diff --git a/src/_data/flowIcons.js b/src/_data/flowIcons.js
index 0338249..2a669ab 100644
--- a/src/_data/flowIcons.js
+++ b/src/_data/flowIcons.js
@@ -88,7 +88,7 @@ export default {
     <line x1="36" y1="39" x2="44" y2="39" stroke="#2f6b4f" stroke-width="1" stroke-dasharray="3,2"/>
   </svg>`,
 
-  govIssue: `<svg viewBox="0 0 80 80" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
+  studentIdIssue: `<svg viewBox="0 0 80 80" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
     <rect x="18" y="48" width="44" height="20" rx="0" fill="none" stroke="#1b1a17" stroke-width="1.5"/>
     <line x1="26" y1="48" x2="26" y2="68" stroke="#1b1a17" stroke-width="1.5"/>
     <line x1="36" y1="48" x2="36" y2="68" stroke="#1b1a17" stroke-width="1.5"/>
@@ -96,11 +96,11 @@ export default {
     <line x1="54" y1="48" x2="54" y2="68" stroke="#1b1a17" stroke-width="1.5"/>
     <polygon points="12,48 40,22 68,48" fill="none" stroke="#1b1a17" stroke-width="1.5"/>
     <text x="40" y="42" text-anchor="middle" font-size="9" fill="#1b1a17" font-family="Georgia,serif">&#x2605;</text>
-    <text x="40" y="62" text-anchor="middle" font-size="7" fill="#514c43" font-family="Georgia,serif" letter-spacing=".06em">DMV</text>
+    <text x="40" y="62" text-anchor="middle" font-size="7" fill="#514c43" font-family="Georgia,serif" letter-spacing=".06em">UNI</text>
     <rect x="10" y="68" width="60" height="3" rx="0" fill="#1b1a17" opacity=".15"/>
   </svg>`,
 
-  govHold: `<svg viewBox="0 0 80 80" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
+  studentIdHold: `<svg viewBox="0 0 80 80" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
     <rect x="26" y="10" width="28" height="50" rx="5" fill="#1b1a17"/>
     <rect x="30" y="16" width="20" height="36" rx="2" fill="#f4f0e6"/>
     <rect x="32" y="18" width="16" height="12" rx="1" fill="#ece6d6" stroke="#1b1a17" stroke-width=".75"/>
@@ -108,13 +108,13 @@ export default {
     <line x1="40" y1="20" x2="46" y2="20" stroke="#c9c0ab" stroke-width="1"/>
     <line x1="40" y1="23" x2="45" y2="23" stroke="#c9c0ab" stroke-width="1"/>
     <line x1="40" y1="26" x2="46" y2="26" stroke="#c9c0ab" stroke-width="1"/>
-    <text x="47" y="30" font-size="5" fill="#c0341d" font-family="Georgia,serif">DL</text>
+    <text x="47" y="30" font-size="5" fill="#c0341d" font-family="Georgia,serif">ID</text>
     <path d="M35,38 l5,-3 l5,3 v6 a5,5 0 0,1 -10,0 z" fill="none" stroke="#9a7b2e" stroke-width="1.5"/>
     <circle cx="40" cy="43" r="1.5" fill="#9a7b2e"/>
     <rect x="34" y="56" width="12" height="2" rx="1" fill="#c9c0ab"/>
   </svg>`,
 
-  govDisclose: `<svg viewBox="0 0 80 80" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
+  studentIdDisclose: `<svg viewBox="0 0 80 80" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
     <rect x="8" y="22" width="36" height="44" rx="2" fill="#ece6d6" stroke="#c9c0ab" stroke-width="1" opacity=".7"/>
     <line x1="14" y1="32" x2="38" y2="32" stroke="#c9c0ab" stroke-width="1"/>
     <line x1="14" y1="38" x2="36" y2="38" stroke="#c9c0ab" stroke-width="1"/>
@@ -124,7 +124,7 @@ export default {
     <line x1="24" y1="32" x2="14" y2="44" stroke="#c0341d" stroke-width="1" opacity=".4"/>
     <text x="22" y="62" text-anchor="middle" font-size="7" fill="#c9c0ab" font-family="Georgia,serif" font-style="italic">full ID</text>
     <rect x="36" y="30" width="38" height="26" rx="2" fill="#f4f0e6" stroke="#2f6b4f" stroke-width="2"/>
-    <text x="55" y="42" text-anchor="middle" font-size="9" fill="#2f6b4f" font-family="Georgia,serif" font-weight="bold">OVER 21</text>
+    <text x="55" y="42" text-anchor="middle" font-size="8" fill="#2f6b4f" font-family="Georgia,serif" font-weight="bold">ENROLLED</text>
     <text x="55" y="52" text-anchor="middle" font-size="8" fill="#2f6b4f" font-family="Georgia,serif">&#x2713; verified</text>
   </svg>`,
 
diff --git a/src/assets/diagrams/government-flow.svg b/src/assets/diagrams/student-id-flow.svg
similarity index 100%
rename from src/assets/diagrams/government-flow.svg
rename to src/assets/diagrams/student-id-flow.svg
diff --git a/src/verticals/education/build/issuer.njk b/src/verticals/education/build/issuer.njk
index d6e0c0e..841c132 100644
--- a/src/verticals/education/build/issuer.njk
+++ b/src/verticals/education/build/issuer.njk
@@ -1,128 +1,159 @@
 ---
 title: "Build an issuer — academic credentials"
-description: "Issue diplomas over VCALM in 3 steps: start an exchange, deliver a signed VC, confirm. Server-side HTTP quick start."
+description: "Issue diplomas as a VCALM coordinator: create an exchange, share an interaction URL, poll for the result. A workflow service does the protocol work."
 permalink: /education/build/issuer/
 ---
-{# Layer 4 — issuer coordinator quick start. The recommended path is the
-   @bedrock/vc-delivery server; the raw HTTP loop below shows what it runs. #}
+{# Layer 4 — issuer coordinator. A coordinator is a CLIENT of a workflow
+   service; it does not run @bedrock/vc-delivery itself. It only creates
+   exchanges, hosts/shares interaction URLs, and polls for results. #}
 <article class="prose">
   <h1>Build an issuer</h1>
   <p>
-    You run the university side: start an exchange and deliver a signed diploma
-    credential into the graduate's wallet — over the same VCALM exchange loop
-    the wallet speaks.
+    You run the university side. As a <strong>coordinator</strong> you speak
+    VCALM — just the coordinator side of it. You don't run <em>VCALM
+    delivery</em>, the on-the-wire exchange with the graduate's wallet; a
+    <em>workflow service</em> does that. Your whole job is three calls: create an
+    exchange, share an interaction URL that points the graduate's wallet at it,
+    then poll the exchange until the diploma has been issued.
   </p>
 
   <aside class="recommended">
     <p class="kicker">Recommended</p>
-    <h2>Run the coordinator with @bedrock/vc-delivery</h2>
+    <h2>Drive a workflow service — don't build the protocol</h2>
     <p>
-      You don't have to build the exchange loop by hand. Digital Bazaar's
+      The protocol mess — VCALM delivery, OID4VCI, OID4VP, and interoperating with
+      whatever wallet a graduate brings — is handled by a <em>workflow
+      service</em>. Digital Bazaar's
       <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>
-      runs it for you today and is the supported path for issuers.
+      is one. <strong>The workflow service runs that library; you don't.</strong>
     </p>
-    <p><code class="install">npm install @bedrock/vc-delivery</code></p>
     <p>
-      You define a <em>workflow</em> (a reusable issuance config) and the module
-      handles each <em>exchange</em>. It serves VCALM (<code>vcapi</code>) and
-      also speaks OID4VCI and OID4VP, so one workflow delivers credentials over
-      whichever protocol a wallet selects.
+      A goal of VCALM is to let you use a workflow service off the shelf. An
+      administrator loads the <em>workflows</em> you need (a reusable issuance
+      config — what to issue, what to ask for). From then on, whenever a graduate
+      action requires a credential exchange, you create an exchange against that
+      workflow and read back the result.
     </p>
   </aside>
 
-  <h2>Under the hood: the raw VCALM exchange</h2>
-  <p>
-    Want to build your own coordinator, or just see exactly what the server does
-    on the wire? It's a short HTTP loop — three things:
-  </p>
+  <h2>What the coordinator does</h2>
   <ol>
-    <li>Expose an interaction URL (in a QR code or link) that advertises
-        <code>vcapi</code>.</li>
-    <li>When the wallet POSTs to your exchange URL, respond with the
-        diploma in a <code>verifiablePresentation</code>.</li>
-    <li>Optionally ask the wallet to authenticate first (DID Auth), then
-        deliver; finish the exchange.</li>
+    <li><strong>Create an exchange</strong> by POSTing the workflow's variables
+        to its <code>exchanges</code> endpoint.</li>
+    <li><strong>Host and share an interaction URL</strong> that points the
+        graduate's wallet at that exchange.</li>
+    <li><strong>Poll the exchange</strong> until it completes, then read the
+        result.</li>
   </ol>
+  <p>
+    The workflow service does everything in between — protocol negotiation,
+    DID authentication, signing, talking to whatever wallet shows up — and hands
+    you back just the result.
+  </p>
 
-  <h2>1. Advertise the exchange</h2>
+  <h2>1. Create the exchange</h2>
   <p>
-    The wallet dereferences your interaction URL (<code>iuv=1</code>) and you
-    return the protocols you support. Offer <code>vcapi</code> for VCALM:
+    POST to your workflow's <code>exchanges</code> endpoint. The body carries a
+    <code>ttl</code> and the <code>variables</code> the workflow expects — here,
+    who the diploma is for:
   </p>
+  {% highlight "bash" %}
+POST https://workflows.example/workflows/diploma-issuance/exchanges
+  {% endhighlight %}
   {% highlight "json" %}
 {
-  "protocols": {
-    "vcapi": "https://issuer.university.example/exchanges/diploma-789"
+  "ttl": 900,
+  "variables": {
+    "subject": "did:example:graduate123",
+    "degree": "B.Sc. Computer Science"
   }
 }
   {% endhighlight %}
+  <p>
+    This call is authenticated (your service uses a capability or OAuth2 token).
+    On success the service returns <code>204 No Content</code> with a
+    <code>Location</code> header — that's your exchange URL:
+  </p>
+  {% highlight "http" %}
+HTTP/1.1 204 No Content
+Location: https://workflows.example/workflows/diploma-issuance/exchanges/z19xQ...
+  {% endhighlight %}
 
-  <h2>2. Deliver the credential</h2>
+  <h2>2. Host and share the interaction URL</h2>
   <p>
-    The wallet POSTs an empty body to start. You respond with the signed diploma
-    wrapped in a <code>verifiablePresentation</code>:
+    The exchange URL <em>is</em> the <code>vcapi</code> interaction endpoint.
+    Hosting and sharing it is the coordinator's responsibility — put it in a QR
+    code or a link, typically wrapped in a presentation request the wallet
+    understands:
   </p>
   {% highlight "json" %}
 {
-  "verifiablePresentation": {
-    "@context": ["https://www.w3.org/ns/credentials/v2"],
-    "type": ["VerifiablePresentation"],
-    "verifiableCredential": [{
-      "@context": [
-        "https://www.w3.org/ns/credentials/v2",
-        "https://w3id.org/education/v2"
-      ],
-      "type": ["VerifiableCredential", "UniversityDegreeCredential"],
-      "issuer": "did:web:university.example",
-      "credentialSubject": {
-        "id": "did:example:graduate123",
-        "degree": {"type": "BachelorDegree", "name": "B.Sc. Computer Science"}
-      },
-      "proof": { "...": "issuer signature" }
-    }]
+  "VerifiablePresentation": {
+    "interact": {
+      "service": [{
+        "type": "VerifiableCredentialApiExchangeService",
+        "serviceEndpoint": "https://workflows.example/workflows/diploma-issuance/exchanges/z19xQ..."
+      }]
+    }
   }
 }
   {% endhighlight %}
   <p>
-    The exchange is complete when you return no
-    <code>verifiablePresentationRequest</code>.
+    The graduate's wallet POSTs to that endpoint and runs the exchange with the
+    workflow service directly. DID authentication and credential delivery happen
+    there — you are not in that loop.
   </p>
 
