Chapter 19: Advanced DID Implementation

In Chapter 6, we talked about DIDs as the "Tattooed Passport"—the concept of self-sovereign identity that no platform can revoke.

That was theory.

This is where we build it.

I'm going to walk you through the actual terminal commands, the actual code, the actual file structure. By the end of this chapter, you won't just understand DIDs—you'll have forged your own cryptographic keys and deployed your sovereign identity to the web.

This is the Locksmith's Manual.

You're about to stop being a name that platforms verify. You're about to become a cryptographically signed entity that the internet's border guards can verify in milliseconds.

• • •

The Vault and the Key

Think of did:web as your own private Digital Vault sitting on your website.

The vault has two components:

Component	What It Is	Where It Lives
Private Key	The Master Key	Your computer (never shared)
Public Key	The Lockbox	Your website (publicly visible)

The Private Key is your secret. It never leaves your machine. It's what you use to "sign" claims, proving they came from you.

The Public Key is the verification mechanism. It lives on your website in a specific location. When an AI or system wants to verify your signature, it retrieves your public key and checks the math.

If the signature matches the public key, the claim is verified as authentically yours.

This is the death of permission.

You don't need Twitter's blue checkmark. You don't need LinkedIn's verification. You verify yourself using the laws of mathematics.

• • •

Why Ed25519?

We use the Ed25519 cryptographic curve because it's the 2026 gold standard:

Fast: Signatures are generated and verified in microseconds
Secure: No known attacks; used to secure billions in digital assets
Compact: Small key sizes, efficient for web transmission
W3C Compliant: Preferred by the DID-Core specification

Ed25519 is the same technology securing cryptocurrency wallets and high-security authentication systems. It's not experimental—it's battle-tested.

• • •

Step 1: Forging the Master Key

Open your computer's Terminal:

Mac/Linux: Terminal application
Windows: PowerShell or Windows Terminal

Generate Your Ed25519 Keypair

Run this command:

# Generate the Ed25519 Private Key
ssh-keygen -t ed25519 -f ./my_veracity_key -N ""

What this does:

-t ed25519 specifies the Ed25519 algorithm
-f ./my_veracity_key names the output file
-N "" sets an empty passphrase (for automation; add a passphrase for extra security)

Result: Two files are created:

my_veracity_key — Your private key (NEVER share this)
my_veracity_key.pub — Your public key

Extract the Public Key

To view your public key in the format needed for the DID document:

# Display the public key
ssh-keygen -y -f ./my_veracity_key

Output example:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGv7X9B2kLp...

You'll need to convert this to JWK (JSON Web Key) format for the DID document. More on that below.

• • •

Step 2: Converting to JWK Format

The DID specification requires keys in JWK (JSON Web Key) format. Here's how to convert your Ed25519 public key:

Option A: Using Node.js

If you have Node.js installed, create a file called convert-key.js:

const crypto = require('crypto');
const fs = require('fs');

// Read the public key file
const pubKeyData = fs.readFileSync('./my_veracity_key.pub', 'utf8');

// Extract the base64 portion (after "ssh-ed25519 ")
const parts = pubKeyData.trim().split(' ');
const keyData = Buffer.from(parts[1], 'base64');

// Ed25519 public keys in SSH format have a header; extract the raw key
// The raw 32-byte public key starts at byte 19 for Ed25519
const rawPublicKey = keyData.slice(19, 51);

// Convert to base64url (required for JWK)
const base64url = rawPublicKey.toString('base64')
  .replace(/\+/g, '-')
  .replace(/\//g, '_')
  .replace(/=/g, '');

console.log('Your JWK public key (x parameter):');
console.log(base64url);

Run it:

node convert-key.js

Option B: Using Python

import base64
import sys

# Read the public key file
with open('./my_veracity_key.pub', 'r') as f:
    pub_key_data = f.read().strip()

# Extract the base64 portion
parts = pub_key_data.split(' ')
key_data = base64.b64decode(parts[1])

# Extract raw 32-byte public key (starts at byte 19 for Ed25519)
raw_public_key = key_data[19:51]

# Convert to base64url
base64url = base64.urlsafe_b64encode(raw_public_key).decode().rstrip('=')

print('Your JWK public key (x parameter):')
print(base64url)

Run it:

python3 convert-key.py

Option C: Online Converters

For simpler setups, use a trusted online converter. Search for "SSH to JWK converter" and use the base64url output for the x parameter.

