1 of 100

Product Docs

Getting Started

Product Overview

Dive into cheqd's product and identity functionality

cheqd is a purpose-built network for decentralised identity. This documentation site provides technical and product information for all identity features & functionality on the cheqd network.

Integrate with cheqd

cheqd maintains an array of products and packages with varying levels of integration complexity to allow its partners and customers to have a variety of ways of plugging into cheqd's identity functionality. Via these different packages, customers and partners can create cheqd DIDs, DID-Linked Resources, Status Lists, Trust Registries and Schemas, as well as use cheqd's Credential Payments model, with different levels of integration effort and flexibility.

There are three core ways of integrating and building with cheqd:

What functionality does cheqd offer?

cheqd's identity functionality is fully standards compliant, ensuring interoperability and no vendor lock-in. cheqd's tooling and different product offerings offer a variety of building blocks for any Trusted Data Market.

Industry Standard DID Support

If you want to utilise cheqd DIDs or DID-Linked Resources within applications without a specific cheqd integration, you can incorporate a Universal Registrar or Universal Resolver driver to support did:cheqd alongside other commonly adopted DID methods.

Get started with cheqd Studio

cheqd Studio is the easiest route to get started with cheqd's identity functionality, or for testing with very low integration effort. Using simple REST APIs, it is possible to integrate cheqd Studio in a few lines of code.

Under the hood, cheqd Studio utilises the Veramo SDK cheqd Plugin, providing the most feature complete set of functionality and tooling.

If you'd rather build a deeper integration using a Software Development Kit (SDK) or lower level package, we've created a simple diagram to show how our packages are structured below.

Understanding cheqd's capabilities

cheqd supports a wide array of standards and protocols via different Software Development Kits (SDKs) and integrations.

Understanding the structure of cheqd's packages

One of cheqd's primary motives is to make itself accessible to the widest set of identity applications possible. To accomplish this, cheqd has built a flexible set of packages and tooling to accommodate its identity capabilities into a broad set of external SDKs and applications.

These can be represented through the visual below:

Get involved

The cheqd Discord is our primary chat channel for the open-source community, software developers, and node operators.

Please reach out to us there for discussions, help, and feedback on the project.

🙋 Find us elsewhere

Set up your account

Learn how to set up your account on cheqd Studio.

The user is required to Log In to our cheqd Studio portal and then access their API key to authenticate with our APIs. The API key guards the API from unauthorized access and is required for both testing production environments.

Step 1: Get started with cheqd Studio

Head to our cheqd Studio and click Get Started.

Step 2: Create your account

cheqd Studio uses a third party service called LogTo to handle user authentication and login. This allows users to create new accounts as well as sign in using their email, Google single sign-on, or Discord login.

Step 3: Create a new API key and authenticate with cheqd Studio APIs

Step 4: Start using cheqd

Get started with our tutorials for cheqd Studio functionality.

Step 5: Select a Billing plan

You will be able to get started for free on our free trial, but following the expiry of the free trial, users need to sign up for a paid billing plan. cheqd Studio billing uses Stripe as a payments processor and users will need to input their card information to initiate a billing plan.

API keys

API keys are unique data strings used to authenticate a user and enable access to privileged operations on cheqd Studio APIs. All cheqd Studio APIs use API keys as the mechanism to authenticate client requests. Your API key should be kept confidential and secure at all times.

Authentication is required for all API requests; without it, the requests will fail.
All API requests must be made over HTTPS.

🚧Keep Your API Keys Safe

Because our API keys allow access to cheqd Studio APIs, you must keep them secure at all times.

Ensure your API key is always stored securely as soon as it is initially generated.
Make sure to copy your API key into a secure place, such as a Password Manager.
Never share it or record it in a publicly accessible medium (client-side code, public repositories, etc.).

Caution: If you lose secure control of your API keys, your entity may not be able to access your created DIDs, DID-Linked Resources or Credential Payments.

Step 1: Sign into cheqd Studio

Follow the tutorial here to get started with your cheqd Studio account.

Step 2: Generate API key

Navigate to the "Developers" tab on cheqd Studio and select "Create an API Key". You are able to choose the expiry date of the API key, and it will automatically be set to expire 1 year from the current date.

Step 3: Use your API key to authenticate with cheqd Studio APIs

Navigate to the "APIs" tab and copy/paste your API key into the API key box towards the top of your page. This will enable you to authenticate with the cheqd Studio APIs, allowing users to use cheqd Studio APIs within their existing Billing Plan and usage limits.

Step 4: Start using cheqd

Get started with our tutorials for cheqd Studio functionality.

Token top up

Users may exhaust their usage limits in their cheqd Studio billing plan, but may want to continue using the Studio before their usage limits refresh. Therefore, users can manually top up their account with CHEQ tokens to use any APIs that involve a ledger-write, e.g:

Creating, Updating or Deactivating DIDs
Creating unencrypted or encrypted Status Lists
Creating Trust Registries
Creating other DID-Linked Resources

Step 1: Locate your cheqd address (for CHEQ)

The following API can be used to fetch the new account information:

customer_id is used as an identifier for the particular customer using cheqd Studio. It is generated as a sub-field of the JWT token used in the authorization header.
cheqd_account is used to pay for identity transactions on either testnet or mainnet. A cheqd account is automatically generated when a new customer_id is generated.

Step 2: Adding CHEQ tokens to your account

Users will need to add our token, CHEQ, to their cheqd_account on mainnet in order to be able to use the ledger-based identity functionality on cheqd Studio, such as creating DIDs and DID-Linked Resources.

If you need to add CHEQ tokens to your cheqd Studio cheqd_account, there are a few steps you need to follow:

Mainnet

First you need to setup your wallet which is able to hold CHEQ tokens. We recommend using Leap Wallet which natively supports all CHEQ transactions in a browser plugin or on mobile. Alternatively, follow the tutorial here to setup your Keplr wallet.
You will then need to get CHEQ tokens from any of the listed providers here.
You will need to send CHEQ tokens from your new cheqd Wallet account to your cheqd_account address for using the Credential Service.

Testnet

It is unlikely that you will ever need to top up your Testnet account, as this is handled automatically. However, in the event that your Testnet account runs out of tokens, you can follow the step below.
This is super simple. You can add free CHEQ tokens to your cheqd_account via our Testnet Faucet by inputting your cheqd account address. Access the Testnet Faucet directly here.

Once you have successfully created an account and have topped up your CHEQ tokens, you are ready to get started!

Step 3: Continue using cheqd

Get started with our tutorials for cheqd Studio functionality.

Advanced configuration options

Developer guide for running the cheqd Studio.

Run as standalone application using Docker Compose

This standalone service uses an in-memory database with no persistence, and therefore is recommended only if you're managing key/secret storage separately.

Run with external Key Management System (KMS) and/or authentication service using Docker Compose

Construct the postgres URL and configure the env variables mentioned above.

Configure PostgreSQL database

POSTGRES_USER: Username for Postgres database
POSTGRES_PASSWORD: Password for Postgres database
POSTGRES_MULTIPLE_DATABASES: Database names for multiple databases in the same cluster, e.g.: "app,logto". This sets up multiple databases in the same cluster, which can be used independently for External Veramo KMS or LogTo service.

Then, make the Postgres initialisation scripts executable:

Start LogTo service

Then, run the LogTo service to configure the LogTo application API resources, applications, sign-in experiences, roles etc using Docker Compose:

Start credential-service app

Then, start the service using Docker Compose:

Running app or LogTo migrations

When upgrading either the external Veramo KMS or LogTo, you might need to run migrations for the underlying databases.

For example, to run cheqd Studio app migrations on an existing Postgres database (for external Veramo KMS):

Or to run LogTo migrations on an existing Postgres database:

Build using Docker

Start using cheqd

Create DIDs and Identity keys

Create DIDs and identity keys using cheqd's DID Method (did:cheqd)

A Decentralized Identifier "DID" is a globally unique identifier that does not require a centralized registration authority because it is registered with distributed ledger technology or other form of decentralized network.

What options do I have for creating DIDs on cheqd?

There are many different ways to create DIDs on cheqd, with options for easy integration (e.g. cheqd Studio) and more bespoke integrations (e.g. Credo and Veramo). Below are a list of options for creating cheqd DIDs.

Get started with cheqd Studio

The easiest way to start creating DIDs is with our product cheqd Studio, allowing users to build and create did:cheqd DIDs using REST APIs.

Read up on our DID Method

DIDs created using cheqd Studio use the did:cheqd DID Method. This is fully defined below, as well as the associated ledger-write fees:

Create Issuer DID

Create a DID using the did:cheqd method

To create a cheqd DID (did:cheqd) and associated DID Document there are two ways of building the payload for the request:

Step 1: Set up your account

Make sure you have set up your account with cheqd Studio and are logged in, using our guide below:

Step 2: Create a DID and associated DID Document

Using the /did/create API, users have two options for creating a did:cheqd DID and associated DID Document on-ledger:

Filling out a simple form using the application/x-www-url-form-encoded option within an API client of your choice.
Compiling a DID Document body yourself using the application/json option within an API client of your choice.

Option 1. Choose from a few variables and we will compile the DID for you

This is the easiest way to create DIDs on cheqd and is recommended for users who are not overly familiar with compiling DID Documents.

Using the application/x-www-url-form-encoded option, users are able to choose between the following variables to compile your DID:

network (required)

"testnet" (recommended for testing)
"mainnet" (recommended for production)

methodSpecificIdAlgo (required)

"uuid" - this is a Universally Unique Identifier (recommended)
"base58btc" - this is an identifier which is commonly used for Hyperledger Indy transactions

verificationMethod / type (required)

"Ed25519VerificationKey2018" (recommended)
"Ed25519VerificationKey2020"
"JSONWebKey2020"

assertionMethod (optional)

true (recommended if used for issuing Verifiable Credentials)
false

didDocument (optional)

This input field contains either a complete DID document, or an incremental change (diff) to a DID document. For example:

{
  "service": [
    {
      "id": "did:cheqd:testnet:7bf81a20-633c-4cc7-bc4a-5a45801005e0#service-1",
      "type": "LinkedDomains",
      "serviceEndpoint": [
        "https://example.com"
      ]
    }
  ]
}

From this request, the Credential Service will automatically create and publish a DID and associated DID Document to the ledger and return it as a response.

Option 2. Publish a DID Document body yourself

Instead of generating a DID Document using simple parameters, you can create a fully formatted DID Document yourself. Before, submitting a manually created DID, you will need to have created a set of identity keys to input the key material into the DID document.

Step 1: Create a new keypair

Use the /key/create API to generate a new keypair within the Credential Service key management store. Copy the "publicKeyHex".

Step 2: Utilise the DID Document template helper

To simplify this process of formatting a DID Document using your own keys, we've created a Helper Tool in our DID Registrar here. Simply paste in your publicKeyHex and choose the variables to compile your DID Document template.

Step 3: Paste the response

Within the /did/create JSON payload, paste the response of your DID Document template, with your own signing keys.

Request format:

{
  "didDocument": {
    "id": "did:cheqd:testnet:0ff9df5d-653b-4f77-a66c-0035abc34d63",
    "controller": [
      "did:cheqd:testnet:0ff9df5d-653b-4f77-a66c-0035abc34d63"
    ],
    "verificationMethod": [
      {
        "id": "did:cheqd:testnet:0ff9df5d-653b-4f77-a66c-0035abc34d63#key-1",
        "type": "JsonWebKey2020",
        "controller": "did:cheqd:testnet:0ff9df5d-653b-4f77-a66c-0035abc34d63",
        "publicKeyJwk": {
          "crv": "Ed25519",
          "kty": "OKP",
          "x": "BFSLOxwMJgpmWRtTUuo0JAvz6VXGp4WDDcN0dFfCQKo"
        }
      }
    ],
    "authentication": [
      "did:cheqd:testnet:0ff9df5d-653b-4f77-a66c-0035abc34d63#key-1"
    ]
  }
}

Step 3: Hit execute on the API

Hit execute on the API below to create your did:cheqd DID and associated DID Document.

List DIDs associated with your account

After creating a DID or multiple DIDs, users can list all the created DIDs associated with their account. Using the /did/list API.

Alternatives

Below are a list of alternatives for creating cheqd DIDs.

Create Identity Keys and Subject DIDs

Issuers may want to create identity keypairs for multiple reasons, such as for signing payloads or for creating did:key DIDs.

There is also an option to fetch an identity keypair by inputting a Key ID (kid) as a request format.

Creating a Subject DID

cheqd Studio currently supports two types of subject DIDs:

did:key
did:vda

With the former, you can follow the did:key specification to create a subject DID based on a generated keypair.