-  <h2>3. (Optional) Authenticate the holder first</h2>
+  <h2>3. Poll for the result</h2>
   <p>
-    To bind the diploma to a holder, respond to the wallet's first POST with a
-    <code>verifiablePresentationRequest</code> for DID Authentication, then
-    deliver on the next turn:
+    While the wallet works, GET the exchange URL (authenticated) until its
+    <code>state</code> is <code>complete</code>:
   </p>
+  {% highlight "bash" %}
+GET https://workflows.example/workflows/diploma-issuance/exchanges/z19xQ...
+  {% endhighlight %}
   {% highlight "json" %}
 {
-  "verifiablePresentationRequest": {
-    "query": [{
-      "type": "DIDAuthentication",
-      "acceptedMethods": [{"method": "example"}]
-    }],
-    "challenge": "99612b24-63d9-11ea-b99f-4f66f3e4f81a",
-    "domain": "issuer.university.example"
+  "exchange": {
+    "id": "z19xQ...",
+    "state": "complete",
+    "variables": {
+      "results": {
+        "didAuthn": {
+          "did": "did:example:graduate123",
+          "verifiablePresentation": { "...": "the wallet's authenticated VP" }
+        }
+      }
+    }
   }
 }
   {% endhighlight %}
+  <p>
+    Verified per-step results land under
+    <code>exchange.variables.results</code>, keyed by the workflow's step names.
+    A <code>complete</code> state means the diploma was issued into the
+    graduate's wallet.
+  </p>
 
   <h2>That's it</h2>
   <p>
-    A conformant education issuer is this exchange: advertise, deliver, confirm.
-    The signing of the credential itself is your issuer instance's job — the
-    coordinator just runs the exchange.
+    An education issuer, as a coordinator, is these three calls: <strong>create
+    an exchange, host and share the interaction URL, poll for the result.</strong>
+    Signing the diploma and speaking every wallet's protocol is the workflow
+    service's job — you just create exchanges and read what comes back.
   </p>
 
   <p class="future">
     On the wallet end, a standalone client-side VCALM library is still planned;
-    until it ships, the raw HTTP flow is the supported path there. For the
-    issuer/coordinator side shown here, use
+    until it ships, wallets run the exchange over the raw HTTP flow. The
+    coordinator side shown here works today against any VCALM workflow service,
+    such as one running
     <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>.
   </p>
 
   <h2>Go deeper</h2>
   <ul>
+    <li><a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery — workflow service</a></li>
     <li><a href="https://www.w3.org/TR/vcalm/#did-authentication">VCALM: DID Authentication</a></li>
     <li><a href="https://www.w3.org/TR/vc-data-model-2.0/">W3C Verifiable Credentials Data Model 2.0</a></li>
     <li><a href="https://www.w3.org/TR/vcalm/">VCALM specification</a></li>
diff --git a/src/verticals/education/build/verifier.njk b/src/verticals/education/build/verifier.njk
index 3553b53..3bdf61c 100644
--- a/src/verticals/education/build/verifier.njk
+++ b/src/verticals/education/build/verifier.njk
@@ -1,135 +1,162 @@
 ---
 title: "Build a verifier — academic credentials"
-description: "Verify diplomas over VCALM in 3 steps: request a presentation, receive it, verify the proof. Server-side HTTP quick start."
+description: "Verify diplomas as a VCALM coordinator: create an exchange, share an interaction URL, poll for the verified result. A workflow service does the protocol work."
 permalink: /education/build/verifier/
 ---
-{# Layer 4 — verifier coordinator quick start. The recommended path is the
-   @bedrock/vc-delivery server; the raw HTTP loop below shows what it runs. #}
+{# Layer 4 — verifier coordinator. A coordinator is a CLIENT of a workflow
+   service; it does not run @bedrock/vc-delivery itself. It creates exchanges,
+   hosts/shares interaction URLs, and polls for verified results. #}
 <article class="prose">
   <h1>Build a verifier</h1>
   <p>
-    You run the admissions side: ask the applicant's wallet to present their
-    diploma, then verify the proof — over the same VCALM exchange loop the
-    wallet speaks.
+    You run the admissions side. As a <strong>coordinator</strong> you speak
+    VCALM — just the coordinator side of it. You don't run <em>VCALM
+    delivery</em>, the on-the-wire exchange with the applicant's wallet; a
+    <em>workflow service</em> does that and verifies the diploma for you. Your
+    job is three calls: create an exchange,
+    share an interaction URL that points the applicant's wallet at it, then poll
+    until the verified result comes back.
   </p>
 
   <aside class="recommended">
     <p class="kicker">Recommended</p>
-    <h2>Run the coordinator with @bedrock/vc-delivery</h2>
+    <h2>Drive a workflow service — don't build the protocol</h2>
     <p>
-      You don't have to build the exchange loop by hand. Digital Bazaar's
+      The protocol mess — VCALM delivery, OID4VP, replay protection, and interoperating
+      with whatever wallet an applicant brings — is handled by a <em>workflow
+      service</em>. Digital Bazaar's
       <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>
-      runs it for you today and is the supported path for verifiers.
+      is one. <strong>The workflow service runs that library; you don't.</strong>
     </p>
-    <p><code class="install">npm install @bedrock/vc-delivery</code></p>
     <p>
-      You define a <em>workflow</em> (a reusable verification config) and the
-      module handles each <em>exchange</em>. It serves VCALM (<code>vcapi</code>)
-      and also speaks OID4VCI and OID4VP, so one workflow requests and verifies
-      presentations over whichever protocol a wallet selects.
+      A goal of VCALM is to let you use a workflow service off the shelf. An
+      administrator loads a <em>workflow</em> (a reusable verification config —
+      what to request, which institutions to trust, what counts as valid). From
+      then on, whenever an applicant action needs a check, you create an exchange
+      and read back a verified result.
     </p>
   </aside>
 
-  <h2>Under the hood: the raw VCALM exchange</h2>
-  <p>
-    Want to build your own coordinator, or just see exactly what the server does
-    on the wire? It's a short HTTP loop — three things:
-  </p>
+  <h2>What the coordinator does</h2>
   <ol>
-    <li>Expose an interaction URL that advertises <code>vcapi</code>.</li>
-    <li>When the wallet POSTs to start, respond with a
-        <code>verifiablePresentationRequest</code> describing the diploma you
-        need.</li>
-    <li>Receive the <code>verifiablePresentation</code> and verify its proof,
-        challenge, and domain.</li>
+    <li><strong>Create an exchange</strong> against a workflow that requests the
+        diploma and names the institutions you trust.</li>
+    <li><strong>Host and share an interaction URL</strong> that points the
+        applicant's wallet at that exchange.</li>
+    <li><strong>Poll the exchange</strong> until it completes, then read the
+        verified result.</li>
   </ol>
+  <p>
+    The workflow service does the rest — it sends the presentation request,
+    receives the wallet's response, and verifies the proof, challenge, domain,
+    trusted issuer, and status before it ever returns a result to you.
+  </p>
 
-  <h2>1. Request the diploma</h2>
+  <h2>1. Create the exchange</h2>
   <p>
-    When the wallet POSTs an empty body to your exchange URL, respond with a
-    <code>QueryByExample</code> asking for the credential type you need:
+    POST to your workflow's <code>exchanges</code> endpoint. The workflow already
+    encodes <em>request a university degree</em> and <em>trust this
+    institution</em>; you pass just the per-exchange variables:
   </p>
+  {% highlight "bash" %}
+POST https://workflows.example/workflows/diploma-check/exchanges
+  {% endhighlight %}
   {% highlight "json" %}
 {
-  "verifiablePresentationRequest": {
-    "query": [{
-      "type": "QueryByExample",
-      "credentialQuery": [{
-        "reason": "Please present your university degree to continue your application.",
-        "example": {
-          "@context": [
-            "https://www.w3.org/ns/credentials/v2",
-            "https://w3id.org/education/v2"
-          ],
-          "type": "UniversityDegreeCredential"
-        },
-        "trustedIssuer": [{
-          "required": true,
-          "issuer": "did:web:university.example"
-        }]
-      }]
-    }],
-    "challenge": "3182bdea-63d9-11ea-b6de-3b7c1404d57f",
-    "domain": "admissions.example"
+  "ttl": 900,
+  "variables": {
+    "reason": "Please present your university degree to continue your application."
   }
 }
   {% endhighlight %}
   <p>
-    The <code>challenge</code> and <code>domain</code> are what you'll verify in
-    the returned proof — they stop a captured presentation from being replayed.
-    Use <code>trustedIssuer</code> to require a degree from a specific
-    institution.
+    This call is authenticated. On success the service returns
+    <code>204 No Content</code> with a <code>Location</code> header — your
+    exchange URL:
+  </p>
+  {% highlight "http" %}
+HTTP/1.1 204 No Content
+Location: https://workflows.example/workflows/diploma-check/exchanges/z19xQ...
+  {% endhighlight %}
+  <p>
+    The workflow's <code>challenge</code> and <code>domain</code> stop a captured
+    presentation from being replayed; its <code>trustedIssuer</code> setting
+    requires a degree from a specific institution.
   </p>
 
-  <h2>2. Receive the presentation</h2>
+  <h2>2. Host and share the interaction URL</h2>
   <p>
-    The wallet POSTs the signed presentation back to the same exchange URL:
+    The exchange URL <em>is</em> the <code>vcapi</code> interaction endpoint.
+    Hosting and sharing it is the coordinator's responsibility — put it in a QR
+    code or a link, typically wrapped in a presentation request:
   </p>
   {% highlight "json" %}
 {
-  "verifiablePresentation": {
-    "@context": ["https://www.w3.org/ns/credentials/v2"],
-    "type": ["VerifiablePresentation"],
-    "holder": "did:example:graduate123",
-    "verifiableCredential": [{ "...": "the diploma VC" }],
-    "proof": {
-      "challenge": "3182bdea-63d9-11ea-b6de-3b7c1404d57f",
-      "domain": "admissions.example",
-      "...": "holder signature"
+  "VerifiablePresentation": {
+    "interact": {
+      "service": [{
+        "type": "VerifiableCredentialApiExchangeService",
+        "serviceEndpoint": "https://workflows.example/workflows/diploma-check/exchanges/z19xQ..."
+      }]
     }
   }
 }
   {% endhighlight %}
+  <p>
+    The applicant's wallet POSTs to that endpoint and runs the exchange with the
+    workflow service directly. You are not in that loop.
+  </p>
 
-  <h2>3. Verify the proof</h2>
-  <p>Before you trust the diploma, check all of the following:</p>
-  <ul>
-    <li>The presentation <strong>proof</strong> is valid and the
-        <code>challenge</code> / <code>domain</code> match what you sent.</li>
-    <li>Each credential's <strong>proof</strong> is valid and the issuer is
-        one you trust.</li>
-    <li>The credential is not <strong>revoked or suspended</strong> (check its
-        status).</li>
-    <li>The credential is <strong>unexpired</strong> and the type matches your
-        request.</li>
-  </ul>
+  <h2>3. Poll for the verified result</h2>
+  <p>
+    GET the exchange URL (authenticated) until its <code>state</code> is
+    <code>complete</code>:
+  </p>
+  {% highlight "bash" %}
+GET https://workflows.example/workflows/diploma-check/exchanges/z19xQ...
+  {% endhighlight %}
+  {% highlight "json" %}
+{
+  "exchange": {
+    "id": "z19xQ...",
+    "state": "complete",
+    "variables": {
+      "results": {
+        "diplomaCheck": {
+          "did": "did:example:graduate123",
+          "verifiablePresentation": { "...": "verified: the diploma VC" }
+        }
+      }
+    }
+  }
+}
+  {% endhighlight %}
+  <p>
+    A <code>complete</code> state means the workflow service already verified the
+    presentation for you — proof, challenge, domain, trusted issuer, and
+    revocation/expiry status. The verified result lands under
+    <code>exchange.variables.results</code>, keyed by the workflow's step names.
+  </p>
 
