PRIVATE.ME PLATFORM

xID: Unlinkable Digital Identity

The world mandated digital identity wallets. The frameworks they built are broken. A 2025 formal privacy evaluation confirmed that eIDAS 2.0's Architecture Reference Framework fails to achieve unlinkability — the single most important privacy property for 450 million citizens. xID fixes it with self-converging identity: per-verifier ephemeral DIDs derived from K-of-N threshold-reconverged master seeds that never exist at rest. ~50 microsecond presentation pipeline. Information-theoretically secure. Quantum-proof unconditionally.

v0.2.0 @private.me/xid PLATFORM ACI EPHEMERAL IDENTITY SELF-CONVERGING

NOW AVAILABLE

@private.me/xid is built and tested. 204 tests across 10 test files — including 46 ephemeral identity tests and 68 self-convergence tests. All passing. Wallet lifecycle, credential import with auto-detection, consent-based presentation, XorIDA-split backup/recovery, eIDAS 2.0 compliance assessment, full Ephemeral Identity (per-verifier HKDF-derived DIDs with epoch rotation and split-protected derivation schedules), and Self-Converging Identity (K-of-N threshold convergence with cancelable biometrics, signal diversity enforcement, and ~50µs seed exposure).

Enterprise toolkit shipped: @private.me/xid-cli — 26-endpoint management server, 3-role RBAC, Docker deployment. 108 enterprise tests. Part of the Enterprise CLI Suite — 21 self-hosted servers, Docker-ready, air-gapped capable.

Section 01

The Problem: Digital Identity's Privacy Paradox

eIDAS 2.0 mandates digital identity wallets for 450 million EU citizens by 2026. The regulation explicitly requires privacy-preserving presentations. The frameworks being built to deliver it cannot achieve this requirement.

A 2025 formal privacy evaluation of the eIDAS 2.0 Architecture Reference Framework (ARF) found what cryptographers suspected: "the ARF fails to achieve unlinkability due to linkable cryptographic metadata." An 80+ organization coalition has raised concerns. The gap is not a configuration issue — it is architectural.

Three Correlation Vectors

Current identity frameworks leak correlation through three independent channels. Each alone is sufficient for behavioral profiling at scale. Combined, they make unlinkability impossible.

1. Static DIDs. SD-JWT credentials carry a static vct (verifiable credential type) claim and bind to a persistent holder DID. Every verifier sees the same identifier. A pharmacy, a bar, and a bank can all correlate the same citizen from three independent presentations.

2. Persistent issuer signatures. BBS+ achieves selective disclosure of attributes but anchors every presentation to the same issuer signature. The cryptographic relationship between disclosed attributes and the base signature is a persistent correlation handle that colluding verifiers can exploit.

3. Revocation tracking. Revocation registries use static credential indices. Every revocation status check reveals which specific credential is being verified, creating a global tracking vector that is independent of the presentation itself.

4. Static identity seeds. Every existing identity wallet stores a master key or seed as a persistent artifact — in keychains, secure enclaves, or encrypted databases. A static seed is a static target. If the device is compromised at any point, the seed is compromised forever. The identity material should never exist at rest.

Competitive Failure Table

System	Unlinkable Holder?	Unlinkable Revocation?	Post-Quantum?	IT-Secure?	Trusted Setup?
SD-JWT	No — vct claim leaks	No — static cred ID	No	No	No
BBS+	Partial — DID static	No — accumulator	No (pairing curves)	No	No
mDL (ISO 18013-5)	No — device key	No	No	No	No
German eID	Partial — issuer-dependent	No	No	No	No
Phoenix	Yes	Unknown	Yes (lattice)	No	No
Crescent	Yes	Unknown	No (Groth16)	No	Yes
AnonCreds	Partial	No — accumulator	No	No	Yes
xID	Yes	Yes (blinded)	Yes (IT + PQ)	Yes	No

No production system ships unlinkable holder identity, unlinkable revocation, post-quantum security, and information-theoretic guarantees together. xID is the first.

