Verifiable Credentials

VC-JWT, SD-JWT, Bitstring Status List revocation.

oauth.work includes a W3C Verifiable Credentials rail. Credentials are JWT-secured (VC-JWT and SD-JWT) — no JSON-LD canonicalization — and signed by the tenant’s Ed25519 key, resolvable via did:web:<slug>.oauth.work.

Issue a credential

POST /credentials/issue
{
  "type": ["VerifiableCredential", "EmployeeBadge"],
  "credentialSubject": { "id": "did:web:ada.example", "role": "engineer" },
  "format": "sd-jwt"
}
# → a signed SD-JWT the holder can present selectively

SD-JWT lets the holder disclose only the claims a verifier needs: for example, presenting the role claim without revealing the rest.

Verify

POST /credentials/verify
{ "credential": "<vc-jwt-or-sd-jwt>" }
# → { "verified": true, "notRevoked": true }

Revocation

Each credential is assigned an index in the tenant’s W3C Bitstring Status List. Revoking flips the bit; /credentials/verify then reports notRevoked: false. No per-credential lookup, no CRL to distribute — just one compact, signed bitstring.
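
The bit check and bit flip described above, as an added example (not oauth.work's own code). It assumes the encodedList encoding from the W3C Bitstring Status List specification: GZIP, then multibase base64url. The function names, the size cap and the sample index are hypothetical, and the page does not show how oauth.work exposes the list.

```python
import base64, gzip, zlib

MIN_BITS = 131_072            # W3C minimum list length (16 KB), for herd privacy
MAX_BYTES = 1 << 20           # assumed cap on decompressed size (hypothetical, 1 MiB)

def encode_list(bits: bytes) -> str:
    """Raw bitstring -> encodedList: GZIP, then multibase base64url ('u', no padding)."""
    packed = base64.urlsafe_b64encode(gzip.compress(bytes(bits)))
    return "u" + packed.rstrip(b"=").decode()

def decode_list(encoded: str) -> bytearray:
    """encodedList -> raw bitstring; rejects wrong prefix, oversized and short lists."""
    if not encoded.startswith("u"):
        raise ValueError("expected multibase base64url ('u' prefix)")
    body = encoded[1:]
    data = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    # Bounded decompression: a tiny gzip body can expand to gigabytes.
    raw = zlib.decompressobj(wbits=31).decompress(data, MAX_BYTES + 1)
    if len(raw) > MAX_BYTES:
        raise ValueError("decompressed list exceeds size cap")
    if len(raw) * 8 < MIN_BITS:
        raise ValueError("status list shorter than 131,072 bits")
    return bytearray(raw)

def _locate(bits: bytearray, index: int) -> tuple[int, int]:
    """Index 0 is the left-most bit, i.e. the most significant bit of byte 0."""
    if not 0 <= index < len(bits) * 8:
        raise IndexError("statusListIndex outside the list")
    return index // 8, 0x80 >> (index % 8)

def is_revoked(encoded: str, index: int) -> bool:
    """Verifier side: True when the credential's bit is set."""
    bits = decode_list(encoded)
    byte, mask = _locate(bits, index)
    return bool(bits[byte] & mask)

def revoke(encoded: str, index: int) -> str:
    """Issuer side: set the credential's bit and re-encode (re-signing not shown)."""
    bits = decode_list(encoded)
    byte, mask = _locate(bits, index)
    bits[byte] |= mask
    return encode_list(bits)

if __name__ == "__main__":
    fresh = encode_list(bytes(MIN_BITS // 8))   # constructed sample: nothing revoked
    after = revoke(fresh, 9)                    # 9 is a constructed index
    print(is_revoked(fresh, 9), is_revoked(after, 9), len(after))
```

The bit is only meaningful once the signature on the status list credential has been verified against the tenant's key; that step is outside this example.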