   <h2>That's it</h2>
   <p>
-    A conformant education verifier is this exchange: request, receive, verify.
-    The cryptographic verification itself is your verifier instance's job — the
-    coordinator just runs the exchange.
+    An education verifier, as a coordinator, is these three calls: <strong>create
+    an exchange, host and share the interaction URL, poll for the verified
+    result.</strong> The cryptographic verification and protocol interop are the
+    workflow service's job — you create exchanges and read what comes back.
   </p>
 
   <p class="future">
     On the wallet end, a standalone client-side VCALM library is still planned;
-    until it ships, the raw HTTP flow is the supported path there. For the
-    verifier/coordinator side shown here, use
+    until it ships, wallets run the exchange over the raw HTTP flow. The
+    coordinator side shown here works today against any VCALM workflow service,
+    such as one running
     <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>.
   </p>
 
   <h2>Go deeper</h2>
   <ul>
+    <li><a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery — workflow service</a></li>
     <li><a href="https://www.w3.org/TR/vcalm/#query-by-example">VCALM: QueryByExample</a></li>
     <li><a href="https://www.w3.org/TR/vcalm/#verifiable-presentation-request">VCALM: Verifiable Presentation Request</a></li>
     <li><a href="https://www.w3.org/TR/vcalm/">VCALM specification</a></li>
diff --git a/src/verticals/government/build/issuer.njk b/src/verticals/government/build/issuer.njk
deleted file mode 100644
index b159028..0000000
--- a/src/verticals/government/build/issuer.njk
+++ /dev/null
@@ -1,129 +0,0 @@
----
-title: "Build an issuer (DMV) — mobile driver's license"
-description: "Issue a mobile driver's license over VCALM in 3 steps: start an exchange, deliver a signed VC, confirm. Server-side HTTP quick start."
-permalink: /government/build/issuer/
----
-{# Layer 4 — issuer coordinator. The recommended path is the
-   @bedrock/vc-delivery server; the raw HTTP loop below shows what it runs. #}
-<article class="prose">
-  <h1>Build an issuer</h1>
-  <p>
-    You run the DMV side: start an exchange and deliver a signed mobile license
-    into the resident's wallet — over the same VCALM exchange loop the wallet
-    speaks.
-  </p>
-
-  <aside class="recommended">
-    <p class="kicker">Recommended</p>
-    <h2>Run the coordinator with @bedrock/vc-delivery</h2>
-    <p>
-      You don't have to build the exchange loop by hand. Digital Bazaar's
-      <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>
-      runs it for you today and is the supported path for issuers.
-    </p>
-    <p><code class="install">npm install @bedrock/vc-delivery</code></p>
-    <p>
-      You define a <em>workflow</em> (a reusable issuance config) and the module
-      handles each <em>exchange</em>. It serves VCALM (<code>vcapi</code>) and
-      also speaks OID4VCI and OID4VP, so one workflow delivers credentials over
-      whichever protocol a wallet selects.
-    </p>
-  </aside>
-
-  <h2>Under the hood: the raw VCALM exchange</h2>
-  <p>
-    Want to build your own coordinator, or just see exactly what the server does
-    on the wire? It's a short HTTP loop — three things:
-  </p>
-  <ol>
-    <li>Expose an interaction URL (in a QR code or link) that advertises
-        <code>vcapi</code>.</li>
-    <li>Authenticate the resident, then deliver the license in a
-        <code>verifiablePresentation</code>.</li>
-    <li>Finish the exchange.</li>
-  </ol>
-
-  <h2>1. Advertise the exchange</h2>
-  <p>
-    The wallet dereferences your interaction URL (<code>iuv=1</code>) and you
-    return the protocols you support. Offer <code>vcapi</code> for VCALM:
-  </p>
-  {% highlight "json" %}
-{
-  "protocols": {
-    "vcapi": "https://issuer.dmv.state.example/exchanges/mdl-456"
-  }
-}
-  {% endhighlight %}
-
-  <h2>2. Authenticate, then deliver</h2>
-  <p>
-    Identity credentials should be bound to the holder. Respond to the wallet's
-    first POST with a DID Authentication request:
-  </p>
-  {% highlight "json" %}
-{
-  "verifiablePresentationRequest": {
-    "query": [{
-      "type": "DIDAuthentication",
-      "acceptedMethods": [{"method": "example"}]
-    }],
-    "challenge": "99612b24-63d9-11ea-b99f-4f66f3e4f81a",
-    "domain": "issuer.dmv.state.example"
-  }
-}
-  {% endhighlight %}
-  <p>On the next turn, deliver the signed mobile license:</p>
-  {% highlight "json" %}
-{
-  "verifiablePresentation": {
-    "@context": ["https://www.w3.org/ns/credentials/v2"],
-    "type": ["VerifiablePresentation"],
-    "verifiableCredential": [{
-      "@context": [
-        "https://www.w3.org/ns/credentials/v2",
-        "https://w3id.org/vc/mdl/v1"
-      ],
-      "type": ["VerifiableCredential", "Iso18013DriversLicenseCredential"],
-      "issuer": "did:web:dmv.state.example",
-      "credentialSubject": {
-        "id": "did:example:resident123",
-        "family_name": "Doe",
-        "given_name": "Jordan",
-        "birth_date": "1998-05-12",
-        "document_number": "D1234567",
-        "driving_privileges": [{"vehicle_category_code": "C"}]
-      },
-      "proof": { "...": "DMV signature" }
-    }]
-  }
-}
-  {% endhighlight %}
-  <p>
-    The exchange is complete when you return no
-    <code>verifiablePresentationRequest</code>.
-  </p>
-
-  <h2>That's it</h2>
-  <p>
-    A conformant DMV issuer is this exchange: advertise, authenticate, deliver,
-    confirm. Signing the credential is your issuer instance's job — the
-    coordinator just runs the exchange.
-  </p>
-
-  <p class="future">
-    On the wallet end, a standalone client-side VCALM library is still planned;
-    until it ships, the raw HTTP flow is the supported path there. For the
-    issuer/coordinator side shown here, use
-    <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>.
-  </p>
-
-  <h2>Go deeper</h2>
-  <ul>
-    <li><a href="https://www.w3.org/TR/vcalm/#did-authentication">VCALM: DID Authentication</a></li>
-    <li><a href="https://www.w3.org/TR/vc-data-model-2.0/">W3C Verifiable Credentials Data Model 2.0</a></li>
-    <li><a href="https://www.w3.org/TR/vcalm/">VCALM specification</a></li>
-  </ul>
-
-  <p class="cta"><a class="btn" href="/government/build/">← Back to roles</a></p>
-</article>
diff --git a/src/verticals/government/build/verifier.njk b/src/verticals/government/build/verifier.njk
deleted file mode 100644
index 6778162..0000000
--- a/src/verticals/government/build/verifier.njk
+++ /dev/null
@@ -1,136 +0,0 @@
----
-title: "Build a verifier (relying party) — mobile driver's license"
-description: "Verify a mobile driver's license over VCALM in 3 steps: request, receive, verify. Selective disclosure — prove age without revealing identity. HTTP quick start."
-permalink: /government/build/verifier/
----
-{# Layer 4 — verifier coordinator. The recommended path is the
-   @bedrock/vc-delivery server; the raw HTTP loop below shows what it runs.
-   Highlights selective disclosure (prove "over 21" without birthdate). #}
-<article class="prose">
-  <h1>Build a verifier</h1>
-  <p>
-    You run the relying-party side — a bar, an airport, a website. You ask the
-    resident's wallet to present just what you need, then verify the proof, over
-    the same VCALM exchange loop the wallet speaks.
-  </p>
-
-  <aside class="recommended">
-    <p class="kicker">Recommended</p>
-    <h2>Run the coordinator with @bedrock/vc-delivery</h2>
-    <p>
-      You don't have to build the exchange loop by hand. Digital Bazaar's
-      <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>
-      runs it for you today and is the supported path for verifiers.
-    </p>
-    <p><code class="install">npm install @bedrock/vc-delivery</code></p>
-    <p>
-      You define a <em>workflow</em> (a reusable verification config) and the
-      module handles each <em>exchange</em>. It serves VCALM (<code>vcapi</code>)
-      and also speaks OID4VCI and OID4VP, so one workflow requests and verifies
-      presentations over whichever protocol a wallet selects.
-    </p>
-  </aside>
-
-  <h2>Under the hood: the raw VCALM exchange</h2>
-  <p>
-    Want to build your own coordinator, or just see exactly what the server does
-    on the wire? It's a short HTTP loop — three things:
-  </p>
-  <ol>
-    <li>Expose an interaction URL that advertises <code>vcapi</code>.</li>
-    <li>When the wallet POSTs to start, respond with a
-        <code>verifiablePresentationRequest</code> for only the fields you need.</li>
-    <li>Receive the <code>verifiablePresentation</code> and verify its proof,
-        challenge, and domain.</li>
-  </ol>
-
-  <h2>1. Request only what you need</h2>
-  <p>
-    Don't ask for the whole license. Request a single attribute — here, proof of
-    age — so the resident reveals nothing more:
-  </p>
-  {% highlight "json" %}
-{
-  "verifiablePresentationRequest": {
-    "query": [{
-      "type": "QueryByExample",
-      "credentialQuery": [{
-        "reason": "Please prove you are over 21 to continue.",
-        "example": {
-          "@context": [
-            "https://www.w3.org/ns/credentials/v2",
-            "https://w3id.org/vc/mdl/v1"
-          ],
-          "type": "Iso18013DriversLicenseCredential"
-        },
-        "trustedIssuer": [{
-          "required": true,
-          "issuer": "did:web:dmv.state.example"
-        }]
-      }]
-    }],
-    "challenge": "3182bdea-63d9-11ea-b6de-3b7c1404d57f",
-    "domain": "checkout.example"
-  }
-}
-  {% endhighlight %}
-  <p>
-    With selective disclosure, a well-built wallet returns a derived proof of
-    "over 21" — not the birthdate itself. The <code>challenge</code> and
-    <code>domain</code> stop a captured presentation from being replayed.
-  </p>
-
-  <h2>2. Receive the presentation</h2>
-  <p>The wallet POSTs the signed presentation back to the same exchange URL:</p>
-  {% highlight "json" %}
-{
-  "verifiablePresentation": {
-    "@context": ["https://www.w3.org/ns/credentials/v2"],
-    "type": ["VerifiablePresentation"],
-    "holder": "did:example:resident123",
-    "verifiableCredential": [{ "...": "derived proof: age_over_21 = true" }],
-    "proof": {
-      "challenge": "3182bdea-63d9-11ea-b6de-3b7c1404d57f",
-      "domain": "checkout.example",
-      "...": "holder signature"
-    }
-  }
-}
-  {% endhighlight %}
-
-  <h2>3. Verify the proof</h2>
-  <p>Before you trust the result, check all of the following:</p>
-  <ul>
-    <li>The presentation <strong>proof</strong> is valid and the
-        <code>challenge</code> / <code>domain</code> match what you sent.</li>
-    <li>The credential's <strong>proof</strong> is valid and the issuer is the
-        DMV you trust.</li>
-    <li>The license is not <strong>revoked or suspended</strong> — check its
-        status.</li>
-    <li>The license is <strong>unexpired</strong> and the disclosed claim
-        answers your request.</li>
-  </ul>
-
-  <h2>That's it</h2>
-  <p>
-    A conformant relying-party verifier is this exchange: request, receive,
-    verify. The cryptographic verification is your verifier instance's job — the
-    coordinator just runs the exchange.
-  </p>
-
-  <p class="future">
-    On the wallet end, a standalone client-side VCALM library is still planned;
-    until it ships, the raw HTTP flow is the supported path there. For the
-    verifier/coordinator side shown here, use
-    <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>.
-  </p>
-
-  <h2>Go deeper</h2>
-  <ul>
-    <li><a href="https://www.w3.org/TR/vcalm/#query-by-example">VCALM: QueryByExample</a></li>
-    <li><a href="https://www.w3.org/TR/vcalm/#verifiable-presentation-request">VCALM: Verifiable Presentation Request</a></li>
-    <li><a href="https://www.w3.org/TR/vcalm/">VCALM specification</a></li>
-  </ul>
-
-  <p class="cta"><a class="btn" href="/government/build/">← Back to roles</a></p>
-</article>
diff --git a/src/verticals/government/index.njk b/src/verticals/government/index.njk
deleted file mode 100644
index 8276681..0000000
--- a/src/verticals/government/index.njk
+++ /dev/null
@@ -1,191 +0,0 @@
----
-title: "Mobile driver's licenses & digital ID with VCALM"
-shortName: "Government & digital ID"
-cardTitle: "Mobile driver's licenses & digital ID"
-summary: "Issue mobile driver's licenses and digital IDs residents control — verifiable anywhere, with any wallet."
-description: "Issue mobile driver's licenses (mDL) and digital identity credentials with W3C Verifiable Credentials over VCALM — resident-controlled, any wallet, no allow-lists, privacy by design."
-order: 3
-permalink: /government/
----
-{# Single-page government/DMV vertical. Anchor: mobile driver's license (mDL).
-   Lean on wallet-choice / no-allow-list / privacy — the user-liberty angle. #}
-<script type="application/ld+json">
-{
-  "@context": "https://schema.org",
-  "@type": "FAQPage",
-  "mainEntity": [
-    {"@type": "Question", "name": "How is a mobile driver's license (mDL) issued and verified?",
-     "acceptedAnswer": {"@type": "Answer", "text": "The DMV signs the license as a W3C Verifiable Credential and delivers it to the resident's wallet of choice over VCALM (the VC API). A relying party verifies it cryptographically in person or online — no callbacks to the DMV — and the resident approves each share with one tap."}},
-    {"@type": "Question", "name": "Can a digital ID prove age without revealing a birthdate?",
-     "acceptedAnswer": {"@type": "Answer", "text": "Yes. With selective disclosure, a resident can prove a single fact — such as 'over 21' or 'license valid' — without revealing name, address, or birthdate. Only the field requested is shared."}},
-    {"@type": "Question", "name": "Does a mobile driver's license lock residents to a government app?",
-     "acceptedAnswer": {"@type": "Answer", "text": "Not with VCALM. The license works with any conformant wallet, so residents keep their choice of app. The OpenID/mdoc approach often pairs with wallet attestation and allow-lists, which let the state decide which apps are accepted."}},
-    {"@type": "Question", "name": "Is a VCALM mobile driver's license private?",
-     "acceptedAnswer": {"@type": "Answer", "text": "Yes. Data minimization is built into every request, nothing is shared without explicit one-tap consent, and the state cannot observe where the credential is used."}},
-    {"@type": "Question", "name": "Why VCALM vs. OID4?",
-     "acceptedAnswer": {"@type": "Answer", "text": "The OID4VCI / OID4VP, mdoc-centric approach often pairs with wallet attestation and allow-lists, which means the DMV has to certify, build, and maintain an integration for every wallet it supports. With VCALM you issue once to an open standard and any conformant wallet works, so there is no per-wallet integration to own."}}
-  ]
-}
-</script>
-<section class="hero">
-  <h1>{{ title }}</h1>
-  <p class="promise">
-    Issue mobile driver's licenses and digital IDs that residents truly control —
-    verifiable in person or online, with the wallet of their choice, and without
-    locking citizens to a government-approved app.
-  </p>
-  <p class="direct-answer">
-    To issue a mobile driver's license, a DMV signs it as a
-    <strong>W3C Verifiable Credential</strong> and delivers it to the resident's
-    wallet of choice over <strong>VCALM</strong> (the VC API). A relying party
-    verifies it cryptographically — in person or online — and with selective
-    disclosure the resident can prove one fact, like "over 21," without
-    revealing name, address, or birthdate.
-  </p>
-</section>
-
-<section class="flow">
-  {% set flowSteps = [
-    {icon: flowIcons.govIssue,    label: "DMV issues a mobile license",    caption: "Resident picks their own wallet -- no state-mandated app"},
-    {icon: flowIcons.govHold,     label: "Resident holds and controls it", caption: "Nothing shared without one-tap, explicit consent"},
-    {icon: flowIcons.govDisclose, label: "Proves one fact",                caption: "Over 21 -- no name, address, or birthdate revealed"}
-  ] %}
-  {% set flowFooter = "Any conformant wallet -- no state-mandated app -- selective disclosure by design" %}
-  {% include "partials/flow-diagram.njk" %}
-</section>
-
-<article class="prose experience">
-  <h2>What it feels like to use</h2>
-  <p class="lede">
-    The technology is invisible by design. Here's what each person actually
-    does — and what they no longer have to.
-  </p>
-
-  <ol class="journey">
-    <li>
-      <h3>The DMV issues a mobile license</h3>
-      <p>
-        A resident requests their mobile driver's license from the DMV portal or
-        app. They authenticate once, pick the wallet they already use, and the
-        license lands in it — alongside their existing physical card.
-      </p>
-      <p class="aside">No state-mandated app. Their wallet, their choice.</p>
-    </li>
-    <li>
-      <h3>The resident holds and controls it</h3>
-      <p>
-        The license lives on their phone, under their control. Nothing is shared
-        automatically — every presentation needs an explicit, one-time approval
-        the resident sees and consents to.
-      </p>
-      <p class="aside">The state can't watch where it's used.</p>
-    </li>
-    <li>
-      <h3>They prove just one thing, when needed</h3>
-      <p>
-        At a bar, the resident taps to prove <em>"over 21"</em> — and reveals
-        nothing else. No name, no address, no birthdate. At an airport or a
-        website, they share exactly the fields asked for, and no more.
-      </p>
-      <p class="aside">Selective disclosure: minimum data, every time.</p>
-    </li>
-  </ol>
-
-  <div class="benefits-cols">
-    <div class="benefits-col">
-      <h3><span class="benefits-icon">{{ flowIcons.person | safe }}</span>What the resident experiences</h3>
-      <ul class="benefits">
-        <li><strong>Their choice of wallet.</strong> Not a single government-approved app.</li>
-        <li><strong>Prove a fact, not your identity.</strong> "Over 21" without your birthdate.</li>
-        <li><strong>One-tap consent.</strong> Nothing leaves the phone without approval.</li>
-        <li><strong>No tracking.</strong> The state doesn't see each place it's used.</li>
-      </ul>
-    </div>
-    <div class="benefits-col">
-      <h3><span class="benefits-icon">{{ flowIcons.institution | safe }}</span>What the agency experiences</h3>
-      <ul class="benefits">
-        <li><strong>Privacy by design.</strong> Data minimization is built into every request.</li>
-        <li><strong>Instant, tamper-evident checks.</strong> No call-backs to the DMV.</li>
-        <li><strong>No vendor or wallet lock-in.</strong> Works with every conformant wallet.</li>
-        <li><strong>Standards-based.</strong> Built on open W3C Verifiable Credentials.</li>
-      </ul>
-    </div>
-  </div>
-</article>
-
-<article class="prose">
-  <h2>How it works</h2>
-  <p>One diagram, three actors, one loop.</p>
-
-  <pre class="diagram">
-     DMV                   RESIDENT              RELYING PARTY
-  (issuer)             (wallet of choice)         (verifier)
-     |                      |                          |
-     | -- delivers -->      |                          |
-     |  mobile license VC   |                          |
-     |                      | &lt;-- asks for --           |
-     |                      |   proof of age / validity |
-     |                      | -- presents -->           |
-     |                      |   only what's needed      |
-     |                      |                     verifies (ok)
-  </pre>
-
-  <ul>
-    <li>A mobile license is signed JSON the resident holds and controls.</li>
-    <li>
-      <strong>Delivery</strong> (DMV → resident) and
-      <strong>presentation</strong> (resident → verifier) are the same simple
-      exchange loop: POST, read what the server wants, POST back.
-    </li>
-    <li>
-      With selective disclosure, the resident can prove a single fact —
-      "over 21," "license valid" — without revealing name, address, or birthdate.
-    </li>
-  </ul>
-</article>
-
-<section class="fit">
-  <h2>A good fit if…</h2>
-  <ul>
-    <li>You issue identity or entitlement credentials to the public.</li>
-    <li>You want residents to choose their own wallet, not an approved list.</li>
-    <li>You need selective disclosure — prove a fact without revealing everything.</li>
-  </ul>
-  <p class="cta">
-    <a class="btn primary" href="/government/build/">Start building</a>
-  </p>
-</section>
-
-<article class="prose">
-  <h2>Common questions</h2>
-  <div class="faq">
-    <h3>Can a digital ID prove age without revealing a birthdate?</h3>
-    <p>
-      Yes. With selective disclosure, a resident proves a single fact — "over
-      21," "license valid" — without revealing name, address, or birthdate.
-    </p>
-
-    <h3>Does a mobile driver's license lock residents to a government app?</h3>
-    <p>
-      Not with VCALM — the license works with any conformant wallet. The
-      OpenID/mdoc approach often pairs with attestation and allow-lists that let
-      the state decide which apps are accepted.
-    </p>
-
-    <h3>Is a VCALM mobile driver's license private?</h3>
-    <p>
-      Yes. Data minimization is built into every request, nothing is shared
-      without one-tap consent, and the state can't see where it's used.
-    </p>
-
-    <h3>Why VCALM vs. OID4?</h3>
-    <p>
-      The OID4VCI / OID4VP, mdoc-centric approach often pairs with wallet
-      "attestation" and allow-lists — which means the DMV has to certify, and
-      build and maintain an integration for, every wallet it wants to support.
-      With VCALM, you issue once to an open standard and any conformant wallet
-      works, so there's no per-wallet integration to own. <a href="/why-vcalm/">See
-      the full comparison.</a>
-    </p>
-  </div>
-</article>
diff --git a/src/verticals/government/build/index.njk b/src/verticals/student-id/build/index.njk
similarity index 58%
rename from src/verticals/government/build/index.njk
rename to src/verticals/student-id/build/index.njk
index add604c..5720baf 100644
--- a/src/verticals/government/build/index.njk
+++ b/src/verticals/student-id/build/index.njk
@@ -1,7 +1,7 @@
 ---
-title: "What are you building? — mobile driver's license & digital ID"
-description: "Pick your role: wallet, issuer (DMV), or verifier (relying party). You only implement your piece."
-permalink: /government/build/
+title: "What are you building? — digital student ID"
+description: "Pick your role: wallet, issuer (school/registrar), or verifier (campus service or partner). You only implement your piece."
+permalink: /student-id/build/
 ---
 {# Layer 3 — role picker = conformance-class scoping. #}
 <article class="prose">
@@ -10,25 +10,25 @@ permalink: /government/build/
 
