Everything You Need to Know About VC Revocation

Self-Sovereign Identity (SSI) is a form of identity where users have complete control over their data and how it is shared with others.
Nov 15, 2021

Self-Sovereign Identity (SSI) is a form of identity where users have complete control over their data and how it is shared with others. Verifiable Credentials (VCs), on the other hand, are a W3C standard for implementing SSI.

There are three parties involved in a VC — issuer, holder, and verifier, and together they form what’s called the trust triangle.

The entire process begins when the issuer creates a VC that contains one or more details of a holder. As a part of this process, an issuer also can revoke a VC, as circumstances of the holder may change.

For example, a holder may no longer be a student of a university/college, hence his/her student VC must be revoked. The same applies when a holder is no longer an employee or when a government ID such as a driver’s license, visa, or passport has expired.

Now that you know why VCs need to be revoked, let’s drill down to the implementation.

Status of a VC

The status of a VC is checked by the verifier to ensure that it is still valid. From an implementation standpoint, W3C’s specification has a property called the credentialStatus property that contains information about the current status of a VC.

The credentialStatus property of a VC must include,

  • id — a URL
  • type — describes the status of a credential. The value of this property is used to determine the current status of a VC

The actual implementation varies greatly and could even include a link to an external document that contains the credential’s validity.

Here’s an implementation example.

italic text

The above example is a list-based credential revocation, which means, the status of many VCs is contained in a single list.

Here’s how this list looks.

italic text

Finally, you have to provide the protocol, which is HTTP GET.

italic text

Thus, this is an example of how you can implement VC Revocation.

Moving on, let’s see Affinidi’s implementation of the same.

Affinidi’s VC Revocation APIs

Affinidi has implemented a list-based credential revocation, and its general flow is depicted in the below diagram.

The specific APIs that handle VC Revocation in Affinidi’s stack are:

  • CreateDidAuthRequest
  • Revocation list 2020 Credential (issuerDid)
  • BuildRevocationList2020
  • RevokeCredential
  • PublicRevocationListCredential

Let’s take a look at the functionality of each of these APIs including their sample requests and responses.


In the CreateDidAuthRequest API, the client sends a request to the server that it wants to get authenticated. The server creates a request and the client creates a response for that request using auth. This uses HTTP POST.

Here’s a sample of the request.

italic text

And the response is the “string” itself.

RevocationList2020Credential (issuerDid)

This API is required to check if the VC was revoked. This uses the HTTP GET protocol.

The response to this HTTP request looks like this.

italic text


As the name suggests, this API builds the revocation list and uses the HTTP POST protocol.

The request must include the credentialID and the subjectDID.

italic text

The response will be like this. italic text


This API sets the revoke status based on the id and updates the reason for revocation as well. It also uses the HTTP POST protocol.

The request will contain two parameters, as follows.

italic text

The response will be,

italic text


This API is required to be a separate endpoint at the flow, to have this service generic and revocation service to not know the issuer’s private key (so issuer signing revocationListVC on his side, and then using this endpoint to publish it.

Thus moving forward Verifiers will be able to use it to verify/check the status of revocable VCs related to this revocationList VC).

Here’s a sample of the request.

italic text

And the response will be like this. {

Thus, this is how you can revoke VCs using Affinidi’s stack. As you can discern, these APIs handle the bulk of the functionality and all that you have to do is use them in your application.

If you have any further questions on using these APIs, reach out to us on Discord.

Also, read through our blog posts, join our mailing list, and follow us on LinkedIn, Facebook, and Twitter.

The information materials contained in this article are for general information and educational purposes only. It is not intended to constitute legal or other professional advice.

Get an email whenever Affinidi Publishes!