org/address": {   
        "@type": "http://schema.org/PostalAddress",   
        "http://schema.org/streetAddress": "123 Main St.",   
        "http://schema.org/addressLocality": "Blacksburg",   
        "http://schema.org/addressRegion": "VA",   
        "http://schema.org/postalCode": "24060",   
        "http://schema.org/addressCountry": "US" 
    }
}

This might also take the form of evidence schemes, which describe additional information about the processes used to validate the information presented in a Verifiable Credential in common, machine-readable format.

Status and Revocation Lists

Trust registries

Visual representations for Verifiable Credentials

Such visual representations can also be used to quickly communicate information visually during identity exchanges, such as airline mobile boarding passes.

While it’s useful to have digital credentials that can be verified cryptographically, the reality is that there are often occasions when a quick “visual check” is done instead. For example, when at an airport, an airline staff member might visually check a mobile boarding pass to direct people to the correct queue they need to join. The mobile boarding pass does get scanned at points like check-in, security, boarding etc., to digitally read the information, other scenarios where this is not done are equally valid. However, most Verifiable Credential formats do not explicitly provide such “human-friendly” forms of showing the data held in a credential.

Documents

More broadly, there are other types of resources that might be relevant for companies beyond SSI vendors, that want a way to represent information about themselves in an immutable and trustworthy way.

Logos

The current uses for resources are therefore very broad across the SSI ecosystem, and in addition, for other companies that may want to use DIDs to reference relevant information on ledger. For this reason, it is essential that the SSI community strengthens the way that resources are stored, referenced and retrieved in SSI ecosystems.

In our demo for IIW, we showed an IIW logo as a resource on-ledger, being used within the body of a Verifiable Credential. In the JSON below, you will be able to see the resources being used in both the "@context" and "logo" sections.

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://veramo.io/contexts/profile/v1",
    "https://resolver.cheqd.net/1.0/identifiers/did:cheqd:testnet:z6jKUJA5YcZsNxZgsrQPKPipL2FRTf4s/resources/a20aa56a-a76f-4828-8a98-4c85d9494545"
  ],
  "type": [
    "VerifiableCredential",
    "EventReservation"
  ],
  "issuanceDate": "2022-11-17T03:19:03.328Z",
  "credentialSubject": {
    "id": "did:key:z6MkwTr46BWU42YejmZrDDCbL127dBoxSXeLuaHS75vTCg7i"
  },
  "reservationId": "4810116769",
  "reservationStatus": "https://schema.org/ReservationConfirmed",
  "reservationFor": {
    "@type": "Event",
    "name": "Internet Identity Workshop IIWXXXV",
    "startDate": "2022-11-16T16:00:00",
    "endDate": "2022-11-18T00:00:00",
    "location": "Computer History Museum, 1401 N Shoreline Blvd, Mountain View, CA 94043",
    "logo": "https://resolver.cheqd.net/1.0/identifiers/did:cheqd:testnet:z6jKUJA5YcZsNxZgsrQPKPipL2FRTf4s/resources/8140ec3a-d8bb-4f59-9784-a1cbf91a4a35"
  },
  "issuer": {
    "id": "did:cheqd:mainnet:zAXwwqZzhCZA1L77ZBa8fhVNjL9MQCHX"
  },
  "proof": {
    "type": "JwtProof2020",
    "jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vdmVyYW1vLmlvL2NvbnRleHRzL3Byb2ZpbGUvdjEiLCJodHRwczovL3Jlc29sdmVyLmNoZXFkLm5ldC9kaWQ6Y2hlcWQ6dGVzdG5ldDp6NmpLVUpBNVljWnNOeFpnc3JRUEtQaXBMMkZSVGY0cy9yZXNvdXJjZXMvYTIwYWE1NmEtYTc2Zi00ODI4LThhOTgtNGM4NWQ5NDk0NTQ1Il0sInR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiLCJFdmVudFJlc2VydmF0aW9uIl0sImNyZWRlbnRpYWxTdWJqZWN0Ijp7ImlkIjoiZGlkOmtleTp6Nk1rd1RyNDZCV1U0Mlllam1ackREQ2JMMTI3ZEJveFNYZUx1YUhTNzV2VENnN2kifX0sIkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIiwiaHR0cHM6Ly92ZXJhbW8uaW8vY29udGV4dHMvcHJvZmlsZS92MSIsImh0dHBzOi8vcmVzb2x2ZXIuY2hlcWQubmV0L2RpZDpjaGVxZDp0ZXN0bmV0Ono2aktVSkE1WWNac054WmdzclFQS1BpcEwyRlJUZjRzL3Jlc291cmNlcy9hMjBhYTU2YS1hNzZmLTQ4MjgtOGE5OC00Yzg1ZDk0OTQ1NDUiXSwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIkV2ZW50UmVzZXJ2YXRpb24iXSwiaXNzdWFuY2VEYXRlIjoiMjAyMi0xMS0xN1QwMzoxOTowMy4zMjhaIiwiY3JlZGVudGlhbFN1YmplY3QiOnsiaWQiOiJkaWQ6a2V5Ono2TWt3VHI0NkJXVTQyWWVqbVpyRERDYkwxMjdkQm94U1hlTHVhSFM3NXZUQ2c3aSJ9LCJyZXNlcnZhdGlvbklkIjoiNDgxMDExNjc2OSIsInJlc2VydmF0aW9uU3RhdHVzIjoiaHR0cHM6Ly9zY2hlbWEub3JnL1Jlc2VydmF0aW9uQ29uZmlybWVkIiwicmVzZXJ2YXRpb25Gb3IiOnsiQHR5cGUiOiJFdmVudCIsIm5hbWUiOiJJbnRlcm5ldCBJZGVudGl0eSBXb3Jrc2hvcCBJSVdYWFhWIiwic3RhcnREYXRlIjoiMjAyMi0xMS0xNlQxNjowMDowMCIsImVuZERhdGUiOiIyMDIyLTExLTE4VDAwOjAwOjAwIiwibG9jYXRpb24iOiJDb21wdXRlciBIaXN0b3J5IE11c2V1bSwgMTQwMSBOIFNob3JlbGluZSBCbHZkLCBNb3VudGFpbiBWaWV3LCBDQSA5NDA0MyIsImxvZ28iOiJodHRwczovL3Jlc29sdmVyLmNoZXFkLm5ldC8xLjAvaWRlbnRpZmllcnMvZGlkOmNoZXFkOnRlc3RuZXQ6ejZqS1VKQTVZY1pzTnhaZ3NyUVBLUGlwTDJGUlRmNHMvcmVzb3VyY2VzLzgxNDBlYzNhLWQ4YmItNGY1OS05Nzg0LWExY2JmOTFhNGEzNSJ9LCJpc3N1ZXIiOnsiaWQiOiJkaWQ6Y2hlcWQ6bWFpbm5ldDp6QVh3d3FaemhDWkExTDc3WkJhOGZoVk5qTDlNUUNIWCJ9LCJzdWIiOiJkaWQ6a2V5Ono2TWt3VHI0NkJXVTQyWWVqbVpyRERDYkwxMjdkQm94U1hlTHVhSFM3NXZUQ2c3aSIsIm5iZiI6MTY2ODY1NTE0MywiaXNzIjoiZGlkOmNoZXFkOm1haW5uZXQ6ekFYd3dxWnpoQ1pBMUw3N1pCYThmaFZOakw5TVFDSFgifQ.U4vPbvdY7724a1jJwiDeCH_4_YC5sKUMcH6lY_XCVWBTE1RvYAnTj4fPHWMy6zSVFL9TAk4ZBOqFjKUtShBSCw"
  }
}

