Sovereign Policy Token Transactions

Authorization that follows
the human across every boundary.

Sovereign Policy Token Transactions (SPT-Txn) extends the IETF OAuth Transaction Tokens work with cryptographically scoped capability grants that propagate human-origin identity across delegation chains, without exposing PII.

CAT Verify once · Reusable CT Scoped · Delegated SPT-TXN Per-transaction COMPLIANCE → CAPABILITY → TRANSACTION
IETF Internet-Draft OAuth Transaction Tokens Zero-Knowledge FATF Travel Rule Offline Verification Post-Quantum Hybrid OpenBSD POC
IETF Draft -02 ↗ How It Works
The Big Picture

Where SPT-Txn sits: an independent layer.

Sovereign Policy Token Transactions (SPT-Txn) is not part of any chain, and not bolted onto any single Travel Rule transport. It is an independent authorization layer: a KYC provider or platform issues a compliance attestation once, and any VASP, wallet, or AI agent verifies it anywhere, offline, with no issuer contact and nothing to join. It binds into any Layer 1 or Layer 2 through a single adapter interface, yet depends on none. That independence is the deliberate design choice. It sidesteps the lock-in of building inside one chain, and the two-sided-adoption stall of bolting onto one transport.

SPT-Txn as an independent authorization layer SPT-Txn is a neutral layer between issuers (who issue once) and verifiers (who verify anywhere, offline). It sits above many Layer-1 and Layer-2 chains, binding into any via one adapter but depending on none. Shape 1 (built into one chain) and Shape 2 (bolted onto one transport) are rejected; Shape 3, the independent layer, is the chosen positioning. THE BIG PICTURE · SHAPE 3 — INDEPENDENT LAYER Issuers KYC providers · platforms · VASPs SPT-Txn independent authorization layer CAT → CT → SPT-Txn · humanAnchor eight-step offline verifier Verifiers VASPs · wallets · AI agents issue once verify offline no native token · neither side must join · blockchain-agnostic one adapter LEDGERS — integration targets, not dependencies L1 · XRPL · Hedera · Ethereum · Solana · Sui · Aptos · Cardano · NEAR · Polkadot · + more L2 · Arbitrum · Optimism · Base · Starknet · Morph · xLayer HOW WE POSITION IT ✗ Shape 1 built into one chain's stack → lock-in to one ecosystem ✗ Shape 2 bolted onto one Travel Rule transport → two-sided adoption stalls ✓ Shape 3 independent layer: issue once, verify anywhere, no token → this is SPT-Txn
The Gap

Bearer tokens were not built for regulated delegation chains.

Existing authorization frameworks enforce policy within a single trust domain. Cross-organizational, agentic, and regulated transaction chains need something stronger.

01
No scope continuity

A token issued at the edge of one organization carries no cryptographic guarantee that its scope was not widened before it reaches the next. Scope inflation is undetectable at the protocol layer.

02
Human origin is lost

AI agent chains execute on behalf of humans, but the human-origin signal dissolves within one or two delegation hops. Regulators and auditors cannot reconstruct who authorized what.

03
Offline verification impossible

Revocation checks require live issuer contact. In regulated cross-border transactions, latency, availability, and jurisdiction constraints make live verification operationally fragile.

04
No human-anchor under law

When a transaction is disputed, there is no privacy-preserving mechanism to produce the authorized human principal under lawful process without exposing PII to every intermediary in the chain.

Token Hierarchy

Three token types. One cryptographically bound chain.

Each token type operates at a different scope and lifetime. Scope can only narrow as the chain propagates, never widen. Every hop is verifiable offline.

Layer 1 · CAT
Compliance Attestation Token

The verify-once credential. Issued by a KYC / compliance provider after verifying the user: KYC level, jurisdiction, accredited-investor status. Holds zkDID-bound, selectively-disclosable compliance claims; the user reuses it across every platform without re-submitting documents. No PII on the wire.

Issued by a KYC provider · Reusable · SD-JWT
Layer 2 · CT
Capability Token

The scoped authorization. A platform evaluates a zero-knowledge proof of the CAT against its policy and, on a match, issues a CT (for example, "trade up to $50k/day until 2026-12"). A root CT sets the maximum scope; delegated CTs (to an AI agent) are strict subsets with bounded depth. Carries the humanAnchor forward.

Issued by the platform · Scope-attenuated · JWT / CWT
Layer 3 · SPT-Txn
SPT-Txn Token

Ephemeral, transaction-bound token minted at execution time. Binds the authorization to one transaction-context hash for ~30 seconds; the eight-step engine verifies the full chain here, and it carries the Travel Rule attestation. Auditable without PII exposure.

