01Executive Summary
One identity. One profile. Every layer.
Digital World gives every member one simple experience: create one Digital World identity, receive recovery words, receive a wallet, and immediately begin using Communication, Social, Payments, Marketplace, Storage, and Intelligence. No forced identity verification. No second sign-up. No second profile photo.
Verification is a later, optional step. A government program, bank, employer, school, or accredited verification provider issues credentials to the member-owned identity. Credentials add trust; they never create, replace, or control the identity.
This version (v3) aligns the specification to the published 12-layer LIFE stack, defines the repository strategy under gitlab.com/digitalworld, and specifies the machine-readable Layers Integration Module that feeds every public surface from this single source of truth.
Canonical endpoints
These four destinations are normative. Every layer page, doc, SDK, and repo link in this specification, on the public site, and in generated navigation resolves under one of them. Anything published elsewhere is a mirror, not a source.
| Surface | Canonical URL | Contains |
|---|---|---|
| Docs | https://docs.digitalworld.earth/ | Product and developer documentation, guides, spec extracts, per-layer landing pages. |
| Layers | https://www.digitalworld.earth/layers | The public 12-layer LIFE stack, rendered from the same manifest as Section 3. |
| SDKs | https://docs.digitalworld.market/ | SDK downloads and guides plus API references and machine-readable specs per layer. |
| Code | https://gitlab.com/digitalworld | All layer, application, and specification repositories, fully open source. |
02Core Principles
Every engineering decision in this document traces back to one of these.
03The 12-Layer LIFE Stack
The engineering spine of this document maps one-to-one to the public stack at digitalworld.earth/layers. Each layer below links to its branded repository, its documentation on docs.digitalworld.earth, and its SDK and API references on docs.digitalworld.market. This section is rendered from the same layers.json manifest defined in Section 18, so the spec, the marketing site, the docs, and the SDK portal can never drift apart.
Repository convention: gitlab.com/digitalworld/dw-<layer> · Docs: docs.digitalworld.earth/<layer> · SDK and API: docs.digitalworld.market/<layer> · Public anchor: digitalworld.earth/layers#<layer>. Payments, wallet, DUSD, credit, and exchange live in Layer 06 and are available to every member from onboarding forward.
04Identity Spine
How one root identity powers every layer without ever being exposed.
Self-certifying identifier with a verifiable key event log. Held by the member, recoverable by words, rotatable without loss of history. Never used directly as a public handle or endpoint.
Avery DW8X...7K3D · handle 9kwjkbso
| Layer group | Purpose | Owner |
|---|---|---|
| Identity and Resolution (05, 04) | Root identity, recovery, derived keys, rotation, delegation, LIFE namespace, discovery. | Member |
| Profile and Trust | Shared display name, photo, username, bio; credentials and endorsements from issuers. | Member (issuers attest, never own) |
| Personas | Personal, Professional, Family, Dating, Research, and future contexts as views over the root. | Member |
| Data (08, 07) | Vault, health records, imports, portability requests, graph data. | Member |
| Applications (06, 09, 10, 12) | Finance, Communication, Social, Marketplace, Experience surfaces. | Member authorizes apps |
| Infrastructure (01, 02, 03) | Governance, network, and nodes. Decentralized foundation for trust and scale. | Jurisdictional and member governed |
- Communication account equals endpoint.
- Social handle equals endpoint.
- Root identity equals ownership.
- Shared profile equals presentation.
- Derived keys equal service-specific authority.
05Onboarding: Words, Wallet, Go
Delayed verification is the default path, not an edge case.
- Member installs Digital World.
- Member selects Create Identity (or Restore with recovery words).
- System generates the root identity and inception key event on device.
- Member receives and confirms recovery words.
- Wallet is created automatically; the member can send and receive payments immediately.
- Communication, Social, and core services are provisioned with derived service identities.
- Member sets the shared profile once: display name, photo, username, bio.
- Verification is offered later, in context, when an action requires a credential.
06Shared Profile Service
The single source of truth for how a member appears, everywhere.
The Shared Profile Service prevents the classic failure where a member is "Bob" with one photo on one service and "Robert" with another photo somewhere else, and cannot remember which is which. Enter it once; every layer inherits it.
| Field | Description | Default visibility |
|---|---|---|
display_name | Member selected display name. | Service dependent |
profile_image | Member selected photo or avatar, content-addressed in the vault. | Service dependent |
preferred_username | Global username reserved once in the LIFE namespace (Layer 04). | Public where used |
bio | Short description. | Optional |
identity_display | First name plus derived key fragment, e.g. Avery DW8X...7K3D, shown wherever cryptographic identity matters. | Contextual |
profile_version | Monotonic version counter for synchronization. | Internal |
- Every service subscribes to the shared profile by default.
