v6 live · 74 tests · real Sumsub + ZK freshness

The default compliance layer for
regulated apps on HashKey Chain.

Verify once with a trusted issuer. Privately prove KYC, accreditation, or jurisdiction to any HashKey Chain dApp. Reveal nothing on-chain.

We're not replacing HashKey's compliance stack — we're making it reusable and private across the ecosystem.

Open the Policy Composer Get verified Live ZK freshness demo →

hskpassport.gudman.xyz/composer

live

Generates Solidity + React + tests in 30 seconds

Credential types

KYC · accredited · HK/SG/AE

Contracts live

HashKey testnet, v5 + IKycSBT + v6 freshness

Passing tests

security invariants + expiry + slashing + ZK freshness

Bytes PII on-chain

by design

Built on open standards — compatible with

W3C Verifiable Credentials·Semaphore v4·Groth16 ZK·Sumsub KYC·HashKey Chain·HashKey DID·OpenZeppelin Timelock

For developers

One require line.
Full compliance.

Paste one call into your contract. Users prove KYC, accreditation, or jurisdiction via zero-knowledge proofs that cost ~241k gas and reveal nothing.

Caller-bound proofs prevent front-running
Per-action nullifiers prevent sybil attacks
Revocable, expirable, governance-controlled

Read the quickstart Generate your policy →

MyRWAToken.sol

// Gate any function behind a ZK credential check
contract MyRWAToken {
    function mint(SemaphoreProof calldata proof) external {
        require(
            proof.message == uint256(uint160(msg.sender)),
            "proof must be bound to caller"
        );
        require(
            passport.verifyCredential(25, proof),
            "KYC required"
        );
        _mint(msg.sender, 100e18);
    }
}

What we actually shipped

Five primitives regulated dApps on HashKey Chain need. We built them all.

KYC provider wiring, a bridge to HashKey's own identity infrastructure, on-chain expiry enforcement, a policy-generation tool, and an installable SDK with governance baked in. Each one is live on testnet today.

Real Sumsub KYC, wired end-to-end

Same provider HashKey Exchange uses. HMAC-signed webhook with raw-body verification (hardened in audit Round 3). Auto-issuance on the GREEN callback.

Try the flow→

HashKey IKycSBT + .key DID bridges

Deployed adapter that reads HashKey's official IKycSBT soulbound-token interface byte-for-byte, plus a .key DID bridge that mints credentials from HashKey DID holders. Both live on testnet, 10 passing adapter tests.

See the bridge→

Policy Composer generates real code

Tick KYC, accredited, or jurisdiction {HK, SG, AE}. Get back a deployable Solidity contract, a React gate, and a Hardhat test. 30 seconds, zero boilerplate.

Generate a policy→

Per-prover ZK credential expiry (v6)

Custom Circom circuit + on-chain verifier. Prove your credential is fresh without revealing when it was issued. ~4.5s browser proof, real on-chain verify.

Run the live demo→

SDK on npm + 48h Timelock governance

hsk-passport-sdk v1.1.0 live (freshness module included). Every owner action gated through an OpenZeppelin TimelockController — issuer slashing, schema edits, validity periods.

Inspect governance→

Architecture

How it works

Issuer verifies off-chain

Sumsub (same KYC provider HashKey Exchange uses) runs iBeta-L2 liveness, document authenticity, and face dedup. On GREEN, the issuer wallet adds the user's Semaphore commitment to an on-chain group.

User proves in-browser

The user's browser generates a Groth16 ZK proof in WASM. The proof demonstrates group membership without revealing which member. Bound to msg.sender to prevent front-running.

dApp verifies on-chain

Any contract calls verifyCredential(). Returns true/false in ~241k gas. The dApp learns nothing beyond eligibility. Nullifiers are scoped per action for sybil resistance.

Ecosystem