Verifiable Credential Rendering Methods

Draft Community Group Report

Latest published version:
https://www.w3.org/vc-render-method/
Latest editor's draft:
https://w3c-ccg.github.io/vc-render-method/
Editors:
Manu Sporny (Digital Bazaar)
Dmitri Zagidulin (MIT Digital Credentials Consortium)
Calvin Cheng (Government Technology Agency of Singapore)
Kyle Huang Junyuan (Government Technology Agency of Singapore)
Patrick St. Louis (Open Security and Identity)
Authors:
Manu Sporny (Digital Bazaar)
Dmitri Zagidulin (MIT Digital Credentials Consortium)
Calvin Cheng (Government Technology Agency of Singapore)
Kyle Huang Junyuan (Government Technology Agency of Singapore)
Patrick St. Louis (Open Security and Identity)
Feedback:
GitHub w3c-ccg/vc-render-method (pull requests, new issue, open issues)

Copyright © 2025 the Contributors to the Verifiable Credential Rendering Methods Specification, published by the Credentials Community Group under the W3C Community Contributor License Agreement (CLA). A human-readable summary is available.

Abstract

This specification describes mechanisms that can be used to represent a Verifiable Credential through a visual, auditory, or haptic medium. It covers rendering a Verifiable Credential to a physical document, digital image, screen reader, or braille output.

Status of This Document

This is a preview

Do not attempt to implement this version of the specification. Do not reference this version as authoritative in any way. Instead, see https://w3c-ccg.github.io/vc-render-method/ for the Editor's draft.

This specification was published by the Credentials Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups.

This is an experimental specification and is undergoing regular revisions. It is not fit for production deployment.

GitHub Issues are preferred for discussion of this specification.

1. Introduction

Rendering methods can be used when the issuer has a specific way that they want to express a verifiable credential to an observer through a visual, auditory, or haptic mechanism. For example, an issuer of an employee badge credential might want to include rich imagery of their corporate logo and specific placement of employee information in specific areas of the badge. They might also want to provide an audio read out of the important aspects of the badge for individuals that have accessibility needs related to their eyesight.

1.1 Terminology

The following terms are used to describe concepts in this specification.

claim
An assertion made about a subject.
credential
A set of one or more claims made by an issuer. The claims in a credential can be about different subjects.

Our definition of credential differs from, NIST's definitions of credential.

data minimization
The act of limiting the amount of shared data strictly to the minimum necessary to successfully accomplish a task or goal.
decentralized identifier
A portable URL-based identifier, also known as a DID, associated with an entity. These identifiers are most often used in a verifiable credential and are associated with subjects such that a verifiable credential itself can be easily ported from one credential repository to another without the need to reissue the credential. An example of a DID is did:example:123456abcdef.
default graph
The graph containing all claims that are not explicitly part of a named graph.
entity
Anything that can be referenced in statements as an abstract or concrete noun. Entities include but are not limited to people, organizations, physical things, documents, abstract concepts, fictional characters, and arbitrary text. Any entity might perform roles in the ecosystem, if it is capable of doing so. Note that some entities fundamentally cannot take actions, e.g., the string "abc" cannot issue credentials.
graph
A set of claims, forming a network of information composed of subjects and their relationship to other subjects or data. Each claim is part of a graph; this is either explicit in the case of named graphs, or implicit for the default graph.
holder
A role an entity might perform by possessing one or more verifiable credentials and generating verifiable presentations from them. A holder is often, but not always, a subject of the verifiable credentials they are holding. Holders store their credentials in credential repositories.
identity provider
An identity provider, sometimes abbreviated as IdP, is a system for creating, maintaining, and managing identity information for holders, while providing authentication services to relying party applications within a federation or distributed network. In this case the holder is always the subject. Even if the verifiable credentials are bearer credentials, it is assumed the verifiable credentials remain with the subject, and if they are not, they were stolen by an attacker. This specification does not use this term unless comparing or mapping the concepts in this document to other specifications. This specification decouples the identity provider concept into two distinct concepts: the issuer and the holder.
issuer
A role an entity can perform by asserting claims about one or more subjects, creating a verifiable credential from these claims, and transmitting the verifiable credential to a holder.
named graph
A graph associated with specific properties, such as verifiableCredential. These properties result in separate graphs that contain all claims defined in the corresponding JSON objects.
credential repository
A program, such as a storage vault or personal verifiable credential wallet, that stores and protects access to holders' verifiable credentials.
subject
A thing about which claims are made.
verifiable credential
A verifiable credential is a tamper-evident credential that has authorship that can be cryptographically verified. Verifiable credentials can be used to build verifiable presentations, which can also be cryptographically verified.
verifiable data registry
A role a system might perform by mediating the creation and verification of identifiers, keys, and other relevant data, such as verifiable credential schemas, revocation registries, issuer public keys, and so on, which might be required to use verifiable credentials. Some configurations might require correlatable identifiers for subjects. Some registries, such as ones for UUIDs and public keys, might just act as namespaces for identifiers.
verifiable presentation
A verifiable presentation is a tamper-evident presentation encoded in such a way that authorship of the data can be trusted after a process of cryptographic verification. Certain types of verifiable presentations might contain data that is synthesized from, but do not contain, the original verifiable credentials (for example, zero-knowledge proofs).
verification
The evaluation of whether a verifiable credential or verifiable presentation is an authentic and current statement of the issuer or presenter, respectively. This includes checking that: the credential (or presentation) conforms to the specification; the proof method is satisfied; and, if present, the status check succeeds. Verification of a credential does not imply evaluation of the truth of claims encoded in the credential.
verifier
A role an entity performs by receiving one or more verifiable credentials, optionally inside a verifiable presentation for processing. Other specifications might refer to this concept as a relying party.

