Verifiable Credentials Use Cases

W3C Editor's Draft 30 May 2024

More details about this document
This version:
https://w3c.github.io/vc-use-cases/
Latest published version:
https://www.w3.org/TR/vc-use-cases/
Latest editor's draft:
https://w3c.github.io/vc-use-cases/
History:
https://www.w3.org/standards/history/vc-use-cases/
Commit history
Editors:
Shane McCarron ( Spec-Ops )
Joe Andrieu ( Legendary Requirements )
Matt Stone ( The Brightlink )
Tzviya Siegman ( Wiley )
Gregg Kellogg ( Spec-Ops )
Ted Thibodeau, Jr. ( OpenLink Software, Inc. )
Kevin Dean ( GS1 )
Authors:
Nate Otto ( Badge Alliance )
Sunny Lee ( Badge Alliance )
Brian Sletten ( Bosatsu Consulting, Inc. )
Daniel Burnett ( Standards Play )
Manu Sporny ( Digital Bazaar, Inc. )
Ken Ebert ( Sovrin Foundation )
Feedback:
GitHub w3c/vc-use-cases ( pull requests , new issue , open issues )

Copyright © 2024 2025 World Wide Web Consortium . W3C ® liability , trademark and permissive document license rules apply.

Abstract

A verifiable claim is a qualification, achievement, quality, or piece of information about an entity's background such as a name, government ID, payment provider, home address, or university degree. Such a claim describes a quality or qualities, property or properties of an entity which establish its existence and uniqueness. The use cases outlined here are provided in order to make progress toward possible future standardization and interoperability of both low- and high-stakes claims with the goals of storing, transmitting, and receiving digitally verifiable proof of attributes such as qualifications and achievements. The use cases in this document focus on concrete scenarios that the technology defined by the group should address.

Status of This Document

This is a preview

Do not attempt to implement this version of the specification. Do not reference this version as authoritative in any way. Instead, see https://w3c.github.io/vc-use-cases/ for the Editor's draft.

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.

This document represents a concise but limited collection of use cases readers should review alongside the Verifiable Credentials Data Model .

The work on this document was carried out under tight time constraints due to limitations of the W3C process and publishing deadlines. Under such conditions, errors are unavoidable and some of the ideas presented here are incomplete. The Working Group hopes that in the future, W3C process can be revised to better support the dynamic nature of standards work in a more consistent way across different groups.

Comments regarding this document are welcome. Please file directly on GitHub , or send them to public-vc-comments@w3.org ( subscribe , archives ).

This document was published by the Verifiable Credentials Working Group as an Editor's Draft.

Publication as an Editor's Draft does not imply endorsement by W3C and its Members.

This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the W3C Patent Policy . W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy .

This document is governed by the 03 November 2023 W3C Process Document .

1. Introduction

The Verifiable Claims Working Group at the W3C is developing standards for expressing and exchanging " claims " that have been verified by a third party and to make them easier and more secure on the Web.

Note
This document does NOT attempt to define an architecture for the support of Verifiable Claims. Instead it expresses the sorts of needs that real users have that could be addressed through support for some sort of self-sovereign claim environment. It attempts to use terminology that is consistent with the other deliverables of the Verifiable Claims Working Group (you can see the relevant terms in Appendix A).

1.1 Importance of this work

Entities (people, organizations, devices) need to make many kinds of claims as part of their everyday activities. As more and more of these important activities move to the Internet, entities need to be able to transmit instantly verifiable claims (e.g., about their location, accomplishments, value, what-have-you). From educational records to payment account access, the next generation of web applications will authorize entities to perform actions based on rich sets of credentials issued by trusted parties. Human- and machine-mediated decisions about job applications, account access, collaboration, and professional development will depend on filtering and analyzing growing amounts of data. It is essential that data be verifiable.

Standardization of digital claim technologies makes it possible for many stakeholders to issue, earn, and trust these essential records about their counterparties, without being locked into proprietary platforms.

1.2 Use case model

This document presents an aggregate use case model, composed of Needs, Roles, Tasks, and Sequences. Taken together, these models define the use cases that the Verifiable Claims Working Group has addressed.

User needs define the problem space addressed by verifiable credentials . User Roles specify the roles different entities play when interacting with verifiable credentials . Tasks define the functions users can accomplish, and sequences demonstrate how tasks might be realized, by interactions between entities over time.

As with all models, this use case model is neither exhaustive nor complete. The listed uses cannot capture all possible use cases. Similarly, the models do not completely characterize the use cases represented. However, the combined model is intended to provide specific, coherent guidance for the work ahead.

