Verification Workflows
Institutions use the Document Vault to verify user-submitted documents as part of compliance, onboarding, and service delivery workflows. This guide covers the available verification patterns.
Verification Models
The vault supports two primary verification models:
1. Attestation Verification (Proof-Based)
The institution verifies that a document has been attested by a trusted verifier without accessing the document itself. This is the most privacy-preserving approach.
How it works:
- The institution queries the on-chain attestation record for the user's DID.
- The on-chain record confirms the document type, attestation provider, verification status, and timestamp.
- The institution accepts the on-chain attestation as proof of document validity.
When to use:
- Compliance checks that require proof of verification but not the underlying document.
- KYC pass-through where the institution trusts the attestation provider.
- Situations where data minimization regulations apply.
Institution ──> Cartesi Rollup ──> Read attestation record
(no document access needed)
2. Document Access Verification (Direct Access)
The institution requests direct access to view the document. The user must approve the request.
How it works:
- The institution submits an access request.
- The user reviews and approves the request in their vault.
- The institution retrieves and views the decrypted document.
- Access expires after the agreed duration.
When to use:
- Regulatory requirements that mandate document inspection (not just attestation).
- Manual review processes where a human reviewer must examine the document.
- Cross-border compliance where attestation alone is insufficient.
Institution ──> Request Access ──> User Approves ──> TEE Decrypts ──> Institution Views
Workflow: KYC Document Verification
The most common institutional workflow is KYC (Know Your Customer) document verification.
Flow
Step 1: Institution identifies user by wallet address or DID
│
v
Step 2: Institution queries on-chain attestation status
│
├── If attestation sufficient ──> Done (no document access needed)
│
v
Step 3: Institution requests document access (if needed)
│
v
Step 4: User receives request in vault UI
│
v
Step 5: User approves or denies
│
├── Denied ──> Institution notified, workflow ends
│
v
Step 6: Document is made accessible to institution via TEE
│
v
Step 7: Institution retrieves document
│
v
Step 8: Institution completes review
│
v
Step 9: Access expires or is revoked
Workflow: Financial Document Verification
For financial services compliance (bank account opening, loan applications):
- Institution requests access to financial documents (bank statements, tax returns).
- User selects which specific documents to share.
- Institution retrieves documents for review.
- Institution records the verification result in their own system.
- Access automatically expires.
Workflow: Education Credential Verification
For employment screening or academic program applications:
- Institution requests access to education documents (transcripts, diplomas).
- The request specifies the purpose (e.g., "Employment background check").
- User approves access to selected education documents.
- Institution verifies the credentials.
- Access expires after the specified duration.
Batch Verification
For institutions that need to verify multiple users:
- Each user must individually approve access requests. There is no bulk approval mechanism.
- Institutions can submit multiple access requests and track their statuses.
Verification Result Caching
Institutions should not cache decrypted documents beyond the access window. However, institutions may cache:
- Attestation verification results (on-chain data is public).
- The fact that a verification was completed (for their own compliance records).
- Timestamps and document types (non-PII metadata).