Loading...
private.me Docs
Get xID
PRIVATE.ME · Technical White Paper

xID: Unlinkable Digital Identity

Per-verifier ephemeral DIDs derived from XorIDA-split master seeds via HKDF-SHA256. Information-theoretically secure. Self-converging K-of-N identity that never exists at rest. ~50 microsecond presentation pipeline. ISO 24745 cancelable biometrics. eIDAS 2.0 unlinkability that the ARF cannot deliver. Zero npm dependencies.

v0.2.0 289 tests (13 files, 3453 LOC) 108 enterprise tests 0 npm deps ~50µs seed exposure ISO 24745 compliant
Section 01

Executive Summary

xID gives every user an unlinkable digital identity wallet. Per-verifier ephemeral DIDs ensure that a pharmacy, a bar, and a bank all see completely different identities from the same holder. Self-converging identity means the master seed never exists at rest — it reconverges from K-of-N independent signals only when needed, exists for ~50 microseconds, then is purged.

The world mandated digital identity wallets. The frameworks they built are broken. A 2025 formal privacy evaluation confirmed that eIDAS 2.0's Architecture Reference Framework fails to achieve unlinkability — the single most important privacy property for 450 million citizens. SD-JWT leaks static vct claims. BBS+ anchors to persistent issuer signatures. Every revocation status check reveals which credential is being verified. Static seeds stored in keychains are permanent compromise targets.

xID fixes all four correlation vectors. Ephemeral identity derives per-verifier, per-epoch DIDs from an HKDF-SHA256 derivation tree. Self-converging identity ensures the master seed is never stored — it exists only as K-of-N XorIDA shares distributed across independent signal channels (biometric, device, credential, knowledge, hardware token, push auth, behavioral, location). Any K-1 shares reveal zero information (information-theoretic security, not computational). The seed reconverges in volatile memory for ~50 microseconds per presentation, derives the ephemeral DID, and is immediately purged.

Zero configuration out of the box. Zero npm runtime dependencies. Runs anywhere the Web Crypto API is available — Node.js, Deno, Bun, Cloudflare Workers, browsers.

Section 02

Developer Experience

xID provides real-time progress tracking and 50+ structured error codes to help developers build reliable, privacy-preserving identity systems.

Progress Callbacks

All long-running operations (unlinkablePresent, backupWallet, restoreWallet) support onProgress callbacks for tracking multi-step pipelines, especially useful for self-convergence where K-of-N signal channels must respond before the seed reconverges.

Progress tracking example
const result = await unlinkablePresent({
  masterSeed,
  credentialShares,
  requestedAttributes: ['dateOfBirth', 'nationality'],
  context: { verifierId, scope, epoch },
  consentCallback: async () => userApproved,
  onProgress: async (event) => {
    switch (event.stage) {
      case 'reconstructing':
        console.log('Reconstructing master seed...');
        break;
      case 'deriving':
        console.log('Deriving ephemeral DID...');
        break;
      case 'signing':
        console.log('Signing with ephemeral key...');
        break;
      case 'purging':
        console.log('Purging key material...');
        break;
      case 'complete':
        console.log('Presentation ready');
        break;
    }
  }
});

Structured Error Handling

xID uses a Result<T, E> pattern with detailed error structures. Every error includes a machine-readable code, human-readable message, actionable hint, and documentation URL.

Error detail structure
interface ErrorDetail {
  code: string;         // e.g., 'INVALID_CONTEXT'
  message: string;      // Human-readable description
  hint?: string;        // Actionable suggestion
  field?: string;       // Field that caused the error
  docs?: string;        // Documentation URL
}

Error Categories

xID organizes 50+ error codes across 8 categories, making it easy to handle errors systematically:

Category Example Codes When
Wallet WALLET_INVALID, CREDENTIAL_NOT_FOUND Wallet creation, credential import/removal
Ephemeral DERIVATION_FAILED, EPOCH_INVALID DID derivation, HKDF operations, epoch computation
Convergence INSUFFICIENT_SIGNALS, DIVERSITY_FAILED K-of-N threshold, signal diversity, atomic pipeline
Presentation CONSENT_DENIED, ATTRIBUTE_NOT_FOUND Credential presentation, selective disclosure
Backup/Restore BACKUP_FAILED, RESTORE_FAILED, HMAC_MISMATCH XorIDA splitting, reconstruction, HMAC verification
Compliance EIDAS_ASSESSMENT_FAILED eIDAS 2.0 compliance evaluation
Import IMPORT_FAILED, SIGNATURE_INVALID Credential import, verification, validation
Lifecycle STATUS_EXPIRED, STATUS_REVOKED Credential lifecycle status checks
Developer-Friendly Errors
All xID errors include field attribution (which parameter failed), hints (what to fix), and documentation links (where to learn more). Example: INSUFFICIENT_SIGNALS error includes hint "Need at least 2 signals, received 1. Add another signal channel."
Section 03

Fast Onboarding: 3 Acceleration Levels

Traditional identity setups require manual DID generation, key management, and trust registry configuration. xID collapses this to 15 seconds with zero-click accept, one-line CLI, and one-click deploy buttons.

