How verified credentials work

§1

The problem with paper certificates

A PDF certificate is a claim with no mechanism for verification. When a hiring manager sees “Completed the Advanced Machine Learning Specialization” on a resume, they have no way to check whether the course required anything, whether the learner actually completed it, or whether the certificate was edited in Photoshop. The market has priced this correctly: PDF certificates are largely ignored.

The same is true of employer-hosted badge platforms. When a Credly badge links to a completion certificate, verification requires: visiting Credly, trusting that Credly's records match what the issuer intended, and accepting that if Credly shuts down the badge disappears. The credential's validity is fully dependent on a third-party platform remaining solvent and cooperative.

Cryptographic verifiable credentials solve this differently. The issuer signs the document with a private key. Anyone with access to the corresponding public key can verify the signature — and therefore confirm the document's integrity — without involving the issuer, the badge platform, or any intermediary. The verification is mathematical: the signature either checks out or it does not.

§2

How Ed25519 signing works

Ed25519 is a public-key signature algorithm. The core idea is simple: UpSkillZone holds a private key (a 32-byte secret that never leaves our servers) and publishes a corresponding public key (a 32-byte value anyone can download). When we mint a credential, we compute a signature over the credential's content using the private key. The signature is a 64-byte value that is attached to the credential.

When an employer verifies the credential, their verifier:

1. Fetches the credential from the credential URL — a JSON-LD document.
2. Reads the key identifier from the proof.verificationMethod field inside the credential.
3. Fetches the public key from the JWKS endpoint at https://upskillzone.ai/.well-known/jwks.json.
4. Verifies the signature — confirms that the 64-byte signature in the credential was produced by the private key corresponding to the fetched public key, over the exact bytes of the credential content.
5. Checks revocation status against the status list URL embedded in the credential.

Steps 1 through 5 require no interaction with UpSkillZone beyond the two public endpoints (JWKS and status list). If UpSkillZone's main servers are down, verification still works. If we were acquired and the new owners wanted to disclaim credentials, the public key would still verify credentials issued under the original key — the mathematics does not change.

§3

Anatomy of an UpSkillZone credential

Every credential is a JSON-LD document at a stable URL. Here is the shape, with the fields that matter most:

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://purl.imsglobal.org/spec/ob/v3p0/context.json"
  ],
  "type": ["VerifiableCredential", "OpenBadgeCredential"],
  "id": "https://upskillzone.ai/cert/{publicId}",
  "issuer": {
    "id": "did:web:upskillzone.ai",
    "name": "UpSkillZone"
  },
  "issuanceDate": "2026-05-06T00:00:00Z",
  "credentialSubject": {
    "id": "did:web:upskillzone.ai:u:{handle}",
    "achievement": [
      {
        "type": "Achievement",
        "name": "llm.rag.retrieval-pipeline",
        "description": "...",
        "evidence": { "url": "https://..." }
      }
      // one entry per asserted skill
    ]
  },
  "credentialStatus": {
    "type": "StatusList2021Entry",
    "statusListCredential": "https://upskillzone.ai/credentials/status/{listId}"
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "verificationMethod": "did:web:upskillzone.ai#key-1",
    "proofValue": "z..."   // 64-byte signature, base58btc-encoded
  }
}

Abbreviated for readability. The live credential also contains grader metadata, kappa scores, and attempt timestamps.

A few things worth noting:

• The issuer is a DID. did:web:upskillzone.ai is a Decentralized Identifier that resolves to a DID document containing our public key. A DID survives domain transfers and key rotation without breaking existing credentials.
• Each skill is a separate achievement. The credential lists every skill assertion independently, each with its evidence URL. An employer can look up exactly which Job Twin produced a specific skill claim.
• Revocation is non-destructive. The status list is a bitfield — flipping a bit revokes a credential without modifying the credential document itself. Revocation history is auditable.

§4

Open Badges 3.0 compatibility

Open Badges 3.0 (OB3) is the latest version of the IMS Global Open Badges standard, updated to build on the W3C Verifiable Credentials Data Model 2.0. It defines a standard vocabulary for educational achievements — including the evidence, criteria, and alignment fields that make a badge useful to an employer rather than decorative.

UpSkillZone credentials are issued as OB3 credentials, which means:

• Any OB3-compliant verifier can read and display them — not just UpSkillZone's verifier.
• The credential can be imported into wallets and platforms that support OB3 (IMS Global maintains a registry of compliant implementations).
• The schema is an open standard — if UpSkillZone ever winds down, the credential format is not proprietary.

This is one of the properties that distinguishes UpSkillZone credentials from employer-specific credentialing systems. A Salesforce Trailhead badge is meaningful to Salesforce and Salesforce shops. An OB3 credential is meaningful to any employer who understands the standard — and the number of employers and ATS platforms supporting OB3 is growing.