Section 02

The Solution: Ephemeral Identity by Default

xID derives per-verifier, per-epoch DIDs from a XorIDA-split master identity seed via HKDF-SHA256. Each verifier sees a cryptographically independent identity. Each epoch rotates all identities automatically. The derivation schedule itself is split-protected.

Three Properties

Per-verifier identity (HKDF derivation). The master seed is reconstructed from threshold shares in volatile memory. HKDF-SHA256 derives a 32-byte seed scoped to the verifier's DID, a context string, and the current epoch. An Ed25519 keypair is generated from this seed. The resulting DID is cryptographically independent from all other derived DIDs — a pharmacy and a bank see completely different identities from the same holder.

Temporal unlinkability (epoch rotation). When the epoch advances, all derived DIDs rotate automatically. A verifier who saw DID-A in epoch 3 sees DID-B in epoch 4 for the same holder. The derivation is deterministic within an epoch (enabling session continuity) but unlinkable across epochs. Default epoch: 24 hours.

IT-secure seed protection (XorIDA). The master identity seed is never stored whole. It exists only as k-of-n XorIDA shares distributed across independent storage locations. Any k-1 shares reveal zero information about the seed — not probabilistically, but unconditionally. No quantum computer, no unbounded adversary, no future mathematical breakthrough can extract the seed from fewer than k shares.

Ephemeral Identity Pipeline

Three Guarantees

Same verifier + same epoch = same DID (session continuity). Different verifier = different DID (cross-verifier unlinkability). New epoch = new DID (temporal unlinkability). The master seed exists in reconstructed form for ~50 microseconds per presentation and is never written to persistent storage.

Consent-Gated

No credential is disclosed without explicit holder authorization. The ConsentCallback is invoked with the verifier's DID, requested attributes, and purpose description before any derivation occurs. Consent must return true. There is no bypass, no admin override, no silent mode.

Section 03

Architecture

Four pipelines define the xID architecture: Import (credential ingestion), Ephemeral Present (unlinkable disclosure), Backup/Restore (XorIDA-split recovery), and Derivation Schedule (split-protected verifier tracking).

Import Pipeline

Ephemeral Present Pipeline

Backup & Restore Pipeline

Split-Protected Derivation Schedule

The record of which verifiers a holder has interacted with is itself XorIDA-split. No single storage location reveals the user's relationship graph. The schedule tracks context hashes (SHA-256 of verifierId + scope), never raw verifier identifiers. On each presentation, the schedule is reconstructed, the context record is updated, and the schedule is re-split.

204

Tests (46 ephemeral + 68 convergence)

~50µs

Full pipeline

0 bits

Per-share leakage

4,096

Max verifier contexts

Section 03B

Self-Converging Identity

Your identity seed never exists at rest. Like Face ID's 30,000 IR dots converging into one recognition, xID reconverges your master seed from K-of-N independent signal channels every time identity is needed. Below threshold = zero information. Seed exists only during derivation (~50µs), then is purged. No seed at rest. Ever.

The Face ID Analogy

Apple's Face ID projects 30,000 infrared dots onto your face. Each dot alone is meaningless. Only when enough dots converge does identity emerge. xID works the same way: your master identity seed is split into N XorIDA shares, each bound to an independent verification channel — biometric, device, credential, knowledge, hardware token, push authentication, behavioral, or location. Only when K-of-N channels respond does the seed reconverge. K-1 shares reveal zero information (information-theoretic security, not computational).

8-Step Convergence Pipeline

Self-convergence is an atomic operation. Either all 8 steps succeed and produce a valid ephemeral identity, or the operation fails and the seed is purged with zero information leakage.

Signal Type Taxonomy

Eight independent signal types ensure that identity convergence draws from diverse verification channels. The more diverse the signals, the higher the assurance level.

