Start with Identity
Standard · recommendation

Decentralized Identifiers (DID)

W3C DID Core 1.0W3CDID Core 1.0 Recommendation (July 2022); DID Resolution and did:web maintained by W3C DID WGOfficial spec ↗

What it is

A Decentralized Identifier (DID) is a globally unique identifier that its subject controls directly, without a central registration authority. It is the addressing layer of decentralized identity: where a URL points to a web page, a DID points to a DID document that holds the public keys and service endpoints needed to interact with the subject, whether that subject is a person, an organization, or a device.

A DID looks like did:method:identifier, for example did:web:example.com or did:key:z6Mk.... It is standardized by W3C DID Core 1.0.

How it works

  • Resolution: software resolves a DID to its DID document using the rules of the DID's method. The document lists verification methods (public keys) and services.
  • Control: the subject holds the private keys, so only they can update the document or sign as the DID. There is no provider to revoke or reassign it.
  • Anchoring credentials: an issuer's DID lets a verifier fetch the issuer's public key and check a verifiable credential signature without a central directory.

DID methods

The method segment determines how a DID is created and resolved. They fall into two broad camps, covered in depth in our DID methods compared guide:

  • Ledgerless: did:web (anchored to a domain over HTTPS, the pragmatic enterprise default), did:key (a self-contained key, no network lookup), did:jwk.
  • Ledger-anchored: did:ion (Bitcoin, Sidetree), did:ethr (Ethereum), did:indy (Hyperledger Indy). These add decentralization at the cost of ledger dependency. See DID method.

Status

DID Core 1.0 has been a W3C Recommendation since July 2022. The DID Working Group continues to maintain resolution and specific method specifications. In practice, did:web dominates enterprise deployments because it needs no blockchain, while wallet and government programs increasingly reference DIDs alongside SD-JWT VC issuance.

When to use it

Use DIDs when you need issuer and holder identifiers that are portable and not tied to one provider's namespace. For most enterprises starting out, did:web gives the benefits of the standard with the operational simplicity of DNS and TLS you already run.

Pitfalls

  • Key management and recovery are your responsibility; losing control of the keys means losing control of the DID.
  • Method choice matters: ledger-anchored methods bring governance and cost considerations that did:web avoids.
  • A DID is only an identifier. Trust still comes from the credentials issued and the trust registries that vouch for issuers.

Related

Guides: what is decentralized identity, DID methods compared. Standards: Verifiable Credentials, OpenID4VC. Glossary: DID, DID document, DID method. Vendors: decentralized identity.

Independent, community-driven reference. Always confirm details against the official specification linked above.