Cr3dentials is a cryptographically secure verification platform that allows you to verify identity, income, and employment from any web-based account using real-time data and zero knowledge proofs. Our system transforms dashboards and payment records into verifiable credentials without exposing the underlying data. We never see or store user credentials, and never share sensitive data.

All verifications happen locally and are proven through zero knowledge circuits. Only the user can access their raw data, and only the result of the proof is shared with the verifier.

Lenders and platforms can choose their preferred level of data visibility. You can:

View the full proof output including raw values Receive only specific data points relevant to your decision Or see nothing beyond a pass or fail threshold such as income above a certain amount

Cr3dentials supports a wide range of data sources including social platforms like YouTube, e-commerce stores like Shopify, payroll tools like Deel, accounting software, and more. If it starts with HTTPS, we can verify it. You can view our coverage here: Platform Coverage

This documentation will guide you through using Cr3dentials, sending verification requests, and integrating our API. Whether you are a lender, fintech platform, or credit scoring provider, Cr3dentials helps you onboard and underwrite digital workers with privacy, speed, and trust.

Cr3dentials uses zkTLS to facilitate private, tamper-proof verifications directly from web-based platforms. zkTLS stands for zero knowledge Transport Layer Security. It allows users to generate a proof of what they see during a secure HTTPS session without revealing the full content of that session.

This means users can prove facts like revenue, activity, or account ownership from dashboards like YouTube Studio or Shopify Admin without exposing their login credentials or sharing raw data.

The verification process consists of three core parties:

1. Verifier

   1. The verifier is the organization requesting the verification. This could be a lender, fintech platform, marketplace, or any service that needs to validate user claims before providing access to capital, services, or opportunities.

      The verifier defines:

      • What needs to be proven such as revenue, payout consistency, or account age

      • Which platforms are acceptable

      • How much data they want to see, using Cr3dentials’ selective disclosure feature:

        • Full details (e.g. exact income values and payout history)
2. Applicant

   1. The applicant is the person being verified. They receive a secure link to complete the verification. From there, they choose a supported platform, connect their account, and approve the session. Cr3dentials runs locally in their browser and handles everything without routing data through centralized servers. Users never share login credentials with Cr3dentials. They remain in full control of what is verified and can optionally store encrypted access tokens for future sessions.

3. Data Sources

   1. Data sources are the platforms the applicant connects to such as social media accounts, ecommerce & accounting, payroll, and banking . Cr3dentials loads these dashboards in a secure browser environment and extracts the required data using zkTLS.

      Instead of returning the raw data, Cr3dentials generates a zero knowledge proof that the information on the page satisfies the verifier’s conditions.

User Flows

The user journeys are very simple

1. The reviewer initiates a verification request and shares a unique link with the applicant.

2. The applicant clicks the link and is redirected to the Cr3dentials appclip or mobile app.

3. The applicant selects the platform they want to verify, logs in, and authorizes data access.

4. Cr3dentials fetches the required data in a secure zkTLS session and generates a proof.

Verifier Flow:

Applicant Flow:

Welcome to the official documentation for Cr3dentials, a platform that makes it easy to verify income work history and reputation from any web based online account. If it starts with https, we can verify it. If you're building for creators, freelancers, or online businesses, Cr3dentials gives you cryptographically secure, privacy-preserving proofs you can trust. This guide will walk you through using our dashboard, understanding the user flow, and integrating Cr3dentials into your product through our API.

Jump right in

Cr3dentials gives you two simple ways to start verifying users:

• No-Code via the Cr3dentials dashboard

• API-based for full integration into your product or platform

Dashboard Integration (No Code)

1. Sign Up

   • Contact [email protected] to approve your email for a partner account

   • Sign up on the platform at app.cr3dentials.xyz

2. Configure data sources

Partner API Integration

Use this method if you're integration Cr3dentials into your product flow or backend systems.

1. Get Your API Key

   1. Contact [email protected] to approve your email for a partner account

   2. Log into the dashboard

   3. Navigate to Partner section → Create a Team

1. What is Cr3dentials? Cr3dentials is a verification platform that helps you confidently underwrite creators, freelancers, and online earners by generating privacy-preserving proofs of income, activity, or engagement from any HTTPS-based platform

2. How does it work? The user securely logs into their platform account like YouTube, Upwork, or a bank. Cr3dentials captures key information directly from the page, like earnings or payouts, and generates it into a cryptographic proof, shared with you as a verifiable credential.