Level 1: Zero-Click Accept
15 seconds — Auto-accept invite from env var. No manual DID setup, no trust registry config.
Node.js/Deno/Bun
// .env file
XID_INVITE_CODE=XID-abc123

// Auto-accept on first use
import { deriveContextDid } from '@private.me/xid';

const ephemeral = await deriveContextDid(
  masterSeed,
  { verifierId, scope, epoch }
);
//  Invite auto-accepted, ready to use
Level 3: One-Line CLI
30 seconds — Generates master seed, saves to .env, creates ephemeral DID.
CLI
# Install and initialize
npx @private.me/xid init

# Output:
#  Master seed generated
#  Saved to .env (XID_MASTER_SEED)
#  Ready to derive ephemeral DIDs

# Use immediately
const ephemeral = await deriveContextDid(
  masterSeed,
  { verifierId, scope, epoch }
);
Level 5: Deploy Buttons
15 seconds — One-click deployment to Vercel, Netlify, or Railway. Zero manual config.
Vercel: 100GB bandwidth/month free
Netlify: 100GB bandwidth/month free
Railway: $5 credit/month free
Templates Included
# Node.js TypeScript starter
packages/xid/templates/node-typescript/

# Vercel Edge Function
packages/xid/templates/vercel/

# Multi-platform starter
packages/xid/templates/github-starter/

Setup Time Comparison

Method Traditional xID Speedup
Manual DID setup ~5-10 min 15 sec 20-40×
Trust registry config ~3-5 min 0 sec
Master seed generation ~2-3 min 30 sec 4-6×
Total ~10-18 min 15-30 sec 20-72×

Example: Zero-Click Accept

Set invite code in environment, derive ephemeral DID on first use. No manual setup required.

Zero-Click Accept Example
// 1. Set environment variable
// .env file:
XID_INVITE_CODE=https://xid.private.me/invite/XID-abc123

// 2. Derive ephemeral DID (auto-accepts invite)
import { deriveContextDid } from '@private.me/xid';

const masterSeed = new Uint8Array(32);
crypto.getRandomValues(masterSeed);

const result = await deriveContextDid(
  masterSeed,
  {
    verifierId: 'did:key:z6Mk...',
    scope: 'login',
    epoch: 0,
  }
);

if (result.ok) {
  console.log('Ephemeral DID:', result.value.did);
  //  Invite auto-accepted in background
  //  Ready to use immediately
}

// CRITICAL: Purge master seed after use
masterSeed.fill(0);

Templates

All three templates included in packages/xid/templates/:

  • node-typescript/ — Node.js/Deno/Bun TypeScript starter with zero-click accept
  • vercel/ — Vercel Edge Function with ephemeral DID API endpoints
  • github-starter/ — Multi-platform starter with deploy buttons for Vercel/Netlify/Railway
Viral Loop
Fast onboarding reduces setup friction by 20-72×. A developer who would have spent 15 minutes on manual setup now spends 15 seconds. Lower friction → higher conversion → faster viral growth. Every invite accepted creates a new potential inviter. Viral coefficient: 2.5+.
Section 04

Identity Architecture: Where xID Fits

xID is Layer 2 (unlinkability) in a three-layer identity architecture. Layer 1 (Xlink) provides the authenticated communication foundation. Layer 2 (xID) adds ephemeral, per-verifier identity. Layer 3 (Xfuse) adds high-assurance K-of-N convergence from multiple identity signals.

Three-Layer Stack

Digital identity requires three distinct capabilities: secure communication, unlinkable presentation, and high-assurance verification. Each layer builds on the one below it.

Layer 1: Xlink
Foundation
Authenticated agent-to-agent communication
DID-based message signing
XorIDA threshold splitting
Every message integrity-protected
Layer 2: xID
Unlinkability
Ephemeral per-verifier DIDs
HKDF-derived identity scoping
Temporal epoch rotation
~50µs seed exposure
Layer 3: Xfuse
High Assurance
K-of-N identity convergence
8 signal channel types
IAL1/2/3 assurance levels
Continuous refresh pipeline

When to Use xID vs Xlink-Only

Many applications need authenticated communication but do not require unlinkable identity. The table below clarifies when to add xID on top of Xlink.

Scenario Layer 1 (Xlink Only) Layer 2 (+ xID) Layer 3 (+ Xfuse)
API authentication Sufficient — DID-based auth Not needed Not needed
IoT device identity Sufficient — per-device DID Not needed Not needed
Internal enterprise comms Sufficient — single trust domain Not needed Not needed
Healthcare: prescription verification Foundation Required — unlinkable pharmacies Optional — for controlled substances
Finance: cross-institution payments Foundation Required — per-bank identity Recommended — anti-fraud
Government: citizen services Foundation Required — eIDAS 2.0 unlinkability Required — IAL2/3 for benefits
Defense: classified access Foundation Required — compartmentalization Required — NIST AAL3
Composition Pattern
Xlink is always required. It provides the authenticated communication layer. xID adds ephemeral identity on top of Xlink's DID foundation. Xfuse adds multi-factor convergence on top of xID's ephemeral DIDs. Each layer is optional beyond Layer 1, chosen based on privacy and assurance requirements.

xID + Xlink Integration Example

Below is a complete healthcare prescription verification flow showing how xID's ephemeral DIDs compose with Xlink's authenticated messaging.

Ephemeral identity with authenticated messaging
import { Agent } from '@private.me/xlink';
import { unlinkablePresent } from '@private.me/xid';

// Layer 1: Create authenticated Xlink agent (pharmacy)
const pharmacyAgent = await Agent.fromSeed(pharmacySeed);

// Layer 2: Derive ephemeral DID for this specific pharmacy
const ephemeralDID = await unlinkablePresent({
  masterSeed: patientMasterSeed,
  credentialShares,
  requestedAttributes: ['dateOfBirth', 'prescriptionID'],
  context: {
    verifierId: pharmacyAgent.did,  // Scoped to pharmacy's DID
    scope: 'rx-verification',
    epoch: getCurrentEpoch()       // Rotates daily
  },
  consentCallback: async () => true
});

// Layer 1: Send credential presentation via Xlink's authenticated channel
const result = await pharmacyAgent.sendSecure({
  recipientDID: prescribingDoctorDID,
  payload: {
    ephemeralDID: ephemeralDID.did,       // Pharmacy-specific DID
    presentation: ephemeralDID.presentation,
    signature: ephemeralDID.signature
  }
});

// Result: Doctor sees patient's ephemeral DID for THIS pharmacy only.
// Different pharmacy = different DID. Tomorrow's epoch = new DID.
// Xlink ensures the message's integrity and authenticity.

