Flow Studio
DID Authentication
Authenticating a workflow actor or external party via DID challenge/response — proving control of a DID without sharing credentials.
How DID Auth Works
- The DIDAuthNode generates a cryptographic challenge nonce
- Sends a DIDComm authentication-request message to the subject's DID
- The subject signs the nonce with their DID private key and sends back an authentication-response
- The node verifies the signature against the DID document's authentication keys
- If valid, the actor is authenticated — the node succeeds
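The verification steps above, sketched as an added Node.js example (not Flow Studio's own code): the verifier binds the response to the issued challenge and timeout, and accepts only a key listed under the DID document's authentication relationship. The shapes of the issued and response objects, the Ed25519 keys and the JWK-encoded verification methods are assumptions, and all sample data is constructed.

```javascript
const crypto = require('node:crypto');
// Hypothetical verifier-side check; the `issued` and `response` field names are assumptions.
function verifyAuthResponse(issued, response, didDoc, now = Date.now()) {
  const fail = (reason) => ({ authenticated: false, reason });
  if (response.did !== issued.subjectDid || didDoc.id !== issued.subjectDid) return fail('did-mismatch');
  // The response must echo the exact challenge issued for this execution (blocks replay).
  if (response.challenge !== issued.challenge) return fail('challenge-mismatch');
  if (now > issued.issuedAt + issued.timeoutMinutes * 60000) return fail('expired');
  // Only keys referenced under "authentication" may authenticate; a key listed
  // only under another relationship (e.g. assertionMethod) is rejected.
  // Assumes string references; embedded methods are not handled here.
  if (!(didDoc.authentication || []).includes(response.verificationMethod)) return fail('key-not-authorized');
  const vm = (didDoc.verificationMethod || []).find((m) => m.id === response.verificationMethod);
  if (!vm) return fail('key-not-found');
  const key = crypto.createPublicKey({ key: vm.publicKeyJwk, format: 'jwk' });
  const ok = crypto.verify(null, Buffer.from(response.challenge), key,
    Buffer.from(response.signature, 'base64url'));
  return ok ? { authenticated: true, did: response.did, authenticationMethod: vm.id }
    : fail('bad-signature');
}

// Constructed sample data: two Ed25519 keys, only key-1 is an authentication key.
const did = 'did:web:partner.example.com';
const [k1, k2] = [0, 1].map(() => crypto.generateKeyPairSync('ed25519'));
const method = (id, kp) => ({ id: `${did}#${id}`, type: 'JsonWebKey2020', controller: did,
  publicKeyJwk: kp.publicKey.export({ format: 'jwk' }) });
const didDoc = { id: did, verificationMethod: [method('key-1', k1), method('key-2', k2)],
  authentication: [`${did}#key-1`], assertionMethod: [`${did}#key-2`] };
const issued = { subjectDid: did, challenge: 'acme-onboarding-exec-abc123',
  issuedAt: Date.now(), timeoutMinutes: 30 };
// Subject side: sign the challenge with the private key behind the named method.
const respond = (challenge, keyId, kp) => ({ did, challenge, verificationMethod: `${did}#${keyId}`,
  signature: crypto.sign(null, Buffer.from(challenge), kp.privateKey).toString('base64url') });

function demo() {
  const check = (resp, now) => verifyAuthResponse(issued, resp, didDoc, now);
  return {
    valid: check(respond(issued.challenge, 'key-1', k1)),
    wrongKey: check(respond(issued.challenge, 'key-2', k2)), // real key, wrong relationship
    forged: check(respond(issued.challenge, 'key-1', k2)), // claims key-1, signed by key-2
    replayed: check(respond('acme-onboarding-exec-old', 'key-1', k1)), // older challenge
    late: check(respond(issued.challenge, 'key-1', k1), issued.issuedAt + 31 * 60000),
  };
}
console.log(demo());
```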
Node Configuration
{
  "nodeType": "DIDAuth",
  "name": "authenticatePartner",
  "config": {
    "subjectDid": "$json.partnerDid",
    "senderDidCredentialId": 88,
    "challenge": "acme-onboarding-$context.executionId",
    "timeoutMinutes": 30
  }
}
Node Output
{
  "authenticated": true,
  "did": "did:web:partner.example.com",
  "challenge": "acme-onboarding-exec-abc123",
  "authenticatedAt": "2026-05-25T10:15:00Z",
  "authenticationMethod": "did:web:partner.example.com#key-1"
}
DID Auth vs VC verification: DID authentication proves that the communicating party controls a specific DID. VC verification proves that a credential was legitimately issued to a DID holder by a trusted issuer. For partner onboarding, use both: DID auth first (prove they control the DID), then VC verification (prove they hold a valid business credential).