3. How can I trust the proof is real? Our system ensures that the information was captured from a live, authenticated session from a real platform over a secure connection. It’s like getting a notarized screenshot, only encrypted, private, and impossible to fake.

4. Why not just use Plaid or API integrations Cr3dentials does not rely on APIs or platform permissions. We can verify any HTTPS-based website, including those without official public apis. This gives you access to long-tail platforms and global users who earn outside traditional systems.

​

5. What platforms are supported? Any HTTPS-based website. This includes YouTube, Shopify, Upwork, Fiverr, Patreon, OnlyFans, traditional banks, and more. View our supported data sources here:

​

6. What data can be verified? We can verify income history, payout amounts, job completion, engagement metrics, or any account data displayed on the page. You choose what matters for your underwriting.

​

7. Is this information secure and compliant? Yes. Cr3dentials is designed to protect user privacy. We never store login credentials or raw data. All verifications are cryptographic, user-consented, and privacy-preserving by default.

​

8. How can this help my underwriting process? You get reliable, real-time signals on borrower income and activity without waiting for bank statements, PDFs, or API tokens. This lets you approve high-potential borrowers faster, even if they earn from unconventional platforms.

​

9. How do I integrate Cr3dentials into my workflow? You can start with our dashboard for manual review or integrate our API for automated workflows. No technical lift is needed to get started.

​

10. Can I use Cr3dentials for pre-qualification or ongoing monitoring? Yes. Our system can support both one-time verifications and continuous updates, depending on your needs.

1. What's the difference between Cr3dentials and screen-scraping?

Screen-scraping requires storing user credentials and automatically logging into their accounts, often without their active involvement. Cr3dentials is fully user-initiated and never stores credentials. Users generate cryptographic proofs directly from their data, ensuring privacy, control, and security.

Overview

Cr3dentials is a privacy-first credential verification platform that leverages zero-knowledge proofs and cryptographic attestations to verify credentials without ever storing or accessing sensitive user data. Our architecture ensures that we see nothing, store nothing, and know nothing about your private information while still enabling cryptographically verifiable proofs.

Privacy-First Design

Core Privacy Principles

• Cr3dentials never sees your credentials - All verification happens through zero-knowledge proofs

• Zero access to sensitive data - Our system only receives cryptographic proofs, not raw data

• You control what gets disclosed - Choose exactly what information to reveal and what to keep private

Zero-Knowledge Proof Integration

Our system uses advanced cryptographic techniques to verify information without ever accessing the underlying data:

How It Works:

1. Local Proof Generation: Zero-knowledge proofs are generated on your device

2. Cryptographic Verification: We only receive mathematical proofs, never raw data

3. Public Attestation: Verifiable claims are created without exposing private information

Selective Disclosure Control

Cr3dentials gives you granular control over what information to expose or hide:

Privacy Modes:

• Full Privacy Mode: Generate proofs that only confirm "yes/no" requirements

  • Example: "Income > $50k" without revealing exact amount

  • Bank account ownership without showing balance details

• Selective Disclosure Mode: Choose specific data points to reveal

System Architecture

High-Level Components

Client Layer

• Web Application (React/Next.js)

• Mobile Application

• User's Wallet Integration

Privacy Gateway

• Zero-Knowledge Proof Validator

• Privacy Filter Layer

• No PII Processing Zone

CR3Dentials Backend

• Authentication (Privy Integration)

• Verification Module (Data Blind)

• Attestation Service

• Queue System for Async Processing

External Integrations

• Reclaim Protocol (Zero-Knowledge Engine)

• Ethereum Attestation Service (EAS)

• Blockchain Networks (Ethereum, L2s)

