Data Rights Credential (VC)

This page explains how delegation evidence can be conveyed as a Verifiable Credential (VC), without changing the existing policy model (policyIssuer, accessSubject , policySets , rules). The purpose is interoperability with ecosystems using VCs while preserving iSHARE semantics.

Main Differences

  • Semantics stay the same: the delegation evidence JSON (targets, actions, constraints, licenses, validity) and the authorisation decision logic at the Service Provider are unchanged.

  • Envelope and Transport changes: instead of receiving and sending a signed JWT, parties issue and present a VC (or a Verifiable Presentation). Status lists enable revocation and suspension states that are not available with plain short-lived JWTs.

    • The Authorisation Registry MAY issue the credential (on behalf of the Entitled Party) and MAY act as the Verifiable Data Registry; alternatively, scheme owner/data spaces publish the JSON Schemas.

Credential Structure

When using VCs, the Authorisation Registry can issue a DatarightsCredential that embeds the existing datarights evidence. Service Providers verify the credential (including revocation status) and then evaluate the embedded policies as they do today. A DatarightsCredential issued by, or on behalf of, the Authorisation Registry carries the current evidence under credentialSubject.datarightsEvidence. The VC conforms to VC Data Model 2.0 (JSON-LD or VC-JWT).

{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://schemas.ishare.eu/v3/datarights.json"
  ],
  "id": "http://authorisationregistry.example/credentials/e25d402a-d240-48e7-b749-fb5b01546bfd",
  "type": [
    "VerifiableCredential",
    "DatarightsCredential"
  ],
  "issuer": "did:ishare:EU.NL.NTRNL00000000",
  "validFrom": "2025-05-10T08:00:00Z",
  "credentialSubject": {
    "id": "did:ishare:EU.NL.NLNTR-12345678",
    "alsoKnownAs": [
      "did:elsi:LEIXG-724500AZSGBRY55MNS59",
      "did:key:z6MkhfrsD3GUMjGvRxTTSamE1WnS9w3nDJLeZzT1KZVrU5tE",
      "did:web:example.com",
      "AS.JA.NTA:1234567890123"
    ],
    "datarightsEvidence": {
      "notBefore": 1541058939,
      "notOnOrAfter": 2147483647,
      "policySets": [
        {
          "maxDelegationDepth": 0,
          "target": {
            "environment": {
              "licenses": [
                "https://licenses.ishare.eu/general-unrestricted/1.0"
              ]
            }
          },
          "policies": [
            {
              "target": {
                "resource": {
                  "type": "GS1.CONTAINER",
                  "identifiers": [
                    "180621.ABC1234"
                  ],
                  "attributes": [
                    "GS1.CONTAINER.ATTRIBUTE.ETA"
                  ]
                },
                "actions": [
                  "ISHARE.READ"
                ]
              },
              "rules": [
                {
                  "effect": "Permit",
                  "conditions": {
                    "allOf": [
                      {
                        "leftOperand": "serviceProvider",
                        "operator": "equal",
                        "rightOperand": "did:ishare:EU.NL.NTRNL-10000003"
                      }
                    ]
                  }
                }
              ]
            }
          ]
        }
      ]
    }
  },
  "credentialStatus": {
    "id": "https://authorisationregistry.example/status/2025-05#12345",
    "type": "BitstringStatusListEntry",
    "statusPurpose": "revocation",
    "statusListIndex": "12345",
    "statusListCredential": "https://authorisationregistry.example/status/2025-05"
  }
}
PreviousExample casesNextOperational

Last updated