SSI for organizations

An AnonCreds VDR organizations can govern.

Kanon is a W3C-compliant AnonCreds VDR that runs on any EVM chain. Drop it into Credo — your wallets and verifiers work unmodified. Add zero-knowledge presentations where you need them.

Read the docsSee the architecture
did:kanon:besu:Z9K6sLp2VqXr3T7nA1cBd4

Organizations, not just keys

Issuers move through a real governance lifecycle on-chain — registered, approved, suspended, reactivated. Identity with a chain of custody.

See governance →

Drop-in AnonCreds VDR

Credo agents and anoncreds-rs wallets work unmodified. Issuance and revocation are tracked on-chain; the verifier looks status up after the standard verifyProof.

How presentation works →

Optional zero-knowledge

When unlinkability matters — age proofs, anonymous voting — switch the same credential to a Groth16 SNARK presentation. Verifier learns nothing else.

Standards & interop →
The shape of it

Issue, present, revoke — most of it happens off-chain.

01 · Issuance

Credentials are signed off-chain, status lives on-chain.

An approved org registers a schema and credential definition, then issues AnonCreds credentials the normal way. A Credo event listener writes one status entry per credential into AnonCredsStatusRegistry. The credential body never touches the chain.

02 · Presentation

Standard AnonCreds — plus an on-chain status check.

The wallet sends a vanilla AnonCreds presentation. The verifier runs verifyProof via anoncreds-rs, extracts the disclosed kanonCredId, then calls isRevoked on AnonCredsStatusRegistry. Both must pass. Mode B swaps the AnonCreds proof for a Groth16 SNARK when unlinkability matters.

Compare the two modes →
03 · Revocation

One transaction. Verifiers see it on the next call.

An org member calls revokeCredential(credDefId, credIdHash) on AnonCredsStatusRegistry. The status flips to Revoked, an event is emitted, and every verifier's next isRevoked check returns true. No tails files, no accumulator updates, no witness math.

For developers

A typed SDK, from registration to verification.

The @credo-ts/kanon plugin wraps the AnonCreds VDR interface, subscribes to issuance events, and AND-gates the verifier with an on-chain status check. Point it at any EVM RPC.

Run the quickstart →
agent.tscopy
import { KanonModule } from "@credo-ts/kanon";

// Drop Kanon into a Credo agent as the AnonCreds VDR
const agent = new Agent({
  modules: {
    anoncreds: new AnonCredsModule({ registries: [kanonRegistry] }),
    kanon: new KanonModule({
      networks: [{ network: "besu", rpcUrl, privateKey }], // or any EVM RPC
      anonCredsStatusRegistryAddress: "0x…",
    }),
  },
});

// verifyProof now ANDs the on-chain isRevoked check
For decision-makers

Built for regulated issuance.

01
Governance lifecycle
Suspending an org instantly stops it issuing or revoking. Reactivation restores it. Enforced at the contract level.
02
Timelocked upgrades
No admin action is instantaneous. Every governance or upgrade call is proposed, delayed, then executed — or cancelled.
03
Audit trail
Every state-changing action emits an indexed event. The full history is reconstructable from the chain.

How Kanon compares

An honest, side-by-side read — we’re generous to the alternatives.

AnonCreds VDR
KanonYes — drop-in for Credo
did:cheqdYes — resource registry
did:indyYes — native
Org governance
KanonOn-chain lifecycle + RBAC
did:cheqdDID-level
did:indyLedger trustee model
Revocation
KanonOn-chain status, no SNARK in wallet
did:cheqdCKS accumulator + tails file
did:indyCKS accumulator + tails file
Optional ZK mode
KanonGroth16 (BN254) on EVM
did:cheqd
did:indy
Read the full comparison →

Start with the quickstart.

Read the docsTalk to the team