Signal Type	Example	Binding
Biometric	Face, fingerprint, iris, voice	ISO 24745 cancelable template
Device	TPM attestation, secure enclave	Hardware-bound share
Credential	Passport, driving license VC	Issuer-signed share
Knowledge	PIN, passphrase, security question	KDF-derived share
Hardware Token	FIDO2 key, smart card	Challenge-response share
Push Auth	1-tap mobile confirmation	Signed approval share
Behavioral	Typing cadence, gait pattern	Continuous template share
Location	Geofenced zone, network context	Context-gated share

Identity Assurance Levels

Self-convergence maps directly to NIST SP 800-63A Identity Assurance Levels based on how many diverse signals participate.

Level	Requirements	Typical Configuration
IAL1 (Basic)	K ≥ 2 signals, any types	2-of-3 (device + knowledge)
IAL2 (Strong)	K ≥ 3 signals, ≥ 2 distinct types	3-of-5 (device + credential + knowledge)
IAL3 (Very Strong)	K ≥ 4 signals, ≥ 3 distinct types, biometric required	4-of-7 (biometric + device + credential + hardware token)

Cancelable Biometric Templates

When biometric signals are configured, xID uses ISO 24745 cancelable biometric templates. Raw biometric data is never stored. Instead, an HMAC-SHA256 non-invertible transform produces a 32-byte template. Same biometric, different transform seed = different template (cross-binding unlinkability). On compromise: generate a new transform seed, re-transform, increment version. The old template becomes cryptographically useless.

Continuous Refresh

Self-convergence supports periodic reconvergence via an opt-in refresh loop. At each configurable interval, xID collects fresh signal responses, performs atomic convergence, derives a new ephemeral DID, and purges the seed. Each refresh produces a fresh identifier uncorrelated with previous iterations. Session continuity is maintained through the same verifier-scope-epoch derivation parameters.

Static Seed vs Self-Converging

Property	Static Seed (Traditional)	Self-Converging (xID)
Seed at rest	Always stored (keychain, enclave, DB)	Never stored — reconverged on demand
Compromise window	Permanent (device lifetime)	~50µs per convergence event
Security model	Computational (AES, RSA, lattice)	Information-theoretic (K-1 = 0 bits)
Key rotation	Manual or certificate-driven	Automatic via epoch + convergence
Biometric binding	Platform-specific (Face ID, Touch ID)	Platform-independent cancelable templates
Multi-factor	Bolt-on MFA (separate from key)	Built-in — factors ARE the key
Adaptive strength	Static key size	Progressive — add signals, upgrade threshold

~50µs

Seed exposure per convergence

Signal types

IAL levels (NIST 800-63A)

0 bits

K-1 share leakage

Section 04

Benchmarks

The ephemeral identity pipeline completes in approximately 50 microseconds. Every step is measured. No other production system achieves unlinkable presentations at this latency.

Pipeline Breakdown

Step	Operation	Latency
1	Reconstruct master seed from k-of-n shares (XorIDA)	~35µs
2	HKDF-SHA256 derivation (verifier + scope + epoch)	~5µs
3	Ed25519 keypair generation from derived seed	~8µs
4	Sign presentation payload with ephemeral key	~2µs
5	Purge master seed + derived key material from memory	~1µs
	Total pipeline	~51µs

Competitor Comparison

System	Unlinkable Presentation Latency	Proof Size	Setup Required?
Phoenix (lattice-based)	~500ms	~80 KB	No
BBS+ selective disclosure	~2–5ms	~320 bytes	No
Crescent (Groth16 SNARK)	~100–500ms	~128 bytes	Yes (trusted)
AnonCreds (CL signatures)	~50–200ms	~2 KB	Yes
xID (ephemeral DID)	~50µs	~200 bytes	No

xID is 10,000x faster than Phoenix and 40–100x faster than BBS+ for unlinkable presentations. The performance advantage comes from not requiring pairing-based cryptography, lattice operations, or zero-knowledge proof generation. XorIDA reconstruction is a GF(2) XOR operation — the fastest possible mathematical operation on binary data.