Data Flow

1. User Initiates Verification: Request sent through encrypted channels

2. Zero-Knowledge Proof Generation: Happens locally on user's device

3. Proof Validation: Cr3dentials validates cryptographic proofs only

4. Attestation Creation: Public, verifiable claims created on blockchain

Technology Stack

Backend Infrastructure

Framework: NestJS with Fastify

• High-performance TypeScript framework

• Built-in validation and security features

• Comprehensive module system

Database: PostgreSQL with Prisma ORM

• No sensitive data storage

• Only verification metadata and proofs

• Automatic migrations and type safety

Authentication: Privy Web3 Authentication

• Wallet-based authentication

• Traditional auth fallback

• JWT token management

Caching: Redis

• Session management

• Temporary proof storage

• Queue processing

Frontend Applications

Web Application: React with Next.js

• Server-side rendering

• Progressive Web App capabilities

• Responsive design

Mobile Application: React Native

• Cross-platform compatibility

• Native performance

• Biometric authentication

Privacy Technologies

Zero-Knowledge Proofs

• Mathematical privacy guarantees

• Cryptographic verification without data exposure

• Scalable proof systems

Reclaim Protocol Integration

• Secure credential verification from external sources

• TLS witnessing for data authenticity

• No raw data transmission to CR3Dentials

Ethereum Attestation Service (EAS)

• On-chain attestation creation

• Public verifiability

• Composable credential system

Privacy Guarantees

What We Never See

What We Can Verify

Security Architecture

Cryptographic Security

Transport Security

• TLS 1.3 encryption for all communications

• Certificate pinning for API endpoints

• Perfect forward secrecy

Proof Security

• zk-SNARKs for zero-knowledge proofs

• Digital signatures for authenticity

• Cryptographic hashing for integrity

Blockchain Security

• Ethereum network security

• Audited smart contracts

• Immutable attestation records

Attack Resistance

Privacy Attacks: Prevented by zero-knowledge cryptography Data Breaches: Nothing to breach - no sensitive data stored Man-in-the-Middle: TLS encryption + certificate pinning Replay Attacks: Cryptographic nonces and timestamps Impersonation: Digital signature verification required

Integration Guides

For Developers

Creating a Privacy-First Verification

Generating Zero-Knowledge Proofs

API Endpoints

Authentication

Verification Sessions

Proof Management

Compliance & Regulations

GDPR Compliance

Right to be Forgotten: User controls all data - nothing stored centrally Data Minimization: Only necessary proofs processed Consent Management: Granular permission controls Data Portability: Users own all their proofs

Financial Regulations

Privacy Protection: No storage of financial account data AML Compliance: Verified attestations for anti-money laundering KYC Requirements: Identity verification without data retention Banking Regulations: Compliance with financial privacy laws

Deployment Architecture

Production Environment

Load Balancing: Caddy reverse proxy with SSL termination Application Tier: Multiple API servers for redundancy Background Services: Queue workers for async processing Database Tier: PostgreSQL with read replicas Caching Layer: Redis cluster for session management Monitoring: Centralized logging and metrics collection

Scaling Considerations

Horizontal Scaling: Stateless API servers Database Scaling: Read replicas and connection pooling Cache Optimization: Distributed caching with Redis Queue Processing: Parallel worker processes CDN Integration: Static asset delivery

Monitoring & Observability

Metrics Collection

Application Metrics: Request latency, error rates, throughput Privacy Metrics: Proof generation success rates, verification times Infrastructure Metrics: CPU, memory, disk usage Business Metrics: Verification completion rates, user adoption

Logging Strategy

Security Logs: Authentication attempts, access patterns Privacy Logs: Proof validation events (no sensitive data) Error Logs: Application errors and exceptions Audit Logs: Verification requests and attestation creation

Roadmap & Future Enhancements

Advanced Privacy Features

Multi-Party Computation: Complex verifications across multiple parties Recursive Proofs: Improved scalability for large verification sets Quantum Resistance: Preparation for post-quantum cryptography

Enhanced Selective Disclosure

Attribute-Based Credentials: Fine-grained attribute control Anonymous Credentials: Zero-knowledge identity systems Privacy-Preserving ML: Machine learning on encrypted attestations

Cross-Chain Compatibility

Universal Attestations: Verification across multiple blockchains Interoperable Standards: Cross-platform privacy protocols Bridge Protocols: Secure attestation transfer between chains

Overview

The Partner Portal provides comprehensive tools for managing your team and API keys. This guide will walk you through the essential features to help you get started quickly and securely.