Important: Only convert the PUBLIC key online. Never paste your private key anywhere.

• • •

Step 3: Creating Your did.json File

Now create the DID Document. This is the "Lockbox" that tells the world who you are.

The Master Template

Create a file called did.json:

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3c-ccg.github.io/lds-jws2020/contexts/v1"
  ],
  "id": "did:web:YOUR-DOMAIN.com",
  "verificationMethod": [
    {
      "id": "did:web:YOUR-DOMAIN.com#owner",
      "type": "JsonWebKey2020",
      "controller": "did:web:YOUR-DOMAIN.com",
      "publicKeyJwk": {
        "kty": "OKP",
        "crv": "Ed25519",
        "x": "YOUR_BASE64URL_PUBLIC_KEY_HERE"
      }
    }
  ],
  "authentication": [
    "did:web:YOUR-DOMAIN.com#owner"
  ],
  "assertionMethod": [
    "did:web:YOUR-DOMAIN.com#owner"
  ]
}

Field Explanations

Field	Purpose
@context	Declares the vocabularies used (W3C DID standard)
id	Your DID identifier (must match your domain)
verificationMethod	Contains your public key(s)
type: JsonWebKey2020	Specifies the key format
kty: OKP	Key type: Octet Key Pair (for Ed25519)
crv: Ed25519	Curve: Ed25519
x	Your actual public key in base64url format
authentication	Keys authorized to authenticate as this DID
assertionMethod	Keys authorized to make assertions (sign claims)

Example with Real Structure

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3c-ccg.github.io/lds-jws2020/contexts/v1"
  ],
  "id": "did:web:super-intelligent.ai",
  "verificationMethod": [
    {
      "id": "did:web:super-intelligent.ai#owner",
      "type": "JsonWebKey2020",
      "controller": "did:web:super-intelligent.ai",
      "publicKeyJwk": {
        "kty": "OKP",
        "crv": "Ed25519",
        "x": "Gv7X9B2kLpQmN8vR5tY1uW3xZ6aB4cD7eF9gH0iJ2kL"
      }
    }
  ],
  "authentication": [
    "did:web:super-intelligent.ai#owner"
  ],
  "assertionMethod": [
    "did:web:super-intelligent.ai#owner"
  ]
}

• • •

Step 4: Deploying to Your Domain

The did.json file must be hosted at a specific location—the Front Door where AI border guards look for proof.

Required Path

https://YOUR-DOMAIN.com/.well-known/did.json

Server Configuration

Apache (.htaccess):

# Ensure .well-known directory is accessible
<Directory "/.well-known">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Set correct MIME type for JSON
<FilesMatch "\.json$">
    Header set Content-Type "application/json"
</FilesMatch>

Nginx:

location /.well-known/ {
    default_type application/json;
    add_header Access-Control-Allow-Origin *;
}

Vercel/Netlify:

Create a _headers file:

/.well-known/*
  Content-Type: application/json
  Access-Control-Allow-Origin: *

Upload Process

Create the .well-known directory in your web root
Upload did.json to that directory
Verify it's accessible at https://your-domain.com/.well-known/did.json

• • •

Step 5: Testing Your Implementation

Method 1: Direct Browser Check

Navigate to:

https://YOUR-DOMAIN.com/.well-known/did.json

You should see your DID Document displayed as JSON.

Method 2: Universal Resolver

Use the Universal DID Resolver to test resolution:

Go to https://dev.uniresolver.io
Enter your DID: did:web:YOUR-DOMAIN.com
Click "Resolve"

If successful, you'll see your DID Document returned. This confirms:

The file is accessible
The format is correct
AI systems can resolve your identity

Method 3: Command Line Check

curl -H "Accept: application/json" https://YOUR-DOMAIN.com/.well-known/did.json

Should return your DID Document.

