Before starting, make sure you understand the CAK lifecycle overview.
Verifier responsibilities summary
| Responsibility | Description |
|---|---|
| CAK requirement configuration | Enable CAK requirement for verification programs in the Dashboard |
| Verification initialization | Call the platform’s initialization endpoint at the start of each verification flow |
| Private key secure handling | Receive the CAK private key from the SDK and use it in-memory only |
| Data decryption integration | Decrypt the semi-decrypted data package using the CAK private key |
| Data handling compliance | Handle, store, and destroy decrypted data per applicable regulations |
Step 1: Dashboard configuration
Require CAK for a verification program
In the Developer Dashboard, create or edit a verification program and enable the CAK requirement. When CAK is required:- Only CAK-encrypted credentials are accepted for verification
- The user consent flow is mandatory — the Verification SDK displays an authorization statement
- Only Issuers that have enabled CAK are available as partners when configuring the program
- Both CAK-encrypted and standard credentials are accepted
- The consent flow is not triggered, even for CAK-encrypted credentials
Select Issuers
If your verification program requires CAK, the system only shows Issuers that have the CAK feature enabled. Select the Issuers whose credentials you want to verify.Step 2: Initialize verification
At the start of each verification flow, your backend must call the platform’s initialization endpoint. This creates a callback record that tracks the authorization lifecycle.issuerDid of the Issuer whose credential is being verified. The platform creates a callback record with an initial NOT_SEND (-1) status.
Step 3: User consent and private key
The Verification SDK handles the consent flow automatically when it detects that the verification program requires CAK.What happens
- The SDK reads the verification program configuration and detects the CAK requirement
- The SDK displays a clear authorization statement to the user, requesting consent to share their encrypted data with your system
- The user makes a manual choice: Agree or Deny
On user consent
When the user grants consent:- The SDK generates the corresponding CAK private key locally by signing with the user’s identity wallet
- The SDK returns the private key to your backend via the verification callback
- The platform updates the callback record from
NOT_SEND(-1) toPENDING(0) and sends a notification to the Issuer
On user denial
When the user denies consent:- The verification process is aborted
- No private key is generated or returned
- The user’s encrypted data remains inaccessible
- The user may be unable to complete their business with your service
SDK integration
CallverifyCredential() as usual. When CAK is enabled and the verification is successful, the response includes a cakPrivateKey field.
| Field | Type | Description |
|---|---|---|
status | "Compliant" | Credential is valid and meets all verification requirements |
zkProofs | Record<string, string> | Zero-knowledge proofs generated for the verification |
transactionHash | string | On-chain transaction hash of the verification |
cakPrivateKey | string | CAK private key for decrypting the user’s encrypted data. Only present when CAK is enabled |
Step 4: Decrypt user data
After receiving the CAK private key, you can decrypt the user’s sensitive data through a two-stage process.Stage 1: Request semi-decrypted data
Call the Issuer’s (zkMe) Semi-Decrypted Data API to request the user’s encrypted data. This is not a direct download from dStorage — the Issuer partially decrypts the data using their managed key first. The Issuer:- Validates your request (identity, authorization relationship)
- Fetches the encrypted data from dStorage
- Performs initial decryption with their managed key to produce a semi-decrypted data package
- Returns the package via a signed, time-limited download URL
- Logs the request in the audit trail
Stage 2: Final decryption with CAK private key
Use the CAK private key to decrypt the semi-decrypted data package. This produces the user’s original raw information:- Full name, date of birth, document numbers
- Identity document images (ID cards, passports)
- Facial biometric photos
- Other structured identity fields
The two-stage decryption ensures that neither the Issuer alone nor the Verifier alone can access the plaintext data. Both must participate, and both stages require prior user consent.
Security best practices
Never persist the CAK private key
Never persist the CAK private key
The CAK private key must be used exclusively in-memory. Never write it to disk, database, logs, or any persistent storage. Discard it immediately after decryption is complete.
Minimize data retention
Minimize data retention
After using the decrypted data for your compliance process (account opening, eligibility check, etc.), destroy it according to your data retention policy. Only keep what your regulatory obligations specifically require.
Handle decrypted data per GDPR and applicable laws
Handle decrypted data per GDPR and applicable laws
The decrypted data is raw PII. Treat it with the highest level of data protection. Implement access controls, encryption at rest for any required storage, and data subject rights handling (access, deletion).
Implement secure transport
Implement secure transport
All communication between your systems and the AIR Credential platform must use HTTPS/TLS. The semi-decrypted data download URL is time-limited and pre-signed — use it immediately.
Audit all data access
Audit all data access
Log every instance of decryption, including the user ID, timestamp, purpose, and personnel involved. This audit trail is critical for regulatory compliance.
Verification flow diagram
Related pages
- CAK Overview — Architecture and lifecycle
- CAK Issuer Guide — Issuer-side integration
- Verifying Credentials — Standard verification SDK reference
- Compliance & Privacy FAQ — GDPR, CCPA, and data handling questions