Chain-agnostic Passport root
Sui-native Abraxas Passport specification. Same 52-byte logical state on Sui Move objects. zkLogin (Google OAuth) derives holder addresses; documents stay off-chain. only stamp bitmask + authority + lifecycle fields are on-chain.
Status
Sui-native verification. zkLogin (Google) derives your holder address. Move module is live on devnet; mainnet follows after sponsor wallet + stamp issuance API.
GET /api/passport/spec β52-byte fixed layout (52 bytes LE)
Signing domain for Type 0 proofs: abraxas-passport-v1 prepended to serialized root. TypeScript reference: lib/passport/serialize.ts
Stamp bitmask (10 gates)
| Bit | ID | Label |
|---|---|---|
| 0 | identity | Identity Verified |
| 1 | biometric | Biometrics Confirmed |
| 2 | business | Business Verified |
| 3 | owner | Asset Owner Verified |
| 4 | royalty | Royalty Rights Verified |
| 5 | property | Property Owner Verified |
| 6 | tribal | Tribal Partner Verified |
| 7 | compliance | Screening Outcome Recorded |
| 8 | lending | Lending Eligible |
| 9 | social | Social Verified (deprecated. not used) |
Verification rules (pure function)
- revoked == 0
- expires_at == 0 OR current_timestamp < expires_at
- (passport.stamps & required_stamps) == required_stamps
- Proof validates against authority + current nonce (Type 0 or Type 1)
Proof types
Sign domain || serialized_52_byte_root with issuance authority key. Lowest complexity; works off-chain with no gas.
Proves holder controls a valid zkLogin-derived address linked to passport root without revealing OAuth credentials.
Chain implementations
Sui devnet (live)
Abraxas Passport Move module deployed on Sui devnet. Query any Passport object ID or load the demo bootstrap passport.
Sui zkLogin integration (roadmap)
Sui zkLogin lets users derive a Sui address from OAuth (Google, Apple, etc.) without linking identity on-chain. Abraxas uses it for low-friction onboarding while keeping the Passport root chain-agnostic.
- App generates ephemeral key pair; embeds public key in OAuth nonce
- User completes OAuth; JWT returned with nonce
- Proving service generates ZK proof (identity not revealed on-chain)
- Sui address derived from sub + iss + aud + user_salt via jwtToAddress
- Off-chain review completes β issue_stamps on Sui Passport object
- Optional: mirror same stamp bitmask to Sui Passport object
- Presentation: Type 0 Ed25519 signature (gas-free personal message) or Type 1 ZK proof
- signPersonalMessage. off-chain intent scope PersonalMessage (3,0,0), no gas
- Gasless USDC transfers on Sui. allowlisted stablecoins only, not general Move calls
- Sponsored transactions. sponsor pays gas for full on-chain passport updates
Recommended implementation order
- zkLogin sign-in on /passport (Google OAuth β Sui address)
- Veriff off-chain review β W3C credential with did:sui
- issue_stamps on Sui Passport object after each approved stamp
- Sponsored transactions + proving service for user-initiated on-chain updates
- Mainnet deployment + public verify API for integrators