How KYC Verification Works
A detailed look at the KYC Anchor — what happens when you verify your Discord identity, how certificates are created, and how your privacy is protected throughout the process.
How KYC Verification Works
The KYC Anchor is the identity layer of KeetaHub. It links your Discord account to your Keeta wallet by issuing a cryptographic certificate — a tamper-proof, on-chain proof that you control both accounts. This guide walks through the full verification flow, from start to finish, and explains what happens behind the scenes at each step.
Before You Start
You need two things:
- A Keeta wallet
- A Discord account that you can authorize through OAuth2
Quick Start
If you just want to get verified, here's the short version:
- Add the resolver — In your Keeta wallet, go to Settings → Advanced → Third-Party Resolvers → Add. Paste the resolver address shown on kyc.keetahub.com and select KYC operations.
- Request a certificate — Go to the Certificates section in your wallet. Tap + Add, choose any region, select the KeetaHub KYC anchor, and tap Continue to start the verification process.
- Link your Discord — Follow the instructions to authorize your Discord account. This links your wallet to your Discord profile.
That's it. Your wallet now holds a valid KYC certificate. Read on if you want to understand what happens under the hood at each step.
The Verification Flow (Detailed)
Step 1: Add the Resolver Address
In your Keeta wallet, navigate to Settings → Advanced → Third-Party Resolvers → Add. Enter the resolver address shown on kyc.keetahub.com and select KYC operations. This tells your wallet where to find the KYC Anchor service.
Behind the scenes, the resolver address points to an on-chain account that holds the anchor's service metadata. Your wallet reads this metadata to discover the anchor's endpoints, its name, and the CA certificate it uses to sign KYC certificates. This is the same mechanism all anchors on the Keeta Network use — your wallet doesn't need to trust a hardcoded URL.
Step 2: Request a Certificate
Go to the Certificates section in your wallet. Tap + Add, choose any region, and select the KeetaHub KYC anchor from the list. Tap Continue.
Your wallet sends a request to the anchor's createVerification endpoint with your wallet's public key. The anchor creates a verification session and responds with a unique link to Discord's authorization page.
At this point, the anchor knows your wallet address but nothing about your Discord identity. The session is temporary and expires automatically after one hour if not completed.
Step 3: Link Your Discord
Your browser opens Discord's OAuth2 authorization page. You see a prompt asking whether you want to grant the KeetaHub Verify application access to your Discord identity (username and user ID). No other permissions are requested — the anchor doesn't read your messages, servers, or friend list.
When you click "Authorize", Discord redirects back to the anchor with a one-time authorization code.
Step 4: Certificate Issuance
This is where the core work happens. The anchor exchanges the authorization code for a temporary access token, fetches your Discord user ID and username from Discord's API, and then builds your KYC certificate.
The certificate contains:
- Subject: Your wallet's public key — this identifies who the certificate belongs to
- Issuer: The anchor's Certificate Authority (CA), a self-signed root that all KYC certificates are issued under
- Validity: One year from the moment of issuance
- Encrypted Discord ID: Your Discord user ID, encrypted with your wallet's public key
That last point is critical. Your Discord ID is stored as a sensitive attribute — it's encrypted so that only the holder of the wallet's private key can decrypt it. Anyone can see that the certificate exists on-chain, but they can't read the Discord ID inside it.
The anchor signs the certificate with its CA key and sends it back to your wallet along with the CA certificate as an intermediate. Your wallet installs both on-chain.
Step 5: Done
Your wallet now holds a valid KYC certificate. The browser tab closes automatically (or shows a success page if your browser blocks the auto-close). The temporary verification session is cleaned up.
From this point on, other services on the Keeta Network — like Sentinel for token-gated roles — can verify that your wallet has a valid KYC certificate without learning your Discord identity.
The Certificate Authority
Every KYC Anchor operates its own Certificate Authority (CA). The CA is a self-signed root certificate that acts as the trust anchor for all certificates the service issues.
KeetaHub's CA is derived deterministically from a BIP39 mnemonic. The same mnemonic always produces the same CA certificate, byte for byte. This means the anchor can restart without invalidating previously issued certificates — the CA never changes unless the mnemonic changes.
The CA certificate is published on-chain as part of the anchor's service metadata. When your wallet retrieves the resolver address, it also gets the CA, which it uses to verify that any KYC certificate it encounters was genuinely issued by this anchor.
How Your Privacy Is Protected
The KYC Anchor is designed to prove identity without exposing it:
- No plaintext identity on-chain. Your Discord ID is encrypted inside the certificate. The certificate's visible fields contain only your wallet public key and the issuer name — no personal information.
- Only you can decrypt it. The Discord ID is encrypted with your wallet's public key. Without your private key, it's unreadable.
- No password storage. The anchor never sees or stores your Discord password. Authentication happens entirely through Discord's OAuth2 flow, using a temporary access token that's discarded after fetching your user info.
- Selective disclosure. Because the Discord ID is a sensitive attribute, you can generate cryptographic proofs that reveal it to specific parties without exposing it publicly. You stay in control of who knows your identity.
Certificate Lifecycle
KYC certificates are valid for one year. After expiration, you can re-verify to get a new certificate. The process is the same — authorize with Discord, receive a new certificate.
If you verify a wallet that was previously linked to a different Discord account, the anchor records the ownership change. The new certificate replaces the old one.
What Happens If the Anchor Goes Down?
Your certificate lives on-chain, not on the anchor's server. If the anchor goes offline, existing certificates remain valid and verifiable — other services can still check them using the CA certificate that's also stored on-chain. You only need the anchor to be running when you want to issue or renew a certificate.