Per transaction · ~30 seconds · JWT / SD-JWT
How It Works

From a verified human to a single bound transaction.

Attributes are evaluated once, at issuance; capability is enforced on every token afterward. Identity and PII never travel; only proofs do.

SPT-Txn token and delegation chain A KYC provider issues the user a Compliance Attestation Token (CAT). A platform checks a zero-knowledge proof of the CAT against policy and issues a root Capability Token with a maximum scope. Delegated Capability Tokens for an AI agent or microservice are strict subsets with bounded delegation depth. Each action mints an ephemeral, transaction-bound SPT-Txn token. The humanAnchor is carried immutably through every token and scope can only narrow. humanAnchor SCOPE NARROWS ↓ Human KYC issues CAT Compliance Attestation · reusable platform checks ZK proof vs policy CT · root Capability · max scope ≤ $50k/day CT · AI agent strict subset · depth-bounded CT · microservice strict subset · depth-bounded SPT-Txn token per transaction · ~30s · tx-bound
CAT → CT → SPT-Txn · the humanAnchor propagates unchanged · scope can only narrow
1 · Verify Once
Attributes proven in zero-knowledge. A KYC / compliance provider verifies the user: KYC level, jurisdiction, and accredited-investor status (durable), with AML-risk and sanctions kept live via a DID-anchored oracle. Raw values are never disclosed, only zkDID-backed proofs.
2 · CAT Issued
Compliance Attestation Token. The provider issues the CAT, the verify-once credential the user holds and reuses everywhere. It binds the zkDID and the selectively-disclosable compliance claims; documents are never submitted again.
3 · Policy Match
A representation-agnostic policy object. A platform's decision point evaluates a zero-knowledge proof of the CAT against composable, jurisdiction-aware policy (e.g. VARA ∧ MiCA ∧ Travel Rule). This is the ABAC → TBAC boundary, where policy is evaluated exactly once.
4 · CT Issued
Capability Token, scoped. On a match the platform mints a CT, the maximum authorized scope. Delegated CTs narrow it for a specific AI agent or microservice (strict subset, bounded depth), carrying the humanAnchor forward unchanged.
5 · Transact
SPT-Txn token, per transaction. At execution a 30-second, transaction-bound token is minted. Volatile attributes (AML-risk, sanctions) are re-proven here against the oracle's committed state under a max-proof-age, so access can be revoked in real time without re-issuing the CAT.
6 · Enforce
Eight-step engine, offline. Every hop is verified cryptographically: signature, issuer trust, temporal bounds, revocation, scope subset, delegation depth, humanAnchor consistency, and transaction-context binding. Each step fails closed.
Eight-Step Enforcement Engine

Every verification step is cryptographic, not policy-based.

The enforcement engine operates identically offline. It reads only the token and a locally cached Trust Registry snapshot. No issuer contact, no live registry or chain read in the hot path, no trust-on-first-use. Each step fails closed.

Measured, not asserted. On a modest 2012-era server (Intel Xeon E5-2630, OpenBSD, pure-Go, cgo-free), token verification completes in ~0.35 ms and the cached Trust Registry lookup in ~1.1 µs — the on-chain anchor root syncs out-of-band and never enters the transaction path. That is sub-millisecond authorization against multi-second on-chain settlement, on a conservative hardware floor. Post-quantum migration does not change this: the escrow key is hybrid X25519 + ML-KEM-768, but token signing stays classical, so hot-path latency and the ~759-byte token are unaffected — the PQ cost lands only on the escrow envelope, off the transaction path.

01
Signature Verification

Verify token signature against the issuer's registered public key. Algorithm resolved from the Trust Registry, not the token header, which makes it downgrade-resistant.

02
Issuer Trust

Confirm the issuer is registered in the Trust Registry (a locally cached, signed snapshot whose root is anchored on-chain), with the correct role and active status at the token's issued-at time.

03
Temporal Validity

Verify issued-at and expiry bounds. Clock skew tolerance bounded by deployment policy. Expired tokens fail unconditionally.

04
Revocation Check

Check revocation status against a cached revocation set. Staleness policy is deployment-configurable. Online check available but not required for core enforcement.

05
Scope Verification

Confirm the token's declared scope is a strict subset of its parent's scope. Scope widening at any hop is a hard failure. The attenuation graph is verified end-to-end.

06
Delegation Depth

Verify the delegation depth has not exceeded the maximum declared in the CAT. Prevents unbounded re-delegation chains in agentic contexts.

07
Human Anchor

Verify the humanAnchor commitment is consistent across the full token chain. The ZK commitment to the authorizing human propagates unchanged from CAT to SPT-Txn Token.

