Section 01 · Introduction
Why degrees are moving on chain
A paper degree spends most of its life inside a frame on a wall. Its useful job — proving you graduated — is done in five second windows when an employer asks. That job has always been hard.
Quick answer
What is a degree NFT? A degree NFT is a soulbound ERC721 token issued by a university registrar to a graduate's wallet. The token cannot be transferred, sold, or gifted because the contract's transfer hook reverts on every non mint, non burn move. Employers verify the credential by calling a public view function on the contract. The registrar can revoke a credential later if academic misconduct is discovered, without destroying the historical record.
The current state of degree verification is a vendor like World Education Services or HEC attestation queues that take weeks to confirm a graduation. Forged degrees are common because the verification surface is so slow that employers often skip it. The actual cost of a fake degree shows up later as a wrongful hire.
A soulbound NFT collapses verification to a single contract read. The employer types the tokenId into a verifier app, the app calls verify(id) on the university's contract, the contract returns the program, year, and revocation status. Seconds instead of weeks. Tamper proof by design.
The same ERC721 base contract is the starting point. The interesting work is the soulbound transfer hook and the verification surface.
Soulbound is not a separate standard
Soulbound tokens use the regular ERC721 standard. The difference is that the transfer hook reverts on every move. There is no special EIP for soulbound — it is a policy choice expressed in one if statement in the contract.
Section 02 · The Contract
ERC721 plus registrar role plus credential struct
The university is the issuer. The registrar wallet is the only address allowed to mint or revoke.
// Degree NFT — soulbound ERC721 with revocation
contract Degree is ERC721, AccessControl {
bytes32 public constant REGISTRAR_ROLE = keccak256("REGISTRAR_ROLE");
struct Credential {
string program; // "BSCS", "MBA", "Diploma in Design"
uint16 graduationYear;
bytes32 transcriptHash; // hash of off chain transcript PDF
bool revoked;
}
mapping(uint256 => Credential) public credential;
uint256 public nextId;
event Issued(uint256 indexed id, address indexed graduate, string program);
event Revoked(uint256 indexed id, string reason);
constructor() ERC721("Degree", "DEG") {
_grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
}
function issue(
address graduate,
string calldata program,
uint16 graduationYear,
bytes32 transcriptHash
) external onlyRole(REGISTRAR_ROLE) returns (uint256 id) {
id = ++nextId;
credential[id] = Credential(program, graduationYear, transcriptHash, false);
_safeMint(graduate, id);
emit Issued(id, graduate, program);
}
function revoke(uint256 id, string calldata reason)
external
onlyRole(REGISTRAR_ROLE)
{
require(_ownerOf(id) != address(0), "Degree: unknown id");
credential[id].revoked = true;
emit Revoked(id, reason);
}
}The Credential struct holds the program name, the graduation year, a transcript hash, and a revoked flag. The transcript itself stays off chain because it contains personally identifiable data — grades, courses, sometimes medical accommodations. Only the hash lives on chain. An employer who needs the transcript receives it through the normal channel and checks the hash matches.
The issue function is registrar only. The registrar wallet sits inside the university's student information system and only fires after the academic records office confirms the graduation. The transcript hash is computed at issuance time from the canonical PDF the registrar archives.
Section 03 · Soulbound Rules
Three overrides that disable every transfer path
A degree NFT must be impossible to sell or gift. Three small overrides on the standard ERC721 close every transfer path.
// Soulbound — block every transfer that is not a mint or burn
function _beforeTokenTransfer(address from, address to, uint256, uint256)
internal
pure
override
{
require(from == address(0) || to == address(0), "Degree: soulbound");
}
// Operator approval is meaningless for a soulbound token — disable it
function approve(address, uint256) public pure override {
revert("Degree: soulbound");
}
function setApprovalForAll(address, bool) public pure override {
revert("Degree: soulbound");
}The transfer hook is the primary gate. Any function call that would move the token reverts unless one party is the zero address — that is, the call is a mint or a burn. Direct transfers fail. transferFrom fails. safeTransferFrom fails.
The approve and setApprovalForAll overrides close the secondary path. Without them, a graduate could give a marketplace contract permission to move the NFT, and the marketplace could try to transfer on their behalf. Disabling approval at the contract level means no marketplace can ever list the token.
Burn is allowed because revocation needs an exit
The university must be able to destroy a credential issued in error. The burn path is reachable through a registrar only function. Allowing burn while blocking transfer is the standard soulbound pattern.
Revocation is preferred over burn
Revoking a degree sets the revoked flag but keeps the NFT in the graduate's wallet with its history visible. Burning destroys the record. For academic misconduct, revoke is cleaner — the historical fact that a degree was issued and then revoked is itself useful information.
The graduate can renounce voluntarily
A graduate who wants to disown a credential — common after a name change or a deadname disclosure — can call a renounce function the contract exposes. It burns the token from their own wallet. The university can then re issue under the new name.
Be careful with off chain marketplaces
Some NFT marketplaces ignore the transfer hook revert and list the token anyway, then fail at trade time. This is harmless on chain but confusing for the graduate. Universities should publish a verifier page that explains the soulbound policy clearly.
Section 04 · Employer Verification
The whole point — one contract read
A traditional degree verification is two weeks of bureaucracy. The soulbound NFT version is a single RPC call from a public verifier app.
