Sovereign Interactions Stack for Trustless Relationships

Identity you actually own, even when you are offline.

SISTR is an open protocol built on top of Nostr. It lets you prove who you are, what you are allowed to do and what you hold, with a single tap or scan, without a central authority, without surveillance, and without ever handing over more than the fact you choose to reveal.


Built on Nostr keys you already control. Transport-agnostic. No trusted setup. Public domain (CC BY-SA 4.0).

The problem

Identity is being rebuilt around control, not around you.

Across the world, digital identity is converging on a single shape: a credential issued, held and verified through infrastructure you do not control. The European Union is mandating the EUDI Wallet. Switzerland is rolling out its state e-ID (SWIYU). Know-Your-Customer and so-called anti-money-laundering rules keep expanding into ordinary, everyday interactions.

Each of these systems is defensible on its own. Taken together they push in the same direction: every proof of who you are routes through a central issuer or registry that can log it, correlate it, suspend it, or be compelled to hand it over. Convenience is real. So is the quiet accumulation of a complete, linkable record of where you go, what you join and what you are allowed to do.

Central points of failure

An issuer or registry that can verify you can also revoke, throttle or surveil you, and can be coerced into doing so.

Mandatory correlation

Every check leaks more than a yes or no: who asked, when, where, and tied to a stable identifier that follows you everywhere.

You are not the holder

Your "identity" lives in someone else's system. Access is granted to you, not held by you, and can be taken away.

Why Nostr

A sovereign identity needs a key that nobody can take from you.

Most "decentralized" identity still leans on something you do not ultimately control: a hosting instance, a registry, a resolver, a provider that can rename, suspend or de-list you. Nostr starts from the opposite premise. Your identity is a cryptographic keypair you generate and hold. No account, no issuer, no instance. Just a key, and the proofs you sign with it.

As Bitcoin is to money, Nostr can be to identity.

❌ Bound to a provider

  • AT Protocol (did:plc / did:web) ties your handle to a directory or a domain you must keep.
  • ActivityPub identity is an instance handle: lose the instance, lose the identity.
  • W3C DID registries reintroduce resolvers and methods someone has to operate.

✅ Held by you

  • A Nostr key is generated locally and never depends on a server to exist.
  • The same key works across every app and relay, with no central account.
  • Standard BIP-340 Schnorr signatures over secp256k1: boring, audited, portable.

What SISTR adds

Four things Nostr alone does not give you, built on the same key.

SISTR is not a competing stack and not a reinvention of cryptography. It is a thin, deliberately boring layer that turns the sovereign Nostr key into a practical identity tool for the situations where today's systems force you back into a central authority.

Offline, physical-world proofs

Prove your identity in person with an NFC tap or a QR scan using a challenge/response, with no network and no central identity provider in the loop.

NFC, QR, offline

Structured credentials with a real lifecycle

Issue, hold and verify credentials that can expire and be revoked, and that can be issued privately, rather than ad-hoc signed notes.

credentials, revocation

Privacy-preserving zero-knowledge proofs

Prove a fact about a credential (over 18, a member, holds a valid ticket) without revealing who you are or which credential you used.

ZKP

Hybrid transports

One core that works across NFC, QR and Nostr-native gift-wrapped messages today, with room for BLE and other channels later.

NFC, QR, Nostr, BLE

The SISTR stack sits on top of your existing Nostr key.

How it works

One tap. Three steps. No one in the middle.

Under the hood it is a classic challenge/response, kept small enough to run on constrained hardware and simple enough to audit. The point is what is missing: no central identity provider, no online check, no stable identifier handed over.

  1. Challenge

    The verifier (a door, a turnstile, a website, a small venue's phone) emits a fresh, random challenge over NFC, QR or a Nostr message.

  2. Prove

    Your device signs the challenge with your Nostr key, or produces a zero-knowledge proof over a credential, revealing only the fact being asked for.

  3. Verify

    The verifier checks the response locally. No round-trip to a central server, no account lookup, nothing logged to a third party.

A single tap completes the challenge, proof and verification, offline.
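
The three steps above, as an added example (not SISTR's own code or wire format): the verifier issues a fresh single-use challenge, the holder signs it with a BIP-340 key, and the verifier checks the response locally. The tag `sistr-example/auth`, the `ctx` verifier label, the 30-second lifetime and all function names are assumptions; the holder signs a tagged hash of context and challenge rather than the raw bytes, so the signature cannot double as one over another 32-byte value such as a Nostr event id. The curve arithmetic is pure Python for readability (not constant time) and the nonce derivation is simplified relative to BIP-340.

```python
import hashlib, secrets, time
P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order, G the generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
TAG = "sistr-example/auth"  # assumed domain-separation tag, not from the SISTR spec
b32 = lambda i: i.to_bytes(32, "big")
num = lambda b: int.from_bytes(b, "big")

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    top, bot = (3 * a[0] ** 2, 2 * a[1]) if a == b else (b[1] - a[1], b[0] - a[0])
    l = top * pow(bot % P, -1, P) % P
    x = (l * l - a[0] - b[0]) % P
    return x, (l * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; not constant time, illustration only
    r = None
    while k:
        r, pt, k = (add(r, pt) if k & 1 else r), add(pt, pt), k >> 1
    return r

def H(tag, *parts):  # BIP-340 tagged hash: SHA256(SHA256(tag) twice || parts)
    return hashlib.sha256(hashlib.sha256(tag.encode()).digest() * 2 + b"".join(parts)).digest()

def sign(d, msg):  # holder (step 2): BIP-340 signature over a 32-byte message
    pt = mul(d, G)
    d = d if pt[1] % 2 == 0 else N - d          # x-only keys imply an even y
    k = num(H("BIP0340/nonce", secrets.token_bytes(32), b32(d), msg)) % N
    r = mul(k, G)
    k = k if r[1] % 2 == 0 else N - k
    e = num(H("BIP0340/challenge", b32(r[0]), b32(pt[0]), msg)) % N
    return b32(r[0]) + b32((k + e * d) % N)

def verify(pub, msg, sig):  # BIP-340 verification; pub is the 32-byte x-only key
    x, r, s = num(pub), num(sig[:32]), num(sig[32:])
    y = pow(x ** 3 + 7, (P + 1) // 4, P)        # candidate square root for lift_x
    if len(pub) != 32 or len(sig) != 64 or max(x, r) >= P or s >= N or (y * y - x ** 3 - 7) % P:
        return False
    e = num(H("BIP0340/challenge", sig[:32], pub, msg)) % N
    R = add(mul(s, G), mul(N - e, (x, y if y % 2 == 0 else P - y)))
    return R is not None and R[1] % 2 == 0 and R[0] == r

def new_challenge(pending, ttl=30.0):  # verifier (step 1): fresh, random, with a deadline
    pending[(c := secrets.token_bytes(32))] = time.monotonic() + ttl
    return c
def check(pending, ctx, pub, c, sig):  # verifier (step 3): pop() spends the challenge
    return time.monotonic() < pending.pop(c, 0.0) and verify(pub, H(TAG, ctx, c), sig)
```

A holder answers challenge `c` from the verifier labelled `ctx` with `sign(secret, H(TAG, ctx, c))`; the verifier then calls `check(pending, ctx, pub, c, sig)`, which accepts a given challenge at most once and only before its deadline.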

Use cases

Real situations where you should not have to trust a middleman.

These are not hypotheticals bolted onto a protocol. They are the scenarios that shaped SISTR's design: everyday interactions where the convenient option today quietly forces you to identify yourself to someone who did not need to know.

🎫 Anti-scalping ticketing, without KYC

Sell and check event tickets bound to a credential, resistant to scalping, settled over Nostr-native payments, with no identity document collected at the door.

NIP-52, NIP-57, ZKP

🚪 Sovereign access control

Replace plastic RFID badges with a single offline tap. No central badge server, no provider that can silently log every door you open.

NFC, offline

🥸 Anonymous web sign-in

Sign in to a site by proving a fact about a credential, without ever disclosing your public key or building a trackable account.

NIP-46, ZKP

🪪 Proof of membership or eligibility

Prove you belong, qualify or are entitled (over 18, a member, a subscriber) without revealing who you are or which credential you hold.

ZKP, credentials

🎟️ BLE | QR for small venues

No NFC hardware? A laptop acting as a BLE beacon or showing an on-screen QR challenge runs the same offline flow with nothing more than a phone camera, or a hybrid route in which only the verifier is online.

QR, BLE, offline

🎖️ NIP-58 badges!

Real-life uses for Nostr badges as an eligibility proof, allowance or pass, because SISTR is built to be compatible with existing Nostr schemes from day one.

Nostr, badges

SISTR use cases overview: ticketing, access control, anonymous sign-in, proof of membership, QR fallback

Reference implementations

Working code, on real hardware, in the open.

SISTR is young and openly a work in progress. Rather than promise, we point at running reference implementations you can read, build and challenge today.

CustID

MVP beta, GPLv3

A mobile identity wallet and vault: a NIP-46 bunker, key manager and signer, with NFC and QR challenge/response and hardware-backed key storage. It is the sovereign key holder that the rest of the flow builds on.


SISTR NFC Prototype

single-tap flow operational

A reference NFC reader built on a Raspberry Pi with Tinkerforge bricklets. The single-tap signature flow is operational end to end, showing the verifier side runs on constrained, off-the-shelf hardware, no proprietary terminal required.

SISTR NFC Prototype single-tap challenge/response demo.

Design principles

Boring on purpose. That is the point.

SISTR is not trying to be clever. It is trying to be small, auditable and impossible to quietly capture. Every principle below exists to remove a place where trust, or control, could creep back in.

Same key as Nostr

Reuses the existing BIP-340 Schnorr key over secp256k1. No new key material, no second identity to manage.

Transport-agnostic core

The protocol does not care whether bytes travel over NFC, QR or Nostr. New channels plug in without touching the core.

No trusted setup

Nothing depends on a ceremony, a coordinator or a privileged party to bootstrap. There is no one to trust by construction.

Runs on constrained hardware

Designed to be implementable on small verifiers (ESP32, STM32, Raspberry Pi), not just powerful phones and servers.

KISS

Deliberately small and boring. The less there is, the less there is to audit, to break, and to abuse.

Public domain (CC0)

The protocol and brand are released under CC0. No license friction, no gatekeeper, free to fork and build on.

Get involved

Read it, break it, build on it.

SISTR is open, and while some parts are already mature and tested, others, such as anonymous credentials and ZKPs generated on handheld devices, are still at an early R&D stage. The most useful thing you can do is read the protocol, poke holes in it, and tell us where it is wrong.

SISTR's protocol specification is released under CC BY-SA 4.0. Use the SISTR name and logo to refer to the protocol, not to imply endorsement.