Construct a VC JSON-LD document with @context including https://www.w3.org/ns/credentials/v2, type array including 'VerifiableCredential' and a specific credential type, issuer (DID or URL), validFrom, credentialSubject with id and claims.
Sign the VC using a supported proof method: for JWT-based VCs, encode as a JWT with vc claim (compact serialization); for JSON-LD Data Integrity proofs, use a cryptosuite such as ecdsa-rdfc-2019 or eddsa-rdfc-2022.
For Data Integrity proofs, generate a proof document with type, cryptosuite, created, verificationMethod (DID URL pointing to the signing key), proofPurpose ('assertionMethod'), and proofValue (base58btc or multibase-encoded signature).
To verify, resolve the issuer DID to obtain the DID Document, dereference the verificationMethod to get the public key, and verify the signature over the canonicalized VC document.
Check validFrom <= now <= validUntil (if present), confirm the issuer is trusted for the credential type, and check revocation status via credentialStatus if included.
Known gotchas
VC Data Model 2.0 replaced validFrom/validUntil for the deprecated issuanceDate/expirationDate from v1.1; mixing v1 and v2 context causes JSON-LD processing errors.
JSON-LD canonicalization (RDF Dataset Normalization, RDNA) is required for Data Integrity proofs; signing or verifying raw JSON (without canonicalization) produces an invalid proof.
DID resolution must be performed at verification time using a trusted resolver; caching DID Documents without respecting cache-control may cause verification to succeed with a revoked key.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp