
8. Credentials & wallet

Beyond ordinary profile chips, Ditto Up issues and accepts W3C Verifiable Credentials (Open Badges v3 compatible). This is the cryptographic, portable form of "I hold this skill / certification / license" — provable to any third party who knows where to look, even if the platform that issued it disappears.


8.1 What is a verifiable credential?

A verifiable credential (VC) is a small JSON document that says:

  • Who it is about (the "subject" — you).
  • What is being attested (a skill, course completion, license, accomplishment).
  • Who issued it.
  • When it was issued and when, if ever, it expires.
  • A cryptographic signature from the issuer.

Anyone, anywhere, can verify the signature without contacting the issuer. That is what makes it different from a row in a database or a PDF certificate — the proof travels with the credential.

Ditto Up is built around the W3C VC Data Model and is integrating Open Badges v3 (which is itself a profile of the W3C VC standard). The current build uses DIDKit by Spruce (Apache 2.0) under the hood, with did:web for issuers and did:key for holders, and AWS KMS-managed keys.

You don't need to know any of that to use it — you just see "Verified" badges on your profile and can export them. But the standards are open, so any other VC-aware platform can read what we issue.


8.2 The DID document

Every issuer in the W3C system has a DID (Decentralized Identifier). Ditto Up's issuer DID is did:web:ditto-up.network and its DID document lives at the well-known URL:

/.well-known/did.json

The DID document publishes:

  • The platform's public key(s).
  • The verification methods used (e.g. Ed25519VerificationKey2020).
  • The endpoints for status checks and re-key rotation.

Any tool implementing the W3C standard can fetch this document and verify any credential we issue. You don't normally need to look at it directly, but it is a public artifact.
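For readers who want to see how a verifier gets from the issuer DID to that URL, here is an added example (not Ditto Up's own code) of the did:web mapping, with the checks a verifier should make before fetching anything. It goes slightly beyond the single case above by also handling did:web identifiers with a path or a port. The host `example.com` and the key fragment `#key-1` used in the checks are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import unquote

HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")

def did_web_to_url(did: str) -> str:
    """Return the HTTPS URL where a did:web DID document is published."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web identifier")
    ident = did[len("did:web:"):]
    if not ident or any(c in ident for c in "/?#"):
        raise ValueError("expected a bare DID, not a DID URL")
    segments = ident.split(":")
    # First segment is the host; an optional port is percent-encoded (%3A).
    host, sep, port = unquote(segments[0]).partition(":")
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host name")
    if sep and not (port.isdigit() and 0 < int(port) < 65536):
        raise ValueError("invalid port")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what did:web requires
    else:
        raise ValueError("did:web must name a domain, not an IP address")
    # Remaining segments become URL path components. This example is
    # deliberately strict and rejects dot segments and percent-encoding.
    path = segments[1:]
    if any(p in ("", ".", "..") or "%" in p for p in path):
        raise ValueError("invalid path segment")
    authority = f"{host}:{port}" if sep else host
    if path:
        return f"https://{authority}/{'/'.join(path)}/did.json"
    return f"https://{authority}/.well-known/did.json"

def key_belongs_to_issuer(issuer_did: str, verification_method: str) -> bool:
    """A proof's verificationMethod should be a key ID under the issuer's DID."""
    did, sep, fragment = verification_method.partition("#")
    return bool(sep and fragment) and did == issuer_did
```

The second function is a basic pre-check: a credential whose proof names a key under a different DID than its `issuer` should be rejected before any signature maths is attempted.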


8.3 Viewing one of your credentials

When the platform issues a verifiable credential to you (for example, after an employer signs off a VBQ-graded skill, or after you complete a tracked training course), it shows up:

  1. In the Credentials tab on your profile.
  2. As a small "Verified" badge next to the relevant term chip on the public profile.
  3. In your notifications.

To open the credential viewer:

/credentials/<credential_uuid>/

The viewer shows:

  • The subject (you), the issuer, the type of credential, the term it relates to.
  • Issue date and expiry (if any).
  • The signed JSON-LD payload.
  • A Verify now button that re-runs the signature check.
  • Buttons for export and a one-click public link.

8.4 JSON-LD export

To download the raw signed JSON-LD for a single credential:

/credentials/<credential_uuid>/json

The response is an application/vc+ld+json document conforming to the W3C VC Data Model 2.0. Drop the file into any wallet (Spruce Credible, Microsoft Authenticator's verifiable-credentials feature, the Lissi wallet, etc.) and it will be readable.

This is what you would attach to an email if a third party asked for proof of a specific credential.


8.5 Public verification page

For a third party who doesn't want to install a wallet, every credential also has a public verification URL:

/credentials/<credential_uuid>/verify

The page shows:

  • A green ✅ if the signature, issuer key and revocation status all check out.
  • A red ⚠ otherwise, with the specific reason (signature mismatch, key rotated without re-issue, credential revoked, etc.).
  • The credential's structured contents in human-readable form.

Anyone can open this URL — sharing it does not expose any other private information. It is the simplest "show me you really have X" link.


8.6 Credential status (revocation lists)

Some credentials need to be revocable — for example, a license that was suspended, or a course completion that was challenged. Ditto Up implements this with status lists (a W3C standard, formerly known as Revocation List 2020, now StatusList 2021).

To check whether a credential is currently active:

/credentials/status/<list_id>

The endpoint returns a small bit-string. Each credential carries an index into the list; if the bit at that index is set, the credential is revoked. If you use a wallet that supports status checks, this lookup happens automatically every time you present the credential.

You'll see a red Revoked badge in the Credentials tab if any of yours has been revoked.
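The lookup a wallet performs, as an added example (not Ditto Up's own code). It assumes the list is delivered in the StatusList 2021 form: a status list credential whose `credentialSubject.encodedList` is a GZIP-compressed, base64url-encoded bitstring. The exact response shape of the endpoint above is not documented on this page, so the list URL and sample data below are constructed.

```python
import base64
import gzip
import zlib

MAX_LIST_BYTES = 1 << 20  # cap on decompressed size, guards against gzip bombs

def decode_list(encoded_list: str) -> bytes:
    """Undo base64url + GZIP, the encoding StatusList 2021 uses for its bitstring."""
    raw = base64.urlsafe_b64decode(encoded_list + "=" * (-len(encoded_list) % 4))
    out = zlib.decompressobj(wbits=31).decompress(raw, MAX_LIST_BYTES + 1)
    if len(out) > MAX_LIST_BYTES:
        raise ValueError("status list too large")
    return out

def bit_is_set(bits: bytes, index: int) -> bool:
    """Index 0 is the left-most (most significant) bit of the first byte."""
    if not 0 <= index < len(bits) * 8:
        raise IndexError("statusListIndex outside the list")
    return bool(bits[index // 8] & (0x80 >> (index % 8)))

def is_revoked(credential: dict, status_list_vc: dict) -> bool:
    """Verify the status list credential's own proof before calling this."""
    entry = credential["credentialStatus"]
    subject = status_list_vc["credentialSubject"]
    if entry["type"] != "StatusList2021Entry" or subject["type"] != "StatusList2021":
        raise ValueError("not a StatusList2021 pair")
    if entry["statusListCredential"] != status_list_vc["id"]:
        raise ValueError("credential points at a different status list")
    if entry["statusPurpose"] != subject["statusPurpose"]:
        raise ValueError("status purpose mismatch")
    return bit_is_set(decode_list(subject["encodedList"]), int(entry["statusListIndex"]))

def sample_pair(index: int, revoked: set) -> tuple:
    """Constructed test data: a 131072-bit list and a credential at `index`."""
    bits = bytearray(131072 // 8)
    for i in revoked:
        bits[i // 8] |= 0x80 >> (i % 8)
    encoded = base64.urlsafe_b64encode(gzip.compress(bytes(bits))).decode().rstrip("=")
    url = "https://issuer.example/credentials/status/3"  # placeholder list URL
    status_vc = {"id": url, "credentialSubject": {
        "type": "StatusList2021", "statusPurpose": "revocation", "encodedList": encoded}}
    cred = {"credentialStatus": {
        "type": "StatusList2021Entry", "statusPurpose": "revocation",
        "statusListIndex": str(index), "statusListCredential": url}}
    return cred, status_vc
```

The cross-checks in `is_revoked` matter as much as the bit test: a verifier that reads the right index from the wrong list, or from a list published for a different purpose, will report a revoked credential as active.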


8.7 Wallet export

To export everything — every credential you hold, your public DID, your encrypted holder keys — as a portable wallet file:

/wallet/export

This produces a single .jsonl (or zip of .json per credential) you can import into any standards-aware wallet. The contents include:

  • Every active and historical verifiable credential issued to you.
  • Your holder DID (did:key:...) so the wallet can prove the credentials are yours.
  • Your encrypted private key (custodial software-encrypted by default; see security note below).

The export does not include your messages, profile or non-credentialed data — only the W3C-standard credential payloads.

Security note. Holder keys are currently custodial — Ditto Up holds the encrypted private key on your behalf. This is the standard approach for v1 because it keeps the user experience simple and prevents the most common credential-loss disaster (lost private key = unrecoverable wallet). A self-custody mode is on the roadmap.


8.8 Importing credentials from other issuers

If you have a credential issued elsewhere (an Open Badge v3, a Microsoft VC, etc.) and you want it to surface on your Ditto Up profile:

  1. Open /candidate-settings → Credentials → Import.
  2. Upload the JSON-LD file or paste a URL.
  3. The platform fetches the issuer's DID document, verifies the signature and binds the credential to a term in our marketplace.

If we recognise the issuer (Credential Engine, Open Badges, IMS Global, etc.), the credential is automatically linked to the corresponding term on the term graph. If we don't, the credential is shown but not linked — you can manually pick a term match from a dropdown.

Imported credentials are read-only and stored alongside Ditto-Up-issued ones in the same wallet.


8.9 Open Badges v3 compatibility

Open Badges v3 is the IMS Global standard for educational and professional micro-credentials, built directly on top of W3C VCs. The compatibility surface:

  • Every credential we issue includes the Open Badges JSON-LD context.
  • The type array includes both VerifiableCredential and OpenBadgeCredential.
  • The credentialSubject.achievement block follows the OB v3 Achievement schema (name, description, criteria, alignment).
  • The status method is StatusList 2021 (compatible with both standards).

This means an Open-Badges-v3-aware tool (like Concentric Sky's Badgr or any LRS that speaks OBv3) will read our credentials without translation.


8.10 Credential lifecycle on the platform

The end-to-end flow when a credential is issued to you:

  1. Trigger — an event that earns a credential. Examples:
    • Employer signs off your VBQ score for a term, choosing Issue verifiable credential.
    • You complete a tracked training course (post type Training) that the issuer has configured to mint a credential.
    • A platform admin manually issues one (rare, used for migrations or special cases).
  2. Construction — the platform builds the JSON-LD claim, attaches the issuer's did:web and a fresh proof.
  3. Signing — the proof is signed via DIDKit using a platform-managed key in AWS KMS.
  4. Storage — the credential is stored against your account and indexed against the related term.
  5. Notification — you get a notification ("New verified credential: <term name> from <issuer>").
  6. Display — the term chip on your profile gains a Verified badge that links to the verification page.

If a credential is later revoked, the status-list bit is flipped, the chip's badge turns red and a notification is sent. Revocation is logged on your side but the original credential file is not deleted — anyone who saved it can still verify and see the revocation.


Next: 9. Account & privacy — visibility, settings, deletion, and everything else about your account.