Team Management

Introduction

Cr3dentials operates on a privacy-by-design architecture where protecting your sensitive information isn't just a feature—it's the fundamental principle that shapes every aspect of our platform. This page provides complete transparency about how we handle your data, what we collect, what we don't collect, and how we protect your privacy.

Core Privacy Philosophy

Zero-Knowledge Architecture

Our entire system is built around the principle that we cannot and do not access your sensitive personal information. This isn't just a policy choice—it's a technological impossibility built into our architecture.

Key Principles:

• Privacy by Design: Privacy protections are built into the technology, not added later

• Data Minimization: We collect only what's absolutely necessary for verification

• User Control: You decide what information to share and with whom

• Cryptographic Guarantees: Mathematical proofs ensure privacy, not just promises

What Data We Never Collect or See

Financial Information

CR3Dentials never has access to your financial data:

Personal Identifiable Information (PII)

We operate without accessing traditional PII:

*Phone numbers are only collected if you explicitly provide them for account recovery or communication preferences.

Employment & Professional Information

Your career details remain private:

*May be disclosed at user's discretion for specific verification types.

Health & Medical Information

We never process health data:

What Data We Do Collect

Account & Authentication Data

Required for Account Creation:

• Email Address: For account creation, recovery, and important notifications

  • Stored encrypted in our database

  • Used only for authentication and critical communications

  • Can be updated or removed when closing account

Optional Profile Information:

• Display Name: User-chosen identifier for attestations

  • Can be pseudonymous or anonymous

  • Used for attestation attribution

  • Changeable at any time

Verification Metadata

Request Information:

• Verification Type: What kind of verification was requested (income, employment, etc.)

• Requirements: Threshold amounts, time periods, criteria (e.g., "income > $50k")

• Request Timestamp: When verification was initiated

• Expiration Date: When verification request expires

Proof Validation Data:

• Cryptographic Proof Hashes: Mathematical representations of proofs (not original data)

• Validation Results: Whether proofs passed or failed verification

• Validation Timestamp: When proof validation occurred

• Proof Method: Which verification method was used (Reclaim, direct attestation, etc.)

Attestation References:

• Attestation UIDs: Unique identifiers for blockchain attestations

• Schema Information: Structure of attestation data

• Blockchain Network: Which network attestation was created on

• Public Keys: For attestation signature verification

Technical & System Data

API Usage Logs:

• Request Timestamps: When API calls were made

• Endpoint Access: Which API endpoints were called

• Response Codes: Success/failure status of requests

• IP Addresses: For security monitoring and fraud prevention

Error & Debugging Logs:

• Error Messages: Technical errors (never containing personal data)

• Stack Traces: For debugging (scrubbed of sensitive information)

• Performance Metrics: Response times, system load

• Usage Statistics: Anonymous, aggregated platform usage

Security Monitoring:

• Login Attempts: Successful and failed authentication attempts

• Suspicious Activity: Unusual access patterns or potential threats

• Rate Limiting: API usage patterns for abuse prevention

• Audit Trail: Record of sensitive operations (without personal data)

Data Processing Methods

Zero-Knowledge Proof Processing

Step 1: Local Proof Generation

• Raw credentials processed on your device only

• Zero-knowledge proofs generated locally

• CR3Dentials never receives raw data

Step 2: Proof Transmission

• Only cryptographic proofs sent to our servers

• Proofs contain no personal information

• Mathematical validation possible without data access

Step 3: Proof Validation

• We validate proof authenticity and correctness

• Verification against requested criteria

• No access to underlying data used in proof

Step 4: Result Processing

• Pass/fail result generated

• Attestation created with public claims only

• Personal data never included in final attestation

Reclaim Protocol Integration

Secure Data Sourcing:

• Reclaim connects directly to data sources (banks, employers, etc.)