§5 · For technical readers

JWKS walkthrough

The verification flow for a developer building an integration:

# 1. Fetch the credential
curl https://upskillzone.ai/cert/{publicId}
# → JSON-LD VerifiableCredential

# 2. Extract the key ID from proof.verificationMethod
# → "did:web:upskillzone.ai#key-1"

# 3. Fetch the DID document
curl https://upskillzone.ai/.well-known/did.json
# → { "verificationMethod": [{ "id": "#key-1", "type":
#   "Ed25519VerificationKey2020", "publicKeyMultibase": "z..." }] }

# 4. Or fetch the JWKS directly
curl https://upskillzone.ai/.well-known/jwks.json
# → { "keys": [{ "kty": "OKP", "crv": "Ed25519",
#   "kid": "key-1", "x": "..." }] }

# 5. Verify the Ed25519Signature2020 proof
# Using any W3C VC library (e.g. @digitalbazaar/vc in Node.js,
# PyLD + PyNaCl in Python)
import json, base64
from nacl.signing import VerifyKey
from nacl.encoding import RawEncoder

# Load credential, extract proof.proofValue (base58btc)
# Verify signature over the canonical document bytes

The Ed25519Signature2020 suite signs over the RDF Dataset Normalization of the credential JSON-LD, minus the proof node. The canonical form is deterministic — the same document always produces the same bytes — so the signature is stable across JSON serialization differences (whitespace, key ordering).

Open-source verification libraries exist for Node.js (@digitalbazaar/vc), Python (pyld + pynacl), and Go. We maintain a reference verifier at /verify that runs in the browser.

§6 · For employers

What the employer sees

When a candidate shares their credential URL, the employer pastes it into upskillzone.ai/verify. The verifier shows:

• Signature status. Green check = valid Ed25519 signature against the current issuer key. The key ID and issuance date are shown.
• Revocation status. Active or revoked. Revoked credentials display the revocation date. A revoked credential's signature is still valid — revocation is a separate status check, not a key revocation.
• Skill assertions. Each skill in the credential is listed with its score (as a percentile against the cohort), the Job Twin that produced it, and the mentor's kappa at grading time.
• Evidence links. If the learner has opted to make their artifacts public, the employer can view the graded submission — the actual code, the eval results, the tradeoff writeup.

No login required for any of this. The verifier is a static client-side tool. Employers can also verify by integrating directly with our JWKS endpoint in their ATS or internal tooling — the API is documented at /api/v1/verify.

§7

Credential longevity

Credentials are designed to survive the platform. Our commitments:

• 10-year key publication window. We commit to keeping the JWKS endpoint live and returning the issuer public keys for at least 10 years after a key is used to sign credentials. After 10 years, we give 12 months' notice before decommissioning a key.
• Open-source verifier. The credential verifier is published as an open-source library. If upskillzone.ai is offline, anyone can run the verifier locally with a cached copy of the public key.
• Self-contained credential body. The credential JSON contains everything needed to verify the signature. A verifier with a cached copy of the public key can verify offline, with no network access.
• No proprietary schema. W3C VC Data Model 2.0 + Open Badges 3.0 are open standards. The credential does not depend on UpSkillZone-specific tooling to be read.

FAQ

Frequently asked questions

What is a verifiable credential?

A verifiable credential is a tamper-evident digital document that contains claims about a subject — in this case, skills an engineer has demonstrated. It is signed with a cryptographic key so any party can confirm the document has not been altered since it was issued, without contacting the issuer.

How does an employer verify an UpSkillZone credential?

The employer pastes the credential URL into a W3C VC verifier (or ours at /verify). The verifier fetches the credential JSON, reads the key identifier from the document, fetches the public key from the JWKS endpoint, and verifies the Ed25519 signature. No login, no API key, no phone call to UpSkillZone.

What happens to my credential if UpSkillZone shuts down?

The credential JSON and the public verification key are designed to outlive the platform. We commit to a 10-year key publication window and an open-source verifier library so credentials can be checked even if upskillzone.ai is offline. The credential body is self-contained — it includes everything needed to verify the signature.

What is Open Badges 3.0?

Open Badges 3.0 is an IMS Global standard for digital credentials that extends the W3C Verifiable Credentials Data Model. It defines how to represent educational achievements — including the evidence behind each claim — in a portable, interoperable format that any compliant verifier can read.

Can I see what is inside my credential?

Yes. The credential is a JSON-LD document at a stable URL. You can open it in a browser, paste it into any JSON viewer, or run it through the UpSkillZone verifier at /verify. It contains your skills, your graded artifacts (de-identified if you choose), the mentor key ID, and the Ed25519 signature.