// GLOSSARY -- SECURITY & COMPLIANCE

What is a Verifiable Credential?

1 min read Updated

A verifiable credential (VC) is a tamper-evident, cryptographically verifiable digital claim made by an issuer about a subject — following the W3C standard for expressing credentials like identity, qualifications, or authorizations in a machine-readable format.

WHY IT MATTERS

How do you prove something about yourself digitally without revealing everything? Verifiable credentials solve this. An issuer (e.g., a KYC provider) creates a signed credential ('this entity passed identity verification'). The holder presents it to verifiers, who can cryptographically confirm the credential is authentic and unmodified.

VCs support selective disclosure — prove you're over 18 without revealing your exact birthdate. Prove you're a licensed operator without revealing your identity. This privacy-preserving property is important for agent systems operating across organizational boundaries.

For AI agents, VCs could prove: 'this agent is operated by a licensed entity,' 'this agent has passed security audits,' or 'this agent is authorized to spend up to $X.' These credentials can be verified programmatically by other agents and services.

HOW POLICYLAYER USES THIS

PolicyLayer can use verifiable credentials to verify agent identity and spending authority — requiring agents to present valid VCs before enabling certain spending levels or accessing specific features.

FREQUENTLY ASKED QUESTIONS

How are VCs different from API keys?
API keys prove access rights but reveal nothing about the holder. VCs carry claims about the holder (identity, qualifications) that can be independently verified. VCs are more expressive and privacy-preserving.
Who issues verifiable credentials?
Any trusted authority. KYC providers (identity), auditors (security compliance), regulators (licensing), or protocol DAOs (reputation). The verifier decides which issuers they trust.
Are VCs used in crypto today?
Adoption is growing. Gitcoin Passport uses VCs for Sybil resistance. PolygonID provides VC-based identity. The intersection with agent identity is emerging.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.