Privacy-Preserving Identity Verification Infrastructure on Solana
Reference implementation of a stateless verification layer where applications can verify user claims (age, residency, accreditation) without storing or accessing raw identity data.
Today's KYC systems centralize PII, creating honeypots and compliance risk.
Every time an application collects and stores identity documents:
- They become a liability target (data breach lawsuits, regulatory fines)
- They assume custodial risk (GDPR, CCPA, SOC2 compliance)
- Users lose control of their data (repeated uploads, no revocation)
- Privacy is structurally impossible (raw PII must exist somewhere)
SolidKYC explores an alternative:
What if verifiers could validate claims without ever holding raw identity data?
This is infrastructure for privacy-first verification β not a replacement for all KYC, but a demonstration that stateless, zero-knowledge flows are technically feasible today.
SolidKYC is a working prototype that enables privacy-preserving age verification (18+) using zero-knowledge proofs on Solana.
User submits date of birth
β
Backend issues signed credential β stored on Solana
β
User generates ZK proof locally (proves age β₯ 18, reveals nothing else)
β
Verifier validates proof + on-chain credential signature
β
Access granted β no PII stored by verifier
- Stateless verification β Verifiers check proofs against on-chain data; no user database required
- Client-side proof generation β Credentials encrypted locally (IndexedDB); proofs never leave user's browser
- Tamper-proof credentials β EdDSA signatures on BabyJubJub curve, validated on-chain
- Revocable β Issuer can invalidate credentials; proofs fail verification immediately
- Composable β Reference integration shows how DEXs/DApps can consume verification
For detailed architecture and flow diagrams, see: π Raw Architecture Diagram β Excalidraw source file
| Component | Tech Stack | Purpose |
|---|---|---|
| Frontend | React + Vite + TypeScript | Credential issuance UI, ZK proof generation (SnarkJS), encrypted storage (IndexedDB) |
| Backend | Node.js + Express + TypeScript | Credential signing (EdDSA), on-chain issuance via Solana program |
| Solana Program | Rust + Anchor | Credential storage, issuer management, revocation state |
| ZK Circuit | Circom | Age verification circuit (proves currentYear - birthYear β₯ 18) |
| Simulation DEX | Next.js | Reference integration demonstrating age-gated access flow |
- EdDSA on BabyJubJub β ZK-friendly signature scheme
- Poseidon hash β SNARK-efficient hash function
- Groth16 β Proof system (circuit compiled via circom, proofs via SnarkJS)
Clear milestone-based development focused on making this infrastructure production-ready.
Goal: Prove that end-to-end verification without PII storage is feasible.
Delivered:
- β Credential issuance (EdDSA-signed claims stored on Solana)
- β ZK proof generation (client-side, browser-based)
- β On-chain + cryptographic verification
- β Reference integration (simulation-dex demonstrates consumption flow)
Demo: Working deployment on Devnet with video walkthrough
Goal: Handle edge cases and adversarial scenarios.
Status: Implemented in prototype form; needs formal threat modeling, edge-case handling, and documentation.
Planned Work:
- Formalize revocation semantics (immediate vs. grace period)
- Optimize on-chain storage for credential expiry checks
- Document threat model and attack vectors
- Add monitoring/indexing for revoked credentials
- Write security guarantees and limitations guide
Success Criteria:
- Documented revocation flow that developers can reason about
- Tests covering edge cases (expired credentials, revoked signatures, replay attacks)
- Clear guidance on when revocation is checked (proof time vs. verification time)
Estimated Duration: 2-3 weeks
Goal: Make integration frictionless for developers.
Motivation: Current integration requires manual proof verification, callback handling, and on-chain queries. This is a barrier to adoption.
Planned Work:
- JavaScript/TypeScript SDK with clean API
- One-line verification:
await solidkyc.verify(proof, publicInputs) - Automatic fallback handling (RPC errors, proof validation)
- React hooks for wallet integration
- Example projects (Next.js, Remix, vanilla TypeScript)
- Comprehensive API documentation
Success Criteria:
- Developer can integrate age verification in <30 lines of code
- SDK handles all cryptographic complexity
- Clear error messages and debugging surface
Estimated Duration: 3-4 weeks
Goal: Make SolidKYC audit-ready and operationally sound.