• TLS witnessing ensures data authenticity

• CR3Dentials never sees the source data

Proof Generation Process:

• Raw data processed by Reclaim's zero-knowledge engine

• Cryptographic proofs generated meeting your requirements

• Only mathematical proofs transmitted to CR3Dentials

Privacy Guarantees:

• Source data never leaves Reclaim's secure environment

• CR3Dentials receives only proof validation results

• Full audit trail without personal data exposure

Data Storage & Security

Encryption Standards

Data at Rest:

• AES-256 Encryption: All stored data encrypted with industry-standard encryption

• Key Rotation: Encryption keys rotated every 90 days

• Separate Key Management: Encryption keys stored separately from data

• Hardware Security Modules: Keys protected by HSMs in production

Data in Transit:

• TLS 1.3: Latest transport layer security for all communications

• Certificate Pinning: Prevents man-in-the-middle attacks

• Perfect Forward Secrecy: Each session uses unique encryption keys

• End-to-End Encryption: Sensitive operations encrypted client-to-server

Data Sharing & Third-Party Access

What We Never Share

Prohibited Sharing:

• Raw Personal Data: Never shared, as we don't collect it

• Financial Information: Never accessed or shared

• Identity Documents: Never collected or shared

• Private Communications: User messages or personal interactions

Limited Sharing Scenarios

Authorized Verification Results:

• Cryptographic Proof Results: Shared only with parties you authorize

• Attestation References: Public blockchain references (contain no personal data)

• Verification Status: Pass/fail results for authorized verifiers

• Compliance Claims: Regulatory compliance status when required

Legal Requirements:

• Law Enforcement Requests: Limited to proof metadata, never raw credentials

• Court Orders: Compliance with valid legal process

• Regulatory Audits: Anonymized data for compliance verification

• National Security: As required by law (we'll fight overreach)

Service Providers:

• Infrastructure Partners: Hosting, security, and monitoring services (with strict DPAs)

• Blockchain Networks: Public attestation data only

• Email Service: For account communications (encrypted)

• Security Services: Threat detection and prevention (anonymized data)

Third-Party Service Agreements

Data Processing Agreements (DPAs):

• All service providers sign comprehensive DPAs

• Strict limitations on data use and processing

• Regular audits of third-party compliance

• Right to terminate for privacy violations

Service Provider Categories:

• Infrastructure: AWS, Google Cloud (encrypted data only)

• Security: Threat detection services (anonymized logs)

• Communication: Email delivery services (minimal data)

• Monitoring: Performance and uptime monitoring (no personal data)

User Rights & Controls

Data Access Rights

View Your Data:

• Account Dashboard: See all data we have about you

• Verification History: Complete record of your verifications

• Attestation Registry: All attestations created for you

• Data Export: Download your data in JSON format

Data Portability:

• Instant Export: Download your verification history and attestations

• Standardized Format: JSON export compatible with other systems

• Cryptographic Proofs: Export proof metadata for independent verification

• Attestation References: Blockchain UIDs for public verification

Privacy Controls

Verification Privacy Settings:

• Disclosure Level: Choose how much information to reveal per verification

• Verifier Authorization: Control who can request verifications from you

• Attestation Visibility: Public, private, or semi-private attestations

• Expiration Settings: Set automatic expiration for sensitive attestations

Communication Controls:

• Notification Preferences: Choose what communications you receive

• Contact Methods: Select preferred communication channels

• Marketing Opt-Out: No marketing communications (we don't do marketing anyway)

• Emergency Contacts: Optional emergency notification settings

Account Management

Profile Controls:

• Pseudonymous Operation: Use fake names or identifiers if preferred

• Multiple Identities: Create separate verification identities

• Identity Switching: Switch between professional and personal identities

• Anonymous Verification: Option for completely anonymous attestations

Security Settings:

• Two-Factor Authentication: Required for sensitive operations

• Login Notifications: Alerts for new device access

• Suspicious Activity: Automatic alerts for unusual account activity

• Session Management: View and terminate active sessions

Overview

Our API implements rate limiting to ensure fair usage and optimal performance for all partners. Rate limits help protect the service from abuse while providing reliable access to our verification services.

Overview

Webhooks allow you to receive real-time notifications when verifications are completed. Instead of polling our API for status updates, we'll automatically send verification results to your specified URL endpoint as soon as they're available.

