Creating a DID
When to use
You already have one DID (provisioned at signup), but you want a second — typically for role separation (one for personal credentials, one for agent operation, one for issuing). DIDs are cheap; create as many as your use case needs.
Before you begin
- You must be signed in.
- Your account quota allows the new DID (default: 25 DIDs/account; ops-tunable).
Steps
- Navigate to My DIDs (
/dids). - Click Create DID (top-right).
3. Choose key type:
- Ed25519 (default, recommended for credential signing) — see §12.3 Cryptography.
- secp256k1 — useful if you need EVM-address compatibility or cross-chain interop.
- (Optional) attach one or more services (each
{ id, type, serviceEndpoint }) — these are written into the DID Document. - Click Create. The portal calls
POST /api/v1/dids(did.go:56). The request body accepts only two fields:keyType("Ed25519"or"Secp256k1", defaults toEd25519) and an optionalservices[]array. - Watch the status pill go from Pending → Active (typically 2–5 seconds on testnet).
API & SDK
Response:
Verify
The DID appears in /dids. Resolve it:
Troubleshooting
3.1.3. The DID Document Explained ##### Overview
A DID Document is a JSON-LD object that describes the DID’s keys and endpoints. The shape conforms to W3C DID Core 1.0 §5. On IDA, your DID Document is autogenerated when the DID is created and editable for service endpoints, delegates, and attributes.
Anatomy
Why it matters
Every signature you make in the platform is verified against one of these public keys. If your DID Document is wrong (key revoked, endpoint stale), every relying party will see your verifications fail — silently. Treat the DID Document as your public profile for anything cryptographic.
How it fits
The DID Document is stored on chain in the DIDRegistry contract (see §11.2) and cached in the API’s Postgres. The cache is invalidated by chain events (DIDUpdated, DIDDeactivated). Off-chain readers can either trust the cache (faster) or read directly from chain (more authoritative).
3.1.4. Updating Service Endpoints ##### When to use
You want to add a service endpoint to your DID Document — typically a DIDComm receive URL, an agent card URL, or a custom service for a domain-specific protocol.
Before you begin
- You own the DID (you cannot edit someone else’s).
- The endpoint URL is reachable from the public internet (or the receiver explicitly allows non-public URLs).
Steps
- Open
/dids/:did(DID Detail page). - Scroll to Services, click Add service.
3. Fill in:
- Type — e.g.
DIDCommMessaging,LinkedDomains,AgentCard. - Service endpoint — full URL.
- ID (auto-generated, hash-suffixed).
- Type — e.g.
- Click Save. The portal calls
PUT /api/v1/dids/{did}(did.go:123) with the merged DID Document. The API verifies you own the DID, signs the chain transaction (using your wallet’s MPC key), and emitsDIDUpdated.
API & SDK
Verify
The new service object should be in the service array.
Troubleshooting
3.1.5. Key Rotation ##### When to use
- You suspect (or know) the key has been compromised.
- The platform’s recommended rotation cadence (90 days for high-risk DIDs).
- You are migrating from secp256k1 to Ed25519 for credential signing.
Before you begin
- You own the DID.
- You will not need the old key for anything in the next 5 minutes (the rotation is immediate; old key is no longer authoritative).
Steps
- Open
/dids/:didand click Rotate key. 2. Confirm the key type for the new key (defaults to the same as the existing one). - Click Rotate. The portal calls
POST /api/v1/dids/{did}/rotate-key(did.go:197). - Server-side:
- Verifies caller owns the DID.
- Generates a new keypair.
- Builds a new DID Document with the new
verificationMethod. - Submits
updateDIDto the DIDRegistry signed by the current (about-to-be-rotated) key. (After this transaction, the old key is no longer inverificationMethod.) - Inserts the old key into
did_key_historyfor audit/replay diagnostics.
API & SDK
Verify
Re-resolve the DID. The verificationMethod should now contain the new publicKeyMultibase. The updated field on the DID Document metadata should reflect the new timestamp.