With the latter, you can setup your did:vda subject DID on your Verida wallet. Using cheqd Studio, you will be able to send credentials to your Verida wallet and use it to store and securely back them up.

Resolve a DID

Resolve a DID to fetch the associated DID Documet

A user is able to input a DID (string) as a request format and resolve the DID to fetch the associated DID Document, DID Resolution Metadata and DID Document metadata.

Update or Deactivate DID

Update or deactivate a DID

Users are able to update DID Documents for various reasons, such as to include a new section or to rotate the Verification Method keys within the DID Document.

With the /did/update API, users are able to input either:

The section of the DID Document they would like to update; or
The full updated DID Document body.

Users are also able to deactivate DID Documents to prevent further updates and to provide client applications the relevant information that the DID Document is no longer actively used.

A /did/deactivate request must be signed by all of the Verification Method keys listed in the DID Document.

Issue Credentials and Presentations

Learn how to issue and manage Verifiable Credentials and Presentations.

Verifiable Credentials are a tamper-evident data format for asserting a set of claims about a subject. You can issue and verify Verifiable Credentials and Presentations without building complex integrations, using our simple cheqd Studio APIs.

What options do I have for issuing credentials anchored on cheqd?

There are many different ways to issue verifiable credentials signed by DIDs anchored on cheqd, with options for easy integration (e.g. cheqd Studio) and more bespoke integrations (e.g. Credo and Veramo). Below are a list of options for issuing credentials with cheqd underneath:

Partner SaaS products

You can use SaaS products from our partners to create best-in-class credential ecosystems, built on cheqd

Get started with cheqd Studio

Supported Credential types

cheqd supports all four major digital Credential types via its selection of SDKs and APIs. Below you can learn about these Credential formats:

Credential Coverage

Depending on what type of credentials you want to use, choose the SDK that suits your tech stack:

Issue Credential

Issue conformant W3C Verifiable Credentials over REST API

Using the /credential/create API, it is possible to issue Verifiable Credentials, signed by a cheqd DID, in a few clicks or lines of code.

Step 1: Set up your account

Make sure you have set up your account with cheqd Studio and are logged in, using our guide below:

Step 2: Create an Issuer DID

Before you can issue a Verifiable Credential, you need to create an Issuer DID which is used to sign the Credential payload. Use the API in the page below to create an Issuer DID:

(Optional) Step 3: Create a Subject DID

Again, before you issue a Verifiable Credential, you need to know to whom you are issuing it. If you need to create a Subject DID, you can take a look at the page here:

Step 4: Compile your Credential body

Within the JSON object of the API request, you will need to input the issuer and subject information, as well as the attributes which you want to issue in the Credential. You may also want to add additional fields such as a credentialSchema.

Users have two options for compiling the Credential bodies and issuing Verifiable Credentials:

Filling out a simple form using the application/x-www-url-form-encoded option within an API client of your choice.
Compiling a Credential body yourself using the application/json option within an API client of your choice.

Option 1. Choose from a few variables and we will compile the Credential body for you

This is the easiest way to issue Credentials and is recommended for users who are not overly familiar with compiling JSON objects.

Using the application/x-www-url-form-encoded option, users are able to choose between the following variables and options to issue Verifiable Credentials:

issuerDid (required)

subjectDid (required)

attributes (required)

credentialSchema (required for Verida wallet)

This is the Schema which the Credential body takes the form of. For the Verida wallet, to display a credential, it needs to have a schema associated with it.

@context (optional)

type (optional)

expirationDate (optional)

format (optional)

Format of the Verifiable Credential. Defaults to VC-JWT.

jwt (VC-JWT)
lds (JSON-LD)

credentialStatus (optional)

credentialStatus properties for VC revocation or suspension. Takes statusListName and statusListPurpose as inputs. If you have already created a Status List, you can include the same inputs here to map this issued credential within the created bitstring.

Additional options for specifying credentialStatus bitstring index

Below are a set of examples of alternative input parameters for users to specify the bitstring index of the issued Credential. The bitstring index is where exactly the issued credential will map to within the Status List. This should be noted and stored by the issuer to keep a record of which issued credentials are active, revoked or suspended:

Example Request Format: Random Bitstring index

Example Request Format: Specified Bitstring index

Example Request Format: Bitstring index within a given range

Example Request Format: Bitstring including omitted bits

Ensure that the "statusPurpose" and "statusListName" is the same as the existing Status List on-ledger.

Option 2. Publish a JSON payload yourself

Instead of using simple form variables, you can issue a Verifiable Credential using a JSON payload with the application/json option.

Request format

Below is an example of the request format for issuing a Verifiable Credential using a custom JSON payload, including some of the possible parameters:

Step 5: Issue a Credential using the API below

Execute the API below to issue a Verifiable Credential, signed by your issuer DID.

Alternatives

Below are a list of alternatives for using Credentials with cheqd support. Each offers a different set of protocols and underlying technical capabilities.

Setup Verida Wallet

Setup your wallet to receive credentials.

cheqd Studio currently is setup to work with the Verida Wallet. In 2024, we will be building compatibility with a full suite of other digital identity wallets.

Verida Wallet

Subject DID

On the "Profile" tab, you will see your did:vda address under the section "DID".

For example: "did:vda:testnet:0xD7477C4a75143Af16A967381d09650A533Bd0DD7"

Rendering credentials

Credentials stored with the credential schema will automatically be rendered in the Verida Wallet as a credential. This custom display includes:

A scannable QR code
The profile icon of the Verida DID that issued / signed the credential
A tick of approval indicating the credential has been verified

Verify Credential

Verify a Credential using cheqd Studio.

Once you have issued your credential and have a JWT as part of the credential proof, you can use the /credential/verify API to check that the JWT has not been tampered.

Step 1: Obtain Credential to Verify

Step 2: Configure Verification Parameters

The user is able to set verification parameters to filter whether they want to verify certain aspects of a Credential, including:

verifyStatus

true (indicates that the user wants to verify the Credential Status, requiring a credentialStatus property to be present in the Credential)
false (Default. Indicates that the user does not want to verify the Credential Status.

fetchRemoteContexts

When dealing with JSON-LD type Verifiable Credentials you also MUST provide the proper contexts within a Credential body. Set this to true ONLY if you want the @context URLs to be fetched in case they are a custom context.

true
false (default)

Step 3: Pass the Credential to the API

Simply paste the JWT or the full credential body into the request field of the /credential/verify API, and the API will give you a response including the following verification policies:

Whether the Credential has been tampered
Whether the Credential has a valid issuance date
Whether the Credential has expired
Whether the Credential Status is valid

Verify Presentation

Verify presentations on cheqd Studio.

A Verifiable Presentation is a collection of multiple Verifiable Credentials that are being presented by a holder to a verifier. In addition to checking whether the Credentials are untampered, Verifiable Presentation verification also checks that the holder subject DID is valid.

Step 1: Obtain Presentation to Verify

To verify a Credential, you can either pass the full VP-JWT string or a JSON object. These can be either obtained from a Verifiable Presentation presented to the user.

Step 2: Configure Verification Parameters

The user is able to set verification parameters to filter whether they want to verify certain aspects of a Presentation, including:

verifyStatus

true (indicates that the user wants to verify the Credential Statuses within the Presentatiuon, requiring a credentialStatus property to be present in at least one Credential within the Presentation)
false (Default. Indicates that the user does not want to verify the Credential Status.

fetchRemoteContexts

true
false (default)

Step 3: Execute the API

Use the API below to verify a Presentation

Revoke Credential

Using cheqd's innovative DID-Linked Resource module, cheqd is able to support decentralized and scalable Verifiable Credential revocation and suspension. Using this API, the user is able to choose whether they would like to publish the revocation status to the cheqd ledger or elsewhere.

Step 1: Locate the Credential Body or JWT to be revoked

It is best practice for issuers to keep a record of the Credentials they have issued, including the "statusListIndex" of the Credentials. From this record system, issuers should be able to fetch either the full Credential Body or the JWT proof of the Credential they want to revoke.

Step 2: Decide whether to publish update to the ledger

When revoking a Credential, issuers can decide whether they want to publish an updated Status List on-ledger, with the revoked credential index updated in the bitstring. The parameter below can be changed to reflect this:

publish

true (indicates the issuer wants to publish the updated Status List on ledger)
false (indicates the issuer wants to manually publish a Status List update)

Step 3: Paste the Credential Body or JWT into the API

Paste the Credential Body or JWT into the API below and execute the API to revoke the Credential.

Suspend or Unsuspend Credential

Users are also able to suspend Verifiable Credentials. The difference between revocation and suspension is that suspended Credentials may be unsuspended at a future date; whereas, revoked credentials are permanently revoked.

Step 1: Locate the Credential Body or JWT to be suspended

Step 2: Decide whether to publish update to the ledger

When suspending a Credential, issuers can decide whether they want to publish an updated Status List on-ledger, with the suspended credential index updated in the bitstring. The parameter below can be changed to reflect this:

publish

true (indicates the issuer wants to publish the updated Status List on ledger)
false (indicates the issuer wants to manually publish a Status List update)

Step 3: Paste the Credential Body or JWT into the API

Paste the Credential Body or JWT into the API below and execute the API to suspend the Credential.

Unsuspend (reinstate) Verifiable Credentials

If a Credential has been suspended, and an Issuer wants to unsuspend the Credential to make it once again valid, the Issuer can reinstate a suspended Credential.

Step 1: Locate the Credential Body or JWT to be unsuspended

Step 2: Decide whether to publish update to the ledger

When unsuspending or reinstating a Credential, issuers can decide whether they want to publish an updated Status List on-ledger, with the unsuspended credential index updated in the bitstring. The parameter below can be changed to reflect this:

publish

true (indicates the issuer wants to publish the updated Status List on ledger)
false (indicates the issuer wants to manually publish a Status List update)

Step 3: Paste the Credential Body or JWT into the API

Paste the Credential Body or JWT into the API below and execute the API to unsuspend the Credential.

Understanding Credential Payments

Learn how cheqd's Credential Payments work

Build your knowledge about how cheqd's Credential Payment model works, including setting Access Control Conditions, and privacy-preserving payment flows.

Learn about Credential Payments

Get started

Using cheqd Studio, you can get started setting up your encrypted Status Lists with Access Control Conditions below:

Issue Credential with Encrypted Status List

Understand how to issue a Verifiable Credential including an encrypted Status List in the body.

Issuers are able to add encrypted Status Lists to the body of the Credential if they have previously created an Encrypted Status List on-ledger.

Step 1: Set up your account

Make sure you have set up your account with cheqd Studio and are logged in, using our guide below:

Step 2: Create an Issuer DID

Before you can create an encrypted Status List for charging for Credentials, you need to create a DID which is used to link the Status List on-ledger. Use the API in the page below to create a DID:

Step 3: Create an Encrypted Status List

Follow the tutorial here to create an encrypted Status List with a set of Payment Conditions to unlock:

Step 4: Specify the encrypted Status List within Credential body

Follow the instructions within the /credential/create API below to format and issue a Verifiable Credential.

Ensure that the "statusListName" and "statusPurpose" are the same as the Status List created in Step 3. This makes sure that if the Credential Status is changed, for example, if it is revoked or suspended, the correct Status List will be updated.

Create Verifier pays Issuer flow

How a Verifier pays an Issuer to decrypt an encrypted Status List

cheqd Studio supports payments for verifying Credential Status. This is an innovative feature that is also commonly known as cheqd's Payment Rails. Using the API in this tutorial, there are multiple ways for a Verifier to pay an Issuer to unlock and verify a Credential's status.

Step 1: Set up an account

A Verifier will need a cheqd Studio account to take advantage of the /credential-status/check API and easily use cheqd's Credential Payments. Make sure you are set up and are logged in, using our guide below:

Step 2: Set parameters for check

Using the /credential-status/check API, users have two options for checking whether a particular Credential index is revoked or suspended:

Filling out a simple form using the application/x-www-url-form-encoded option on the Swagger UI.
Compiling the JSON transaction yourself using the application/json option on the Swagger UI.

This is the easiest way to check whether a particular credential index is revoked or suspended.