1.3 Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key word MUST in this document is to be interpreted as described in BCP 14 [ RFC2119 ] [ RFC8174 ] when, and only when, they appear in all capitals, as shown here.

2. User Roles

There are four roles supported by verifiable credentials : Issuer , Verifier , Subject , and Holder .

Verifiable Credential User Roles
Figure 1 Verifiable Credential User Roles
Issuer
The entity that creates a claim and associates it with a particular subject .
Verifier
The entity verifying a claim about a given subject .
Subject
The entity about whom a claim is issued.
Holder
A role an entity may perform by possessing one or more verifiable credentials . A holder is usually, but not always, the subject of the verifiable credentials that they are holding. Holders store their credentials in credential repositories .

3. User Needs

Verifiable credentials address user needs in a number of key domains:

Education
E.1 Digital Transcript
E.2 Taking a Test
E.3 Transferring Schools
E.4 Online Classes
Retail
R.1 Digital Transcript
R.2 Taking a Test
R.3 Transferring Schools
R.4 Bona-fide Shopper
Finance
F.1 Reuse Know
Your Customer
F.2 Money Transfer
F.3 Closing Account
F.4 Trying out a new service
F.5 New Bank
Account from Home
Healthcare
H.1 Prescribing
H.2 Online Pharmacy
H.3 Insurance Claim
H.4 Traveling Illness
H.5 Proving Legal
Disability Status
Professional Credentials
C.1 Find a Doctor
C.2 Busy Doctor
C.3 Bad University
C.4 New Employer
C.5 Social Authority
C.6 Job Applicant
Legal Identity
L.1 Digital Driver's License
L.2 Seamless Integration
L.3 Speedy Air Travel
L.4 Refugee Crisis
Devices
D.1 Devices
During Manufacturing
D.2 Devices During Delivery
D.3 Device setup for
operating autonomously
Figure 2 Verifiable Credentials, Example Domains for User Needs

3.1 Education

The education domain includes all levels of the educational experience; from primary through professional continuing education.

Error 

Cannot
GET
/uploads/HPpIoM/short/e1_digital_transcript.html

/uploads/kX2T4k/short/e1_digital_transcript.html
Error 

Cannot
GET
/uploads/HPpIoM/short/e2_taking_a_test.html

/uploads/kX2T4k/short/e2_taking_a_test.html
Error 

Cannot
GET
/uploads/HPpIoM/short/e3_transferring_schools.html

/uploads/kX2T4k/short/e3_transferring_schools.html
Error 

Cannot
GET
/uploads/HPpIoM/short/e4_online_classes.html

/uploads/kX2T4k/short/e4_online_classes.html

3.2 Retail

The retail domain encompasses all things where there is an exchange of value on an individual level. This includes brick-and-mortar store fronts, web-only venues, and even person-to-person sales.

Error 

Cannot
GET
/uploads/HPpIoM/short/r1_address-verification.html

/uploads/kX2T4k/short/r1_address-verification.html
Error 

Cannot
GET
/uploads/HPpIoM/short/r2_adult_beverages.html

/uploads/kX2T4k/short/r2_adult_beverages.html
Error 

Cannot
GET
/uploads/HPpIoM/short/r3_fraud_detection.html

/uploads/kX2T4k/short/r3_fraud_detection.html
Error 

Cannot
GET
/uploads/HPpIoM/short/r4_bona_fide_shopper.html

/uploads/kX2T4k/short/r4_bona_fide_shopper.html

3.3 Finance

The Finance domain includes banking, brokerage, insurance, and other industries where there is a high value placed on knowing exactly with whom you are dealing.

Error 

Cannot
GET
/uploads/HPpIoM/short/f1_reuse_know_your_customer.html

/uploads/kX2T4k/short/f1_reuse_know_your_customer.html
Error 

Cannot
GET
/uploads/HPpIoM/short/f2_money_transfer.html

/uploads/kX2T4k/short/f2_money_transfer.html
Error 

Cannot
GET
/uploads/HPpIoM/short/f3_closing_account.html

/uploads/kX2T4k/short/f3_closing_account.html
Error 

Cannot
GET
/uploads/HPpIoM/short/f4_trying_out_a_new_service.html

/uploads/kX2T4k/short/f4_trying_out_a_new_service.html
Error 

Cannot
GET
/uploads/HPpIoM/short/f5_new_bank_account_from_home.html

/uploads/kX2T4k/short/f5_new_bank_account_from_home.html
<ins class="diff-chg"> Error </ins>

Cannot
GET
/uploads/kX2T4k/short/f6_proof_of_creditworthiness.html

3.4 Healthcare

Privacy is critically important in the healthcare industry. This domain looks at everything from physical interaction to connecting patients and providers with service organizations.

