Identity
assertionMethod
A DID document purpose binding that declares which verificationMethods are authorized to sign assertions — the purpose W3C VCs use.
DID documents declare which verificationMethods can be used for which purpose. Purposes are separate fields: [authentication](/glossary/authentication-method) (for signing challenges during login), assertionMethod (for signing verifiable credentials), keyAgreement (for ECDH-derived encryption), capabilityInvocation and capabilityDelegation (for object-capability systems).
For W3C Verifiable Credentials, the relevant purpose is assertionMethod. A credential's proof carries proofPurpose: "assertionMethod", and verification requires the proof.verificationMethod to be one of the DID's declared assertionMethod entries.
LearnCoin's DID document declares each tenant's verificationMethod fragment under assertionMethod, so credentials signed by #tenant-ewance are only valid if #tenant-ewance is an assertion method in the DID doc at issuance time. Key rotation involves adding a new verificationMethod + assertionMethod entry and removing the old one — old credentials remain valid as long as they reference a key that was an assertion method when the credential was signed.