08
Scope Hash Binding

Verify the transaction context hash matches the scope hash committed in the token. The authorization is bound to this specific transaction, so it is not transferable or replayable.

Try it · runs entirely in your browser

Run the eight-step engine against a sample chain (CAT → CT → SPT-Txn) — the same check whether the holder is a VASP or an AI agent. Pick a tamper — a widened scope, an over-depth re-delegation, a broken human anchor — and watch it fail closed at the exact step. It's the containment guarantee for agents too: a compromised or prompt-injected agent cannot exceed or re-widen what it was granted. No backend, no data leaves your browser.

Adoption Model · Offline by Design

Issue once. Verify anywhere, offline.

SPT-Txn is a verifiable authorization format, not a protocol both sides must install. An issuer creates value the moment it issues: a provable compliance posture, a tamper-evident audit trail, and a privacy-preserving human anchor it can produce under lawful process, whether or not the counterparty does anything. Verifying is a cheap, optional, fully offline capability any party adopts unilaterally: drop in the verifier library, hold a cached snapshot of the Trust Registry, and check the token. No handshake, no shared registry to join, no synchronized rollout.

SPT-Txn: issue unilaterally versus verify offline An issuer (a VASP, AI-agent platform, or RWA issuer) unilaterally issues an SPT-Txn token (the CAT to CT to SPT-Txn chain, human-anchored and scope-bound) and attaches it to a transaction. The token travels with the transaction over any transport. Any verifier checks it offline using only an open-source verifier library and a locally cached snapshot of the Trust Registry (issuer keys and algorithm assignments); the eight-step engine confirms scope, humanAnchor and transaction binding with no contact to the issuer and no live registry or chain read. ISSUE · UNILATERAL VERIFY · OFFLINE Issuer VASP · AI-agent platform · RWA SPT-Txn token CAT → CT → SPT-Txn human-anchored · scope-bound + the transaction Issued alone, value without a counterparty: compliance posture · tamper-evident audit · lawful-process anchor travels with the txn · any transport (TRP / TRISA / none) verifier library open source · Go reference cached registry snapshot issuer keys · algorithms Eight-step engine runs locally · fails closed ✓ scope subset ✓ humanAnchor ✓ txn-bound no issuer contact · no live registry / chain read No handshake · no registry to join · no synchronized rollout ISSUING IS VALUABLE ALONE · VERIFYING IS CHEAP, OPTIONAL, OFFLINE · NEITHER SIDE MUST JOIN
The token travels with the transaction over any transport · verification needs only the token + a cached trust anchor, never the issuer
To issue
Unilateral, standalone value

Mint the CAT → CT → SPT-Txn chain, sign with your registered key, attach it to the transaction. You gain a provable compliance posture, a tamper-evident audit trail, and a lawful-process human anchor, with no PII on the wire and no dependency on the counterparty.

Issuer: VASP · AI-agent platform · RWA
To verify (offline)
Verifier library + cached registry

A verifier needs only the open-source verifier library and a locally cached Trust Registry snapshot (issuer keys + algorithm assignments). The eight-step engine confirms scope, humanAnchor, and transaction binding, with no issuer contact and no live registry or chain read in the hot path.

No handshake · no registry to join
Composable
Rides alongside, never replaces

SPT-Txn sits on top of whatever Travel Rule transport you already run (OpenVASP TRP, TRISA), or none. It removes the PII-leakage problem from the transport rather than competing with it, so adoption is one-sided and incremental.

Transport-agnostic · adopt unilaterally
Applied · FATF Travel Rule

Privacy-preserving Travel Rule, running today.

SPT-Txn carries a payload-level zero-knowledge attestation over the inter-VASP Travel Rule Protocol (TRP). Plain TRP and TRISA encrypt in transit, but still deliver the full originator/beneficiary PII to the counterparty to receive and store. SPT-Txn discloses only the FATF-required fields, proves the rest in zero knowledge, hides the exact amount, and exposes nothing on-ledger or to third parties.