   <ul class="role-grid">
     <li>
-      <a href="/government/build/wallet/">
+      <a href="/student-id/build/wallet/">
         <h3>Wallet</h3>
-        <p>The app holding the resident's mobile license.</p>
+        <p>The app holding the student's ID.</p>
         <p><strong>You implement:</strong> an exchange client — POST, handle VPRs, return VPs.</p>
         <p class="effort">~3 things, a few days</p>
       </a>
     </li>
     <li>
-      <a href="/government/build/issuer/">
-        <h3>Issuer (DMV)</h3>
-        <p>The agency issuing the mobile license.</p>
+      <a href="/student-id/build/issuer/">
+        <h3>Issuer (school)</h3>
+        <p>The registrar issuing the student ID.</p>
         <p><strong>You implement:</strong> start an exchange, deliver a signed VC.</p>
         <p class="effort">small, separate piece</p>
       </a>
     </li>
     <li>
-      <a href="/government/build/verifier/">
-        <h3>Verifier (relying party)</h3>
-        <p>Whoever checks the license — bar, airport, website.</p>
+      <a href="/student-id/build/verifier/">
+        <h3>Verifier (campus or partner)</h3>
+        <p>Whoever checks the ID — library, lab door, partner venue.</p>
         <p><strong>You implement:</strong> request a presentation, verify the proof.</p>
         <p class="effort">small, separate piece</p>
       </a>
diff --git a/src/verticals/student-id/build/issuer.njk b/src/verticals/student-id/build/issuer.njk
new file mode 100644
index 0000000..095abdc
--- /dev/null
+++ b/src/verticals/student-id/build/issuer.njk
@@ -0,0 +1,163 @@
+---
+title: "Build an issuer (school) — digital student ID"
+description: "Issue a digital student ID as a VCALM coordinator: create an exchange, share an interaction URL, poll for the result. A workflow service does the protocol work."
+permalink: /student-id/build/issuer/
+---
+{# Layer 4 — issuer coordinator. A coordinator is a CLIENT of a workflow
+   service; it does not run @bedrock/vc-delivery itself. It only creates
+   exchanges, hosts/shares interaction URLs, and polls for results. #}
+<article class="prose">
+  <h1>Build an issuer</h1>
+  <p>
+    You run the school side. As a <strong>coordinator</strong> you speak VCALM —
+    just the coordinator side of it. You don't run <em>VCALM delivery</em>, the
+    on-the-wire exchange with the student's wallet; a <em>workflow service</em>
+    does that. Your whole job is three calls: create an
+    exchange, share an interaction URL that points the student's wallet at it,
+    then poll the exchange until the wallet has been issued the student ID.
+  </p>
+
+  <aside class="recommended">
+    <p class="kicker">Recommended</p>
+    <h2>Drive a workflow service — don't build the protocol</h2>
+    <p>
+      The protocol mess — VCALM delivery, OID4VCI, OID4VP, and interoperating with
+      whatever wallet a student brings — is handled by a <em>workflow
+      service</em>. Digital Bazaar's
+      <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>
+      is one. <strong>The workflow service runs that library; you don't.</strong>
+    </p>
+    <p>
+      A goal of VCALM is to let you use a workflow service off the shelf. An
+      administrator loads the <em>workflows</em> you need (a reusable issuance
+      config — what to issue, what to ask for). From then on, whenever a student
+      action requires a credential exchange, you just create an exchange against
+      that workflow and read back the result.
+    </p>
+  </aside>
+
+  <h2>What the coordinator does</h2>
+  <ol>
+    <li><strong>Create an exchange</strong> by POSTing the workflow's variables
+        to its <code>exchanges</code> endpoint.</li>
+    <li><strong>Host and share an interaction URL</strong> that points the
+        student's wallet at that exchange.</li>
+    <li><strong>Poll the exchange</strong> until it completes, then read the
+        result.</li>
+  </ol>
+  <p>
+    The workflow service does everything in between — protocol negotiation,
+    DID authentication, signing, talking to whatever wallet shows up — and hands
+    you back just the result.
+  </p>
+
+  <h2>1. Create the exchange</h2>
+  <p>
+    POST to your workflow's <code>exchanges</code> endpoint. The body carries a
+    <code>ttl</code> and the <code>variables</code> the workflow expects — here,
+    who the student ID is for:
+  </p>
+  {% highlight "bash" %}
+POST https://workflows.example/workflows/student-id-issuance/exchanges
+  {% endhighlight %}
+  {% highlight "json" %}
+{
+  "ttl": 900,
+  "variables": {
+    "subject": "did:example:student123",
+    "student_number": "S1234567"
+  }
+}
+  {% endhighlight %}
+  <p>
+    This call is authenticated (your service uses a capability or OAuth2 token).
+    On success the service returns <code>204 No Content</code> with a
+    <code>Location</code> header — that's your exchange URL:
+  </p>
+  {% highlight "http" %}
+HTTP/1.1 204 No Content
+Location: https://workflows.example/workflows/student-id-issuance/exchanges/z19xQ...
+  {% endhighlight %}
+
+  <h2>2. Host and share the interaction URL</h2>
+  <p>
+    The exchange URL <em>is</em> the <code>vcapi</code> interaction endpoint.
+    Hosting and sharing it is the coordinator's responsibility — put it in a QR
+    code or a link, typically wrapped in a presentation request the wallet
+    understands:
+  </p>
+  {% highlight "json" %}
+{
+  "VerifiablePresentation": {
+    "interact": {
+      "service": [{
+        "type": "VerifiableCredentialApiExchangeService",
+        "serviceEndpoint": "https://workflows.example/workflows/student-id-issuance/exchanges/z19xQ..."
+      }]
+    }
+  }
+}
+  {% endhighlight %}
+  <p>
+    The student's wallet POSTs to that endpoint and runs the exchange with the
+    workflow service directly. DID authentication and credential delivery happen
+    there — you are not in that loop.
+  </p>
+
+  <h2>3. Poll for the result</h2>
+  <p>
+    While the wallet works, GET the exchange URL (authenticated) until its
+    <code>state</code> is <code>complete</code>:
+  </p>
+  {% highlight "bash" %}
+GET https://workflows.example/workflows/student-id-issuance/exchanges/z19xQ...
+  {% endhighlight %}
+  {% highlight "json" %}
+{
+  "exchange": {
+    "id": "z19xQ...",
+    "state": "complete",
+    "variables": {
+      "results": {
+        "didAuthn": {
+          "did": "did:example:student123",
+          "verifiablePresentation": { "...": "the wallet's authenticated VP" }
+        }
+      }
+    }
+  }
+}
+  {% endhighlight %}
+  <p>
+    Verified per-step results land under
+    <code>exchange.variables.results</code>, keyed by the workflow's step names.
+    A <code>complete</code> state means the student ID was issued into the
+    student's wallet.
+  </p>
+
+  <h2>That's it</h2>
+  <p>
+    A school issuer, as a coordinator, is these three calls: <strong>create an
+    exchange, host and share the interaction URL, poll for the result.</strong>
+    Signing the student ID and speaking every wallet's protocol is the workflow
+    service's job — you just create exchanges and read what comes back.
+  </p>
+
+  <p class="future">
+    On the wallet end, a standalone client-side VCALM library is still planned;
+    until it ships, wallets run the exchange over the raw HTTP flow. The
+    coordinator side shown here works today against any VCALM workflow service,
+    such as one running
+    <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>.
+  </p>
+
+  <h2>Go deeper</h2>
+  <ul>
+    <li><a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery — workflow service</a></li>
+    <li><a href="https://www.w3.org/TR/vcalm/#did-authentication">VCALM: DID Authentication</a></li>
+    <li><a href="https://www.w3.org/TR/vc-data-model-2.0/">W3C Verifiable Credentials Data Model 2.0</a></li>
+    <li><a href="https://www.w3.org/TR/vcalm/">VCALM specification</a></li>
+  </ul>
+
+  <p class="cta"><a class="btn" href="/student-id/build/">← Back to roles</a></p>
+</article>
diff --git a/src/verticals/student-id/build/verifier.njk b/src/verticals/student-id/build/verifier.njk
new file mode 100644
index 0000000..4041a62
--- /dev/null
+++ b/src/verticals/student-id/build/verifier.njk
@@ -0,0 +1,169 @@
+---
+title: "Build a verifier (campus or partner) — digital student ID"
+description: "Verify a digital student ID as a VCALM coordinator: create an exchange, share an interaction URL, poll for the verified result. Selective disclosure — prove enrollment without revealing identity."
+permalink: /student-id/build/verifier/
+---
+{# Layer 4 — verifier coordinator. A coordinator is a CLIENT of a workflow
+   service; it does not run @bedrock/vc-delivery itself. It creates exchanges,
+   hosts/shares interaction URLs, and polls for verified results. The workflow
+   here requests only "currently enrolled" — selective disclosure. #}
+<article class="prose">
+  <h1>Build a verifier</h1>
+  <p>
+    You run the relying-party side — a library, a lab door, a partner venue. As
+    a <strong>coordinator</strong> you speak VCALM — just the coordinator side of
+    it. You don't run <em>VCALM delivery</em>, the on-the-wire exchange with the
+    student's wallet; a <em>workflow service</em> does that and verifies the
+    proof for you. Your job
+    is three calls: create an exchange, share an interaction URL that points the
+    student's wallet at it, then poll until the verified result comes back.
+  </p>
+
+  <aside class="recommended">
+    <p class="kicker">Recommended</p>
+    <h2>Drive a workflow service — don't build the protocol</h2>
+    <p>
+      The protocol mess — VCALM delivery, OID4VP, replay protection, and interoperating
+      with whatever wallet a student brings — is handled by a <em>workflow
+      service</em>. Digital Bazaar's
+      <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>
+      is one. <strong>The workflow service runs that library; you don't.</strong>
+    </p>
+    <p>
+      A goal of VCALM is to let you use a workflow service off the shelf. An
+      administrator loads a <em>workflow</em> (a reusable verification config —
+      what to request, which schools to trust, what counts as valid). From then
+      on, whenever a student action needs a check, you create an exchange and
+      read back a verified result.
+    </p>
+  </aside>
+
+  <h2>What the coordinator does</h2>
+  <ol>
+    <li><strong>Create an exchange</strong> against a workflow that requests only
+        what you need — here, proof of enrollment.</li>
+    <li><strong>Host and share an interaction URL</strong> that points the
+        student's wallet at that exchange.</li>
+    <li><strong>Poll the exchange</strong> until it completes, then read the
+        verified result.</li>
+  </ol>
+  <p>
+    The workflow service does the rest — it sends the presentation request,
+    receives the wallet's response, and verifies the proof, challenge, domain,
+    issuer, and status before it ever returns a result to you.
+  </p>
+
+  <h2>1. Create the exchange</h2>
+  <p>
+    POST to your workflow's <code>exchanges</code> endpoint. The workflow already
+    encodes <em>request only "currently enrolled"</em> and <em>trust the
+    school</em>; you pass just the per-exchange variables:
+  </p>
+  {% highlight "bash" %}
+POST https://workflows.example/workflows/enrollment-check/exchanges
+  {% endhighlight %}
+  {% highlight "json" %}
+{
+  "ttl": 900,
+  "variables": {
+    "reason": "Please prove you are currently enrolled to continue."
+  }
+}
+  {% endhighlight %}
+  <p>
+    This call is authenticated. On success the service returns
+    <code>204 No Content</code> with a <code>Location</code> header — your
+    exchange URL:
+  </p>
+  {% highlight "http" %}
+HTTP/1.1 204 No Content
+Location: https://workflows.example/workflows/enrollment-check/exchanges/z19xQ...
+  {% endhighlight %}
+  <p>
+    Because the workflow asks for a single derived attribute, a well-built wallet
+    returns proof of "currently enrolled" — not the name, photo, or student
+    number. The workflow's <code>challenge</code> and <code>domain</code> stop a
+    captured presentation from being replayed.
+  </p>
+
+  <h2>2. Host and share the interaction URL</h2>
+  <p>
+    The exchange URL <em>is</em> the <code>vcapi</code> interaction endpoint.
+    Hosting and sharing it is the coordinator's responsibility — put it in a QR
+    code or a link, typically wrapped in a presentation request:
+  </p>
+  {% highlight "json" %}
+{
+  "VerifiablePresentation": {
+    "interact": {
+      "service": [{
+        "type": "VerifiableCredentialApiExchangeService",
+        "serviceEndpoint": "https://workflows.example/workflows/enrollment-check/exchanges/z19xQ..."
+      }]
+    }
+  }
+}
+  {% endhighlight %}
+  <p>
+    The student's wallet POSTs to that endpoint and runs the exchange with the
+    workflow service directly. You are not in that loop.
+  </p>
+
+  <h2>3. Poll for the verified result</h2>
+  <p>
+    GET the exchange URL (authenticated) until its <code>state</code> is
+    <code>complete</code>:
+  </p>
+  {% highlight "bash" %}
+GET https://workflows.example/workflows/enrollment-check/exchanges/z19xQ...
+  {% endhighlight %}
+  {% highlight "json" %}
+{
+  "exchange": {
+    "id": "z19xQ...",
+    "state": "complete",
+    "variables": {
+      "results": {
+        "enrollmentCheck": {
+          "did": "did:example:student123",
+          "verifiablePresentation": { "...": "verified: enrolled = true" }
+        }
+      }
+    }
+  }
+}
+  {% endhighlight %}
+  <p>
+    A <code>complete</code> state means the workflow service already verified the
+    presentation for you — proof, challenge, domain, trusted issuer, and
+    revocation/expiry status. The verified result lands under
+    <code>exchange.variables.results</code>, keyed by the workflow's step names.
+  </p>
+
+  <h2>That's it</h2>
+  <p>
+    A relying-party verifier, as a coordinator, is these three calls:
+    <strong>create an exchange, host and share the interaction URL, poll for the
+    verified result.</strong> The cryptographic verification and protocol interop
+    are the workflow service's job — you create exchanges and read what comes
+    back.
+  </p>
+
+  <p class="future">
+    On the wallet end, a standalone client-side VCALM library is still planned;
+    until it ships, wallets run the exchange over the raw HTTP flow. The
+    coordinator side shown here works today against any VCALM workflow service,
+    such as one running
+    <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>.
+  </p>
+
+  <h2>Go deeper</h2>
+  <ul>
+    <li><a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery — workflow service</a></li>
+    <li><a href="https://www.w3.org/TR/vcalm/#query-by-example">VCALM: QueryByExample</a></li>
+    <li><a href="https://www.w3.org/TR/vcalm/#verifiable-presentation-request">VCALM: Verifiable Presentation Request</a></li>
+    <li><a href="https://www.w3.org/TR/vcalm/">VCALM specification</a></li>
+  </ul>
+
+  <p class="cta"><a class="btn" href="/student-id/build/">← Back to roles</a></p>
+</article>
diff --git a/src/verticals/government/build/wallet.njk b/src/verticals/student-id/build/wallet.njk
similarity index 70%
rename from src/verticals/government/build/wallet.njk
rename to src/verticals/student-id/build/wallet.njk
index 03bb735..1100e92 100644
--- a/src/verticals/government/build/wallet.njk
+++ b/src/verticals/student-id/build/wallet.njk
@@ -1,12 +1,12 @@
 ---
-title: "VCALM tutorial: build a wallet — mobile driver's license"
-description: "Make your wallet speak VCALM in 3 steps: dereference, POST to start, loop. HTTP example for mobile driver's licenses and digital ID."
-permalink: /government/build/wallet/
+title: "VCALM tutorial: build a wallet — digital student ID"
+description: "Make your wallet speak VCALM in 3 steps: dereference, POST to start, loop. HTTP example for digital student IDs."
+permalink: /student-id/build/wallet/
 ---
-{# Layer 4 — exchange client. Same VCALM loop, mDL credential. #}
+{# Layer 4 — exchange client. Same VCALM loop, student-ID credential. #}
 <article class="prose">
   <h1>Build a wallet</h1>
-  <p>Make your wallet speak VCALM: pick up and present a mobile license over an exchange.</p>
+  <p>Make your wallet speak VCALM: pick up and present a student ID over an exchange.</p>
 
