How to Build a Non-Custodial KYC Verification Service

introduction

DEVELOPER GUIDE

Launching a Non-Custodial KYC Verification Service

A technical guide for developers on implementing a KYC service where users retain control of their identity data using decentralized technologies.

A non-custodial KYC service fundamentally shifts the data custody model. Instead of a central server storing sensitive user documents, the verification process is anchored on-chain while personal data remains encrypted and user-controlled. This approach mitigates the single point of failure and data breach risks inherent in traditional KYC. The core components are a verifiable credential (VC) issued after successful checks, a decentralized identifier (DID) for the user, and a smart contract or zero-knowledge proof system to manage verification states without exposing raw data.

The technical architecture typically involves a backend verifier, an on-chain registry, and a user wallet. The flow begins when a user submits encrypted proofs to the verifier. The verifier, which could be a trusted entity or a decentralized oracle network, performs the compliance checks off-chain. Upon approval, it issues a signed verifiable credential to the user's wallet. Crucially, the credential contains only the attestation (e.g., "KYC-approved") and a proof of validity, not the underlying documents. The user's DID and the credential's status are then recorded—often via a hash or nullifier—on a blockchain like Ethereum or Polygon, creating a public, tamper-proof log of verification events.

For developers, key implementation decisions include choosing a DID method (e.g., did:ethr, did:key), a VC format (W3C Verifiable Credentials), and a privacy layer. Using zero-knowledge proofs (ZKPs) via circuits (e.g., with Circom or Noir) allows users to prove they hold a valid KYC credential for a transaction without revealing the credential itself or their DID. A basic smart contract for a registry might store a mapping of nullifiers to prevent double-spending of a credential. Here's a simplified Solidity example for a registry:

solidity
contract KYCRegistry {
    mapping(bytes32 => bool) public spentNullifiers;
    event CredentialVerified(address indexed user, bytes32 nullifier);
    function verifyAndSpend(bytes32 nullifier, bytes memory zkProof) public {
        require(!spentNullifiers[nullifier], "Credential already used");
        // Verify ZK proof (logic depends on your chosen proof system)
        bool proofIsValid = verifyZKProof(nullifier, zkProof);
        require(proofIsValid, "Invalid proof");
        spentNullifiers[nullifier] = true;
        emit CredentialVerified(msg.sender, nullifier);
    }
}

Integrating this service requires a frontend SDK for wallets (e.g., MetaMask, WalletConnect) to request and store credentials, and backend APIs for the verification process. Major challenges include ensuring the verifier's trustworthiness in a decentralized context, managing credential revocation, and achieving cross-chain interoperability so a credential issued on one chain can be used on another. Projects like Polygon ID and Veramo provide frameworks and SDKs that abstract much of this complexity, offering pluggable modules for DIDs, credential management, and selective disclosure.

The primary use cases are in DeFi (for compliance with Travel Rule or tiered access), DAO governance (for proof-of-personhood or citizenship), and NFT gated communities. By implementing non-custodial KYC, developers can build applications that are both compliant and privacy-preserving, aligning with the core Web3 ethos of user sovereignty. The end result is a reusable, portable identity layer that reduces friction for users while providing developers with a reliable compliance primitive.

prerequisites

BUILDING A KYC SERVICE

Prerequisites and Tech Stack

Before writing a line of code, you need to establish the core technical and operational foundation for your non-custodial KYC service. This involves selecting the right blockchain, identity protocols, and off-chain infrastructure.

The primary prerequisite is choosing a blockchain platform that supports the necessary functionality. You need a network with robust smart contract capabilities for managing verification states and permissions. Ethereum, Polygon, and other EVM-compatible chains are common choices due to their mature tooling and large developer ecosystem. For higher throughput and lower fees, consider Layer 2 solutions like Arbitrum or Optimism. The chain must also support the cryptographic primitives required for zero-knowledge proofs or secure signature verification if you plan to implement advanced privacy features.

