Zero-Knowledge Identity Proofs

Prove trust thresholds and org membership without revealing scores or identity. Privacy-preserving verification for the agent economy.

Prove Without Revealing

Traditional trust verification requires exposing the exact score. ZK proofs let agents prove "my trust is above 70" without revealing whether it is 71 or 99.

  • Groth16 circuits for trust threshold and org membership proofs
  • W3C Verifiable Presentations with cryptographic ZKP binding
  • Reputation service provides HMAC-SHA256 signed scores for circuit input
  • Agent-to-agent negotiation without mutual score disclosure
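
// ZK Trust Threshold Proof
Prover knows:  trustScore = 82.4
Public input:  threshold  = 70
Circuit proves: trustScore >= threshold  ✓

Verifier learns: "trust is above 70"
Verifier does NOT learn: exact score

// Groth16 proof generation (run inside an async function).
// Circuit signals are integers, so score and threshold are scaled by 10:
// 82.4 -> 824, 70 -> 700.
const { proof, publicSignals } = await snarkjs.groth16.fullProve(
  { score: 824, threshold: 700 },
  "trust_threshold.wasm",
  "trust_threshold.zkey"
);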

W3C Verifiable Credentials

Five credential types cover every trust verification scenario, from basic trust attestation to privacy-preserving human approval binding.

  • DATTrustCredential — Trust above threshold, 30-day expiry
  • DATOrgMembershipCredential — Org membership via Merkle tree, 90-day
  • DATAgentVerificationCredential — Verified agent status, 180-day
  • DATBadgeCredential — Reputation badge, 365-day
  • DATHumanApprovalCredential — HITL proof without voter PII, 24h

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential",
           "DATTrustCredential"],
  "issuer": "did:dat:mainnet:service_zk",
  "credentialSubject": {
    "id": "did:dat:testnet:agent_1fb5d...",
    "trustAboveThreshold": true,
    "threshold": 70,
    "verifiedAt": "2026-03-04T..."
  },
  "proof": {
    "type": "Ed25519Signature2020",
    "proofValue": "base64(sig+payload+ts+nonce)"
  }
}

ZK-Proof Human Binding

When a human approves a high-risk action, the system generates a credential proving "an authorized human with role X approved action Z" — without embedding the human's identity in the agent's context.

  • HMAC-SHA256 binds proof to exact approval (taskId + approvalId + decision)
  • Voter PII never enters agent observation or LLM context
  • Public verification endpoint for external auditors
  • Per-org policy toggle in dashboard governance settings

// Human approves "send_email" tool call
// System generates approval proof:

approvalHash = HMAC-SHA256(
  taskId + approvalId + "approved"
  + voterRole + timestamp,
  APPROVAL_PROOF_SECRET
)

// Agent sees:
"✓ Approved (cryptographically verified,
  proof: a8f2c1...)"

// Agent does NOT see:
// voter name, userId, or email
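
The approval binding above, as an added example (not the product's own code): plain field concatenation lets different (taskId, approvalId) pairs produce the same MAC input, so this sketch length-prefixes each field and verifies in constant time. The function names, the encoding and all sample values are assumptions constructed for illustration.

```javascript
// Added example, not the product's code. Field names follow the page's pseudocode;
// function names, the length-prefixed encoding and sample values are assumptions.
const crypto = require('node:crypto');

// Length-prefix each field so ("task-12","3") and ("task-1","23") encode
// differently; plain concatenation gives both the same MAC input.
function encodeFields(fields) {
  const parts = [];
  for (const f of fields) {
    const bytes = Buffer.from(String(f), 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(bytes.length);
    parts.push(len, bytes);
  }
  return Buffer.concat(parts);
}

function approvalProof(secret, { taskId, approvalId, decision, voterRole, timestamp }) {
  return crypto.createHmac('sha256', secret)
    .update(encodeFields([taskId, approvalId, decision, voterRole, timestamp]))
    .digest('hex');
}

// Recompute the MAC and compare in constant time.
function verifyApprovalProof(secret, approval, proofHex) {
  const expected = Buffer.from(approvalProof(secret, approval), 'hex');
  const given = Buffer.from(String(proofHex), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample data (not real identifiers or keys).
const SECRET = Buffer.from('constructed-demo-secret');
const approval = {
  taskId: 'task-12', approvalId: '3', decision: 'approved',
  voterRole: 'admin', timestamp: '2026-03-04T10:00:00Z',
};
// Same characters overall, but the taskId/approvalId boundary is moved.
const shifted = { ...approval, taskId: 'task-1', approvalId: '23' };

// What delimiter-free concatenation would feed to the MAC.
const naive = (a) => a.taskId + a.approvalId + a.decision + a.voterRole + a.timestamp;

const proof = approvalProof(SECRET, approval);
console.log('naive inputs collide:', naive(approval) === naive(shifted));
console.log('proof verifies for original:', verifyApprovalProof(SECRET, approval, proof));
console.log('proof verifies for shifted:', verifyApprovalProof(SECRET, shifted, proof));
```

Because HMAC is symmetric, only a holder of the secret can run this check, so an external auditor relies on the service's verification endpoint rather than validating the proof independently.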

  • Groth16 ZKP System
  • 5 VC Types
  • Ed25519 Signatures
  • W3C Compliant

Privacy-First Trust Verification

Enable agent-to-agent trust without exposing sensitive scores.