Privacy-preserving Travel Rule: full disclosure to the counterparty vs SPT-Txn zero-knowledge Traditional TRP and TRISA deliver the full originator and beneficiary PII (name, account, amount) to the counterparty to receive and store. SPT-Txn instead carries a zero-knowledge attestation: the beneficiary verifies identity commitment, amount-over-threshold and VASP registration, and receives only the FATF-required identity fields (name, account, an identifier) selectively disclosed; the exact amount stays hidden and nothing is exposed on-ledger or to third parties. TRADITIONAL TRP SPT-TXN Originator Beneficiary FULL PII Name Account Amount Full PII exposed to the counterparty. Originator proving key Beneficiary verifying key only ZK ATTESTATION ✓ identity committed ✓ amount ≥ threshold ✓ VASP registered Disclosed: FATF set (name · account · ID) Hidden: exact amount · on-ledger · 3rd parties PII exposed zero-knowledge
Same compliance obligation · full PII to the counterparty today vs only the required set, the rest proven not disclosed
Data Model
IVMS101 + SD-JWT

Originator and beneficiary identity expressed in the interVASP IVMS101 standard and carried as a selectively-disclosable SD-JWT. It discloses exactly the FATF-required fields (name, account, an identifier) to the counterparty, nothing more and nothing on-ledger, and the exact amount stays hidden. IVMS101 is designed to travel within ISO 20022 cross-border and trade-finance messaging, so the attestation slots into existing institutional payment rails.

FATF Recommendation 16
Proofs
Three ZK predicates

Identity-commitment, amount-over-threshold (amount hidden), and beneficiary-VASP registration (which VASP hidden), each bound to the specific payment via its transaction-context hash.

Groth16 · BN254
Topology
Two-VASP, verify-only

Originator and beneficiary run as separate services; the beneficiary holds only the verifying key. Cleartext-only transfers are refused; privacy is mandatory, not optional.

OpenVASP TRP · TRISA bridge (designed)
Applied · Agentic authorization

Authorize an AI agent. Scope can only narrow.

When a person authorizes an AI agent, SPT-Txn issues the agent a strictly narrower, delegation-depth-bounded Capability Token carrying an immutable humanAnchor back to the accountable person. An agent can only attenuate what it holds, never widen it, and revoking a delegator's key denies its sub-agents while the delegator's own authority stands. Every check runs offline.

Least authority
Scope can only narrow

Each delegated Capability Token is a strict subset of its parent with a bounded delegation depth. An agent literally cannot exceed, or re-delegate beyond, what it was granted.

Accountability
Anchored to a person

An immutable humanAnchor, a zero-knowledge commitment to the authorizing person, threads every hop unchanged. It is producible under lawful process and never exposed to intermediaries.

Containment
Revoke once, cascade

Cut a delegator's key and every capability it handed downstream fails closed, offline, at the chain step, while its own authority is untouched.

POC-built and tested: multi-hop CT→CT delegation, an offline N-hop verifier, and a granular revocation cascade, and now provable in zero-knowledge: a Groth16 chain proof that verifies each hidden hop's registered-issuer signature in-circuit (Baby Jubjub EdDSA), with a live verify endpoint at :4446/agent/health. Complements agent-to-agent payment rails (e.g. x402): SPT-Txn governs what an agent may do and who is accountable, not how it pays.

Live · gates x402 agent payments on any chain

x402 is the HTTP-native agent-payment standard (Coinbase, and Google's AP2, build on it). x402 settles the payment; SPT-Txn gates it: before the agent pays, the gate checks it holds a human-anchored capability whose scope covers the spend, stamps a privacy-preserving humanAnchor into the on-ledger transaction, and the merchant re-runs the full eight-step verifier offline before delivering — trusting the authorization, not just that money arrived. No PII on-ledger; for regulated transfers it is Travel-Rule compliant. The complete loop — authorize → settle → verify → deliver, with an over-scope payment cryptographically DENied before anything is signed — runs end-to-end live on seven chains across three address families: XRPL (through mainnet), plus Hedera, Aptos, Ethereum, Base, Solana, and NEAR on their test networks. Same gate, same verifier, same attestation; only a ~200-line ledger submitter differs per chain.

Designed · SPT-Txn as the enforcement point inside an MCP server

Because MCP requires each server to drop the caller’s token and mint its own upstream — passthrough is forbidden to prevent confused-deputy attacks — the human-origin signal is lost at exactly the hop that matters. SPT-Txn restores it: an MCP server becomes the policy-enforcement point, running the full eight-step verifier offline before it executes any tools/call that moves value or touches a regulated action — checking that the caller holds a human-anchored capability whose scope covers the request, and that the immutable humanAnchor survives the very hop MCP’s own rules would otherwise sever. This is a proposed binding, not a standardized slot: the SPT-Txn token rides in the request _meta, an auth header on the Streamable HTTP transport, or tool arguments — none blessed by the spec today. It is distinct from agent-identity and agent-authorization work (OAuth 2.1 MCP auth, AAuth): SPT-Txn is the transaction- and jurisdiction-binding layer governing what a delegated agent may do and who stays accountable — which those layers structurally do not carry.

