Construct the credential JSON-LD document with the required fields: @context including https://www.w3.org/ns/credentials/v2, type including 'VerifiableCredential', issuer, validFrom, credentialSubject
Generate an ECDSA P-256 key pair for the issuer; publish the public key as a verification method in the issuer's DID document under an assertionMethod relationship
Produce the proof using the ecdsa-rdfc-2022 or ecdsa-jcs-2022 cryptosuite: canonicalize the document (RDFC-1.0 for rdfc variant), hash with SHA-256, sign with ECDSA, and base58btc-encode the proofValue
Attach the proof object to the credential with type 'DataIntegrityProof', cryptosuite, created, verificationMethod (DID URL), proofPurpose 'assertionMethod'
For verification, resolve the DID, fetch the verification method's public key, canonicalize the credential minus the proof, recompute the hash, and verify the ECDSA signature
Validate the credential's validFrom/validUntil dates and optionally check the credentialStatus using BitstringStatusList 2021 or the newer status mechanism
Known gotchas
VC Data Model 2.0 was published as a W3C Recommendation on 15 May 2025; it replaces the issuanceDate field (from v1.1) with validFrom — implementations that still emit issuanceDate are non-conformant with v2.0
JSON-LD context expansion is required before canonicalization; including an incorrect or missing context term will produce a different canonical form and a signature that fails verification
SD-JWT VC (RFC 9901 + draft-ietf-oauth-sd-jwt-vc) and VC Data Model 2.0 with Data Integrity are separate credential formats with different verification flows — do not mix their verification logic
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp