Underlying Modules
The zkMe Protocol is built on a modular architecture organized around three functional pillars: Secure, Underwrite, and Gate. Each pillar addresses a distinct stage of the identity and trust lifecycle, from protecting raw data to issuing verifiable credentials to authorizing agent execution.
This page provides a high-level map of all underlying modules and their relationships. For a narrative overview of how these pillars work together, see the Architecture Overview.
Note: This diagram reflects a legacy architecture. An updated version incorporating the latest setup is in progress.
Identity Infrastructure
The Identity Infrastructure modules provide the foundational cryptographic and storage layer that protects user data throughout its entire lifecycle. These modules ensure that sensitive information never leaves the user's control and that all operations occur in privacy-preserving environments.
Purpose-built Layer 1 EVM-compatible blockchain (CometBFT PoS + EVMOS) serving as the settlement and persistence foundation for all identity operations. Provides instant finality, sub-second block times, and a Decentralized Storage Provider network optimized for credential payloads.
The SSI model underpinning zkMe, including the evolved role definitions (Credential Issuer, ZKP Issuer, Holder, Verifier, Regulator), the zkMe SBT, and the zkMe App (MPC-based SSI wallet).
The did:zkme specification, on-chain DID Registry smart contract, CRUD operations, and DID Document resolution.
Encrypted secrets management combining TEE-based key hierarchy with threshold encryption (EC-ElGamal), decentralized credential storage on IPFS, and the data recovery procedure for regulatory compliance.
Fully Homomorphic Encryption using the CKKS scheme, enabling computation on encrypted facial feature vectors for privacy-preserving DID creation (Face-to-DID).
Privacy-preserving ePassport verification using NFC chip reading, Active Authentication, and zero-knowledge proof generation from ICAO 9303 data.
Zero-Knowledge Transport Layer Security for trustless extraction and attestation of Web2 data (bank accounts, credit scores, government records) without exposing raw session content.
On-chain contract suite including zkMe Mint, Delegate, Verify & Certify contracts, with deployment addresses across all supported chains.
Credential System
The Credential System is the core issuance and verification infrastructure for all zkMe credentials. It transforms raw identity data into trustless, privacy-preserving, and reusable verifiable credentials anchored on-chain.
System overview, design goals, the Issuer-Holder-Verifier trust triangle, system architecture (4-layer model), credential data model (W3C VC), Claim Tree and commitment model, full credential lifecycle (issuance, verification, revocation, expiration), and cryptographic assumptions.
Fine-grained privacy control allowing Holders to reveal only specific credential fields via the SD operator. Supports 14 query operators for range matching, set membership, and field extraction. Gas-optimized on-chain verification via circuitQueryHash compression.
Batch verification of up to 10 queries across multiple credentials in a single proof (LinkedMultiQuery10). Cross-chain identity portability via Delegated Proofs bound to secondary addresses or AI agent DIDs.
Nullifier-based uniqueness enforcement for "one person, one action" guarantees. Unified authentication supporting both BabyJubJub keys and standard Ethereum wallet signatures. Unified SIG/MTP circuit.
The "Verify Once, Prove Anywhere" paradigm, cross-chain credential portability via Delegate smart contracts, and lifecycle management for reusable credentials.
Credentials optimized for AI agent consumption, featuring cryptographic delegation, machine-readable schemas, and automated proof generation.
Agent Trust Gateway
The Agent Trust Gateway is the authorization and policy enforcement layer for AI agents. It mediates all interactions between autonomous agents and external resources, ensuring that every agent action is backed by a verified human identity, constrained by user-defined policies, and executed inside a hardware-secured enclave.
Core positioning, architectural components (TEE Enclave, Policy Engine, Credential Verifier, Protocol Adapters), and the high-level trust flow.
The complete 8-step session lifecycle from initiation through TEE ingress, credential verification, policy evaluation, optional human-in-the-loop authorization, context provisioning, execution proxying, to audit logging.
Native protocol adapters including MCP, APF/x402, W3C VC/DID, ERC-8004, OIDC4VP, zkTLS, and PASETO.
Client-Side Tools
The following tools provide user-facing interfaces for interacting with the zkMe Protocol. For integration guides and SDK documentation, see the Getting Started section.
The MPC-based SSI wallet for mobile credential management, featuring OCR document scanning, facial recognition, ZKP generation, and SBT minting.
JavaScript SDK for embedding credential verification into web applications.
Management interface for Verifiers to configure verification profiles, define business eligibility rules, and access analytics.
RESTful API for programmatic access to KYC and KYT verification services.
Available as Independent Services
The technology stack behind the zkMe Protocol is commercially available for external organizations to license, deploy, and operate independently. Customers can acquire any single module, any combination across pillars, or a complete pillar as a turnkey technology product.
Identity Infrastructure
8 modules available for independent licensing. See Identity Infrastructure: Available as Independent Services for the full catalog and acquisition models.
Credential System
6 capabilities available for independent licensing. See Credential System: Available as Independent Services for the full catalog and acquisition models.
Agent Trust Gateway
7 capabilities available for independent licensing. See Agent Trust Gateway: Available as Independent Services for the full catalog and acquisition models.
All modules support flexible engagement models including technology licensing for self-hosted deployment, managed service with pay-as-you-go or committed-use pricing, and full white-label solutions. Contact the zkMe team at [email protected].
Last updated