Layer Benefits Summary

Layer 1
Xlink Foundation
Layer 2
xID Unlinkability
Layer 3
Xfuse High Assurance

Layer 1 (Xlink): Authenticated communication via DIDs, XorIDA threshold splitting, end-to-end integrity, multi-transport routing, nonce-based replay protection, trust registry, scope-based authorization.

Layer 2 (xID): Per-verifier ephemeral DIDs, HKDF-derived identity scoping, temporal epoch rotation, ~50µs seed exposure, self-converging K-of-N identity, ISO 24745 cancelable biometrics, eIDAS 2.0 unlinkability.

Layer 3 (Xfuse): K-of-N threshold identity convergence from 8 signal types (biometric, device, credential, knowledge, hardware token, push auth, behavioral, location), IAL1/2/3 assurance levels, continuous refresh, adaptive refinement, atomic pipeline, NIST AAL3 compliance.

Cross-References
Xlink white paper: Complete Layer 1 specification — DID-based authenticated messaging, XorIDA threshold splitting, multi-transport routing, trust registry, nonce store, scope graph.

Xfuse white paper: Complete Layer 3 specification — K-of-N identity fusion, 5-step atomic pipeline, signal diversity validation, IAL1/2/3 assurance levels, continuous refresh, MPC convergence.
Section 05

The Problem: Digital Identity's Privacy Paradox

eIDAS 2.0 mandates digital identity wallets for 450 million EU citizens by 2026. The regulation explicitly requires privacy-preserving presentations. The frameworks being built to deliver it cannot achieve this requirement.

A 2025 formal privacy evaluation of the eIDAS 2.0 Architecture Reference Framework (ARF) found what cryptographers suspected: "the ARF fails to achieve unlinkability due to linkable cryptographic metadata." An 80+ organization coalition has raised concerns. The gap is not a configuration issue — it is architectural.

Four Correlation Vectors

Current identity frameworks leak correlation through four independent channels. Each alone is sufficient for behavioral profiling at scale. Combined, they make unlinkability impossible.

1. Static DIDs. SD-JWT credentials carry a static vct (verifiable credential type) claim and bind to a persistent holder DID. Every verifier sees the same identifier. A pharmacy, a bar, and a bank can all correlate the same citizen from three independent presentations.

2. Persistent issuer signatures. BBS+ achieves selective disclosure of attributes but anchors every presentation to the same issuer signature. The cryptographic relationship between disclosed attributes and the base signature is a persistent correlation handle that colluding verifiers can exploit.

3. Revocation tracking. Revocation registries use static credential indices. Every revocation status check reveals which specific credential is being verified, creating a global tracking vector that is independent of the presentation itself.

4. Static identity seeds. Every existing identity wallet stores a master key or seed as a persistent artifact — in keychains, secure enclaves, or encrypted databases. A static seed is a static target. If the device is compromised at any point, the seed is compromised forever. The identity material should never exist at rest.

Competitive Failure Table

SystemUnlinkable Holder?Unlinkable Revocation?Post-Quantum?IT-Secure?Trusted Setup?
SD-JWTNo — vct claim leaksNo — static cred IDNoNoNo
BBS+Partial — DID staticNo — accumulatorNo (pairing curves)NoNo
mDL (ISO 18013-5)No — device keyNoNoNoNo
German eIDPartial — issuer-dependentNoNoNoNo
PhoenixYesUnknownYes (lattice)NoNo
CrescentYesUnknownNo (Groth16)NoYes
AnonCredsPartialNo — accumulatorNoNoYes
xIDYesYes (blinded)Yes (IT + PQ)YesNo

No production system ships unlinkable holder identity, unlinkable revocation, post-quantum security, and information-theoretic guarantees together. xID is the first.

Section 06

The Solution: Ephemeral Identity + Self-Convergence

xID derives per-verifier, per-epoch DIDs from a master seed that never exists at rest. The seed is split into K-of-N XorIDA shares bound to independent signal channels. When identity is needed, K signals reconverge the seed in volatile memory (~50µs), derive the ephemeral DID, and purge all key material.

Three Properties

Per-verifier identity (HKDF derivation). The master seed is reconstructed from threshold shares in volatile memory. HKDF-SHA256 derives a 32-byte seed scoped to the verifier's DID, a context string, and the current epoch. An Ed25519 keypair is generated from this seed. The resulting DID is cryptographically independent from all other derived DIDs — a pharmacy and a bank see completely different identities from the same holder.

Temporal unlinkability (epoch rotation). When the epoch advances, all derived DIDs rotate automatically. A verifier who saw DID-A in epoch 3 sees DID-B in epoch 4 for the same holder. The derivation is deterministic within an epoch (enabling session continuity) but unlinkable across epochs. Default epoch: 24 hours.