Your tech stack's identity layer is critical. You will integrate with established decentralized identity (DID) standards and verifiable credential (VC) protocols. The W3C's DID specification provides a framework for creating self-sovereign identifiers, while VCs allow you to issue tamper-proof attestations. Common implementations include the Ethereum Attestation Service (EAS) for on-chain attestations or the Veramo framework for a modular, multi-protocol approach. You must decide whether attestations will be stored fully on-chain, in a decentralized storage network like IPFS or Arweave, or in a hybrid model.

For the actual KYC verification process, you need secure off-chain infrastructure. This typically involves a backend service (e.g., built with Node.js, Python, or Go) that integrates with identity verification providers like Sumsub, Onfido, or Jumio via their APIs. This service performs the document checks, liveness detection, and sanction screening, then cryptographically signs the result to issue a verifiable credential. It must be deployed in a secure, audited environment, as it handles sensitive personal data (PII) before it is transformed into a private credential.

Your application's frontend, likely a web app built with React or Vue, must securely interact with user wallets. You will use libraries like wagmi, ethers.js, or web3.js to request signatures, connect to smart contracts, and manage wallet states. The frontend guides the user through the flow: connecting a wallet, submitting documents to your verification service, and finally receiving and storing their credential, perhaps in a digital wallet like MetaMask or Spruce ID's Sign-In with Ethereum kit.

Finally, operational and security prerequisites are non-negotiable. You must design a gas-efficient smart contract architecture to minimize user costs for claim issuance and verification. Conduct thorough smart contract audits with firms like OpenZeppelin or CertiK. Legally, you need a clear privacy policy and terms of service that explain your data handling practices, especially regarding the PII processed during the initial verification. Establishing these components correctly from the start is essential for building a trustworthy, compliant, and scalable service.

architecture-overview

SYSTEM ARCHITECTURE AND DATA FLOW

Launching a Non-Custodial KYC Verification Service

A technical overview of the core components and secure data pathways for a self-sovereign identity verification system.

A non-custodial KYC service shifts the paradigm of identity verification. Instead of a central database holding user data, the system issues verifiable credentials (VCs) to the user's own digital wallet. The core architectural principle is data minimization; the service never stores the raw, personally identifiable information (PII) it verifies. Key components include a credential issuer (your service), a verifier (the dApp requiring KYC), and the holder (the end-user) with their wallet, such as MetaMask or Rainbow. This architecture aligns with the W3C Verifiable Credentials data model and decentralized identity (DID) standards.

The data flow begins when a user initiates verification through your service's frontend. They submit PII documents, which are processed by a secure backend. This backend typically integrates with specialized identity verification providers like Persona, Sumsub, or Onfido via API. The provider performs the actual document checks, liveness detection, and sanction screening. Crucially, your backend acts as a conduit; upon successful verification, it does not store the PII. Instead, it uses the verification result to mint a zero-knowledge proof (ZKP) credential or a signed attestation.

This credential is then issued to the user's wallet address. For Ethereum-based systems, this is often an ERC-721 or ERC-1155 NFT, or a SBT (Soulbound Token), representing the attestation. The credential contains only the necessary claims (e.g., isKYCVerified: true, country: US, tier: 2) and is cryptographically signed by the issuer's private key. The user fully controls this token in their wallet. When interacting with a dApp (the verifier), the user presents this credential. The dApp's smart contract or backend can verify the issuer's signature on-chain or off-chain to grant access without ever seeing the user's underlying PII.

Security and privacy are enforced at each layer. The frontend-to-backend communication must use HTTPS and secure API keys. The backend must run in a secure, isolated environment (e.g., using AWS Secrets Manager, GCP Secret Manager) to protect provider API keys and signing keys. The signing key for credential issuance is paramount; it should be managed via a hardware security module (HSM) or a cloud KMS like AWS KMS or GCP Cloud KMS. This ensures the private key never leaves a secured hardware boundary, making the issued credentials tamper-proof and trustworthy.

A critical implementation detail is the revocation mechanism. Since credentials are non-custodial, traditional database revocation lists are insufficient. Common patterns include using an on-chain revocation registry (e.g., a smart contract mapping), status list credentials (a W3C standard), or time-bound credentials with expiry timestamps. The verifier must check this status during validation. Furthermore, to prevent Sybil attacks, the system often binds the credential to a specific wallet address or a DID unique to the user, ensuring one verified identity cannot mint multiple credentials for different wallets.

