This is the reference implementation of a custodial-web wallet for the peer-attestation protocol (per ADR-0017). It demonstrates that the protocol works for consumer flows that cannot ask users to install an app or browser extension. It is a privacy demonstration, not a production trust anchor.
High-risk-context guidance (spec §15.12.4)
This is a custodial-web wallet: your credentials and signing key live on this server, not on your device. A wallet operator that holds your credentials is a new entity in your threat model. If any of the following describes you, this wallet shape is not the right default for you, and you should use a device-bound wallet or wait for an EUDI-class wallet instead:
You are a source for journalists, protecting source identity.
You are a member of a dissident network under hostile-state surveillance.
You belong to a marginalized community (faith, identity, sexual orientation, immigration status) where membership disclosure carries safety risk.
You are an activist in a context where authentication-event logs at a custodial-web operator could be subpoenaed or compelled.
This is positioning guidance, not a hard restriction; the protocol cannot enforce wallet-shape choice.
What this wallet does
Authenticates you with a passkey (preferred) or email + password (fallback).
Will hold credentials and sign presentations on your behalf, after each disclosure has been shown to you and you have confirmed it. (Phase 2.)
Lets you export your credentials in their original wire form so you can move them to another wallet operator.
What this wallet does not do
It does not log the contents of presentations it signs (which credential, which claims, which relying party).
It does not correlate your presentations across users or sessions for analytics, advertising, or any third-party purpose.
It does not federate to a commercial identity provider for sign-in. The only authentication options are a passkey or email + password.
It does not load any third-party script, font, or analytics. There are no tracking pixels.
Get started
See the logging policy for what this operator records and for how long.