Documentation

Everything you need to understand, integrate, and verify decentralized identities and credentials on Cardano.

Overview

NMKR Identity helps Cardano NFT projects and real-world asset (RWA) issuers establish cryptographically verifiable identity. Projects prove who they are using Atala PRISM DIDs and W3C Verifiable Credentials instead of screenshots or social media posts.

The platform produces signed CIP-725 metadata for on-chain submission, linking your token policy to a verified identity. Any third party can independently verify the entire chain of trust without contacting us.

Problems Solved

  • Project impersonation — DIDs provide cryptographic proof of identity tied to a keypair you control.
  • Unverifiable claims — Verifiable Credentials are signed and tamper-evident.
  • No on-chain identity link — 725 metadata embeds your DID and credential URLs directly in token metadata.
  • RWA compliance — Attach jurisdiction, registration numbers, and asset types to credentials.

Core Concepts

Four building blocks make up the identity and verification system.

Identity

DID (Decentralized Identifier)

A globally unique identifier (did:prism:...) tied to a cryptographic keypair you control. Contains your public key, company info, and social accounts.

Credential

Verifiable Credential

A W3C-standard JSON document asserting facts about your project (policy ID, asset name, RWA details). Signed by your DID key, verifiable by anyone.

On-Chain

725 Token Metadata

CIP-725 on-chain identity metadata referencing your DID and credential URLs, signed by your DID key. Readable by wallets and marketplaces.

Trust

Platform Attestation

After KYC review, the platform issues a signed VC attesting to your DID. A second trust layer: your DID is self-signed, and we independently vouch for you.

How It Works

From registration to on-chain metadata in six steps.

1. Create Your DID

Enter your company name, website, and social accounts. The platform generates a DID Document with a fresh secp256k1 keypair.

2. Download Your Key

Your private key is encrypted (PBKDF2 + Fernet). Download it immediately; it is shown only once. You need this key to sign credentials and metadata.

3. Upload KYC Documents

Upload company registration, proof of identity, or supporting files. They are reviewed by an admin and never shared publicly.

4. Admin Review & Attestation

An admin reviews your documents. On approval, the platform issues a signed VC (attestation) referencing your DID.

5. Issue Credentials

For each Cardano policy or asset, create a VC signed by your DID key. Each credential gets a unique public URL and QR code.

6. Generate 725 Metadata

Generate signed CIP-725 metadata for any credential. Submit it on-chain alongside your token transaction.

Verification Chain

Anyone can verify a project's identity by checking independent signatures. No account or API key needed.

  Step 1: DID Document
  Step 2: Credential
  Step 3: Attestation
  Step 4: Status Check

Step-by-Step

  1. Fetch the VC — Call the credential's public URL. Read issuer to get the DID.
  2. Fetch the DID Document — Call the public DID endpoint. Extract the public key from verificationMethod[0].publicKeyJwk.
  3. Verify the DID Document — The proof.signatureValue is a secp256k1 signature over the canonicalized payload.
  4. Verify the VC — Remove proof, canonicalize, verify proof.jws against the DID's public key.
  5. Verify the Attestation — Contains the platform's public key (verifierJwk). Verify its signature.
  6. Check Status — Call credentialStatus.id to confirm active (not revoked).

Tip: On any credential page, the "Verify" button performs all steps automatically and shows a pass/fail report.

Signature Details

| Document | Signed By | Message | Signature Field |
|---|---|---|---|
| DID Document | Project DID key | JSON.stringify(payload, sorted) | proof.signatureValue |
| Credential (VC) | Project DID key | JSON.stringify(vc_without_proof, sorted) | proof.jws |
| Attestation | Platform verifier | JSON.stringify(att_without_proof, sorted) | proof.signatureValue |
| 725 Metadata | Project DID key | Metadata payload (policy scoped) | proof.signatureValue |

Public API

All public endpoints require no authentication. Responses are JSON.

GET /api/credentials/{id} Fetch a Verifiable Credential

Returns the full W3C Verifiable Credential JSON.

{
  "@context": ["https://www.w3.org/2018/credentials/v1"],
  "type": ["VerifiableCredential", "TokenProjectVerification"],
  "issuer": { "id": "did:prism:abc123..." },
  "credentialSubject": { "policyID": "a1b2c3...", "label": "Main Collection" },
  "proof": { "type": "EcdsaSecp256k1Signature2019", "jws": "..." }
}

GET /api/credentials/{id}/status Check credential status

Returns active or revoked.

{ "status": "active" }

GET /api/dids/{id}/public Fetch DID Document + attestations

Returns the DID Document, platform attestations, and KYC status.

{
  "did": "did:prism:abc123...",
  "didDocument": { ... },
  "attestations": [ ... ],
  "kycStatus": "approved"
}

GET /api/credentials/{id}/qr.png QR code image

Returns a PNG QR code encoding the public credential URL.

GET /healthz Health check

{ "status": "ok" }

Authenticated API

Requires a Bearer token (generated in Settings) or an active session.

GET /api/dids/{id} Fetch DID (owner only)

Same as the public endpoint but requires authentication.

Authorization: Bearer your_api_token_here

Integration Guide

For Token Projects

  1. Register and create a DID for your company/project.
  2. Complete KYC and wait for admin approval.
  3. Create a credential for each Cardano policy.
  4. Generate 725 metadata for the credential.
  5. Submit metadata on-chain as part of your minting transaction.
  6. Share your credential URL with marketplaces and community.

For Wallets & Marketplaces

  1. Read 725 metadata from on-chain transactions (key: 725).
  2. Extract the DID and credential URL from the files array.
  3. Fetch and verify using the public API endpoints.
  4. Display verification status in your UI.

725 Metadata Structure

{
  "725": {
    "1.0": {
      "{policy_id}": {
        "{collection}": {
          "type": "JsonWebKey2020",
          "files": [
            { "src": "did:prism:abc...", "name": "Token-Identity" },
            { "src": "https://identity.nmkr.io/api/credentials/1", "name": "Verification-Credential" }
          ],
          "proof": { "type": "EcdsaSecp256k1Signature2019", "signatureValue": "..." }
        }
      }
    }
  }
}
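
The wallet and marketplace steps above, sketched as an added example (not NMKR's code): it extracts the DID and credential URL from the files array and then runs the cross-document checks that signatures alone do not cover. The sample records are constructed, and ALLOWED_HOSTS, the function names, and the choice to require kycStatus "approved" are assumptions of this sketch.

```python
from urllib.parse import urlparse

# Constructed sample data shaped like the structures on this page (not real records).
POLICY = "ab" * 28
METADATA = {"725": {"1.0": {POLICY: {"MainCollection": {
    "type": "JsonWebKey2020",
    "files": [
        {"src": "did:prism:example", "name": "Token-Identity"},
        {"src": "https://identity.nmkr.io/api/credentials/1",
         "name": "Verification-Credential"},
    ],
    "proof": {"type": "EcdsaSecp256k1Signature2019", "signatureValue": "placeholder"},
}}}}}
VC = {"issuer": {"id": "did:prism:example"},
      "credentialSubject": {"policyID": POLICY, "label": "Main Collection"}}

ALLOWED_HOSTS = {"identity.nmkr.io"}  # assumption: hosts this verifier will fetch from

def extract_refs(metadata, minted_policy):
    """Return (did, credential_url) pairs found under the policy that was actually minted."""
    entries = metadata.get("725", {}).get("1.0", {}).get(minted_policy, {})
    refs = []
    for entry in entries.values():
        files = {f.get("name"): f.get("src") for f in entry.get("files", [])}
        did = files.get("Token-Identity")
        url = files.get("Verification-Credential")
        if not (isinstance(did, str) and did.startswith("did:prism:")):
            continue
        parsed = urlparse(url if isinstance(url, str) else "")
        if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
            continue  # never fetch an arbitrary URL taken from on-chain data
        refs.append((did, url))
    return refs

def binding_errors(did, vc, minted_policy, status, kyc_status):
    """Cross-document checks to run in addition to the signature checks."""
    errors = []
    if vc.get("issuer", {}).get("id") != did:
        errors.append("VC issuer is not the DID named in the 725 metadata")
    if vc.get("credentialSubject", {}).get("policyID") != minted_policy:
        errors.append("VC policyID is not the minted policy")
    if status != "active":
        errors.append("credential status is not active")
    if kyc_status != "approved":
        errors.append("kycStatus is not approved")
    return errors
```

An empty list from binding_errors means the metadata, credential, and status responses all refer to the same DID and policy; display a verified badge only when the signature checks pass as well.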

Verification in Code

# 1. Fetch the credential
vc = GET /api/credentials/{id}

# 2. Fetch the DID
did_info = GET /api/dids/{did_id}/public
pubkey = did_info.didDocument.verificationMethod[0].publicKeyJwk

# 3. Verify DID Document signature
verify_secp256k1(pubkey, canonicalize(payload), proof.signatureValue)

# 4. Verify VC signature (vc_without_proof = vc with the "proof" field removed)
verify_secp256k1(pubkey, canonicalize(vc_without_proof), vc.proof.jws)

# 5. Check status
status = GET /api/credentials/{id}/status
assert status.status == "active"

Important: Always canonicalize JSON before verification (sorted keys, no extra whitespace). The platform uses json.dumps(obj, sort_keys=True).
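
A verifier must reproduce the signer's bytes exactly, and serializer defaults differ: Python's json.dumps(obj, sort_keys=True) emits ", " and ": " separators and escapes non-ASCII characters, while JSON.stringify-style output has no whitespace and keeps raw UTF-8. The following added example (not the platform's code) shows the two forms diverging on a constructed credential; find_signing_form and its caller-supplied verify callable are hypothetical helpers for interop testing.

```python
import json

# Constructed sample credential (not real data); the label is deliberately non-ASCII.
SAMPLE_VC = {
    "type": ["VerifiableCredential", "TokenProjectVerification"],
    "issuer": {"id": "did:prism:example"},
    "credentialSubject": {"policyID": "ab" * 28, "label": "Café Collection"},
    "proof": {"type": "EcdsaSecp256k1Signature2019", "jws": "placeholder"},
}

def without_proof(doc):
    """Copy of the document with its top-level proof removed (the part that is signed)."""
    return {k: v for k, v in doc.items() if k != "proof"}

def canon_python_default(doc):
    """json.dumps(obj, sort_keys=True): ', ' and ': ' separators, non-ASCII escaped."""
    return json.dumps(doc, sort_keys=True).encode("utf-8")

def canon_compact(doc):
    """Sorted keys, no whitespace, raw UTF-8 (the shape JSON.stringify output has)."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

CANDIDATES = {"python_default": canon_python_default, "compact": canon_compact}

def find_signing_form(doc, verify):
    """Interop aid: name of the first candidate whose bytes `verify` accepts, else None.

    `verify` is a caller-supplied callable(bytes) -> bool that wraps whatever
    secp256k1 library the verifier uses. Once the form is known, pin it in
    production code instead of trying several.
    """
    body = without_proof(doc)
    for name, canon in CANDIDATES.items():
        if verify(canon(body)):
            return name
    return None
```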

Standards & Cryptography

| Standard | Usage | Reference |
|---|---|---|
| W3C DID Core | DID Document structure and resolution | w3.org/TR/did-core |
| W3C Verifiable Credentials | Credential format and verification | w3.org/TR/vc-data-model |
| Atala PRISM | DID method (did:prism) | atalaprism.io |
| CIP-725 | On-chain token identity metadata | Cardano Improvement Proposal |
| secp256k1 / ECDSA | Elliptic curve signatures (RFC 6979) | Bitcoin / Cardano curve |
| JsonWebKey2020 | Public key representation in DIDs | w3.org/TR/did-spec-registries |
| PBKDF2 + Fernet | Private key encryption (200k iterations) | NIST SP 800-132 |

Design Decisions

  • Self-signed DIDs — No external authority needed to create or validate.
  • Issuer is a DID — Credential issuers are identified by DID, not a centralized account.
  • Attestation as VC — The platform's endorsement is a standard W3C VC.
  • Canonical JSON — Signatures computed over sorted-key JSON for stability.
  • No blockchain writes — The platform generates metadata; you publish on-chain.
  • Key never stored in plaintext — Encrypted immediately; passphrase shown once.

FAQ

What is a DID?

A Decentralized Identifier — a globally unique identifier you control, tied to a cryptographic keypair. No central authority can revoke or modify it.

What if I lose my key?

Your private key is downloadable only once. If lost, you cannot sign credentials for that DID and would need to create a new one. Back up your key file securely.

Can I have multiple DIDs?

Yes. Each DID represents a company or project with its own keypair and KYC process.

Can I have multiple credentials per DID?

Yes. Each credential is scoped to a Cardano policy ID and optionally an asset name.

What is 725 metadata for?

CIP-725 metadata is submitted on-chain alongside Cardano transactions. It references your DID and credential, signed by your key. CIP-725-aware wallets can display verified identity.

Can anyone verify my credentials?

Yes. All data is accessible via public API. No account needed. The platform also provides a built-in "Verify" button on each credential page.

What documents are needed for KYC?

Typically: company registration certificates, proof of address, and ID of authorized representatives. Accepted formats: PDF, PNG, JPG, WEBP (max 25 MB).

What curve is used for signatures?

secp256k1 with deterministic ECDSA (RFC 6979) — the same curve used by Bitcoin and Cardano.

How do I revoke a credential?

Use the "Revoke" button on the credential page. The status endpoint immediately reflects the revocation.

What is RWA support?

Real-World Asset credentials include asset type, jurisdiction, and registration number in the credentialSubject.