In practice, launching this service requires careful stack selection. A reference stack might include: Next.js for the frontend, Node.js/Express or Python/FastAPI for the backend, PostgreSQL for logging audit trails (not PII), IPFS or Arweave for optional credential metadata storage, and Ethereum or Polygon for credential anchoring. The entire system's design must be documented in a clear privacy policy and audited for security vulnerabilities, particularly in the credential signing and verification logic, to establish trust with both users and integrating platforms.

key-concepts

BUILDING BLOCKS

Core Concepts: DIDs, VCs, and ZKPs

These three technologies form the foundation for a privacy-preserving, user-centric identity system. Understanding them is essential for building a non-custodial KYC service.

Decentralized Identifiers (DIDs)

A Decentralized Identifier (DID) is a globally unique, cryptographically verifiable identifier controlled by the user, not a central authority. It is the core of self-sovereign identity.

Structure: A DID consists of a URI scheme (did:), a method (e.g., ethr, key), and a method-specific identifier.
DID Document: Each DID resolves to a document containing public keys, authentication mechanisms, and service endpoints.
User Control: The user holds the private keys, enabling them to prove control of their identity without asking for permission.

Example: did:ethr:0xabc123...

EXPLORE

Verifiable Credentials (VCs)

Verifiable Credentials are tamper-evident digital claims issued by an authority (like a KYC provider) to a user's DID. They are the digital equivalent of physical credentials like a passport.

Structure: A VC contains claims (e.g., "over 18"), metadata, and a cryptographic proof from the issuer.
W3C Standard: The data model is standardized, ensuring interoperability across platforms.
Selective Disclosure: Users can present specific claims from a credential without revealing the entire document.

This allows a user to prove they are KYC-verified without exposing their full personal data to every service.

EXPLORE

Zero-Knowledge Proofs (ZKPs)

Zero-Knowledge Proofs allow one party (the prover) to prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself.

Core Property: Completeness, Soundness, and Zero-Knowledge.
Application to KYC: A user can generate a ZKP that they hold a valid VC with a specific claim (e.g., "country of residence is X") without showing the VC itself.
Key Technologies: zk-SNARKs (e.g., in Zcash, Mina) and zk-STARKs (e.g., StarkEx) are common cryptographic constructions used to generate these proofs efficiently on-chain.

EXPLORE

The Trust Triangle: Issuer, Holder, Verifier

This model defines the roles in a Verifiable Credentials ecosystem, crucial for architecting your service.

Issuer: Your KYC service. You verify a user's identity and issue a signed VC to their DID.
Holder: The end-user. They receive and store the VC in their digital wallet, controlling who can access it.
Verifier: A dApp or DeFi protocol. They request proof of a specific claim (like KYC status) from the user.

Your service operates as the Issuer. The user (Holder) presents proof to a Verifier, who can cryptographically verify your signature without contacting you directly, enabling seamless, privacy-preserving compliance.

Choosing a DID Method & Wallet Integration

Selecting a DID method determines how identifiers are created, resolved, and updated on a specific blockchain or network.

did:ethr: Uses Ethereum addresses and smart contracts (ERC-1056/ERC-1495). Managed by the Ethereum Foundation's Identity team.
did:key: A simple method using a public key directly, good for testing and off-chain use.
did:web: Resolves DIDs over HTTPS, useful for centralized issuers in hybrid models.

For a non-custodial service, you must ensure compatibility with popular identity wallets like MetaMask (via Snap), SpruceID, or Polygon ID that allow users to store VCs and generate ZKPs.

On-Chain vs. Off-Chain Verification

A key architectural decision is where verification logic and state are stored.

Off-Chain Verification: The Verifier checks the ZKP and VC signature off-chain using a library (e.g., veramo, did-jwt-vc). This is private and gas-free but requires the verifier to run code.
On-Chain Verification: The proof is verified by a smart contract. This is necessary for trustless, programmatic access (e.g., a lending protocol checking KYC status).