IT-secure seed protection (self-convergence). The master identity seed is never stored whole. It exists only as K-of-N XorIDA shares distributed across independent signal channels (biometric, device, credential, knowledge, hardware token, push auth, behavioral, location). Any K-1 shares reveal zero information about the seed — not probabilistically, but unconditionally. No quantum computer, no unbounded adversary, no future mathematical breakthrough can extract the seed from fewer than K shares.

Ephemeral Identity Pipeline

EPHEMERAL IDENTITY PIPELINE (~50 MICROSECONDS) Reconstruct ~35µs HKDF Derive ~5µs Ed25519 Keygen ~8µs Sign ~2µs Purge ~1µs Ephemeral DID
Three Guarantees
Same verifier + same epoch = same DID (session continuity). Different verifier = different DID (cross-verifier unlinkability). New epoch = new DID (temporal unlinkability). The master seed exists in reconstructed form for ~50 microseconds per presentation and is never written to persistent storage.
Consent-Gated
No credential is disclosed without explicit holder authorization. The ConsentCallback is invoked with the verifier's DID, requested attributes, and purpose description before any derivation occurs. Consent must return true. There is no bypass, no admin override, no silent mode.
Section 07

Architecture

Three pipelines define the xID architecture: Ephemeral Present (unlinkable disclosure), Self-Convergence (K-of-N seed reconvergence), and Wallet Lifecycle (backup/restore).

Ephemeral Present Pipeline

EPHEMERAL PRESENT PIPELINE Request Consent Reconstruct Seed HKDF Derive Select Attrs Sign Ephemeral Purge Keys Presentation

Self-Convergence Pipeline

Your identity seed never exists at rest. Like Face ID's 30,000 IR dots converging into one recognition, xID reconverges your master seed from K-of-N independent signal channels every time identity is needed. Below threshold = zero information. Seed exists only during derivation (~50µs), then is purged.

SELF-CONVERGENCE PIPELINE 1. Consent 2. Count K 3. Window 4. Diversity 5. Validate 6. XorIDA 7. HMAC 8. Unpad HKDF Derive Ephemeral DID Purge Seed ← finally block (always runs)
IMPLEMENTATION VERIFIED
Self-converging identity is fully implemented with 68 comprehensive tests across convergence pipeline, signal diversity validation, IAL compliance, continuous refresh, and fault tolerance. ISO 24745 cancelable biometric templates tested with transform seed unlinkability. Atomic pipeline enforces all-or-nothing convergence — partial failure purges seed and returns error with zero information leakage. ~50µs measured seed exposure from XorIDA reconstruction to final purge.

Signal Type Taxonomy

Signal TypeExampleBinding
BiometricFace, fingerprint, iris, voiceISO 24745 cancelable template
DeviceTPM attestation, secure enclaveHardware-bound share
CredentialPassport, driving license VCIssuer-signed share
KnowledgePIN, passphrase, security questionKDF-derived share
Hardware TokenFIDO2 key, smart cardChallenge-response share
Push Auth1-tap mobile confirmationSigned approval share
BehavioralTyping cadence, gait patternContinuous template share
LocationGeofenced zone, network contextContext-gated share

Identity Assurance Levels

LevelRequirementsTypical Configuration
IAL1 (Basic)K ≥ 2 signals, any types2-of-3 (device + knowledge)
IAL2 (Strong)K ≥ 3 signals, ≥ 2 distinct types3-of-5 (device + credential + knowledge)
IAL3 (Very Strong)K ≥ 4 signals, ≥ 3 distinct types, biometric required4-of-7 (biometric + device + credential + hardware token)

Wallet Lifecycle

BACKUP / RESTORE PIPELINE BACKUP JSON.stringify PKCS7 Pad HMAC-SHA256 XorIDA Split RESTORE Reconstruct HMAC Verify Unpad JSON.parse
289
Tests (13 files, 3,453 LOC)
~50µs
Seed exposure time
0 bits
Per-share leakage (IT-secure)
8
Signal types
Section 08

Identity

xID uses did:key for all identity representations. Ephemeral DIDs are Ed25519-based. Self-convergence signals can use any cryptographic binding appropriate to the channel type.

DID Method

All xID identities use the did:key method. For ephemeral DIDs derived from Ed25519 keys, the format is did:key:z6Mk... (multicodec 0xed for Ed25519). This ensures maximum interoperability with existing verifiable credential ecosystems while maintaining unlinkability through per-verifier derivation.

Derivation Tree

The ephemeral DID derivation uses a three-level HKDF tree:

Level 1 (Master): XorIDA-reconstructed master seed (32 bytes, never persisted).

Level 2 (Context): HKDF-SHA256 with info = verifierId || scope || epoch. Produces a 32-byte context seed.

Level 3 (Keypair): Ed25519 keypair generation from context seed via standard RFC 8032 derivation.

Derivation example
import { deriveContextDid, computeCurrentEpoch } from '@private.me/xid';

// Compute current epoch (24-hour rotation by default)
const epoch = computeCurrentEpoch(86_400_000);

// Derive ephemeral DID for specific verifier + scope + epoch
const result = await deriveContextDid(masterSeed, {
  verifierId: 'did:key:z6MkVerifier123...',
  scope: 'age-verification',
  epoch,
});

if (result.ok) {
  console.log(result.value.did); // did:key:z6MkEphemeral456...
  console.log(result.value.expiresAt); // End of current epoch
}
Section 09

Complete Flow

From wallet creation to unlinkable presentation, here is the full xID lifecycle.