How Webhooks Work

The Webhook Flow

1. Setup: You configure a webhook URL in the Partner Portal

2. Verification Process: A user completes their verification

3. Automatic Notification: We immediately send the verification results to your webhook URL

4. Processing: Your application receives and processes the verification data

Benefits of Using Webhooks

• Real-time Updates: Get notified instantly when verifications complete

• Reduced API Calls: No need to continuously poll for status updates

• Better User Experience: Process results immediately and update your application

• Reliable Delivery: Automatic retry mechanism ensures delivery

Creating a Webhook in the Partner Portal

Step-by-Step Setup

1. Navigate to Webhook Management

1. Log into the Partner Portal

   • Go to your partner dashboard

   • Navigate to the main menu

2. Access Webhook Settings

2. Create Your First Webhook

1. Start Webhook Creation

   • Click the "Create Webhook" button

   • This opens the webhook configuration form

2. Configure Basic Settings

3. Advanced Configuration (Optional)

Webhook Authentication Header

• Enter a key/value header verification

• We'll add that header to each webhook request

4. Save Your Webhook

1. Review Settings

   • Double-check your webhook URL

   • Ensure all settings are correct

2. Create Webhook

Example Webhook Configuration

Managing Your Webhooks

Viewing Webhook Details

In the Webhooks section, you can see:

• Webhook URL: The endpoint we're sending notifications to

• Status: Active/Inactive status

• Created Date: When the webhook was set up

• Last Delivery: Timestamp of the most recent notification

Webhook Actions

For each webhook, you can:

• Edit: Modify the URL, secret, or payload template

• Test: Send a test notification to verify your endpoint

• View Logs: See delivery history and any errors

• Deactivate: Temporarily disable notifications

Monitoring Webhook Health

1. Delivery Status

   • Green: Webhook is delivering successfully

   • Yellow: Some delivery issues (temporary failures)

   • Red: Multiple delivery failures

Understanding Webhook Notifications

When Webhooks Are Triggered

We send webhook notifications when:

• ✅ A verification is successfully completed

• ✅ A verification fails

• ✅ A verification expires

• ✅ Manual review is completed

Default Webhook Payload

When a verification completes, your webhook will receive:

Payload Fields Explained

Implementing Your Webhook Endpoint

Basic Webhook Handler Example

Security Best Practices

1. Verify Webhook Signatures

2. Handle Duplicate Deliveries

Webhook Best Practices

Response Requirements

Your webhook endpoint must:

✅ Do:

• Respond with a 2xx status code (200, 201, 204)

• Respond within 10 seconds

• Handle duplicate deliveries gracefully

• Verify webhook signatures when using secrets

❌ Don't:

• Return 3xx, 4xx, or 5xx status codes

• Take longer than 10 seconds to respond

• Process webhooks synchronously if they involve heavy operations

Error Handling and Retries

Our Retry Policy:

• We automatically retry failed deliveries

• Exponential backoff: 1s, 2s, 4s, 8s, 16s intervals

• After 5 failed attempts, the webhook is marked as inactive

• You can reactivate it once the issue is resolved

Monitoring Delivery Issues:

1. Check webhook logs in the Partner Portal

2. Look for patterns in failed deliveries

3. Verify your endpoint is responding correctly

4. Test your webhook with the built-in test feature

Performance Optimization

Testing Your Webhook

Using the Test Feature

1. Access Test Function

   • Go to your webhook in the Partner Portal

   • Click "Test Webhook"

2. Send Test Notification

Manual Testing

Troubleshooting Common Issues

Webhook Not Receiving Notifications

Check:

• [ ] Webhook URL is correct and accessible

• [ ] Webhook status is "Active"

• [ ] Your server is running and responding

• [ ] Firewall allows incoming HTTPS requests

Delivery Failures

Common Causes:

• Endpoint returns non-2xx status codes

• Server timeout (>10 seconds response time)

• SSL/TLS certificate issues

• Firewall blocking requests

Solutions:

1. Check webhook logs for specific error messages

2. Test your endpoint manually

3. Verify SSL certificate validity

4. Ensure quick response times

Security Issues

If webhook signatures don't match:

• Verify you're using the correct secret

• Check signature calculation algorithm

• Ensure you're signing the exact payload we send

Overview

The Partner API provides endpoints for managing verification sessions and steps for partner integrations. This API allows partners to create and manage verification sessions, handle data sources, and process verification steps.