By clicking the image below, you will see that this is actually being pulled and resolved from the cheqd ledger:

Rationale for storing resources on-ledger

What are the problems with the way resources are stored?

The issue of centralisation affects resources providing extra context and information to support Verifiable Credentials. These resources, such as schemas and revocation lists, are often stored and referenced using centralised hosting providers.

Using centralised hosting providers to store resources may have a significant difference in the longevity and authenticity of Verifiable Credentials. For example, a passport (which typically has a 5–10 year validity) issued as a Verifiable Credential anchored to a DID (regardless of whether the DID was on-ledger or not) might stop working if the credential schema, visual presentation format, or other necessary resources were stored off-ledger on traditional centralised storage.

DIDs could be tampered by compromising the hosting provider: DIDs and DID Documents ("DIDDocs") stored at a centralised web endpoint can be compromised and replaced by malicious actors.
Hosting providers could unilaterally cease to host particular clients: Hosting providers could terminate accounts due to factors such as non-payment of fees, violation of Terms of Service, etc.
Single point-of-failure in resiliency: Even for highly-trusted and sophisticated hosting providers who may not present a risk of infrastructure being compromised, a service outage at the hosting provider can make a DID anchored on their systems inaccessible.

Single points of failure

Even for highly-trusted and sophisticated hosting providers who may not present a risk of infrastructure being compromised, a service outage at the hosting provider can make a resource anchored on their systems inaccessible.

Link rot

This illustrates that link rot can affect a significant proportion of links in a relatively small amount of time, and once again, looking at how resources are currently stored in SSI ecosystems, if the resource locations are moved and the links are broken, the Verifiable Credentials relying on these resources become unusable. Therefore, resources, once defined, should be architected to be used and referenced indefinitely, without being changed.

Tamper-evident changes and censorship resistance

Finally, the centralised way that resources are currently stored and managed is not immutable, and as a result, it is liable to tampering. For example, if a hosting provider is compromised, or if malicious actors are working for the company, resources may be changed and previous resource versions may be purged from the central database.