Error 

Cannot
GET
/uploads/HPpIoM/short/h1_prescribing.html

/uploads/kX2T4k/short/h1_prescribing.html
Error 

Cannot
GET
/uploads/HPpIoM/short/h2_online_pharmacy.html

/uploads/kX2T4k/short/h2_online_pharmacy.html
Error 

Cannot
GET
/uploads/HPpIoM/short/h3_insurance_claim.html

/uploads/kX2T4k/short/h3_insurance_claim.html
Error 

Cannot
GET
/uploads/HPpIoM/short/h4_traveling_illness.html

/uploads/kX2T4k/short/h4_traveling_illness.html
Error 

Cannot
GET
/uploads/HPpIoM/short/h5_proving_legal_disability_status.html

/uploads/kX2T4k/short/h5_proving_legal_disability_status.html

3.5 Professional Credentials

In many aspects of life it is important to know that entities are who they say they are, and that they can do what they say. Professional accreditation is one way of learning about the abilities of an entity . Being able to verify these credentials is essential to their value.

Error 

Cannot
GET
/uploads/HPpIoM/short/c1_find_a_doctor.html

/uploads/kX2T4k/short/c1_find_a_doctor.html
Error 

Cannot
GET
/uploads/HPpIoM/short/c2_busy_doctor.html

/uploads/kX2T4k/short/c2_busy_doctor.html
Error 

Cannot
GET
/uploads/HPpIoM/short/c3_bad_university.html

/uploads/kX2T4k/short/c3_bad_university.html
Error 

Cannot
GET
/uploads/HPpIoM/short/c4_new_employer.html

/uploads/kX2T4k/short/c4_new_employer.html
Error 

Cannot
GET
/uploads/HPpIoM/short/c5_social_authority.html

/uploads/kX2T4k/short/c5_social_authority.html
Error 

Cannot
GET
/uploads/HPpIoM/short/c6_job_applicant.html

/uploads/kX2T4k/short/c6_job_applicant.html

3.7 Devices

Intelligence devices are created and deployed so that they can interact with other entities (people, organizations, devices). Establishing trust and maintaining secure relationships with these devices is especially critical.

Error 

Cannot
GET
/uploads/HPpIoM/short/d1_devices_during_manufacturing.html

/uploads/kX2T4k/short/d1_devices_during_manufacturing.html
Error 

Cannot
GET
/uploads/HPpIoM/short/d2_devices_during_delivery.html

/uploads/kX2T4k/short/d2_devices_during_delivery.html
Error 

Cannot
GET
/uploads/HPpIoM/short/d3_devices_setup_for_operating_autonomously.html

/uploads/kX2T4k/short/d3_devices_setup_for_operating_autonomously.html

4. User Tasks

Use cases are often used as a driver for requirements. While the users of verifiable credentials have needs across many domains, the tasks associated with those needs span the domains. This section summarizes those tasks, as well as requirements related to the tasks, and maps the tasks and requirements back to the associated needs.

Note

It is worth noting that the subject may or may not be the same entity as the holder . There are no tasks in these examples that require participation of the subject .

Verifiable Credential User Tasks
Figure 3 Verifiable Credential User Tasks

4.1 Issue Claim

Requirement
It MUST be possible for any entity to issue a verifiable credential .
Motivation
Individuals and organizations need a way to issue claims about themselves or others that can be verified and trusted.
Needs
F.1 , E.1 , L.1 , H.1

4.2 Assert Claim

Requirement
It MUST be possible for the holder of a verifiable credential to restrict the amount of information exposed in a credential they choose to share. It also MUST be possible for the holder to limit the duration for which that information is shared.
Motivations
Credentials may be issued about a subject that include multiple attributes, only some of which are required when verifying a specific criteria is satisfied. The holder should have the ability to satisfy the criteria without revealing additional attributes that are not required.
Needs
R.2 , H.4

4.3 Verify Credential

Requirement
It is expected to be possible for a verifier to verify that the credential is an authentic statement of an issuer's claims about the subject . Verifiers MUST have the capability to cryptographically prove that a credential has not been tampered with since issuance (authenticity) and that the issuer continues to assert the claims as true (currency).

To check authenticity, the issuer's verification method(s), such as a public key, must be discoverable from the credential itself. It is expected that the issuer identifier either is itself cryptographically verifiable, or that it can be used to reliably discover the cryptographic material necessary to confirm that the content of a credential has not been changed since issuance. It is understood that verification depends on the verifier's acceptance of the robustness of the cryptographic mechanisms used for testing authenticity and for discovering verification methods. An untrusted verification method cannot be relied upon for verification.

