Student IDs & campus credentials with VCALM

Q: How is a digital student ID issued and verified?

The school signs the student ID as a W3C Verifiable Credential and delivers it to the student's wallet of choice over VCALM (the VC API). A campus service or partner verifies it cryptographically in person or online — no callbacks to the registrar — and the student approves each share with one tap.

Q: Can a student ID prove enrollment without revealing identity?

Yes. With selective disclosure, a student can prove a single fact — such as 'currently enrolled' or 'valid student' — without revealing name, photo, or student number. Only the field requested is shared.

Q: Does a digital student ID lock students to a school app?

Not with VCALM. The student ID works with any conformant wallet, so students keep their choice of app. The OpenID/mdoc approach often pairs with wallet attestation and allow-lists, which let the school decide which apps are accepted.

Issue student IDs that students truly control — verifiable across campus and with partners, in person or online, with the wallet of their choice, and without locking students to a school-approved app.

To issue a digital student ID, a school signs it as a W3C Verifiable Credential and delivers it to the student's wallet of choice over VCALM (the VC API). A campus service or partner verifies it cryptographically — in person or online — and with selective disclosure the student can prove one fact, like "currently enrolled," without revealing their name, photo, or student number.

School issues a student ID

Student picks their own wallet -- no school-mandated app
Student holds and controls it

Nothing shared without one-tap, explicit consent
Proves one fact

Currently enrolled -- no name, photo, or student number revealed

What it feels like to use

The technology is invisible by design. Here's what each person actually does — and what they no longer have to.

The school issues a student ID

A student requests their digital ID from the registrar portal or campus app. They authenticate once, pick the wallet they already use, and the ID lands in it — alongside their physical card.

No school-mandated app. Their wallet, their choice.
The student holds and controls it

The student ID lives on their phone, under their control. Nothing is shared automatically — every presentation needs an explicit, one-time approval the student sees and consents to.

The school can't watch where it's used.
They prove just one thing, when needed

At the library or a lab door, the student taps to prove "currently enrolled" — and reveals nothing else. No name, no photo, no student number. At a partner venue offering a student discount, they share exactly the field asked for, and no more.

Selective disclosure: minimum data, every time.

What the student experiences

Their choice of wallet. Not a single school-approved app.
Prove a fact, not your identity. "Currently enrolled" without your student number.
One-tap consent. Nothing leaves the phone without approval.
No tracking. The school doesn't see each place it's used.

What the school experiences

Privacy by design. Data minimization is built into every request.
Instant, tamper-evident checks. No call-backs to the registrar.
No vendor or wallet lock-in. Works with every conformant wallet.
Standards-based. Built on open W3C Verifiable Credentials.

How it works

One diagram, three actors, one loop.

     SCHOOL                STUDENT              CAMPUS / PARTNER
    (issuer)           (wallet of choice)          (verifier)
     |                      |                          |
     | -- delivers -->      |                          |
     |  student ID VC       |                          |
     |                      | <-- asks for --           |
     |                      |   proof of enrollment     |
     |                      | -- presents -->           |
     |                      |   only what's needed      |
     |                      |                     verifies (ok)

A student ID is signed JSON the student holds and controls.
Delivery (school → student) and presentation (student → verifier) are the same simple exchange loop: POST, read what the server wants, POST back.
With selective disclosure, the student can prove a single fact — "currently enrolled," "valid student" — without revealing name, photo, or student number.

A good fit if…

You issue identity or entitlement credentials to students.
You want students to choose their own wallet, not an approved list.
You need selective disclosure — prove a fact without revealing everything.

Start building

Common questions

Can a student ID prove enrollment without revealing identity?

Yes. With selective disclosure, a student proves a single fact — "currently enrolled," "valid student" — without revealing name, photo, or student number.

Does a digital student ID lock students to a school app?

Not with VCALM — the student ID works with any conformant wallet. The OpenID/mdoc approach often pairs with attestation and allow-lists that let the school decide which apps are accepted.

Is a VCALM student ID private?

Yes. Data minimization is built into every request, nothing is shared without one-tap consent, and the school can't see where it's used.

Why VCALM vs. OID4?

The OID4VCI / OID4VP, mdoc-centric approach often pairs with wallet "attestation" and allow-lists — which means the school has to certify, and build and maintain an integration for, every wallet it wants to support. With VCALM, you issue once to an open standard and any conformant wallet works, so there's no per-wallet integration to own. See the full comparison.