As we move towards a new web infrastructure with Web 3 (and beyond…), and as more projects leverage blockchain and distributed ledgers, it’s important not to port the previous issues of the web, and instead find novel ways to better manage information, with longevity in mind. This is why at cheqd, we have decided to redesign the way resources are captured on the ledger.

Semantic Linkage

Solutions that do currently store schemas on ledger (e.g., Hyperledger Indy) don't have semantic linkage between old and new versions. In this instance, current ledgers allow new versions to be made but don't offer an easy way for client apps to discover linkages as they evolve over time.

Addressing risk vectors using DID-Linked Resources

We took the following design principles into consideration, along with an explanation of how we addressed them:

Built using existing, familiar DID Core Spec patterns: Wherever possible, our design attempts to utilise existing patterns and behaviours within the W3C DID Core specification (such as the use of DID URLs to identify resources), instead of trying to implement proprietary/custom approaches. We believe that similar designs could be adopted by other DID methods if they choose.
Protection against linkrot for long-term retrieval: Any Resource stored on-ledger is replicated across multiple nodes.
1. If any individual node or endpoint is down, lookup requests can be sent to any other node on the network.
2. In a catastrophic scenario where the network itself stops to exist, e.g., companies shutting down, getting acquired etc the on-ledger data can still be restored by digital archivists using ledger snapshots. A practical example of this is how Cosmos Hub makes historical chain archives available which can be restored. While this can be cumbersome, we wanted to design for this as a fail-safe.
Extensible by default: Our objective was to build a flexible design pattern that allowed developers to define and extend their own resource types. Trying to control what kinds of resources could be written to ledger would make the ledger-side logic complex. Instead, we opted for a design where the cheqd ledger acts agnostically to store resources, as long as correctly authorised, as a permanently-accessible endpoint.
Design for DID-spec "dumb" as well as DID-spec "smart" client applications: Many approaches in this space assume that client applications must be adept at parsing DIDDocs and resolving complex inter-DIDDoc relationships. We saw describing resources using DIDDocs as metadata about the resource which could be independently-parsed by "smart" client applications; while also providing a fallback approach for "dumb" client applications. We internally considered this as "What if an identity wallet understood how to parse JSON, but didn't understand the DID Core spec?"
Version controlled: The ability to evolve a resource over time is critical for identity use cases. As described above, examples of this include when identity document schemas change, logos evolve, etc. Current approaches (such as Hyperledger Indy CredDefs) deal with this by creating entirely new, unlinked resources. We designed to make it easy, using existing DID Core specification techniques, so that client applications could query "What was the version of a resource with this name on this date/time?"

Technical composition of DID-Linked Resources

Understand the technical composition of DID-Linked Resources (DLRs) on cheqd.

Formatting a Resource

Using UUIDs, we can have a high level of confidence that no two identical resource IDs will ever be created. This is important for ensuring the integrity and uniqueness of each individual resource.

Figure 1: DID-linked Resource DID URL path

This will be explained further in the section on DID URL dereferencing to fetch a resource.

Understanding the DID and Collection relationship

Resources are organised into groups called "Collections". Each DID may have an associated Collection, and the Collection ID is derived from the unique identifier of the DID.

Collections can store any type of Resource, but for the purpose of this documentation we will focus on the use case where the Collection is used for storing a set of schemas.

The most important concept used in this design is that each on-ledger Collection is identified using a DID and is described using a DID Document.

The DID Document acts as metadata, providing information about the Collection, such as who is able to update it, when it was created and what are the latest and deprecated versions of Resources within the Collection.

For example, the following DID:

did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d

will derive the Collection ID: 1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d

Figure 2: Relationship between a DID and Resource Collection

A Collection is created using a createResource transaction, and specifying the Collection ID as the same identifier as that of the parent DID.

Creating a Resource inside a Collection, associated with a DID

To create a "DID-Linked Resource", you must already have created a 'parent' DID, from which the Collection ID can be derived. When you carry out the createResource transaction, you must:

Generate a new, unique UUID for the Resources
Specify the same Collection ID as the unique identifier of the parent DID
Sign the createResource transaction with the Verification Method keys of the parent DID.

This is shown in the diagram below:

Figure 3: Relationship between a DID and DID-linked Resource

Example of createResource transaction using Veramo SDK:

{
    "kms": "local",
    "payload": {
        "collectionId": "1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d",
        "id": "f3d39687-69f5-4046-a960-3aae86a0d3ca",
        "name": "PassportSchema",
        "version": "", // optional
        "resourceType": "CL-Schema",
        "alsoKnownAs": [], // optional alternative URIs
        "data": "SGVsbG8sIHdvcmxk" // base 64 encoded file 
    },
    "signInputs": [{
        "verificationMethodId": "did:cheqd:testnet:z4ZUuPbs1xyK7y8d#key-1",
        "keyType": "Ed25519",
        "privateKeyHex": "0f5c124886178037952e87e0cdc55d185732577fca19ae877e64ac9ab24a0cc534e5326e70f1a42d785d93048aee806c359ec75a7b06f39253befd1746708438"
    }]
}

Linking DIDs to Resources and Collections

Multiple, DID-Linked Resources can be stored in a Collection, for example, this could be different versions of the same Resource over a period of time or semantically-linked resources. This enables unique resources to be stored directly on-ledger and be retrievable through DID resolution and dereferencing.