Verifiers must also be able to inquire about the current status of a credential without revealing to the issuer
  1. The entity requesting that status
  2. The credential for which status is being checked
  3. The subject of the credential being checked
Requiring that verifiers perform this status check is what enables issuers to revoke, suspend, or otherwise moderate the status of the credential.

Similarly, if a discovery mechanism is used to retrieve verification methods for a given issuer, verifiers must be able to do so without revealing unnecessary information to the issuer.

In short, it must be possible to fully verify a credential without leaking usage data to the issuer or anyone else. This is to avoid the so-called "phone home" problem.
Motivations
In many environments (such as order processing), information — such as a payer's address, citizenship, or age — needs to be automatically verified to complete the transaction.

It MUST be possible to verify these in an automated fashion.
Needs
F.2 , C.1 , E.2 , R.1 , F.5 , H.2 , C.6

4.4 Validate Claim

Requirement
It MUST be possible for a verifier to check whether a given claim is appropriate for a particular use. That is, given a credential that is authentic and current, the verifier needs to interpret the claims in the context of their own 'business rules' concerning, for instance, which parties are acceptable authorities, and which cryptographic mechanisms are acceptable for what situations.
  1. Is the issuer someone we know?
  2. Are the claims made by this issuer appropriate for this particular issuer's authority?
  3. Is the holder's presentation an appropriate use of the credential?
The first and second questions will be answered because either the verifier already knows the public identifiers for the issuers it recognizes for specific claims, or there is a discovery mechanism whereby verifiers can find appropriate issuers given their business requirements.

The business rules may allow the use of certain credentials for specific situations, even when verification fails. For example, a suspended or expired professional license may be accepted by an employer as evidence of past experience without it being treated as a current qualification for roles that require that license. For this reason, current status (as part of verification) only deals with the status of the credential as maintained by the Issuer. Timeliness is the domain of validation.

It's important to note that the bounds of authority for a given issuer are specific claim types made by them and relied upon by others. While a region's DMV (Department of Motor Vehicles) or equivalent agency might be an acceptable authority for an individual's driving privilege, it should probably not be treated as authoritative for an individual's hair color or current address, even though DMVs regularly include such claims in today's driver's licenses.

Unlike verification, it may not always be possible to automate validation. Some use cases require human review before accepting a particular credential for a particular use. For example, a digital proof of age system might need a trusted human agent to visually compare the holder/presenter in real-space to a reference photo securely referenced in the VC, before accepting a credential as valid.
Motivations
Verifiers need to be able to apply their own policies and rules to the information they rely on to run their "business" (which we mean broadly, to encompass all activity focused towards a goal).

Given this need, any given VC might be verified but not usable in a particular situation. For example, a self-issued driver's license would likely not be acceptable for a car rental by most car rental agencies, even though the verification succeeds.

Even so, in other cases, such as at a go-cart racing facility, it may be entirely appropriate to accept the name and image from a self-issued license for the purpose of leaderboards, announcements, and correspondence.

These business rules are entirely the province of the verifier. Only after satisfying their rules should a verifier rely upon a claim as an accepted fact for specific use.
Needs
F.2 , C.1 , E.2 , R.1 , F.5 , H.2 , C.6

4.5 Store Claim

Requirement
It MUST be possible for the holder of a claim to store that claim in one or more credential repositories .
Motivation
A claim is under the control of its holder . That holder will choose where their claims are stored based upon a variety of factors (e.g., employer requirements, convenience, service levels, provider cost, business intelligence). The holder needs to be able to easily choose among various credential repositories , and also to be able to migrate their claims to another without requesting new claims from the claim issuer .
Needs
F.4 , E.3 , C.4

4.6 Retrieve Claim

Requirement
It MUST be possible for a holder to select if and which appropriate credential should be sent to a verifier .
Motivations
A verifier may require that a holder verify aspects of their suitability for a transaction. In this case, the holder must be able to select which, if any, verifiable credential stored with their credential repository is used to satisfy the verifier .
Needs
C.5 , E.4

4.7 Revoke Claim

Requirement
It MUST be possible for the issuer of a claim to revoke it, after which it will no longer satisfy verification procedures.
Motivation
An entity ( issuer ) discovers that a claim they have issued and are endorsing for an end user ( subject ), is no longer valid and wishes to revoke the issued claim.
Needs
F.3 , C.2 , C.3

5. Focal Use Cases

Focal Use Cases are meant to provide examples where a blend of features from verifiable credentials standard may be used together to solve complex or challenging marketplace needs.