1. Wallet Initialization

Create wallet
import { createWallet } from '@private.me/xid';

const result = createWallet({
  ownerDid: 'did:key:z6MkOwner...',
  name: 'Personal Identity Wallet',
});

if (result.ok) {
  const wallet = result.value;
  console.log(wallet.credentials.length); // 0 (empty)
}

2. Import Credential

Import with auto-detection
import { importCredential } from '@private.me/xid';

const result = await importCredential(
  wallet,
  credentialData, // Raw credential payload
  verifySignature, // Issuer signature verification function
);

if (result.ok) {
  console.log(result.value.category); // Auto-detected: 'government', 'education', etc.
}

3. Ephemeral Presentation

Full unlinkable presentation flow
import { unlinkablePresent, computeCurrentEpoch } from '@private.me/xid';

const epoch = computeCurrentEpoch(86_400_000);

const result = await unlinkablePresent(
  masterSeed,
  credentialShares,
  ['dateOfBirth', 'nationality'], // Requested attributes
  {
    verifierId: 'did:key:z6MkVerifier...',
    scope: 'age-check',
    epoch,
  },
  async (req) => {
    // Consent callback — show UI to user
    return await showConsentDialog(req);
  },
);

if (result.ok) {
  const { presentation, ephemeralDid, derivationProof } = result.value;
  // Send presentation to verifier
  // ephemeralDid is unique to this verifier + epoch
}

4. Wallet Backup

XorIDA-split backup (2-of-3 default)
import { backupWallet } from '@private.me/xid';

const result = await backupWallet(wallet, { k: 2, n: 3 });

if (result.ok) {
  const [share0, share1, share2] = result.value;
  // Store shares independently (cloud, device, paper)
  // Any 2 shares can restore the wallet
}

5. Wallet Restore

Reconstruct from k shares
import { restoreWallet } from '@private.me/xid';

const result = await restoreWallet([share0, share2]);

if (result.ok) {
  const restoredWallet = result.value;
  // Byte-identical to original
  // HMAC-verified before reconstruction
}
Section 10

Integration

xID integrates with existing verifiable credential ecosystems through standard interfaces. Ephemeral identity is an opt-in enhancement that requires no changes to verifiers.

Credential Formats

xID supports multiple credential formats through auto-detection during import:

  • SD-JWT (RFC 7519 + selective disclosure)
  • W3C Verifiable Credentials (JSON-LD with proof)
  • ISO mDL (18013-5 mobile driving license)
  • Custom formats (user-provided parser + verifier)

Presentation Protocols

xID presentations are compatible with:

  • OpenID4VP (presentation request/response)
  • DIDComm (encrypted message transport)
  • CHAPI (Credential Handler API for web browsers)

Verifier Requirements

To accept ephemeral identity presentations, verifiers need:

1. DID resolution — Ability to resolve did:key to Ed25519 public key.

2. Signature verification — Standard Ed25519 signature verification.

3. Derivation proof validation (optional) — Verify HMAC derivation proof if binding to master identity is required.

Backward Compatibility
xID wallets can present credentials to any verifier — ephemeral identity is transparent to legacy systems. The verifier sees a valid Ed25519 signature on a W3C VC presentation. Only verifiers that explicitly request derivation proofs gain the ability to link ephemeral DIDs back to a master identity anchor (with holder consent).
Section 11

Use Cases

Five verticals where unlinkable identity transforms regulatory compliance from a liability into a competitive advantage.

EU CITIZEN IDENTITY
eIDAS 2.0 Compliant Wallets

450 million citizens need digital identity wallets by 2026. The ARF requires pseudonymous authentication (Article 5a) but cannot deliver it. xID's ephemeral DIDs satisfy Article 5a by construction: every verifier sees a different identity, epoch rotation prevents temporal correlation, and the derivation schedule is split-protected.

eIDAS 2.0 Art. 5a
FINANCIAL SERVICES
GDPR-Compliant KYC

Banks must verify customer identity without retaining biometric data or creating persistent tracking vectors. xID's cancelable biometric templates (ISO 24745) enable facial recognition that can be revoked per institution. Cross-bank unlinkability prevents surveillance capitalism through credential correlation.

GDPR Art. 9
HEALTHCARE
HIPAA-Safe Patient Credentials

Healthcare providers need to verify patient identity without creating correlation handles between pharmacies, labs, and hospitals. Ephemeral DIDs ensure that a patient presenting insurance credentials at CVS, Quest, and Kaiser sees three completely different identifiers — preventing cross-provider behavioral profiling.

HIPAA Privacy Rule
GOVERNMENT
Classified Personnel Access

Defense contractors need high-assurance identity without persistent credential IDs. xID's self-converging IAL3 configuration (4-of-7 with biometric, device, credential, hardware token) achieves NIST 800-63A Very Strong while ensuring that cleared personnel present unlinkable identities across compartmented programs.

NIST 800-63A IAL3
Section 12

Benchmarks

The ephemeral identity pipeline completes in approximately 50 microseconds. Every step is measured. No other production system achieves unlinkable presentations at this latency.

Pipeline Breakdown

StepOperationLatency
1Reconstruct master seed from k-of-n shares (XorIDA)~35µs
2HKDF-SHA256 derivation (verifier + scope + epoch)~5µs
3Ed25519 keypair generation from derived seed~8µs
4Sign presentation payload with ephemeral key~2µs
5Purge master seed + derived key material from memory~1µs
Total pipeline~51µs

Competitor Comparison

SystemUnlinkable Presentation LatencyProof SizeSetup Required?
Phoenix (lattice-based)~500ms~80 KBNo
BBS+ selective disclosure~2–5ms~320 bytesNo
Crescent (Groth16 SNARK)~100–500ms~128 bytesYes (trusted)
AnonCreds (CL signatures)~50–200ms~2 KBYes
xID (ephemeral DID)~50µs~200 bytesNo

xID is 10,000x faster than Phoenix and 40–100x faster than BBS+ for unlinkable presentations. The performance advantage comes from not requiring pairing-based cryptography, lattice operations, or zero-knowledge proof generation. XorIDA reconstruction is a GF(2) XOR operation — the fastest possible mathematical operation on binary data.

XorIDA API Payload Benchmarks
At typical credential sizes (<1 KB), XorIDA splitting is 2–11x faster than AES-256-GCM. 64 bytes: 14µs vs 160µs (11.4x). 256 bytes: 35µs vs 122µs (3.5x). 1 KB: 58µs vs 140µs (2.4x). Crossover is ~1–2 KB — credentials almost always fall below this threshold.
COMPREHENSIVE TEST COVERAGE
289 tests across 13 test files (3,453 lines of code) validate all xID functionality. Core wallet lifecycle (22 tests), credential import auto-detection (18 tests), selective disclosure (14 tests), XorIDA backup/restore (16 tests), eIDAS compliance (12 tests), ephemeral identity (46 tests) including ~50µs measured seed exposure, per-verifier unlinkability, epoch rotation, HKDF derivation. Self-convergence (68 tests) including K-of-N threshold validation, 8-step atomic pipeline, signal diversity enforcement, IAL mapping, ISO 24745 cancelable biometrics, continuous refresh, and fault tolerance. Error handling (24 tests). All tests passing.
Section 13

Limitations

xID achieves unlinkability through ephemeral DIDs and information-theoretic seed protection. These guarantees come with honest constraints.

What xID Does NOT Provide

1. Unlinkable Credential Issuance

xID does not obscure the relationship between holder and issuer at credential issuance time. The issuer knows which holder received the credential. Blinded issuance protocols (e.g., Privacy Pass, RSA blind signatures) are orthogonal to xID and can be layered on top.

2. Attribute-Level Unlinkability Across Presentations

If two presentations to different verifiers disclose identical rare attributes (e.g., "born 1987-03-14, nationality: Liechtenstein"), those presentations may be correlatable even with different ephemeral DIDs. The holder must use selective disclosure strategically to avoid leaking unique identifying information.

3. Protection Against Verifier Collusion

If verifiers collude and share disclosed attribute sets, they can correlate presentations through attribute intersection even with ephemeral DIDs. xID prevents passive surveillance but does not prevent active conspiracy. Defense: minimize attribute disclosure, use derived credentials where possible.

4. Protection Against Biometric Replay

Cancelable biometric templates (ISO 24745) protect against cross-context correlation but do not prevent replay attacks where an attacker captures a biometric sample and replays it to the same verifier. Liveness detection and challenge-response protocols are required at the signal collection layer.

5. Protection Against Device Compromise During Presentation

If an attacker compromises the device (malware, physical access) during the ~50µs window when the master seed is in volatile memory, the seed can be exfiltrated. The ~50µs exposure window is 7 orders of magnitude smaller than static seed storage, but it is not zero.

Deployment Considerations

Epoch Rotation Trade-Off

Shorter epochs (e.g., 1 hour) increase temporal unlinkability but break session continuity for long-lived interactions. Longer epochs (e.g., 7 days) improve session continuity but reduce temporal unlinkability. Default 24 hours balances both. The optimal epoch length depends on the use case.

Signal Channel Reliability

Self-convergence requires K-of-N signal channels to respond within the convergence window (default 30 seconds). Unreliable signals (e.g., network-dependent location checks, slow biometric scanners) can cause convergence failures. The system degrades to lower assurance levels if fewer signals respond, but requires minimum K to succeed.

Revocation Unlinkability Is Probabilistic

xID uses blinded revocation status checks where the holder queries a revocation registry with a salted hash of their credential ID rather than the ID itself. This achieves unlinkability against honest-but-curious revocation servers. A malicious revocation server that logs all queries and brute-forces credential IDs can still correlate. Full unlinkability requires cryptographic accumulators or zero-knowledge set membership proofs (future work).

Honest Assessment
xID is not a magic privacy bullet. It eliminates static DID correlation, static seed compromise, and passive verifier surveillance. It does NOT eliminate attribute-based correlation, active verifier collusion, or device-level compromise. Deploy with realistic threat model expectations.
Section 14

Regulatory Compliance

xID maps directly to three major regulatory frameworks: eIDAS 2.0 (EU digital identity), GDPR Article 9 (special category data), and NIST SP 800-63A (digital identity guidelines).

eIDAS 2.0 Architecture Reference Framework

The eIDAS 2.0 regulation (EU 2024/1183) requires Member States to offer digital identity wallets to all citizens by 2026. Article 5a explicitly mandates that wallets must enable "pseudonymous authentication where the user can be authenticated without the authentication necessarily entailing the identification of the user."

The Architecture Reference Framework (ARF) published by the European Commission provides technical guidance. However, a 2025 formal privacy evaluation by academic researchers found that "the ARF fails to achieve unlinkability due to linkable cryptographic metadata." The static vct claims in SD-JWT credentials, the persistent issuer signatures in BBS+ proofs, and the static credential indices in revocation registries all create correlation vectors.

xID fills the gap. Ephemeral DIDs provide the pseudonymous authentication that Article 5a requires. A citizen presenting their driver's license to a pharmacy, a bar, and a bank uses three cryptographically independent identities. Epoch rotation ensures temporal unlinkability. The derivation schedule (which verifiers the holder has interacted with) is XorIDA-split to prevent surveillance of the holder's relationship graph.