Using the application/x-www-url-form-encoded option on the Swagger UI, users are able to choose between the following variables to compile your DID:

statusPurpose

The purpose of the status list that has already been created on-ledger. Can be:

revocation
suspension

did

DID of the StatusList2021 publisher, or the DID linked to the Status List resources. For example:

did:cheqd:testnet:7bf81a20-633c-4cc7-bc4a-5a45801005e0

statusListName

The name of the existing Status List resource to be checked. For example:

employmentCredentialRevocationList

index

The index within the bitstring that the user wants to query. For example:

Option 1: Automatically paying an Issuer to unlock a Credential Status

To automatically make a payment to an Issuer in order to verify an encrypted Status List, there is an additional variable:

makeFeePayment

This will automatically make the fee payment to the issuer (if required) based on payment conditions to unlock encrypted StatusList2021 DID-Linked Resource. This can be set to:

true (automatically make fee payment)
false (do not automatically make fee payment)

If there is sufficient CHEQ in the account of the Verifier, this will automatically make a payment to the Issuer and meet the Access Control Conditions.

Step 3: Hit the API

In the same action, the Credential Service will perform a verification check on the Credential Status and pay the issuer the fee specified in the Payment Conditions.

Response format

The response format below will indicate clearly whether the check is successful and whether the Credential index in question is revoked / suspended or not.

{
  "checked": true,
  "revoked": false
}

Option 2: Manually Paying an Issuer to unlock a Credential Status

If a Verifier does not want to automatically pay the Issuer using the API, they can choose to make a manual payment to unlock the Credential Status information to build a higher level of trust within the Credential presented to them.

Step 1: Locating Issuers' payment address and conditions

If a Verifier wants to unlock access to the Resource, to gain access to additional information about a Credential presented to them, such as the Credential Status, firstly, the Verifier will be presented Credential, including a link to the Status List within the "credentialStatus" section of the Credential body.

Through following the link in"credentialStatus" section of the Credential body. the The Verifier will be directed to an on-ledger Resource, identifiable through a DID URL, for example:

This on-ledger Resource will contain:

An encrypted potion of the Resource, such as a Status List bitstring. identified by the "encodedList" property.
Unencrypted metadata about the Resource, including the issuers' payment address "feePayerAddress" and and the Payment Conditions, "feePaymentAmount" and "intervalInSeconds".

This gives the verifier requisite information they need in order to pay the Issuer to unlock the Credential Status. You can learn more about Access Control Conditions below.

Step 2: Pay the Issuer

Using one of cheqd's supported wallets, Verifiers can make a payment of the amount specified in the "feePaymentAmount" to the "feePayerAddress".

This payment should be made in CHEQ.

Note that the "feePaymentAmount" may be specified in ncheq. This is lowest denomination of the CHEQ token, "nano" CHEQ which is 1 x 10^-9 CHEQ.

Step 3: Hit the API

cheqd Studio will perform a verification check on the Credential Status and pay the issuer the fee specified in the Payment Conditions.

Note the "intervalInSeconds" which is the amount of time after making the payment that the Verifier has to hit the API and request access to the encrypted Status List.

Response format

The response format below will indicate clearly whether the check is successful and whether the Credential index in question is revoked / suspended or not.

{
  "checked": true,
  "revoked": false
}

Alternatively, if Verifiers have made the payment manually they can also use the /credential/verify API in the tutorial below:

Integrate an SDK

Charge for Status List

Creating an encrypted Status List 2021 Resource using cheqd Studio

To create an encrypted Verifiable Credential Status List v2021 with a set of Access Control Conditions, an Issuer will need to follow the steps below:

Step 1: Set up your account

Make sure you have set up your account with cheqd Studio and are logged in, using our guide below:

Step 2: Create an Issuer DID

Before you can create an encrypted Status List for charging for Credentials, you need to create a DID which is used to link the Status List on-ledger. Use the API in the page below to create a DID:

Step 3: Select the encrypted Status List API

When creating a Status List, a user will have the following options:

/credential-status/create/encrypted

Using this API will encrypt the bitstring of the Status List, meaning that a set of Payment Conditions will need to be met in order to access the Status List contents.

/credential-status/create/unencrypted

Using this API will create a regular Status List on-ledger, where the contents of the Status List are visible to any users who queries the blockchain.

For the purpose of this tutorial, we will assume the user is creating an encrypted Status List. For unencrypted Status Lists, follow the tutorial here.

Step 4: Create encrypted Status List

Using the /credential-status/create/encrypted API, users have two options for creating an encrypted Status List on-ledger:

Filling out a simple form using the application/x-www-url-form-encoded option on the Swagger UI.
Compiling a Status List payload yourself using the application/json option on the Swagger UI.

Option 1. Choose from a few variables and we will compile the Status List for you

This is the easiest way to create encrypted Status Lists on cheqd and is recommended for users who are not overly familiar with compiling JSON objects.

Using the application/x-www-url-form-encoded option on the Swagger UI, users are able to choose between the following variables and options to create an encrypted Status List on-ledger:

statusPurpose (required)

revocation (creates a Status List where each entry refers to revocation status)
suspension (creates a Status List where each entry refers to suspension status. Note that suspended Credentials may become unsuspended).

did (required)

Enter the Decentralized Identifier (DID) of the Status List publisher created in Step 2. For example:

did:cheqd:testnet:0ff9df5d-653b-4f77-a66c-0035abc34d63

statusListName (required)

This is the name of your Status List. This will also need to be kept consistent for all future updates of the same Status List. For example:

employmentCredentialRevocationList

feePaymentAddress (required)

The cheqd payment address where payments to unlock the encrypted StatusList2021 DID-Linked Resource need to be sent. For example:

cheqd1qs0nhyk868c246defezhz5eymlt0dmajna2csg

feePaymentAmount (required)

The amount in CHEQ tokens to unlocked the encrypted StatusList2021 DID-Linked Resource. For example:

feePaymentWindow (required)

Time window (in minutes) within which the payment to unlock the encrypted StatusList2021 DID-Linked Resource is considered valid. For example:

length (optional)

The length of the Status List to be created. The default and minimum length is 140000 which is 16kb. For example:

encoding (optional)

The encoding format of the encrypted StatusList DID-Linked Resource to be created.

base64url
base64
hex

statusListVersion (optional)

A user set value to represent the version of the Status List. For example:

1.0

alsoKnownAs (optional)

A user set field to assign a set of alternative URIs where the DID-Linked Resource can be fetched from. For example:

https://www.foo.com

From this request, cheqd Studio will automatically create and publish an encrypted Status List to the ledger with set Payment Conditions required to be met to unlock.

Option 2. Publish a JSON payload yourself

Instead of using simple form variables, you can create an encrypted Status List using a JSON payload yourself using the application/json option on the Swagger UI.

Request format

An example of the JSON payload needed to be submitted is below:

{
  "did": "did:cheqd:testnet:7c2b990c-3d05-4ebf-91af-f4f4d0091d2e",
  "statusListName": "cheqd-employee-credentials-encrypted",
  "paymentConditions": [
    {
      "feePaymentAddress": "cheqd1qs0nhyk868c246defezhz5eymlt0dmajna2csg",
      "feePaymentAmount": 20,
      "feePaymentWindow": 10
    }
  ]
}

The table below expands on some of the required parameters:

Parameter

Example value

Description

"feePaymentAddress"

"cheqd1xl5wccz667lk06ahama26pdqvrkz5aws6m0ztp"

This specifies the cheqd address to which the payment fee should be sent. This address is associated with the User who wants to charge for Credential Status

"feePaymentAmount"

"1000"

This defines the amount of the payment fee in CHEQ which the Issuer will charge for a third party to unlock the Credential Status. The amount may be up to 2 decimal points, e.g. "1000.25".

"feePaymentWindow"

"10"

The amount of time, in minutes, after making the payment in which a Verifier is able to unlock an encrypted resource.

Step 5: Hit the API

Once the Issuer has populated the requisite information for the encrypted Status List request, they can use the API below to submit it to the ledger.

Encrypted Status List Response format

The following code snippet shows an example of an encrypted Status List response format, which will be published to the ledger:

Note: it is important to save the response, including the "encryptedSymmetricKey" locally, as this will be used for updating encrypted Status List operations.

{
  "created": true,
  "resource": {
    "StatusList2021": {
      "encodedList": "496fdfbeb745b4db03fcdb40566f9c4c4a1c0f184b31255e641b6e7bdfb9b6946c12be87ca3763be0393c00b67ac1e8737c106b32f46ef59c765754415b5e8cc7c65fccaa3374620430ea476301a5e0dd63340e7a27a68bc627518471f22e4a2",
      "type": "StatusList2021Revocation",
      "validFrom": "2023-06-26T11:45:19.349Z"
    },
    "metadata": {
      "type": "StatusList2021Revocation",
      "encoding": "base64url",
      "encrypted": true,
      "encryptedSymmetricKey": "b11182dc524b8181f9a6aef4c4ad0a1c14e40033b9112dffd8d1bcf6cc3b85abc07ded2205ee94068a99f4202502cb0855f322583fa6ce1534d3a05bf36891766ea2c5f90a982b3040680762977d404d758a2370224a239c8279aa7d21e980931c42055b17ca4c7dbffa4782480a8b6279cf989b2f166d5fdb4b2c1b5a63927200000000000000203018dcaba26df45a415bb599218b27ca853a70289d7a3ed3ed0e3730452e8f8d9af91b6e71312565d2c069341f6660ab",
      "paymentConditions": [
        {
          "feePaymentAddress": "cheqd1qs0nhyk868c246defezhz5eymlt0dmajna2csg",
          "feePaymentAmount": "20000000000ncheq",
          "intervalInSeconds": 600,
          "type": "timelockPayment"
        }
      ]
    },
    "resourceMetadata": {
      "resourceURI": "did:cheqd:testnet:7c2b990c-3d05-4ebf-91af-f4f4d0091d2e/resources/5945233a-a4b5-422b-b893-eaed5cedd2dc",
      "resourceCollectionId": "7c2b990c-3d05-4ebf-91af-f4f4d0091d2e",
      "resourceId": "5945233a-a4b5-422b-b893-eaed5cedd2dc",
      "resourceName": "cheqd-revocation-encrypted-1",
      "resourceType": "StatusList2021Revocation",
      "mediaType": "application/json",
      "resourceVersion": "2023-06-26T11:45:19.349Z",
      "created": "2023-06-26T11:45:20Z",
      "checksum": "909e22e371a41afbb96c330a97752cf7c8856088f1f937f87decbef06cbe9ca2",
      "previousVersionId": null,
      "nextVersionId": null
    },
    "symmetricKey": "dfe204ee95ae74ea5d74b94c3d8ff782273905b07fbc9f8c3d961c3b43849f18"
  }
}

Note: The only encrypted element is the "encodedList" element. This provides the Verifier sufficient information to be able to make the payment back the the Issuer and to fulfill the Access Control Conditions, without being able to see the contents of the Status List itself.

Decentralized Trust Chains (DTCs)

Introduction

Verifiable Credentials (VCs) are, in most cases, issued by legal entities. The purpose of Verifiable Credentials is to provide the Relying Party that receives the credentials a Level of Assurance (LoA) that the attributes and claims within the credential are legitimate. However, it is not currently easy to determine whether a legal entity issuing a credential is in fact the entity they claim to be, and not, a fraudulent misrepresentation of that legal entity. This is the challenge that Trust Infrastructure and Trust Registries are positioned to solve.

Note: This Trust Registry challenge is a significant problem for the digital credential industry, and often inhibits the technology reaching a production stage of readiness.

At present, legal entities that issue credentials have no mechanism to establish that they are trustworthy; thus, Relying Parties may not recognise the DIDs signing the Verifiable Credentials they receive. To fully establish trust, Relying Parties need to know who issued the VCs, whether the issuer is recognised as trusted within a particular governance framework, and who accredited the issuer for the purpose of issuing the credential.

To solve this industry-wide challenge, cheqd introduces a Verifiable Trust Infrastructure, that directly complements the model created by EBSI. Within cheqd's Trust Infrastructure, users can create hierarchical chains of trust "Trust Chains" that together encapsulate a "Trust Registry" for a given ecosystem.

The Trust Infrastructure Model also includes permissions and policies set via "Verifiable Accreditations" and an overall "Governance Framework". Herein, permissions govern the scope of , while policies are used to define who made the accreditation; which Trust Framework is followed; and, the legal basis of the credential.

cheqd Trust Infrastructure users make the whole Verifiable Trust Model publicly available by registering it as a collection of DID-Linked Resources on cheqd. cheqd's Trust Infrastructure therefore enables verifiers to automatically resolve and establish trust in hierarchies of trust without needing to know each organisation directly, using industry-standard resolution mechanisms defined in the W3C DID-Core and the DID Resolution Spec.

