ks · foundry / identity
@kashscript/identity-sdkv1.0.0The Passport.
did:ks · Passkeys · Social Recovery · ZK-Proofs
overview
The Passport is the first artifact. Every account in the foundry — human, agent, or institution — is a `did:ks` resolved against a Personal Data Store the user controls. The Foundry defines the document shape, the resolver contract, and the verification rules. The data itself stays on the user's PDS.
Signing is bound to a non-extractable WebAuthn Passkey, so the daily-driver device can sign without ever exposing a private key to JavaScript. Social recovery via M-of-N guardian quorum replaces stolen-device escalation with a 72-hour window the legitimate user always wins.
capabilities
- Sovereign DID — keys live in the user's secure enclave; the Foundry never custodies.
- Passkey-bound signing — every Kash-Event is approved at the OS biometric prompt.
- M-of-N social recovery — guardians replace the key set without a custodian in the loop.
- Selective disclosure + ZK proofs — prove `age ≥ 18` without revealing the birthday.
install
Two routes — pick one.
The direct route is the primary path now that the packages are live on npmjs.org. The CLI route is for framework-aware scaffolding — it pulls the same tarballs.
Add the package directly from npm
One line in your project. Works in any framework that resolves npm packages — Next, Vite, Remix, Expo, Astro, SvelteKit, plain Node, Bun, edge runtimes.
@kashscript/identity-sdk
$ npm install @kashscript/identity-sdkScaffold with the kash CLI
kash add identity scans your stack, picks the right entry points, wires the SDK in, and writes a backup. Dry-run by default; --apply commits; kash rollback reverses any edit.
kash add identity --apply
$ npx @kashscript/kstack add identity --applyZero install. npx fetches @kashscript/kstack on demand, runs it, and exits.
deno · modern runtimes
Deno reads the same npm tarball through its npm: specifier resolver — no separate publish step, no separate package. Import directly:
// deno
import { generateKeyPair, deriveDid, createDidDocument } from "npm:@kashscript/identity-core";
import { KashAuthProvider } from "npm:@kashscript/identity-sdk";
const kp = await generateKeyPair();
const did = deriveDid(kp.publicKey);
console.log(did); // did:kash:<base58 pubkey>JSR mirror coming with v0.4 — track jsr.io/@kashscript for the launch. Until then, the npm: specifier is the canonical path.
For the CLI: deno run -A npm:@kashscript/kstack add identity --apply — the -A flag is the all-permissions shortcut. Once you know which permissions your project flow uses (--allow-read --allow-net), tighten to the minimal set.
setup
Wire it into your stack.
What ends up in node_modules, the peer deps you supply, framework-specific wiring, and the support- inbox-grade troubleshooting list.
packages you'll see in `node_modules`
@kashscript/identity-sdkrequiredReact provider + hooks + Tailwind UI components.
@kashscript/identity-coretransitiveZero-dependency Ed25519, did:kash, JCS canonicalisation.
@kashscript/identitytransitiveType-only protocol definitions (DID Document + PDS).
@kashscript/identity-zkpoptionalSelective disclosure + SNARK prover (the prover is Commercial).
peer dependencies · install in your project
react@^18.0.0 || ^19.0.0The SDK ships a React Context provider + hooks.requiredreact-dom@^18.0.0 || ^19.0.0Matches the React major you install.requiredtailwindcss@^3 || ^4Only required if you import from `@kashscript/identity-sdk/ui`. The headless API has no styling.optionalsnarkjs@^0.7Only required if you import the Commercial SNARK prover from `@kashscript/identity-zkp/prover`.optional
framework wiring
Next.js (App Router)
Wrap your root layout once. `KashAuthProvider` is a Client Component — keep it inside a `'use client'` boundary so the provider's `useEffect` can read `localStorage` after hydration.