XorIDA API Payload Benchmarks

At typical credential sizes (<1 KB), XorIDA splitting is 2–11x faster than AES-256-GCM. 64 bytes: 14µs vs 160µs (11.4x). 256 bytes: 35µs vs 122µs (3.5x). 1 KB: 58µs vs 140µs (2.4x). Crossover is ~1–2 KB — credentials almost always fall below this threshold.

Self-Convergence Overhead

The 8-step convergence pipeline adds pre-reconstruction validation (consent, count, window, diversity) and post-reconstruction verification (HMAC, unpad). The overhead is sub-millisecond — dominated by the XorIDA reconstruction itself. The full atomic self-convergence pipeline (converge → derive ephemeral DID → purge) completes in under 100µs including all validation steps.

Section 05

ACI Surface

Ephemeral identity first, then wallet lifecycle. Every function returns a Result<T, E> — no thrown exceptions.

Ephemeral Identity

deriveContextDid(masterSeed: Uint8Array, context: EphemeralContext, config?: Partial<EphemeralConfig>): Promise<Result<EphemeralDid, EphemeralDerivationError>>

Derives a per-verifier, per-epoch Ed25519 DID from the master seed via HKDF-SHA256. Deterministic: same (verifierId, scope, epoch) always produce the same DID. Validates inputs, derives ephemeral seed, generates keypair, computes did:key, sets expiry from rotation config. Purges intermediate key material after derivation.

unlinkablePresent(masterSeed, credentialShares, requestedAttributes, context, consentCallback, config?): Promise<Result<UnlinkablePresentation, UnlinkablePresentationError>>

Full ephemeral presentation pipeline. Derives context DID, invokes consent callback (must return true), builds selective-disclosure payload, signs with ephemeral key, generates HMAC derivation proof, purges all intermediate material. Returns the presentation, ephemeral DID, and derivation proof.

computeCurrentEpoch(rotationPeriodMs: number, referenceTime?: number): number

Returns the current epoch index based on rotation period. Used by deriveContextDid to ensure temporal unlinkability. Default rotation: 24 hours (86,400,000 ms). Returns 0 if rotation is disabled.

rotateContextDid(masterSeed, context, config?): Promise<Result<EphemeralDid, EphemeralRotationError>>

Manually rotates to the next epoch for a given context. Increments epoch by 1 and derives a new DID. Used when forced rotation is needed (e.g., suspected compromise, policy change).

createDerivationSchedule(config): DerivationSchedule

Creates a derivation schedule for tracking verifier contexts. The schedule itself is XorIDA-split — no single share reveals the rotation pattern or relationship graph.

Wallet Lifecycle

createWallet(config: WalletCreateConfig): Result<XidWallet, WalletError>

Creates an empty wallet anchored to an owner DID. The wallet is metadata-only: it stores credential entries (ID, schema, issuer, category, status), not credential content or shares.

importCredential(wallet, input, verifyFn): Promise<Result<ImportResult, ImportError>>

Verifies credential signature, validates fields, auto-detects category (government, education, professional, health, financial, other), checks lifecycle status, adds entry. Returns new wallet — immutable by design.

handlePresentationRequest(params: PresentRequest): Promise<Result<PresentResult, PresentError>>

Standard presentation (non-ephemeral). Checks presentability, invokes ConsentCallback, creates signed selective-disclosure presentation. For ephemeral presentations, use unlinkablePresent instead.

backupWallet(wallet, config?): Promise<Result<WalletBackupShare[], BackupError>>

Serializes wallet to JSON, PKCS7-pads, HMAC-SHA256 authenticates, XorIDA-splits into k-of-n shares (default 2-of-3). No single share reconstructs the wallet.

restoreWallet(shares: WalletBackupShare[]): Promise<Result<XidWallet, RestoreError>>

Reconstructs from k shares. HMAC-SHA256 verified before reconstruction. Byte-identical to the original. Tampered shares rejected before wallet restoration.

assessEidasCompliance(wallet, credentialId): Result<EidasAssessment, AssessError>

Evaluates a credential against eIDAS 2.0 requirements: Level of Assurance (Low, Substantial, High), Qualified Electronic Signatures (QES) detection, issuer trust list membership.