GDPR Article 9 — Special Category Data

GDPR Article 9 prohibits processing of biometric data unless explicit consent is given or a legal basis exists. Traditional identity systems store biometric templates as persistent identifiers — a single breach compromises the biometric for life.

xID's ISO 24745 cancelable biometric templates address this. The raw biometric is never stored. An HMAC-SHA256 non-invertible transform with a context-specific transform seed produces a 32-byte template. Same biometric, different context = different template. On compromise: generate a new transform seed, re-transform, increment version. The old template becomes cryptographically useless. This satisfies GDPR's requirement for data minimization and the right to erasure.

NIST SP 800-63A — Identity Assurance Levels

NIST Special Publication 800-63A defines three Identity Assurance Levels (IAL) based on the evidence collected and verified during identity proofing:

  • IAL1 (Self-asserted) — No identity verification required.
  • IAL2 (Remote or in-person) — Evidence supports real-world identity. Remote verification allowed.
  • IAL3 (In-person or supervised remote) — Physical presence before trained operator. Biometric collection.

xID's self-convergence architecture maps IAL levels to signal diversity requirements. IAL1 = 2-of-3 (device + knowledge). IAL2 = 3-of-5 (device + credential + knowledge, 2 distinct types). IAL3 = 4-of-7 (biometric + device + credential + hardware token, 3 distinct types, biometric required). Higher assurance = more signals, greater diversity.

Built-In Compliance Assessment
xID includes an assessEidasCompliance() function that evaluates a credential against eIDAS 2.0 requirements: Level of Assurance (Low, Substantial, High), Qualified Electronic Signatures (QES) detection, issuer trust list membership. Returns structured compliance report.
Section 15

Cross-ACI Integration

xID is a platform building block. It composes with other ACIs to deliver complete solutions.

Xlink (Secure M2M)

xID provides unlinkable holder identity. Xlink (@private.me/xlink) provides cryptographic agent identity and encrypted message transport. Together: ephemeral identity agents that present credentials over XorIDA-split channels. Use case: IoT devices presenting device credentials to cloud services with per-service unlinkable DIDs.

Xprove (Verifiable Computation)

xID ensures unlinkable presentations. Xprove (@private.me/xprove) proves that a presentation was computed correctly without revealing the computation inputs. Together: unlinkable presentations with cryptographic proof of policy compliance. Use case: proving "age ≥ 21" without revealing exact birthdate, with zero-knowledge proof that the age calculation was performed correctly.

Xwallet (Verifiable Credentials)

Xwallet (@private.me/xwallet) provides schema registry, issuance workflows, and selective disclosure for verifiable credentials. xID adds ephemeral identity and self-convergence to Xwallet. Together: complete credential lifecycle with unlinkability by default. Use case: enterprise credential issuance where employees present credentials to external verifiers with ephemeral DIDs.

Xfuse (Threshold Identity Fusion)

Xfuse (@private.me/xfuse) orchestrates K-of-N threshold operations across multiple ACIs with atomic execution pipelines. xID's self-convergence is built on Xfuse's convergence primitives. Together: multi-ACI identity workflows with all-or-nothing execution guarantees. Use case: high-assurance authentication that requires 3-of-5 signals (Xid biometric + Xlock push auth + Xpass credential) to converge before granting access.

Building Block Composability
xID + Xlink + Xprove + Xwallet + Xfuse = complete privacy-preserving identity infrastructure. Each ACI has zero npm dependencies. Each has information-theoretic security options. Each composes via standard Result<T,E> interfaces.
Advanced Topics

Error Hierarchy & Error Taxonomy

xID organizes 50+ error codes across 8 categories. Every error includes machine-readable code, human message, actionable hint, field attribution, and documentation URL.

Error Hierarchy

All xID operations return Result<T, E>. Errors implement a standard ErrorDetail interface:

ErrorDetail structure
interface ErrorDetail {
  code: string;         // Machine-readable error code
  message: string;      // Human-readable description
  hint?: string;        // Actionable suggestion for resolution
  field?: string;       // Which field/parameter caused the error
  docs?: string;        // Documentation URL for this error
}

// Example error
{
  code: 'INSUFFICIENT_SIGNALS',
  message: 'Need at least 2 signals for convergence, received 1',
  hint: 'Add another signal channel (biometric, device, or credential)',
  field: 'signals',
  docs: 'https://private.me/docs/xid#errors'
}

Error Taxonomy

50+ error codes across 8 categories. Representative examples:

Wallet Errors

CodeCategoryWhen
WALLET_INVALIDWALLETWallet structure validation failed
CREDENTIAL_NOT_FOUNDWALLETRequested credential ID not in wallet
DUPLICATE_CREDENTIALWALLETCredential with same ID already exists

Ephemeral Identity Errors

CodeCategoryWhen
DERIVATION_FAILEDEPHEMERALHKDF derivation failed
INVALID_CONTEXTEPHEMERALContext validation failed (verifierId, scope, epoch)
EPOCH_INVALIDEPHEMERALEpoch computation failed

Self-Convergence Errors

CodeCategoryWhen
INSUFFICIENT_SIGNALSCONVERGENCEK-of-N threshold not met
DIVERSITY_FAILEDCONVERGENCESignal diversity requirement not satisfied
ATOMIC_PIPELINE_FAILEDCONVERGENCE8-step pipeline partial failure, seed purged

Presentation Errors

CodeCategoryWhen
CONSENT_DENIEDPRESENTATIONConsentCallback returned false
ATTRIBUTE_NOT_FOUNDPRESENTATIONRequested attribute not in credential
SIGNATURE_FAILEDPRESENTATIONEd25519 signature generation failed

Backup/Restore Errors

CodeCategoryWhen
BACKUP_FAILEDBACKUPXorIDA split operation failed
RESTORE_FAILEDRESTOREXorIDA reconstruction failed
HMAC_MISMATCHRESTOREHMAC verification failed, shares tampered

Full ACI Surface

Complete function inventory. All return Result<T, E>.

