Polygon ID — rebranded as Privado ID — is a self-sovereign, ZK-based identity stack built on the iden3 protocol and Circom circuits. Issuers sign W3C Verifiable Credentials to user-controlled wallets; verifiers request zero-knowledge proofs of claims (age >= 18, country in allowlist, KYC tier) without seeing the credential itself. Communication uses iden3comm, and proofs can be verified on-chain (EVM) or off-chain via the verifier library.
1. ZK KYC / age gating without revealing PII
2. compliant DeFi access (proof of accreditation, country)
3. sovereign identity wallets (mobile + browser)
4. credential-gated DAOs and communities
5. reusable identity across many dapps
- pnpm add @0xpolygonid/js-sdk
- pnpm add @iden3/js-iden3-auth
| Variable | Scope | Description |
|---|---|---|
| POLYGON_ID_RPC_URL | Server | EVM RPC used by the verifier to read the iden3 state contract for issuer / user state validation. |
| POLYGON_ID_VERIFIER_DID | Client | Verifier DID (did:polygonid:... or did:iden3:...) used to address auth requests to the wallet. |
| POLYGON_ID_IPFS_GATEWAY | Server | IPFS gateway URL for resolving JSON-LD schemas referenced in credentials. |
Use Polygon ID / Privado ID to verify ZK proofs of W3C credentials. On the server, build an authorization request with `@iden3/js-iden3-auth`: `const request = auth.createAuthorizationRequest('age check', VERIFIER_DID, callbackUrl); request.body.scope = [{ id: 1, circuitId: 'credentialAtomicQuerySigV2', query: { allowedIssuers: ['*'], type: 'KYCAgeCredential', context: 'ipfs://...', credentialSubject: { birthday: { $lt: 20060101 } } } }]`. Store the request server-side keyed by session (you need the exact request later to check the response against), render it as a QR code or deep link; the user scans it with the Privado ID wallet, generates the ZK proof locally, and POSTs a JWZ token to `callbackUrl`. Verify on the server with a verifier built from your per-network state resolver, circuit verification keys and IPFS gateway, e.g. `const verifier = await auth.Verifier.newVerifier({ stateResolver, circuitsDir, ipfsGatewayURL }); await verifier.fullVerify(tokenStr, request)` (or `verifyAuthResponse(response, request)` on an already-unpacked message). This checks the Groth16 proof against the query you sent, the issuer's and user's on-chain identity state, and the credential's non-revocation. Two things to change before production: replace `allowedIssuers: ['*']` with the issuer DIDs you actually trust, and compute the birthday cutoff from today's date instead of hardcoding it, since a fixed `$lt` constant silently raises the minimum age every year. For on-chain verification, register the same query on a verifier contract (the Privado verifier contracts expose `setZKPRequest` for the query and `submitZKPResponse` for the wallet's proof); the contract verifies the proof and the state without any off-chain verifier.
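The request-building step and the response-binding checks from the paragraph above, as an added example that is not code from the Privado ID docs or SDK. It hand-builds the iden3comm authorization request and response as plain objects (the message type URIs and field names follow the iden3comm authorization protocol), computes the `$lt` birthday cutoff from a date instead of hardcoding it, and lists the checks that tie a wallet response to the stored request. The DIDs, callback URL, schema CID and the wallet response are constructed placeholders; on a real server `auth.createAuthorizationRequest` produces the request and `verifier.fullVerify` performs these checks plus the proof and state verification.

```typescript
// Added example, not SDK code. Message types per the iden3comm authorization protocol.
const AUTH_REQUEST_TYPE = "https://iden3-communication.io/authorization/1.0/request";
const AUTH_RESPONSE_TYPE = "https://iden3-communication.io/authorization/1.0/response";
const PLAIN_TYP = "application/iden3comm-plain-json";

interface ZeroKnowledgeProofRequest { id: number; circuitId: string; query: Record<string, unknown>; }
interface AuthorizationRequest {
  id: string; typ: string; type: string; thid: string; from: string;
  body: { callbackUrl: string; reason: string; scope: ZeroKnowledgeProofRequest[] };
}
interface ZeroKnowledgeProofResponse { id: number; circuitId: string; proof: unknown; pub_signals: string[]; }
interface AuthorizationResponse {
  id: string; typ: string; type: string; thid: string; from: string; to: string;
  body: { scope: ZeroKnowledgeProofResponse[] };
}

// YYYYMMDD cutoff such that `birthday $lt cutoff` means "at least minAge years old on `today`".
// Date.UTC rolls Feb 29 forward to Mar 1 in non-leap years, the usual rule for leap-day birthdays.
function birthdayCutoff(today: Date, minAge: number): number {
  const cutoff = new Date(Date.UTC(
    today.getUTCFullYear() - minAge, today.getUTCMonth(), today.getUTCDate() + 1));
  return cutoff.getUTCFullYear() * 10000 + (cutoff.getUTCMonth() + 1) * 100 + cutoff.getUTCDate();
}

function buildAgeRequest(id: string, verifierDid: string, callbackUrl: string, cutoff: number,
                         schemaContext: string, trustedIssuers: string[]): AuthorizationRequest {
  return {
    id, thid: id, typ: PLAIN_TYP, type: AUTH_REQUEST_TYPE, from: verifierDid,
    body: {
      callbackUrl, reason: "age check",
      scope: [{
        id: 1,
        circuitId: "credentialAtomicQuerySigV2",
        query: {
          allowedIssuers: trustedIssuers,          // never ['*'] in production
          type: "KYCAgeCredential",
          context: schemaContext,
          credentialSubject: { birthday: { $lt: cutoff } },
        },
      }],
    },
  };
}

// Binding checks the verifier must run before trusting any proof in the response.
// Returns the list of problems; empty means the response belongs to this request.
function bindResponse(req: AuthorizationRequest, res: AuthorizationResponse): string[] {
  const problems: string[] = [];
  if (res.type !== AUTH_RESPONSE_TYPE) problems.push(`unexpected message type ${res.type}`);
  if (res.thid !== req.id) problems.push("thid does not match request id (replayed or foreign response)");
  if (res.to !== req.from) problems.push("response addressed to a different verifier DID");
  if (!res.from.startsWith("did:")) problems.push("sender is not a DID");
  for (const want of req.body.scope) {
    const got = res.body.scope.find((s) => s.id === want.id);
    if (!got) { problems.push(`no proof for scope id ${want.id}`); continue; }
    if (got.circuitId !== want.circuitId)
      problems.push(`scope ${want.id}: expected ${want.circuitId}, got ${got.circuitId}`);
    if (!Array.isArray(got.pub_signals) || got.pub_signals.length === 0)
      problems.push(`scope ${want.id}: missing public signals`);
  }
  if (res.body.scope.length !== req.body.scope.length) problems.push("response carries proofs that were not requested");
  return problems;
}

// Constructed sample data (placeholder DIDs and CID). A real server uses new Date() and a random UUID.
const TODAY = new Date(Date.UTC(2024, 5, 15));
const AGE_REQUEST = buildAgeRequest(
  "7f1c2b3a-req", "did:polygonid:polygon:amoy:2qVERIFIERplaceholder", "https://verifier.example/callback",
  birthdayCutoff(TODAY, 18), "ipfs://QmSCHEMAplaceholder", ["did:polygonid:polygon:amoy:2qISSUERplaceholder"]);
const WALLET_RESPONSE: AuthorizationResponse = {
  id: "9d4e-resp", typ: PLAIN_TYP, type: AUTH_RESPONSE_TYPE, thid: AGE_REQUEST.id,
  from: "did:polygonid:polygon:amoy:2qUSERplaceholder", to: AGE_REQUEST.from,
  body: { scope: [{ id: 1, circuitId: "credentialAtomicQuerySigV2", proof: {}, pub_signals: ["1", "0"] }] },
};
```

Keep the stored request around until the callback arrives and look it up by the response's `thid`; accepting a response against whatever request was built most recently is how a proof for a weaker query ends up satisfying a stricter gate. Matching the public signals against the query (operator, value, schema hash) is the part left to the SDK here.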
- ⚑ Issuer and user identity states are anchored in the iden3 State contract; if your verifier's RPC is stale or pointed at the wrong network, valid proofs fail with confusing 'invalid state' / state-not-found errors. Pin the State contract address per chain and key your state resolver by the `blockchain:network` pair the DID encodes (for example `polygon:amoy`), so a DID from an unconfigured network fails loudly instead of as a generic verification error.
- ⚑ Revocation works through the issuer's revocation tree, whose root is part of the issuer's published state; the wallet fetches non-revocation proofs from the issuer's Reverse Hash Service (RHS) or status endpoint. A credential revoked seconds ago can therefore still yield a valid proof against the previous state. When revocation matters, verify non-revocation against the issuer's latest published state and keep the accepted state-transition window short (in `@iden3/js-iden3-auth` this is the `acceptedStateTransitionDelay` verify option), not against the state the credential was issued under.
- ⚑ Sig-based credentials (`credentialAtomicQuerySigV2`) and MTP-based credentials (`credentialAtomicQueryMTPV2`) have different trust models: a Sig credential is signed with the issuer's BabyJubJub key and can be issued instantly off-chain, but its validity rests on that one key (plus a check that the key is not revoked); an MTP credential is included in the issuer's claims tree and the issuer must publish a state transition on-chain, so inclusion is publicly anchored rather than signature-based. Decide per credential type and don't accept both circuits for the same query without thinking about which trust model you actually need.
- ⚑ PII handling: the credential stays in the user's wallet, not on your server, but the query itself is public (operator and comparison value appear in the proof's public signals). Asking for the full birth date (an `$eq` on `birthday`) instead of `$lt: 20060101` reveals the exact date to anyone who sees the proof. Design queries for selective disclosure: range operators, set membership (`$in`) and the minimum number of fields.
- ⚑ Browser proof generation pulls multi-MB Circom artifacts (wasm + zkey) and is slow on mobile; prefer the mobile wallet for user-side proofs. Verification belongs on your server or on-chain, never in the browser: a client-side 'verified' result is attacker-controlled.
- ⚑ Sybil bypass: Polygon ID is a credentialing system, not a proof-of-personhood system. A single human can hold many DIDs and obtain the same credential for each. Combine with World ID, BrightID or Civic (or a uniqueness credential from a trusted issuer) if you need one-human-one-account on top of attribute proofs.
- ⚑ Branding: 'Polygon ID' is being phased out in favor of 'Privado ID' as the protocol forks toward Billions Network; pin SDK versions and watch for package renames in 2026 releases.
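The two state checks behind the 'invalid state' and stale-revocation gotchas above, as an added example that is not SDK code. It models the state record the iden3 State contract returns (a `replacedAtTimestamp` of 0 meaning the state is still current) with a constructed in-memory history instead of an RPC call, derives the resolver key from the DID's `blockchain:network` segments, and applies the "latest state, or replaced within the accepted delay" rule to the state a non-revocation proof was built against. The history, resolver map, DIDs and the one-hour delay are assumptions for the example; check your SDK version for its actual default.

```typescript
// Added example, not SDK code. Shape follows the State contract's StateInfo record.
interface StateInfo {
  state: string;                // identity state hash (shortened here)
  createdAtTimestamp: number;   // unix seconds
  replacedAtTimestamp: number;  // 0 while this is the issuer's latest state
}

type NonRevStateVerdict = "latest" | "replaced-within-delay" | "outdated" | "unknown";

// "did:polygonid:polygon:amoy:2q..." -> "polygon:amoy"; "did:iden3:privado:main:2S..." -> "privado:main".
function resolverKeyFromDid(did: string): string {
  const parts = did.split(":");
  if (parts.length < 5 || parts[0] !== "did" || (parts[1] !== "polygonid" && parts[1] !== "iden3")) {
    throw new Error(`not an iden3 DID: ${did}`);
  }
  return `${parts[2]}:${parts[3]}`;
}

// Fails with a message naming the missing network instead of letting the gap surface
// later as a generic state-verification error.
function pickResolver<T>(resolvers: Record<string, T>, did: string): T {
  const key = resolverKeyFromDid(did);
  const r = resolvers[key];
  if (r === undefined) {
    throw new Error(`no state resolver configured for ${key}; configured: ${Object.keys(resolvers).join(", ")}`);
  }
  return r;
}

// The non-revocation proof is only as fresh as the issuer state it was built against:
// accept the latest state, or one replaced less than acceptedDelaySec ago.
function checkIssuerNonRevState(history: StateInfo[], provenState: string,
                                nowSec: number, acceptedDelaySec: number): NonRevStateVerdict {
  const info = history.find((s) => s.state === provenState);
  if (!info) return "unknown";
  if (info.replacedAtTimestamp === 0) return "latest";
  return nowSec - info.replacedAtTimestamp <= acceptedDelaySec ? "replaced-within-delay" : "outdated";
}

function acceptsNonRevState(verdict: NonRevStateVerdict): boolean {
  return verdict === "latest" || verdict === "replaced-within-delay";
}

// Constructed issuer history: genesis state, one transition, then the current state.
const ISSUER_HISTORY: StateInfo[] = [
  { state: "0x01", createdAtTimestamp: 0, replacedAtTimestamp: 1000 },
  { state: "0x02", createdAtTimestamp: 1000, replacedAtTimestamp: 5000 },
  { state: "0x03", createdAtTimestamp: 5000, replacedAtTimestamp: 0 },
];

// Constructed resolver map, keyed the way a per-network stateResolver option is addressed.
// Only Amoy is configured here, so a mainnet DID fails at resolver lookup, not at proof time.
const RESOLVERS: Record<string, { rpcUrl: string; stateContract: string }> = {
  "polygon:amoy": { rpcUrl: "https://rpc.example/amoy", stateContract: "0xSTATEonAMOYplaceholder" },
};

const ACCEPTED_DELAY_SEC = 3600; // assumed window; tune down when revocation latency matters
```

Pin the state contract address alongside the RPC URL per network in the resolver map, and treat "outdated" as a hard failure rather than a warning: a wallet holding a credential revoked an hour ago can otherwise keep presenting the proof it generated against the older state.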