Vouchsafe

What is Vouchsafe?

Vouchsafe is a specification for self-contained identity and trust. It defines how to use JWTs to express who someone is — and what they’re allowed to do — without lookups, shared secrets, or centralized databases.

In traditional systems, a user or service presents a secret, and the system performs a lookup to figure out who they are, whether to trust them and what permissions they have.

Vouchsafe flips that model.

Instead of asking a server, the user presents a self-issued token — and optionally other Vouchsafe tokens — that prove their identity and communicate exactly what actions they’re authorized to perform.

The tokens contain everything needed to validate those claims: the identity, the public key, and the cryptographic proof.

No central lookup. No guesswork. Just portable, verifiable trust — by design.

Too Long; Didn’t Read

Vouchsafe defines how to create a cryptographically provable identity — and how to express what that identity is allowed to do.

It also lets one identity vouch for another — delegating trust in a clear, verifiable way.

Built on JWTs, it works anywhere JWTs work — and requires no central authority, no key distribution, and no infrastructure.

Originally built for decentralized systems but useful anywhere identity and trust matter.

In short: portable, easy-to-use identity and trust, secured by strong cryptography.

How It Works

Vouchsafe starts with a cryptographic identity triple:

A Vouchsafe ID — a human-readable URN, mathematically derived from a public key
A public/private keypair — generated and controlled by the identity owner
A binding — the ID is a fingerprint of the public key

That means the ID and key are inseparable: change the key, and the ID changes too. You can’t spoof or swap.

Here’s the clever part: The public key is included inside every Vouchsafe token.

In most systems, that would be a security risk — but not here.

Because the Vouchsafe ID is derived from the key itself, any mismatch between the ID and key fails instantly. No lookup. No registry. No config. Just math.

Each token is a standard JWT, with a few additional claims:

iss — the Vouchsafe ID (identity)
iss_key — the public key
A signature — created using the matching private key
Optional claims — for vouching, delegation, and purpose

A Closed Cryptographic Loop

Every token proves itself:

The ID proves the public key is correct
The signature proves the private key was used
The public key proves the signature is valid

If those three checks pass — you can trust the identity.

No servers. No shared secrets. No directories. Just a token — and the math to prove it.

And because one identity can vouch for another, you can build portable webs of trust — delegating authority, granting permission, or verifying claims — all without infrastructure.

Why?

Decentralized services need identity, trust, and continuity — across devices, across time, and across connection gaps. Vouchsafe provides all of that, without centralized components.

Vouchsafe moves identity to the edge, where it’s safe from censorship, corporate capture, or institutional overreach.

It puts you in charge of your identity — not opaque systems or central servers.

It's revolutionary, but not complicated: Vouchsafe tokens are just JWTs with special fields and standardized validation rules — so they work anywhere JWTs work.

What Vouchsafe Solves

Identity proof

Passwords are a terrible idea.

To prove who you are, you have to give away a secret — and hope the system you gave it to doesn't get hacked, phished, or leak it. If it does, someone else can become you.

Vouchsafe works the opposite way. You keep your key. You use it to sign proofs — without ever giving the key away. Systems never see it, store it, or touch it. That means it can’t be stolen, guessed, or misused.

You don’t give away your identity to prove it. You prove it by holding on to it.

Identity ownership

In most systems, your identity lives in someone else’s database.

You just access it. That means if someone else can access it, they can impersonate you. And if someone can block your access, you lose your identity.

Vouchsafe flips that model. Your identity lives with you, cryptographically. No one can use it without your key. Services have to ask you for access — not the other way around.

Offline Trust

Almost every system fails when the network goes down.

If the server can’t be reached, identity checks stop working. In a disaster zone, your phone might not even know you’re allowed to use it — because it can’t ask.

Vouchsafe works anywhere — even offline. Vouchsafe tokens carry everything needed to prove who you are, what you’ve purchased, or what access you’re entitled to. That proof travels with you — not locked away in a remote data center.

No signal? No problem. Trust still works.

Decentralized Identity

Decentralized and dynamic networks have special needs.

