4.3.3 PXP-102 - Identity Pass

Purpose

Prove possession of a valid identity attestation issued by a trusted provider without revealing personal data and without linking the user’s wallet publicly.

Mainnet deployment

• IdentityPass contract: 0x2b8899B3ACDe63Fd5ABefa0D75d5982622665498

Canonical interface behavior (as described)

• issuer → Merkle root mapping:

  • getCurrentRoot(bytes32 issuer) → uint256

• nullifier tracking:

  • isNullifierUsed(bytes32 nullifierHash) → bool

• proof consumption:

  • proveIdentity(...) expecting pubSignals = [root, issuerHash, nullifierHash]

• event:

  • IdentityPassUsed(address caller, bytes32 nullifier, bytes32 issuer, uint256 root)

PXP-102 architecture: issuer-root binding + nullifier anti-replay

Key security invariant:

• A proof must match the current root for the specified issuer,

• A nullifier can only be used once.

PXP-102 sequence (issuer workflow)

Status API (reference deployment)

The Status API exists to make PXP-102 integrations easier for Web2 backends:

• Base URL: https://identitypass-api.privacyx.tech

• Endpoints:

  • GET /health

  • GET /pxp-102/status/default

  • GET /pxp-102/status?issuer=...&nullifier=...

Security model: the API should run behind integrator infrastructure, with x-api-key, and RPC secrets never shipped to frontend.