Hold a credential
An issuer signs your KYC status, age, investor type and jurisdiction into one Merkle-committed credential while roots commit to sanctions and revocation lists.
BLS12-381 Groth16 · Stellar testnet
AnchorShield is a reusable zero-knowledge access layer for Stellar. Holders prove KYC, sanctions and revocation non-membership, age and jurisdiction from a single credential. Payments and real-world assets are gated on-chain without raw identity touching the ledger.
how it works
A holder receives a single issuer-signed credential, then proves only what a policy needs — nothing else leaves the browser.
An issuer signs your KYC status, age, investor type and jurisdiction into one Merkle-committed credential while roots commit to sanctions and revocation lists.
snarkjs generates a Groth16 proof over BLS12-381 entirely client-side. The credential and its secrets never leave your device.
A Soroban contract verifies the proof on-chain, checks the nullifier for replay, and only then releases a payment or mints an asset.
two gates, one primitive
The same circuit and credential root drive two live testnet gates. Try either one in the proof console.
Proves the sender is KYC-cleared, absent from committed sanctions and revocation roots, and within corridor limits before value moves over a Stellar SAC.
Authorizes an exact OpenZeppelin SEP-57 mint with a one-time proof-bound attestation consumed by the compliance adapter.
why it matters
Raw identity never touches the ledger. Proof signals, action data, committed roots and a nullifier are public.
One circuit, many policies. Add a gate without re-issuing credentials.
Soroban verifies every proof and rejects replays — eligibility is a hard precondition for value.
A regulator with the view key can confirm a payment's disclosure packet — and nothing more.