// Employer verifies a degree without contacting the university
function verify(uint256 id) external view returns (
address graduate,
string memory program,
uint16 year,
bool valid
) {
address owner = _ownerOf(id);
require(owner != address(0), "Degree: not found");
Credential memory c = credential[id];
valid = !c.revoked;
return (owner, c.program, c.graduationYear, valid);
}
// Optional — verify the transcript file the employer received matches on chain
function verifyTranscript(uint256 id, bytes calldata transcriptFile)
external
view
returns (bool)
{
return keccak256(transcriptFile) == credential[id].transcriptHash
&& !credential[id].revoked;
}
The employer's verifier app is a thin front end over a single RPC call. It takes the tokenId from the candidate's resume or LinkedIn profile, calls verify on the university's known contract address, and renders the result. The university operates the contract but does not see the verification request. Privacy from the registrar side is automatic.
For verifying the transcript file itself — which the candidate sends to the employer through email or a portal — the employer hashes the file and compares to the on chain hash. If they match, the file has not been tampered with since issuance. If they differ, the file was modified after the university issued it.
| Field | On chain | Notes |
|---|---|---|
| Graduate wallet address | Yes | Anyone can read who holds the credential |
| Program name and graduation year | Yes | Public — the visible degree |
| Revocation flag | Yes | True if registrar revoked |
| Transcript content | No | PDF held by graduate and university |
| Course grades | No | Inside transcript only |
| Personal data (DOB, ID number) | No | Never on chain |
Section 05 · What This Buys
Why a university would actually do this
The student benefits are obvious. The institutional benefits are bigger.
Verification queue collapses
A registrar's office spends 20 to 40 percent of staff time on verification requests. Soulbound NFTs route every employer to a public RPC call. The verification queue shrinks to near zero. Staff reallocate to academic work.
Forgery becomes detectable instantly
A fake degree printed on quality paper passes a quick scan. A fake tokenId either does not exist in the contract or points to a different graduate. The verifier app catches both in the same call.
International recognition becomes a one liner
A foreign employer hiring a graduate from a Pakistani university today goes through HEC attestation, embassy attestation, and a translation service. The soulbound NFT verification works identically from anywhere in the world. The path is a single contract read.
Lifelong learning gets a clean attachment surface
Continuing education credits, executive certificates, online microdegrees — each can issue its own soulbound NFT into the same wallet. A graduate's wallet becomes their verified academic record across institutions.
Section 06 · Integration
What a university actually has to build
Three pieces: the contract, the registrar dashboard, the public verifier. None of them is large.
The contract is what is in this post. Audited once, deployed once, never upgraded. Pick a chain with cheap writes — Polygon or Base — because the university only writes on graduation day and revocation events.
The registrar dashboard is a small internal tool with two screens: a batch issuance form (paste a CSV of graduate wallets plus program details, the dashboard signs the issue calls) and a revocation form. The registrar wallet sits inside a hardware HSM with a 2 of 3 multisig for safety.
The public verifier is a one page app on the university's domain. It takes a tokenId, calls verify, renders the result with the institution's seal. The whole verifier is roughly 200 lines of TypeScript. Employers bookmark the URL and never touch the registrar again.
Section 07 · FAQ
Common questions about degree NFTs
What registrars and academic administrators ask before considering this.
What is a degree NFT?
A degree NFT is a soulbound ERC721 token issued by a university registrar to a graduate's wallet. The token represents one credential — a bachelor's, master's, diploma, or certificate. Because the contract's transfer hook reverts on every non mint, non burn move, the credential cannot be sold or gifted. Employers verify it through a public view function on the contract.
Can a degree NFT be transferred or sold?
No. The contract's transfer hook reverts on any call that would move the token to a different wallet. The approve and setApprovalForAll overrides also revert, so no marketplace can list the token. The only state transitions allowed are issuance by the registrar and burning, which happens when a credential is voluntarily renounced.
What happens if a university needs to revoke a degree?
The registrar calls a revoke function that flips a revoked flag inside the credential struct. The NFT stays in the graduate's wallet so the historical record persists, but every verify call returns valid = false. This pattern is preferred over burning because the existence of a revocation is itself information employers want to see.
How does an employer verify a degree NFT?
The employer uses a public verifier app provided by the issuing university. The app takes the tokenId from the candidate's resume or LinkedIn profile, calls the contract's verify function over a public RPC, and displays the program name, graduation year, and current validity. The whole verification takes seconds and does not contact the university's registrar office.
What about the transcript with grades and course details?
The transcript stays off chain because it contains personally identifiable data. Only its hash sits on the contract. When an employer needs the full transcript, the graduate sends the PDF directly. The employer hashes the file and compares to the on chain hash to confirm the file has not been altered since issuance. Privacy is preserved; integrity is provable.
Section 08 · Next Steps
The contract is the easy part — the institutional process change is the work
A university that pilots this with one program can validate the model in a single graduating class.
We help universities, online learning platforms, and certification bodies ship soulbound credential systems, including the contract, the registrar dashboard, the public verifier, and the integration with existing student information systems. The same pattern applies to professional licenses, training certifications, and any credential where ownership must stay with the original holder.