Example: Using Circom or SnarkJS to generate ZK circuits, and a verifier contract (like one from the iden3 library) to validate proofs on-chain. This adds gas costs but enables autonomous smart contract logic.

< $0.10

Avg. On-Chain Verify Cost

~200ms

Off-Chain Verify Time

implementation-steps

STEP-BY-STEP IMPLEMENTATION

Launching a Non-Custodial KYC Verification Service

This guide details the technical implementation of a non-custodial KYC service using zero-knowledge proofs and decentralized identity standards to verify user credentials without exposing personal data.

A non-custodial KYC service shifts the paradigm from centralized data silos to user-controlled verification. Instead of storing sensitive documents on your servers, the service issues a verifiable credential (VC)—a cryptographically signed attestation—to the user's digital wallet after they complete an initial check. Subsequent platforms can then request proof that the user holds a valid credential, verified via a zero-knowledge proof (ZKP). This proof confirms the credential's validity and any required attributes (e.g., "user is over 18") without revealing the underlying data, the issuer's identity, or creating a correlatable on-chain footprint.

The core architecture relies on three components: an issuer backend, a user wallet, and a verifier smart contract. The issuer backend is your off-chain service that performs the traditional identity check (using a provider like Synaps, Persona, or an in-house process). Upon success, it creates a W3C Verifiable Credential and signs it with the issuer's private key. This credential is sent to the user's wallet app, such as one built with the SpruceID SDK or Veramo. The wallet securely stores the credential and can generate ZK proofs when needed.

For the verification step, integrate a verifier smart contract on your target blockchain (e.g., Ethereum, Polygon). This contract contains the logic to verify a ZK proof. When a user wants to access a gated service, their wallet generates a proof using a ZK circuit (e.g., built with Circom or Halo2) that attests to the credential's validity and the required claims. The proof is sent to the verifier contract. A successful verification might mint a soulbound token (SBT) to the user's address or emit an event that your dApp's backend can listen for, granting access without ever handling personal data.

Implementing the issuer requires setting up a secure backend. Use a framework like Veramo to create and sign credentials. Your flow should: 1) Collect user data via a frontend, 2) Process it with your KYC provider, 3) Upon approval, create a VC with a JSON-LD or JWT format, and 4) Deliver it to the user's decentralized identifier (DID). Here's a simplified code snippet for creating a VC with Veramo:

typescript
import { createAgent } from '@veramo/core';
import { CredentialPlugin } from '@veramo/credential-w3c';
// Agent setup omitted for brevity
const credential = await agent.createVerifiableCredential({
  credential: {
    issuer: { id: 'did:ethr:0x123...' },
    credentialSubject: {
      id: userDid,
      kycStatus: true,
      countryOfResidence: 'US'
    },
  },
  proofFormat: 'jwt'
});

The user's wallet must support receiving VCs and generating proofs. For a web app, integrate the SpruceID Sign-In with Ethereum (SIWE) and Credential Kit libraries. The wallet stores the VC locally or in an encrypted cloud store. When proof is needed, use a ZK circuit to create a proof statement. For example, a Circom circuit would take the credential signature and user's secret as private inputs and output a proof that the signature is valid and a specific data field meets a condition. This proof is then verified on-chain by your contract, which uses a verifier library generated from the same circuit.

Finally, design the verifier contract and integrate it with your dApp. Deploy a verifier contract for your specific ZK circuit using tools like snarkjs for Circom or arkworks for Halo2. Your gated service should check for a valid proof submission or the presence of an SBT. This approach minimizes liability, enhances user privacy, and creates interoperable KYC status across the Web3 ecosystem. Always audit your ZK circuits and smart contracts, and consider using established identity frameworks like Polygon ID or Disco.xyz to accelerate development.

