SD-JWT in one minute: the VCT
The VCT (Verifiable Credential Type) is a URL, defined by the SD-JWT-VC specification, that names the kind of credential. It’s the credential’s type identifier: a verifier looking at a presented credential reads itsvct value to know what kind of credential it is, what fields it carries, and how to interpret them. Two credentials with the same VCT are the same kind of credential.
The URL itself doesn’t need to resolve to anything, but the convention is that it could — pointing to a published metadata document describing the credential type, schema, and display rules.
The VCT is the bridge between everyone who touches the credential:
- The preset declares the VCT in its
templateType. - The issued credential carries the VCT in its
vctclaim. - The presentation request uses the VCT in
templateCredentials[].typeto filter the holder’s wallet down to credentials of the right kind.
<author> and <code>:
The shape, end to end
Identifier and metadata
The shared metadata fields (id, author, code, templateName, templateDescription, credentialFormat) are documented on the credential presets intro. The fields specific to SD-JWT are below.
templateType (the VCT)
The VCT for this preset. Set automatically (see SD-JWT in one minute); not user-supplied.
issuerConfig
How the platform signs credentials issued from this preset:
did:web(the typical default) — credentials are signed using the tenant’sdid:webDID. Verifiers fetch the DID document to validate the signature.certificate— credentials are signed using an x509 certificate from the tenant’s certificate pool. The optionalkeyType(P-256orEd25519) narrows the selection to a specific algorithm.
validUntil
How long the issued credentials remain valid. Optional; defaults to five years measured from validFrom.
templateAttributes: the credential’s fields
A flat map from attribute name to its definition. Each entry expresses a field on the credential and how it should behave at presentation time.
The attribute keys you declare (e.g.
firstName, lastName) are what issuers pass under attributes when calling the issuance endpoint, and what verifiers ask for in a presentation request. They become the JSON keys on the issued credential itself.
Nested objects and arrays
SD-JWT supports nested attribute structures. Anobject attribute carries its own properties map; an array attribute carries an items schema:
alwaysDisclosed and selective disclosure
For SD-JWT credentials, the holder controls what they share on a per-presentation basis. alwaysDisclosed: false (the default) means an attribute can be withheld when the credential is presented; alwaysDisclosed: true means it is always revealed.
Set alwaysDisclosed: true only for fields whose presence is meaningful in itself, typically trust signals like a verified flag, where the credential carries no useful meaning without it. For ordinary personal data (name, date of birth, etc.), leave it false and let the holder decide.
What happens at issuance time
When an issuer issues a credential against the preset, the platform uses its structure directly:- The issuer calls the issuance endpoint with
presetIdand anattributesmap containing values for each key intemplateAttributes. - The platform validates the attribute values against
templateAttributes: required fields must be present, types must match, and undeclared keys are rejected. - It produces an SD-JWT credential typed with the preset’s
templateType, signed by the configuredissuerConfig.signer, with the validity window fromvalidUntil. - The credential is offered to the holder’s wallet, where they can accept it.
- Once accepted, the credential lives in the wallet, ready to be used in any presentation request that asks for credentials of this
typefrom a trusted issuer.