1.2 Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY, MUST, OPTIONAL, RECOMMENDED, and REQUIRED in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

A conforming render method is any concrete expression of the data model that complies with the normative statements in this specification. Specifically, all relevant normative statements in Sections 2. Data Model and 3. Algorithms of this document MUST be enforced.

A conforming processor is any algorithm realized as software and/or hardware that generates or consumes a conforming render method. Conforming processors MUST produce errors when non-conforming documents are consumed.

This document also contains examples that contain JSON and JSON-LD content. Some of these examples contain characters that are invalid JSON, such as inline comments (//) and the use of ellipsis (...) to denote information that adds little value to the example. Implementers are cautioned to remove this content if they desire to use the information as valid JSON or JSON-LD.

2. Data Model

The following sections outline the data model that is used by this specification for rendering methods

2.1 The renderMethod Property

The renderMethod property is a reserved extension point in the Verifiable Credentials Data Model specification [VC-DATA-MODEL-2.0]. An issuer can utilize this property in a verifiable credential to express one or more preferred render methods.

renderMethod
The value of the renderMethod property MUST specify one or more rendering methods that can be used by software to express the verifiable credential using a visual, auditory, or haptic mechanism. Each renderMethod value MUST specify its type, for example, TemplateRenderMethod. The precise contents of each rendering hint is determined by the specific renderMethod type definition.

2.2 TemplateRenderMethod

When an issuer desires to specify template-based rendering instructions for a verifiable credential, they MAY add a renderMethod property that uses the data model described below.

Property Description
id An OPTIONAL string that follows the URL Standard and, when fetched, dereferences to a render template.
type A REQUIRED string that MUST be the value TemplateRenderMethod.
renderSuite A REQUIRED string that identifies the algorithms that are used for generating the concrete rendering.
name An OPTIONAL human-readable string that can be displayed to provide a hint to the type of rendering that will be performed. This property might be used in a graphical interface that enables an individual to select between multiple presentation modes.
description An OPTIONAL human-readable string that provides a more involved description than name of when the particular rendering might be useful.
renderProperty An OPTIONAL list of string values that each conform to the JavaScript Object Notation (JSON) Pointer syntax that specifies which properties from the verifiable credential are exposed when using this specific render method. If renderProperty is not provided, the entire verifiable credential is presumed to be shared when the render method is used.
template An OPTIONAL string or map that provides the template that will be used to perform the rendering. If the value is a string, it MUST be a URL. If the value is a map, it MUST conform to the following rules:
Property Description
id An REQUIRED string that follows the URL Standard and, when fetched, dereferences to a template such as an SVG or PDF file.
mediaType A RECOMMENDED string that identifies the media type for the id value as specified in Media Type Specifications and Registration Procedures.
digestMultibase An OPTIONAL multibase-encoded Multihash of the template file. The multibase value MUST be u (base64url-nopad) and the multihash value MUST be SHA-2 with 256-bits of output (0x12).
digestMultibase An OPTIONAL multibase-encoded Multihash of the render method referenced if id is specified. The multibase value MUST be u (base64url-nopad) and the multihash value MUST be SHA-2 with 256-bits of output (0x12).