Ephemeral Presentation Flow

import { deriveContextDid, unlinkablePresent, computeCurrentEpoch } from '@private.me/xid';

// Derive an ephemeral DID for a specific verifier
const epoch = computeCurrentEpoch(86_400_000); // 24-hour rotation
const did = await deriveContextDid(masterSeed, {
  verifierId: 'did:key:z6MkVerifier...',
  scope: 'age-verification',
  epoch,
});
// did.value.did → unique DID for this verifier + epoch

// Full unlinkable presentation with consent
const result = await unlinkablePresent(
  masterSeed,
  credentialShares,
  ['dateOfBirth', 'nationality'],
  { verifierId: 'did:key:z6MkVerifier...', scope: 'age-check', epoch },
  async () => userApproved,
);
// result.value.ephemeralDid → cryptographically independent from all other DIDs

Section 06

Use Cases

Five verticals where ephemeral identity transforms regulatory compliance from a liability into a competitive advantage.

🌍

EU CITIZEN IDENTITY

eIDAS 2.0 Compliant Wallets

450 million citizens need digital identity wallets by 2026. The ARF requires pseudonymous authentication (Article 5a) but the reference architecture cannot deliver it. xID's ephemeral DIDs satisfy Article 5a by construction: every verifier sees a different identity, epoch rotation prevents temporal correlation, and the derivation schedule is split-protected. Member states deploying xID-based wallets achieve the unlinkability the regulation demands without custom cryptographic engineering.

eIDAS 2.0 Art. 5a

🏥

HEALTHCARE

Unlinkable Patient Credentials

A patient presents vaccination records to a pharmacist and insurance credentials to a clinic. Under current systems, both verifiers can correlate the same patient via a static DID — creating a complete medical history graph without consent. xID ensures the pharmacist and clinic see cryptographically independent identities. The patient controls which attributes each verifier sees. HIPAA data minimization is achieved at the cryptographic layer, not the policy layer. 42 CFR Part 2 substance abuse protections are enforced by default.

HIPAA + 42 CFR Part 2

💳

FINANCIAL SERVICES

Privacy-Preserving KYC

Know Your Customer checks currently create a centralized identity graph across every financial institution a person uses. DORA (Digital Operational Resilience Act) requires operational resilience, but existing identity infrastructure concentrates risk. xID enables KYC where each bank sees a different ephemeral DID. The bank can verify identity attributes (name, DOB, nationality) without gaining a cross-institution correlation handle. Revocation is blinded — revoking a credential does not reveal which institutions the holder has relationships with.

DORA + KYC/AML

💼

ENTERPRISE

Job-Seeker Privacy

A job candidate applies to five companies. Current credential systems let all five companies correlate the same candidate via a persistent DID or issuer signature. This enables unauthorized reference-checking and hiring blacklists. With xID, each employer sees a different ephemeral DID. The candidate's degree, certifications, and work history can be verified without creating a cross-employer tracking vector. Epoch rotation means the same employer sees a fresh identity each hiring cycle.

Privacy-by-Design

🛡

GOVERNMENT & DEFENSE

Classified Compartmented Access

Defense and intelligence agencies require compartmented access where knowledge of a person's clearance at Agency A must not leak to Agency B. Current identity systems fail this requirement by design — persistent DIDs create cross-agency correlation. xID's per-verifier derivation ensures that Agency A's identity for an operator is cryptographically independent from Agency B's. The derivation schedule is split-protected, so even a compromised storage node cannot reveal the operator's relationship graph. Offline pre-derivation enables air-gapped environments: derive ephemeral DIDs in advance for disconnected field operations.

