For businesses
Anonymous verification of humanity, age, and residence.
Confirm a visitor is a real human, an adult, or a resident of a specific country — without ever seeing their passport, date of birth, or address. The user keeps the data; you keep the proof.
Three traits, cryptographically attested.
Adult
The user is 18 or over.
Human
A real person, not a bot.
Resident
Resides in a specific country.
What we never see.
Trust is asymmetric: a verifier should learn nothing beyond yes/no.
No biometrics
No iris, face, or fingerprint capture. No camera-roll uploads. The phone's biometric sensor is used locally to unlock the user's own keys, never to identify them to us.
No raw documents on our servers
Bills, IDs, rentals, signatures — they all live encrypted on the user's device. We see ciphertext or nothing. Vouch is computed locally; only the verdict crosses the network.
No PII in the credential
A presentation says: "this person is over 18" — and nothing else. Not their name, not their birthday, not their address.
No cross-site linkability
Each verification mints a fresh, single-use presentation. Two sites that both verify the same user can't correlate them through Firmas.
How we know you're real.
Without biometrics, the trust signal has to come from somewhere. Ours: a graph of in-person, cryptographically-signed handshakes.
Anchored in real human-to-human exchanges.
Every contract a Firmas user co-signs in person — a rental, a freelance gig, a sublet, a small loan — produces an ECDSA P-256 signature pair: their device key and the counterparty's. We treat each unique counterparty pubkey as the strongest pro-human signal we can record without intruding. Two real handshakes plus one verified bill is enough to cross the threshold.
Documents alone can't cross the line.
A determined attacker could forge a portfolio of plausible PDFs in someone's name and ride OCR matches to the threshold. Our formula caps the document-only path below the 75% bar — to be vouched, the user must have at least one bilateral, signed handshake on file. Forging documents is cheap; forging real in-person interactions is not.
No volume hacks.
Same counterparty signing five deals collapses to one unit of credit. Self-signing (the user as their own counterparty) is filtered out. Diminishing returns on the curve cap how far a small ring of mutual-vouchers can boost each other.
Time honestly spent.
A small bonus rewards handshakes spread across weeks, not minutes. A burst of five sign-ups in one afternoon at one café earns less than two interactions a fortnight apart.
A forger's portfolio vs a real user's.
Documents only — bulk-forged PDFs
65%
Capped: cannot pass the 75% threshold.
Two real handshakes + one verified bill
92%
Crosses the threshold organically.
How a verification flows.
1
Visitor proves a trait.
Inside the Firmas app, the user picks the trait they want to share (e.g. Adult). Their device generates a fresh 60-second presentation, signed by the device key and our issuer key.
2
A short-lived QR is shown.
The QR encodes a URL of the form firmas.io/verify/<short_id>. Screenshots stop working within ~60 seconds because the underlying presentation expires.
3
Your site verifies.
Read the short_id, ask our verifier endpoint for a verdict — or verify the signature chain locally against our public JWKS. Either path returns a clean trait + traitValue + expiresAt.
Trust details.
All Firmas verifications are signed with ECDSA P-256. Our public keys live at /.well-known/firmas-vouch-jwks.json — fetch them, cache them, verify against them. Each presentation contains two signatures: one by the user's device key (proves freshness, only the user can mint a fresh presentation) and one by our issuer key (proves we vouched for the trait). The chain is verifiable in every major language; the JWKS endpoint serves a standard RFC 7517 keyset.
Ready to integrate?
Four integration shapes — from a two-line widget to local JWKS verification. Pick whichever fits your stack.
Read the integration docs →Or email us: firmasfb@rindogatan.com