Identity online is broken the way value and compute are: a hundred logins, leaked passwords, KYC re-run by
every service, and to prove one fact ("I'm over 18") you hand over your whole identity to a company that
then owns it and can lose it. SID is the layer where a key you control is your identity. Your Ed25519
keypair is your did:sid:<pubkey> — no account, no provider owns it. An issuer signs a credential over a
Merkle commitment of its fields, binding the whole set without revealing it. The paradigm move is
selective disclosure: you present only the one field you choose, each with a Merkle proof to the
issuer-signed root, so "prove I'm over 18" reveals a single bit and not your birth date, name, or document.
A verifier's nonce, signed by your identity key, gives passwordless, replay-safe proof-of-control. Anyone
verifies the whole presentation offline with just the issuer's public key and math — no central
database, no call home, no authority in the loop.
issuer signs {age_over_18, country, human, dob, name} → you present ONLY age_over_18 (+ merkle proof)
verifier checks: issuer sig ✓ · your nonce-signature ✓ · merkle proof ✓ → learns "18+", nothing else
git clone https://github.com/spektre-labs/sid && cd sid
pip install -e . # Ed25519 + SHA-256 Merkle via the cryptography lib
python3 sid.py # issue a credential, prove "18+" revealing nothing else → JSON
python3 -m pytest test_sid.py -q # 10 passed — disclosure soundness, proof-of-control, tamper/replay/expiryDoes: self-custody identity (your Ed25519 key, did:sid:…); issuer-signed verifiable claims over a
SHA-256 Merkle root; selective disclosure (reveal one field, prove it, hide the rest); passwordless,
replay-safe proof-of-control via nonce signature; offline, permissionless verification. σ-honest and
fail-closed: a forged disclosed value (broken Merkle proof), a bad issuer signature, a wrong/absent holder
signature, an untrusted issuer, or an expired credential is rejected — never "probably fine". A claim is
trusted only if the math proves it. No PII is stored; verification is real cryptography.
Does NOT: this is a standard + reference kernel, not a deployed identity network. Real adoption needs an issuer trust framework, credential revocation, and wallet UX. We ship the cryptographic primitive and the spec, σ-honestly.
git clone https://github.com/spektre-labs/sid && cd sid
pip install -e . # installs the `sid` console script + the cryptography dependencyRequires Python ≥ 3.10 and cryptography>=41.0. Pure-logic, offline, no network. Full protocol spec:
SID.md.
EMERGING — kernel + spec REAL and green; deployed identity network is VISION. CI green, 10/10 tests passing.
SID is one primitive in a five-part estate. Each routes one thing the legacy stack siloes:
- vrp — value routing (least-friction multi-hop settlement)
- crp — capability routing (route a task to the best AI substrate)
- vtc — verifiable transaction chain (signed value promises anyone verifies trustlessly)
- sid — sovereign identity (this repo)
- sigma-gate — deterministic trust verdict for AI/agent output
AGPL-3.0-or-later — free for all; commercial/closed-source embedders license commercially. See LICENSE.