Vouchsafe

Vouchsafe is a decentralized system for identity, trust, and verification — powered entirely by cryptography, not infrastructure.

It is an open cryptographic protocol and specification that defines how to create, verify, and exchange identity-bound tokens that work offline, across systems, and without the need for central servers or authorities.

What is Vouchsafe TL;DR How? Why? Blog Get Involved

What is Vouchsafe

Vouchsafe is a simple, open protocol and a set of specifications for distributed, cryptographically verifiable identity and trust.

It starts with a Vouchsafe ID (urn:vouchsafe:<label>.<hash>), a self-verifying identity derived directly from a public key. Anyone can confirm it’s real and unchanged with math alone: no registry, blockchain, or certificate authority required.

Then you add Vouchsafe tokens, specially formatted JWTs that express trust and authorization.

Each token is a signed, self-contained statement that can:

all verifiable offline and portable across systems.

Like GPG or PKI, your identity is tied to a key. Unlike those systems, Vouchsafe binds your identity to your key using math… not central servers or certificate chains.

Then it moves the unit of trust from keys to tokens. Each token says who you trust, for what, and for exactly how long all cryptographically verifiable, anywhere, even offline.

That’s a big shift: instead of trusting a key forever and trying to limit the damage later, you grant trust precisely, by purpose and by lifespan.

In short:

Vouchsafe makes identity, encryption, and trust self-contained. No servers. No authorities. Just math.

Vouchsafe provides a simple way to represent identity and trust relationships, giving you the power to prove, delegate, and verify trust anywhere, online or offline, without complex key infrastructure or reliance on central servers or authorities.

It’s usable anywhere and validates everywhere: no network connection, no blockchain, no trusted directory. Just simple, self-verifying tokens that you can verify locally, in milliseconds, using only math.

What does that mean for me?

Vouchsafe is “JWTs, with superpowers.” Portable, self-verifying tokens that eliminate key distribution, make identities human-readable and consistent across systems… all without central servers or databases.

It’s drop-in compatible with vanilla JWTs, simple enough for everyday developers, and powerful enough for fully distributed systems.

Anyone can create a Vouchsafe ID: a URN like

urn:vouchsafe:yourname.fzr5ph7jcw2tc4uvqj5fmwix4zb7y7suahy7ok7pw7umf75cywtq

and use it to sign tokens that verify themselves, no prior key exchange or trusted directory required.

Put another way, your frontend only needs to know the backend’s Vouchsafe ID to validate tokens locally, instantly, with no network calls.

For traditional development, it removes friction and adds security.

And it also opens the door to a new kind of application: one that still has strong authorization but keeps working when the network is intermittent or entirely offline.

With Vouchsafe, you can agree on trust relationships without ever connecting directly. You issue a token, and anyone, anywhere, can verify it: whenever and wherever they are.

And the best part? It’s Free.

Free as in beer, and free as in speech.

Vouchsafe isn’t a product you buy or a platform you get locked into. It’s an idea, a new way of doing things… that rewrites how we can handle identity and trust.

It doesn’t tell you who to trust. It gives you the power to verify trust for yourself - anytime, anywhere.

No central servers. No blockchains. No gatekeepers.

Just math. Just proof. Just trust that stands on its own.

Is Vouchsafe for you?

And if you want to build the future:

With Vouchsafe, you can build apps that have real identity and trust without central servers, fragile APIs, or complex auth flows.

Person to person. App to app.

Trust that works everywhere: online, offline, or when the network is gone entirely.

Whether you’re building a peer-to-peer platform, a community tool, or a system meant to coordinate in a disaster zone Vouchsafe gives you the tools to make it work, anywhere.

Vouchsafe makes distributed identity and trust practical… it’s ready today and you can start building with it right now.

How It Works

Vouchsafe starts with a cryptographic identity triple:

That means the ID and key are inseparable: change the key, and the ID changes too. You can’t spoof or swap.

Here’s the clever part: The public key is included inside every Vouchsafe token.

In most systems, that would be a security risk — but not here.

Because the Vouchsafe ID is derived from the key itself, any mismatch between the ID and key fails instantly. No lookup. No registry. No config. Just math.

Each token is a standard JWT, with a few additional claims:

A Closed Cryptographic Loop

Every token proves itself:

If those three checks pass — you can trust the token came from the identity.

No servers. No shared secrets. No directories. Just a token — and the math to prove it.

And because one identity can vouch for another, you can build portable webs of trust — delegating authority, granting permission, or verifying claims — all without infrastructure.

Why?

Decentralized services need identity, trust, and continuity - across devices, across time, and across connection gaps. Vouchsafe provides all of that, without centralized components.

Vouchsafe moves identity to the edge, where it’s safe from censorship, corporate capture, or institutional overreach.

It puts you in charge of your identity - not opaque systems or central servers.

It's revolutionary, but not complicated: Vouchsafe tokens are just JWTs with special fields and standardized validation rules - so they work anywhere JWTs work.