• • •

Step 6: Securing Your Private Key

Your private key is the Master Key. If someone gets it, they can sign claims as you.

Security Practices

Never upload to version control

# Add to .gitignore
echo "my_veracity_key" >> .gitignore

Store in secure location
- Hardware security key (YubiKey)
- Encrypted disk partition
- Password manager vault
Create secure backup
- Encrypted USB drive stored offline
- Multiple geographic locations for redundancy

Consider passphrase protection

# Generate with passphrase
ssh-keygen -t ed25519 -f ./my_veracity_key
# (Enter passphrase when prompted)

• • •

Step 7: Signing Claims with Your Key

Once deployed, you can sign content to prove it came from you.

Basic Signing with Node.js

const crypto = require('crypto');
const fs = require('fs');

// Load your private key
const privateKey = fs.readFileSync('./my_veracity_key', 'utf8');

// The claim you want to sign
const claim = JSON.stringify({
  "@type": "Claim",
  "author": "did:web:your-domain.com",
  "content": "Entity Veracity is the measure of grounded truth",
  "timestamp": new Date().toISOString()
});

// Create signature
const sign = crypto.createSign('SHA256');
sign.update(claim);
const signature = sign.sign(privateKey, 'base64');

console.log('Claim:', claim);
console.log('Signature:', signature);

The signature can be verified by anyone using your public key from the DID Document.

• • •

Linking DID to Legacy IDs

For maximum Entity Veracity, link your DID to your historical identifiers.

Extended DID Document with sameAs

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3c-ccg.github.io/lds-jws2020/contexts/v1",
    "https://schema.org/"
  ],
  "id": "did:web:super-intelligent.ai",
  "verificationMethod": [
    {
      "id": "did:web:super-intelligent.ai#owner",
      "type": "JsonWebKey2020",
      "controller": "did:web:super-intelligent.ai",
      "publicKeyJwk": {
        "kty": "OKP",
        "crv": "Ed25519",
        "x": "YOUR_PUBLIC_KEY_HERE"
      }
    }
  ],
  "authentication": ["did:web:super-intelligent.ai#owner"],
  "assertionMethod": ["did:web:super-intelligent.ai#owner"],
  "sameAs": [
    "https://www.google.com/search?kgmid=/m/0abc123",
    "https://www.linkedin.com/in/yourprofile",
    "https://twitter.com/yourhandle"
  ]
}

The sameAs array creates Bi-Directional Linkage—connecting your sovereign identity to your legacy presence across platforms.

• • •

From Searchable to Verifiable

The transformation is complete.

Before this chapter:

Your identity lived in other people's databases
Platforms could revoke your verification at will
AI had to probabilistically guess who you were

After this chapter:

Your identity is cryptographically anchored to your domain
No platform can revoke mathematical proof
AI can deterministically resolve your identity in milliseconds

You've built your own Vault of Truth.

You keep the keys in your own pocket.

The world's AIs come to you for verification.

Permanent Sovereignty achieved.

Advanced DID Implementation — Terminal & Code

The Vault and the Key

Why Ed25519?

Step 1: Forging the Master Key

Generate Your Ed25519 Keypair

Extract the Public Key

Step 2: Converting to JWK Format

Option A: Using Node.js

Option B: Using Python

Option C: Online Converters

Step 3: Creating Your did.json File

The Master Template

Field Explanations

Example with Real Structure

Step 4: Deploying to Your Domain

Required Path

Server Configuration

Upload Process

Step 5: Testing Your Implementation

Method 1: Direct Browser Check

Method 2: Universal Resolver

Method 3: Command Line Check

Step 6: Securing Your Private Key

Security Practices

Step 7: Signing Claims with Your Key

Basic Signing with Node.js

Linking DID to Legacy IDs

Extended DID Document with sameAs

From Searchable to Verifiable

Chapter Summary

Key Terms

Cross-References