Composes with the standards you already use

SPT-Txn extends the IETF OAuth Transaction Tokens line and fills the gap its own authorization spec admits: OAuth 2.1 bearer tokens carry no delegation chain, no holder-side scope attenuation, and no provenance binding — and MCP requires every server to drop the caller’s token and mint its own upstream (passthrough is forbidden by design, to prevent confused-deputy attacks) — a sound audience boundary that also severs the human-origin chain at every server hop.

SPT-Txn is the drop-in layer that adds verifiable, attenuating, human-anchored delegation across MCP and A2A hops — offline-verifiable, with no central authorization server. It reuses SD-JWT, DPoP and Token Exchange where they exist, and adds what they don’t: zero-knowledge selective disclosure, holder-side attenuation, a propagating human anchor, and cross-ledger binding.

Architecture

Layered trust with no single controllable chokepoint.

Each layer is independently auditable. The enforcement engine operates at the top; cryptographic roots anchor trust at the bottom.

Applications
Wallets, AI agents, regulated services, IoT networks. Consume SPT-Txn Tokens. Present capability scopes. Operate within enforced delegation bounds. Never see raw identity data.
Authorization Layer
SPT-Txn Framework. Token issuance, the eight-step enforcement engine, scope attenuation, humanAnchor propagation, offline verification, and audit trail. Extends the OAuth Transaction Tokens work (draft-ietf-oauth-transaction-tokens) and aligns with the OAuth 2.0 Security BCP (RFC 9700).
Escrow Layer
Human-anchor escrow (Section 9.6). Threshold-shared deanonymization under lawful process only. t-of-n custody across distinct legal entities and jurisdictions. The human identity is never in the authorization path; it is only available to lawful process with quorum consent.
Trust Registry
Issuer-signed registry, cached locally for offline verify; root optionally anchored on-chain. The authoritative registry of issuer keys, roles, and algorithm assignments is a signed snapshot; verifiers hold it locally and read it at verify time, so the eight-step check never makes a synchronous issuer or chain call. For tamper-evidence the registry and audit-trail Merkle roots can be anchored to a chain's native ordering service (for example, the Hedera Consensus Service or the SPL Memo program on Solana), but that anchor is optional integrity plumbing, never read in the hot path, and the anchor chain is an implementation choice independent of where any transaction settles. Algorithm selection is registry-governed, not token-header-governed, which provides downgrade resistance. Multi-chain transaction-binding (implemented and tested): XRPL, Hedera, Solana, Stellar, Ethereum, Starknet, Aptos, XDC, Algorand.
Cryptographic Root
ZK circuits, key generation, randomness. Groth16 over BN254 for proof generation, with ZK-friendly hashing on Poseidon2 (migrated from MiMC). Ed25519 for signing (ML-DSA / Dilithium migration path defined), with issuer signing PKCS#11/HSM-capable — keys can be held non-extractable in a token (validated with SoftHSM2 on the reference host; a hardware or cloud HSM such as AWS/GCP KMS is a config swap). X25519 + ML-KEM-768 hybrid KEM for escrow encapsulation (implemented and tested), so stored human-anchor envelopes resist harvest-now-decrypt-later attacks and stay secure if either primitive holds. Transport TLS 1.3 at the network edge negotiates the X25519MLKEM768 post-quantum hybrid group (LibreSSL 4.3.0 on OpenBSD 7.9), with classical X25519 fallback so pre-quantum clients are never blocked. Key generation per NIST SP 800-133. Identity anchored via zkDID commitments; policy bound as a representation-agnostic policy object, instantiable on-chain. Naming and discovery move to zkDNS, a capture-resistant, decentralised name→key root (no ICANN dependency, no single seizure point) with private resolution.
Scale & Deployment

No central runtime. It scales like JWT verification.

SPT-Txn verifies offline, in the adopter's own infrastructure. A VASP, wallet, chain, or agent embeds the open-source verifier library plus a locally-cached Trust Registry snapshot, and verifies in-process — no call back to any SPT-Txn server, and nothing of ours in the transaction path. The reference host on this domain is an issuer and a demo, not the runtime. Because each verification is a stateless pure function, throughput scales horizontally with cores — the same profile as the JWT checks large platforms already run at scale.

Cleartext verify
~62k / sec

Full three-hop delegation-chain verifications per second on a 10-core laptop, scaling linearly with cores. Each check is signature + hash, and fails closed.

Token minting
~394k / sec

Ed25519 action-token issuance per second (10 cores). Minting is per-participant — each adopter issues from its own infrastructure, never through ours.

Privacy path · ZK
~1.5 ms / verify

Groth16 N-hop proof verification (~6.7k/sec on 10 cores). Proof generation (~159 ms) happens once per delegation chain and amortizes over every action — never a per-action cost.

