Vouchsafe

What is Vouchsafe

Vouchsafe is a foundational primitive for representing identity and trust, built on JWT.

Which is a fancy way of saying: it lets you easily know who someone is and what they are allowed to do.

At its simplist, Vouchsafe is JWTs but better - JWTs that are both more powerful and easier to work with.

👩‍💻 For Traditional Application Developers, Vouchsafe makes your life easier:

EASY One-line identity & key generation (code or CLI)
Human-readable identifiers instead of opaque UUIDs
No key distribution headaches - the token carries its own key
Instant verification - no API calls, no pre-shared keys, even offline
Simple interface for creating and validating Vouchsafe tokens
Drop-in compatible - use it anywhere you already use JWTs, with only minor code changes.

🛰️ For advanced developers, Vouchsafe gives you real power tools:

Globally unique, registry-free IDs - no resolver required
Cryptographically provable identity ↔ key binding
Portable Identity across services and orgs same ID = same actor, guaranteed
Simpler API configs - better security, no opaque key blobs
Portable trust chains - attest information, delegate authority, revoke cleanly

🔓 If you like Decentralization, you get all the power, with none of the baggage:

Identity that is truly yours - self-issued and portable
Locally owned, globally verifiable - Anyone can confirm, no registry needed
No infrastructure required - No resolvers, no central servers, works even offline
Truly portable - Works across systems, even if they’ve never met
Continuous identity across time and connections - you remain yourself, without handshakes, central servers or resumption protocols
Web of Trust without intermediaries - anyone can vouch for anyone
No corporate lock-in - not Google, not Apple, not anyone

Too Long; Didn’t Read

Vouchsafe is “JWTs, with superpowers” - portable, self-verifying tokens that eliminate key distribution, make identities human-readable and consistent across systems, all without central servers or databases.

It’s drop-in compatible with vanilla JWTs, simple enough for everyday developers, and powerful enough for decentralized systems. For traditional development, it removes friction and adds security. For the future of the internet, it opens the door to a new way of handling identity and trust.

Identity doesn’t have to be a corporate shade of green.

The corporate capture of online identity is recent - and those same corporations would like us to believe it’s inevitable. They benefit from the idea that identity must be centralized to work. But it isn’t true. Vouchsafe proves that identity can thrive without centralized servers, that we can trust each other without them in the middle.

And unlike corporate systems that hoard that power, Vouchsafe wants you to wield it. Portable, self-verifying, and secured by cryptography, it makes self-sovereign identity not just possible, but practical.

Is Vouchsafe for you?

If you want JWTs that don’t suck: Vouchsafe is for you.
If you want powerful, easy-to-use tools for consistent, verifiable trust: Vouchsafe is for you.
If you’re ready to build a world where identity isn’t held hostage by central authorities: Vouchsafe is definitely for you.

How It Works

Vouchsafe starts with a cryptographic identity triple:

A Vouchsafe ID — a human-readable URN, mathematically derived from a public key
A public/private keypair — generated and controlled by the identity owner
A binding — the ID is a fingerprint of the public key

That means the ID and key are inseparable: change the key, and the ID changes too. You can’t spoof or swap.

Here’s the clever part: The public key is included inside every Vouchsafe token.

In most systems, that would be a security risk — but not here.

Because the Vouchsafe ID is derived from the key itself, any mismatch between the ID and key fails instantly. No lookup. No registry. No config. Just math.

Each token is a standard JWT, with a few additional claims:

iss — the Vouchsafe ID (identity)
iss_key — the public key
A signature — created using the matching private key
Optional claims — for vouching, delegation, and purpose

A Closed Cryptographic Loop

Every token proves itself:

The ID proves the public key is correct
The signature proves the private key was used
The public key proves the signature is valid

If those three checks pass — you can trust the token came from the identity.

No servers. No shared secrets. No directories. Just a token — and the math to prove it.

And because one identity can vouch for another, you can build portable webs of trust — delegating authority, granting permission, or verifying claims — all without infrastructure.

Why?

Decentralized services need identity, trust, and continuity - across devices, across time, and across connection gaps. Vouchsafe provides all of that, without centralized components.

Vouchsafe moves identity to the edge, where it’s safe from censorship, corporate capture, or institutional overreach.

It puts you in charge of your identity - not opaque systems or central servers.

It's revolutionary, but not complicated: Vouchsafe tokens are just JWTs with special fields and standardized validation rules - so they work anywhere JWTs work.

What Vouchsafe Solves

Key Distribution

No pre-shared keys needed - trust is built into the tokens themselves.

Traditional cryptographic systems depend on pre-sharing keys - a step most leave as “figure it out yourself.” Until the key is delivered, there’s no trust. And worse, identifiers like email addresses aren’t secure - they are loosely bound to the key by the server. This rests the entire integrity of what you are doing on a single dynamic association in the servers database.

Vouchsafe skips all of that.

The identity is the key. It’s cryptographically bound to the public key - change the key, and the identity (the URN) changes too. That means the token can safely include the public key right inside it.