Authentication

Table of Contents

• Getting Your API Key

• Quick Start

• Platform Identifiers

• Login & Capture Data

• Verify Specific Transactions

• Manual Verification (ZK Proof Model)

• Extract Custom Data

• Configuration

• Error Handling

• Best Practices

• Complete Examples

Getting Your API Key

Before using the SDK, you need API keys from Cr3dentials and Google AI:

Partner API Key (Cr3dentials)

1. Sign up / Log in to Cr3dentials at: https://app.cr3dentials.xyz

2. Navigate to Dashboard: Go to the Partner API section

3. Generate API Key: Click "Generate New API Key" or copy your existing key

4. Save Securely: Store the API key in your .env

Google API Key (for Gemini AI)

1. Visit: https://aistudio.google.com/app/apikey

2. Click "Create API Key"

3. Copy and add to your .env file

Environment Setup

Quick Start

Install the SDK:

Basic usage (example with Providus Bank):

Platform Identifiers

Each platform you integrate needs a unique identifier (e.g., "providus_bank", "your_bank", "your_platform").

Available Platform Strategies:

• providus_bank - Providus Bank (Nigeria) with transaction capture

Adding Your Own Platform: You can use the SDK with any platform by:

1. Choosing a unique platform identifier

2. Using that identifier in universalLogin()

3. The SDK will discover and cache the login flow automatically

Login & Capture Data

The SDK automatically logs into any platform and captures relevant data.

Example: Providus Bank (Transaction Data)

Providus Bank automatically captures transaction data during login:

Transaction Data Structure

Using with Other Platforms

The same pattern works for any platform:

Verify Specific Transactions (Providus Bank)

Note: Transaction verification via platformConfig is a Providus Bank-specific feature. Other platforms may have different platformConfig options based on their capabilities.

For Providus Bank, you can automatically verify if a specific transaction exists during login:

Verification options:

• desc - Transaction description (partial match)

• recipient - Recipient name (partial match)

• orderRef - Order reference (include "order:" prefix)

All criteria use AND logic (all must match).

Manual Verification (ZK Proof Model)

If you don't want the SDK to automatically log in on behalf of users, you can use the manual verification workflow (similar to zkp2p). In this model:

• Users manually log into their bank/platform themselves

• The SDK provides a verification session and monitors for proof

• No credentials are shared with your application

• Users maintain full control and privacy

This approach is ideal for:

• Privacy-focused applications

• Compliance requirements where credential sharing is restricted

• User-controlled verification flows

• Zero-knowledge proof architectures

Using the API-Only Client

For manual verification workflows, use Cr3dentialsApiClient instead of the full SDK:

Note: The API-only client is lightweight and doesn't require browser automation dependencies.

Step 1: Get Available Verification Types

First, discover what types of verification are available:

Step 2: Get Sources for a Verification Type

Get available platforms/sources for a specific verification type:

Step 3: Create a Verification Session

Create a session where the user will manually verify:

Step 4: Direct User to Verification URL

Present the verification URL to your user:

Step 5: Poll for Verification Status

Monitor the verification session for completion:

Step 6: Handle Verification Results

Once the verification is complete, process the results:

Complete Manual Verification Example

Using Webhooks (Recommended for Production)

Instead of polling, configure webhooks to receive real-time updates:

Session Status Reference

• PENDING - Session created, waiting for user action

• PROCESSING - User is completing verification steps

• COMPLETED - Verification successful, data available

Extract Custom Data

After login, you can perform additional actions and extract custom data from any platform using natural language.

Example: Providus Bank

Using with Any Platform

The same approach works for any platform - just change the platform identifier and extraction logic:

Configuration

SDK Configuration

Note: The sourceName should match the platform identifier you use in universalLogin(). This enables flow caching for faster subsequent logins.

Environment Variables

Error Handling

Best Practices

1. Always Use Try-Finally

2. Use Environment Variables

3. Development vs Production

4. Monitor Live Sessions

5. Reuse SDK Instance

Complete Examples

All examples below use Providus Bank as the platform. To use with other platforms, simply change the platform identifier and adjust the data extraction logic for your platform's data structure.

Example 1: Basic Login & Data Capture

Example 2: Transaction Verification

Example 3: Custom Data Extraction