Once you have created a resource, the DID Document will automatically reference the resource and the collection within the didDocumentMetadata in a newly defined section called linkedResourceMetadata.

This relationship is shown in the diagram below:

Figure 4: DID Document metadata with DID-linked Resource metadata

For simplicity, we will focus on the use case where a Resource is a schema. The same logic used in fetching schemas from the ledger can be applied to any of the aforementioned types of Resources.

The syntax of a Resource metadata for a single schema is as follows:

"linkedResourceMetadata": [
  {
    "resourceURI": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d/resources/f3d39687-69f5-4046-a960-3aae86a0d3ca",
    "resourceCollectionId": "1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d",
    "resourceId": "f3d39687-69f5-4046-a960-3aae86a0d3ca",
    "resourceName": "PassportSchema", // First version of a Resource called PassportSchema
    "resourceType": "CL-Schema",
    "mediaType": "application/json",
    "created": "2022-07-19T08:40:00Z",
    "checksum": "7b2022636f6e74656e74223a202274657374206461746122207d0ae3b0c44298",
    "previousVersionId": "", // empty string if no previous version, otherwise, resourceId of previous version
    "nextVersionId": "", // null if no new version, otherwise, resourceId of new version
  }
]

Media Types allowed in Resources

Resource Request Parameters

The following list defines which specific parameters a resource request format may contain:

Parameter

Description

resourceUri

resourceCollectionId

A string that conforms to a cheqd-supported unique identifier format. For example a UUID: 46e2af9a-2ea0-4815-999d-730a6778227c

resourceId

A string that uniquely identifies the resource, cheqd uses UUIDs. For example a UUID: 0f964a80-5d18-4867-83e3-b47f5a756f02

resourceName

A string that uniquelt names and identifies a resource. This property, along with the resourceType below, can be used to track version changes within a resource.

resourceType

A string that identifies the type of resource. This property, along with the resourceName above, can be used to track version changes within a resource. Not to be confused with media type.

resourceVersion

(Optional) A string that identifies the version of resource. This property is provided by the client and can be any value

alsoKnownAs

(Optional) An array that describes alternative URIs for the resource.

Resource Response Parameters

The following list defines which specific parameters a resource response format may contain:

Parameter

Description

resourceUri

resourceCollectionId

A string that conforms to a cheqd-supported unique identifier format. For example a UUID: 46e2af9a-2ea0-4815-999d-730a6778227c

resourceId

A string that uniquely identifies the resource, cheqd uses UUIDs. For example a UUID: 0f964a80-5d18-4867-83e3-b47f5a756f02

resourceName

A string that uniquelt names and identifies a resource. This property, along with the resourceType below, can be used to track version changes within a resource.

resourceType

A string that identifies the type of resource. This property, along with the resourceName above, can be used to track version changes within a resource. Not to be confused with media type.

resourceVersion

(Optional) A string that identifies the version of resource. This property is provided by the client and can be any value

alsoKnownAs

(Optional) An array that describes alternative URIs for the resource.

mediaType

A string that identifies the IANA-media type of the resource.

created

A string that identifies the time the resource was created in XML date-time.

updated

(Optional) A string that identifies the time the resource was updated in XML date-time.

checksum

A string that may be used to prove that the resource has not been tampered.

previousVersionId

(Optional) A string that identifies the previous version of the resource.

nextVersionId

(Optional) A string that identifies the next version of the resource.

Example of a resolved DID with an associated Resource

Let’s take a look at a fully resolved output response for a DID with a Collection and single associated Resource:

{
  "@context": "https://w3id.org/did-resolution/v1",
  "didResolutionMetadata": {
    "contentType": "application/did+ld+json",
    "retrieved": "2022-11-28T05:01:50Z",
    "did": {
      "didString": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d",
      "methodSpecificId": "1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d",
      "method": "cheqd"
    }
  },
  "didDocument": {
    "@context": [
      "https://www.w3.org/ns/did/v1"
    ],
    "id": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d",
    "controller": [
      "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d"
    ],
    "verificationMethod": [
      {
        "id": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d#verKey1",
        "type": "Ed25519VerificationKey2020",
        "controller": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d",
        "publicKeyMultibase": "zB5wPyMGYL4LbT424Z7yXHm6nZrrLqZZg9eWtVmedodys"
      },
    ],
    "authentication": [
      "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d#verKey1"
    ]
  },
  "didDocumentMetadata": {
    "created": "2015-04-10T11:51:40Z",
    "versionId": "ea2b76cf-a118-403a-8f49-244e56c9dcb8",
    "linkedResourceMetadata": [
      { // First version of a Resource called PassportSchema
        "resourceURI": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d/resources/f3d39687-69f5-4046-a960-3aae86a0d3ca",
        "resourceCollectionId": "1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d", // Derived Collection ID
        "resourceId": "f3d39687-69f5-4046-a960-3aae86a0d3ca",
        "resourceName": "PassportSchema",
        "resourceType": "CL-Schema",
        "mediaType": "application/json",
        "created": "2015-04-16T14:01:42Z",
        "checksum": "72f9d4f96c6f4fedcfd5d1691b10d60d14a008cace269ddb35342aa8d43a30fc",
        "previousVersionId": null, // No previous or next versions
        "nextVersionId": null // No previous or next versions
      }
    ]
  }
}

Example of DID Document with multiple versions of the same resource

Let’s take a look at a fully resolved output response for a DID with a Collection and multiple associated Resources:

{
  "@context": "https://w3id.org/did-resolution/v1",
  "didResolutionMetadata": {
    "contentType": "application/did+ld+json",
    "retrieved": "2022-11-28T05:01:50Z",
    "did": {
      "didString": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d",
      "methodSpecificId": "1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d",
      "method": "cheqd"
    }
  },
  "didDocument": {
    "@context": [
      "https://www.w3.org/ns/did/v1"
    ],
    "id": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d",
    "controller": [
      "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d"
    ],
    "verificationMethod": [
      {
        "id": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d#verKey1",
        "type": "Ed25519VerificationKey2020",
        "controller": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d",
        "publicKeyMultibase": "zB5wPyMGYL4LbT424Z7yXHm6nZrrLqZZg9eWtVmedodys"
      },
    ],
    "authentication": [
      "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d#verKey1"
    ]
  },
  "didDocumentMetadata": {
    "created": "2015-04-10T11:51:40Z",
    "versionId": "9D760202FF2BD4A12344283627FF251BE6C48812C7626C3564C1C2843CAB9085",
    "linkedResourceMetadata": [
      { // First version of a Resource called PassportSchema
        "resourceURI": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d/resources/f3d39687-69f5-4046-a960-3aae86a0d3ca",
        "resourceCollectionId": "1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d", // Derived Collection ID
        "resourceId": "f3d39687-69f5-4046-a960-3aae86a0d3ca",
        "resourceName": "PassportSchema", // Resource name remains the same
        "resourceType": "CL-Schema", // Resource type remains the same
        "mediaType": "application/json",
        "created": "2015-04-16T14:01:42Z",
        "checksum": "72f9d4f96c6f4fedcfd5d1691b10d60d14a008cace269ddb35342aa8d43a30fc",
        "previousVersionId": null,
        "nextVersionId": "8f86d7aa-dc6a-4cee-ac37-97956542d587"
      },
      { // Second version of a Resource called PassportSchema
        "resourceURI": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d/resources/8f86d7aa-dc6a-4cee-ac37-97956542d587",
        "resourceCollectionId": "1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d", // Derived Collection ID
        "resourceId": "8f86d7aa-dc6a-4cee-ac37-97956542d587",
        "resourceName": "PassportSchema", // Resource name remains the same
        "resourceType": "CL-Schema", // Resource type remains the same
        "mediaType": "application/json",
        "created": "2020-06-16T14:02:39Z",
        "checksum": "ec54f8019b869d5511b42678ea859b9dc185f487bf1776cb079fda0930331689",
        "previousVersionId": "f3d39687-69f5-4046-a960-3aae86a0d3ca",
        "nextVersionId": "bd128013-636d-4240-b48b-fc88bf9ee8de"
      },
      { // Third version of a Resource called PassportSchema
        "resourceURI": "did:cheqd:mainnet:1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d/resources/bd128013-636d-4240-b48b-fc88bf9ee8de",
        "resourceCollectionId": "1f8e08a2-eeb6-40c3-9e01-33e4a0d1479d", // Derived Collection ID
        "resourceId": "bd128013-636d-4240-b48b-fc88bf9ee8de",
        "resourceName": "PassportSchema", // Resource name remains the same
        "resourceType": "CL-Schema", // Resource type remains the same
        "mediaType": "application/json",
        "created": "2022-09-16T14:10:46Z",
        "checksum": "cc187364f3bf071e5411cb6074d9c44a1b416a32b8eea581d113e486d1d586cf",
        "previousVersionId": "8f86d7aa-dc6a-4cee-ac37-97956542d587",
        "nextVersionId": null
      }
    ]
  }
}

Collections are identified by a Collection ID which is a unique identifier of the linked, parent DID. Within the DID Document Metadata of the Collection DIDDoc, the Linked Resource metadata describes Resources within this Collection:

Note that the Linked Resource output above does not show the actual data / schema attributes when displaying all Resources in this Collection. It only shows Resource metadata.