Classified + Air-Gapped

Section 07

Regulatory Compliance

Ephemeral identity directly satisfies four regulatory frameworks. Each maps to a specific xID capability — not a configuration option, but a structural guarantee.

Regulation	Requirement	xID Capability
eIDAS 2.0 Art. 5a	Right to pseudonymous authentication	Per-verifier ephemeral DIDs — every presentation uses a unique identity
GDPR Art. 5(1)(c)	Data minimization	Selective disclosure — verifiers receive only requested attributes, bound to an ephemeral DID that cannot be correlated
GDPR Pseudonym Rights	Users interact under pseudonyms	Cryptographically independent identities per verifier — pseudonymous by construction
DORA Art. 9	ICT risk management for financial entities	XorIDA-split seed — no single compromise exposes identity. Blinded revocation prevents correlation via status checks
EU AI Act Art. 10	Data quality & bias prevention	Unlinkable presentations prevent training data that correlates individuals across services
HIPAA Minimum Necessary	Disclose only minimum data for purpose	Attribute-level selective disclosure with consent gate

Section 08

Cross-ACI Composition

xID composes with four ACIs to form a complete identity infrastructure stack. Each integration is additive — xID works standalone, and each composition unlocks new capabilities.

XWALLET + XID

xWallet is the credential engine that makes ephemeral identity possible. When xID derives an ephemeral DID, xWallet is the infrastructure that reconstructs, discloses, and verifies — all within the ~50 microsecond window. xWallet handles the credential crypto pipeline (issue, serialize, split, reconstruct, present). xID handles the identity layer (ephemeral derivation, consent, wallet UX, compliance). Together they form a complete identity wallet stack — xWallet is the engine, xID is the car.

XLOCK + XID

xLock provides push-based one-tap authentication. Combined with xID's ConsentCallback, every credential presentation requires two-factor authorization: the user must consent in the xID wallet AND approve via xLock push notification. Two independent gates before any attribute is disclosed.

XSTORE + XID

xID backup shares and derivation schedule shares are stored via xStore's pluggable backend interface. Multi-cloud, multi-jurisdiction backup with zero changes to wallet code. Store Share 1 in the EU, Share 2 in the US, Share 3 on an air-gapped volume. xStore handles where. xID handles what.

XPROVE + XID

eIDAS compliance assessments and ephemeral derivation proofs feed into xProve audit trails. Prove that a credential was valid at the time of presentation, that consent was granted, that only the requested attributes were disclosed, and that the ephemeral DID was correctly derived — without revealing the credential or the master seed. Cryptographic proof of correct identity operations.

Section 09

Security Properties

xID enforces ten security properties by construction — six from the base wallet and four from ephemeral identity. Every property is tested and verifiable.

Core Guarantees

Property	Mechanism	Guarantee
Confidentiality	XorIDA backup + metadata-only wallet	No single location holds enough to reconstruct wallet or credentials
Consent	ConsentCallback gates every disclosure	No attributes disclosed without explicit user approval
Import Integrity	Signature verification before entry	Only cryptographically valid credentials enter the wallet
Backup Integrity	HMAC-SHA256 before reconstruction	Tampered backup shares rejected before wallet restoration
Immutability	All mutations return new objects	Every wallet state is independently auditable
Lifecycle	Status check before presentation	Expired and revoked credentials cannot be presented

Ephemeral Identity Properties

Property	Mechanism	Guarantee
Cross-Verifier Unlinkability	HKDF derivation with verifier-specific info	Different verifiers always see cryptographically independent DIDs
Temporal Unlinkability	Epoch counter in HKDF derivation	New epoch = new DID. Same verifier cannot correlate across epochs
Relationship Graph Protection	Split-protected derivation schedule	No single share reveals which verifiers a holder has interacted with
Minimal Exposure	~50µs reconstruct-derive-sign-purge pipeline	Master seed exists in memory for microseconds, never persisted