You run
Violet Sky — off the hot path. Publish the open-source verifier library, a signed Trust Registry snapshot (distributed like JWKS), and the spec. Nothing here is called during a transaction.
Issuers run
KYC provider & platform — per participant. Each mints its own Compliance Attestation and Capability Tokens from its own infrastructure. There is no central issuer to bottleneck.
Verifiers run
VASP, wallet, chain, or agent — the transaction path lives entirely here. Embed the library, cache the registry snapshot, verify offline and in-process across N stateless replicas. Optionally anchor the registry root on-chain for tamper-evidence — a periodic write, never read in the hot path.

Deployment is portable, and FIPS-ready. The reference host is hardened OpenBSD (pledge/unveil, privilege separation) — a security-by-design choice, not a requirement. The same Go binary runs in a FIPS 140-3 environment for regulated buyers: enable Go's native FIPS mode on a FIPS-validated Linux (RHEL / AlmaLinux / Rocky) so the classical cryptography runs through the CMVP-validated Go Cryptographic Module (certificate #5247), or route issuer keys to a FIPS 140-3 HSM over PKCS#11 — signing already goes through a standard crypto.Signer interface, so it is a configuration swap. The zero-knowledge predicate layer sits outside FIPS by nature and stays a distinct, opt-in component.

Measured on a 10-core Apple-silicon laptop, no hardware acceleration. These are per-core costs; production throughput is those costs × horizontal replicas, because verification holds no shared state. Method and full table are in the open-source repository.

Publications & Standards

Open research. Standards-track engagement.

All publications are open access. The IETF Internet-Draft is an individual submission presented to the OAuth Working Group for technical review.

IETF Internet-Draft · Revision -02
Sovereign Policy Token Transactions (SPT-Txn)

Individual Internet-Draft extending the OAuth Transaction Tokens work and aligning with the OAuth 2.0 Security BCP (RFC 9700). Presented to the OAuth Working Group for technical review. Revision -02 adds Section 11: Algorithm Agility and Post-Quantum Migration.

IETF Datatracker ↗
Formal Theory · Zenodo Preprint
Transaction Binding Security for Policy-Bound Authorization Tokens

Formal security model. Defines transaction binding (TB), EUF-CCA, and unlinkability (UNL) game-based notions. Proves TB strictly implies EUF-CCA. Tight reduction, no rewinding. DOI 10.5281/zenodo.19299787.

Zenodo ↗
Working Paper (v2) · Zenodo Preprint
Sovereign Policy Token Transactions (SPT-Txn): A Privacy-Preserving, Crypto-Agile Authorization Framework for Regulated and Agentic Systems

The comprehensive framework paper. Token chain, zkDID and zkDNS, the measured cryptographic design (Poseidon2, BN254 vs BLS12-381, Groth16 vs PLONK), a lifetime-triaged post-quantum migration plan, the privacy-preserving FATF Travel Rule deployment, and a CycloneDX CBOM aligned to US EO 14409. Supersedes the v1 framework preprint (zenodo.18917439). DOI 10.5281/zenodo.20870193.

Zenodo ↗
NIST Public Comments · June 2026
Comments on SP 800-133r3: Distributed Key Generation and Per-Key PQ Migration Urgency

Two technical comments submitted to NIST's public comment period for SP 800-133r3 (Recommendation for Cryptographic Key Generation). Addresses threshold DKG scope and heterogeneous HNDL exposure within a single trust domain.

NIST CSRC ↗
Reference Implementation · Source
SPT-Txn Proof of Concept (Go / OpenBSD)

The reference implementation in Go on a hardened OpenBSD host: the token chain, eight-step verifier, ZK circuits, and the live privacy-preserving Travel Rule services.

GitHub ↗
Proof of Concept

Reference implementation. OpenBSD. Go. Security by design.

The POC validates the protocol architecture end-to-end. Classical cryptography with algorithm-agility dispatch. Pledge and unveil sandbox. File-backed persistent Trust Registry. Two-domain cross-organizational demo. A single ledger-adapter interface binds the authorization to a transaction across twenty ledgers, and the agentic layer adds multi-hop CT→CT delegation with an offline N-hop verifier, now also provable in zero-knowledge.

