Anonymous credit tokens

An anonymous credit token is a bearer credential for metered access. A server issues you a token worth some number of credits. You spend from it in increments, and each spend carries a zero-knowledge proof that the token is genuine and the arithmetic is honest. The server can check all of that while learning nothing that links the spend to your issuance or to any of your other spends.

The trust runs both ways and both directions are cryptography, not policy. The issuer verifiably cannot connect your spends to each other or to you: the only value it ever sees twice is a one-time nullifier, and that only repeats if the same token is spent twice. You provably cannot spend more than you were issued: the balance is committed inside the token and a range proof rules out overdrafts. No account, no identifier, no cookie: the token is the entire relationship.

What runs here

This site operates two independent issuers over one shared nullifier store:

Issuance is metered by proof of work rather than payment: request a challenge, mine it, and the issuer signs you a token worth up to 1024 credits. A companion terminal wallet, act-wallet, mines, holds tokens for both schemes, and journals every operation so a dropped connection never destroys value.

Status, plainly

This deployment is experimental and unaudited, and its credits are worthless by design. The issuers' own parameter endpoints say so in machine-readable form:

experimental and unaudited; credits have no monetary value and may be erased at any time

Balances can be erased at any time by retiring the key epoch (currently e1). Treat everything here as a public working demonstration of a protocol, priced accordingly at zero.

Where to start