Traditional Wallet vs. xID

Dimension	Traditional Wallet	xID Identity Wallet
Holder Identity	Static DID across all verifiers	Per-verifier ephemeral DID via HKDF derivation
Revocation	Static credential index — trackable	Blinded revocation — no correlation vector
Quantum Resistance	Key-dependent — harvest-now-decrypt-later	Information-theoretic — unconditionally secure
Seed Protection	Encrypted at rest with one key	XorIDA k-of-n split — no single share reveals anything
Relationship Graph	Stored in plaintext or encrypted with one key	Split-protected derivation schedule — no single share reveals verifier history
Exposure Window	Key in memory for session duration	~50µs per presentation — purged immediately

VERIFIED BY XPROVE

Verifiable Identity Operations

Every xID operation — import, present, backup, restore, ephemeral derivation — produces integrity artifacts that xProve can chain into a verifiable audit trail. Prove that credentials were handled correctly without revealing the credentials themselves.

XPROVE IDENTITY AUDIT

xID's consent records, eIDAS compliance assessments, ephemeral derivation proofs, and backup HMAC tags feed directly into xProve's verification pipeline. For regulated identity use cases (eIDAS, healthcare credentialing, financial KYC, professional licensing), this provides cryptographic proof of correct credential handling — proof that consent was obtained, that the credential was valid at presentation time, that only requested attributes were disclosed, and that the ephemeral DID was correctly derived from the split master seed. Upgrade to zero-knowledge proofs when auditors need public verification without data disclosure.

Read the xProve white paper →

Section 10

Limitations

Honest engineering requires honest documentation. Five known limitations with their mitigations.

Limitation	Impact	Mitigation
Ed25519 is not post-quantum	Ephemeral signing keys are classically secure, not PQ-secure. A sufficiently powerful quantum computer could forge a signature during the ~50µs window.	ML-DSA-65 dual signatures available via xLink (opt-in `postQuantumSig: true`). The master seed itself is IT-secure regardless.
HKDF determinism requires epoch sync	If two parties disagree on the current epoch (clock skew), they will derive different DIDs for the same context.	Epoch granularity defaults to 24 hours — clock skew of minutes is irrelevant. Applications with shorter epochs should use NTP synchronization.
Offline pre-derivation risk	Pre-derived ephemeral DIDs for air-gapped use create a batch of key material that must be securely stored until use.	Pre-derived batches are XorIDA-split. Each DID in the batch is independently purged after use. Batch size is configurable.
Predicate proofs are HMAC-only	Current predicate proofs (e.g., "age > 18") use HMAC chain verification, not zero-knowledge proofs. The verifier receives a proof of correct computation but must trust the prover's execution environment.	xProve Tier 4 (KKW MPC-in-the-Head) provides zero-knowledge proofs for predicate evaluation. Integration path exists via xProve Tier 4.
No TEE integration yet	The ~50µs exposure window relies on software memory management. A sufficiently privileged attacker with memory access could extract the master seed during reconstruction.	TEE-isolated reconstruction is planned. Implementation requires platform-specific TEE bindings (SGX, TrustZone, SEV-SNP).
Self-convergence requires enrolled signals	Self-converging identity requires at least K enrolled signal channels responding correctly. A user with only one signal source cannot self-converge.	Minimum configuration is 2-of-3 (IAL1). Signal enrollment is progressive — users start with device + knowledge and add biometric/hardware as available. Traditional seed-based derivation remains available as a fallback.

Section 11

Enterprise CLI

@private.me/xid-cli is a self-hosted identity wallet management server — Docker-ready, air-gapped capable, with three-role RBAC, ephemeral identity management, self-convergence endpoints, and append-only audit logging.