   <h2>You'll do exactly 3 things</h2>
   <ol>
@@ -19,15 +19,15 @@ permalink: /government/build/wallet/
   <h2>1. Discover protocols</h2>
   <p>A scanned QR code encodes an interaction URL with <code>iuv=1</code>. GET it:</p>
   {% highlight "http" %}
-GET /interactions/mdl-456?iuv=1
-Host: dmv.state.example
+GET /interactions/student-id-456?iuv=1
+Host: registrar.university.example
 Accept: application/json
   {% endhighlight %}
   <p>The response lists supported protocols; pick <code>vcapi</code> for VCALM:</p>
   {% highlight "json" %}
 {
   "protocols": {
-    "vcapi": "https://vcapi.dmv.state.example/exchanges/mdl-456"
+    "vcapi": "https://vcapi.registrar.university.example/exchanges/student-id-456"
   }
 }
   {% endhighlight %}
@@ -35,8 +35,8 @@ Accept: application/json
   <h2>2. Start the exchange</h2>
   <p>POST an empty body to the <code>vcapi</code> URL:</p>
   {% highlight "http" %}
-POST /exchanges/mdl-456
-Host: vcapi.dmv.state.example
+POST /exchanges/student-id-456
+Host: vcapi.registrar.university.example
 Content-Type: application/json
 
