Security & Architecture

How HumanLayer works.
No secrets. No shortcuts.

HumanLayer verifies real humans without collecting personal information. Here is the complete technical and trust architecture — what we do, what we don't do, and what we assume.

Core principles

What we never do.

No biometrics. Ever.

HumanLayer never collects fingerprints, face scans, iris data, or any physical biometric. Verification is based entirely on behavioral signals, on-chain history, and cryptographic proofs.

No KYC. No personal data.

We never ask for your name, passport, phone number, or email. Your wallet address is the only identifier. Nothing else is stored, processed, or shared.

Zero-knowledge proofs.

Verification uses ZK circuits built on UltraPlonk and verified on-chain via zkVerify. You prove you meet a threshold without revealing your underlying score or personal signals.

Soulbound credentials.

Your identity credential is a non-transferable soulbound NFT on Base L2. It cannot be sold, transferred, or replicated. One human, one credential — enforced mathematically.

Architecture

How verification works.

Four steps. Fully on-chain. Mathematically enforced.

01

Signal collection

Your wallet's public on-chain history, GitHub activity (via Reclaim Protocol), and behavioral patterns are scored. No OAuth. No login. No stored data.

02

ZK proof generation

A zero-knowledge proof is generated client-side using UltraPlonk circuits. The proof confirms you meet a human threshold without revealing the underlying signals.

03

On-chain verification

The ZK proof is verified on-chain via zkVerify on Base L2. A Poseidon nullifier hash ensures the same identity cannot mint multiple credentials.

04

Soulbound credential issued

A non-transferable soulbound NFT is minted to your wallet. This credential is your portable proof of humanity — readable by any integrated platform, everywhere.
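The four steps above, modelled as an added illustration that is not HumanLayer's code: the stand-in verifier re-runs the circuit's statement on a witness that the proof object carries (a real UltraPlonk proof carries no witness), and SHA-256 stands in for Poseidon. The threshold value, the domain tag and the wallet strings are assumptions; the model shows what the nullifier registry and the ERC-5192 lock have to enforce, namely that a second proof from the same secret is rejected even from a new wallet, that a below-threshold or forged proof is rejected, and that a minted credential cannot move.

```python
import hashlib
from dataclasses import dataclass

HUMAN_THRESHOLD = 70         # assumed value; the page does not state it
DOMAIN = b"humanlayer-mint"  # assumed app tag mixed into the nullifier

def poseidon_stub(*parts: bytes) -> bytes:
    # Stand-in for Poseidon: SHA-256 here, not the ZK-friendly hash.
    return hashlib.sha256(b"|".join(parts)).digest()

@dataclass(frozen=True)
class Proof:
    nullifier: bytes  # public input
    wallet: str       # public input: wallet the credential is minted to
    secret: bytes     # witness: a real UltraPlonk proof carries no witness;
    score: int        # the stand-in verifier re-runs the circuit on it instead

def prove(secret: bytes, score: int, wallet: str) -> Proof:
    # Step 02, client side. nullifier = H(secret, domain), so one secret
    # gives one nullifier whichever wallet asks for the credential.
    return Proof(poseidon_stub(secret, DOMAIN), wallet, secret, score)

def zk_verify(p: Proof) -> bool:
    # Stand-in for zkVerify (step 03): the statement the circuit must enforce.
    return p.score >= HUMAN_THRESHOLD and p.nullifier == poseidon_stub(p.secret, DOMAIN)

class SoulboundRegistry:
    # On-chain side: nullifier registry plus an ERC-5192 locked token (step 04).
    def __init__(self) -> None:
        self.used_nullifiers = set()
        self.owner_of = {}  # token id -> wallet

    def mint(self, p: Proof):
        # Returns the new token id, or None where the contract would revert.
        if not zk_verify(p):
            return None  # bad proof, or score below threshold
        if p.nullifier in self.used_nullifiers:
            return None  # same human again: one human, one credential
        self.used_nullifiers.add(p.nullifier)
        token_id = len(self.owner_of) + 1
        self.owner_of[token_id] = p.wallet
        return token_id
    def locked(self, token_id: int) -> bool:  # ERC-5192 locked(): true once minted
        return token_id in self.owner_of
    def transfer(self, token_id: int, to: str) -> bool:
        if self.locked(token_id):
            return False  # soulbound: the transfer hook reverts for locked tokens
        self.owner_of[token_id] = to
        return True
```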

Data storage

What we store. What we don't.

We store

Wallet address (public on-chain data)
Human Score (computed, not raw signals)
Soulbound NFT token ID
Verification timestamp
Nullifier hash (prevents duplicates)

We never store

Name, email, or phone number
Biometric data of any kind
Raw GitHub username or activity
IP addresses or device fingerprints
Private keys or seed phrases
Any government-issued ID

Trust model

What we assume.

We believe in radical transparency. Here are the trust assumptions HumanLayer relies on.

GitHub signal accuracy
We trust GitHub activity as a proxy for human history. Accounts with long contribution histories are unlikely to be bots.
Reclaim Protocol
We use Reclaim Protocol for private GitHub verification. We trust their ZK proof system for data integrity.
zkVerify
On-chain proof verification is handled by zkVerify. We trust their verification contracts on Base L2.
Base L2
Credentials are minted on Base L2. We trust Coinbase's Base chain for settlement security.
Nullifier uniqueness
Duplicate prevention relies on Poseidon hash nullifiers. We trust that nullifier collision resistance holds.

Technology stack

Built on proven infrastructure.

Base L2
Credential settlement

Coinbase's EVM L2 for soulbound NFT issuance and nullifier registry.

zkVerify
Proof verification

On-chain ZK proof verification layer for identity claims.

UltraPlonk
ZK circuit

Zero-knowledge proof system for private score threshold proofs.

Reclaim Protocol
GitHub verification

Privacy-preserving web proof system for off-chain data.

Poseidon Hash
Nullifier

ZK-friendly hash function for duplicate prevention.

ERC-5192
Soulbound standard

Minimal soulbound NFT interface — locked, non-transferable.

Security contact

Found a vulnerability? Please disclose responsibly. We take all reports seriously.

security@humanlayer.network