IMPLEMENTATION GUIDES

Code Examples by Component

Core Verification Smart Contract

This contract defines the rules for KYC status and manages attestations. It uses a merkle tree for efficient proof verification without storing user data on-chain.

solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

contract KYCVerification {
    bytes32 public merkleRoot;
    address public admin;
    mapping(address => bool) public isVerified;

    constructor(bytes32 _merkleRoot) {
        merkleRoot = _merkleRoot;
        admin = msg.sender;
    }

    function verifyUser(
        bytes32[] calldata proof,
        address user,
        uint256 expiryTimestamp
    ) external {
        bytes32 leaf = keccak256(abi.encodePacked(user, expiryTimestamp));
        require(MerkleProof.verify(proof, merkleRoot, leaf), "Invalid proof");
        require(expiryTimestamp > block.timestamp, "Proof expired");
        
        isVerified[user] = true;
        emit UserVerified(user, block.timestamp);
    }

    function revokeVerification(address user) external onlyAdmin {
        isVerified[user] = false;
        emit UserRevoked(user, block.timestamp);
    }
}

Key Components:

merkleRoot: The root hash of the off-chain KYC data tree.
verifyUser: Function that accepts a merkle proof to grant verification status.
revokeVerification: Admin function to revoke a user's status.

This pattern ensures user privacy (no PII on-chain) and gas efficiency.

TECHNICAL FOUNDATIONS

Comparison of Verifiable Credential Standards

Key technical and ecosystem differences between the primary standards for issuing and verifying digital credentials.

Feature / Metric	W3C Verifiable Credentials (VC)	Decentralized Identifiers (DIDs)	Soulbound Tokens (SBTs)
Core Data Model	JSON-LD with Linked Data Proofs	DID Document (JSON)	ERC-721/ERC-1155 Token Metadata
Primary Use Case	Portable, vendor-neutral credentials	Cryptographic identifier resolution	Non-transferable on-chain reputation
Revocation Mechanism	Status List 2021, selective disclosure	DID Document deactivation	Burn function, issuer blacklist
Privacy Features	Zero-knowledge proofs, selective disclosure	Pairwise DIDs, service endpoints	Pseudo-anonymous on-chain addresses
Typical Issuance Cost	$0.01 - $0.10 (gas/cloud)	$0.50 - $5.00 (on-chain DID registry)	$2.00 - $50.00 (mainnet gas)
Interoperability Focus	W3C standard, cross-industry	W3C standard, cross-chain identifiers	Ethereum ecosystem, EVM chains
Off-Chain Verifiability
Native On-Chain Storage

compliance-considerations

BUILDING A KYC SERVICE

Regulatory and Compliance Considerations

Launching a non-custodial KYC service requires navigating a complex web of global regulations. This guide covers the essential frameworks, technical standards, and operational best practices.

Understanding Global KYC/AML Frameworks

Compliance starts with jurisdiction. Key regulations include:

Financial Action Task Force (FATF) Recommendations: The global AML/CFT standard, including the Travel Rule for VASPs.
EU's Markets in Crypto-Assets (MiCA) Regulation: Sets comprehensive rules for crypto-asset service providers, including KYC/AML obligations.
US Bank Secrecy Act (BSA) & FinCEN Guidance: Requires financial institutions to verify customer identity and report suspicious activity.
5AMLD/6AMLD in Europe: Extends AML rules to custodian wallet providers and exchanges. A non-custodial service must map its user onboarding and transaction monitoring to these overlapping requirements.

Technical Standards: Decentralized Identity & Verifiable Credentials

Non-custodial KYC relies on privacy-preserving standards to avoid holding raw user data.

W3C Verifiable Credentials (VCs): A standard format for cryptographically signed, tamper-evident credentials. Users hold credentials in a digital wallet.
Decentralized Identifiers (DIDs): A new type of identifier for verifiable, self-sovereign digital identity, controlled by the user (e.g., did:ethr:0x...).
Zero-Knowledge Proofs (ZKPs): Allow users to prove they are verified (e.g., over 18, not on a sanctions list) without revealing the underlying data. Protocols like Semaphore or zkSNARKs enable this. Implementing these standards is key to a compliant, user-centric service.

