Credential System Stack

The Credential System is the core issuance, verification, and lifecycle management infrastructure for all zkMe credentials. It sits at the center of the Underwrite pillar, transforming raw identity data into trustless, privacy-preserving, and reusable verifiable credentials that can be consumed by both human users and autonomous AI agents.

Every credential in the zkMe ecosystem, whether it represents a KYC verification, a credit score attestation, a passport check, or an agent authorization, is built on the same underlying Credential System. This ensures consistency, interoperability, and composability across all zkMe products.

What the Credential System Does

The Credential System solves three fundamental problems:

1. How to represent identity data in a standardized, tamper-evident format. The system uses the W3C Verifiable Credentials data model, extended with zkMe-specific claim schemas and cryptographic commitments anchored on-chain via Merkle Trees.

2. How to verify identity claims without exposing the underlying data. Through Zero-Knowledge Proofs generated on the Holder’s device, the system enables Verifiers to confirm eligibility (e.g., “user is over 18”, “user is not sanctioned”) without ever seeing the actual credential values.

3. How to manage the full credential lifecycle. From issuance through verification, reuse, revocation, and expiration, the system provides a complete set of on-chain and off-chain mechanisms to ensure credentials remain valid, current, and trustworthy.

Sub-Modules

The Credential System is organized into four sub-modules, each addressing a distinct aspect of the credential infrastructure:

Core Concepts

The foundational reference for the entire Credential System. This page covers the system architecture (4-layer model), the credential data model (W3C VC format, JSON-LD schemas), the Claim Tree and Merkle commitment model, the complete credential lifecycle (issuance, verification, revocation, expiration), the Issuer-Holder-Verifier trust triangle, and the cryptographic assumptions underpinning the system.

Read Core Concepts first if you are new to the zkMe Credential System.

Selective Disclosure

Fine-grained privacy control allowing Holders to reveal only specific credential fields during verification. This page covers the Selective Disclosure operator (SD, operator=16), the full set of 14 Enhanced Query Operators for range matching, set membership, and field extraction, and gas-optimized on-chain verification via circuitQueryHash compression.

Read Selective Disclosure if you need to understand how zkMe achieves privacy beyond simple boolean proofs.

Multi-Credential Proofs & Delegation

Batch verification and cross-chain identity portability. This page covers Multi-Credential Proofs via the LinkedMultiQuery10 circuit (aggregating up to 10 queries in a single proof), the complementary security design between batch query and core verification circuits, and Delegated Proofs that bind a verified identity to secondary addresses or AI agent DIDs without re-verification.

Read Multi-Credential Proofs & Delegation if you need to verify complex user profiles spanning multiple credentials, or enable cross-chain identity portability.

Anti-Sybil Mechanisms

Uniqueness enforcement and unified authentication. This page covers nullifier-based "one person, one action" guarantees, unified authentication supporting both BabyJubJub keys and standard Ethereum wallet signatures, and the unified SIG/MTP circuit that simplifies developer integration.

Read Anti-Sybil Mechanisms if you need to prevent duplicate claims, enforce voting uniqueness, or understand the authentication options available to your users.

Reusable Credentials

The “Verify Once, Prove Anywhere” paradigm. This page explains how a credential issued for one service can be reused across the entire Web3 ecosystem without re-verification, how cross-chain portability works via the Delegate smart contracts, and how credential lifecycle management (expiration, revocation) ensures that reusability does not compromise security.

Read Reusable Credentials if you are a Verifier looking to reduce onboarding friction by accepting existing zkMe credentials.

Agent-Ready Credentials

Credentials optimized for consumption by autonomous AI agents. This page covers the cryptographic delegation protocol (how a Holder authorizes an agent without sharing raw credentials), machine-readable schemas designed for LLM parsing, and automated proof generation via the Agent Trust Gateway.

Read Agent-Ready Credentials if you are building AI agents that need to prove user eligibility or perform authorized actions on behalf of human users.

How the Credential System Relates to Other Modules

The Credential System consumes the guarantees provided by the Identity Infrastructure layer and feeds into the Agent Trust Gateway:

• Identity Infrastructure → Credential System: The SSI model defines the trust roles. The DID Method provides identifiers. The zkVault stores encrypted credentials. FHE and zkPassport provide privacy-preserving data acquisition. Smart Contracts anchor credential state on-chain.

• Credential System → Agent Trust Gateway: Agent-Ready Credentials are the input to the Gateway’s policy evaluation engine. The Gateway verifies these credentials, evaluates user-defined policies, and issues scoped authorization tokens for agent execution.

• Credential System → Product Catalog: The specific credential types offered by zkMe (zkKYC, zkOBS, zkKYB, zkKYA, KYT) are all built on the Credential System’s infrastructure. See the Credential Catalog for the full list.

Available as Independent Services

The Credential System technology stack is available for licensing and deployment by external organizations. Customers can acquire any capability independently or license the full stack to build and operate their own credential issuance and verification infrastructure using zkMe's ZKP circuits, Merkle commitment model, and on-chain verification contracts.