Core Functions with Aleo


DIDKit also supports the issuance and verification of Verifiable Credentials using Aleo accounts.

This is an example using all the core functions of DIDKit-CLI: key generation, credential/presentation issuance, and verification.

git clone
git clone
cd didkit
cargo install --features=didkit/aleo --path cli
cd .. 

Aleo signature functionality requires the didkit/aleo feature.

Start with a keypair

The SSI library can generate an Aleo keypair as an example:

cd ssi
cargo run --example genaleojwk --features=aleo > /tmp/aleokey.jwk

You can also provide the details of an existing Aleo account, although you will need to do some extra work for DIDKit to use it.

The Aleo private JWK format used by DIDKit is non-standard. An example:

{
  "kty": "OKP",
  "crv": "AleoTestnet1Key",
  "x": "78_Jh_c7Fw46fX31xS9Ifdg_LeuabZ2p2aIl5fn9zw0",
  "d": "f4a9dNLd0omQcg3SEajVHGqEqwFHDGD9yNc2xpzuiZ3sSJjIf5AnEYXWCQ"
}

The format is as follows:

  • kty: The OKP key type

  • crv: The AleoTestnet1Key curve

  • x: An Aleo account address derived from the private key using Aleo Testnet1 parameters, as a Base64Url value (without the "aleo" prefix that appears in its Base58 format)

  • d: An Aleo private key converted from Base58 (where it starts with "APrivateKey1") to a Base64Url value
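
An added example (not DIDKit's or SSI's own code) of the "extra work" for the private key of an existing account: it converts a Base58 "APrivateKey1..." string to the "d" value and checks a private JWK against the layout listed above. It assumes plain Base58 with the Bitcoin alphabet and no checksum; private_key_to_d and check_private_jwk are hypothetical helper names, and "x" is only checked for being well-formed Base64Url, not derived from the key.

```python
import base64
# Assumption: plain Base58 (Bitcoin alphabet, no checksum).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    zeros = len(s) - len(s.lstrip("1"))  # each leading '1' is a zero byte
    return b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def private_key_to_d(aleo_private_key):
    """Convert a Base58 'APrivateKey1...' string to the JWK "d" value."""
    if not aleo_private_key.startswith("APrivateKey1"):
        raise ValueError("expected a Base58 Aleo private key")
    return b64url(b58decode(aleo_private_key))

def check_private_jwk(jwk):
    """Return a list of layout problems; an empty list means none found."""
    problems, raw = [], {}
    for name, want in (("kty", "OKP"), ("crv", "AleoTestnet1Key")):
        if jwk.get(name) != want:
            problems.append(name + " is not " + want)
    for member in ("x", "d"):
        try:
            value = b64url_decode(jwk[member])
            if b64url(value) != jwk[member]:  # rejects padding, stray characters
                raise ValueError(member)
            raw[member] = value
        except (KeyError, TypeError, ValueError):
            problems.append(member + " is missing or not unpadded Base64Url")
    if "d" in raw and not b58encode(raw["d"]).startswith("APrivateKey1"):
        problems.append("d does not re-encode to an APrivateKey1 string")
    return problems

# The example JWK printed on this page (not a constructed value).
PAGE_JWK = {"kty": "OKP", "crv": "AleoTestnet1Key",
            "x": "78_Jh_c7Fw46fX31xS9Ifdg_LeuabZ2p2aIl5fn9zw0",
            "d": "f4a9dNLd0omQcg3SEajVHGqEqwFHDGD9yNc2xpzuiZ3sSJjIf5AnEYXWCQ"}
```

Run check_private_jwk on a hand-built JWK before passing it to didkit; the file holds the private key, so keep it readable only by its owner.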

Generate a DID:Key document

This document gets wrapped around the keypair generated (or passed) in the previous step. For more context on the DID:key method, see the specification.

# Path to the JWK file generated in the previous step
key=/tmp/aleokey.jwk
did=$(didkit key-to-did pkh:aleo -k "$key")
issued=$(date -u +'%Y-%m-%dT%H:%M:%SZ')

Prepare credential for issuing.

Here, we'll issue an example credential (unsigned) and save it to a file. For more info about what these properties mean, see the Verifiable Credentials Data Model specification.

cat > credential-unsigned.jsonld <<EOF
{
       "@context": [""],
       "type": ["VerifiableCredential"],
       "issuer": "$did",
       "issuanceDate": "$issued",
       "credentialSubject": {"@id": "$did"}
}
EOF

Issue the verifiable credential.

  • We ask DIDKit to issue a verifiable credential using the given keypair file, passing the unsigned credential on standard input.

didkit vc-issue-credential -k $key < credential-unsigned.jsonld \
    > credential-signed.jsonld

Verify a verifiable credential.

  • We pass the newly-issued signed verifiable credential back to didkit for verification.

didkit vc-verify-credential < credential-signed.jsonld