This logic prevents GetResourceCollection requests returning large quantities of data, which may be stored across multiple Resources within a Collection.

In order to fetch the actual data, it is necessary to query the specific Resource, rather than the entire Collection.

Versioning and Archiving Resources

As shown in the examples above, there may be previous and next versions of the Resource ID.

Whenever a Resource is updated, a new UUID must be generated. The new Resource references the older version, so the UUID is effectively a version number.

Importantly, the collectionId, resourceName and the resourceType of the Resource must remain the same.

For example, a Resource with the name PassportSchema must always have the same name and resource type to be considered for previous/next version linking.

This could be used, for example, to find the version active at a particular point in time:

Query based dereferencing

Fetching resources using DID resolvers and DID URLs is hugely desirable. Up until this point, we have shown resources identified using path-based syntax.

However, query-based syntax should also be enabled to allow more granular and specific searches within a particular Collection.

IMPORTANT: DID URL queries should be fully qualified so that they uniquely identify a single resource, or single resource version unless expressly specified.

Fetch all credential exchange records

get

Query parameters

connection_idstringOptional

Connection identifier

Example: {"value":"3fa85f64-5717-4562-b3fc-2c963f66afa6"}

limitintegerOptional

Number of results to return

Example: {"value":50}

offsetintegerOptional

Offset for pagination

Example: {"value":0}

rolestring · enumOptional

Role assigned in credential exchange

Possible values:

statestring · enumOptional

Credential exchange state

Possible values:

