How Decentralized Identifiers (DIDs) Work on Blockchain - A Practical Guide
Enter a DID string (e.g., did:ethr:0x1234abcd) to validate format and extract blockchain details
did: - Protocol prefix indicating a decentralized identifier
ethr - Method name (Ethereum-specific)
0x1234abcd... - Blockchain-specific identifier
Each DID references a DID Document stored on a blockchain ledger that contains public keys and authentication methods
Ever wondered why the phrase “you own your digital self” keeps popping up in blockchain chats? The secret sauce is decentralized identifiers. Unlike usernames or email addresses that live on a company’s server, DIDs let you prove who you are directly on a blockchain, without a middle‑man. This guide walks you through the nuts and bolts of DIDs, how they sit on a ledger, and what you need to know before you start building.
Decentralized Identifier (DID) is a W3C‑standard string that lets an entity create, own, and control a digital identifier without relying on a centralized registrar. The format always starts with did:, followed by a method name (e.g., ethr for Ethereum) and a unique method‑specific string. A DID looks like did:ethr:0x1234abcd....
The key idea is sovereignty: the owner holds a private key that signs actions, and the corresponding public key lives in a DID Document a JSON‑LD document stored on‑chain that lists public keys, authentication methods, and service endpoints. Anyone can fetch the document, verify the signatures, and trust the identifier.
Think of a blockchain as an immutable notebook. When you create a DID, you submit a transaction that writes the DID Document to the ledger. Because the ledger is consensus‑driven, the entry can’t be altered retroactively-perfect for tamper‑evident identity.
Different blockchains provide different trade‑offs. Ethereum offers strong smart‑contract capabilities but charges gas (≈ $0.45 per write in 2023). The XRP Ledger confirms in 3‑5 seconds with negligible fees (< $0.001). Hyperledger Indy is purpose‑built for identity and can handle thousands of DID writes per second in a permissioned setting.
authentication: [{"type":"Ed25519VerificationKey2018","controller":"did:ethr:0x...","publicKeyBase58":"..."}]).capabilityDelegation or capabilityInvocation field to enable delegated authority.All of these pieces are transparent on the ledger, so any verifier can check them without contacting a central authority.
Each blockchain needs its own “method” to translate the generic DID format into concrete on‑chain actions. Here are the three most used today:
Once you have a DID, you can issue Verifiable Credential a tamper‑proof digital attestation (like a diploma or driver’s license) signed by an issuer’s private key. The holder stores the credential in a wallet, and a verifier checks two things:
Because the verification step only needs the public DID Documents, no centralized database is involved-exactly the privacy advantage that DIDs promise.
| Feature | DIDs (Blockchain) | OAuth/OpenID Connect |
|---|---|---|
| Control | User holds private key; no third‑party issuer. | Identity provider (Google, Microsoft) controls credentials. |
| Privacy | Selective disclosure via zero‑knowledge proofs. | Often share email or profile data. |
| Cost | Transaction fees (variable; cheap on XRPL, higher on Ethereum). | Typically free for end‑users; provider bears infrastructure cost. |
| Scalability | 15‑45 ops/sec on Ethereum; higher on layer‑2 or Indy. | Thousands of auth requests per second. |
| Usability | Requires wallet & key management. | Familiar sign‑in flow; no keys needed. |
| Legal Recognition | Limited (12 countries as of 2023). | Widely accepted worldwide. |
In short, DIDs win on sovereignty and privacy but still lag on mass adoption and ease of use. If you value data minimisation above friction, DIDs are worth exploring.
did:ethr:0xAbCd...).https://resolver.identity.foundation/1.0/identifiers/<did>) or use the SDK’s resolve() function. The resolver fetches the on‑chain Document and returns the JSON‑LD.publicKey field against the signature of any message you receive.Developers typically need 80‑120 hours of training to master all moving parts, while end users can get comfortable after a few practice runs with a wallet.
Researchers predict that by 2026, 40% of DID implementations will combine AI‑driven biometrics with cryptographic proofs. Cross‑chain bridges like Polygon ID’s zk‑proof layer aim to push throughput past 2,000 operations per second, narrowing the gap with OAuth providers.
Key challenges remain:
When those pieces fall into place, DIDs could become the “missing link” between Web3’s trust layer and everyday login experiences, potentially serving billions of users.
A DID needs a trust anchor. Most specifications require a ledger-public or private-so a pure off‑chain DID would break the verifiable‑by‑anyone guarantee.
Because DIDs rely on asymmetric cryptography, a compromised password can be guessed, but a private key can’t be brute‑forced with current computing power. The real risk is losing the key, not it being hacked.
Yes. Wallet apps like MetaMask Mobile, Trust Wallet, and XUMM let you generate and present DIDs directly from your phone, although UX is still improving.
W3C specifications say a DID persists across forks as long as the DID Document remains on the longest‑chain. Some methods add a stateProof to guard against accidental splits.
The DID Resolver 1.0 spec defines a generic HTTP API, and projects like resolver.identity.foundation provide a public endpoint that works for most registered methods, but not every blockchain has a live resolver yet.
Elizabeth Chatwood
Yo DIDs are the future