← All Articles

UCP Wallet Attestation: Crypto Identity Meets Traditional Commerce

A significant proposal has emerged in UCP that bridges two worlds: the cryptographic identity patterns of Web3 and the practical requirements of mainstream commerce. Issue #287 introduces wallet attestation as a first-class identity and eligibility mechanism — no OAuth redirects required.

Why This Matters

Currently, UCP's identity linking relies heavily on OAuth flows — redirect the user to Google, Apple, or another provider, get back a token, link it to the commerce session. This works well for traditional web users but creates friction for the growing crypto-native population where wallets are identity.

The proposal addresses two distinct surfaces:

1. Identity Mechanism: A new wallet_attestation type in UCP's mechanism registry, enabling wallet-based authentication as a first-class option alongside OAuth providers.
2. Eligibility Extension: An attestations map on Cart/Checkout objects for attaching cryptographically signed proofs alongside existing context.eligibility claims.

How It Works

Both surfaces share the same verification primitive:

1. A third-party attestation provider signs a payload (e.g., "this wallet holds NFT from collection X")
2. The attestation includes a kid (key identifier) referencing the provider's JWKS
3. The business fetches provider_jwks and verifies the signature offline
4. No OAuth redirect, no session handoff — pure cryptographic verification

Real-World Applications

Token-Gated Commerce

A brand offers exclusive pricing to NFT holders. With wallet attestation, the AI agent can prove NFT ownership without revealing the full wallet contents or requiring an OAuth dance:

{
  "attestations": {
    "nft_holder": {
      "provider": "https://attestation.example.com",
      "type": "nft_ownership",
      "collection": "0x1234...5678",
      "sig": "eyJ...",
      "kid": "key-2026-03"
    }
  }
}

Cross-Border Compliance

A crypto-native user shopping internationally can attach attestations proving KYC completion, sanctions screening, or accredited investor status — all without exposing underlying identity documents to the merchant.

DAO Membership Benefits

DAO members get discounts. The agent attests to governance token holdings; the business verifies via JWKS. No need to integrate with every DAO's specific membership system.

Technical Implications

This proposal builds on the mechanism registry pattern that landed last week. That breaking change replaced hardcoded OAuth providers with a discoverable registry — creating exactly the extension point this proposal needs.

Key technical considerations:

• Offline Verification: Businesses don't need to call the attestation provider in real-time. JWKS caching enables fast validation.
• Attestation Freshness: How long is a "you own this NFT" attestation valid? The proposal will need to address exp (expiration) semantics.
• Revocation: What happens when the underlying asset is sold? Attestation providers may need to publish revocation lists.
• Multi-Wallet: Users often have multiple wallets. The identity mechanism should support linking multiple wallet addresses.

What Happens Next

This is currently a proposal (Issue), not yet a PR with implementation. The community will likely discuss:

1. Attestation Schema: What fields are required vs. optional? How generic vs. specific should types be?
2. Provider Discovery: How do businesses discover which attestation providers to trust?
3. Privacy Considerations: Can attestations be zero-knowledge proofs (e.g., "holds >$1000 in tokens" without revealing exact balance)?

For commerce platforms exploring crypto-native customer segments, this proposal offers a path forward that doesn't require rebuilding identity infrastructure from scratch.

---

Source: Universal-Commerce-Protocol/ucp Issue #287
Related: UCP Identity Linking Mechanism Registry