Logo
My Crypto News AI

AIR Kit Brings Zero-Knowledge Identity to Web3: Why Portable Credentials Matter

AIR Kit treats login and wallets as an on-ramp to something bigger: portable, verifiable identity credentials that users earn once and prove anywhere across Web3 and Web2 platforms. Built by Moca Network, the team behind one of the world's largest identity networks, AIR Kit ships as a Web SDK (JavaScript) and Flutter SDK, splitting authentication and wallet services from a more powerful credential layer that uses zero-knowledge proofs (ZK proofs) to let users prove facts about themselves without exposing raw personal data.

The timing matters. Web3 onboarding infrastructure just consolidated dramatically. Privy went to Stripe in June 2025. Web3Auth folded into Consensys and MetaMask. Dynamic landed inside Fireblocks. Sequence went to Polygon Labs. Every wallet-as-a-service startup from 2023 became a feature inside someone else's platform. AIR Kit is the odd one out, treating identity as the destination rather than just a login mechanism.

How Does AIR Kit's Zero-Knowledge Credential System Work?

The system splits into two independently adoptable services. Account Services handles authentication and wallets through a hosted widget supporting email, social login, or existing wallet connections. Behind the scenes, AIR Kit creates or fetches an embedded smart-contract account with session keys and gas sponsorship, so a user's first transaction can be gasless. The service also includes built-in swap and on-ramp UI, eliminating the need to assemble that infrastructure from multiple vendors.

Credential Services is where zero-knowledge proofs enter the picture. An issuer attests to a fact about a user, such as "KYC passed," "age 18 or older," or "completed 50 ranked matches." The user holds that credential in their AIR account. Any verifier can later check a predicate on it and receive only a binary answer: Compliant or Non-Compliant, plus a transaction hash. The raw data never moves.

  • Issuance: Your backend calls issueCredential with schema-typed claims, and the Identity Oracle anchors a hash of the credential to Moca Chain's EVM layer, providing tamper-evidence without exposing the data itself.
  • Storage: The encrypted payload goes to MCSP decentralized storage (Moca Chain Storage Providers), decryptable only by user-held keys, so the chain holds commitments while the storage layer holds ciphertext and only the user holds plaintext.
  • Verification: A verifier calls verifyCredential against a dashboard-configured program, the user's client generates a zero-knowledge proof over the credential, and the system returns Compliant or Non-Compliant status with a transaction hash.

The architecture diagram from the documentation maps the full stack and clarifies the trust model. Your frontend talks to Account and Credential Services through the SDK. Your backend authenticates to Credential Services with a Partner JWT, a token you sign with a private key whose public half you publish at a JWKS endpoint registered in the Developer Dashboard. Every issuance and verification is validated against keys you control, eliminating bearer API keys that could leak.

Why Does This Need Its Own Blockchain?

Moca Chain provides four primitives that generic Layer 1 blockchains do not ship natively. First, a cross-chain identity oracle that is relayer-compatible, so credentials anchored on Moca Chain can be verified from 25 or more other chains. A dApp on Base or Polygon can gate access on an AIR credential without users bridging anything.

Second, zkTLS (web-proof generation) converts Web2 activity into Web3 credentials. A user can prove facts about data behind a TLS session, such as a bank balance range, a follower count, or a purchase history, without the platform's cooperation and without revealing the session contents. This is how the portable reputation thesis escapes the crypto bubble and reaches mainstream Web2 users.

Third, decentralized identity storage through the MCSP layer with user-held keys ensures that users control their own data. Fourth, native zero-knowledge proof verification at approximately one-second block times via CometBFT consensus and an EVMOS-based EVM-compatible architecture enables fast credential checks.

The economics are straightforward. MOCA is the gas token, validator stake unit, and fee unit for storage, oracle, data generation, and verification. Issuers can monetize when their credentials are verified elsewhere. Testnet (ID 222888) is live, and mainnet (ID 2288) transitions through 2026, alongside the consumer-facing MocaProof verification app that beta-launched in December 2025.

What Does Integration Look Like for Developers?

Login is a genuine 30-minute integration. A developer initializes the AirService, calls air.login() to render a hosted login UI, and receives a session plus an EIP-1193 wallet provider that existing wagmi or viem code can consume. React teams can skip even this boilerplate via the official wagmi connector, @mocanetwork/airkit-connector.

Credentials cost an afternoon to set up by design. Nothing issues or verifies until your JWKS endpoint is live, public over HTTPS, and registered in the dashboard. Localhost is unreachable from AIR's servers, so local development requires an ngrok or cloudflared tunnel. It is the right security architecture and the wrong first-hour experience for teams accustomed to simpler onboarding flows.

Two field notes stand out. The Developer Dashboard itself is wallet-gated; you connect a wallet to manage credential programs, which is coherent with the self-sovereign identity thesis but adds friction for Web2 teams the product courts. The Sandbox environment defaulted to Moca Chain Testnet at version 1.8.0-beta, breaking from Devnet (ID 5151), so developers must re-issue test credentials on Testnet rather than reusing Devnet credentials.

The parts that impressed observers include the Issue-on-Behalf REST API for event-driven backend issuance. A KYC webhook fires, a credential lands without requiring a user session, and the developer polls until the credential status shows ONCHAIN. This pattern eliminates the need to coordinate user sessions with backend issuance, a common friction point in identity systems.

AIR Kit's addressable market spans 700 million or more users across Animoca's 600-plus portfolio companies and partners like SK Planet's OK Cashbag (28 million KYC'd users), OneFootball (200 million or more users), Ubisoft, Magic Eden, and SK Telecom. The system treats portable, verifiable identity as a public good that users own and control, not a feature locked inside a single platform.