What Vouchsafe Solves

No pre-shared keys needed - trust is built into the tokens themselves.

Traditional cryptographic systems depend on pre-sharing keys - a step most leave as “figure it out yourself.” Until the key is delivered, there’s no trust. And worse, identifiers like email addresses aren’t secure - they are loosely bound to the key by the server. This rests the entire integrity of what you are doing on a single dynamic association in the servers database.

Vouchsafe skips all of that.

The identity is the key. It’s cryptographically bound to the public key - change the key, and the identity (the URN) changes too. That means the token can safely include the public key right inside it.

No setup. No registry. The key arrives with the token, and the math proves it’s legit.

Trust relationships can be expressed, validated, and shared using vouch tokens.

Vouchsafe lets you express trust with precision. You can vouch for a specific token, for a specific purpose - like allowing a service to send messages or access a resource - and that service can present your vouch as proof when making a request elsewhere.

This enables fine-grained, verifiable trust between systems. No shared configs. No mistaken identity. Just clear, portable statements of who’s trusted to do what - and cryptographic proof that the trust is real.

Vouchsafe makes trust something you can hand over - and prove.

Passwords are a terrible idea.

To prove who you are, you have to give away a secret - and hope the system you gave it to is legitimate (phishing), and doesn't get hacked or leak it. If it does, someone else can become you.

Vouchsafe works the opposite way. You keep your key. You use it to sign proofs - without ever giving the key away. Systems never see it, store it, or touch it. That means it can’t be stolen, guessed, or misused.

You don’t give away your identity to prove it. You prove it by holding on to it.

In most systems, your identity lives in someone else’s database.

You just access it. That means if someone else can access it, they can impersonate you. And if someone can block your access, you lose your identity.

Vouchsafe flips that model. Your identity lives with you, cryptographically. No one can use it without your key. Services have to ask you for access - not the other way around.

Almost every system fails when the network goes down.

If the server can’t be reached, identity checks stop working. In a disaster zone, your phone might not even know you’re allowed to use it - because it can’t ask.

Vouchsafe works anywhere - even offline. Vouchsafe tokens carry everything needed to prove who you are, what you’ve purchased, or what access you’re entitled to. That proof travels with you - not locked away in a remote data center.

No signal? No problem. Trust still works.

Decentralized and dynamic networks have special needs.

In distributed systems, identity is hard. There’s no central server to check - so how do nodes agree on who someone is? How do you keep identity stable across time, across devices, across disconnects?

Vouchsafe was built for this. A Vouchsafe identity is cryptographically bound to a key - and it's always the same. No lookup needed. If the token verifies, the identity is real.

That means any node can authenticate a user, store data tied to them, or act on their behalf - without coordination, and without the risk of being fooled.

Trust can be delegated, so systems don't need static key lists or manual updates.

Most key management systems are brittle. New keys need to be added, old ones rotated, updates pushed everywhere - and if anything falls out of sync, the whole system breaks.

Vouchsafe takes a smarter approach. Keys are delivered with the tokens they’re meant to verify. You don’t manage keys - you manage trust. A token proves identity, and includes the key, already bound to the identity.

Need to authorize someone new? Just provide a vouch token for their identity. Need to revoke that trust? Issue a revocation token. No manual updates. No system-wide redeploys. Trust relationships become portable, scoped, and dynamic.

Let others act on your behalf - in limited, auditable ways.

With Vouchsafe, you can say: “I trust Bob to save a file to my personal storage - up to 5MB - and nothing more.”

That trust can be encoded in a token, signed by you. No need for server-side lookups, special configs, or pre-integrated accounts. The storage system checks the token, verifies your signature, and knows: this action is allowed, and it came from you.

No overreach. No ambiguity. Just clear, verifiable delegation - scoped exactly how you define it.

The Practical Upshot

Vouchsafe was built for decentralized systems - where traditional identity and trust mechanisms simply fall apart.

Vouchsafe gives you things that are difficult, awkward, or outright impossible without it: portable identity, offline verification, and flexible, scoped delegation - all without needing a blockchain, a central server, or a swarm of microservices.

It works in disconnected environments. It works in peer-to-peer apps. It works even if the devices involved have never talked before. And the best part? It’s human-scale.

You don’t need a data center. You don’t need a PhD in cryptography. If you can use JSON and JWTs, you can use Vouchsafe.

And because it’s built on familiar, widely supported standards, it works just as well in traditional systems - adding cryptographic trust and portable identity to APIs, services, and apps that already use JWTs today.

Whether you're building the next decentralized protocol, or just trying to fix broken login flows in a SaaS app - Vouchsafe has your back.

Ready to start building using Vouchsafe?

Remember, vouchsafe already works anywhere JWTs work, so you can use it no matter what tech stack you are in. Talk to us on Discord if you are using it / creating a convenience library for other languages, we're happy to help.

Join the Community

Who's behind this?

Vouchsafe was created by Jay Kuri. It is maintained by the folks at Ionzero.

Vouchsafe is an open protocol.

Copyright © 2025, Jay Kuri