Publication
CCS 2011
Workshop paper

A comprehensive framework enabling data-minimizing authentication

Abstract

Classical authentication mechanisms have various drawbacks such as the weak security properties they achieve, users' privacy, service providers' data quality, and the necessary protection of the collected data. Credential-based authentication is a first step towards overcoming these drawbacks. When used with anonymous credentials, the personal data disclosed can be reduced to the minimum w.r.t. a business purpose while improving the assurance of the communicated data. However, this privacy-preserving combination of technologies is not used today. One reason for this lack of adoption is that a comprehensive framework for privacy-enhancing credential-based authentication is not available. In this paper we review the different components of such an authentication framework and show that one remaining missing piece is a translation between high-level authentication policies and the cryptographic token specification level. We close this gap by (1) proposing an adequate claim language specifying which certified data a user wants to reveal to satisfy a policy and by (2) providing translation algorithms for generating the anonymous credentials (cryptographic tokens) providing the data to be revealed. For the latter we consider the Identity Mixer and the U-Prove technologies, where we provide detailed translation instructions for the former. © 2011 ACM.
