INOPAY
Back to developers

Ed25519 portable KYC specification

An Inopay KYC attestation is a JSON object signed with Ed25519. It is offline-verifiable by any integrator with no third-party call required.

JSON schema

Required fields and types. Canonicalisation follows RFC 8785 (JSON Canonicalization Scheme) before signing.

{
  "$schema": "https://schemas.getinopay.com/kyc-attestation/v1.json",
  "type": "object",
  "required": ["sub", "iss", "iat", "exp", "level", "jurisdictions", "sig"],
  "properties": {
    "sub":           { "type": "string", "description": "Subject pseudonymous ID" },
    "iss":           { "type": "string", "const": "inopay.kyc.v1" },
    "iat":           { "type": "string", "format": "date-time" },
    "exp":           { "type": "string", "format": "date-time" },
    "level":         { "type": "string", "enum": ["tier_1", "tier_2", "tier_3"] },
    "jurisdictions": { "type": "array",  "items": { "enum": ["UEMOA", "CEMAC", "GHANA"] } },
    "sig":           { "type": "string", "description": "Ed25519 signature, base64url" }
  }
}

Signed example

Tier_2 attestation issued for the UEMOA zone. The issuing public key is exposed via the .well-known endpoint.

{
  "sub":           "ino_4XK9RZ...",
  "iss":           "inopay.kyc.v1",
  "iat":           "2026-04-25T08:00:00Z",
  "exp":           "2027-04-25T08:00:00Z",
  "level":         "tier_2",
  "jurisdictions": ["UEMOA"],
  "sig":           "MEUCIQDk...base64url..."
}

# Public verification key (offline verifiable)
inopay_pubkey_ed25519 = "[À CONFIGURER]"  // base64-url Ed25519 public key

Offline verification

Standard verification procedure on the SGI or integrator side. No network call required after fetching the public key.

# Offline verification — no network call required.
1. Fetch the Inopay attestation public key once
   from /.well-known/inopay (cache locally with rotation hints).
2. Canonicalise the attestation JSON (RFC 8785 / JCS).
3. Verify Ed25519 signature against canonical bytes.
4. Reject if exp < now or jurisdiction not in your scope.
5. Match attestation.sub against your local subject map.

.well-known/inopay endpoint

Exposes the current public key, capabilities and contacts. Updates signalled by explicit rotation.

GET https://www.getinopay.com/.well-known/inopay

Revocation policy

An attestation can be revoked at any time. The revocation list is published signed and synchronisable. Post-revocation grace period is 24 hours.