The data model shown above is expressed in a verifiable credential in the example below.

Example 1: Usage of the render property by an issuer 
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://www.w3.org/ns/credentials/examples/v2",
    "https://w3id.org/vc/render-method/v1"
  ],
  "id": "http://example.edu/credentials/3732",
  "type": ["VerifiableCredential", "UniversityDegreeCredential"],
  "issuer": "https://example.edu/issuers/14",
  "validFrom": "2010-01-01T19:23:24Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "degree": {
      "type": "BachelorDegree",
      "name": "Bachelor of Science and Arts"
    }
  },
  "renderMethod": {
    "type": "TemplateRenderMethod",
    "renderSuite": "svg-mustache",
    "template": {
      "id": "https://example.edu/credential-templates/BachelorDegree",
      "mediaType": "image/svg+xml",
      "digestMultibase": "zQmerWC85Wg6wFl9znFCwYxApG270iEu5h6JqWAPdhyxz2dR",
      "renderProperty": [
        "/issuer", "/validFrom", "/credentialSubject/degree/name"
      ]
    }
  }
  
}

In the example above, the issuer has provided a Mustache-based SVG rendering template for a Bachelor's degree that will be filled in with specific information from the verifiable credential listed in renderProperty.

2.2.1 The svg-mustache Render Suite

The svg-mustache render suite uses the Mustache templating language to modify an SVG file, which is then used to render a visual representation of the verifiable credential.

In the example below, a fully embedded SVG file is used as the rendering template.

Example 2: Basic usage of the svg-mustache render suite 
{
  ...
  "renderMethod": {
    "type": "TemplateRenderMethod",
    "renderSuite": "svg-mustache",
    // the SVG file is embedded in the VC
    "template": "data:image/svg+xml;base64,Qjei89...3jZpW"
  }
}

The next example links to the SVG file on the Web and secures it against modification by using the digestMultibase property.

Example 3: A remotely hosted SVG file for an SVG render template 
{
...
"renderMethod": {
  "type": "TemplateRenderMethod",
  "renderSuite": "svg-mustache",
  "template": {
    // this SVG file is fetched from the Web
    "id": "https://degree.example/credential-templates/bachelors",
    "mediaType": "image/svg+xml",
    "digestMultibase": "zQmerWC85Wg6wFl9znFCwYxApG270iEu5h6JqWAPdhyxz2dR"
  }
}

The next example links to the rendering template on the Web and secures it using the digestMultibase property:

Example 4: A remotely hosted SVG render method 
{
...
"renderMethod": {
  // this render method is fetched from the Web
  "id": "https://degrees.example/bachelors-svg.jsonld",
  "mediaType": "application/ld+json",
  "type": "TemplateRenderMethod",
  "renderSuite": "svg-mustache",
  "digestMultibase": "zQmG270iEu5h6JqWAPdhyxz2dRerWC85Wg6wFl9znFCwYxAp"
}

2.2.2 The pdf-mustache Render Suite

The pdf-mustache render suite uses the Mustache templating language to modify a PDF file, which is then used to render a visual representation of the verifiable credential.

In the example below, a fully embedded PDF file is used as the rendering template.

Example 5: Basic usage of the pdf-mustache render suite 
{
  ...
  "renderMethod": {
    "type": "TemplateRenderMethod",
    "renderSuite": "pdf-mustache",
    // this PDF file is embedded in the VC
    "template": "data:application/pdf;base64,k309SK...pwK83b"
  }
}

The next example links to the PDF file on the Web and secures it against modification by using the digestMultibase property.

Example 6: Remotely hosted PDF file for a PDF rendering template 
{
...
"renderMethod": {
  "type": "TemplateRenderMethod",
  "renderSuite": "pdf-mustache",
  "template": {
    // this PDF file is fetched from the Web
    "id": "https://degree.example/bachelors.pdf",
    "mediaType": "application/pdf",
    "digestMultibase": "zQmznFCwYxApG270iEu5h6JqWAPdhyxz2dRerWC85Wg6wFl9"
  }
}

The next example links to the rendering template on the Web and secures it using the digestMultibase property:

Example 7: Remotely hosted PDF rendering template 
{
...
"renderMethod": {
  // this render method is fetched from the Web
  "id": "https://degrees.example/bachelors-pdf.jsonld",
  "type": "TemplateRenderMethod",
  "renderSuite": "pdf-mustache",
  "digestMultibase": "zQmEu5h6JqWAPdhyxmz2dRerWC85Wg6wFl9znFCwYxApG270"
}

2.2.3 The nfc Render Suite

The nfc render suite transmits a binary payload representing the verifiable credential over a wireless NFC connection.