Glossary

There are many terms used within this guide, and as such, familiarise yourself or refer back to the concepts within the glossary below:

Abbreviation

Term

Description

Accreditation Policy

Part of a Verifiable Credential, using the termsOfUse section to reference the parentAccreditation in the Trust Chain

DID

Decentralised Identifier

Legal entity identifier for Trust Registry, cannot be natural person in context of Trust Infrastructure

Governance Authority

The legal entity or consortia responsible for writing the Governance Framework. In many instances the Governance Authority is also a Root TAO

Governance Framework

A policy document outlining the purpose, roles, scopes and permissions for a given ecosystem using the Trust Infrastructure.

Root TAO

Root Trusted Accreditation Organization

Legal entity governing the whole trust chain

TAO

Trusted Accreditation Organization

Legal entity governing a trust chain segment

Trust Chain

Hierarchy of Verifiable Accreditations. Multiple Trust Chains may comprise a Trust Registry.

Trusted Issuer

Legal entity participating in a trust chain as an issuer

Trust Infrastructure

The overall set of technical and governance components to establish end-to-end trust.

Verifiable Accreditation

Type of on-ledger Verifiable Credential that is specifically used for establishing governance permissions and policies

Verifiable Trust Model

Permissions with policies to either accredit, or to attest

Establishing a Trust Hierarchy

cheqd's Trust Registry model is predicated on the notion of a trust hierarchy, which is conceptually very similar to traditional Public Key Infrastructure (PKI). Specifically, the model relies on a Root of Trust from which trusted relationships can be established.

In our model, each organisation in the trust hierarchy is able to issue Verifiable Accreditations to other entities, conveying a set of permissions or scopes that determine what the recipient entity is permitted to do.

The following diagram show how a Root TAO accredits two TAOs lower in the hierarchy:

where:

Root of Trust (rTAO) DID:
- Controls Verifiable Accreditations (VAs) issued from rTAO to TAOs.
Accredited Org (TAO) DID:
- Controls Verifiable Accreditations (VAs) issued from TAOs to Trusted Issuers.
Trusted Issuer DID:
- Issues Verifiable Credentials with Issuance Policies
Verifiable Credentials
- Issued including the Issuance Policies in the TermsOfUse section of the data model.
- Issued to Digital Identity Wallet of user or organisation, which can be later verified up the entire trust chain.

Trust Infrastructure Roles and their Permissions

As shown in the diagram above, legal entities can play the following roles:

Root Trusted Accreditation Organisation (Root TAO)
Trusted Accreditation Organisation (TAO)
Trusted Issuer (TI)

A Trust Chain should contain all three roles, even if one single DID would represent all three roles. The roles must be RTAO, TAO, and TI, where only TI may issue domain-specific Verifiable Credentials.

Root Trusted Accreditation Organisation (RTAO)

The Root TAO is the owner of a Trust Chain, responsible for the governance of the whole Trust Chain. Root TAOs may:

accredit itself to govern or issue domain-specific Verifiable Credentials
accredit TAOs to govern a segment of the Trust Chain
accredit a Trusted Issuer to issue domain-specific Verifiable Credentials
revoke an accreditation from a legal entity that is participating in the Trust Chain

The RTAO permission is defined by VerifiableAuthorisationForTrustChain, and the policies are contained in termsOfUse as TrustFrameworkPolicy.

Trusted Accreditation Organisation (TAO)

A TAO governs an accredited segment on behalf of the RTAO. It may:

accredit itself to issue domain-specific Verifiable Credentials
accredit another TAO to govern a segment of the Trust Chain
accredit a Trusted Issuer to issue domain-specific Verifiable Credentials
revoke accreditation from a legal entity that was accredited by the TAO

The TAO permission is defined by VerifiableAccreditationToAccredit, and the policies are contained in termsOfUse as AccreditationPolicy.

Trusted Issuer (TI)

A Trusted Issuer represents the Issuer in a Trust Chain. It may issue domain-specific Verifiable Credential types defined by the received accreditation.

Note that issuers may issue Verifiable Credentials outside the Trust Chain, but these are not associated or recognised by a Root TAO and therefore contain no weight within the Trust Chain's governance framework.

The TI permission is defined by VerifiableAccreditationToAttest, and the policies are contained in termsOfUse as AccreditationPolicy. When the Trusted Issuer is using their accreditation to issue a domain-specific VC, the issued domain VC must contain a termsOfUse property with AttestationPolicy type, which links to the Trusted Issuer's accreditation and into Root TAO's accreditation, where both are located in TIR.

Policies Overview

The Governance Framework Policy is a document, written by a Governance Authority, that defines requirements that must be met for the Trust Ecosystem. These requirements may include security, legal, operational, or functional requirements and may relate to regulation, directives, national policy, or similar documents.

All Trust Model policies are located in the termsOfUse property of the corresponding Accreditation or credential that contains the permissions related to the policy.

Trust Types

Accreditations

Accreditations are certifications of being qualified to accredit or attest. Accreditations are attribute-driven and are always restricted to domain-specific credential types. These restrictions cannot be extended. For example, if a legal entity is accredited to accredit Issuers of diploma VCs, they may only pass this or a subset downstream of the hierarchy. Depending on the accreditation, the accredited legal entity may govern (accredit) or issue (attest), but always within the Trust Model and the accredited boundaries.

Each Verifiable Accreditation is also associated with an AccreditationPolicy in the termsOfUse section of the credential. This Policy links to the parent or root accreditation to enable verifiers to traverse the trust registry.

Credentials

All Verifiable Credentials are attestations of something. Any issuer may issue credentials (default), while accredited Trusted Issuers may issue domain-specific VCs with the accreditation, by attaching the AttestationPolicy into termsOfUse.

End Users (legal entities or natural persons) can accumulate multiple Verifiable Credentials from one or many Trust Models.

Set up Veramo CLI for cheqd

If you're looking to use the Veramo CLI with cheqd or develop a proof-of-concept application, use the official Veramo CLI setup guide.

Step 1: Install requisite packages

Node version recommended Nodev16. You can install Node here

1.1. Install Veramo CLI

This step is exactly as described in Veramo CLI docs:

npm i @veramo/cli@latest -g

Note: Depending on your system permissions, you might be prompted for additional permissions. Add sudo to the beginning of the command in case that happens.

Verify the installation was correct. Command below should output latest version of veramo you installed.

veramo -v
x.x.x

1.2. Install the `did-provider-cheqd` package

Install the did-provider-cheqd NPM package in a similar fashion:

npm install @cheqd/did-provider-cheqd@latest -g

You can check all of your NPM package versions by running the command:

npm list -g

Step 2: Modify the cheqd plugin Agent configuration file

2.1. Get the `agent.yml` configuration file

Download the agent.yml file that contains the configuration for cheqd network to be used with Veramo CLI.

You can do this in terminal through:

wget -c https://raw.githubusercontent.com/cheqd/did-provider-cheqd/main/agent.yml

Note: Alternatively, you can also fetch this by cloning the did-provider-cheqd repository.

2.2. Open the `agent.yml` file in an editor to customise the config

You can open the agent.yml in a text editor/IDE of your choice to edit a few mandatory settings.

In terminal, you can edit the agent.yml file using an editor like nano:

nano <path/to/>agent.yml

Make sure you provide the actual relative/absolute path to the file.

2.3. Generate a new local database encryption key

By default, the did-provider-cheqd package has a default SQLite database password, but it's a good idea to modify and change this to a new key unique to your install.

$ veramo config gen-key

X25519 raw private key (hex encoded):

4a5aeb56c7956dd6f3312e7094130a03afc060b95621fa3a86577aaf2b67cc1d

You can use this key with @veramo/kms-local#SecretBox
or replace the default agent.yml 'dbEncryptionKey' constant

Take the key generated and replace the value under dbEncryptionKey in the agent.yml file.

2.4. Set your DID Resolver endpoint

In order to be able to read/query did:cheqd entries from the ledger, you need to configure a REST API endpoint for a cheqd DID Resolver instance.

did-cheqd-resolver:
    $require: '@cheqd/did-provider-cheqd?t=function&p=/cheqd#getResolver'
    $args:
        - url: 'https://resolver.cheqd.net/1.0/identifiers/'

The default value is set to resolver.cheqd.net, which is an instance of the cheqd DID Resolver hosted by the cheqd team. This DID Resolver instance can handle requests for did:cheqd:mainnet as well as did:cheqd:testnet namespaces.

If you want, you can replace the url property with a different REST API endpoint for a different instance of the cheqd DID Resolver.

Alternative/Optional: Use Universal Resolver instead

Note: This configuration is an advanced step and not recommended for most users. Skip it and continue to the next step in most cases, unless you know why you want to switch the resolver interface.

If you plan on interacting with multiple DID methods using Veramo CLI, you can alternatively query did:cheqd using a Universal Resolver instance instead. This allows your CLI configuration to handle any DID method supported by Universal Resolver.

Firstly, comment out the custom did-cheqd-resolver entry and uncomment the universal-resolver entry. This tells Veramo CLI to use the Universal Resolver interface for did:cheqd.

# DID resolvers
didResolver:
    $require: '@veramo/did-resolver#DIDResolverPlugin'
    $args:
        - resolver:
              $require: did-resolver#Resolver
              $args:
                  - key:
                        $ref: /did-key-resolver
                    # cheqd:
                    #  $ref: /did-cheqd-resolver
                    cheqd:
                        $ref: /universal-resolver

Also comment out this section for the did-cheqd-resolver:

# did-cheqd-resolver:
#   $require: '@cheqd/did-provider-cheqd?t=function&p=/cheqd#getResolver'
#   $args:
#     - url: 'https://resolver.cheqd.net/1.0/identifiers/'

Finally, uncomment and configure the universal-resolver interface:

universal-resolver:
    $require: '@veramo/did-resolver#UniversalResolver'
    $args:
        - url: https://dev.uniresolver.io/1.0/identifiers/

2.5. Add cheqd-testnet to your Keplr wallet

In order to add cheqd-testnet to your Keplr extension, please follow the following instructions:

Go to Axelar to add a custom network, then replace everything with cheqd-testnet json configuration below.

{
    "chainId": "cheqd-testnet-6",
    "chainName": "cheqd Testnet",
    "rpc": "https://rpc.cheqd.network",
    "rest": "https://api.cheqd.network",
    "stakeCurrency": {
        "coinDenom": "CHEQ",
        "coinMinimalDenom": "ncheq",
        "coinDecimals": 9,
        "coinGeckoId": "cheqd-network"
    },
    "walletUrlForStaking": "https://wallet.cheqd.io",
    "bip44": {
        "coinType": 118
    },
    "bech32Config": {
        "bech32PrefixAccAddr": "cheqd",
        "bech32PrefixAccPub": "cheqdpub",
        "bech32PrefixValAddr": "cheqdvaloper",
        "bech32PrefixValPub": "cheqdvaloperpub",
        "bech32PrefixConsAddr": "cheqdvalcons",
        "bech32PrefixConsPub": "cheqdvalconspub"
    },
    "currencies": [
        {
            "coinDenom": "CHEQ",
            "coinMinimalDenom": "ncheq",
            "coinDecimals": 9,
            "coinGeckoId": "cheqd-network"
        }
    ],
    "feeCurrencies": [
        {
            "coinDenom": "CHEQ",
            "coinMinimalDenom": "ncheq",
            "coinDecimals": 9,
            "coinGeckoId": "cheqd-network",
            "gasPriceStep": {
                "low": 25,
                "average": 50,
                "high": 100
            }
        }
    ],
    "coinType": 118,
    "beta": true
}

2.6. Configure your cheqd/Cosmos account keys and RPC endpoints

While reading/querying from the cheqd ledger incurs no cost, if you want to create/update a DID to cheqd ledger, you need to pay transaction fees for the ledger writes.

# DID Manager
didManager:
---
defaultProvider: did:cheqd:testnet
providers:
    did:cheqd:mainnet:
        $require: '@cheqd/did-provider-cheqd#CheqdDIDProvider'
        $args:
            - defaultKms: local
              cosmosPayerMnemonic: <your_cosmos_mnemonic_paying_for_did_txs>
              networkType: mainnet
              rpcUrl: 'https://rpc.cheqd.net'
    did:cheqd:testnet:
        $require: '@cheqd/did-provider-cheqd#CheqdDIDProvider'
        $args:
            - defaultKms: local
              cosmosPayerMnemonic: <your_cosmos_mnemonic_paying_for_did_txs>
              networkType: testnet
              rpcUrl: 'https://rpc.cheqd.network'

You need to configure this in under didManager section as shown above, where you'll need to edit:

cosmosPayerMnemonic: Mnemonic associated with your cheqd/Cosmos SDK account. This is only stored locally, and the mnemonic is used to reconstitute the account address and keys used to pay for the transaction.
rpcUrl: For both did:cheqd:mainnet: as well as did:cheqd:testnet: sections, you can specify a Cosmos SDK RPC endpoint. This endpoint is where transactions are sent to. By default, this is populated with rpc.cheqd.net (for mainnet) and rpc.cheqd.network (for testnet), but you can can modify this to a different hosted RPC endpoint for cheqd or even your own local/private RPC endpoint.
defaultProvider: The default cheqd network is set to did:cheqd:testnet to allow developers to test out network functionality. However, if you prefer, you can switch this out to did:cheqd:mainnet instead.

