---
title: Credential Verifier Decentralized Identifiers
description: W3C defines Decentralized IDs (DIDs) as a means to identify an entity in a decentralized ecosystem. See the W3C DIDs spec for details. An entities DID is represented as a string and used in the different ID fields, such as issuer, subject, audience, or holder, for Java Web Tokens (JWTs), Verifiable Credentials (VCs), and other JSON objects. The DID is used to find public keys for the entity as well as optional information about how to interact with the entity.
component: pingone-api
page_id: pingone-api:credentials:credential-verifier-decentralized-identifiers
canonical_url: https://developer.pingidentity.com/pingone-api/credentials/credential-verifier-decentralized-identifiers.html
section_ids:
  pingone-hosted-verifier-didweb: PingOne hosted verifier did:web
  assigning-admin-roles-and-permissions-to-this-service: Assigning admin roles and permissions to this service
  credential-verifier-did-data-models: Credential verifier DID data models
---

# Credential Verifier Decentralized Identifiers

W3C defines Decentralized IDs (DIDs) as a means to identify an entity in a decentralized ecosystem. See the W3C DIDs spec for details. An entities DID is represented as a string and used in the different ID fields, such as issuer, subject, audience, or holder, for Java Web Tokens (JWTs), Verifiable Credentials (VCs), and other JSON objects. The DID is used to find public keys for the entity as well as optional information about how to interact with the entity.

The DID specification supports multiple ways to store and represent the DID. Every DID is a colon-separated string with the literal did, a method name, and method-specific data. W3C maintains a list of all of the current DID methods.

A `did:web` identifier is used in the signed JWT that is returned by Credentials Verifications when the wallet requests the Authorization Request. The wallet then resolves the `did:web` to get the public keys and verify the JSON Web Token (JWT) signature. This supports environments with and without custom domains.

Unlike in Credentials Issuance, a different DID identifier is used for every presentation session because the JSON Web Key Set (JWKS) used is different for each session.

PingOne Credentials uses `did:web` for the issuer and verifier and `did:ion` for the holder or subject. PingOne also supports `did:ion` for all parties for backwards compatibility.

## PingOne hosted verifier did:web

The service supports retrieving the `did:web` documents of verifiers hosted by PingOne on both the standard `auth.pingone.com` domain (and regional variants by top level domain, TLD) and custom domains. The DID document contains the public keys for the verifier and optional information about how to interact with the verifier. To retrieve the DID document:

1. The DID of a verifier hosted on the standard `auth.pingone.com` domain is in the format:

   * `did:web:`

   * `auth.pingone.com:`

   * UUID of the verifier's environment

   * `:verifier:`

   * UUID of the presentation session

   * `#`

   * UUID of the signing key

     For an environment UUID `8fd6a2f0-c568-4de8-a319-eb8ddff49dff` and presentation session UUID `d08008f2-d9dc-4d93-8eeb-9d2f7f50b620`, the corresponding URL to retrieve the DID document is:

     ```none
     https://auth.pingone.com/8fd6a2f0-c568-4de8-a319-eb8ddff49dff/verifier/d08008f2-d9dc-4d93-8eeb-9d2f7f50b620/did.json
     ```

2. The DID of a verifier hosted on a custom domain is in the format:

   * `did:web:`

   * the verifier's custom domain

   * `:verifier:`

   * UUID of the presentation session

   * `#`

   * UUID of the signing key

     For a custom domain `verifier.customerdomain.com` and presentation session UUID `d08008f2-d9dc-4d93-8eeb-9d2f7f50b620`, the corresponding URL to retrieve the DID document is:

     ```none
     https://verifier.customerdomain.com/d08008f2-d9dc-4d93-8eeb-9d2f7f50b620/did.json
     ```

## Assigning admin roles and permissions to this service

Admin role assignments determine access to PingOne APIs. When assigning admin roles to this service, refer to [PingOne Permissions by Service](../platform/reference/roles-and-permissions-in-pingone/permissions-by-service.html) for the service-specific permissions.

You can also choose to assign admin roles based on particular service resources. Refer to [PingOne Permissions by Resource](../platform/reference/roles-and-permissions-in-pingone/permissions-by-resource.html) when assigning admin roles per service resources.

Admin assignments to roles are set by:

* [Automatic assignment for some roles](../platform/roles/predefined-roles.html#automatic-role-assignment).

* [Group Role Assignments](../platform/group-role-assignments/group-role-assignments.html).

* [User Role Assignments](../platform/users/user-role-assignments.html).

Refer to [Roles Management](../platform/roles.html) for more information.

## Credential verifier DID data models

| Property                          | Type   | Required? | Mutable?  | Description                                                                                                                                                                                                                           |
| --------------------------------- | ------ | --------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `@context`                        | String | N/A       | Read-only | URL to the DID scheme                                                                                                                                                                                                                 |
| `id`                              | String | N/A       | Read-only | A unique identifier that conforms to [DID Syntax](https://www.w3.org/TR/did-core/#did-syntax)                                                                                                                                         |
| `verificationMethod.id`           | String | N/A       | Read-only | A unique identifier that conforms to [DID URL Syntax](https://www.w3.org/TR/did-core/#did-url-syntax)                                                                                                                                 |
| `verificationMethod.controller`   | String | N/A       | Read-only | The entity that controls the DID in [DID Syntax](https://www.w3.org/TR/did-core/#did-syntax). In PingOne Credentials, the method-specific data is always equal to the domain part of the request URL                                  |
| `verificationMethod.type`         | String | N/A       | Read-only | Name for the type of JWK represented                                                                                                                                                                                                  |
| `verificationMethod.publicKeyJwk` | String | N/A       | Read-only | A JSON Web Key that conforms to RFC 7517, [JSON Web Key (JWK)](https://www.rfc-editor.org/rfc/rfc7517). The contents vary by algorithm as discussed in RFC 7518, [JSON Web Algorithms (JWA)](https://www.rfc-editor.org/rfc/rfc7518). |
| `authentication`                  | String | N/A       | Read-only | A unique identifier that conforms to [DID Syntax](https://www.w3.org/TR/did-core/#did-syntax) including in its fragment a UUID for the key of the `verificationMethod.publicKeyJwk`                                                   |
| `assertionMethod`                 | String | N/A       | Read-only | A unique identifier that conforms to [DID Syntax](https://www.w3.org/TR/did-core/#did-syntax) including in its fragment a UUID for the key of the `verificationMethod.publicKeyJwk`                                                   |