// app/providers.tsx
"use client";
import { KashAuthProvider } from "@kashscript/identity-sdk/provider";
export function Providers({ children }: { children: React.ReactNode }) {
return <KashAuthProvider>{children}</KashAuthProvider>;
}
// app/layout.tsx
import { Providers } from "./providers";
export default function RootLayout({ children }) {
return <html><body><Providers>{children}</Providers></body></html>;
}Vite + React
Drop the provider directly in `main.tsx`. Vite resolves the `.tsx` source from the package and transpiles inline — no extra config.
import { KashAuthProvider } from "@kashscript/identity-sdk/provider";
import { KashConnect } from "@kashscript/identity-sdk/ui";
createRoot(document.getElementById("root")!).render(
<KashAuthProvider>
<App />
<KashConnect variant="outline" />
</KashAuthProvider>
);Remix
Wrap inside `root.tsx` body. The provider only touches the DOM on the client; on the server it returns the loading fallback.
Deno
Use the `npm:` specifier. WebAuthn is browser-only, so server-side Deno code can only use `@kashscript/identity-core` for signing/verifying — not the SDK provider.
import { generateKeyPair, deriveDid } from "npm:@kashscript/identity-core";troubleshooting · the support inbox
▸ Tailwind classes from `@kashscript/identity-sdk/ui` don't apply.
Add the SDK's source to your Tailwind `content` glob: `content: ['./node_modules/@kashscript/identity-sdk/**/*.{ts,tsx}', ...]`. Tailwind only scans your own files by default.
▸ `window is not defined` during Next.js build / SSR.
You're importing from `/ui` outside a Client Component. Either move the import into a `'use client'` module or render it lazily via `next/dynamic({ ssr: false })`.
▸ WebAuthn passkey ceremony never prompts.
Passkeys require a Secure Context. Either run on HTTPS (Vercel preview URLs work) or on `localhost`. `http://` IPs and non-secure custom hostnames are rejected by every modern browser.
▸ Identity persists across reloads in dev, never in production.
The default storage is `localStorage`. Browsers running in private mode (or with strict cookie policies) block it silently. Swap to `@kashscript/identity-sdk/storage`'s `IndexedDbStorage` adapter if you need stronger durability.
▸ `No KashAuthProvider in tree` thrown from a hook.
A child component is rendering above the provider. Move `<KashAuthProvider>` higher in the tree, typically into `app/layout.tsx` (Next) or `main.tsx` (Vite).
example
First call.
// ts
import { KashAuthProvider, useSigner } from "@kashscript/identity-sdk";
import { SignTransactionModal } from "@kashscript/identity-sdk/ui";
// Wrap your app once, then sign Kash-Events anywhere.
function Publish({ header, body }) {
const { sign } = useSigner();
return <button onClick={() => sign(header, body)}>Publish</button>;
}principles
How it's built.
Sovereign by default
The user holds the keys. The PDS is theirs to host or move. Foundry never custodies.
Portable across solutions
The same DID powers Indusland, Duedale, Oreoasis — and any silo built later.
Verifiable credentials
Attestors are opt-in. Every credential carries proof anyone can check.
Recovery without custodians
Lose a device, keep the identity — guardians restore the key set with no Foundry middleman.
licensing · permissive
Free, forever. Apache-2.0.
Sovereign identity is not something the Foundry will ever charge for. The entire Passport SDK is permissive under SSLA Schedule A — no seat, no licence key, no `kash login` required to install.
Included
- Unlimited production use of @kashscript/identity-sdk and @kashscript/identity-core.
- Self-hosted resolver, self-hosted PDS, self-hosted witnesses.
- Modification, redistribution, and white-label use under Apache-2.0.
- Selective-disclosure layer of @kashscript/identity-zkp (Merkle commitments) is also free.
Not included
- Hosted Registry mirror with SLA — paid hosted-service add-on.
- Hosted PDS with backup quorum + replication — paid hosted-service add-on.
- SNARK prover (range / membership proofs) — Commercial under @kashscript/identity-zkp.