Regulated Action Gateway

The trust layer for agent-powered commerce and digital identity wallets.

Paphwey turns high-risk agent actions into one secure flow: challenge, wallet step-up, attestation token, decision, and receipt. Merchants get policy-grade assurance. Users keep consent and data minimization in their wallet.

Short IAT validity: 2-5 min
Wallet approval UX: 1 tap
Auditable receipts: end-to-end

Why It Matters

Agents can move money and identity context faster than legacy trust flows can keep up.

Existing identity checks were designed for human-first web journeys. In agent-driven journeys, they break at checkout, onboarding, account recovery, and high-risk actions. Paphwey gives the market a reusable trust substrate: strong proof, clean UX, and measurable control.

For digital identity wallets

Paphwey is the execution layer that connects wallet-held user consent with real-time merchant decisions. Users see who is asking, why they are asking, and exactly what is being shared before they approve.

For relying parties and SaaS buyers

Integrate once through APIs and SDKs, enforce policy by action type, and get cryptographic attestation with receipt-grade evidence for compliance, dispute handling, and risk reporting.

How It Works

A single product loop from challenge to outcome.

Built for SaaS delivery: the platform handles orchestration, policy enforcement, tokenization, and audit output while your mobile wallet app keeps the user in control.

01 Challenge API

Create AGE, PRESENCE, VERIFIED, or advanced identity challenges with audience and nonce binding.

02 Risk + Policy

Define minimum assurance level, required claims, freshness windows, and jurisdictional constraints.

03 Wallet Notification

Push request to the companion app with clear request purpose and data disclosure preview.

04 User Approval

User confirms request intent. Biometric step-up binds the action to that exact request context.

05 IAT Token

Issue a short-lived signed attestation token with aud, nonce, assurance and issuer provenance.

06 Verification + Receipt

Verifier returns ALLOW, DENY, or STEP_UP and stores a tamper-evident receipt for trust operations.
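
The checks that steps 05 and 06 describe (signature, audience, nonce, short validity, minimum assurance, single use), written out as an added example; this is not Paphwey's code. The token layout, the HMAC standing in for the issuer's signature, and the assurance level names are assumptions.

```javascript
// Added example, not Paphwey code. Token layout, HMAC signing and the
// assurance level names are assumptions made for this sketch.
const crypto = require("node:crypto");

const KEY = crypto.randomBytes(32);             // constructed demo key
const LEVELS = ["low", "substantial", "high"];  // assumed assurance ordering
const usedNonces = new Set();                   // single-use store (in-memory here)

const mac = (body) => crypto.createHmac("sha256", KEY).update(body).digest();

// Token = base64url(JSON claims) + "." + base64url(HMAC over the first part)
function issueToken(claims) {
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${body}.${mac(body).toString("base64url")}`;
}

// Returns "ALLOW", "DENY" or "STEP_UP" for one presented token.
function verifyToken(token, expected, now = Date.now()) {
  const [body, sig] = String(token).split(".");
  if (!body || !sig) return "DENY";
  const given = Buffer.from(sig, "base64url");
  const want = mac(body);
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want)) return "DENY";

  let c;
  try { c = JSON.parse(Buffer.from(body, "base64url").toString("utf8")); }
  catch { return "DENY"; }
  if (!c || typeof c !== "object") return "DENY";

  if (c.aud !== expected.aud) return "DENY";        // issued for another relying party
  if (typeof c.nonce !== "string" || c.nonce !== expected.nonce) return "DENY"; // wrong challenge
  if (typeof c.exp !== "number" || now >= c.exp) return "DENY"; // validity window over
  if (usedNonces.has(c.nonce)) return "DENY";       // same approval presented twice

  const need = LEVELS.indexOf(expected.minAssurance);
  if (need < 0) return "DENY";                      // unknown policy level: fail closed
  if (LEVELS.indexOf(c.assurance) < need) return "STEP_UP";

  usedNonces.add(c.nonce);                          // consume the nonce on success
  return "ALLOW";
}
```

A token that fails only the assurance check does not consume its nonce, so the same challenge can be retried after a stronger step-up.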

WebSDK

Install once. Trigger verification only when agent activity and policy require it.

Paphwey provides a separate WebSDK for customer integration. It supports agent-context detection, challenge orchestration, approval polling, and attestation handoff while keeping API keys on the server.

Implementation instructions

  1. Install `@paphwey/web-sdk` in your application stack.
  2. Create backend adapter routes that call Paphwey using your server-side API key.
  3. Use the browser SDK to detect likely agent sessions and trigger challenge flow.
  4. Poll challenge status, issue attestation when approved, then verify server-side.

Why separate WebSDK + Server Client

Browser code should never hold RP credentials. The WebSDK handles client orchestration and UX timing, while the server client performs authenticated calls to create challenges and verify attestations.

This architecture is SaaS-ready for merchants, marketplaces, and agent-enabled apps because it preserves trust boundaries and supports consistent implementation across channels.

1) Install

```bash
npm install @paphwey/web-sdk
```

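2) Server Adapter (Node)

```js
// Assumes an Express app; `app` is created here so the route below runs.
import express from "express";
import { PaphweyServerClient } from "@paphwey/web-sdk/server";

const app = express();
app.use(express.json()); // parse JSON request bodies

// The RP API key is read from the environment and never leaves the server.
const paphwey = new PaphweyServerClient({
  baseUrl: process.env.PAPHWEY_BASE_URL,
  apiKey: process.env.PAPHWEY_API_KEY
});

// Adapter route called by the browser SDK; it forwards the request to Paphwey.
// Validate req.body and take the principal from the authenticated session
// before forwarding, since this input comes from the browser.
app.post("/paphwey/adapter/challenges", async (req, res) => {
  const challenge = await paphwey.createChallenge(req.body);
  res.json(challenge);
});
```
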
3) Browser Flow

```js
import { PaphweyWebSDK } from "@paphwey/web-sdk/web";

// The SDK only knows the application's own adapter routes, not the Paphwey API key.
const sdk = new PaphweyWebSDK({
  endpoints: {
    createChallenge: "/paphwey/adapter/challenges",
    startApproval: (id) => `/paphwey/adapter/challenges/${id}/approval-session`,
    challengeStatus: (id) => `/paphwey/adapter/challenges/${id}`,
    issueAttestation: (id) => `/paphwey/adapter/challenges/${id}/issue-attestation`
  },
  alwaysTriggerFor: ["AGE_REQUIRED", "PRINCIPAL_PRESENCE_REQUIRED"]
});

// `user` is the application's signed-in user object.
const result = await sdk.startVerification({
  principalId: user.principalId,
  challengeType: "AGE_REQUIRED",
  riskLevel: "high"
});
```

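4) Verify Attestation

```js
// Server-side: `paphwey` is the PaphweyServerClient from step 2, and
// `result.token` is the attestation handed off from the browser flow.
if (result.status === "verified") {
  const verify = await paphwey.verifyAttestation(
    result.token,
    "merchant.example.com"
  );
  // ALLOW / DENY / STEP_UP workflow follows here
}
```
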
Know Your Agent

KYA processing is the next trust boundary for autonomous transactions.

Know Your Agent is about proving which agent acted, under what authority, and with what user-approved limits. Paphwey links this to wallet consent so organizations can scale agent autonomy without dropping assurance.

Agent provenance

Bind every regulated action to an accountable actor chain: principal, agent context, relying party, and challenge session.

Intent-bound consent

Approval is attached to a specific request and audience, not a generic consent state that can be replayed elsewhere.

Policy-grade outcomes

Outcomes become operational controls in your SaaS workflows, from checkout risk to KYC and account recovery gates.

Vision

Build the default trust fabric for digital identity wallets in the agent era.

Paphwey is not just a verification endpoint. It is the trust control plane for AI-enabled commerce and services: one platform that unifies wallet UX, regulated action orchestration, and cryptographic proof delivery as a SaaS product. As ecosystems mature, issuer routing can expand to external wallets and verifiable credential networks without changing merchant integration.