thread_idstringOptional

Thread identifier

Example: {"value":"3fa85f64-5717-4562-b3fc-2c963f66afa6"}

Responses

200Success

application/json

get

GET /issue-credential-2.0/records HTTP/1.1
Host: 
Accept: */*

200Success

{
  "results": [
    {
      "cred_ex_record": {
        "auto_issue": false,
        "auto_offer": false,
        "auto_remove": false,
        "by_format": {
          "cred_issue": {},
          "cred_offer": {},
          "cred_proposal": {},
          "cred_request": {}
        },
        "connection_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "created_at": "2021-12-31T23:59:59Z",
        "cred_ex_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "cred_issue": {
          "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "@type": "https://didcomm.org/my-family/1.0/my-message-type",
          "comment": "text",
          "credentials~attach": [
            {
              "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "byte_count": 1234,
              "data": {
                "base64": "ey4uLn0=",
                "json": "{\"sample\": \"content\"}",
                "jws": {
                  "header": {
                    "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                  },
                  "protected": "ey4uLn0",
                  "signature": "ey4uLn0",
                  "signatures": [
                    {
                      "header": {
                        "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                      },
                      "protected": "ey4uLn0",
                      "signature": "ey4uLn0"
                    }
                  ]
                },
                "links": [
                  "https://link.to/data"
                ],
                "sha256": "617a48c7c8afe0521efdc03e5bb0ad9e655893e6b4b51f0e794d70fba132aacb"
              },
              "description": "view from doorway, facing east, with lights off",
              "filename": "IMG1092348.png",
              "lastmod_time": "2021-12-31T23:59:59Z",
              "mime-type": "image/png"
            }
          ],
          "formats": [
            {
              "attach_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "format": "aries/ld-proof-vc-detail@v1.0"
            }
          ],
          "replacement_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
        },
        "cred_offer": {
          "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "@type": "https://didcomm.org/my-family/1.0/my-message-type",
          "comment": "text",
          "credential_preview": {
            "@type": "issue-credential/2.0/credential-preview",
            "attributes": [
              {
                "mime-type": "image/jpeg",
                "name": "favourite_drink",
                "value": "martini"
              }
            ]
          },
          "formats": [
            {
              "attach_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "format": "aries/ld-proof-vc-detail@v1.0"
            }
          ],
          "offers~attach": [
            {
              "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "byte_count": 1234,
              "data": {
                "base64": "ey4uLn0=",
                "json": "{\"sample\": \"content\"}",
                "jws": {
                  "header": {
                    "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                  },
                  "protected": "ey4uLn0",
                  "signature": "ey4uLn0",
                  "signatures": [
                    {
                      "header": {
                        "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                      },
                      "protected": "ey4uLn0",
                      "signature": "ey4uLn0"
                    }
                  ]
                },
                "links": [
                  "https://link.to/data"
                ],
                "sha256": "617a48c7c8afe0521efdc03e5bb0ad9e655893e6b4b51f0e794d70fba132aacb"
              },
              "description": "view from doorway, facing east, with lights off",
              "filename": "IMG1092348.png",
              "lastmod_time": "2021-12-31T23:59:59Z",
              "mime-type": "image/png"
            }
          ],
          "replacement_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
        },
        "cred_preview": {
          "@type": "issue-credential/2.0/credential-preview",
          "attributes": [
            {
              "mime-type": "image/jpeg",
              "name": "favourite_drink",
              "value": "martini"
            }
          ]
        },
        "cred_proposal": {
          "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "@type": "https://didcomm.org/my-family/1.0/my-message-type",
          "comment": "text",
          "credential_preview": {
            "@type": "issue-credential/2.0/credential-preview",
            "attributes": [
              {
                "mime-type": "image/jpeg",
                "name": "favourite_drink",
                "value": "martini"
              }
            ]
          },
          "filters~attach": [
            {
              "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "byte_count": 1234,
              "data": {
                "base64": "ey4uLn0=",
                "json": "{\"sample\": \"content\"}",
                "jws": {
                  "header": {
                    "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                  },
                  "protected": "ey4uLn0",
                  "signature": "ey4uLn0",
                  "signatures": [
                    {
                      "header": {
                        "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                      },
                      "protected": "ey4uLn0",
                      "signature": "ey4uLn0"
                    }
                  ]
                },
                "links": [
                  "https://link.to/data"
                ],
                "sha256": "617a48c7c8afe0521efdc03e5bb0ad9e655893e6b4b51f0e794d70fba132aacb"
              },
              "description": "view from doorway, facing east, with lights off",
              "filename": "IMG1092348.png",
              "lastmod_time": "2021-12-31T23:59:59Z",
              "mime-type": "image/png"
            }
          ],
          "formats": [
            {
              "attach_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "format": "aries/ld-proof-vc-detail@v1.0"
            }
          ]
        },
        "cred_request": {
          "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "@type": "https://didcomm.org/my-family/1.0/my-message-type",
          "comment": "text",
          "formats": [
            {
              "attach_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "format": "aries/ld-proof-vc-detail@v1.0"
            }
          ],
          "requests~attach": [
            {
              "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "byte_count": 1234,
              "data": {
                "base64": "ey4uLn0=",
                "json": "{\"sample\": \"content\"}",
                "jws": {
                  "header": {
                    "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                  },
                  "protected": "ey4uLn0",
                  "signature": "ey4uLn0",
                  "signatures": [
                    {
                      "header": {
                        "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                      },
                      "protected": "ey4uLn0",
                      "signature": "ey4uLn0"
                    }
                  ]
                },
                "links": [
                  "https://link.to/data"
                ],
                "sha256": "617a48c7c8afe0521efdc03e5bb0ad9e655893e6b4b51f0e794d70fba132aacb"
              },
              "description": "view from doorway, facing east, with lights off",
              "filename": "IMG1092348.png",
              "lastmod_time": "2021-12-31T23:59:59Z",
              "mime-type": "image/png"
            }
          ]
        },
        "error_msg": "The front fell off",
        "initiator": "self",
        "parent_thread_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "role": "issuer",
        "state": "done",
        "thread_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "trace": true,
        "updated_at": "2021-12-31T23:59:59Z"
      },
      "indy": {
        "created_at": "2021-12-31T23:59:59Z",
        "cred_ex_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "cred_ex_indy_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "cred_id_stored": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "cred_request_metadata": {},
        "cred_rev_id": "12345",
