Prerequisites
This document lists what is required to deploy a zkIdentity instance, including hardware, software, KYC provider accounts, and blockchain infrastructure access.
Hardware Requirements
TEE-Capable Server
The attestor requires a server with Trusted Execution Environment support. TEE platforms such as Intel SGX, Intel TDX, AMD SEV-SNP, or AWS Nitro Enclaves can be used.
General server requirements:
- CPU with TEE support enabled in BIOS/firmware
- Sufficient RAM for enclave use (consult the team for recommended sizing)
- SSD storage for attestor binaries, sealed storage, and logs
- Stable internet connection with low latency to KYC provider APIs
Cloud Providers
Major cloud providers offer TEE-capable instances, including Azure (confidential VMs), GCP (confidential VMs), and AWS (Nitro Enclaves). Consult your cloud provider's documentation for available TEE instance types.
Development Environment (Non-TEE)
For development and testing, the attestor can run in simulation mode without a real TEE:
- Any modern x86_64 CPU is sufficient.
- No special BIOS settings required.
- Proof generation still works, but TEE attestation reports are simulated (not verifiable by third parties).
Simulation mode must never be used in production. Attestations generated in simulation mode are distinguishable from genuine TEE attestations and will be rejected by the production Cartesi rollup.
Software Dependencies
The attestor and frontend require Node.js and standard web development tooling. Docker is recommended for containerized deployment.
TEE-specific software (SDK, drivers, library OS) will depend on the chosen TEE platform. Consult the platform vendor's documentation for setup instructions.
KYC Provider Accounts
You need active accounts with at least one KYC provider.
Smile ID
- Account type: Business/Enterprise
- Required credentials: Partner ID, API Key, Signature Key (for webhook verification)
- Onboarding: Contact Smile ID sales team or sign up at smileidentity.com
- Sandbox available: Yes (for testing without real document verification)
Plaid
- Account type: Developer or Production
- Required credentials: Client ID, Secret Key (per environment)
- Onboarding: Sign up at dashboard.plaid.com
- Sandbox available: Yes (with simulated bank accounts and identity data)
Blockchain Infrastructure
Cartesi Rollup
- Access to a Cartesi rollup node (either self-hosted or a hosted endpoint)
- The zkIdentity Cartesi DApp must be deployed and registered
Arbitrum
- Access to an Arbitrum L2 RPC endpoint (public or private)
- An Ethereum wallet funded with ETH on Arbitrum for rollup input submissions
IPFS
- A Pinata account for IPFS pinning: pinata.cloud
- Required credentials: API Key, API Secret
Network Requirements
The attestor requires outbound HTTPS access to:
- KYC provider APIs (Smile ID, Plaid)
- IPFS pinning service (Pinata)
- Arbitrum RPC endpoint
- Cartesi rollup endpoint
The attestor also requires inbound HTTPS access for webhook reception from KYC providers.
Ensure your firewall and security groups allow these connections.
Domain and TLS
- A domain or subdomain for the attestor's webhook endpoint.
- A valid TLS certificate for the webhook domain.
- DNS records pointing the domain to the attestor server.
Pre-Deployment Checklist
Before proceeding to Configuration, verify the following:
- TEE-capable server provisioned and TEE enabled
- Required runtime software installed
- Smile ID and/or Plaid accounts created with API credentials obtained
- Pinata account created with API credentials
- Arbitrum RPC endpoint accessible
- Cartesi rollup DApp deployed
- Attestor wallet created and funded on Arbitrum
- Domain name configured with TLS certificate
- Firewall rules allow required inbound and outbound traffic
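The items in this checklist that can be verified offline can be checked from a config object before deployment, as in the Node.js function below. This is an added example, not part of zkIdentity's own code. The config field names (environment, teeMode, webhookUrl, and so on) and the teeMode values are hypothetical.

```javascript
// Added example: offline preflight for the checklist above.
// All config field names are hypothetical, not zkIdentity's real settings.
const REQUIRED_CREDS = {
  smileId: ["partnerId", "apiKey", "signatureKey"],
  plaid: ["clientId", "secret"],
  pinata: ["apiKey", "apiSecret"],
};

function missingCreds(cfg, name) {
  const section = cfg[name] || {};
  return REQUIRED_CREDS[name].filter((k) => !section[k]);
}

function httpsProblem(label, value, requireDnsName) {
  let url;
  try { url = new URL(value); } catch { return `${label}: not a valid URL`; }
  if (url.protocol !== "https:") return `${label}: must use https`;
  // The webhook certificate is issued for a domain, so reject IP literals.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname) || url.hostname.startsWith("[");
  if (requireDnsName && (isIp || !url.hostname.includes("."))) {
    return `${label}: needs a DNS name covered by the TLS certificate`;
  }
  return null;
}

function preflight(cfg) {
  const problems = [];
  if (cfg.environment === "production" && cfg.teeMode !== "hardware") {
    problems.push("teeMode: simulation attestations are rejected in production");
  }
  // At least one KYC provider must be configured, with all of its credentials.
  const kyc = ["smileId", "plaid"].filter((p) => cfg[p]);
  if (kyc.length === 0) problems.push("kyc: configure Smile ID and/or Plaid");
  for (const name of [...kyc, "pinata"]) {
    for (const key of missingCreds(cfg, name)) problems.push(`${name}.${key}: missing`);
  }
  const outbound = { arbitrumRpcUrl: cfg.arbitrumRpcUrl, cartesiUrl: cfg.cartesiUrl };
  for (const [label, value] of Object.entries(outbound)) {
    const p = httpsProblem(label, value, false);
    if (p) problems.push(p);
  }
  const w = httpsProblem("webhookUrl", cfg.webhookUrl, true);
  if (w) problems.push(w);
  return problems;
}

// Constructed sample input: a production config left in simulation mode.
console.log(preflight({ environment: "production", teeMode: "simulation", webhookUrl: "https://203.0.113.5/hook" }));
```

An empty result covers only the offline items; reachability of the endpoints, the wallet balance, and the certificate chain still need a live check.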
Next Steps
- Configuration -- Set up environment variables and configure the attestor.
- Provider Setup -- Configure KYC provider integrations.
- Testing -- Verify the deployment with sandbox providers.