 {}
@@ -45,7 +45,7 @@ Content-Type: application/json
   <h2>3. Run the loop</h2>
   <p>
     When the server returns a <code>verifiablePresentationRequest</code>, find
-    the matching license, build a signed Verifiable Presentation — disclosing
+    the matching student ID, build a signed Verifiable Presentation — disclosing
     only the requested fields — and POST it back to the <strong>same exchange
     URL</strong>. When the server returns a <code>verifiablePresentation</code>,
     store the delivered credential. The exchange is done when the server stops
@@ -53,7 +53,7 @@ Content-Type: application/json
   </p>
 
   <h2>That's it</h2>
-  <p>A conformant mobile-license wallet is this loop. Nothing more.</p>
+  <p>A conformant student-ID wallet is this loop. Nothing more.</p>
 
   <details class="future">
     <summary>Prefer a library to raw HTTP?</summary>
@@ -69,5 +69,5 @@ Content-Type: application/json
     <li><a href="https://www.w3.org/TR/vcalm/">VCALM specification</a></li>
   </ul>
 
-  <p class="cta"><a class="btn" href="/government/build/">← Back to roles</a></p>
+  <p class="cta"><a class="btn" href="/student-id/build/">← Back to roles</a></p>
 </article>
diff --git a/src/verticals/student-id/index.njk b/src/verticals/student-id/index.njk
new file mode 100644
index 0000000..421b067
--- /dev/null
+++ b/src/verticals/student-id/index.njk
@@ -0,0 +1,196 @@
+---
+title: "Student IDs & campus credentials with VCALM"
+shortName: "Student IDs"
+cardTitle: "Student IDs & campus credentials"
+summary: "Issue student IDs students control — verifiable across campus and beyond, with any wallet."
+description: "Issue digital student IDs with W3C Verifiable Credentials over VCALM — student-controlled, any wallet, no allow-lists, privacy by design. Prove enrollment without revealing identity."
+order: 3
+permalink: /student-id/
+---
+{# Single-page student-ID vertical. Anchor: digital campus/student ID.
+   Distinct from the education (diploma) vertical — this is identity and
+   entitlement, not transcripts. Lean on wallet-choice / no-allow-list /
+   privacy — the student-liberty angle. #}
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "FAQPage",
+  "mainEntity": [
+    {"@type": "Question", "name": "How is a digital student ID issued and verified?",
+     "acceptedAnswer": {"@type": "Answer", "text": "The school signs the student ID as a W3C Verifiable Credential and delivers it to the student's wallet of choice over VCALM (the VC API). A campus service or partner verifies it cryptographically in person or online — no callbacks to the registrar — and the student approves each share with one tap."}},
+    {"@type": "Question", "name": "Can a student ID prove enrollment without revealing identity?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Yes. With selective disclosure, a student can prove a single fact — such as 'currently enrolled' or 'valid student' — without revealing name, photo, or student number. Only the field requested is shared."}},
+    {"@type": "Question", "name": "Does a digital student ID lock students to a school app?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Not with VCALM. The student ID works with any conformant wallet, so students keep their choice of app. The OpenID/mdoc approach often pairs with wallet attestation and allow-lists, which let the school decide which apps are accepted."}},
+    {"@type": "Question", "name": "Is a VCALM student ID private?",
+     "acceptedAnswer": {"@type": "Answer", "text": "Yes. Data minimization is built into every request, nothing is shared without explicit one-tap consent, and the school cannot observe where the credential is used."}},
+    {"@type": "Question", "name": "Why VCALM vs. OID4?",
+     "acceptedAnswer": {"@type": "Answer", "text": "The OID4VCI / OID4VP, mdoc-centric approach often pairs with wallet attestation and allow-lists, which means the school has to certify, build, and maintain an integration for every wallet it supports. With VCALM you issue once to an open standard and any conformant wallet works, so there is no per-wallet integration to own."}}
+  ]
+}
+</script>
+<section class="hero">
+  <h1>{{ title }}</h1>
+  <p class="promise">
+    Issue student IDs that students truly control — verifiable across campus and
+    with partners, in person or online, with the wallet of their choice, and
+    without locking students to a school-approved app.
+  </p>
+  <p class="direct-answer">
+    To issue a digital student ID, a school signs it as a
+    <strong>W3C Verifiable Credential</strong> and delivers it to the student's
+    wallet of choice over <strong>VCALM</strong> (the VC API). A campus service
+    or partner verifies it cryptographically — in person or online — and with
+    selective disclosure the student can prove one fact, like "currently
+    enrolled," without revealing their name, photo, or student number.
+  </p>
+</section>
+
+<section class="flow">
+  {% set flowSteps = [
+    {icon: flowIcons.studentIdIssue,    label: "School issues a student ID",      caption: "Student picks their own wallet -- no school-mandated app"},
+    {icon: flowIcons.studentIdHold,     label: "Student holds and controls it",   caption: "Nothing shared without one-tap, explicit consent"},
+    {icon: flowIcons.studentIdDisclose, label: "Proves one fact",                 caption: "Currently enrolled -- no name, photo, or student number revealed"}
+  ] %}
+  {% set flowFooter = "Any conformant wallet -- no school-mandated app -- selective disclosure by design" %}
+  {% include "partials/flow-diagram.njk" %}
+</section>
+
+<article class="prose experience">
+  <h2>What it feels like to use</h2>
+  <p class="lede">
+    The technology is invisible by design. Here's what each person actually
+    does — and what they no longer have to.
+  </p>
+
+  <ol class="journey">
+    <li>
+      <h3>The school issues a student ID</h3>
+      <p>
+        A student requests their digital ID from the registrar portal or campus
+        app. They authenticate once, pick the wallet they already use, and the
+        ID lands in it — alongside their physical card.
+      </p>
+      <p class="aside">No school-mandated app. Their wallet, their choice.</p>
+    </li>
+    <li>
+      <h3>The student holds and controls it</h3>
+      <p>
+        The student ID lives on their phone, under their control. Nothing is
+        shared automatically — every presentation needs an explicit, one-time
+        approval the student sees and consents to.
+      </p>
+      <p class="aside">The school can't watch where it's used.</p>
+    </li>
+    <li>
+      <h3>They prove just one thing, when needed</h3>
+      <p>
+        At the library or a lab door, the student taps to prove <em>"currently
+        enrolled"</em> — and reveals nothing else. No name, no photo, no student
+        number. At a partner venue offering a student discount, they share
+        exactly the field asked for, and no more.
+      </p>
+      <p class="aside">Selective disclosure: minimum data, every time.</p>
+    </li>
+  </ol>
+
+  <div class="benefits-cols">
+    <div class="benefits-col">
+      <h3><span class="benefits-icon">{{ flowIcons.person | safe }}</span>What the student experiences</h3>
+      <ul class="benefits">
+        <li><strong>Their choice of wallet.</strong> Not a single school-approved app.</li>
+        <li><strong>Prove a fact, not your identity.</strong> "Currently enrolled" without your student number.</li>
+        <li><strong>One-tap consent.</strong> Nothing leaves the phone without approval.</li>
+        <li><strong>No tracking.</strong> The school doesn't see each place it's used.</li>
+      </ul>
+    </div>
+    <div class="benefits-col">
+      <h3><span class="benefits-icon">{{ flowIcons.institution | safe }}</span>What the school experiences</h3>
+      <ul class="benefits">
+        <li><strong>Privacy by design.</strong> Data minimization is built into every request.</li>
+        <li><strong>Instant, tamper-evident checks.</strong> No call-backs to the registrar.</li>
+        <li><strong>No vendor or wallet lock-in.</strong> Works with every conformant wallet.</li>
+        <li><strong>Standards-based.</strong> Built on open W3C Verifiable Credentials.</li>
+      </ul>
+    </div>
+  </div>
+</article>
+
+<article class="prose">
+  <h2>How it works</h2>
+  <p>One diagram, three actors, one loop.</p>
+
+  <pre class="diagram">
+     SCHOOL                STUDENT              CAMPUS / PARTNER
+    (issuer)           (wallet of choice)          (verifier)
+     |                      |                          |
+     | -- delivers -->      |                          |
+     |  student ID VC       |                          |
+     |                      | &lt;-- asks for --           |
+     |                      |   proof of enrollment     |
+     |                      | -- presents -->           |
+     |                      |   only what's needed      |
+     |                      |                     verifies (ok)
+  </pre>
+
+  <ul>
+    <li>A student ID is signed JSON the student holds and controls.</li>
+    <li>
+      <strong>Delivery</strong> (school → student) and
+      <strong>presentation</strong> (student → verifier) are the same simple
+      exchange loop: POST, read what the server wants, POST back.
+    </li>
+    <li>
+      With selective disclosure, the student can prove a single fact —
+      "currently enrolled," "valid student" — without revealing name, photo, or
+      student number.
+    </li>
+  </ul>
+</article>
+
+<section class="fit">
+  <h2>A good fit if…</h2>
+  <ul>
+    <li>You issue identity or entitlement credentials to students.</li>
+    <li>You want students to choose their own wallet, not an approved list.</li>
+    <li>You need selective disclosure — prove a fact without revealing everything.</li>
+  </ul>
+  <p class="cta">
+    <a class="btn primary" href="/student-id/build/">Start building</a>
+  </p>
+</section>
+
+<article class="prose">
+  <h2>Common questions</h2>
+  <div class="faq">
+    <h3>Can a student ID prove enrollment without revealing identity?</h3>
+    <p>
+      Yes. With selective disclosure, a student proves a single fact —
+      "currently enrolled," "valid student" — without revealing name, photo, or
+      student number.
+    </p>
+
+    <h3>Does a digital student ID lock students to a school app?</h3>
+    <p>
+      Not with VCALM — the student ID works with any conformant wallet. The
+      OpenID/mdoc approach often pairs with attestation and allow-lists that let
+      the school decide which apps are accepted.
+    </p>
+
+    <h3>Is a VCALM student ID private?</h3>
+    <p>
+      Yes. Data minimization is built into every request, nothing is shared
+      without one-tap consent, and the school can't see where it's used.
+    </p>
+
+    <h3>Why VCALM vs. OID4?</h3>
+    <p>
+      The OID4VCI / OID4VP, mdoc-centric approach often pairs with wallet
+      "attestation" and allow-lists — which means the school has to certify, and
+      build and maintain an integration for, every wallet it wants to support.
+      With VCALM, you issue once to an open standard and any conformant wallet
+      works, so there's no per-wallet integration to own. <a href="/why-vcalm/">See
+      the full comparison.</a>
+    </p>
+  </div>
+</article>
diff --git a/src/verticals/government/government.json b/src/verticals/student-id/student-id.json
similarity index 61%
rename from src/verticals/government/government.json
rename to src/verticals/student-id/student-id.json
index f141cce..d8c3cab 100644
--- a/src/verticals/government/government.json
+++ b/src/verticals/student-id/student-id.json
@@ -1,4 +1,4 @@
 {
   "layout": "layouts/base.njk",
-  "tags": "government"
+  "tags": "student-id"
 }
diff --git a/src/verticals/supply-chain/build/issuer.njk b/src/verticals/supply-chain/build/issuer.njk
index 787c3e2..92c64b8 100644
--- a/src/verticals/supply-chain/build/issuer.njk
+++ b/src/verticals/supply-chain/build/issuer.njk
@@ -1,130 +1,159 @@
 ---
 title: "Build an issuer (brand) — product provenance"
-description: "Issue authenticity credentials over VCALM in 3 steps: start an exchange, deliver a signed VC, confirm. Server-side HTTP quick start."
+description: "Issue authenticity credentials as a VCALM coordinator: create an exchange, share an interaction URL, poll for the result. A workflow service does the protocol work."
 permalink: /supply-chain/build/issuer/
 ---
-{# Layer 4 — issuer coordinator. The recommended path is the
-   @bedrock/vc-delivery server; the raw HTTP loop below shows what it runs. #}
+{# Layer 4 — issuer coordinator. A coordinator is a CLIENT of a workflow
+   service; it does not run @bedrock/vc-delivery itself. It only creates
+   exchanges, hosts/shares interaction URLs, and polls for results. #}
 <article class="prose">
   <h1>Build an issuer</h1>
   <p>
-    You run the brand side: start an exchange and deliver a signed authenticity
-    credential into the product's wallet — over the same VCALM exchange loop
-    the wallet speaks.
+    You run the brand side. As a <strong>coordinator</strong> you speak VCALM —
+    just the coordinator side of it. You don't run <em>VCALM delivery</em>, the
+    on-the-wire exchange with the product's wallet; a <em>workflow service</em>
+    does that. Your whole job is three calls: create an
+    exchange, share an interaction URL that points the product's wallet at it,
+    then poll the exchange until the credential has been issued.
   </p>
 
