An Identity Hub is a decentralized off-chain data storage and relay mechanism that gives an identity owner sovereign control over their encrypted verifiable credentials and personal data. Operating as a personal data vault, it replicates state across multiple Decentralized Web Nodes (DWNs) to ensure availability while preventing any single infrastructure provider from holding custodial access to the plaintext identity information.
Glossary
Identity Hub

What is Identity Hub?
An Identity Hub is a decentralized personal data store enabling identity owners to securely manage, encrypt, and replicate verifiable credentials and identity data across multiple nodes without vendor lock-in.
Built on semantic data schemas and DIDComm Messaging protocols, the hub facilitates secure, asynchronous data synchronization and selective disclosure. It acts as the persistence layer for a Self-Sovereign Identity (SSI) architecture, allowing an entity to manage access grants, revoke permissions, and propagate encrypted state changes across a mesh of nodes without relying on a centralized cloud provider or a specific blockchain consensus mechanism.
Key Features of an Identity Hub
An Identity Hub is a decentralized personal data store that enables identity owners to securely manage, encrypt, and replicate their verifiable credentials and identity data across multiple nodes. The following architectural features define its core capabilities.
Semantic Data Modeling
Identity Hubs organize data using JSON-LD schemas and standardized vocabularies, ensuring interoperability across different decentralized identity ecosystems.
- Supports W3C Verifiable Credential data models natively
- Enables rich, machine-readable context through linked data
- Allows arbitrary JSON objects to coexist with structured credential formats
- Facilitates cross-platform data portability without vendor lock-in
Encrypted Personal Vault
All data stored within an Identity Hub is encrypted at rest using keys controlled exclusively by the identity owner, ensuring zero-access architecture.
- Implements AES-256-GCM symmetric encryption for stored objects
- Uses X25519 elliptic curve keys for asymmetric key exchange
- Supports per-object encryption granularity for selective sharing
- Prevents hub operators or cloud providers from inspecting plaintext data
Multi-Node Replication
Identity Hubs support eventual consistency replication across multiple decentralized nodes, ensuring data availability even if individual nodes go offline.
- Synchronizes encrypted state across Decentralized Web Nodes (DWNs)
- Uses conflict-free replicated data types (CRDTs) for merge resolution
- Enables geographic distribution for latency optimization
- Maintains data sovereignty by replicating only to owner-authorized nodes
Permissioned Access Control
Fine-grained capability-based authorization allows identity owners to grant and revoke access to specific data objects for verifiers, applications, or autonomous agents.
- Issues authorization tokens scoped to individual records or collections
- Supports time-bound access grants with automatic expiration
- Enables revocation of previously granted permissions without data re-encryption
- Provides audit logs of all access events for compliance verification
Protocol-Based Interfaces
Identity Hubs expose standardized DIDComm Messaging and HTTP REST endpoints, enabling secure, asynchronous communication between decentralized identity agents.
- Implements DIDComm v2 for encrypted peer-to-peer messaging
- Supports both mediated (relay-based) and direct transport modes
- Provides RESTful APIs for credential storage, query, and presentation
- Enables machine-to-machine interactions for AI Agent Identity use cases
Cryptographic Commitment Schemes
Identity Hubs leverage Merkle tree accumulators and commitment structures to enable efficient credential revocation without revealing underlying identity data.
- Integrates with Revocation Registries for real-time status checks
- Supports BBS+ selective disclosure proofs derived from stored credentials
- Enables non-correlatable presentations through zero-knowledge proof generation
- Maintains cryptographic integrity of stored credentials through signed hashes
Frequently Asked Questions
Technical answers to the most common architectural and security questions regarding decentralized personal data stores and the Identity Hub specification.
An Identity Hub is a decentralized personal data store that allows an identity owner to securely manage, encrypt, and replicate their verifiable credentials and identity data across multiple nodes. It functions as a semantic data lake controlled entirely by a Decentralized Identifier (DID) . Rather than storing data in a centralized cloud provider, the Hub replicates encrypted state across a mesh of Decentralized Web Nodes (DWNs) . When an identity owner wants to share a Verifiable Credential (VC) , they authorize a specific DID to query the Hub's interface. The Hub resolves the request against a local permissions matrix, decrypts the relevant data object using the owner's private key, and returns the result. This architecture ensures that the data remains physically distributed but logically centralized under the owner's cryptographic control, eliminating vendor lock-in and single points of failure.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
An Identity Hub operates within a broader decentralized identity architecture. These related concepts define the protocols, data formats, and cryptographic primitives that enable secure, user-controlled data storage and exchange.
Decentralized Web Node (DWN)
The foundational specification for a personal data store and relay node. A DWN enables an entity to securely store, discover, and share data without vendor lock-in. Identity Hubs are often implemented as DWNs.
- Provides standardized APIs for data replication
- Supports encrypted threads and sync protocols
- Eliminates reliance on centralized cloud storage
Verifiable Credential (VC)
A tamper-evident, cryptographically verifiable digital credential conforming to W3C standards. The Identity Hub stores these VCs, which represent claims issued by an authority about a subject.
- Encoded in JSON-LD or JWT formats
- Contains issuer signature and revocation metadata
- Enables zero-knowledge proofs when paired with BBS+ signatures
DIDComm Messaging
A secure, asynchronous, peer-to-peer messaging protocol designed for private communication between DID controllers. Identity Hubs leverage DIDComm for encrypted data relay.
- Uses end-to-end encryption based on decentralized keys
- Supports routing protocols to mediate between agents
- Enables verifiable credential exchange without a central broker
Selective Disclosure
The ability of a credential holder to reveal only specific attributes or claims from a verifiable credential to a verifier. The Identity Hub manages the cryptographic material required for this.
- Minimizes unnecessary data exposure
- Implemented via BBS+ Signatures or CL Signatures
- Prevents correlation by revealing only necessary fields (e.g., proving age > 21 without revealing birthdate)
Revocation Registry
A cryptographically secure data structure that records the revocation status of verifiable credentials without revealing the underlying data. The Identity Hub must check this registry before presenting a credential.
- Often implemented as a bitstring or cryptographic accumulator
- Allows issuers to revoke credentials instantly
- Maintains privacy by not exposing which specific credential was revoked
Digital Identity Wallet
A secure application, often mandated by regulatory frameworks like eIDAS 2.0, that stores a user's verifiable credentials and cryptographic keys. The Identity Hub serves as the backend storage and sync layer for these wallets.
- Compliant with ISO 18013-5 for mobile Driver's Licenses
- Manages key generation and backup via seed phrases
- Interfaces with verifiers through OpenID for Verifiable Credentials (OID4VC)

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us