In the example below, a fully embedded NFC payload is used as the rendering template, which only discloses the barcode identifier associated with the credential.

Example 8: Usage of the nfc render suite 
{
  ...
  "renderMethod": {
    "type": "TemplateRenderMethod",
    "renderSuite": "nfc",
    "name": "Tap to send",
    // the NFC payload is embedded
    "template": "data:application/octet-stream;base64,2QZkpQGDG...G8XJWnROcY4Biw",
    // only the barcode is transmitted over NFC
    "renderProperty": ["/credentialSubject/barcode"]
  }
  
}

2.3 OpenAttestationEmbeddedRenderer

OpenAttestationEmbeddedRenderer is used by an issuer to render a verifiable credential. The verifiable credential is rendered in HTML within an embedded <iframe> through a Template Renderer website referenced in the document. This arrangement allows for interactive selective disclosure using OpenAttestationMerkleProofSignature2018.

The Template Renderer is a web application embedded in an iframe. It renders verifiable credentials based on selected templates and must listen for specific messages from the Host application to facilitate the rendering process.

There currently exists a number of OpenAttestationEmbeddedRenderer issuers and decentralized renderer implementations.

When an issuer desires to specify an embedded rendering instructions for a verifiable credential, they MAY add a renderMethod property that uses the data model described below.

Property Description
id A URL that locates a website that implements the OpenAttestationEmbeddedRenderer Action API.
type The type property MUST be OpenAttestationEmbeddedRenderer.
renderName Name of the template used by the website specified by id to render the document. A different template can be used for the decentralized renderer to present a different HTML view of the verifiable credential.

The data model shown above is expressed in a verifiable credential in the example below.

Example 9: Usage of the renderMethod property by an issuer 
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://schemata.openattestation.com/com/openattestation/4.0/alpha-context.json"
  ],
  "type": ["VerifiableCredential", "OpenAttestationCredential"],
  "validFrom": "2021-03-08T12:00:00+08:00",
  "name": "Republic of Singapore Driving Licence",
  "issuer": {
    "id": "did:ethr:0xB26B4941941C51a4885E5B7D3A1B861E54405f90",
    "type": "OpenAttestationIssuer",
    "name": "Government Technology Agency of Singapore (GovTech)",
    "identityProof": { "identityProofType": "DNS-DID", "identifier": "example.openattestation.com" }
  },
  "credentialSubject": {
    "id": "urn:uuid:a013fb9d-bb03-4056-b696-05575eceaf42",
    "type": ["DriversLicense"],
    "name": "John Doe",
    "address": "123 Choa Chu Kang Road, Singapore 123456",
    "licenses": [
      {
        "class": "3",
        "description": "Motor cars with unladen weight <= 3000kg",
        "effectiveDate": "2013-05-16T00:00:00+08:00"
      },
      {
        "class": "3A",
        "description": "Motor cars with unladen weight <= 3000kg",
        "effectiveDate": "2013-05-16T00:00:00+08:00"
      }
    ]
  },
  "renderMethod": [{
    "id": "https://demo-renderer.opencerts.io",
    "type": "OpenAttestationEmbeddedRenderer",
    "rendererName": "GOVTECH_DEMO"
  }]
}

The verifiable credential specifies a decentralized renderer at https://demo-renderer.opencerts.io, using the template named GOVTECH_DEMO.

The decentralized renderer can support different templates that can provide different views of the verifiable credentials. Below are two renderings of the same verifiable credential using different templates.

Certificate Template
Figure 1 Certificate Template
Transcript Template
Figure 2 Transcript Template

2.3.1 Action API

The Host is the application that displays the document with the help of the Template Renderer. The Template Renderer MUST be a web application embedded within an iframe specified by renderMethod.id. It MUST communicate with the Host application using postMessage API to perform actions.

All actions follow the same structure. They are composed of type and payload:

  1. type indicates the kind of action being executed, for instance, RENDER_DOCUMENT means rendering a document. The type of an action is mandatory.
  2. payload indicates optional data associated to the type, for instance, the content of the document to render.

