Skip to content

Credentials

A credential is an attestation that a project has met a specific policy.

Credentials are typically issued once an auditing team deems the policy’s requirements have been implemented to a satisfactory degree. When issuing a credential, the issuer must always specify an expiration date. An active credential can also be revoked at any time.

Key concepts and actions associated with credentials include:

Credentials are machine-readable JSON files which follow the W3C Verifiable Credential format.

Each credential includes:

  • The project and policy it attests to.
  • The declarations and reviews that support the attestation, referenced by their CIDs.
  • The person who issued the credential.
  • A validity period, defined by its issue date and expiration date.
  • A revocation status, so the credential can be revoked before its expiration date if needed.

Because every credential is cryptographically-signed, anyone can verify who issued it and confirm it has not been altered since. Credentials appear under the Certification tab of an applied policy, in the Issued Credentials table. Once a policy has an active credential, the project displays a Certified status.

A credential can be issued at any time, regardless of how many controls in the policy have been marked Compliant.

To issue a credential:

  1. From an applied policy, select the Certification tab
  2. Select Issue Credential
  3. Enter an Expiration Date and choose the date and time the credential will expire
  4. Select Review
  5. Review the credential summary, then select Issue Credential

A credential can be downloaded as a JSON file for independent verification.

To download a credential:

  1. From an applied policy, select the Certification tab
  2. In the Issued Credentials table, select the actions menu (⋮) on the credential’s row
  3. Select Download Credential

Revoking a credential invalidates it before its expiration date. This can be used, for example, if a project’s compliance status changes after the credential was issued.

Revoked credentials cannot be made active again — a new credential would have to be issued.

To revoke a credential:

  1. From an applied policy, select the Certification tab
  2. In the Issued Credentials table, select the actions menu (⋮) on the credential’s row
  3. Select Revoke Credential
  4. Provide a reason for revoking the credential
  5. Select Revoke Credential to confirm

Once revoked, the credential’s reason for revocation — along with who revoked it and when — can be viewed by selecting the credential’s row in the Issued Credentials table.