   <aside class="recommended">
     <p class="kicker">Recommended</p>
-    <h2>Run the coordinator with @bedrock/vc-delivery</h2>
+    <h2>Drive a workflow service — don't build the protocol</h2>
     <p>
-      You don't have to build the exchange loop by hand. Digital Bazaar's
+      The protocol mess — VCALM delivery, OID4VCI, OID4VP, and interoperating with
+      whatever wallet a product or owner brings — is handled by a <em>workflow
+      service</em>. Digital Bazaar's
       <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>
-      runs it for you today and is the supported path for issuers.
+      is one. <strong>The workflow service runs that library; you don't.</strong>
     </p>
-    <p><code class="install">npm install @bedrock/vc-delivery</code></p>
     <p>
-      You define a <em>workflow</em> (a reusable issuance config) and the module
-      handles each <em>exchange</em>. It serves VCALM (<code>vcapi</code>) and
-      also speaks OID4VCI and OID4VP, so one workflow delivers credentials over
-      whichever protocol a wallet selects.
+      A goal of VCALM is to let you use a workflow service off the shelf. An
+      administrator loads the <em>workflows</em> you need (a reusable issuance
+      config — what to issue, what to ask for). From then on, whenever a product
+      action requires a credential exchange, you create an exchange against that
+      workflow and read back the result.
     </p>
   </aside>
 
-  <h2>Under the hood: the raw VCALM exchange</h2>
-  <p>
-    Want to build your own coordinator, or just see exactly what the server does
-    on the wire? It's a short HTTP loop — three things:
-  </p>
+  <h2>What the coordinator does</h2>
   <ol>
-    <li>Expose an interaction URL (on a tag, QR, or link) that advertises
-        <code>vcapi</code>.</li>
-    <li>When the wallet POSTs to your exchange URL, respond with the
-        authenticity credential in a <code>verifiablePresentation</code>.</li>
-    <li>Optionally bind the credential to the current owner first, then deliver;
-        finish the exchange.</li>
+    <li><strong>Create an exchange</strong> by POSTing the workflow's variables
+        to its <code>exchanges</code> endpoint.</li>
+    <li><strong>Host and share an interaction URL</strong> that points the
+        product's wallet at that exchange.</li>
+    <li><strong>Poll the exchange</strong> until it completes, then read the
+        result.</li>
   </ol>
+  <p>
+    The workflow service does everything in between — protocol negotiation,
+    optional owner binding, signing, talking to whatever wallet shows up — and
+    hands you back just the result.
+  </p>
 
-  <h2>1. Advertise the exchange</h2>
+  <h2>1. Create the exchange</h2>
   <p>
-    The wallet dereferences your interaction URL (<code>iuv=1</code>) and you
-    return the protocols you support. Offer <code>vcapi</code> for VCALM:
+    POST to your workflow's <code>exchanges</code> endpoint. The body carries a
+    <code>ttl</code> and the <code>variables</code> the workflow expects — here,
+    which product the credential is for:
   </p>
+  {% highlight "bash" %}
+POST https://workflows.example/workflows/provenance-issuance/exchanges
+  {% endhighlight %}
   {% highlight "json" %}
 {
-  "protocols": {
-    "vcapi": "https://issuer.brand.example/exchanges/bag-456"
+  "ttl": 900,
+  "variables": {
+    "subject": "did:example:bag-456",
+    "sku": "HB-2026-0042"
   }
 }
   {% endhighlight %}
+  <p>
+    This call is authenticated (your service uses a capability or OAuth2 token).
+    On success the service returns <code>204 No Content</code> with a
+    <code>Location</code> header — that's your exchange URL:
+  </p>
+  {% highlight "http" %}
+HTTP/1.1 204 No Content
+Location: https://workflows.example/workflows/provenance-issuance/exchanges/z19xQ...
+  {% endhighlight %}
 
-  <h2>2. Deliver the credential</h2>
+  <h2>2. Host and share the interaction URL</h2>
   <p>
-    The wallet POSTs an empty body to start. You respond with the signed
-    authenticity credential wrapped in a <code>verifiablePresentation</code>:
+    The exchange URL <em>is</em> the <code>vcapi</code> interaction endpoint.
+    Hosting and sharing it is the coordinator's responsibility — put it on a tag,
+    QR code, or link, typically wrapped in a presentation request the wallet
+    understands:
   </p>
   {% highlight "json" %}
 {
-  "verifiablePresentation": {
-    "@context": ["https://www.w3.org/ns/credentials/v2"],
-    "type": ["VerifiablePresentation"],
-    "verifiableCredential": [{
-      "@context": [
-        "https://www.w3.org/ns/credentials/v2",
-        "https://w3id.org/traceability/v1"
-      ],
-      "type": ["VerifiableCredential", "ProductPassportCredential"],
-      "issuer": "did:web:brand.example",
-      "credentialSubject": {
-        "id": "did:example:bag-456",
-        "product": {"sku": "HB-2026-0042", "model": "Atelier Tote"},
-        "origin": {"country": "FR", "facility": "Paris Atelier"},
-        "manufacturedOn": "2026-03-14"
-      },
-      "proof": { "...": "brand signature" }
-    }]
+  "VerifiablePresentation": {
+    "interact": {
+      "service": [{
+        "type": "VerifiableCredentialApiExchangeService",
+        "serviceEndpoint": "https://workflows.example/workflows/provenance-issuance/exchanges/z19xQ..."
+      }]
+    }
   }
 }
   {% endhighlight %}
   <p>
-    The exchange is complete when you return no
-    <code>verifiablePresentationRequest</code>.
+    The product's wallet POSTs to that endpoint and runs the exchange with the
+    workflow service directly. Owner binding and credential delivery happen
+    there — you are not in that loop.
   </p>
 
-  <h2>3. (Optional) Bind to the current owner first</h2>
+  <h2>3. Poll for the result</h2>
   <p>
-    To tie the credential to whoever holds the product, respond to the wallet's
-    first POST with a <code>verifiablePresentationRequest</code> for DID
-    Authentication, then deliver on the next turn:
+    While the wallet works, GET the exchange URL (authenticated) until its
+    <code>state</code> is <code>complete</code>:
   </p>
+  {% highlight "bash" %}
+GET https://workflows.example/workflows/provenance-issuance/exchanges/z19xQ...
+  {% endhighlight %}
   {% highlight "json" %}
 {
-  "verifiablePresentationRequest": {
-    "query": [{
-      "type": "DIDAuthentication",
-      "acceptedMethods": [{"method": "example"}]
-    }],
-    "challenge": "99612b24-63d9-11ea-b99f-4f66f3e4f81a",
-    "domain": "issuer.brand.example"
+  "exchange": {
+    "id": "z19xQ...",
+    "state": "complete",
+    "variables": {
+      "results": {
+        "ownerBinding": {
+          "did": "did:example:bag-456",
+          "verifiablePresentation": { "...": "the wallet's authenticated VP" }
+        }
+      }
+    }
   }
 }
   {% endhighlight %}
+  <p>
+    Verified per-step results land under
+    <code>exchange.variables.results</code>, keyed by the workflow's step names.
+    A <code>complete</code> state means the authenticity credential was issued
+    into the product's wallet.
+  </p>
 
