Securing Verifiable Credentials for a world of agentic AI

Since hitting publish on Anonymous credentials for the web (no, not those kind) I've been doing some work for Kerri Lemoie at the Digital Credentials Consortium and it's made me think that PACT (Private Access Control Tokens) might actually be useful for Verifiable Credentials (VCs), too.

On the surface, it looks like they're solving different problems:

• A VC is a signed assertion about a person, for example "this person completed this course" with the signature proving that it's genuine. The holder of the VC decides when and with whom to share it.
• PACT answers the question "how can a website know you're a real, human user, without you having to reveal your identity?"

It's essentially the dffThink of it as the difference between:

• VC: "I am qualified" (an assertion of achievement)
• PACT: "I am not a bot operating at industrial scale" (an assertion of scarcity)

So if we put these together, we get... scarce achievements (or more appropriately scarce endorsements)

---

With VCs, an issuer signs a credential and gives it to a holder, who presents it to a verifier. The verifier checks the issuer's signature. Whereas with PACT the three roles are:

• Anchor: an entity that already has a real relationship with you (e.g. VPN provider, your email host, your employer). They vouch that you're a legitimate, scarce user, not because they know your identity, but because you have an account with them that costs something to create.
• Moderator: a neutral entity (e.g. a service run by a browser vendor or CDN) that takes a voucher provided by an Anchor voucher and turns it into a rate-limited credential.
• Credential: not a claim about who you are, but a claim that you have a remaining budget of actions (e.g., 10 requests to this site today).

Importantly, the Moderator can't tell which Anchor backed your identity, you just prove that you were endorsed by one of the trusted Anchors, using the same family of zero-knowledge proofs that underpin selective disclosure for VCs.

I guess the big difference between the two is what might be termed statefulness. An Verifiable Credential is a static signed document saying the same thing every time you present it. A PACT Credential, on the other hand, is spent as you use it meaning that each presentation decrements a counter, so the same credential can't be replayed at bot-scale.

---

So why is this useful? It's an additional layer operating more like a turnstile than a certificate. Especially in a world of agentic AI with control over people's browsers and desktop apps, we need a way of preventing industrial-scale credential fraud. PACT allows for anti-bearer-token abuse, which is something that Verifiable Credentials currently cannot prevent. IN other words, a PACT layer on top of a VC presentation could act as a rate-limit: the verifier demands both "here is my badge" and "here is proof I'm operating at human scale."

Additionally, because most VCs are issued by trusted institutions (e.g. universities, training providers) they already have trusted relationship with the VC holder. It wouldn't be difficult to generate PACT Endorsements so that the holder can prove "a trusted institution vouches for my legitimacy" without revealing which one.

At the same time, unlike the current VC ecosystem, PACT explicitly contemplates AI agents acting on a user's behalf. This is important, as if an agent presents your credentials to automated hiring systems, PACT gives the verifier assurance the agent is operating under a human-scale budget and not just spamming the whole ecosystem. There's a level of human oversight to it.

---

Of course, at the time of writing, PACT is still a proposal with the cryptography heading to IETF for ratification and the browser API spec heading to W3C. It can't be wired into VC wallets any time soon, but it's something interesting to keep an eye on...