Planned Work:
- Security audit (smart contract + cryptographic implementation)
- Formal verification of circuit constraints
- Performance benchmarking (proof generation time, verification cost)
- Multi-issuer support (federated trust model)
- Mainnet deployment strategy
- Governance framework for protocol upgrades
Success Criteria:
- Third-party security audit with public report
- <2s client-side proof generation on median hardware
- <0.01 SOL verification cost per proof
- Documentation of trust assumptions and threat model
Estimated Duration: 6-8 weeks (dependent on audit timeline)
solidkyc_mvp.mp4
- End-to-end flow from credential issuance β proof generation β verification
- Real Solana integration (transactions on Devnet)
- Reference DEX integration showing how third-party apps consume SolidKYC
- Client-side encryption with password-protected credential vault
See SETUP.md for complete installation and local development instructions.
Quick start:
# Clone and install
git clone https://github.com/adithya-adee/SolidKYC.git
cd SolidKYC
# See SETUP.md for detailed steps
# You'll need: Node.js 18+, Rust, Solana CLI, Anchor CLI- SETUP.md β Installation, local development, environment setup
- Backend API Docs β Endpoint documentation
- Raw Architecture Diagram β Architecture diagram using Excalidraw
- Smart Contract Source β Anchor program
- ZK Circuit β Circom age verification circuit
- β EdDSA signatures (BabyJubJub curve)
- β Client-side encryption (AES-GCM with PBKDF2 key derivation)
- β On-chain credential verification
- β Proof verification (circuit + signature validation)
- β Credential expiry (1 hour default, configurable)
- β Revocation (issuer-initiated)
- Single issuer β Prototype uses one trusted issuer; multi-issuer support planned
- Age verification only β Other attributes (residency, accreditation) not yet supported
- No formal audit β Cryptographic implementation not independently reviewed
- Devnet only β Not deployed to mainnet
- Re-issuance enabled β For testing; should be rate-limited in production
Formal threat model documentation is in development. Current assumptions:
- Issuer is trusted to validate identity claims before signing
- User's browser environment is not compromised
- Solana RPC endpoints are honest (no proof forgery via RPC manipulation)
- Verifiers correctly implement proof validation (SDK mitigates this)
SolidKYC is a reference implementation of stateless verification infrastructure, developed fully in the open.
All components β protocol design, cryptographic flow, backend, ZK circuits, smart contracts, and reference integration β were implemented and deployed by a single contributor.
Engineering artifacts delivered:
- Stateless verification flow β Verifiers validate user claims without storing PII or long-term state
- ZK proof-based credential verification β Proof verifies attributes, not identity data itself
- End-to-end working system β Issuance β proof generation β verification, deployed on Devnet
- Reference integration (simulation-dex) β Demonstrates how real applications consume SolidKYC
Received feedback from early developers reviewing the architecture and integration flow. Key themes:
- Verification flow clarity β Requests for clearer documentation of when/where verification happens
- Revocation handling β Questions about revocation semantics and edge cases (addressed in Milestone 2)
- SDK ergonomics β Requests for easier integration APIs (addressed in Milestone 3)
- Threat model transparency β Developers want explicit documentation of trust assumptions
Feedback has directly shaped the roadmap prioritization.
SolidKYC is developed fully in the open, with all design decisions, tradeoffs, and limitations documented publicly.
- License: MIT (permissive, grant-compatible)
- Repo: Public from day one
- Transparency: All architectural choices and limitations documented
- Community-first: Built to be composable infrastructure, not a closed platform
Evidence of execution capability:
- β Working deployment (Devnet, accessible for testing)
- β Video demo (full flow demonstration)
- β Multi-component system (frontend, backend, smart contracts, ZK circuits)
- β Reference integration proving composability
This is not a whitepaper project β it's running code.
Contributions are welcome, especially:
- Circuit optimization (proof generation performance)
- Threat modeling and security review
- Integration examples (other frameworks, languages)
- Documentation improvements
How to contribute:
- Fork the repository
- Create feature branch (
git checkout -b feature/improvement) - Make changes with clear commit messages
- Open a Pull Request with context
For major changes, please open an issue first to discuss the approach.
SolidKYC builds on excellent open-source primitives:
- Circom & SnarkJS β ZK circuit tooling by Iden3
- Anchor β Solana smart contract framework
- Iden3 Cryptographic Libraries β EdDSA, Poseidon, ZK identity protocols
- Solana β High-performance blockchain infrastructure
MIT License - see LICENSE for details.
This is permissive, grant-compatible licensing. Use, fork, and build freely.
Experimental prototype for research and demonstration purposes.
This code has not been formally audited. Do not use in production with real user data or funds without independent security review.
SolidKYC demonstrates technical feasibility, not production readiness.
Built for a privacy-first web