Self-Sovereign Identity and Portable KYC Infrastructure for the Stellar Ecosystem
StellarID is an open-source decentralized identity platform that lets users verify once and carry their credentials across any application built on Stellar. Instead of repeating KYC checks on every platform, users hold cryptographically signed attestations in their own wallet. Applications verify proofs on-chain through Soroban smart contracts — without ever touching the user's raw identity documents.
The goal is simple: make compliance a portable utility, not a per-platform tax.
Every financial application on Stellar — remittance platforms, lending protocols, crowdfunding tools, payroll systems — needs some form of identity verification. Today, each one runs its own KYC process independently. A user building on StellarRemit, SoroFund, and StellarPayroll would go through full verification three separate times. The data is siloed, the UX is broken, and smaller dApps can't afford to run KYC infrastructure at all.
There is no shared identity layer in the Stellar ecosystem. StellarID builds it.
StellarID follows the W3C Decentralized Identifiers (DID) and Verifiable Credentials (VC) standards, adapted for Stellar.
- User creates a DID — A
did:stellaridentifier is derived from the user's Stellar public key and anchored on-chain via a Soroban registry contract. - User completes verification — The user goes through a KYC flow with a trusted verifier (an anchor, a licensed identity provider, or StellarID's own verifier). The verifier issues a signed Verifiable Credential attesting to whatever was checked (e.g., age range, country of residence, accredited investor status).
- Credential is stored by the user — The credential is never stored on-chain in raw form. It lives in the user's wallet or an encrypted personal store. The on-chain registry holds only a credential hash and metadata.
- User presents a proof to an application — When a dApp needs to verify identity, the user submits a zero-knowledge proof derived from their credential. The Soroban verifier contract checks the proof against the on-chain registry without learning the underlying data.
- Application receives a pass/fail — The dApp gets a boolean result and an optional set of disclosed attributes (e.g., "resident of Nigeria: true"), nothing more.
┌─────────────────────────────────────────────────────────┐
│ Next.js Frontend │
│ Identity Dashboard · Credential Wallet · Proof Request │
└───────────────────┬─────────────────────────────────────┘
│ REST / WebSocket
┌───────────────────▼─────────────────────────────────────┐
│ NestJS API Server │
│ DID Management · Credential Issuance · Proof Engine │
│ Anchor Integration · Notification Service │
└──────────┬──────────────────────────┬───────────────────┘
│ TypeORM / PostgreSQL │ Stellar SDK
┌──────────▼──────────┐ ┌────────────▼────────────────────┐
│ PostgreSQL DB │ │ Soroban Smart Contracts │
│ User profiles │ │ DID Registry Contract │
│ Credential metadata │ │ Credential Verifier Contract │
│ Audit logs │ │ Consent Ledger Contract │
│ Verifier registry │ │ Revocation Registry Contract │
└─────────────────────┘ └─────────────────────────────────┘
DID Registry Contract The core identity anchor. Maps Stellar public keys to DID documents, stores credential hashes, and manages key rotation. Any dApp integrating StellarID calls this contract to resolve an identity.
pub fn register_did(env: Env, owner: Address, did_document_hash: BytesN<32>) -> Did;
pub fn resolve_did(env: Env, did: String) -> Option<DidDocument>;
pub fn rotate_key(env: Env, owner: Address, new_key: Address);
pub fn deactivate_did(env: Env, owner: Address);Credential Verifier Contract Accepts zero-knowledge proofs and verifies them against anchored credential hashes. Returns verification results to calling contracts without exposing raw credential data.
pub fn verify_credential(env: Env, holder: Address, proof: Bytes, credential_type: Symbol) -> VerificationResult;
pub fn issue_credential_hash(env: Env, issuer: Address, holder: Address, hash: BytesN<32>, credential_type: Symbol, expiry: u64);
pub fn is_credential_valid(env: Env, holder: Address, credential_type: Symbol) -> bool;Consent Ledger Contract Records which applications a user has granted access to which credential types, and when. Users can revoke consent at any time. Applications must call this contract before requesting a proof.
pub fn grant_consent(env: Env, holder: Address, app_id: String, credential_types: Vec<Symbol>);
pub fn revoke_consent(env: Env, holder: Address, app_id: String);
pub fn check_consent(env: Env, holder: Address, app_id: String, credential_type: Symbol) -> bool;Revocation Registry Contract Allows credential issuers to revoke credentials that have been superseded, or where the underlying verification is no longer valid.
pub fn revoke_credential(env: Env, issuer: Address, holder: Address, credential_type: Symbol);
pub fn is_revoked(env: Env, holder: Address, credential_type: Symbol) -> bool;Modules:
IdentityModule— DID creation, document management, key rotationCredentialModule— Credential issuance pipeline, verifier integrations, ZK proof generationAnchorModule— SEP-12 integration for anchor-based KYC flowsConsentModule— User consent management, dApp registry, access logsNotificationModule— Webhooks for dApps on credential events (issued, revoked, expired)
Key Integrations:
- SEP-12 (KYC API) for anchor-compatible identity data exchange
- Verifier adapters for third-party KYC providers
- BLS12-381 curve support (available in Soroban) for ZK proof verification
- Stellar Horizon for on-chain event indexing
Identity Dashboard — Manage your DID, view issued credentials, track expiry dates, revoke consent from connected applications.
Credential Wallet — View all held credentials in a privacy-preserving summary. No raw data is displayed, only credential type, issuer, and validity status.
Proof Request UI — When a dApp requests identity verification, users are redirected here to review the request, see exactly what will be disclosed, and approve or deny.
Developer Portal — For dApps integrating StellarID: register your application, configure required credential types, generate API keys, view verification logs.
StellarID supports multiple credential types out of the box, with a registry for community-defined types.
| Credential Type | What It Attests | Example Issuer |
|---|---|---|
kyc.basic |
Name, DOB, nationality verified | StellarID Verifier, Anchor |
kyc.enhanced |
Address, ID document, liveness check | Licensed KYC Provider |
aml.screened |
Passed sanctions and PEP screening | Compliance Provider |
age.18plus |
User is 18 or older (no exact age disclosed) | StellarID Verifier |
country.residence |
Country of residence verified | Anchor |
accredited.investor |
Meets accredited investor criteria | Financial Regulator API |
custom.* |
dApp-defined credential types | Any registered issuer |
Any project on Stellar can integrate StellarID with a few lines of code. The SDK wraps the Soroban contract calls and handles proof generation.
import { StellarID } from '@stellarid/sdk';
const stellarId = new StellarID({ network: 'mainnet' });
// Check if a user holds a valid KYC credential
const result = await stellarId.verify({
holder: userPublicKey,
credentialType: 'kyc.basic',
appId: 'your-app-id',
});
if (result.verified) {
// Proceed — user is verified
// result.attributes contains only what you requested
}The SDK is available for JavaScript/TypeScript. Python and Go adapters are on the roadmap.
- Node.js 20+
- Rust + Soroban CLI
- PostgreSQL 15+
- Stellar Testnet account
git clone https://github.com/your-org/stellarid.git
cd stellarid# Install backend dependencies
cd api && npm install
# Install frontend dependencies
cd ../web && npm installBuilt with support from the Stellar Development Foundation and the Drips Wave Program. StellarID is committed to growing the Stellar open-source ecosystem by providing foundational identity infrastructure that every project on Stellar can rely on.