M0
Host & TLS — OpenBSD 7.9 · relayd TLS termination · certbot · httpd backend · service users and directory tree provisioned.
Complete
M1
Trust Registry Service — Go HTTP service · file-backed persistent registry · pledge/unveil sandbox · Unix socket · relayd /tr/* route.
Complete
M2
Capability Token (CT) Issuance — Ed25519 signing · humanAnchor ZK commitment · holder binding · Trust Registry lookup.
Complete
M3
Capability Token & Scope Attenuation — Strict scope-subset enforcement · delegation depth counter · cross-domain issuance.
Complete
M4
SPT-Txn Token — Ephemeral transaction token · ~30s TTL · transaction context hash binding · scope hash commitment.
Complete
M5
Eight-Step Verifier — Full enforcement engine · offline verification · all eight steps integrated and tested.
Complete
M6
Audit & Merkle Trail — Append-only audit log · Merkle root commitment · tamper-evidence without PII.
Complete
M7
Escrow Envelope — X25519+ML-KEM-768 hybrid envelope · t-of-n threshold custody stub · deanonymization interface.
Complete
M8
End-to-End Demo — Two-domain cross-organizational transaction · combined human wallet + AI agent · full chain audit.
Complete
Live Endpoints
TRP
Travel Rule API — beneficiary VASP health & inbound TRP transfer, live over relayd TLS
https://foss.violetskysecurity.com:4445/travel/health ↗
AGT
Agentic verify API — offline N-hop delegation verifier, live over relayd TLS
https://foss.violetskysecurity.com:4446/agent/health ↗
INT
Trust Registry & CAT issuer — internal, socket-only by design. The mutating issuance endpoints are never edge-exposed (verified by the security audit).
Ledger-agnostic · demonstrated across chains

SPT-Txn binds an authorization to a specific transaction without depending on any chain. The binding is implemented and tested behind one Go adapter interface for twenty ledgers (a single EVM adapter serves the EVM chains), and the attestation-anchor footprint is live on six public testnets. Chains are integration targets, never dependencies; the authorization verifies offline with no chain at all.

Reading the live on-chain anchor…

LAYER 1
Ethereum XRPL Hedera Solana Stellar Aptos Sui Avalanche Algorand XDC Polkadot Cardano NEAR BSC
LAYER 2 · Ethereum rollups
Arbitrum Optimism Base Starknet Morph xLayer

transaction-binding implemented & tested · one adapter interface

Live · zero-knowledge verified on-chain

A selective-disclosure proof (amount ≥ threshold, with the amount itself hidden) is verified on Ethereum mainnet (and on Ethereum + Arbitrum Sepolia) by a gnark Groth16 verifier (BN254), and the attestation is anchored only if the proof checks out. A tampered proof reverts and anchors nothing. Verify a predicate without revealing the data, enforced on-chain.

verifier 0x311612…95ef ↗  ·  verified-anchor tx ↗

Beyond on-chain proofs, the agentic delegation chain is itself provable in zero-knowledge: a Groth16 proof that every hidden hop carries a registered issuer's signature over its scope, verified in-circuit (Baby Jubjub EdDSA), so an AI agent proves its authority chain is valid without revealing the intermediate scopes.

The same primitive gates real-world-asset compliance: a permissioned, ERC-3643-aligned token whose transfers succeed only between holders who proved eligibility in zero knowledge — no PII on-chain. Eligibility is bound to the holder's address and to a trusted claim issuer's signature verified in-circuit (the ERC-3643 trusted-issuer role, made privacy-preserving), so a stolen proof replayed from another address is rejected on-chain (ProofInvalid) — demonstrated end-to-end on Ethereum Sepolia.

L1
Ethereum mainnet — the on-chain ZK verifier live on L1: a real selective-disclosure proof verified and the token-derived context hash anchored (tx status 1), a genuine mainnet footprint
verified-anchor tx 0x7273f7…ca731 ↗  ·  verifier 0xb64e24…46Ab01 ↗
RWA
Compliance-gated RWA token — replay-safe, issuer-bound — an ERC-3643-aligned permissioned token whose transfers succeed only between holders who proved eligibility in zero knowledge (no PII on-chain). V2 binds the proof to msg.sender and verifies a trusted issuer's EdDSA signature over the holder's address in-circuit, so a proof cannot be replayed by another address. On Ethereum Sepolia: two holders registered via issuer-bound proofs, a compliant transfer confirmed, a replayed proof rejected ProofInvalid, and a transfer to an unproven address reverted NotEligible
tokenV2 0x26a9Ff…a0cFD ↗  ·  compliant transfer tx ↗
ETH
Ethereum Sepolia — attestation-anchor contract (Solidity), live; same bytecode deploys on every EVM L2
0x3fC3bE…57089 ↗
ARB
Arbitrum Sepolia — attestation-anchor + the on-chain ZK verifier, live (same Solidity as Ethereum, a second L2)
verifier 0x349edc…13D8 ↗
STRK
Starknet Sepolia — attestation-anchor contract (Cairo), live with anchored roots
0x0620fe…53de1 ↗
APT
Aptos testnet — attestation-anchor module (Move), live with anchored roots
0x0b1f35…0aa2 ↗
SUI
Sui testnet — attestation-anchor module (Move, shared object), live with a real token-derived root anchored
AnchorBook 0xa21fa5…6c8c ↗
HBAR
Hedera testnet — a real token-derived context hash anchored to a Hedera Consensus Service topic; verifiable keyless on the public mirror node (milestone A1)
topic 0.0.9357269 ↗
DID
Hedera testnet · did:hedera — an issuer DID document with the bound humanAnchor, published over HCS and resolved keyless from the mirror node (milestone A2)
topic 0.0.9357387 ↗
SOL
Solana devnet — attestation roots anchored via SPL memo
BeWdnf…opVi4 ↗