2.7. Save the `agent.yml` file and exit

Make sure all your edits above are persisted and saved to a file that you can access.

Step 3: Verify your configuration file is correct

Once you've completed Step 2 above, verify that your Veramo configuration is accurate using the following command. If your configuration is correct, you should get a success message like the one below.

$ veramo config check -f <path/to/>agent.yml

Your Veramo configuration seems fine. An agent can be created and the 'agent.execute()' method can be called on it.

If the config check throws an error, check out our troubleshooting guide for Veramo CLI setup to see common errors and fixes.

Next steps

Now that your Veramo CLI installation is successfully set up to work with cheqd, try following our tutorials for creating a new DID or querying existing DIDs.

Context for developing DID-Linked Resources

Understanding "Resources" in decentralised identity

In self-sovereign identity (SSI) ecosystems, “resources” are often required in tandem with W3C Verifiable Credentials, to provide supporting information or additional context to verifiers receiving Verifiable Presentations.

For example, common types of resources that might be required to issue and validate Verifiable Credentials are:

Schemas;
Status lists;
Trust registries;
Visual Representations of Verifiable Credentials;
Documents; or
Logos

Schemas

Schemas describe the fields and content types in a credential in a machine-readable format. Prominent examples of this include schema.org, Hyperledger Indy schema objects, etc. You can think of them as a template for what is included in a Verifiable Credential.

Below is an example of a schema.org residential address with full URLs:

{ 
    "@type": "http://schema.org/Person", 
    "http://schema.org/address": {   
        "@type": "http://schema.org/PostalAddress",   
        "http://schema.org/streetAddress": "123 Main St.",   
        "http://schema.org/addressLocality": "Blacksburg",   
        "http://schema.org/addressRegion": "VA",   
        "http://schema.org/postalCode": "24060",   
        "http://schema.org/addressCountry": "US" 
    }
}

This might also take the form of evidence schemes, which describe additional information about the processes used to validate the information presented in a Verifiable Credential in common, machine-readable format.

Prominent examples of this include Schema.org, Hyperledger AnonCreds SCHEMA objects, etc.

Status and Revocation Lists

Status lists allow recipients of a Verifiable Credential exchange to check the status of a credential for validity. Prominent examples of this include the W3C Status List 2021 specification, Hyperledger AnonCreds Revocation, etc.

Trust registries

Trust registries enable recipients of a Verifiable Credential exchange to check that the Decentralized Identifier of the issuer is listed in a trusted registry. This provides a level of assurance in the authenticity of the issuer. Examples of Trust Registries include the ToIP Trust Registry Specification, EBSI Trust Registry API, etc.

Visual representations for Verifiable Credentials

Although Verifiable Credentials can be exchanged digitally, in practice most identity wallets want to present “human-friendly” representations. Examples of this include the Overlays Capture Architecture (OCA) specification, Apple Wallet PassKit (".pkpass"), Google Wallet Pass, etc. A resource, using something like Overlay Capture Architecture (OCA) may enable a credential representation to be shown according to the brand guidelines of the issuer, internationalisation (“i18n”) translations, etc.

Figure 1: Overlays Capture Architecture Specification Version 1.0.0

Such visual representations can also be used to quickly communicate information visually during identity exchanges, such as airline mobile boarding passes.

Figure 2: Mobile boarding passes in Apple Wallet showing different visual styles (source: British Airways media centre)

In the example above from British Airways, the pass at the front is for a “Gold” loyalty status member, whereas the pass at the back is for a “standard” loyalty status member. This information can be represented in a Verifiable Credential, of course, but the example here uses the Apple Wallet / Google Wallet formats to overlay a richer display.

While it’s useful to have digital credentials that can be verified cryptographically, the reality is that there are often occasions when a quick “visual check” is done instead. For example, when at an airport, an airline staff member might visually check a mobile boarding pass to direct people to the correct queue they need to join. The mobile boarding pass does get scanned at points like check-in, security, boarding etc., to digitally read the information, other scenarios where this is not done are equally valid. However, most Verifiable Credential formats do not explicitly provide such “human-friendly” forms of showing the data held in a credential.

Documents

More broadly, there are other types of resources that might be relevant for companies beyond SSI vendors, that want a way to represent information about themselves in an immutable and trustworthy way.

Many companies require documentation such as Privacy Policies, Data Protection Policies or Terms of Use to be made publicly available. Moreover, Trust over IP (ToIP) recommends making Governance Frameworks available through DID URLs, which would typically be a text file, a Markdown file, PDF etc.

Logos

Companies may want to provide authorised image logos to display across different websites, exchanges or block explorers. Examples of this include key-publishing sites like Keybase.io (which is used by Cosmos SDK block explorers such as our own to show logos for validators) and “favicons” (commonly used to set the logo for websites in browser tabs).

The current uses for resources are therefore very broad across the SSI ecosystem, and in addition, for other companies that may want to use DIDs to reference relevant information on ledger. For this reason, it is essential that the SSI community strengthens the way that resources are stored, referenced and retrieved in SSI ecosystems.

In our demo for IIW, we showed an IIW logo as a resource on-ledger, being used within the body of a Verifiable Credential. In the JSON below, you will be able to see the resources being used in both the "@context" and "logo" sections.

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://veramo.io/contexts/profile/v1",
    "https://resolver.cheqd.net/1.0/identifiers/did:cheqd:testnet:z6jKUJA5YcZsNxZgsrQPKPipL2FRTf4s/resources/a20aa56a-a76f-4828-8a98-4c85d9494545"
  ],
  "type": [
    "VerifiableCredential",
    "EventReservation"
  ],
  "issuanceDate": "2022-11-17T03:19:03.328Z",
  "credentialSubject": {
    "id": "did:key:z6MkwTr46BWU42YejmZrDDCbL127dBoxSXeLuaHS75vTCg7i"
  },
  "reservationId": "4810116769",
  "reservationStatus": "https://schema.org/ReservationConfirmed",
  "reservationFor": {
    "@type": "Event",
    "name": "Internet Identity Workshop IIWXXXV",
    "startDate": "2022-11-16T16:00:00",
    "endDate": "2022-11-18T00:00:00",
    "location": "Computer History Museum, 1401 N Shoreline Blvd, Mountain View, CA 94043",
    "logo": "https://resolver.cheqd.net/1.0/identifiers/did:cheqd:testnet:z6jKUJA5YcZsNxZgsrQPKPipL2FRTf4s/resources/8140ec3a-d8bb-4f59-9784-a1cbf91a4a35"
  },
  "issuer": {
    "id": "did:cheqd:mainnet:zAXwwqZzhCZA1L77ZBa8fhVNjL9MQCHX"
  },
  "proof": {
    "type": "JwtProof2020",
    "jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vdmVyYW1vLmlvL2NvbnRleHRzL3Byb2ZpbGUvdjEiLCJodHRwczovL3Jlc29sdmVyLmNoZXFkLm5ldC9kaWQ6Y2hlcWQ6dGVzdG5ldDp6NmpLVUpBNVljWnNOeFpnc3JRUEtQaXBMMkZSVGY0cy9yZXNvdXJjZXMvYTIwYWE1NmEtYTc2Zi00ODI4LThhOTgtNGM4NWQ5NDk0NTQ1Il0sInR5cGUiOlsiVmVyaWZpYWJsZUNyZWRlbnRpYWwiLCJFdmVudFJlc2VydmF0aW9uIl0sImNyZWRlbnRpYWxTdWJqZWN0Ijp7ImlkIjoiZGlkOmtleTp6Nk1rd1RyNDZCV1U0Mlllam1ackREQ2JMMTI3ZEJveFNYZUx1YUhTNzV2VENnN2kifX0sIkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIiwiaHR0cHM6Ly92ZXJhbW8uaW8vY29udGV4dHMvcHJvZmlsZS92MSIsImh0dHBzOi8vcmVzb2x2ZXIuY2hlcWQubmV0L2RpZDpjaGVxZDp0ZXN0bmV0Ono2aktVSkE1WWNac054WmdzclFQS1BpcEwyRlJUZjRzL3Jlc291cmNlcy9hMjBhYTU2YS1hNzZmLTQ4MjgtOGE5OC00Yzg1ZDk0OTQ1NDUiXSwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIkV2ZW50UmVzZXJ2YXRpb24iXSwiaXNzdWFuY2VEYXRlIjoiMjAyMi0xMS0xN1QwMzoxOTowMy4zMjhaIiwiY3JlZGVudGlhbFN1YmplY3QiOnsiaWQiOiJkaWQ6a2V5Ono2TWt3VHI0NkJXVTQyWWVqbVpyRERDYkwxMjdkQm94U1hlTHVhSFM3NXZUQ2c3aSJ9LCJyZXNlcnZhdGlvbklkIjoiNDgxMDExNjc2OSIsInJlc2VydmF0aW9uU3RhdHVzIjoiaHR0cHM6Ly9zY2hlbWEub3JnL1Jlc2VydmF0aW9uQ29uZmlybWVkIiwicmVzZXJ2YXRpb25Gb3IiOnsiQHR5cGUiOiJFdmVudCIsIm5hbWUiOiJJbnRlcm5ldCBJZGVudGl0eSBXb3Jrc2hvcCBJSVdYWFhWIiwic3RhcnREYXRlIjoiMjAyMi0xMS0xNlQxNjowMDowMCIsImVuZERhdGUiOiIyMDIyLTExLTE4VDAwOjAwOjAwIiwibG9jYXRpb24iOiJDb21wdXRlciBIaXN0b3J5IE11c2V1bSwgMTQwMSBOIFNob3JlbGluZSBCbHZkLCBNb3VudGFpbiBWaWV3LCBDQSA5NDA0MyIsImxvZ28iOiJodHRwczovL3Jlc29sdmVyLmNoZXFkLm5ldC8xLjAvaWRlbnRpZmllcnMvZGlkOmNoZXFkOnRlc3RuZXQ6ejZqS1VKQTVZY1pzTnhaZ3NyUVBLUGlwTDJGUlRmNHMvcmVzb3VyY2VzLzgxNDBlYzNhLWQ4YmItNGY1OS05Nzg0LWExY2JmOTFhNGEzNSJ9LCJpc3N1ZXIiOnsiaWQiOiJkaWQ6Y2hlcWQ6bWFpbm5ldDp6QVh3d3FaemhDWkExTDc3WkJhOGZoVk5qTDlNUUNIWCJ9LCJzdWIiOiJkaWQ6a2V5Ono2TWt3VHI0NkJXVTQyWWVqbVpyRERDYkwxMjdkQm94U1hlTHVhSFM3NXZUQ2c3aSIsIm5iZiI6MTY2ODY1NTE0MywiaXNzIjoiZGlkOmNoZXFkOm1haW5uZXQ6ekFYd3dxWnpoQ1pBMUw3N1pCYThmaFZOakw5TVFDSFgifQ.U4vPbvdY7724a1jJwiDeCH_4_YC5sKUMcH6lY_XCVWBTE1RvYAnTj4fPHWMy6zSVFL9TAk4ZBOqFjKUtShBSCw"
  }
}

By clicking the image below, you will see that this is actually being pulled and resolved from the cheqd ledger:

Rationale for storing resources on-ledger

What are the problems with the way resources are stored?

There are multiple approaches to decentralised identity which rely on centralised infrastructure across different technical layers. Decentralised Identifiers (DIDs): are often stored on ledgers (e.g., cheqd, Hyperledger Indy, distributed storage (e.g., IPFS in Sidetree), or non-ledger distributed systems (e.g., KERI). Yet, DIDs can be stored on traditional centralised-storage endpoints (e.g., did:web, did:git.

The issue of centralisation affects resources providing extra context and information to support Verifiable Credentials. These resources, such as schemas and revocation lists, are often stored and referenced using centralised hosting providers.

Using centralised hosting providers to store resources may have a significant difference in the longevity and authenticity of Verifiable Credentials. For example, a passport (which typically has a 5–10 year validity) issued as a Verifiable Credential anchored to a DID (regardless of whether the DID was on-ledger or not) might stop working if the credential schema, visual presentation format, or other necessary resources were stored off-ledger on traditional centralised storage.

DIDs could be tampered by compromising the hosting provider: DIDs and DID Documents ("DIDDocs") stored at a centralised web endpoint can be compromised and replaced by malicious actors.
Hosting providers could unilaterally cease to host particular clients: Hosting providers could terminate accounts due to factors such as non-payment of fees, violation of Terms of Service, etc.
Single point-of-failure in resiliency: Even for highly-trusted and sophisticated hosting providers who may not present a risk of infrastructure being compromised, a service outage at the hosting provider can make a DID anchored on their systems inaccessible.

Single points of failure

Even for highly-trusted and sophisticated hosting providers who may not present a risk of infrastructure being compromised, a service outage at the hosting provider can make a resource anchored on their systems inaccessible.

The high centralisation of cloud providers and history of noteworthy outages clearly demonstrates why we should not host resources on centralised cloud storage in production environments. In Q1 of 2022, the three largest players in the cloud (AWS, Google Cloud, Microsoft Azure) dominated with 65 per cent in nearly all regions (outside of China).

Figure 3: Breakdown of global cloud provider market share (source: CoinTelegraph)

Beyond cloud providers, there are other events that exemplify the issuers relying on larger players. The Facebook outage of 2021 (shown in the graph below) took down apps that used “Login with Facebook” functionality. This highlights the risks of “contagion impact” (e.g., a different Facebook outage took down Spotify, TikTok, Pinterest) of centralised digital systems — even ones run by extremely-capable tech providers.

Figure 4: Graph showing drop in Facebook traffic from their global service outage in 2021 (source: Kentik)

Likewise, with decentralised identity, there has been excellent work to decentralise, with standards that remove the need for centralised intermediaries — notably around Verifiable Credentials and the decentralised trust provided by DID Authentication. Yet, all of this excellent work may be eroded in practice, unless every component of an SSI ecosystem is able to maintain an equivalent level of decentralised trust. Resources are currently an area that has been centralised for the sake of convenience.

Link rot

"Link rot" happens when over time, URLs become inaccessible, either because the endpoint where the content was stored is no longer active, or the URL format itself changes. The graph below from an analysis by The New York Times of linkrot shows degradation over time of URLs.

Figure 5: Linkrot analysis over 1996-2019 by New York Times (source: Columbia Journalism Review / New York Times)

For this reason, keeping an up-to-date version of the links themselves is crucial. Furthermore, a study of link rot found at least 66.5% of links to sites in the last 9 years are dead. This can have an adverse impact on the digital longevity of Verifiable Credentials if there’s “link rot” in the resources necessary to process the credential. For this reason, projects such as The Internet Archive’s Wayback Machine exist to snapshot digital ephemera before they are lost forever.

Figure 6: Pie chart showing root causes of link rot (source: Ahrefs)

This illustrates that link rot can affect a significant proportion of links in a relatively small amount of time, and once again, looking at how resources are currently stored in SSI ecosystems, if the resource locations are moved and the links are broken, the Verifiable Credentials relying on these resources become unusable. Therefore, resources, once defined, should be architected to be used and referenced indefinitely, without being changed.

Tamper-evident changes and censorship resistance

Finally, the centralised way that resources are currently stored and managed is not immutable, and as a result, it is liable to tampering. For example, if a hosting provider is compromised, or if malicious actors are working for the company, resources may be changed and previous resource versions may be purged from the central database.

As we move towards a new web infrastructure with Web 3 (and beyond…), and as more projects leverage blockchain and distributed ledgers, it’s important not to port the previous issues of the web, and instead find novel ways to better manage information, with longevity in mind. This is why at cheqd, we have decided to redesign the way resources are captured on the ledger.

Semantic Linkage

Solutions that do currently store schemas on ledger (e.g., Hyperledger Indy) don't have semantic linkage between old and new versions. In this instance, current ledgers allow new versions to be made but don't offer an easy way for client apps to discover linkages as they evolve over time.

Addressing risk vectors using DID-Linked Resources

We took the following design principles into consideration, along with an explanation of how we addressed them:

Built using existing, familiar DID Core Spec patterns: Wherever possible, our design attempts to utilise existing patterns and behaviours within the W3C DID Core specification (such as the use of DID URLs to identify resources), instead of trying to implement proprietary/custom approaches. We believe that similar designs could be adopted by other DID methods if they choose.
Protection against linkrot for long-term retrieval: Any Resource stored on-ledger is replicated across multiple nodes.
1. If any individual node or endpoint is down, lookup requests can be sent to any other node on the network.
2. In a catastrophic scenario where the network itself stops to exist, e.g., companies shutting down, getting acquired etc the on-ledger data can still be restored by digital archivists using ledger snapshots. A practical example of this is how Cosmos Hub makes historical chain archives available which can be restored. While this can be cumbersome, we wanted to design for this as a fail-safe.
Extensible by default: Our objective was to build a flexible design pattern that allowed developers to define and extend their own resource types. Trying to control what kinds of resources could be written to ledger would make the ledger-side logic complex. Instead, we opted for a design where the cheqd ledger acts agnostically to store resources, as long as correctly authorised, as a permanently-accessible endpoint.
Design for DID-spec "dumb" as well as DID-spec "smart" client applications: Many approaches in this space assume that client applications must be adept at parsing DIDDocs and resolving complex inter-DIDDoc relationships. We saw describing resources using DIDDocs as metadata about the resource which could be independently-parsed by "smart" client applications; while also providing a fallback approach for "dumb" client applications. We internally considered this as "What if an identity wallet understood how to parse JSON, but didn't understand the DID Core spec?"
Version controlled: The ability to evolve a resource over time is critical for identity use cases. As described above, examples of this include when identity document schemas change, logos evolve, etc. Current approaches (such as Hyperledger Indy CredDefs) deal with this by creating entirely new, unlinked resources. We designed to make it easy, using existing DID Core specification techniques, so that client applications could query "What was the version of a resource with this name on this date/time?"
Make re-use of resources simple: We liked the concept of Schema.org in the sense that it promotes a common, machine-readable specification. Therefore, our design allows for patterns where the controllers of a DID can reference resources created by other DID owners/controllers, e.g., referencing a pre-existing schema. Taking this line of thought further, it allows for an arbitrary depth of how resources can be nested, as long as they are discoverable/resolvable.
Notalltypes of resources should be stored on a ledger...but can be made discoverable through similar design patterns: Distributed ledgers are great for redundancy, but the cost of this duplication (in terms of storage required by node, block size, transaction finality speeds, etc) can be quite significant. For instance, a distributed ledger is probably not the best storage and retrieval mechanism for a video file (which can run into many GBs/TBs); or even a PDF larger than a few MBs. cheqd network restricts the block size for an individual block to ~200 KB. This can be updated via an on-ledger vote, but the trade-off of asking node operators to provision ever-expanding storage would be not ideal. Our design therefore restricts the file/payload size of on-ledger resources (in our case, ~190 KB - giving enough room for transaction data besides the resource itself), while allowing the same techniques below to be used for describing off-ledger resources. E.g., our first DID on cheqd network references a 7+ MB image accessible via IPFS. We recognise and accept that DID owners/creators may choose to use their own centralised/decentralised storage, and the design patterns described below accommodate that.

Learn more about the technical details on learn how we have architected DID-Linked resources, and how we achieve these design principles.

Create Status List

Create Verifiable Credential Status List v2021 on cheqd

The Status List 2021 Specification indicates that it may be desirable to store the actual StatusList using something like a Content Distribution Network to lessen the load on the server maintained by the issuer to return a result in real-time.

Using cheqd's Resource Module, the same benefits may be achieved. In fact, storing a StatusList as an on-ledger Resource is a much better application of technology than using a Verifiable Credential for the same purpose.

By storing a StatusList on the cheqd Network as a Resource, it creates a much more resilient and decentralised mechanism for storing and maintaining the revocation/suspension status of Verifiable Credentials. The benefits of using the cheqd Resource module over traditional centralised architecture are detailed here.

Moreover, cheqd's Resource Module enables individual Resources to be referenced and retrieved using a DID URL in conformance with DID Core. This is being standardized at the Trust over IP Foundation within a specification called DID URLs for Digital Resources.

Creating a StatusList Resource using Veramo SDK for cheqd

Using the cheqd Resource module, the same content and semantics of StatusList2021 can be replicated, with additional benefits of enabling DID Resolvers to fetch the contents of the StatusList.

Create a DID and DID Document with keys to manage the StatusList

You can follow the tutorial to create a DID and DID Document here.

Let's assume that the following DID is created.

"didDocument": {
    "@context": [
      "https://www.w3.org/ns/did/v1"
    ],
    "id": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY",
    "controller": [
      "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY"
    ],
    "verificationMethod": [
      {
        "id": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY#verkey-1",
        "type": "Ed25519VerificationKey2020",
        "controller": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY",
        "publicKeyMultibase": "zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpYAZPD1M9tvwyzE"
      },
    ],
    "authentication": [
      "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY#verkey-1"
    ]
  }

Prepare encodedList content

Prepare a file with the StatusList2021 bitstring encodedList and encode it into base64, following the same generate algorithm as in the Status List2021 Specification.

Note: The uncompressed bitstring MUST be at least 16KB in size to maintain herd privacy for the holder.

Create a unique ID for the StatusList Resource

UUIDs are used to identify Resources. On Unix systems, the uuidgen tool can be used to generate a new UUID.

Create a new Resource for an unencrypted StatusList

{
  "kms": "local",
  "payload": {
    "collectionId": "zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY",
    "id": "4a71319b-00b1-4db9-bc05-56dc426f7062",
    "name": "ExampleStatusList2021",
    "resourceType": "StatusList2021Revocation",
    "encrypted": false
    "data": "SGVsbG8sIHdvcmxk"
  },
  "signInputs": [
    {
      "verificationMethodId": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY#verkey-1",
      "keyType": "Ed25519",
      "privateKeyHex": "0f5c124886178037952e87e0cdc55d185732577fca19ae877e64ac9ab24a0cc534e5326e70f1a42d785d93048aee806c359ec75a7b06f39253befd1746708438"
    }
  ]
}

Where the fields within the payload have the following meaning:

Parameter

Description

collectionId

The unique identifier of the parent DID, to link the Resource to a particular DID

A UUID for the resource, to enable it to be specifically referenced and fetched

name

This must be a unique name indicating the type of Status List, but also a qualifying name for the List. For example: ExampleStatusList2021

resourceType

This must indicate the statusPurpose. This value should be either: StatusList2021Revocation or StatusList2021Suspension

data

Base 64 encoded file containing the full bitstring for the StatusList

Note: If an issuer wants to create multiple StatusLists within the same Collection, they must have unique and distinct names.

Note association between DID and Resource

Once created, the StatusList2021 Resource will be associated with the parent DID, and referenced in the DID Document Metadata as follows:

{
  "didDocument": {
    "@context": ["https://www.w3.org/ns/did/v1"],
    "id": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY",
    "controller": ["did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY"],
    "verificationMethod": [
      {
        "id": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY#verkey-1",
        "type": "Ed25519VerificationKey2020",
        "controller": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY",
        "publicKeyMultibase": "zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpYAZPD1M9tvwyzE"
      }
    ],
    "authentication": [
      "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY#verkey-1"
    ]
  },
  "didDocumentMetadata": {
    "created": "2022-09-16T11:15:20Z",
    "versionId": "204e296f-d55b-4552-9fec-0b242a689f96",
    "linkedResourceMetadata": [
      {
        "resourceURI": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY/resources/4a71319b-00b1-4db9-bc05-56dc426f7062",
        "resourceCollectionId": "zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY",
        "resourceId": "4a71319b-00b1-4db9-bc05-56dc426f7062",
        "resourceName": "ExampleStatusList2021",
        "resourceType": "StatusList2021Revocation",
        "mediaType": "application/json",
        "created": "2022-09-16T11:15:52Z",
        "checksum": "0f503dfbff29de9ac74fd07f1720ba560eb388e28062367884890c311736ec9d",
        "previousVersionId": "",
        "nextVersionId": ""
      }
    ]
  }
}

Creating new StatusList2021 Resource Version

An issuer may want to regularly update the bitstring whenever there is a certain amount of revocation status updates. The issuer will therefore need to create a new version for the initial StatusList2021 Resource.

Resources with the same Collection ID and name are grouped into version sets. Each resource in such a set has a link to the previous version (except the first version) and the next version (if it's not the most recent version).

To create a resource and mark it as a new version within a particular group, it is necessary to use the same collection-id, name and type as in the previous version. Links between versions will be created automatically.

New versions have dedicated unique IDs and can be referenced and retrieved as any other resources.

For example:

{
  "kms": "local",
  "payload": {
    "collectionId": "zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY", // Same Collection ID
    "id": "6922ae19-777e-4e05-8b10-8a2f0a2d418d", // New unique ID
    "name": "ExampleStatusList2021", // Same name
    "resourceType": "StatusList2021Revocation", // Same Resource Type
    "data": "hwbWB8FnRwXxmxk" // New base 64 encoded value with updated bitstring
  },
  "signInputs": [
    {
      "verificationMethodId": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY#verkey-1", // Same Verification key
      "keyType": "Ed25519",
      "privateKeyHex": "0f5c124886178037952e87e0cdc55d185732577fca19ae877e64ac9ab24a0cc534e5326e70f1a42d785d93048aee806c359ec75a7b06f39253befd1746708438"
    }
  ]
}

Resulting in the following metadata syntax:

{
  "didDocument": {
    "@context": ["https://www.w3.org/ns/did/v1"],
    "id": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY",
    "controller": ["did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY"],
    "verificationMethod": [
      {
        "id": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY#verkey-1",
        "type": "Ed25519VerificationKey2020",
        "controller": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY",
        "publicKeyMultibase": "zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpYAZPD1M9tvwyzE"
      }
    ],
    "authentication": [
      "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY#verkey-1"
    ]
  },
  "didDocumentMetadata": {
    "created": "2022-09-16T11:15:20Z",
    "versionId": "204e296f-d55b-4552-9fec-0b242a689f96",
    "linkedResourceMetadata": [
      {
        "resourceURI": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY/resources/4a71319b-00b1-4db9-bc05-56dc426f7062",
        "resourceCollectionId": "zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY",
        "resourceId": "4a71319b-00b1-4db9-bc05-56dc426f7062",
        "resourceName": "ExampleStatusList2021",
        "resourceType": "StatusList2021Revocation",
        "mediaType": "application/json",
        "created": "2022-09-16T11:15:52Z",
        "checksum": "0f503dfbff29de9ac74fd07f1720ba560eb388e28062367884890c311736ec9d",
        "previousVersionId": "",
        "nextVersionId": "6922ae19-777e-4e05-8b10-8a2f0a2d418d"
      },
      {
        "resourceURI": "did:cheqd:testnet:zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY/resources/6922ae19-777e-4e05-8b10-8a2f0a2d418d",
        "resourceCollectionId": "zGgLTsq96mTsFcFBUCxX6k4kc5i5RNpY",
        "resourceId": "6922ae19-777e-4e05-8b10-8a2f0a2d418d",
        "resourceName": "ExampleStatusList2021",
        "resourceType": "StatusList2021Revocation",
        "mediaType": "application/json",
        "created": "2022-10-16T09:04:17Z",
        "checksum": "0f503dfbff29de9ac74fd07f1720ba560eb388e28062367884890c311736ec9d",
        "previousVersionId": "4a71319b-00b1-4db9-bc05-56dc426f7062",
        "nextVersionId": ""
      }
    ]
  }
}

Create a DID-Linked Resource

Follow these instructions to create a new DID-Linked Resource on cheqd mainnet or testnet.

⚠️ Before you begin...
Make sure you've correctly configured the cheqd plugin's agent settings for Veramo CLI

Instructions

1. Create a DID

Follow this tutorial to generate keys and create a DID.

2. Create your Resource content and save the file locally

DID-Linked Resources can be any type of file or content that is below ~200kb in size.

For the purpose of an example, lets use an AnonCreds schema (JSON file) as the resource:

{
  "name": "degreeSchema",
  "version": "1.5.7",
  "attrNames": ["name", "age", "degree", "grade"]
 }

Save this file locally and call it something like resource.json.

3. Create a UUID for the Resource

UUIDs are used to identify DID-Linked Resources. On Unix systems, the uuidgen tool can be used to generate a new UUID:

$ uuidgen
e7b662f8-d3f8-4a83-bd00-2cdcd6cc50ab

4. Choose an option for passing the resource that best suits you

Option 1: Passing resource as Base64

Prepare a file with resource and encode it into base64. On Unix systems, you can use the following command input:

$ base64 -w 0 resource.json
<path-to-the-resource-file>

Expected output:

$ base64 -w 0 resource.json
SGVsbG8sIHdvcmxk

You will need to paste the output of the Base64 into the data field of the payload.json file as shown in step 5.

Option 2: Passing resource as file

Once you have saved your Resource file locally, you can copy the path and enter it in the file field of the payload.json file as shown in step 5.

5. Prepare your payload file

Before carrying out a Resource transaction, you will need to prepare the payload.json file. This file can be saved wherever you choose, but the location must be specified in the create Resource command. (By default, it will be saved under the project root directory.)

Parameters

kms (default local): Key Management System (KMS) to be used for storage;
payload: Resource definition
- collectionId: The last fragment of the corresponding DIDDoc
- id: Use output from the previous step here
- name: Arbitrary human-readable string used to identify the resource
- resourceType: Resource type, such as CL-Schema, JSONSchema2020, etc
- version: (Optional) client-given resource version
- alsoKnownAs: (Optional) alternative URI(s) provided for the resource
- data: (Optional) base64 encoded data of resource file
signInputs: Keys used to sign the corresponding DIDDoc. These must match the ones specified in the DIDDoc, otherwise an error will be thrown
- verificationMethodId: Verification method ID from DIDDoc where key is published
- keyType should match values that you used to create the DIDDoc
- privateKeyHex should match values that you used to create the DIDDoc
file: (Optional) path to resource file
fee:
- amount: An array of coins, coins are represented as an object with 2 fields
  - denom: ncheq (smallest denomination classification)
  - amount: See section below on fees
- gas: Each transaction must specify the maximum amount of gas it may consume.
- payer (Optional): The cheqd fee payer address
- granter (Optional): The cheqd fee granter address, Provided the grantee has an allowance by the granter

The Payload file can include a Resource passed either as a file or a base64 encoded string:

Example Payload file for passing Resource as Base64 encoded string

{
    "kms": "local",
    "payload": {
        "collectionId": "d3e515cf-81af-40cb-9ac1-154827986d29", // unique ID of associated 'parent' DID
        "id": "e7b662f8-d3f8-4a83-bd00-2cdcd6cc50ab",
        "name": "TestResource",
        "resourceType": "JsonDocument",
        "version": "",
        "alsoKnownAs": [],
        "data": "SGVsbG8sIHdvcmxk" // note that the base64 encoded content is passed here
    },
    "network": "testnet",
    "signInputs": [{
        "verificationMethodId": "did:cheqd:testnet:d3e515cf-81af-40cb-9ac1-154827986d29#key-1",
        "keyType": "Ed25519",
        "privateKeyHex": "0f5c124886178037952e87e0cdc55d185732577fca19ae877e64ac9ab24a0cc534e5326e70f1a42d785d93048aee806c359ec75a7b06f39253befd1746708438"
    }],
    "fee": {
      "amount": [{
        "denom": "ncheq",
        "amount": "2500000000" // 2.5 CHEQ is the fixed fee for a JSON transaction
        }],
      "gas": "1000000",
      "payer": "cheqd1rnr5jrt4exl0samwj0yegv99jeskl0hsxmcz96" // must match the account set in the agent.yaml file
    }
}

Example Payload file for passing Resource as file

{
    "kms": "local",
    "payload": {
        "collectionId": "d3e515cf-81af-40cb-9ac1-154827986d29",
        "id": "e7b662f8-d3f8-4a83-bd00-2cdcd6cc50ab",
        "name": "TestResource",
        "resourceType": "JsonDocument"
        "version": "",
        "alsoKnownAs": []
    },
    "network": "testnet",
    "signInputs": [{
        "verificationMethodId": "did:cheqd:testnet:d3e515cf-81af-40cb-9ac1-154827986d29#key-1",
        "keyType": "Ed25519",
        "privateKeyHex": "0f5c124886178037952e87e0cdc55d185732577fca19ae877e64ac9ab24a0cc534e5326e70f1a42d785d93048aee806c359ec75a7b06f39253befd1746708438"
    }],
    "file": "/path/to/resource.json", // note that the resource passed as file is inputted here
    "fee": {
      "amount": [{
        "denom": "ncheq",
        "amount": "2500000000" // 2.5 CHEQ is the fixed fee for a JSON transaction
        }],
      "gas": "1000000",
      "payer": "cheqd1rnr5jrt4exl0samwj0yegv99jeskl0hsxmcz96" // must match the account set in the agent.yaml file
    }
}

6. Understanding Resource Fees

The maximum file size for a resource is roughly 46KB which may require a gas fee of up to 2000000.

The fee for a resource transaction changes depending on the file type being passed to the ledger. Currently there are three different variations on the fee:

JSON file

Within the payload file the amount should be specified as:

denom: ncheq
amount: 2500000000

This equates to 2.5 CHEQ.

Image file

Within the payload file the amount should be specified as:

denom: ncheq
amount: 10000000000

This equates to 10 CHEQ.

Note that images may also require a larger 'gas' fee of up to 2000000

Default (any other) file

Within the payload file the amount should be specified as:

denom: ncheq
amount: 5000000000

This equates to 5 CHEQ.

Note that transaction fees are paid by the cheqd account set in the agent.yml configuration file, setup here. If you do not specify a fee in the transaction, the ledger will automatically deduct the appropriate fee from the account set in youragent.yml configuration. Each of cheqd's on-ledger identity transactions has a fixed fee, the pricing for cheqd DIDs and DID-Linked Resources can be found here. If your account has insufficient balance the transaction will fail.

7. Create new DID-Linked Resource

veramo execute -m cheqdCreateLinkedResource --argsFile path/to/payload.json

If you do not specify the --argsFile in the previous step, you can also paste a JSON inline argument object by using the --argsJSON flag followed by the JSON payload.

Verifier pays Issuer

Paying an Issuer to unlock a Credential Status

A Verifier may need to pay an Issuer to unlock Status information about the presented Credential. Without meeting the payment conditions, the Verifier will not be able to ascertain whether the Credential has been revoked (or suspended) or not.

A Verifier can choose to make a payment to the Issuer if they want to obtain this extra Credential Status information to build a higher level of trust within the Credential presented to them.

Step 1: Locating Issuers' payment address and conditions

If a Verifier wants to unlock access to the Resource, to gain access to additional information about a Credential presented to them, such as the Credential Status, firstly, the Verifier will be presented Credential, including a link to the StatusList within the "credentialStatus" section of the Credential body.

Through following the link in"credentialStatus" section of the Credential body. the The Verifier will be directed to an on-ledger Resource, identifiable through a DID URL, for example:

This on-ledger Resource will contain:

An encrypted potion of the Resource, such as a Status List bitstring. identified by the "encodedList" property.
Unencrypted metadata about the Resource, including the issuers' payment address "feePayerAddress" and and the Payment Conditions, "feePaymentAmount" and "intervalInSeconds".

This gives the verifier requisite information they need in order to pay the Issuer to unlock the Credential Status. You can learn more about Access Control Conditions below.

Step 2: Pay the Issuer

Using one of cheqd's supported wallets, Verifiers can make a payment of the amount specified in the "feePaymentAmount" to the "feePayerAddress".

This payment should be made in CHEQ.

Note that the "feePaymentAmount" may be specified in ncheq. This is lowest denomination of the CHEQ token, "nano" CHEQ which is 1 x 10^-9 CHEQ.

Step 3: Constructing a payload to verify the Credential

Once the Verifier makes a payment of the specified amount in the payment conditions back to the Issuer, the Access Control Conditions will be met.

Note the "intervalInSeconds" which indicates how long after making the payment the Verifier has to verify the Credential.

