DIDKit and Verifiable Credentials

Michael Ruminer
3 min readDec 16, 2023
logo for DIDKit

Recently I made a post on Veramo and Verified Credentials where I discussed a little bit about Veramo and my findings in trying to use it. This post is about DIDKit from SpruceID. DIDKit is another set of packages for creating DIDs, verifiable credentials, verifiable presentations, etc. I only used the command line interface (CLI) tool in my experimentation with it and was entirely focused on DID creation. This is how it went.

First off, let me say that I tried DIDKit not only because I wanted to see how another tool worked but because when using Veramo there is no way via the CLI to get the private key for a DID I created. I suspect with enough magic it could be retrieved via JavaScript, but maybe not. It’s locked away in a key management system (KMS).

Secondly, I found Create and Post Your Own did:web post to be easier to navigate than the directions on the SpruceID site. I did find somewhere in the DIDKit docs how to create a did:web from their did:key generation command but can’t find it again which only goes to show how difficult it is to find some information in their documentation. (Since initially writing this I looked harder and did find it at “did-web in minutes”)Although SpruceID says it supports did:web it seems that it can resolve did:web but it doesn’t create a did:web fully. You must create a did:key and make some edits on it to make it into a did:web. The edits are minor, but I consider this a weird limitation. I read somewhere along the way that it only supports the ED25519 curve in creating did:key/did:web, but I am not sure if that limitation referred only to creation or resolving as well.

Once I created a JSON Web Key (JWK) using one of their key generation functions, built the did:key from the key, edited it to be a did:web, and published it to manicprogrammer.github.io/.well-known/did.json it resolved fine with their “didkit did-resolve” command.

Unlike the Veramo tool, I found no way through the CLI to add services so I just manually added a DIDComm service to the DID. As with my Veramo post let me say — don’t message me on that DIDComm service as I don’t have nor have I found a mobile device agent/wallet to which I can add an existing DID and mediator endpoints for DIDComm much less the DIDComm v2 endpoint I gave it. So I can’t get the messages. Even blocktrust.dev which has the mediator doesn’t have such a thing. Perhaps I’ll setup a browser based DIDComm messaging app to test it out if I can find a DIDComm V2 set of libraries for the browser. (I’ll have to get proficient with JavaScript though, which I have never found the time to do.) Why do I have the endpoint in the DID then? Just for fun to see that I could add one and it properly resolve. Obviously, I have not been able to test it.

What else did I find in my experience with DIDKit? In the documentation, I couldn’t find what the below ‘key” parameter did. But, following the directions to create a did:key the below command worked:

didkit key-to-did key -k issuer_key.jwk

I also found that on its Github it doesn’t have a discussion section.

All in all, the toolkit did a good job from the CLI. I am likely to try out the creation of a VC with it. It has packages for Rust (in which DIDKit is written), C, Java/Android, Python, and Javascript.



Michael Ruminer

Delving into verifiable credentials. did:web:manicprogrammer.github.io