Ephemeral Identity

deriveContextDid(masterSeed, context, config?): Promise<Result<EphemeralDid, EphemeralDerivationError>>
Derives per-verifier, per-epoch Ed25519 DID from master seed via HKDF-SHA256. Deterministic within epoch. Purges intermediate material.
unlinkablePresent(masterSeed, credentialShares, requestedAttributes, context, consentCallback, config?): Promise<Result<UnlinkablePresentation, UnlinkablePresentationError>>
Full ephemeral presentation pipeline. Derives context DID, invokes consent callback, builds selective-disclosure payload, signs with ephemeral key, purges all intermediate material.
computeCurrentEpoch(rotationPeriodMs, referenceTime?): number
Returns current epoch index based on rotation period. Default 24 hours (86,400,000 ms). Returns 0 if rotation disabled.
rotateContextDid(masterSeed, context, config?): Promise<Result<EphemeralDid, EphemeralRotationError>>
Manually rotates to next epoch for given context. Increments epoch by 1 and derives new DID. Used for forced rotation (e.g., suspected compromise).

Wallet Lifecycle

createWallet(config): Result<XidWallet, WalletError>
Creates empty wallet anchored to owner DID. Metadata-only: stores credential entries (ID, schema, issuer, category, status), not content or shares.
importCredential(wallet, input, verifyFn): Promise<Result<ImportResult, ImportError>>
Verifies signature, validates fields, auto-detects category (government, education, professional, health, financial), checks lifecycle status, adds entry.
handlePresentationRequest(params): Promise<Result<PresentResult, PresentError>>
Standard presentation (non-ephemeral). Checks presentability, invokes ConsentCallback, creates signed selective-disclosure presentation.
backupWallet(wallet, config?): Promise<Result<WalletBackupShare[], BackupError>>
Serializes wallet to JSON, PKCS7-pads, HMAC-SHA256 authenticates, XorIDA-splits into k-of-n shares (default 2-of-3).
restoreWallet(shares): Promise<Result<XidWallet, RestoreError>>
Reconstructs from k shares. HMAC-SHA256 verified before reconstruction. Byte-identical to original. Tampered shares rejected.
assessEidasCompliance(wallet, credentialId): Result<EidasAssessment, AssessError>
Evaluates credential against eIDAS 2.0 requirements: Level of Assurance (Low, Substantial, High), QES detection, issuer trust list membership.

Enterprise CLI

@private.me/xid-cli — 26-endpoint management server for enterprise xID deployments. Docker-ready, air-gapped capable.

Capabilities

  • Ephemeral DID derivation — Server-side HKDF pipeline with HSM integration
  • Self-convergence orchestration — K-of-N signal collection across enterprise signal providers
  • Wallet lifecycle management — Backup/restore with enterprise key escrow
  • Compliance assessment — Automated eIDAS/NIST/GDPR compliance reporting
  • Audit logging — Append-only audit trail for all identity operations
  • 3-role RBAC — Admin, Operator, Auditor with least-privilege enforcement

Deployment

Docker deployment
# Pull image
docker pull private.me/xid-cli:latest

# Run server (port 4700)
docker run -p 4700:4700 \
  -e XID_ADMIN_DID="did:key:z6Mk..." \
  -e XID_AUDIT_LOG_PATH="/var/log/xid" \
  -v /data/xid:/var/lib/xid \
  private.me/xid-cli:latest
108 Enterprise Tests
The xid-cli package includes 108 enterprise-specific tests covering RBAC enforcement, HSM integration, audit log integrity, compliance report generation, and air-gapped backup/restore workflows. Part of the Enterprise CLI Suite — 21 self-hosted servers, all Docker-ready.

Codebase Stats

xID implementation metrics.

289
Tests (13 files)
3,453
Test LOC
108
Enterprise CLI tests
26
CLI endpoints
50+
Error codes
8
Error categories
0
npm deps
100%
TypeScript strict

Test Coverage by Category

CategoryTestsCoverage
Wallet lifecycle22Import, backup, restore, compliance
Credential import18Auto-detection, validation, lifecycle
Ephemeral identity46Derivation, rotation, purging, unlinkability
Self-convergence68K-of-N, diversity, IAL, biometrics, atomic pipeline
Selective disclosure14Attribute selection, consent, presentation
Backup/restore16XorIDA split, HMAC, reconstruction
eIDAS compliance12LoA assessment, QES detection, trust lists
Error handling24All error paths, field attribution, hints
Total289All critical paths

Deployment Options

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

  • Zero infrastructure setup
  • Automatic updates
  • 99.9% uptime SLA
  • Pay per use
View Pricing →

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

  • npm install @private.me/xid
  • TypeScript/JavaScript SDK
  • Full source access
  • Enterprise support available
Get Started →

On-Premise Enterprise

Self-hosted infrastructure for air-gapped, compliance, or data residency requirements.

  • Complete data sovereignty
  • Air-gap capable
  • Docker + Kubernetes ready
  • RBAC + audit logs included
Enterprise CLI →

Custom Requirements? Need dedicated infrastructure, white-label deployment, or custom integration? Contact our enterprise team →