Data Privacy: GDPR, CCPA, and Data Minimization

Handling personal data triggers strict privacy laws. Core principles for a non-custodial architecture:

Data Minimization: Only collect and process data strictly necessary for verification. Store zero-knowledge proofs or hashes instead of raw PII where possible.
User Consent & Control: Under GDPR and CCPA, users must have clear consent mechanisms and rights to access or delete their data.
Data Localization: Some jurisdictions (e.g., India, Russia) require data to be stored within national borders. Architect your oracle network or attestation storage accordingly.
Purpose Limitation: Data collected for KYC cannot be repurposed for marketing without explicit additional consent.

Operational Compliance: Risk Assessment & Audit Trails

Beyond technology, regulators expect documented processes.

Risk-Based Approach (RBA): Tiers of verification (e.g., simplified vs. enhanced due diligence) based on transaction risk, volume, and user geography.
Sanctions Screening: Real-time checks against global lists like OFAC's SDN List, EU consolidated list, and UN sanctions.
Transaction Monitoring: Algorithms to flag unusual patterns for reporting via Suspicious Activity Reports (SARs).
Immutable Audit Trails: Maintain cryptographically verifiable logs of all verification events and consent receipts, often stored on a permissioned ledger or secure database for regulator inspection.

Integrating with On-Chain Compliance Oracles

Smart contracts need to query verified KYC status without exposing private data. This is achieved via oracles.

Compliance Oracle Services: Projects like Chainlink Proof of Reserves or API3 can provide decentralized oracle networks to feed attestations to dApps.
Attestation Protocols: Use frameworks like Ethereum Attestation Service (EAS) or Verax to create on-chain, schema-based records of verifications that can be queried.
Gatekeeper Contracts: Implement smart contract functions that check for a valid, non-expired attestation from a trusted issuer before allowing a user to mint tokens or access a service. This creates a verifiable link between off-chain compliance and on-chain activity.

EXPLORE

Key Tools & Resources for Developers

Practical resources to start building:

Open-Source Identity Stacks: Spruce ID's toolkit (DIDKit, Credible), Microsoft's ION for DIDs on Bitcoin, walt.id's suite.
Compliance Data APIs: Sumsub, Onfido, or Veriff for identity verification flows; ComplyAdvantage or Elliptic for sanctions and transaction screening.
Regulatory Sandboxes: Test your service in controlled environments like the UK FCA Sandbox or MAS FinTech Sandbox in Singapore.
Industry Groups: Join the Decentralized Identity Foundation (DIF) or W3C Credentials Community Group to stay updated on standards. Always consult with legal counsel specializing in fintech regulation in your target markets.

EXPLORE

business-model

BUSINESS MODEL AND MONETIZATION

Launching a Non-Custodial KYC Verification Service

A guide to building a sustainable business around decentralized identity verification, balancing user privacy with enterprise compliance needs.

A non-custodial KYC service allows users to prove their identity or credentials without surrendering control of their personal data. Unlike traditional providers like Jumio or Onfido, which store sensitive documents centrally, a non-custodial model leverages zero-knowledge proofs (ZKPs) or verifiable credentials (VCs). Users store proofs in their own wallet (e.g., a browser extension or mobile app), and services request specific attestations (e.g., "is over 18") without seeing the underlying document. This architecture shifts the value proposition from data aggregation to trust-minimized verification, appealing to privacy-conscious users and protocols facing regulatory scrutiny.

Monetization for this model typically follows a B2B2C SaaS structure. You charge decentralized applications (dApps) a fee per verification, a monthly subscription for API access, or a custom enterprise contract. For example, a DeFi protocol requiring accredited investor checks might pay $5-20 per ZK proof verification. Key revenue streams include: - Pay-per-Verification API calls - Tiered subscription plans for high-volume dApps - Enterprise integration fees for custom compliance workflows. Pricing must compete with traditional KYC (often $1.50-$5 per check) while accounting for the higher technical cost of generating and validating cryptographic proofs.