An open source reference implementation is available on GitHub.

The interaction between the Host and the Template Renderer is illustrated in the following diagram.

Sequence Diagram
Figure 3 Sequence Diagram
2.3.1.1 Host-to-Frame Actions

When the iframe is first displayed, the host sends commands to the iframe to render the document. The 4 types of actions supported are described below.

type payload action
GET_TEMPLATES 
{ type: "GET_TEMPLATES" }
 Obtain a list of templates supported by the renderer for the given document. The list of templates is returned from UPDATE_TEMPLATES call from the iframe.
SELECT_TEMPLATE 
{
  type: "SELECT_TEMPLATE",
  payload: "CUSTOM_TEMPLATE"
}
 Select the template to be used for rendering. It should be from the list returned by GET_TEMPLATES. If not found, a default template is used.
RENDER_DOCUMENT 
{
  type: "RENDER_DOCUMENT",
  payload: {
    document: {
      credentialSubject: ...,
      renderMethod: ...
    }
  }
}
 Render the verifiable credential inside the IFRAME using the selected template. Document is JSON object form of the verifiable credential.
PRINT 
{ type: "PRINT" }
 MUST show the print dialog so the contents of the IFRAME can be printed.
2.3.1.2 Frame-to-Host Actions

These are used by the iframe to update the host to make adjustments on formatting, or selective redaction.

type payload action
OBFUSCATE 
{
  type: "OBFUSCATE",
  payload: "a[0].b.c",
}
 This is used for selective redaction. The Host is informed of the path of the field that has been obfuscated so that the host can create an updated version of the document with the selected field obfuscated.
UPDATE_HEIGHT 
{
  type: "UPDATE_HEIGHT",
  payload: 150,
}
 Notify the Host of the height of the embedded iframe in pixels so the Host can adjust the size on the browser.
UPDATE_TEMPLATES 
{
  type: "UPDATE_TEMPLATES",
  payload: [
    {
      id: "template1",
      label: "template1",
    },
    {
      id: "template2",
      label: "template2",
    }
  ]
}
 Notify the Host of the list of template names that are usable from RENDER_METHOD, or GET_TEMPLATES calls.

3. Algorithms

The following sections outline the algorithms that is used by this specification for rendering methods.

3.1 Render (TemplateRenderMethod)

The following algorithm is used to transform the SVG image template into the final SVG image that is displayed. The inputs to the algorithm are the verifiable credential (verifiableCredential) and the SVG image source code (svgImage). The output is a SVG image.

  1. Generate a map, replacementMap, by finding all strings in svgImage that start with {{ (double open braces) and end with }} (double close braces). For each string, templateKey, that is found:
    1. Generate another string, templateValue, by evaluating the value of templateKey (without the opening or closing braces) using the JSON Pointer [RFC6901] algorithm with the verifiableCredential as input to the algorithm. If the evaluation is null, set templateValue to the empty string.
    2. Set a key in replacementMap by using templateKey and associate it with templateValue.
  2. For every key in replacementMap, replace each corresponding string in svgImage that matches the key with the associated value in the replacementMap.

4. Security Considerations

Issue 1: Summary of Security Considerations

The list of security considerations listed below need to be converted into sections:

5. Privacy Considerations

Issue 2: Summary of Privacy Considerations

The list of privacy considerations listed below need to be converted into sections:

6. Internationalization Considerations

Issue 3: Summary of Internationalization Considerations

The list of internationalization considerations listed below need to be converted into sections:

A. References

A.1 Normative references

[infra]
Infra Standard. Anne van Kesteren; Domenic Denicola. WHATWG. Living Standard. URL: https://infra.spec.whatwg.org/
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC6838]
Media Type Specifications and Registration Procedures. N. Freed; J. Klensin; T. Hansen. IETF. January 2013. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc6838
[RFC6901]
JavaScript Object Notation (JSON) Pointer. P. Bryan, Ed.; K. Zyp; M. Nottingham, Ed. IETF. April 2013. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6901
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[URL]
URL Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://url.spec.whatwg.org/
[VC-DATA-MODEL-2.0]
Verifiable Credentials Data Model v2.0. Ivan Herman; Michael Jones; Manu Sporny; Ted Thibodeau Jr; Gabe Cohen. W3C. 15 May 2025. W3C Recommendation. URL: https://www.w3.org/TR/vc-data-model-2.0/