# Underlying Modules The zkMe Protocol is built on a modular architecture organized around three functional pillars: **Secure, Underwrite,** and **Gate.** Each pillar addresses a distinct stage of the identity and trust lifecycle, from protecting raw data to issuing verifiable credentials to authorizing agent execution. This page provides a high-level map of all underlying modules and their relationships. For a narrative overview of how these pillars work together, see the [Architecture Overview](/hub/how-works/architecture.md).

{% hint style="info" %} **Note:** This diagram reflects a legacy architecture. An updated version incorporating the latest setup is in progress. {% endhint %} *** ## Identity Infrastructure The Identity Infrastructure modules provide the foundational cryptographic and storage layer that protects user data throughout its entire lifecycle. These modules ensure that sensitive information never leaves the user's control and that all operations occur in privacy-preserving environments.

Module	Description
/pages/PJXVg6WY3BJmBfUHiv0R	Purpose-built Layer 1 EVM-compatible blockchain (CometBFT PoS + EVMOS) serving as the settlement and persistence foundation for all identity operations. Provides instant finality, sub-second block times, and a Decentralized Storage Provider network optimized for credential payloads.
/pages/o5SSNX9sDYwphgFAcwh6	The SSI model underpinning zkMe, including the evolved role definitions (Credential Issuer, ZKP Issuer, Holder, Verifier, Regulator), the zkMe SBT, and the zkMe App (MPC-based SSI wallet).
/pages/LML1W5eTUQFeh1LmmkzZ	The `did:zkme` specification, on-chain DID Registry smart contract, CRUD operations, and DID Document resolution.
/pages/m4fOGTqZi9hQL5OxAiMy	Encrypted secrets management combining TEE-based key hierarchy with threshold encryption (EC-ElGamal), decentralized credential storage on IPFS, and the data recovery procedure for regulatory compliance.
/pages/f35ffdG0aa8TTzBKrzoA	Fully Homomorphic Encryption using the CKKS scheme, enabling computation on encrypted facial feature vectors for privacy-preserving DID creation (Face-to-DID).
/pages/ZLerOKZiiLOaghojUycc	Privacy-preserving ePassport verification using NFC chip reading, Active Authentication, and zero-knowledge proof generation from ICAO 9303 data.
/pages/MPIrpl18CtFcUr3n3dl3	Zero-Knowledge Transport Layer Security for trustless extraction and attestation of Web2 data (bank accounts, credit scores, government records) without exposing raw session content.
/pages/ntNN2rwFAnwNtrVd2Z6w	On-chain contract suite including zkMe Mint, Delegate, Verify & Certify contracts, with deployment addresses across all supported chains.

*** ## Credential System The Credential System is the core issuance and verification infrastructure for all zkMe credentials. It transforms raw identity data into trustless, privacy-preserving, and reusable verifiable credentials anchored on-chain.

Module	Description
/pages/W65KJZ9MjLTqFBYJjz4k	System overview, design goals, the Issuer-Holder-Verifier trust triangle, system architecture (4-layer model), credential data model (W3C VC), Claim Tree and commitment model, full credential lifecycle (issuance, verification, revocation, expiration), and cryptographic assumptions.
/pages/d6tRIsT26ysfJWhHvUkI	Fine-grained privacy control allowing Holders to reveal only specific credential fields via the SD operator. Supports 14 query operators for range matching, set membership, and field extraction. Gas-optimized on-chain verification via circuitQueryHash compression.
/pages/lqy5IoZwUUh5MOPIYBGN	Batch verification of up to 10 queries across multiple credentials in a single proof (LinkedMultiQuery10). Cross-chain identity portability via Delegated Proofs bound to secondary addresses or AI agent DIDs.
/pages/T4yM5WNiPJULaV1LsRAU	Nullifier-based uniqueness enforcement for "one person, one action" guarantees. Unified authentication supporting both BabyJubJub keys and standard Ethereum wallet signatures. Unified SIG/MTP circuit.
/pages/oBuvDcDDLHpY44jpgyUf	The "Verify Once, Prove Anywhere" paradigm, cross-chain credential portability via Delegate smart contracts, and lifecycle management for reusable credentials.
/pages/nBMLaHWcG5quqLsTZ7jG	Credentials optimized for AI agent consumption, featuring cryptographic delegation, machine-readable schemas, and automated proof generation.

*** ## Agent Trust Gateway The Agent Trust Gateway is the authorization and policy enforcement layer for AI agents. It mediates all interactions between autonomous agents and external resources, ensuring that every agent action is backed by a verified human identity, constrained by user-defined policies, and executed inside a hardware-secured enclave.

Module	Description
/pages/0woRBBo2YnaWzOzO8P4z	Core positioning, architectural components (TEE Enclave, Policy Engine, Credential Verifier, Protocol Adapters), and the high-level trust flow.
/pages/J1wX5oMRHA6tgswBDLHk	The complete 8-step session lifecycle from initiation through TEE ingress, credential verification, policy evaluation, optional human-in-the-loop authorization, context provisioning, execution proxying, to audit logging.
/pages/ILcCUPggXSlTCoqHd5hU	Native protocol adapters including MCP, APF/x402, W3C VC/DID, ERC-8004, OIDC4VP, zkTLS, and PASETO.

*** ## Client-Side Tools The following tools provide user-facing interfaces for interacting with the zkMe Protocol. For integration guides and SDK documentation, see the Getting Started section.

Tool	Description
zkMe App	The MPC-based SSI wallet for mobile credential management, featuring OCR document scanning, facial recognition, ZKP generation, and SBT minting.
zkMe SDK	JavaScript SDK for embedding credential verification into web applications.
zkMe Dashboard	Management interface for Verifiers to configure verification profiles, define business eligibility rules, and access analytics.
zkMe API	RESTful API for programmatic access to KYC and KYT verification services.

*** ## **Available as Independent Services** The technology stack behind the zkMe Protocol is commercially available for external organizations to license, deploy, and operate independently. Customers can acquire any single module, any combination across pillars, or a complete pillar as a turnkey technology product.

Pillar	Commercially Available Technology
Identity Infrastructure	8 modules available for independent licensing. See Identity Infrastructure: Available as Independent Services for the full catalog and acquisition models.
Credential System	6 capabilities available for independent licensing. See Credential System: Available as Independent Services for the full catalog and acquisition models.
Agent Trust Gateway	7 capabilities available for independent licensing. See Agent Trust Gateway: Available as Independent Services for the full catalog and acquisition models.

{% hint style="success" %} All modules support flexible engagement models including technology licensing for self-hosted deployment, managed service with pay-as-you-go or committed-use pricing, and full white-label solutions. Contact the zkMe team at . {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.zk.me/hub/how-built/modules.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.