REST endpoints

RBAC roles

108

Enterprise tests

4700

Default port

Endpoints

Method	Path	Permission	Description
GET	/health	—	Health check
POST	/wallets	wallet:create	Create a wallet
GET	/wallets	wallet:list	List wallets
GET	/wallets/:id	wallet:open	Open wallet
POST	/wallets/:id/credentials	credential:import	Import credential metadata
GET	/wallets/:id/credentials	credential:list	List credentials
GET	/wallets/:id/credentials/:credId	credential:get	Get credential
DELETE	/wallets/:id/credentials/:credId	credential:remove	Remove credential
GET	/wallets/:id/categories	credential:categories	Category counts
POST	/wallets/:id/present	present:request	Presentation request
GET	/wallets/:id/credentials/:credId/presentable	present:check	Check presentability
GET	/wallets/:id/lifecycle/status	lifecycle:status	Credential statuses
GET	/wallets/:id/lifecycle/expiring	lifecycle:expiring	Expiring credentials
GET	/wallets/:id/lifecycle/expired	lifecycle:expired	Expired credentials
POST	/wallets/:id/backup	backup:create	Create backup
GET	/wallets/:id/backups	backup:list	List backups
POST	/eidas/assess	eidas:assess	eIDAS compliance assessment
GET	/eidas/loa/:level	eidas:check	LoA requirements
POST	/ephemeral/derive	ephemeral:derive	Derive ephemeral DID
POST	/ephemeral/rotate	ephemeral:rotate	Rotate ephemeral DID
GET	/audit	audit:read	Audit log entries
POST	/convergence/profiles	convergence:create	Create convergence profile
GET	/convergence/profiles/:id	convergence:read	Get convergence profile
POST	/convergence/execute	convergence:execute	Self-converge (atomic)
POST	/convergence/profiles/:id/signals	signal:enroll	Enroll signal
DELETE	/convergence/profiles/:id/signals/:signalId	signal:revoke	Revoke signal

RBAC Roles

Admin — full access: wallets, credentials, presentations, lifecycle, backups, eIDAS, ephemeral, API keys, audit.
Operator — wallets, credentials (import/list/get), presentations, lifecycle, backups, eIDAS, ephemeral.
Auditor — read-only: wallet list, credentials, lifecycle, backup list, eIDAS checks, audit logs.

MASTER SEEDS NEVER STORED

For ephemeral identity derivation and rotation, master seeds come from the request body per-call. The server never stores master seeds. Only derivation metadata (context hash, epoch, timestamps) is persisted.

Docker Deployment

docker build -t xid-cli -f packages/xid-cli/Dockerfile .
docker run -d --name xid -p 4700:4700 \
  -v xid-data:/data \
  -e XID_ADMIN_KEY=your-secret-key \
  xid-cli

Section 12

Get Started

Install xID, derive your first ephemeral identity, and present credentials unlinkably — all in a few lines of code.

Install

npm install @private.me/xid

Quick Start — Ephemeral Identity

import {
  createWallet,
  importCredential,
  deriveContextDid,
  unlinkablePresent,
  computeCurrentEpoch,
  backupWallet,
} from '@private.me/xid';

// 1. Create a wallet
const wallet = createWallet({ ownerDid: 'did:key:z6Mk...' });

// 2. Import a credential (auto-categorized)
const withCred = await importCredential(
  wallet.value,
  { credential: passportVC, shares },
  verifySignature
);

// 3. Derive an ephemeral DID for a specific verifier
const epoch = computeCurrentEpoch(86_400_000);
const ephemeral = await deriveContextDid(masterSeed, {
  verifierId: 'did:key:z6MkBank...',
  scope: 'kyc-check',
  epoch,
});

// 4. Present unlinkably (consent required)
const presentation = await unlinkablePresent(
  masterSeed, credentialShares,
  ['fullName', 'dateOfBirth'],
  { verifierId: 'did:key:z6MkBank...', scope: 'kyc-check', epoch },
  async () => promptUser(),
);

// 5. Backup wallet (2-of-3 XorIDA split)
const backupShares = await backupWallet(withCred.value);

GET STARTED

Ready to deploy xID?

Talk to Sol, our AI platform engineer, or book a live demo with our team.

Book a Demo