No setup. No registry. The key arrives with the token, and the math proves it’s legit.

Trust communication

Trust relationships can be expressed, validated, and shared using vouch tokens.

Vouchsafe lets you express trust with precision. You can vouch for a specific token, for a specific purpose - like allowing a service to send messages or access a resource - and that service can present your vouch as proof when making a request elsewhere.

This enables fine-grained, verifiable trust between systems. No shared configs. No mistaken identity. Just clear, portable statements of who’s trusted to do what - and cryptographic proof that the trust is real.

Vouchsafe makes trust something you can hand over - and prove.

Identity proof

Passwords are a terrible idea.

To prove who you are, you have to give away a secret - and hope the system you gave it to is legitimate (phishing), and doesn't get hacked or leak it. If it does, someone else can become you.

Vouchsafe works the opposite way. You keep your key. You use it to sign proofs - without ever giving the key away. Systems never see it, store it, or touch it. That means it can’t be stolen, guessed, or misused.

You don’t give away your identity to prove it. You prove it by holding on to it.

Identity ownership

In most systems, your identity lives in someone else’s database.

You just access it. That means if someone else can access it, they can impersonate you. And if someone can block your access, you lose your identity.

Vouchsafe flips that model. Your identity lives with you, cryptographically. No one can use it without your key. Services have to ask you for access - not the other way around.

Offline Trust

Almost every system fails when the network goes down.

If the server can’t be reached, identity checks stop working. In a disaster zone, your phone might not even know you’re allowed to use it - because it can’t ask.

Vouchsafe works anywhere - even offline. Vouchsafe tokens carry everything needed to prove who you are, what you’ve purchased, or what access you’re entitled to. That proof travels with you - not locked away in a remote data center.

No signal? No problem. Trust still works.

Decentralized Identity

Decentralized and dynamic networks have special needs.

In distributed systems, identity is hard. There’s no central server to check - so how do nodes agree on who someone is? How do you keep identity stable across time, across devices, across disconnects?

Vouchsafe was built for this. A Vouchsafe identity is cryptographically bound to a key - and it's always the same. No lookup needed. If the token verifies, the identity is real.

That means any node can authenticate a user, store data tied to them, or act on their behalf - without coordination, and without the risk of being fooled.

Key configuration management

Trust can be delegated, so systems don't need static key lists or manual updates.

Most key management systems are brittle. New keys need to be added, old ones rotated, updates pushed everywhere - and if anything falls out of sync, the whole system breaks.

Vouchsafe takes a smarter approach. Keys are delivered with the tokens they’re meant to verify. You don’t manage keys - you manage trust. A token proves identity, and includes the key, already bound to the identity.

Need to authorize someone new? Just provide a vouch token for their identity. Need to revoke that trust? Issue a revocation token. No manual updates. No system-wide redeploys. Trust relationships become portable, scoped, and dynamic.

Trust Delegation

Let others act on your behalf - in limited, auditable ways.

With Vouchsafe, you can say: “I trust Bob to save a file to my personal storage - up to 5MB - and nothing more.”

That trust can be encoded in a token, signed by you. No need for server-side lookups, special configs, or pre-integrated accounts. The storage system checks the token, verifies your signature, and knows: this action is allowed, and it came from you.

No overreach. No ambiguity. Just clear, verifiable delegation - scoped exactly how you define it.

The Practical Upshot

Vouchsafe was built for decentralized systems - where traditional identity and trust mechanisms simply fall apart.

Vouchsafe gives you things that are difficult, awkward, or outright impossible without it: portable identity, offline verification, and flexible, scoped delegation - all without needing a blockchain, a central server, or a swarm of microservices.

It works in disconnected environments. It works in peer-to-peer apps. It works even if the devices involved have never talked before. And the best part? It’s human-scale.

You don’t need a data center. You don’t need a PhD in cryptography. If you can use JSON and JWTs, you can use Vouchsafe.

And because it’s built on familiar, widely supported standards, it works just as well in traditional systems - adding cryptographic trust and portable identity to APIs, services, and apps that already use JWTs today.

Whether you're building the next decentralized protocol, or just trying to fix broken login flows in a SaaS app - Vouchsafe has your back.

Ready to start building using Vouchsafe?

📦 Get the Reference Library – Use it in your app today (reference library in JavaScript, browser or Node)
📖 Read the Spec – Everything is open, documented, and implementation-ready

Remember, vouchsafe already works anywhere JWTs work, so you can use it no matter what tech stack you are in. Talk to us on Discord if you are using it / creating a convenience library for other languages, we're happy to help.

Join the Community

💬 Join the Discord – Help shape the ecosystem

Who's behind this?

Vouchsafe was created by Jay Kuri. It is maintained by the folks at Ionzero.

Vouchsafe is an open protocol.

Vouchsafe is a revolutionary way to represent identity and trust - portable, self-verifying and secured by strong cryptography.