In distributed systems, identity is hard. There’s no central server to check — so how do nodes agree on who someone is? How do you keep identity stable across time, across devices, across disconnects?

Vouchsafe was built for this. A Vouchsafe identity is cryptographically bound to a key — and it's always the same. No lookup needed. If the token verifies, the identity is real.

That means any node can authenticate a user, store data tied to them, or act on their behalf — without coordination, and without the risk of being fooled.

Key Distribution

No pre-shared keys needed — trust is built into the tokens themselves.

Traditional cryptographic systems depend on pre-sharing keys — a step most leave as “figure it out yourself.” Until the key is delivered, there’s no trust. And worse, identifiers like email addresses aren’t secure — anyone can register them first and hijack the mapping.

Vouchsafe skips all of that.

The identity is the key. It’s cryptographically bound to the public key — change the key, and the identity (the URN) changes too. That means the token can safely include the key right inside it.

No setup. No registry. The key arrives with the token, and the math proves it’s legit.

Key configuration management

Trust can be delegated, so systems don't need static key lists or manual updates.

Most key management systems are brittle. New keys need to be added, old ones rotated, updates pushed everywhere — and if anything falls out of sync, the whole system breaks.

Vouchsafe takes a smarter approach. Keys are delivered with the tokens they’re meant to verify. You don’t manage keys — you manage trust. A token proves identity, and includes the key, already bound to the identity.

Need to authorize someone new? Just provide a vouch token for their identity. Need to revoke that trust? Issue a revocation token. No manual updates. No system-wide redeploys. Trust relationships become portable, scoped, and dynamic.

Trust communication

Trust relationships can be expressed, validated, and shared using vouch tokens.

Vouchsafe lets you express trust with precision. You can vouch for a specific token, for a specific purpose — like allowing a service to send messages or access a resource — and that service can present your vouch as proof when making a request elsewhere.

This enables fine-grained, verifiable trust between systems. No shared configs. No mistaken identity. Just clear, portable statements of who’s trusted to do what — and cryptographic proof that the trust is real.

Vouchsafe makes trust something you can hand over — and prove.

Trust Delegation

Let others act on your behalf — in limited, auditable ways.

With Vouchsafe, you can say: “I trust Bob to save a file to my personal storage — up to 5MB — and nothing more.”

That trust can be encoded in a token, signed by you. No need for server-side lookups, special configs, or pre-integrated accounts. The storage system checks the token, verifies your signature, and knows: this action is allowed, and it came from you.

No overreach. No ambiguity. Just clear, verifiable delegation — scoped exactly how you define it.

The Practical Upshot

Vouchsafe was built for decentralized systems — where traditional identity and trust mechanisms simply fall apart.

Vouchsafe gives you things that are difficult, awkward, or outright impossible without it: portable identity, offline verification, and flexible, scoped delegation — all without needing a blockchain, a central server, or a swarm of microservices.

It works in disconnected environments. It works in peer-to-peer apps. It works even if the devices involved have never talked before. And the best part? It’s human-scale.

You don’t need a data center. You don’t need a PhD in cryptography. If you can use JSON and JWTs, you can use Vouchsafe.

And because it’s built on familiar, widely supported standards, it works just as well in traditional systems — adding cryptographic trust and portable identity to APIs, services, and apps that already use JWTs today.

Whether you're building the next decentralized protocol, or just trying to fix broken login flows in a SaaS app — Vouchsafe has your back.

Ready to start building using Vouchsafe?

📦 Get the Library – Use it in your app today (reference library in JavaScript, browser or Node)
📖 Read the Spec – Everything is open, documented, and implementation-ready

Remember, vouchsafe already works anywhere JWTs work, so you can use it no matter what tech stack you are in. Talk to us on Discord if you are using it / creating a convenience library for other languages, we're happy to help.

Join the Community

💬 Join the Discord – Help shape the ecosystem

Who's behind this?

Vouchsafe was created by Jay Kuri. It is maintained by the folks at Ionzero.

Vouchsafe is an open protocol.

Vouchsafe is a revolutionary way to represent identity and trust — portable, self-verifying and secured by strong cryptography.