JWS

JWS (JSON Web Signature, RFC 7515) is the IETF standard for cryptographically signing payloads. A JWS has three URL-safe base64-encoded parts separated by dots: the header (declares the signing algorithm), the payload (any JSON), and the signature. Verification requires decoding the signature, looking up the declared key, and checking the signature against the first two parts concatenated.

JWS is everywhere in modern web auth. Every JWT is a JWS. OpenID Connect ID tokens are JWS. Most OAuth 2.0 token responses use JWS. It's the de facto JSON signature format when you're not specifically in a JSON-LD ecosystem.

For LearnCoin credentials, JWS isn't the primary signature format — we use MerkleProof2019 over URDNA2015-canonicalized JSON-LD. But JWS appears in the eventual OpenID4VCI flow: the credential offer, the token endpoint, and (optionally) the VC-JWT variant of a credential all use JWS under the hood.