Error 

Cannot
GET
/uploads/HPpIoM/focal/1_citizenship_by_parentage.html

/uploads/kX2T4k/focal/1_citizenship_by_parentage.html
Error 

Cannot
GET
/uploads/HPpIoM/focal/2_expert_dive_instructor.html

/uploads/kX2T4k/focal/2_expert_dive_instructor.html
Error 

Cannot
GET
/uploads/HPpIoM/focal/3_international_travel_with_minor_and_upgrade.html

/uploads/kX2T4k/focal/3_international_travel_with_minor_and_upgrade.html
Error 

Cannot
GET
/uploads/HPpIoM/focal/4_gs1_identification.html

/uploads/kX2T4k/focal/4_gs1_identification.html

6. Extant Use Cases

Extant Use Cases are illustrative of market adoption, i.e., examples of the use of verifiable credentials in real-world applications.

7. User Sequences

The transaction examples in this section show basic ways in which verifiable credentials might be used. They are not meant to be architecturally constraining. Instead, they are meant to help illustrate the basic way it could be done in a typical commerce situation. Again — please remember that it is just an example, and should not be thought of as the canonical way such a claims environment must be implemented.

7.1 How a Verifiable Credential Might Be Created

In this first example, a user will request a verifiable credential—a confirmation of their identity. Consider this illustration:

Verifiable Credential Creation Flow Description
Figure 4 Verifiable Credential Creation Flow Diagram

Expanding on these steps:

  1. Jane asks her User Agent to help her get a verifiable credential about her identity.
  2. Her user agent connects her to a credential issuer that is able to verify her identity.
  3. The issuer examines her documentation.
  4. They are satisfied, so the issuer generates a verifiable credential for Jane that includes information about her identity linked to their own trusted credential .
  5. The issuer delivers the verifiable credential back to Jane's User Agent.
  6. Jane views the verifiable credential to ensure it reflects her requirements.
  7. When she is satisfied, she instructs her User Agent to save the verifiable credential so she can use it in the future.
  8. The UA communicates with her credential repository , instructing it to store the new verifiable credential .
  9. The credential repository returns a list of the verifiable credentials it is holding for Jane to the UA.
  10. The UA shows Jane her verifiable credential collection — confirming everything she has available.

7.2 How a Verifiable Credential Might Be Used

In this example, a holder of a claim needs to use that claim in a typical commerce situation:

Verifiable Credential Usage Flow Diagram
Figure 5 Verifiable Credential Usage Flow Diagram
  1. Jane decides to shop on the website WinesOfTheWorld.example.com (merchant).
  2. The merchant's site requires Jane be 21 years of age and requests (via a user agent-supported API call) that Jane prove this.
  3. Jane's user agent asks her credential repository for the proof.
  4. The credential repository shows Jane some verifiable credentials it holds that can support her age claim (e.g., her passport, driving license, and birth certificate).
  5. Jane selects one of these, and authorizes that it be shared with the merchant.
  6. The credential repository returns the selected credential as a response to the user agent-supported API call, which in turn delivers it to the merchant.
  7. The merchant's server verifies that the claim is valid and satisfies the requirement.
  8. The merchant redirects the user agent to the web site with appropriate authorization.

A. Terminology

This section is non-normative.
Error 

Cannot
GET
/uploads/HPpIoM/terms.html

/uploads/kX2T4k/terms.html

B. Example Verifiable Credentials

Error 

Cannot
GET
/uploads/HPpIoM/focal/3_international_travel_with_minor_and_upgrade_examples.html

/uploads/kX2T4k/focal/3_international_travel_with_minor_and_upgrade_examples.html
Error 

Cannot
GET
/uploads/HPpIoM/focal/4_gs1_identification_examples.html

/uploads/kX2T4k/focal/4_gs1_identification_examples.html

C. Acknowledgements

This section is non-normative.

The editors are thankful to the contributions from the Web Payments Workshop, the Web Payments Community Group, the Web Payments Interest Group, the Credentials Community Group, the Verifiable Claims Task Force, and the Verifiable Claims Working Group.

D. References

D.1 Normative references

[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels . S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words . B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[vc-data-model]
Verifiable Credentials Data Model v1.1 . Manu Sporny; Grant Noble; Dave Longley; Daniel Burnett; Brent Zundel; Kyle Den Hartog. W3C. 3 March 2022. W3C Recommendation. URL: https://www.w3.org/TR/vc-data-model/