The Verifier should input the presented Credential into a payload file, including the parameter:

"fetchList": true

This indicates that the Verifier wants to claim that they have met the Access Control Conditions, and for the nodes to query whether the Access Control Condition has been met. For example:

Example Request Format

{
    "credential": {
        "credentialSubject": {
            "name": "eengineer1",
            "id": "did:key:z6MkvG4dpKVpYwYqnwcjRdw8VZ3km4Sisgxm1igaPCFzskxe"
        },
        "issuer": {
            "id": "did:cheqd:testnet:322761ea-587d-454a-a955-745200301b99"
        },
        "type": [
            "VerifiableCredential"
        ],
        "credentialStatus": {
            "id": "https://resolver.cheqd.net/1.0/identifiers/did:cheqd:testnet:322761ea-587d-454a-a955-745200301b99?resourceName=revocation-list-encrypted-inverse-timelock&resourceType=StatusList2021Revocation#79444",
            "type": "StatusList2021Entry",
            "statusPurpose": "revocation",
            "statusListIndex": "79444"
        },
        "@context": [
            "https://www.w3.org/2018/credentials/v1",
            "https://veramo.io/contexts/profile/v1",
            "https://w3id.org/vc-status-list-2021/v1"
        ],
        "issuanceDate": "2023-06-30T10:04:01.000Z",
        "proof": {
            "type": "JwtProof2020",
            "jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vdmVyYW1vLmlvL2NvbnRleHRzL3Byb2ZpbGUvdjEiLCJodHRwczovL3czaWQub3JnL3ZjLXN0YXR1cy1saXN0LTIwMjEvdjEiXSwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCJdLCJjcmVkZW50aWFsU3ViamVjdCI6eyJuYW1lIjoiZWVuZ2luZWVyMSJ9LCJjcmVkZW50aWFsU3RhdHVzIjp7ImlkIjoiaHR0cHM6Ly9yZXNvbHZlci5jaGVxZC5uZXQvMS4wL2lkZW50aWZpZXJzL2RpZDpjaGVxZDp0ZXN0bmV0OjMyMjc2MWVhLTU4N2QtNDU0YS1hOTU1LTc0NTIwMDMwMWI5OT9yZXNvdXJjZU5hbWU9cmV2b2NhdGlvbi1saXN0LWVuY3J5cHRlZC1pbnZlcnNlLXRpbWVsb2NrJnJlc291cmNlVHlwZT1TdGF0dXNMaXN0MjAyMVJldm9jYXRpb24jNzk0NDQiLCJ0eXBlIjoiU3RhdHVzTGlzdDIwMjFFbnRyeSIsInN0YXR1c1B1cnBvc2UiOiJyZXZvY2F0aW9uIiwic3RhdHVzTGlzdEluZGV4IjoiNzk0NDQifX0sInN1YiI6ImRpZDprZXk6ejZNa3ZHNGRwS1ZwWXdZcW53Y2pSZHc4Vloza200U2lzZ3htMWlnYVBDRnpza3hlIiwibmJmIjoxNjg4MTE5NDQxLCJpc3MiOiJkaWQ6Y2hlcWQ6dGVzdG5ldDozMjI3NjFlYS01ODdkLTQ1NGEtYTk1NS03NDUyMDAzMDFiOTkifQ.fWCayAbmL4qivVfMz97o6tEFN2W411OFaF3wgZAb5gqoBkJ1uoV2Cp_31LI60ehSPXcDXiIUmDJbFP3S8bnNDg"
        }
    },
    "fetchList": true
}

Step 4: Submitting the Credential verify transaction

Using the Veramo CLI. Verifiers can submit the following transaction, alongside the payload file to verify the Credential:

veramo execute -m cheqdVerifyCredential --argsFile path/to/payload.json

If successful, the Verifier will obtain the keys to decrypt the Status List and access the Credential Status information. The Verifier will receive a response indicating whether the Credential:

Is verified and untampered
Has been revoked (or suspended) or not

Example Response Format

Result : {
  "verified": true,
  "payload": {
    "vc": {
      "@context": [
        "https://www.w3.org/2018/credentials/v1",
        "https://veramo.io/contexts/profile/v1",
        "https://w3id.org/vc-status-list-2021/v1"
      ],
      "type": [
        "VerifiableCredential"
      ],
      "credentialSubject": {
        "name": "tweeddalex"
      },
      "credentialStatus": {
        "id": "https://resolver.cheqd.net/1.0/identifiers/did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404?resourceName=testing-payment-rails&resourceType=StatusList2021Revocation#123979",
        "type": "StatusList2021Entry",
        "statusPurpose": "revocation",
        "statusListIndex": "123979"
      }
    },
    "sub": "did:key:z6MkvG4dpKVpYwYqnwcjRdw8VZ3km4Sisgxm1igaPCFzskxe",
    "nbf": 1692322793,
    "iss": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404"
  },
  "didResolutionResult": {
    "didDocumentMetadata": {
      "created": "2023-08-17T08:26:26Z",
      "versionId": "c9fed6ca-22c5-4656-af06-dcfe41e4b3b5",
      "linkedResourceMetadata": [
        {
          "resourceURI": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404/resources/08990db4-b759-4b7b-bd9b-823ccddbab83",          "resourceCollectionId": "cc8e5d9f-05f8-4f09-93c5-b9dba4b45404",
          "resourceId": "08990db4-b759-4b7b-bd9b-823ccddbab83",
          "resourceName": "testing-payment-rails",
          "resourceType": "StatusList2021Revocation",
          "mediaType": "application/json",
          "resourceVersion": "2023-08-17T08:39:47.206Z",
          "created": "2023-08-17T08:39:52Z",
          "checksum": "3a505b5902a797c892a1e88e4bc086067f292df65b3b2c63b404f6f4c2d84e02",
          "previousVersionId": null,
          "nextVersionId": "fa9ff872-64c3-4045-95fb-bba50b25fcc1"
        },
        {
          "resourceURI": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404/resources/fa9ff872-64c3-4045-95fb-bba50b25fcc1",          "resourceCollectionId": "cc8e5d9f-05f8-4f09-93c5-b9dba4b45404",
          "resourceId": "fa9ff872-64c3-4045-95fb-bba50b25fcc1",
          "resourceName": "testing-payment-rails",
          "resourceType": "StatusList2021Revocation",
          "mediaType": "application/json",
          "resourceVersion": "2023-08-18T03:05:52.818Z",
          "created": "2023-08-18T03:05:54Z",
          "checksum": "9c8a18e451366cc4518c6a6db99d24705e3a15fd2b127b3ece89a7749adb2935",
          "previousVersionId": "08990db4-b759-4b7b-bd9b-823ccddbab83",
          "nextVersionId": null
        }
      ]
    },
    "didResolutionMetadata": {
      "contentType": "application/did+ld+json",
      "retrieved": "2023-08-18T03:06:40Z",
      "did": {
        "didString": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404",
        "methodSpecificId": "cc8e5d9f-05f8-4f09-93c5-b9dba4b45404",
        "method": "cheqd"
      }
    },
    "didDocument": {
      "@context": [
        "https://www.w3.org/ns/did/v1",
        "https://w3id.org/security/suites/jws-2020/v1"
      ],
      "id": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404",
      "controller": [
        "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404"
      ],
      "verificationMethod": [
        {
          "id": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404#key-1",
          "type": "JsonWebKey2020",
          "controller": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404",
          "publicKeyJwk": {
            "crv": "Ed25519",
            "kty": "OKP",
            "x": "BikmGt6Jjtpk0qCXjzhYI3ZwEL9JxgQXetg33seTPxY"
          }
        }
      ],
      "authentication": [
        "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404#key-1"
      ]
    },
    "@context": "https://w3id.org/did-resolution/v1"
  },
  "issuer": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404",
  "signer": {
    "id": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404#key-1",
    "type": "JsonWebKey2020",
    "controller": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404",
    "publicKeyJwk": {
      "crv": "Ed25519",
      "kty": "OKP",
      "x": "BikmGt6Jjtpk0qCXjzhYI3ZwEL9JxgQXetg33seTPxY"
    }
  },
  "jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vdmVyYW1vLmlvL2NvbnRleHRzL3Byb2ZpbGUvdjEiLCJodHRwczovL3czaWQub3JnL3ZjLXN0YXR1cy1saXN0LTIwMjEvdjEiXSwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCJdLCJjcmVkZW50aWFsU3ViamVjdCI6eyJuYW1lIjoidHdlZWRkYWxleCJ9LCJjcmVkZW50aWFsU3RhdHVzIjp7ImlkIjoiaHR0cHM6Ly9yZXNvbHZlci5jaGVxZC5uZXQvMS4wL2lkZW50aWZpZXJzL2RpZDpjaGVxZDp0ZXN0bmV0OmNjOGU1ZDlmLTA1ZjgtNGYwOS05M2M1LWI5ZGJhNGI0NTQwND9yZXNvdXJjZU5hbWU9dGVzdGluZy1wYXltZW50LXJhaWxzJnJlc291cmNlVHlwZT1TdGF0dXNMaXN0MjAyMVJldm9jYXRpb24jMTIzOTc5IiwidHlwZSI6IlN0YXR1c0xpc3QyMDIxRW50cnkiLCJzdGF0dXNQdXJwb3NlIjoicmV2b2NhdGlvbiIsInN0YXR1c0xpc3RJbmRleCI6IjEyMzk3OSJ9fSwic3ViIjoiZGlkOmtleTp6Nk1rdkc0ZHBLVnBZd1lxbndjalJkdzhWWjNrbTRTaXNneG0xaWdhUENGenNreGUiLCJuYmYiOjE2OTIzMjI3OTMsImlzcyI6ImRpZDpjaGVxZDp0ZXN0bmV0OmNjOGU1ZDlmLTA1ZjgtNGYwOS05M2M1LWI5ZGJhNGI0NTQwNCJ9.RPt5D021S0MzUscptUc0CZtK9a2sEvGYOkJkx0EO8xqQwTIQRfL7-Z-ZTbOo2OiHs-kDrXQ8SbTMf2yk1QR_Ag",
  "policies": {
    "expirationDate": true,
    "audience": true,
    "credentialStatus": false,
    "issuanceDate": true,
    "aud": true
  },
  "verifiableCredential": {
    "credentialSubject": {
      "name": "tweeddalex",
      "id": "did:key:z6MkvG4dpKVpYwYqnwcjRdw8VZ3km4Sisgxm1igaPCFzskxe"
    },
    "issuer": {
      "id": "did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404"
    },
    "type": [
      "VerifiableCredential"
    ],
    "credentialStatus": {
      "id": "https://resolver.cheqd.net/1.0/identifiers/did:cheqd:testnet:cc8e5d9f-05f8-4f09-93c5-b9dba4b45404?resourceName=testing-payment-rails&resourceType=StatusList2021Revocation#123979",
      "type": "StatusList2021Entry",
      "statusPurpose": "revocation",
      "statusListIndex": "123979"
    },
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://veramo.io/contexts/profile/v1",
      "https://w3id.org/vc-status-list-2021/v1"
    ],
    "issuanceDate": "2023-08-18T01:39:53.000Z",
    "proof": {
      "type": "JwtProof2020",
      "jwt": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9.eyJ2YyI6eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvMjAxOC9jcmVkZW50aWFscy92MSIsImh0dHBzOi8vdmVyYW1vLmlvL2NvbnRleHRzL3Byb2ZpbGUvdjEiLCJodHRwczovL3czaWQub3JnL3ZjLXN0YXR1cy1saXN0LTIwMjEvdjEiXSwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCJdLCJjcmVkZW50aWFsU3ViamVjdCI6eyJuYW1lIjoidHdlZWRkYWxleCJ9LCJjcmVkZW50aWFsU3RhdHVzIjp7ImlkIjoiaHR0cHM6Ly9yZXNvbHZlci5jaGVxZC5uZXQvMS4wL2lkZW50aWZpZXJzL2RpZDpjaGVxZDp0ZXN0bmV0OmNjOGU1ZDlmLTA1ZjgtNGYwOS05M2M1LWI5ZGJhNGI0NTQwND9yZXNvdXJjZU5hbWU9dGVzdGluZy1wYXltZW50LXJhaWxzJnJlc291cmNlVHlwZT1TdGF0dXNMaXN0MjAyMVJldm9jYXRpb24jMTIzOTc5IiwidHlwZSI6IlN0YXR1c0xpc3QyMDIxRW50cnkiLCJzdGF0dXNQdXJwb3NlIjoicmV2b2NhdGlvbiIsInN0YXR1c0xpc3RJbmRleCI6IjEyMzk3OSJ9fSwic3ViIjoiZGlkOmtleTp6Nk1rdkc0ZHBLVnBZd1lxbndjalJkdzhWWjNrbTRTaXNneG0xaWdhUENGenNreGUiLCJuYmYiOjE2OTIzMjI3OTMsImlzcyI6ImRpZDpjaGVxZDp0ZXN0bmV0OmNjOGU1ZDlmLTA1ZjgtNGYwOS05M2M1LWI5ZGJhNGI0NTQwNCJ9.RPt5D021S0MzUscptUc0CZtK9a2sEvGYOkJkx0EO8xqQwTIQRfL7-Z-ZTbOo2OiHs-kDrXQ8SbTMf2yk1QR_Ag"
    }
  },
  "revoked": false
}

This provides the Verifier the full information to make a trust decision, having paid the Issuer for the Credential Status information.