How it works
Five things happen on chain. The rest happens off.
Schemas, credential definitions, status, governance, and verification live on the EVM chain of your choice. Wallets, issuer services, and proof generation stay off-chain.
Two ways to present
Mode A · AnonCreds VDR
Standard AnonCreds + on-chain status.
The wallet generates a vanilla AnonCreds presentation. After verifyProof succeeds, the verifier reads the disclosed kanonCredId and looks up the on-chain AnonCredsStatusRegistry. Both checks must pass.
walletvanilla Credo + anoncreds-rs, no changes
presentationstandard AnonCreds CL proof
revocation checksingle eth_call after verifyProof
use whendrivers' license, KYC, employment, education
Drop-in for Credo agents. No changes to @credo-ts/anoncreds or anoncreds-rs. The Kanon plugin registers a wrapped AnonCredsVerifierService that ANDs the on-chain status lookup with the standard verifyProof result. Schemas must include a kanonCredId attribute.
Governance
Suspension is a switch, not a cleanup job.
Suspending an organization instantly stops it issuing or revoking. Existing presentations still verify against in-window roots; the org simply can’t act. Reactivation restores it.
What you don’t see on chain
off-chain
Holder wallets
Credentials and secrets live with the holder. The chain only ever sees commitments.
off-chain
Issuer services
Signing keys and credential minting run in the org's own infrastructure.
off-chain
Proof generation
ZK proofs are built in the holder's browser or device, then verified.