diff --git a/client/credential/sign.go b/client/credential/sign.go
index f90f68bd..3f8efc44 100644
--- a/client/credential/sign.go
+++ b/client/credential/sign.go
@@ -36,6 +36,7 @@ const (
 flagOverwrite = "overwrite"
 flagDate = "date"
 flagSchemaMap = "schema-map"
+ flagPurpose = "purpose"
 )
 const (
@@ -65,6 +66,9 @@ It will read a verifiable credential from a file (or stdin), sign it, and print
 "Multiple mappings can be provided by repeating the flag. Example usage: "+
 "--%[1]s originalURI1=alternativeURI1 --%[1]s originalURI2=alternativeURI2", flagSchemaMap))
+ cmd.Flags().String(flagPurpose, "assertionMethod", "Proof that describes credential purpose, helps prevent it from being misused for some other purpose."+
+ "Example of commonly used proof purpose values: "+
+ "authentication, assertionMethod, keyAgreement, capabilityDelegation, capabilityInvocation.")
 _ = cmd.MarkFlagRequired(flags.FlagFrom)
@@ -120,7 +124,13 @@ func runSignCmd(cmd *cobra.Command, args []string) error {
 if err != nil {
 return err
 }
- err = signVerifiableCredential(documentLoader, vc, signer, date)
+
+ purpose, err := cmd.Flags().GetString(flagPurpose)
+ if err != nil {
+ return err
+ }
+
+ err = signVerifiableCredential(documentLoader, vc, signer, date, purpose)
 if err != nil {
 return errorsmod.Wrapf(sdkerr.ErrInvalidRequest, "failed to sign: %v", err)
 }
@@ -245,7 +255,7 @@ func loadVerifiableCredential(documentLoader ld.DocumentLoader, bs []byte) (*ver
 }
 func signVerifiableCredential(
- documentLoader ld.DocumentLoader, vc *verifiable.Credential, signer KeyringSigner, date time.Time,
+ documentLoader ld.DocumentLoader, vc *verifiable.Credential, signer KeyringSigner, date time.Time, purpose string,
 ) error {
 didKeyID, err := signer.DIDKeyID()
 if err != nil {
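Review bot: The help text added for `--purpose` in the `@@ -65,6 +66,9 @@` hunk runs two sentences together, because the first literal ends in `purpose."` with no trailing space before `"Example of …"`, so the rendered help reads `purpose.Example`. The opening words also call the flag a "Proof" when it is the proof purpose written into the signature. A clearer first literal would be `"Proof purpose recorded in the signature; verifiers use it to reject a proof presented for a different purpose. "+`.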
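Review bot: The value read from `--purpose` in `runSignCmd` (hunk `@@ -120,7 +124,13 @@`) is handed to `signVerifiableCredential` with no check, so an empty string or a misspelling such as `assertionmethod` is passed straight into the proof context that gets signed. Since the flag exists to bind the proof to one purpose, reject anything outside a known set before signing, for example `if !slices.Contains(allowedProofPurposes, purpose) { return errorsmod.Wrapf(sdkerr.ErrInvalidRequest, "unsupported proof purpose %q", purpose) }`, where `allowedProofPurposes` is a new package-level list of the values named in the help text. What the library does with an empty `Purpose` is not visible here and should be confirmed. The body of `runSignCmd` starts and ends outside the hunk.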
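Review bot: `signVerifiableCredential` gains a `purpose` parameter in the `@@ -245,7 +255,7 @@` hunk but still has no doc comment, so a caller cannot tell what the string means or which values are acceptable. A comment on the function would cover it, for example `// signVerifiableCredential adds a linked-data proof to vc using signer's key; purpose is written to the proof as its proof purpose.` The function body continues outside the hunk.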
@@ -265,6 +275,7 @@ func signVerifiableCredential(
 Suite: ed25519signature2020.New(suite.WithSigner(signer)),
 SignatureRepresentation: verifiable.SignatureProofValue,
 VerificationMethod: didKeyID,
+ Purpose: purpose,
 }, jsonld.WithDocumentLoader(documentLoader))
 case *secp256k1.PubKey:
 return vc.AddLinkedDataProof(&verifiable.LinkedDataProofContext{
@@ -273,6 +284,7 @@ func signVerifiableCredential(
 Suite: ecdsasecp256k1signature2019.New(suite.WithSigner(signer)),
 SignatureRepresentation: verifiable.SignatureJWS,
 VerificationMethod: didKeyID,
+ Purpose: purpose,
 }, jsonld.WithDocumentLoader(documentLoader))
 default:
 return fmt.Errorf("invalid pubkey type: %s; expected oneof %+q",
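Review bot: `Purpose: purpose` is set in both `AddLinkedDataProof` calls (the `@@ -265,6 +275,7 @@` hunk and the `@@ -273,6 +284,7 @@` hunk), but this diff touches only the signing side. A purpose in the proof limits misuse only if the verification path compares it with the purpose it expects; that code is not shown here, so it should be confirmed. A test that signs with a non-default purpose and then runs verification would pin the behaviour. `signVerifiableCredential` starts and ends outside these hunks.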