Identity
authentication
A DID document purpose binding that declares which verificationMethods are authorized to authenticate the DID subject — separate from assertion signing.
The authentication purpose in a DID document declares which verificationMethods prove control of the DID. A common use case: a sign-in challenge where a server sends a nonce, and the DID subject signs it with an authentication-method key. If the signature is valid against a key listed under authentication in the DID document, the subject has authenticated.
Authentication is distinct from assertionMethod. A DID might have one key for authentication and a different key for signing credentials — separating the "who are you" question from the "did you endorse this claim" question. In hardware-backed deployments, authentication keys are often on a phone or hardware token while assertion keys live in an HSM.
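The sign-in challenge and the authentication/assertionMethod separation described above, as an added example that is not LearnCoin code: a verifier that accepts a signed nonce only when the named key is listed under authentication. The DID, key ids, keys and function names are constructed for illustration, and the subject signs only the nonce, as in the description above.

```javascript
// Added example: verifier side of a DID sign-in challenge, Node.js built-in crypto only.
const crypto = require('node:crypto');

// Constructed sample data: placeholder DID with two Ed25519 keys, one per purpose.
const authKey = crypto.generateKeyPairSync('ed25519');
const issuerKey = crypto.generateKeyPairSync('ed25519');
const DID = 'did:example:alice';
const vm = (frag, kp) => ({ id: `${DID}#${frag}`, type: 'JsonWebKey2020', controller: DID,
  publicKeyJwk: kp.publicKey.export({ format: 'jwk' }) });
const didDocument = {
  id: DID,
  verificationMethod: [vm('key-1', authKey), vm('key-2', issuerKey)],
  authentication: [`${DID}#key-1`],
  assertionMethod: [`${DID}#key-2`],
};

// Look a method up under ONE purpose. Entries are either a reference (string id)
// into verificationMethod or an embedded method object.
function resolveForPurpose(doc, purpose, methodId) {
  for (const entry of doc[purpose] || []) {
    const id = typeof entry === 'string' ? entry : entry.id;
    if (id !== methodId) continue;
    if (typeof entry !== 'string') return entry;
    return (doc.verificationMethod || []).find((m) => m.id === methodId) || null;
  }
  return null;
}

const pending = new Set(); // nonces issued and not yet consumed
function issueChallenge() {
  const nonce = crypto.randomBytes(32).toString('hex');
  pending.add(nonce);
  return nonce;
}

// Subject side (hypothetical wallet): sign the nonce and name the key used.
function signChallenge(nonce, methodId, privateKey) {
  const signature = crypto.sign(null, Buffer.from(nonce), privateKey).toString('hex');
  return { nonce, methodId, signature };
}

// Server side: single-use nonce, key must be listed under authentication, signature must verify.
function verifyResponse(doc, { nonce, methodId, signature }) {
  if (!pending.delete(nonce)) return false; // unknown or replayed nonce
  const method = resolveForPurpose(doc, 'authentication', methodId);
  if (!method || !method.publicKeyJwk) return false; // e.g. an assertionMethod-only key
  const key = crypto.createPublicKey({ key: method.publicKeyJwk, format: 'jwk' });
  return crypto.verify(null, Buffer.from(nonce), key, Buffer.from(signature, 'hex'));
}
```

A response signed with `key-2` is rejected even though the signature itself is valid, because that key is listed only under assertionMethod.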
LearnCoin's credential-issuance flow doesn't use authentication directly — tenants authenticate to the LearnCoin API via bearer API keys, not DIDs. The DID-based authentication model is most relevant for recipient-side wallet flows (OpenID4VP), which are on the 2026-2027 roadmap.