Identity
Overview
Identity is at the core of Polymesh. All network participants must have an on-chain identity to interact with the blockchain and its assets.
Each identity:
- Is created through a Customer Due Diligence (CDD) process
- Is referenced by a pseudo-anonymous decentralized identifier (DID), e.g.,
0xfc0d2fc058d02c0a89c2cc2ff11726971dd39886a0b80ecfaa80fa3f196d65ce
- Can hold assets in associated portfolios, claims, and permissioned roles
- Is controlled by a primary key and optional secondary keys
Key Concepts
Identity Creation & Verification
Identities are created through permissioned CDD service providers who verify user information, create an on-chain DID and issue CDD claims required for network access.
Asset Management
Native assets (excluding POLYX) held by users are associated with their identities and can be organized into portfolios. Each identity can hold multiple assets and manage them through different portfolios. Identities may also be granted agent permissions to perform specific operations on behalf of asset issuers.
Claims & Compliance
Identities can receive claims from other identities, which are used to enforce on-chain compliance rules for assets. Claims have specific scopes and can be used to represent various attributes, such as KYC status or accreditation.
Key Management
Each identity has:
- A single primary key with full control
- Optional secondary keys with configurable permissions
- Support for multisig keys as either primary or secondary keys
- Support for smart contracts as either primary or secondary keys
- The ability to create child identities
Keys can also enter into a subsidized relationship with another key, allowing the subsidizer to pay transaction fees on its behalf.
Access Control
Polymesh provides robust authorization and permission frameworks to manage access between identities and their keys.
Identity Diagrams
The following diagrams help visualize and clarify the relationships between key aspects of on-chain identities in Polymesh. Each diagram focuses on a specific concept, such as Customer Due Diligence (CDD), primary and secondary keys, portfolios, custody, claims and compliance, agent permissions, subsidized accounts, and secondary key permissions. For more details, see the linked documentation pages for each topic.
Identity Onboarding & CDD
This diagram shows how a user is onboarded to Polymesh through a CDD (Customer Due Diligence) provider, resulting in the creation of an on-chain identity and issuance of a CDD claim.
Keys & Accounts
This diagram shows how an identity (DID) is controlled by signing keys. Both the primary key and any number of optional secondary keys are grouped in a "Signing Keys" subgraph. Each key can be a standard signing key (SR25519, ED25519, or ECDSA), a multisig, or a smart contract.
Secondary Key Permissions
Secondary keys can be granted fine-grained permissions, allowing them to perform only specific actions or access certain resources. Permissions can be scoped to:
- Assets: Restrict which assets the key can interact with (e.g., only certain tokens).
- Portfolios: Restrict which portfolios the key can access or manage.
- Transactions: Restrict which types of transactions the key can sign (e.g., transfers, settlements, etc.).
The diagram below illustrates how secondary key permissions can be configured:
Portfolios & Asset Management
This diagram demonstrates how an identity can have multiple portfolios (default, user, custodial) to organize and manage assets, including both fungible and non-fungible tokens.
Custody & Portfolio Control
This diagram shows how portfolio control/custody can be assigned to another identity (the custodian), who then controls the portfolio's assets.
Claims & Compliance
This diagram illustrates how claims (such as KYC or accreditation) are issued to an identity by a claim issuer (e.g., a CDD provider or another identity), and how they are used for compliance purposes. Multiple claims from different issuers can be attached to a single identity and may be scoped to specific assets, identities or custom identifiers.
Agent Permissions
This diagram shows how an identity can grant agent permissions to another identity, allowing the agent to act on behalf of the original identity for specific assets or operations. The asset issuer is an agent for its own asset by default.
Relayer & Subsidized Keys
This diagram shows how a relayer can subsidize transaction fees for a signing key (not directly for an identity), allowing another key (owned by a relayer identity) to pay fees on behalf of a key. The relayer's key may be under a different identity than the subsidized key.
Identity Structure: Primary & Sub-Identities
This diagram illustrates the relationship between a primary on-chain identity and its sub-identities (child identities), including inheritance of CDD claims.