The technical stack is critical to cost structure. Core components include an issuer backend for trusted entities to sign credentials, a verifier SDK for dApps, and a user wallet for credential management. Using frameworks like iden3's circom for ZK circuits or SpruceID's Kepler for credential storage can reduce development time. A major cost driver is the gas fee for on-chain verification, which can be mitigated by using optimistic proofs or L2 solutions like Polygon ID. Your architecture must decide what is on-chain (e.g., a registry of trusted issuers) versus off-chain to control operational expenses.

Acquiring the first trusted issuers is a primary go-to-market challenge. You need established entities (banks, government agencies, notaries) to cryptographically sign credentials that your system will recognize. Partnerships are essential. Simultaneously, you must onboard verifiers (dApps). A effective strategy is to focus on a niche with acute compliance needs, such as Real World Asset (RWA) tokenization platforms or regulated DeFi pools. Offering a seamless SDK and clear regulatory guidance can be a stronger sell than price alone. Building a public registry of verified issuers enhances the network's trust and becomes a defensible moat.

Long-term sustainability depends on network effects and regulatory alignment. As more issuers and verifiers join, the utility of holding a verifiable credential in your ecosystem increases. Future revenue could expand to credential renewal fees, staking services for issuers, or data analytics on aggregate proof statistics (without compromising privacy). It's crucial to monitor evolving regulations like the EU's eIDAS 2.0 framework, which may define standards for digital identity wallets. Aligning your protocol with such standards early can position your service as the compliant, privacy-preserving infrastructure for the next generation of web3 applications.

resource-links

DEVELOPER GUIDE

Essential Tools and Resources

Key protocols, libraries, and standards required to launch a non-custodial KYC verification service where users retain control of identity data while applications receive cryptographic compliance guarantees.

Decentralized Identity (DID) Standards

Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) form the foundation of non-custodial KYC.

They allow issuers to attest to user attributes without storing personal data on-chain.

Key components:

W3C DID Core: Identifier format resolving to public keys and service endpoints
Verifiable Credentials: Signed claims such as "KYC passed" or "Over 18"
Selective disclosure: Users reveal only required attributes

In practice, a KYC provider issues a VC after off-chain checks. Users present zero-knowledge proofs of that credential to dApps. No PII is shared with the verifier or stored by the application.

Most production systems combine DIDs with ZK proofs to meet regulatory requirements while minimizing data exposure.

EXPLORE

Polygon ID (ZK-Based Identity Stack)

Polygon ID is an open-source identity framework built on zero-knowledge proofs for non-custodial compliance.

It supports:

ZK credential issuance using W3C Verifiable Credentials
On-chain and off-chain verification via Circom circuits
Selective disclosure without revealing raw identity data

Typical flow:

User completes KYC with an issuer
Issuer mints a ZK credential to the user's wallet
Smart contracts verify proofs such as "KYC valid" or "Country not restricted"

Polygon ID is production-ready and used in DeFi and enterprise pilots. It integrates with Ethereum, Polygon PoS, and EVM-compatible chains using on-chain verifiers.

EXPLORE

zkPass and Web2-to-Web3 ZK Proofs

zkPass enables users to generate zero-knowledge proofs from Web2 data sources without revealing credentials or raw data.

Relevant capabilities for non-custodial KYC:

Prove attributes derived from government portals, exchanges, or banks
Client-side proof generation, no data custody
Attest facts like residency, account age, or verification status

This approach reduces reliance on traditional KYC databases while still enabling compliance signals. zkPass is often used where regulatory data exists in Web2 systems but must be bridged into Web3 with minimal trust.

Developers integrate zkPass proofs into smart contracts or backend verifiers to enforce access control without collecting personal information.

EXPLORE

Semaphore for Anonymous Credentials

Semaphore is a zero-knowledge protocol for proving group membership without revealing identity.

While not a full KYC system, it is useful for:

Proving a user belongs to a verified KYC set
Preventing double usage via nullifiers
Enabling anonymous yet compliant interactions

Architecture details:

Merkle tree of approved identities
ZK proofs generated client-side
On-chain verification with Solidity contracts

Many non-custodial KYC designs combine Semaphore with off-chain identity checks. The KYC provider adds users to a verified group, and applications only verify membership proofs, never personal data.

