# Verifiable Credentials (JWT VC)

TrustOriginality issues **W3C Verifiable Credentials** as ES256-signed JWTs (ECDSA over P-256 with
SHA-256), built on the existing `trustoriginality-attestation/1.0` data and signing keys.

**Status:** non-qualified issuer (QEAA / QTSP is a separate roadmap step).

> VC outputs are **decision-support documentation** — not QEAA, eIDAS qualified trust services,
> government certification, or sole proof in court without qualified review.

## Discovery

| Resource | URL |
|----------|-----|
| Issuer metadata | `GET /.well-known/trustoriginality-credential-issuer.json` |
| Content schema | `GET /.well-known/vc-schemas/content-authenticity.json` |
| Analysis schema | `GET /.well-known/vc-schemas/analysis-report.json` |
| Legacy attestation keys | `GET /.well-known/trustoriginality-attestation.json` |

## Credential types

| Type | `vct` | Source data |
|------|-------|-------------|
| `TrustOriginalityContentAuthenticityCredential` | `https://trustoriginality.ai/credentials/v1/content-authenticity` | Provenance registry |
| `TrustOriginalityAnalysisReportCredential` | `https://trustoriginality.ai/credentials/v1/analysis-report` | Analysis activity |

Format identifier: `trustoriginality-jwt-vc/1.0`

## Issue (authenticated — resource owner only)

Issuance requires `AnalyzeAccess` (panel session or API key). The authenticated user must
own the underlying provenance registration or analysis run.

```bash
# Content authenticity (registered SHA-256 hash, owner only)
# -k disables TLS certificate verification: keep it only for the localhost
# development override (self-signed cert), drop it against panel.trustoriginality.ai
curl -sk "https://panel.trustoriginality.ai/api/credentials/content/{sha256}.jwt" \
  -H "Authorization: Bearer YOUR_API_KEY"

# Analysis report (owner only)
curl -sk "https://panel.trustoriginality.ai/api/credentials/analysis/{runId}.jwt" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Panel users can also download analysis VCs from **Activity Log** (`Download VC` button).

Response:

```json
{
  "format": "trustoriginality-jwt-vc/1.0",
  "jwt": "eyJhbGciOiJFUzI1NiIs...",
  "credentialType": "TrustOriginalityContentAuthenticityCredential",
  "subject": "https://panel.trustoriginality.ai/verify/content/{hash}",
  "issuedAt": "2026-06-16T12:00:00Z",
  "expiresAt": "2027-06-16T12:00:00Z",
  "jti": "vc-...",
  "verifyUrl": "https://panel.trustoriginality.ai/api/credentials/verify",
  "legacyAttestationUrl": "https://panel.trustoriginality.ai/api/attestation/content/{hash}.json",
  "nonQualifiedDisclaimer": "..."
}
```

Each issuance is recorded in `Tbl_VerifiableCredentials` (audit log with `jti`).

## Verify (public)

Anyone can verify a JWT without authentication:

```bash
curl -sk -X POST https://panel.trustoriginality.ai/api/credentials/verify \
  -H "Content-Type: application/json" \
  -d '{"jwt":"eyJhbGciOiJFUzI1NiIs..."}'
```

Returns signature validity, expiry, credential type, subject, and revocation status. This endpoint is
the issuer's own answer; a relying party that must not depend on the issuer being online can validate the
ES256 signature locally against the public keys published under Discovery, and use this endpoint only for
the revocation status.

## Revoke (authenticated — issuer owner)

Revoke a previously issued credential by `jti` (from the issue response or JWT payload):

```bash
curl -sk -X POST https://panel.trustoriginality.ai/api/credentials/revoke \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"jti":"vc-...","reason":"key rotation"}'
```

Revoked credentials fail verification with `revoked: true`.
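The checks a relying party should perform itself on an issued JWT VC, covering the issue, verify and revoke steps above, as an added example in Go (not the project's C# code). Everything is constructed so it runs offline: a throwaway P-256 key stands in for the issuer's attestation key, the `signES256` routine stands in for the issue endpoint, the `jti` and the revocation set are made up, and only the claim names the page lists (`iss`, `jti`, `exp`, `vct`) are modelled; the `vc` body and any other claims the real token carries are omitted. A real verifier would load the issuer's public key from the discovery endpoints and the revocation status from the verify endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Claims a relying party checks (iss, jti, exp and vct as listed on this page; the vc body is omitted).
type vcClaims struct {
	Iss string `json:"iss"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
	Vct string `json:"vct"`
}

const issuerBaseURL = "https://panel.trustoriginality.ai" // Credentials:IssuerBaseUrl
const contentVct = "https://trustoriginality.ai/credentials/v1/content-authenticity"

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodePart(s string, v interface{}) bool {
	b, err := base64.RawURLEncoding.DecodeString(s)
	return err == nil && json.Unmarshal(b, v) == nil
}

// signES256 stands in for the issuer endpoint so the example runs offline.
// JWS ES256 signatures are raw R||S (32 bytes each), not ASN.1 DER.
func signES256(priv *ecdsa.PrivateKey, claims vcClaims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	pl, _ := json.Marshal(claims)
	input := b64url(hdr) + "." + b64url(pl)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:]) // stand-in only; a real issuer handles the error
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url(sig)
}

// verifyJWTVC does what a relying party must: pin alg to ES256 (never let the header choose the
// algorithm), verify the signature with the pinned issuer key, then check iss, the expected vct, exp and jti.
func verifyJWTVC(token string, pub *ecdsa.PublicKey, wantVct string, revoked map[string]bool, now time.Time) error {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if len(parts) != 3 || !decodePart(parts[0], &hdr) || hdr.Alg != "ES256" {
		return errors.New("not a compact JWS with alg ES256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature invalid")
	}
	var c vcClaims
	switch {
	case !decodePart(parts[1], &c):
		return errors.New("bad payload")
	case c.Iss != issuerBaseURL:
		return errors.New("iss does not match pinned issuer")
	case c.Vct != wantVct:
		return errors.New("unexpected credential type")
	case now.Unix() >= c.Exp:
		return errors.New("expired")
	case revoked[c.Jti]:
		return errors.New("revoked")
	}
	return nil
}

// Demo mints one credential with a throwaway P-256 key (stand-in for the issuer key) and runs it through each outcome.
func Demo() map[string]error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	pub := &priv.PublicKey
	now := time.Date(2026, 6, 16, 12, 0, 0, 0, time.UTC)
	claims := vcClaims{Iss: issuerBaseURL, Jti: "vc-example-0001", Vct: contentVct, // jti is constructed
		Exp: now.AddDate(1, 0, 0).Unix()} // TtlDays: 365
	token := signES256(priv, claims)
	p := strings.Split(token, ".")
	forged := claims // re-encode a changed payload under the original signature
	forged.Vct = "https://trustoriginality.ai/credentials/v1/analysis-report"
	fp, _ := json.Marshal(forged)
	return map[string]error{
		"valid":    verifyJWTVC(token, pub, contentVct, nil, now),
		"tampered": verifyJWTVC(p[0]+"."+b64url(fp)+"."+p[2], pub, contentVct, nil, now),
		"alg_none": verifyJWTVC(b64url([]byte(`{"alg":"none"}`))+"."+p[1]+".", pub, contentVct, nil, now),
		"revoked":  verifyJWTVC(token, pub, contentVct, map[string]bool{claims.Jti: true}, now),
		"expired":  verifyJWTVC(token, pub, contentVct, nil, now.AddDate(2, 0, 0)),
	}
}
```

The algorithm is pinned rather than read from the header so an `alg: none` or HMAC-swapped token is rejected before any key is consulted, and the expected `vct` is an input to the verifier so a valid analysis-report credential cannot be passed off where a content-authenticity one is required. Revocation is a lookup by `jti`, which is what the revoke endpoint keys on.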

## Configuration

```json
{
  "Credentials": {
    "IssuerBaseUrl": "https://panel.trustoriginality.ai",
    "TtlDays": 365,
    "IssuerDisplayName": "TrustOriginality.ai",
    "LegalEntityName": "Soluzyn OÜ"
  }
}
```

`IssuerBaseUrl` is used as the canonical `iss` claim in JWTs (override in
`appsettings.Development.json` for local testing, e.g. `https://localhost:7270`).

Uses the same ECDSA-P256 key as attestations (`Attestation:PrivateKeyPem` or `keys/attestation-signing.pem`).

## Legal

See `legal/ACCEPTABLE-USE-POLICY.md` §5 and public AUP at `/docs/regulatory/acceptable-use-policy.md`.

## Roadmap (not yet implemented)

- SD-JWT selective disclosure (`_sd` claims)
- OID4VCI issuance protocol + credential offer
- OID4VP presentation exchange
- W3C Status List 2021 (batch revocation list)
- QEAA / qualified trust service (eIDAS 2)

## Code

| Component | Path |
|-----------|------|
| JWT VC issuer/verifier | `TrustOriginality_Global/Credentials/JwtVerifiableCredentialIssuer.cs` |
| VC service | `TrustOriginality_ai_dashboard/Services/VerifiableCredentialService.cs` |
| API routes | `TrustOriginality_ai_dashboard/Program.cs` |
| Issuance audit / revocation | `TrustOriginality_ai_db/Scripts/CreateTbl_VerifiableCredentials.sql` |
