Passport specification

Chain-agnostic Passport root

Sui-native Abraxas Passport specification. Same 52-byte logical state on Sui Move objects. zkLogin (Google OAuth) derives holder addresses; documents stay off-chain. only stamp bitmask + authority + lifecycle fields are on-chain.

Status

Sui-native verification. zkLogin (Google) derives your holder address. Move module is live on devnet; mainnet follows after sponsor wallet + stamp issuance API.

GET /api/passport/spec β†’

52-byte fixed layout (52 bytes LE)

versionu8. start at 1
stampsu16 bitmask. 10 verification gates (bits 0–9)
authority32 bytes. issuance authority pubkey/address
expires_atu64 unix seconds. 0 = no expiration
revokedu8. 0 active, 1 irreversible revoke
nonceu64. increments on each issuance update

Signing domain for Type 0 proofs: abraxas-passport-v1 prepended to serialized root. TypeScript reference: lib/passport/serialize.ts

Stamp bitmask (10 gates)

BitIDLabel
0identityIdentity Verified
1biometricBiometrics Confirmed
2businessBusiness Verified
3ownerAsset Owner Verified
4royaltyRoyalty Rights Verified
5propertyProperty Owner Verified
6tribalTribal Partner Verified
7complianceScreening Outcome Recorded
8lendingLending Eligible
9socialSocial Verified (deprecated. not used)

Verification rules (pure function)

  • revoked == 0
  • expires_at == 0 OR current_timestamp < expires_at
  • (passport.stamps & required_stamps) == required_stamps
  • Proof validates against authority + current nonce (Type 0 or Type 1)

Proof types

0. Ed25519 signature SPEC READY

Sign domain || serialized_52_byte_root with issuance authority key. Lowest complexity; works off-chain with no gas.

1. ZK presentation (zkLogin) ROADMAP

Proves holder controls a valid zkLogin-derived address linked to passport root without revealing OAuth credentials.

Chain implementations

TypeScriptlib/passport/. serialize, verify, stamp bits
SolanaLegacy. not used for verification (deprecated)
Sui Movesui/abraxas_passport/. primary verification anchor (devnet live)
Primary chainSui (zkLogin holder + Move Passport object)
Sign-inGoogle OAuth β†’ zkLogin Sui address

Sui devnet (live)

Sui devnet Β· live object
View devnet passport

Abraxas Passport Move module deployed on Sui devnet. Query any Passport object ID or load the demo bootstrap passport.

GET /api/sui/passport β†’
Package 0xb8e6537b…c520f37a Β· publish tx β†— Β· bootstrap tx β†—

Sui zkLogin integration (roadmap)

Sui zkLogin lets users derive a Sui address from OAuth (Google, Apple, etc.) without linking identity on-chain. Abraxas uses it for low-friction onboarding while keeping the Passport root chain-agnostic.

Integration flow
  • App generates ephemeral key pair; embeds public key in OAuth nonce
  • User completes OAuth; JWT returned with nonce
  • Proving service generates ZK proof (identity not revealed on-chain)
  • Sui address derived from sub + iss + aud + user_salt via jwtToAddress
  • Off-chain review completes β†’ issue_stamps on Sui Passport object
  • Optional: mirror same stamp bitmask to Sui Passport object
  • Presentation: Type 0 Ed25519 signature (gas-free personal message) or Type 1 ZK proof
Gas & signing notes
  • signPersonalMessage. off-chain intent scope PersonalMessage (3,0,0), no gas
  • Gasless USDC transfers on Sui. allowlisted stablecoins only, not general Move calls
  • Sponsored transactions. sponsor pays gas for full on-chain passport updates

Recommended implementation order

  • zkLogin sign-in on /passport (Google OAuth β†’ Sui address)
  • Veriff off-chain review β†’ W3C credential with did:sui
  • issue_stamps on Sui Passport object after each approved stamp
  • Sponsored transactions + proving service for user-initiated on-chain updates
  • Mainnet deployment + public verify API for integrators

Related