EXPLORE

SpruceID and Sign-In With Ethereum

SpruceID provides identity tooling built around Sign-In With Ethereum (SIWE) and decentralized credentials.

For non-custodial KYC services, it offers:

Wallet-based authentication without usernames or passwords
DID-based identity management
Compatibility with VC issuance workflows

SIWE is commonly used as the authentication layer before issuing KYC credentials. Users prove wallet ownership, complete verification, and receive attestations tied to their DID.

SpruceID is widely used in DAO tooling and Web3 applications where minimizing data retention and attack surface is a priority.

EXPLORE

DEVELOPER FAQ

Frequently Asked Questions

Common technical questions and troubleshooting for developers building on-chain KYC verification systems.

A non-custodial KYC service verifies a user's identity without the service provider ever holding or storing the user's raw personal data. It uses cryptographic proofs, such as zero-knowledge proofs (ZKPs) or attestations from trusted verifiers, to confirm a user meets specific criteria (e.g., "is over 18," "is not on a sanctions list") without revealing the underlying data.

Key differences from traditional KYC:

Data Custody: Traditional providers store PII in centralized databases. Non-custodial systems store only the proof or a commitment on-chain.
User Control: Users can generate reusable proofs for multiple dApps, controlling where their verification is used.
On-Chain Integration: Verification status is represented as a token (like a Soulbound Token or verifiable credential) or a state in a smart contract, enabling programmable compliance logic.
Privacy: Minimizes data exposure and reduces single points of failure for data breaches.

conclusion

IMPLEMENTATION SUMMARY

Conclusion and Next Steps

You have now built the core components of a non-custodial KYC service. This guide covered the foundational architecture, smart contract logic, and integration patterns.

A non-custodial KYC service, as implemented, shifts the paradigm of identity verification. Instead of a central database, it uses zero-knowledge proofs (ZKPs) and on-chain attestations to allow users to prove credentials like citizenship or age without revealing the underlying data. The core smart contract acts as a verifiable registry, storing only the public commitment (a hash) of a user's verified credential and the issuer's signature. This model enhances user privacy and data sovereignty while providing the necessary trust layer for regulated DeFi, NFT gating, and institutional on-ramps.

The technical stack typically involves a backend verifier (using frameworks like SnarkJS or Circom), a frontend SDK for proof generation, and smart contracts on a cost-effective L2 like Polygon or Arbitrum. Key steps include: - Designing the credential schema (e.g., isAbove18). - Having a trusted issuer sign the credential hash off-chain. - Guiding the user's wallet to generate a ZK proof locally. - Verifying the proof and the issuer's signature on-chain. This flow ensures the user's raw data never leaves their device, adhering to the non-custodial principle.

For production deployment, several critical next steps are required. First, audit your smart contracts with a reputable firm like OpenZeppelin or Trail of Bits. Second, implement a robust issuer onboarding and key management system, potentially using multi-sig wallets or dedicated hardware security modules (HSMs). Third, consider integrating with identity standards like Verifiable Credentials (W3C VC) or Ethereum's EIP-712 for signing to ensure interoperability. Finally, plan for user revocation mechanisms, which can be handled via expiry timestamps, revocable registries, or accumulator-based systems like those used in Semaphore.

To extend functionality, explore advanced patterns. You could implement tiered access levels, where different proofs grant different permissions within a dApp. Cross-chain attestation using protocols like LayerZero or Wormhole can make a user's KYC status portable across ecosystems. For scalability, look into proof batching or proof aggregation (e.g., using Plonk or Nova) to reduce on-chain verification costs for high-volume applications. Monitoring tools like Tenderly or OpenZeppelin Defender are essential for tracking attestation events and contract health.

The landscape of decentralized identity is evolving rapidly. Keep abreast of developments in zk-proof standards (e.g., EIP-7212 for account abstraction), privacy-preserving attestation networks like Sismo, and regulatory guidance from bodies like the Travel Rule compliance (TRUST) in the US or MiCA in the EU. Engaging with communities such as the Decentralized Identity Foundation (DIF) or the W3C Credentials Community Group can provide valuable insights and collaboration opportunities for refining your service.