Skip to main content

Getting Started with TrustVC SDK

Introduction

TrustVC (@trustvc/trustvc) is a comprehensive library for signing, verifying, and managing W3C Verifiable Credentials and OpenAttestation v2 Verifiable Documents. It provides a unified API for credential issuance, selective disclosure, and multi-format verification.

Prerequisites

  • Node.js >= 20.0.0
  • npm or yarn

Installation

npm install @trustvc/trustvc

Key Concepts

W3C Verifiable Credentials

Verifiable Credentials (VCs) are a W3C standard for expressing tamper-evident claims about a subject. TrustVC implements the VC Data Model v2.0, enabling you to issue, hold, and verify credentials in a standardized, interoperable format.

Cryptographic Suites

TrustVC supports two cryptographic suites for signing credentials. The default is ecdsa-sd-2023 (using P-256 elliptic curve keys), which provides selective disclosure through mandatory pointers. The alternative is bbs-2023 (using BLS12-381 keys), which also supports selective disclosure. Both produce DataIntegrityProof signatures.

DID (Decentralized Identifier)

A Decentralized Identifier (DID) is a globally unique identifier that does not require a centralized registration authority. In TrustVC, the issuer of a credential is identified by a DID (e.g., did:web:example.com:issuer:1), and the signing key is resolved from the DID document.

Selective Disclosure

Selective disclosure allows a credential holder to reveal only specific fields from a signed credential to a verifier, keeping the rest hidden. This is achieved by deriving a new credential from the original signed credential using JSON pointer paths to select which fields to disclose.

Quick Start: Sign and Verify

This example walks through the full lifecycle: creating a raw credential, signing it, and verifying the result.

import { signW3C, verifyDocument, VerificationType } from '@trustvc/trustvc';

// 1. Define the raw credential
const credential = {
'@context': [
'https://www.w3.org/ns/credentials/v2',
'https://w3id.org/security/data-integrity/v2',
'https://w3id.org/vc/status-list/2021/v1',
],
type: ['VerifiableCredential'],
issuer: 'did:web:example.com:issuer:1',
validFrom: '2024-01-01T00:00:00Z',
validUntil: '2029-12-31T23:59:59Z',
credentialSubject: {
type: ['Person'],
givenName: 'John',
birthDate: '1990-01-01T00:00:00Z',
},
};

// 2. Define the signing key pair
const keyPair = {
'@context': 'https://w3id.org/security/multikey/v1',
id: 'did:web:example.com:issuer:1#multikey-1',
type: VerificationType.Multikey,
controller: 'did:web:example.com:issuer:1',
publicKeyMultibase: '<your-public-key-multibase>',
secretKeyMultibase: '<your-secret-key-multibase>',
};

// 3. Sign the credential (defaults to ecdsa-sd-2023)
const signedCredential = await signW3C(credential, keyPair);
console.log('Signed credential:', signedCredential);

// 4. Verify the signed credential
const fragments = await verifyDocument(signedCredential);

// 5. Check the result
const allValid = fragments.every((f) => f.status === 'VALID' || f.status === 'SKIPPED');
console.log('Verification passed:', allValid);

Using the DocumentBuilder

The DocumentBuilder provides a fluent API for constructing, signing, deriving, and verifying credentials in a single chain.

import { DocumentBuilder } from '@trustvc/trustvc';

// 1. Build and sign a credential
const builder = new DocumentBuilder()
.credentialSubject({
type: ['Person'],
givenName: 'Alice',
familyName: 'Smith',
birthDate: '1985-06-15T00:00:00Z',
})
.credentialStatus({
id: 'https://example.com/credentials/statuslist/1#0',
type: 'BitstringStatusListEntry',
statusPurpose: 'revocation',
statusListIndex: '0',
statusListCredential: 'https://example.com/credentials/statuslist/1',
});

// 2. Sign the credential
const signedDoc = await builder.sign(keyPair);
console.log('Signed:', signedDoc);

// 3. Derive with selective disclosure (reveal only givenName)
const derivedDoc = await builder.derive({
selectivePointers: ['/credentialSubject/givenName'],
});
console.log('Derived:', derivedDoc);

// 4. Verify the derived credential
const verificationResult = await builder.verify();
console.log('Valid:', verificationResult);

Selective Disclosure

After signing a credential with ecdsa-sd-2023 or bbs-2023, you can derive a new credential that reveals only selected fields using JSON pointer paths.

import { deriveW3C } from '@trustvc/trustvc';

const derivedCredential = await deriveW3C(signedCredential, {
selectivePointers: ['/type', '/credentialSubject/givenName'],
});

// The derived credential reveals only `type` and `givenName`.
// All other fields (e.g., `birthDate`) are hidden from the verifier.

The derived credential is independently verifiable -- the verifier does not need access to the original signed credential.

Core Functions Reference

FunctionDescription
signW3CSign a W3C Verifiable Credential (ecdsa-sd-2023 or bbs-2023)
signOASign an OpenAttestation document (v2)
deriveW3CDerive a credential with selective disclosure from a signed W3C VC
verifyDocumentVerify any signed document (W3C VC or OA v2 VD)
wrapOADocumentWrap a single OpenAttestation document
encrypt / decryptEncrypt and decrypt data using ChaCha20
DocumentBuilderFluent API for building, signing, deriving, and verifying credentials

Supported Networks

TrustVC supports on-chain verification across the following networks:

Mainnets

NetworkCodeChain ID
EthereumETH1
PolygonPOL137
XDCXDC50
StabilityFREE101010
AstronASTRON1338

Testnets

NetworkCodeChain ID
Sepolia (Ethereum)ETH11155111
Amoy (Polygon)POL80002
XDC ApothemXDC51
Stability TestnetFREE20180427
Astron TestnetASTRON21002

What's Next