Quick Start
Get up and running with StellarID in 4 steps. Connect wallet → Get credential → Generate ZK proof → Verify anywhere.
Install Freighter wallet extension and connect to StellarID
# 1. Install Freighter from https://www.freighter.app/
# 2. Create or import a Stellar testnet wallet
# 3. Fund it via Stellar Friendbot:
curl "https://friendbot.stellar.org?addr=YOUR_WALLET_ADDRESS"
Link GitHub or LinkedIn to receive a verifiable on-chain credential NFT
# GitHub OAuth flow
GET https://stellarid-api.onrender.com/api/v1/github-issuer/auth?stellarAddress=YOUR_STELLAR_ADDRESS
# LinkedIn OAuth flow
GET https://stellarid-api.onrender.com/api/v1/linkedin-issuer/auth?stellarAddress=YOUR_STELLAR_ADDRESS
# Both flows return a JWT token and mint an NFT credential
Generate a zero-knowledge proof to prove a claim without revealing your data
# POST to create a shareable proof
POST https://stellarid-api.onrender.com/api/v1/proofs
Authorization: Bearer YOUR_JWT_TOKEN
{
"credentialId": "your-credential-id",
"circuitType": "age_check",
"publicInputs": { "threshold": 18 }
}
# Response includes a public share link + PDF download
Any platform can verify a StellarID proof using the public endpoint
# Public verification — no auth required
GET https://stellarid-api.onrender.com/verify/YOUR_PROOF_TOKEN
# Or via API
POST https://stellarid-api.onrender.com/api/v1/verify
{
"token": "YOUR_PROOF_TOKEN"
}
Core Concepts
Zero-Knowledge Proofs
Groth16 ZK-SNARKs via Circom. Proofs generated client-side — your data never leaves your device.
NFT Credentials
Non-transferable NFTs on Stellar containing cryptographic commitments (Poseidon hash), not raw data.
Selective Disclosure
Prove specific claims (age 18+, income bracket) without revealing underlying identity data.
Privacy by Design
Zero personal data stored on-chain. All credentials encrypted client-side. Blockchain stores only hashed commitments.
Fee Sponsorship
Gasless transactions — users never pay XLM gas fees. StellarID sponsors all credential minting costs via fee bump.
Multi-Signature Approval
High-value credentials require N-of-M signer approval. Full audit trail recorded on-chain for enterprise trust.
Architecture
StellarID uses a three-layer architecture separating client-side ZK operations, REST API logic, and blockchain interactions.
- Next.js 14 Frontend
- Zustand State
- snarkjs Proof Generation
- Freighter Wallet
- Express.js REST API
- JWT + API Key Auth
- Rate Limiting (Helmet)
- GitHub & LinkedIn OAuth
- PostgreSQL 15 + Indexes
- Redis 7 Cache
- Pinata IPFS Storage
- Stellar Horizon API
OAuth Issuers
StellarID supports OAuth-based credential issuance. Users authenticate with a third party and receive a verifiable NFT credential.
Credential type: github_developer
- GitHub username verified
- Public repo count
- Verified primary email
- Account age & followers
Credential type: linkedin_professional
- Full name verified
- Professional email
- Profile picture
- LinkedIn member ID
// GitHub credential claim data (stored on IPFS, never raw on-chain)
{
"github_username": "iamomm-hack",
"public_repos_count": 42,
"account_created_year": 2020,
"verified_email": true,
"followers": 150
}
// LinkedIn credential claim data
{
"linkedin_name": "Om Kumar",
"linkedin_email": "user@example.com",
"linkedin_email_verified": true,
"linkedin_sub": "xAbCDef12345",
"verified_at": "2026-03-30T00:00:00Z"
}
Advanced Features
Users never pay XLM gas fees. StellarID's sponsor account covers all transaction costs using Stellar's Fee Bump mechanism.
- Max fee/tx: 0.01 XLM
- Mechanism: Fee Bump TX
- User XLM needed: 0 XLM
# Check sponsor status
GET https://stellarid-api.onrender.com/api/v1/fee-sponsor/status
# Response:
{
"sponsor": {
"address": "G...",
"balance": "100 XLM",
"canSponsor": true,
"transactionsRemaining": 10000
}
}
High-value credentials require N-of-M signers to approve before issuance.
- Corporate ID: HR + Manager (2-of-2)
- University degree: Dean + Department (2-of-3)
- Professional license: Board + Examiner (3-of-5)
- Financial credential: Bank + Compliance (2-of-2)
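One way an issuer could count approvals against the N-of-M rule above, as an added example that is not StellarID's own code. It uses the field names from the request bodies in this section; the signed message format, the `keyFor` lookup and the signer labels (stand-ins for Stellar `G...` addresses) are assumptions.

```javascript
// Added example (not StellarID code): counting N-of-M approvals safely.
const crypto = require("node:crypto");

// Assumed signing payload: binds a signature to one request and its signer set.
function approvalMessage(requestId, req) {
  return Buffer.from(JSON.stringify(["multisig-approval", requestId,
    req.credentialType, req.ownerAddress, [...req.requiredSigners].sort(), req.threshold]));
}

// keyFor(label) returns the signer's Ed25519 public KeyObject (hypothetical lookup).
function countApprovals(requestId, req, submissions, keyFor) {
  const allowed = new Set(req.requiredSigners);
  const msg = approvalMessage(requestId, req);
  const approved = new Set();
  const rejected = [];
  for (const { signerPublicKey, signature } of submissions) {
    let reason = null;
    if (!allowed.has(signerPublicKey)) reason = "not a required signer";
    else if (approved.has(signerPublicKey)) reason = "duplicate signer";
    else if (!crypto.verify(null, msg, keyFor(signerPublicKey), Buffer.from(signature, "base64")))
      reason = "bad signature";
    if (reason) rejected.push({ signerPublicKey, reason });
    else approved.add(signerPublicKey);
  }
  // A threshold of 0, or one above the signer count, must never authorize issuance.
  const sane = Number.isInteger(req.threshold) && req.threshold >= 1 && req.threshold <= allowed.size;
  return { approved: [...approved], rejected, canIssue: sane && approved.size >= req.threshold };
}

// Constructed sample data: throwaway keys; labels stand in for Stellar G... addresses.
function demo() {
  const keys = {};
  for (const label of ["SIGNER_HR", "SIGNER_MANAGER", "SIGNER_OUTSIDER"])
    keys[label] = crypto.generateKeyPairSync("ed25519");
  const req = { credentialType: "corporate_identity", ownerAddress: "OWNER_PLACEHOLDER",
    requiredSigners: ["SIGNER_HR", "SIGNER_MANAGER"], threshold: 2 };
  const sign = (label, id) => ({ signerPublicKey: label,
    signature: crypto.sign(null, approvalMessage(id, req), keys[label].privateKey).toString("base64") });
  const keyFor = (label) => keys[label].publicKey;
  return {
    sameSignerTwice: countApprovals("req-1", req, [sign("SIGNER_HR", "req-1"), sign("SIGNER_HR", "req-1")], keyFor),
    outsider: countApprovals("req-1", req, [sign("SIGNER_HR", "req-1"), sign("SIGNER_OUTSIDER", "req-1")], keyFor),
    replayed: countApprovals("req-2", req, [sign("SIGNER_HR", "req-1"), sign("SIGNER_MANAGER", "req-2")], keyFor),
    complete: countApprovals("req-1", req, [sign("SIGNER_HR", "req-1"), sign("SIGNER_MANAGER", "req-1")], keyFor),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Only the `complete` case reaches the threshold: a repeated signer, a signer outside `requiredSigners`, and a signature made for a different request are each rejected before counting.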
# Create multi-sig request
POST https://stellarid-api.onrender.com/api/v1/multisig/request
Authorization: Bearer YOUR_JWT
{
"credentialType": "corporate_identity",
"ownerAddress": "G...",
"requiredSigners": ["G...HR", "G...MANAGER"],
"threshold": 2
}
# Signer adds their signature
POST https://stellarid-api.onrender.com/api/v1/multisig/sign/:requestId
{
"signerPublicKey": "G...HR",
"signature": "..."
}
API Reference
Base URL: https://stellarid-api.onrender.com/api/v1
Auth: Authorization: Bearer YOUR_JWT_TOKEN
Auth
| POST | /auth/connect | Connect wallet & get JWT token | Public |
| GET | /auth/me | Get current user profile | JWT |
Credentials
| POST | /credentials | Issue a new credential | JWT |
| GET | /credentials/my | List your credentials | JWT |
| DELETE | /credentials/:id | Delete (unlink) a credential | JWT |
Proofs
| POST | /proofs | Create shareable ZK proof record | JWT |
| GET | /proofs/:token | Public proof verification | Public |
| GET | /proofs/:token/pdf | Download PDF certificate | Public |
Issuers
| GET | /issuers | List all trusted issuers | Public |
OAuth
| GET | /github-issuer/auth | Start GitHub OAuth flow | Public |
| GET | /github-issuer/callback | GitHub OAuth callback (auto) | Public |
| GET | /linkedin-issuer/auth | Start LinkedIn OAuth flow | Public |
| GET | /linkedin-issuer/callback | LinkedIn OAuth callback (auto) | Public |
Fee Sponsorship
| GET | /fee-sponsor/info | Fee sponsorship feature info | Public |
| GET | /fee-sponsor/status | Sponsor account balance & status | Public |
| POST | /fee-sponsor/request | Request gasless transaction | JWT |
Multi-Signature
| GET | /multisig/info | Multi-sig feature info | Public |
| POST | /multisig/request | Create multi-sig credential request | JWT |
| POST | /multisig/sign/:id | Add signature to request | JWT |
| GET | /multisig/request/:id | Check multi-sig request status | JWT |
| GET | /multisig/pending | List your pending requests | JWT |
Admin
| GET | /admin/stats | Platform-wide analytics | JWT |
| GET | /admin/activity | Last 24h activity feed | JWT |
| GET | /admin/chart-data | 30-day trend chart data | JWT |
| GET | /admin/top-issuers | Top issuers by volume | JWT |
Verify
| POST | /verify | Verify a ZK proof (platform API) | Public |
ZK Circuits
StellarID includes 4 pre-built Circom circuits. All circuits use Poseidon hashing and Groth16 proving.
Proves age ≥ threshold without revealing birthdate
Inputs: birthYear, currentYear, threshold
Proves income in range without revealing exact amount
Inputs: income, minIncome, maxIncome
Proves residency in a country without revealing address
Inputs: countryCode, allowedCountries[]
Proves group membership without revealing identity
Inputs: memberSecret, merkleProof, groupRoot
# Compile a circuit
cd zk-circuits
circom age_check.circom --r1cs --wasm --sym -o build/
# Generate proving key (Groth16)
snarkjs groth16 setup build/age_check.r1cs pot12_final.ptau age_check_0000.zkey
# Export verification key
snarkjs zkey export verificationkey age_check_0000.zkey verification_key.json
// Generate proof (client-side in browser via snarkjs WASM)
import * as snarkjs from "snarkjs";
const { proof, publicSignals } = await snarkjs.groth16.fullProve(
  { birthYear: 2000, currentYear: 2026, threshold: 18 },
  "age_check.wasm",
  "age_check_final.zkey"
);
Security
StellarID was built with security-first principles. See the full SECURITY.md checklist.
JWT Authentication
7-day expiring tokens. All private endpoints protected.
Helmet.js (HTTP Headers)
XSS, clickjacking, MIME-type sniffing protection.
Rate Limiting
20 req/min on auth, 100 req/min on verify endpoints.
SQL Injection Prevention
All queries use parameterized inputs via pg library.
No Secrets in Code
All keys in environment variables, never committed.
HTTPS Enforced
Render + Vercel enforce HTTPS on all production traffic.