        "rev_reg_id": "WgWxqztrNooG92RXvxSTWv:4:WgWxqztrNooG92RXvxSTWv:3:CL:20:tag:CL_ACCUM:0",
        "state": "active",
        "updated_at": "2021-12-31T23:59:59Z"
      },
      "ld_proof": {
        "created_at": "2021-12-31T23:59:59Z",
        "cred_ex_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "cred_ex_ld_proof_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "cred_id_stored": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "state": "active",
        "updated_at": "2021-12-31T23:59:59Z"
      },
      "vc_di": {
        "auto_issue": false,
        "auto_offer": false,
        "auto_remove": false,
        "by_format": {
          "cred_issue": {},
          "cred_offer": {},
          "cred_proposal": {},
          "cred_request": {}
        },
        "connection_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "created_at": "2021-12-31T23:59:59Z",
        "cred_ex_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "cred_issue": {
          "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "@type": "https://didcomm.org/my-family/1.0/my-message-type",
          "comment": "text",
          "credentials~attach": [
            {
              "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "byte_count": 1234,
              "data": {
                "base64": "ey4uLn0=",
                "json": "{\"sample\": \"content\"}",
                "jws": {
                  "header": {
                    "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                  },
                  "protected": "ey4uLn0",
                  "signature": "ey4uLn0",
                  "signatures": [
                    {
                      "header": {
                        "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                      },
                      "protected": "ey4uLn0",
                      "signature": "ey4uLn0"
                    }
                  ]
                },
                "links": [
                  "https://link.to/data"
                ],
                "sha256": "617a48c7c8afe0521efdc03e5bb0ad9e655893e6b4b51f0e794d70fba132aacb"
              },
              "description": "view from doorway, facing east, with lights off",
              "filename": "IMG1092348.png",
              "lastmod_time": "2021-12-31T23:59:59Z",
              "mime-type": "image/png"
            }
          ],
          "formats": [
            {
              "attach_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "format": "aries/ld-proof-vc-detail@v1.0"
            }
          ],
          "replacement_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
        },
        "cred_offer": {
          "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "@type": "https://didcomm.org/my-family/1.0/my-message-type",
          "comment": "text",
          "credential_preview": {
            "@type": "issue-credential/2.0/credential-preview",
            "attributes": [
              {
                "mime-type": "image/jpeg",
                "name": "favourite_drink",
                "value": "martini"
              }
            ]
          },
          "formats": [
            {
              "attach_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "format": "aries/ld-proof-vc-detail@v1.0"
            }
          ],
          "offers~attach": [
            {
              "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "byte_count": 1234,
              "data": {
                "base64": "ey4uLn0=",
                "json": "{\"sample\": \"content\"}",
                "jws": {
                  "header": {
                    "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                  },
                  "protected": "ey4uLn0",
                  "signature": "ey4uLn0",
                  "signatures": [
                    {
                      "header": {
                        "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                      },
                      "protected": "ey4uLn0",
                      "signature": "ey4uLn0"
                    }
                  ]
                },
                "links": [
                  "https://link.to/data"
                ],
                "sha256": "617a48c7c8afe0521efdc03e5bb0ad9e655893e6b4b51f0e794d70fba132aacb"
              },
              "description": "view from doorway, facing east, with lights off",
              "filename": "IMG1092348.png",
              "lastmod_time": "2021-12-31T23:59:59Z",
              "mime-type": "image/png"
            }
          ],
          "replacement_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
        },
        "cred_preview": {
          "@type": "issue-credential/2.0/credential-preview",
          "attributes": [
            {
              "mime-type": "image/jpeg",
              "name": "favourite_drink",
              "value": "martini"
            }
          ]
        },
        "cred_proposal": {
          "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "@type": "https://didcomm.org/my-family/1.0/my-message-type",
          "comment": "text",
          "credential_preview": {
            "@type": "issue-credential/2.0/credential-preview",
            "attributes": [
              {
                "mime-type": "image/jpeg",
                "name": "favourite_drink",
                "value": "martini"
              }
            ]
          },
          "filters~attach": [
            {
              "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "byte_count": 1234,
              "data": {
                "base64": "ey4uLn0=",
                "json": "{\"sample\": \"content\"}",
                "jws": {
                  "header": {
                    "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                  },
                  "protected": "ey4uLn0",
                  "signature": "ey4uLn0",
                  "signatures": [
                    {
                      "header": {
                        "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                      },
                      "protected": "ey4uLn0",
                      "signature": "ey4uLn0"
                    }
                  ]
                },
                "links": [
                  "https://link.to/data"
                ],
                "sha256": "617a48c7c8afe0521efdc03e5bb0ad9e655893e6b4b51f0e794d70fba132aacb"
              },
              "description": "view from doorway, facing east, with lights off",
              "filename": "IMG1092348.png",
              "lastmod_time": "2021-12-31T23:59:59Z",
              "mime-type": "image/png"
            }
          ],
          "formats": [
            {
              "attach_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "format": "aries/ld-proof-vc-detail@v1.0"
            }
          ]
        },
        "cred_request": {
          "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
          "@type": "https://didcomm.org/my-family/1.0/my-message-type",
          "comment": "text",
          "formats": [
            {
              "attach_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "format": "aries/ld-proof-vc-detail@v1.0"
            }
          ],
          "requests~attach": [
            {
              "@id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
              "byte_count": 1234,
              "data": {
                "base64": "ey4uLn0=",
                "json": "{\"sample\": \"content\"}",
                "jws": {
                  "header": {
                    "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                  },
                  "protected": "ey4uLn0",
                  "signature": "ey4uLn0",
                  "signatures": [
                    {
                      "header": {
                        "kid": "did:sov:LjgpST2rjsoxYegQDRm7EL#keys-4"
                      },
                      "protected": "ey4uLn0",
                      "signature": "ey4uLn0"
                    }
                  ]
                },
                "links": [
                  "https://link.to/data"
                ],
                "sha256": "617a48c7c8afe0521efdc03e5bb0ad9e655893e6b4b51f0e794d70fba132aacb"
              },
              "description": "view from doorway, facing east, with lights off",
              "filename": "IMG1092348.png",
              "lastmod_time": "2021-12-31T23:59:59Z",
              "mime-type": "image/png"
            }
          ]
        },
        "error_msg": "The front fell off",
        "initiator": "self",
        "parent_thread_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "role": "issuer",
        "state": "done",
        "thread_id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
        "trace": true,
        "updated_at": "2021-12-31T23:59:59Z"
      }
    }
  ]
}