These footprints demonstrate three distinct on-chain capabilities, not one: attestation anchoring per chain; on-chain ZK verification of a selective-disclosure proof (live on Ethereum mainnet); and compliance-gated RWA transfers — a replay-safe, issuer-bound eligibility gate proven end-to-end on Sepolia. Broader mainnet anchoring and chain-native compliance bindings (for example, complementing confidential-transfer standards with the cross-VASP Travel Rule) are per-chain integration work.

Standards Alignment

An extension of IETF OAuth Transaction Tokens — not a competing framework.

OAuth Transaction Tokens preserve authorization context across hops; Identity Chaining carries it across domains; SD-JWT minimizes disclosure. SPT-Txn is the profile that adds the three things none of them do — zero-knowledge predicates, offline decentralized verification, and cross-ledger context binding — with a human anchor threaded through all of it. It reuses roughly ten OAuth primitives unchanged, and innovates only in the gaps.

Reuse · credibility bought for free
~10 OAuth primitives, unchanged
Transaction Tokens — the base context model we extend · draft-ietf-oauth-transaction-tokens
SD-JWT & SD-JWT VC — the selective-disclosure format, kept as-is
DPoP — sender-constraining / key binding · RFC 9449
Token Exchange — mint / exchange mechanic · RFC 8693
Identity Chaining — the cross-trust-domain path
Token Status List — revocation snapshots
Rich Authorization Requests — fine-grained scope · RFC 9396
Security BCP / OAuth 2.1 — conformance posture · RFC 9700
A profile & binding layer — not a new silo
Extend · the defensible moat
5 gaps the WG doesn't fill
Zero-knowledge predicate proofs — prove "amount ≥ threshold" or "VASP registered" over hidden claims. SD-JWT reveals subsets; it cannot prove computation over hidden values.
Holder-side attenuation across N hops — capability narrowing with no round-trip to an authority.
Offline verification — an eight-step engine against a cached trust registry, no live authorization server; edge, cross-org, air-gapped.
Human anchor as a ZK commitment — privacy-preserving proof-of-human-origin, propagated unchanged across hops.
Cross-ledger context binding — bind the authorization to a transaction-context hash across heterogeneous chains.
Where OAuth's charter & expertise point away
Live · identity-provider integration

Reuse is not theoretical. An existing identity provider issues SPT-Txn credentials over standard OAuth 2.0 Token Exchange (RFC 8693) — no rip-and-replace. Demonstrated end-to-end against both Keycloak (open-source) and Auth0 (commercial), differing only by one configuration value: an IdP-authenticated identity (including a machine / M2M client identity) is exchanged into a human-anchored capability that then verifies offline — with no identity-provider contact — and delegates to an AI agent with attenuating, revocable authority. The same OIDC + Token-Exchange flow targets Okta and Ping unchanged. A reference integration (internal/oidc, cmd/idp-bridge), not a proprietary connector.

SPT-Txn extends the Transaction Tokens line (Tulshibagwale et al., 2023) and is contemporaneous with the 2025–26 agent-context drafts, but is the first to add zero-knowledge selective disclosure, offline capability attenuation, a human anchor, and cross-ledger binding to that line. It does not claim to have originated transaction tokens, agent context, or selective disclosure — it extends an established line of work and contributes a specific new layer back as open source. That is the honest position, and it is security-by-design in practice: peer-reviewed primitives, verifiable claims, no proprietary black boxes.

W3C Verifiable Credentials W3C DID Core SD-JWT VC OAuth Transaction Tokens DPoP · RFC 9449 Token Exchange · RFC 8693 RAR · RFC 9396 OAuth 2.0 Security BCP · RFC 9700 NIST SP 800-207 NIST SP 800-162 ABAC FIPS 203 · 204 FATF R.16 · IVMS101

Read the SPT-Txn Internet-Draft ↗

Build the general primitive. Sell the specific painkiller.