Troubleshooting
⚠️ Warning — Any active credential signed by the old key remains valid as long as the old key is in the DID’s key history. Verifiers SHOULD check
did_key_history(exposed via the DID Document metadata) when validating older VCs. The Verification Engine in the portal does this automatically.
3.1.6. Deactivating a DID ##### When to use
You no longer want anyone to trust this DID for new credentials/presentations. Deactivation is a soft-delete: the DID Document remains resolvable but is flagged deactivated: true, and the platform refuses to use it for issuance, presentation, or DIDComm.
Before you begin
- You own the DID.
- You have no active credentials issued by this DID that you intend to revoke first (revoke them before deactivating; afterwards the deactivated DID cannot be used to sign revocation entries).
Steps
- Open
/dids/:did. - Click Deactivate (red button at the bottom).
- Confirm in the modal — type the DID into the confirmation field.
- The portal calls
DELETE /api/v1/dids/{did}(did.go:166). The handler emitsDIDDeactivatedon the registry.
API & SDK
Verify
Resolution still works, but the document metadata shows deactivated: true. Per W3C DID Core 1.0 §5.2, this is the canonical end state.
Troubleshooting
3.1.7. Adding & Revoking Delegates ##### When to use
A delegate is a different DID authorised to act on behalf of yours for a specific purpose (e.g. an agent DID that may sign DIDComm messages on your behalf, or an organisational sub-DID that may issue credentials under your authority). Delegation is the cleaner alternative to sharing keys.
Before you begin
- You own the principal DID.
- The delegate’s DID is resolvable.
Steps
- Open
/dids/:didand scroll to Delegates. - Click Add delegate.
3. Fill:
- Delegate (
delegate) — the delegate’s DID or address, e.g.did:adi:0x4f3a.... - Type (
delegateType) — e.g.sigAuth,veriKey(per ERC-1056 conventions). - Validity (
validity) — number of seconds (default 86400 = 24 h).
- Delegate (
- Save. The portal calls
POST /api/v1/dids/{did}/delegates(did.go:290). The body is the params object directly:{ delegateType, delegate, validity }.
API & SDK
Verify
Returns an array [{ delegate, delegateType, validUntil }].
Troubleshooting
3.1.8. DID Attributes ##### When to use
You want to attach a small piece of structured data to your DID — e.g. a service URL, a name, a hash — without modifying the DID Document directly. This mirrors the ERC-1056 attribute mechanism: signed key/value pairs anchored on chain.
Before you begin
- You own the DID.
- The attribute name is short (≤32 bytes) and meaningful.
Steps
- Open
/dids/:didand scroll to Attributes. - Click Set attribute.
- Enter:
- Name — e.g.
did/svc/HubService,did/auth/email. - Value — string or hex-encoded bytes.
- Validity — seconds.
- Name — e.g.
- Save. Calls
POST /api/v1/dids/{did}/attributes(did.go:369).
API & SDK
Verify
Resolve the DID; the attribute is exposed via the didDocumentMetadata.attributes array (or whatever the resolver returns — see §3.1.9).
Troubleshooting
If a value isn’t appearing, the most common cause is a stale cache. Force a re-resolve with:
3.1.9. Universal DID Resolver Tool ##### When to use
You need to fetch the DID Document for any DID — yours, someone else’s, or a DID from a different method entirely. The universal resolver is the public, no-auth endpoint that does this.
Before you begin
Nothing required. The endpoint is unauthenticated.
Steps
- Open the DID Resolver page in the portal (
/tools/did-resolver) — or just call the endpoint directly. - Paste the DID into the input field.
- Click Resolve.
- The portal calls
GET /api/v1/dids/resolve/{did}(did.go:29, registered atrouter.go:74).
Supported methods
API
Response shape (per W3C DID Resolution):
Verify
Compare the returned key fingerprint against an out-of-band channel (e.g., the issuer’s website, a printed business card). DID Documents are public, but their binding to a real-world entity is your responsibility.
