Verifiable Credentials as Access Controls for public Blockchains: Is it possible?

Pushed forward by companies like Disco and made possible by teams like uPort/3Box (creators of the 3ID specification), Verifiable Credentials (paired with DIDs) provide a new way to imagine digital identity.

Verifiable credentials (VCs) are an essential building block to fully realizing web3’s vision. Spearheaded by the teams at uPort, Disco, and others, VCs provide a new way to imagine digital identity by inverting the trust model of the internet, putting the holder of a credential at the center of trust, as opposed to companies like Facebook and Google.

As blockchain technology gains popularity, self-sovereign identity will become a fundamental mechanism in governing the exchange of data and monitoring who has access to what resources. However, VCs live off-chain, so how can we use verifiable credentials to provide on-chain access controls across public blockchains?

The Underlying Problem

Generally speaking, verifiable credentials are not a blockchain technology. Blockchains are public ledgers, and registering personally identifying and private information on-chain largely defeats the inherent privacy-preserving properties of VCs.

Verifiable Credentials enable the cryptographic verification of data authenticity, without relying on a centralized authority to verify the legitimacy of the supplied attestations/information. In this context, utilizing public blockchains to register decentralized identifiers or act as public key infrastructure is a great use case, but ultimately blockchains should not be considered a piece of the Decentralized Identifier and Verifiable Credential stack.

Verifiable credentials, by themselves, help solve several core problems with today’s Internet:

  1. Data Authenticity, i.e. where did this information come from

  2. Credential Verification, i.e. why is information important and to whom

  3. Privacy Preserving, i.e. can be stored anywhere without losing properties 1 and 2

However, a scalable, secure, and private identity stack is meaningless unless it is able to interoperate with the other systems around us, primarily blockchains like Ethereum. Whether it’s a close-knit DAO operating an on-chain treasury or regulated entities interoperating with decentralized finance hyperstructures, unlocking real-time access controls in smart contracts is essential to the growth and evolution of Web3.

Large institutions have to consider compliance and regulatory constraints when interacting with DeFi protocols, a significant obstacle to institutional web3 adoption today. Organizations like J.P. Morgan have already begun experimenting with using Verifiable Credentials to unlock access controls in blockchain systems.

So, how can we bring together self-sovereign identity and public blockchains like Ethereum?

District Labs has a few ideas.

Web3 of Trust - Next Generation Access Controls

Verifiable Credentials and Decentralized Identifiers are two closely related W3C (World Wide Web Consortium) specifications. When used together, the two specifications can enable what is called a Web of Trust.

A Web of Trust is where Internet native digital identities can begin to emerge.

Instead of relying on centralized authorities to control our digital identities, we can start to form connections and relationships using cryptography: with or without blockchains.

What we really want (and need) is the ability for trust to have transitive properties, so that our digital identities can be utilized and contextualized across a range of digital environments, whether that’s in small localized networks (friends/family) or global coordination systems like the Ethereum blockchain.

Unlocking Smart Contracts using Verifiable Credentials

The root of our problem starts with the fact that smart contracts on public blockchains have limited access control capabilities and are prone to Sybil attacks. That’s on purpose. Blockchains are designed to be open and accessible for everyone, because they need to be: a blockchain is a global coordination system.

But that does not mean we want every public smart contract method to be accessible by everyone. In fact quite the opposite. We want people and organizations to have real-time access controls for blockchain smart contracts.

Can we solve these problems inherent to blockchains?

Yes! And it starts with building a trust network.

TrustAnchorGateway

The question we really need to ask now is… “Can Verifiable Credentials solve the smart contract access control problem and also help address sybil resistance at scale, without sacrificing the primary benefits of Verifiable Credentials?”

The District Labs TrustAnchorGateway V0 is a proof of concept to help answer that question.

The TrustAnchorGateway is an off-chain API service designed and developed by District Labs and Disco. The gateway converts verifiable credentials into smart contract access controls using counterfactual delegation via the Delegatable framework.

This provides a pathway from off-chain data to on-chain permissions via a simple and easy-to-understand architecture, while also preserving the privacy of the verifiable credential holder. Users are given permissions in real time, i.e. just-in-time access control.

Before we get into the specifics of the implementation let’s first take a step back.

A traditional Web of Trust uses Trust Anchors to issue Verifiable Credentials.

A Trust Anchor Gateway is an extension of the Trust Anchor concept applied to Web3.

Trust Anchors, in a Web of Trust, issue Verifiable Credentials.

Trust Anchor Gateways, in a Web3 of Trust, issue JITAccessControls from Verifiable Credentials.

Similar to Trust Anchors in a traditional Web of Trust, Trust Anchor Gateways in a Web3 of Trust act as arbiters of “truth” about the world from a non-blockchain perspective. In other words, a TrustAnchorGateway is designed to be an intermediary between off-chain data and on-chain access controls.
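The gateway flow described above can be modelled in a few lines. This is an added example, not code from District Labs, Disco, or the Delegatable framework: Ed25519 signatures over JSON stand in for the VC proof and the EIP-712 delegation signature, and every name, address, and the 300-second grant lifetime are assumptions made for illustration.

```javascript
// Added illustration only: a toy model of the gateway flow, not District Labs' or
// Delegatable's code. Ed25519 over JSON stands in for the VC proof and for the
// EIP-712 delegation signature; all names and values below are constructed.
const crypto = require('node:crypto');
const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sign = (key, obj) => crypto.sign(null, bytes(obj), key).toString('base64');
const verify = (key, obj, sig) =>
  crypto.verify(null, bytes(obj), key, Buffer.from(sig, 'base64'));

const issuer = crypto.generateKeyPairSync('ed25519');  // trust anchor issuing VCs
const gateway = crypto.generateKeyPairSync('ed25519'); // gateway's signing key
const TRUSTED_ISSUERS = new Map([['did:example:issuer', issuer.publicKey]]);

function issueCredential(subject, type, expiresAt) {
  const claims = { issuer: 'did:example:issuer', subject, type, expiresAt };
  return { claims, proof: sign(issuer.privateKey, claims) };
}

// Gateway (off-chain): verify the credential, then sign a narrow, short-lived grant.
// Assumes the requester has already proven control of the `delegate` account.
function issueGrant(vc, req, now) {
  const key = TRUSTED_ISSUERS.get(vc.claims.issuer);
  if (!key || !verify(key, vc.claims, vc.proof)) throw new Error('untrusted or forged credential');
  if (vc.claims.expiresAt <= now) throw new Error('credential expired');
  if (vc.claims.type !== req.requiredType) throw new Error('wrong credential type');
  if (vc.claims.subject !== req.delegate) throw new Error('subject is not the requester');
  // Only the permission goes into the grant; no credential claims leave the gateway.
  const grant = { delegate: req.delegate, contract: req.contract,
                  chainId: req.chainId, method: req.method, expiresAt: now + 300 };
  return { grant, signature: sign(gateway.privateKey, grant) };
}

// Contract-side check, modelled off-chain: the grant must match the actual call.
function contractAllows(signed, call, now) {
  const g = signed.grant;
  return verify(gateway.publicKey, g, signed.signature) &&
    g.delegate === call.sender && g.contract === call.contract &&
    g.chainId === call.chainId && g.method === call.method && now < g.expiresAt;
}

function demo(now = 1700000000) {
  const call = { sender: '0xA11CE', contract: '0xC0FFEE', chainId: 10, method: 'mint' };
  const vc = issueCredential(call.sender, 'ExampleMember', now + 86400);
  const signed = issueGrant(vc, { ...call, delegate: call.sender, requiredType: 'ExampleMember' }, now);
  return [contractAllows(signed, call, now + 60),                         // holder, in time
          contractAllows(signed, { ...call, sender: '0xBAD' }, now + 60), // other account
          contractAllows(signed, call, now + 301)];                       // after expiry
}
console.log(demo());
```

In EIP-712 the `chainId` and `verifyingContract` fields of the domain separator play the role that the `chainId` and `contract` fields play in this model, which is what keeps a grant from being replayed against another chain or contract.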

Why TrustAnchorGateways?

The short answer:
The Verifiable Credential specification was designed to be privacy preserving.

And as it stands, blockchains are less than ideal when it comes to preserving privacy for users. Until we have robust zero-knowledge infrastructure and better Verifiable Credential adoption and usage, we need solutions that address today’s problems.

**We don’t want to compromise on security.** But we also want something that will meet today’s needs.

The Trust Anchor Gateway is designed to maintain privacy preservation of Verifiable Credentials, while also adding scalable sybil resistance at the smart contract access control level.

**The long answer:**
Zero-knowledge proofs in a public blockchain environment provide a lot of utility.

One such use is access controls using privacy-preserving methods. Identity systems like iden3.io and semaphore.appliedzkp.org play a big part in the scaling of Web3 ecosystems, both at a blockchain protocol layer and, when applied in the right context, at the application layer.

But they’re also complex and don’t lend themselves to shorter development lifecycles, where flexibility is as important as functionality.

Zero-knowledge proofs are intricate, require specialized knowledge to do right, and much of the underlying technology is still very new. If the underlying smart contract containing the zero-knowledge circuits contains a bug, the security of the entire system is compromised.

A strong focus on standards, flexibility, and simplicity

TrustAnchorGateways take a pragmatic approach to on-chain access controls using off-chain data.

  1. Use existing standards i.e. Verifiable Credentials and Decentralized Identifiers.

  2. Easily scalable architecture and customizable off-chain API infrastructure.

  3. A signing standard (EIP-712) that is both human-readable and machine-interpretable, balancing developer experience, security, and functionality.

A TrustAnchorGateway Live Demonstration

Want to see a TrustAnchorGateway in action? Do you have an official Disconaut Credential that is publicly accessible? Visit https://disco.districtlabs.com and mint a Disco District NFT today.

The Disco District NFT is available on the Ethereum and Optimism networks.

Conclusion

Verifiable Credentials and Decentralized Identifiers are W3C specifications reshaping the building blocks for modern digital identities. Blockchain technologies (Ethereum, Optimism, Celestia, etc…) are fundamentally changing the way we coordinate at scale.

Together these two Web3 technologies (self-sovereign identity and blockchains) will change how we think about ourselves and the world around us. A launchpad into a new digital frontier.

As a previous member of uPort (one of the original teams pushing forward Decentralized Identity in Web3) and early contributor to the 3ID specification (product design and name) I’m excited to see the resurgence of Verifiable Credentials thanks in large part to the Disco team.

Authors,

Kames Geraghty, CTO at District Labs

Justin Bassey, CEO at District Labs