   <h2>That's it</h2>
   <p>
-    A conformant provenance issuer is this exchange: advertise, deliver, confirm.
-    Signing the credential is your issuer instance's job — the coordinator just
-    runs the exchange.
+    A provenance issuer, as a coordinator, is these three calls: <strong>create
+    an exchange, host and share the interaction URL, poll for the result.</strong>
+    Signing the credential and speaking every wallet's protocol is the workflow
+    service's job — you just create exchanges and read what comes back.
   </p>
 
   <p class="future">
     On the wallet end, a standalone client-side VCALM library is still planned;
-    until it ships, the raw HTTP flow is the supported path there. For the
-    issuer/coordinator side shown here, use
+    until it ships, wallets run the exchange over the raw HTTP flow. The
+    coordinator side shown here works today against any VCALM workflow service,
+    such as one running
     <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>.
   </p>
 
   <h2>Go deeper</h2>
   <ul>
+    <li><a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery — workflow service</a></li>
     <li><a href="https://www.w3.org/TR/vcalm/#did-authentication">VCALM: DID Authentication</a></li>
     <li><a href="https://www.w3.org/TR/vc-data-model-2.0/">W3C Verifiable Credentials Data Model 2.0</a></li>
     <li><a href="https://www.w3.org/TR/vcalm/">VCALM specification</a></li>
diff --git a/src/verticals/supply-chain/build/verifier.njk b/src/verticals/supply-chain/build/verifier.njk
index 7df405d..5f96fb3 100644
--- a/src/verticals/supply-chain/build/verifier.njk
+++ b/src/verticals/supply-chain/build/verifier.njk
@@ -1,135 +1,162 @@
 ---
 title: "Build a verifier (buyer/retailer) — product provenance"
-description: "Verify product authenticity over VCALM in 3 steps: request a presentation, receive it, verify the proof. Server-side HTTP quick start."
+description: "Verify product authenticity as a VCALM coordinator: create an exchange, share an interaction URL, poll for the verified result. A workflow service does the protocol work."
 permalink: /supply-chain/build/verifier/
 ---
-{# Layer 4 — verifier coordinator. The recommended path is the
-   @bedrock/vc-delivery server; the raw HTTP loop below shows what it runs. #}
+{# Layer 4 — verifier coordinator. A coordinator is a CLIENT of a workflow
+   service; it does not run @bedrock/vc-delivery itself. It creates exchanges,
+   hosts/shares interaction URLs, and polls for verified results. #}
 <article class="prose">
   <h1>Build a verifier</h1>
   <p>
-    You run the buyer or retailer side: ask the product's wallet to present its
-    authenticity credential, then verify the proof — over the same VCALM
-    exchange loop the wallet speaks.
+    You run the buyer or retailer side. As a <strong>coordinator</strong> you
+    speak VCALM — just the coordinator side of it. You don't run <em>VCALM
+    delivery</em>, the on-the-wire exchange with the product's wallet; a
+    <em>workflow service</em> does that and verifies the credential
+    for you. Your job is three calls: create
+    an exchange, share an interaction URL that points the product's wallet at it,
+    then poll until the verified result comes back.
   </p>
 
   <aside class="recommended">
     <p class="kicker">Recommended</p>
-    <h2>Run the coordinator with @bedrock/vc-delivery</h2>
+    <h2>Drive a workflow service — don't build the protocol</h2>
     <p>
-      You don't have to build the exchange loop by hand. Digital Bazaar's
+      The protocol mess — VCALM delivery, OID4VP, replay protection, and interoperating
+      with whatever wallet a product or owner brings — is handled by a
+      <em>workflow service</em>. Digital Bazaar's
       <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>
-      runs it for you today and is the supported path for verifiers.
+      is one. <strong>The workflow service runs that library; you don't.</strong>
     </p>
-    <p><code class="install">npm install @bedrock/vc-delivery</code></p>
     <p>
-      You define a <em>workflow</em> (a reusable verification config) and the
-      module handles each <em>exchange</em>. It serves VCALM (<code>vcapi</code>)
-      and also speaks OID4VCI and OID4VP, so one workflow requests and verifies
-      presentations over whichever protocol a wallet selects.
+      A goal of VCALM is to let you use a workflow service off the shelf. An
+      administrator loads a <em>workflow</em> (a reusable verification config —
+      what to request, which brands to trust, what counts as valid). From then
+      on, whenever a sale or check needs it, you create an exchange and read back
+      a verified result.
     </p>
   </aside>
 
-  <h2>Under the hood: the raw VCALM exchange</h2>
-  <p>
-    Want to build your own coordinator, or just see exactly what the server does
-    on the wire? It's a short HTTP loop — three things:
-  </p>
+  <h2>What the coordinator does</h2>
   <ol>
-    <li>Expose an interaction URL that advertises <code>vcapi</code>.</li>
-    <li>When the wallet POSTs to start, respond with a
-        <code>verifiablePresentationRequest</code> describing the credential you
-        need.</li>
-    <li>Receive the <code>verifiablePresentation</code> and verify its proof,
-        challenge, and domain.</li>
+    <li><strong>Create an exchange</strong> against a workflow that requests the
+        authenticity credential and names the brands you trust.</li>
+    <li><strong>Host and share an interaction URL</strong> that points the
+        product's wallet at that exchange.</li>
+    <li><strong>Poll the exchange</strong> until it completes, then read the
+        verified result.</li>
   </ol>
+  <p>
+    The workflow service does the rest — it sends the presentation request,
+    receives the wallet's response, and verifies the proof, challenge, domain,
+    trusted issuer, and status before it ever returns a result to you.
+  </p>
 
-  <h2>1. Request the credential</h2>
+  <h2>1. Create the exchange</h2>
   <p>
-    When the wallet POSTs an empty body to your exchange URL, respond with a
-    <code>QueryByExample</code> asking for the credential type you need:
+    POST to your workflow's <code>exchanges</code> endpoint. The workflow already
+    encodes <em>request a product passport</em> and <em>trust the real
+    brand</em>; you pass just the per-exchange variables:
   </p>
+  {% highlight "bash" %}
+POST https://workflows.example/workflows/authenticity-check/exchanges
+  {% endhighlight %}
   {% highlight "json" %}
 {
-  "verifiablePresentationRequest": {
-    "query": [{
-      "type": "QueryByExample",
-      "credentialQuery": [{
-        "reason": "Please present this product's authenticity credential.",
-        "example": {
-          "@context": [
-            "https://www.w3.org/ns/credentials/v2",
-            "https://w3id.org/traceability/v1"
-          ],
-          "type": "ProductPassportCredential"
-        },
-        "trustedIssuer": [{
-          "required": true,
-          "issuer": "did:web:brand.example"
-        }]
-      }]
-    }],
-    "challenge": "3182bdea-63d9-11ea-b6de-3b7c1404d57f",
-    "domain": "retailer.example"
+  "ttl": 900,
+  "variables": {
+    "reason": "Please present this product's authenticity credential."
   }
 }
   {% endhighlight %}
   <p>
-    The <code>challenge</code> and <code>domain</code> are what you'll verify in
-    the returned proof — they stop a captured presentation from being replayed.
-    Use <code>trustedIssuer</code> to require the credential come from the real
-    brand.
+    This call is authenticated. On success the service returns
+    <code>204 No Content</code> with a <code>Location</code> header — your
+    exchange URL:
+  </p>
+  {% highlight "http" %}
+HTTP/1.1 204 No Content
+Location: https://workflows.example/workflows/authenticity-check/exchanges/z19xQ...
+  {% endhighlight %}
+  <p>
+    The workflow's <code>challenge</code> and <code>domain</code> stop a captured
+    presentation from being replayed; its <code>trustedIssuer</code> setting
+    requires the credential come from the real brand.
   </p>
 
-  <h2>2. Receive the presentation</h2>
+  <h2>2. Host and share the interaction URL</h2>
   <p>
-    The wallet POSTs the signed presentation back to the same exchange URL:
+    The exchange URL <em>is</em> the <code>vcapi</code> interaction endpoint.
+    Hosting and sharing it is the coordinator's responsibility — put it on a tag,
+    QR code, or link, typically wrapped in a presentation request:
   </p>
   {% highlight "json" %}
 {
-  "verifiablePresentation": {
-    "@context": ["https://www.w3.org/ns/credentials/v2"],
-    "type": ["VerifiablePresentation"],
-    "holder": "did:example:bag-456",
-    "verifiableCredential": [{ "...": "the authenticity VC" }],
-    "proof": {
-      "challenge": "3182bdea-63d9-11ea-b6de-3b7c1404d57f",
-      "domain": "retailer.example",
-      "...": "holder signature"
+  "VerifiablePresentation": {
+    "interact": {
+      "service": [{
+        "type": "VerifiableCredentialApiExchangeService",
+        "serviceEndpoint": "https://workflows.example/workflows/authenticity-check/exchanges/z19xQ..."
+      }]
     }
   }
 }
   {% endhighlight %}
+  <p>
+    The product's wallet POSTs to that endpoint and runs the exchange with the
+    workflow service directly. You are not in that loop.
+  </p>
 
-  <h2>3. Verify the proof</h2>
-  <p>Before you trust the product is genuine, check all of the following:</p>
-  <ul>
-    <li>The presentation <strong>proof</strong> is valid and the
-        <code>challenge</code> / <code>domain</code> match what you sent.</li>
-    <li>The credential's <strong>proof</strong> is valid and the issuer is the
-        brand you trust.</li>
-    <li>The credential is not <strong>revoked</strong> (e.g. reported stolen or
-        recalled) — check its status.</li>
-    <li>The credential is <strong>unexpired</strong> and the type matches your
-        request.</li>
-  </ul>
+  <h2>3. Poll for the verified result</h2>
+  <p>
+    GET the exchange URL (authenticated) until its <code>state</code> is
+    <code>complete</code>:
+  </p>
+  {% highlight "bash" %}
+GET https://workflows.example/workflows/authenticity-check/exchanges/z19xQ...
+  {% endhighlight %}
+  {% highlight "json" %}
+{
+  "exchange": {
+    "id": "z19xQ...",
+    "state": "complete",
+    "variables": {
+      "results": {
+        "authenticityCheck": {
+          "did": "did:example:bag-456",
+          "verifiablePresentation": { "...": "verified: the authenticity VC" }
+        }
+      }
+    }
+  }
+}
+  {% endhighlight %}
+  <p>
+    A <code>complete</code> state means the workflow service already verified the
+    presentation for you — proof, challenge, domain, trusted issuer, and
+    revocation/expiry status. The verified result lands under
+    <code>exchange.variables.results</code>, keyed by the workflow's step names.
+  </p>
 
   <h2>That's it</h2>
   <p>
-    A conformant provenance verifier is this exchange: request, receive, verify.
-    The cryptographic verification is your verifier instance's job — the
-    coordinator just runs the exchange.
+    A provenance verifier, as a coordinator, is these three calls: <strong>create
+    an exchange, host and share the interaction URL, poll for the verified
+    result.</strong> The cryptographic verification and protocol interop are the
+    workflow service's job — you create exchanges and read what comes back.
   </p>
 
   <p class="future">
     On the wallet end, a standalone client-side VCALM library is still planned;
-    until it ships, the raw HTTP flow is the supported path there. For the
-    verifier/coordinator side shown here, use
+    until it ships, wallets run the exchange over the raw HTTP flow. The
+    coordinator side shown here works today against any VCALM workflow service,
+    such as one running
     <a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery</a>.
   </p>
 
   <h2>Go deeper</h2>
   <ul>
+    <li><a href="https://github.com/digitalbazaar/bedrock-vc-delivery">@bedrock/vc-delivery — workflow service</a></li>
     <li><a href="https://www.w3.org/TR/vcalm/#query-by-example">VCALM: QueryByExample</a></li>
     <li><a href="https://www.w3.org/TR/vcalm/#verifiable-presentation-request">VCALM: Verifiable Presentation Request</a></li>
     <li><a href="https://www.w3.org/TR/vcalm/">VCALM specification</a></li>