- Changes publish a
profile.updatedevent; subscribed services converge within seconds. - Services may support per-service overrides, but the UI must clearly show when an override is active.
- Members can remove an override at any time and return to the shared profile.
- Persona activation switches the presented profile atomically across participating services.
07Derived Service Identities
Independent keys per layer. One compromise never becomes twelve.
Each layer receives its own derived identity and key set from the root, using deterministic, member-recoverable derivation. This avoids one private key being reused everywhere and lets any single layer rotate or be replaced without touching the others.
| Layer | Derived identity | Reason |
|---|---|---|
| 09 Communication | Communication identifier and device keys | Messaging, room membership, endpoint authentication, session encryption. |
| 10 Social | Social identifier and keys | Posts, follows, communities, public handle, portable reputation. |
| 06 Finance | Wallet signing keys | Payments, DUSD, asset signing on Digital World Chain, recovery isolation. |
| 10 Social / Market feed | Marketplace identifier and keys | Listings, transactions, buyer and seller reputation. |
| 07 Health | Health record keys | Consent-gated records, provider sharing, disclosure isolation. |
| 08 Storage | Vault encryption keys | Personal vault, sharded backup, per-persona data scopes. |
| 11 Intelligence | Agent identifiers with scoped keys | Member-authorized agents, delegated and revocable authority, auditable actions. |
keys.rotated event on any derived identity affects that service only. Root rotation re-anchors all derivations through the key event log without changing any public handle or endpoint.08Communication and Social
Two layers, two derived identities, one member, one profile.
The existing Communication platform (Layer 09) is already live with its own identifier system, as shown in the current member identity screens. That identifier is hereby classified as a communication endpoint, not the root identity. The Social platform (Layer 10) receives its own derived identity but inherits the shared profile, so activating Social never asks the member to pick a second name or upload a second photo.
preferred_username in the LIFE namespace, so it matches the member's identity everywhere.When a member who already has a Communication account activates Social, provisioning is silent: derive the Social identity, subscribe it to the shared profile, reserve the username if not yet reserved, done. The migration procedure for existing accounts is defined in Section 22.
09Verification and Credentials
Verification is credential issuance, never identity creation. Verifiable credential context
When trust is needed, the member verifies with an issuer and receives a chained verifiable credential bound to the root identity. The credential travels with the member, supports native partial attribute disclosure (prove "over 18" without revealing a birthdate), and can be revoked by the issuer without affecting the identity itself.
Issuer classes
- State and government identity programs (see SEDI, Section 16).
- Banks and financial institutions (verify by logging into an existing account).
- Accredited third-party verification providers, operated as OEM installations under Digital World branding.
- Employers, schools and universities, professional licensing organizations.
| Credential | Unlocks |
|---|---|
| Verified Human | Fraud and bot reduction across Social and Marketplace. |
| Verified Adult | Age-restricted content, products, and transactions. |
| Verified Bank Customer | Higher-trust financial actions, fiat ramps, credit (Layer 06). |
| Verified Business Owner | Marketplace seller tier and organizational authority. |
| Verified Employee / Student / Licensee | Enterprise access, endorsements, professional persona proof. |
Credentials compose into endorsements: an issuer or a trusted member can endorse an attribute of another member's credential, building a trust network (Layer 05) without any central authority owning it.
10Personas
Different contexts, different resources, one root, zero confusion.
Personas let one member operate in different contexts without creating separate root identities. Each persona is a named view that bundles a presentation, a data scope, credentials, and communication resources. Switching personas switches all of them atomically.
| Persona | Profile | Data scope | Communication resources |
|---|---|---|---|
| Personal | Personal name and photo. | Friends, family, photos. | Personal number, inbox, chat. |
| Professional | Work name, title, headshot. | Resume, work history, endorsements. | Business number, email, professional chat. |
| Family | Family name, photo or crest. | Lineage, relatives, stories, shared albums. | Family group chat, shared inbox. |
| Dating | Dating profile and selected photos. | Preferences and profile history. | Private masked number and inbox. |
| Research | Pseudonym or anonymous profile. | Limited disclosure data. | Temporary inbox, isolated messaging. |
- Persona resources (additional phone numbers, mailboxes, masked messaging channels) are provisioned through partner privacy APIs behind the Persona API; the partner is an implementation detail, never a member-facing brand.
- Each persona can pin its own credential set: the Professional persona presents Verified Employee, the Dating persona presents Verified Adult and nothing else.
- Persona separation is enforced at the data layer, not just the UI: vault scopes, graph partitions, and disclosure packages are persona-aware.
- Persona creation emits
persona.created, which provisions resources across Communication, Social, and Storage.
11Digital Choice Act Data Layer
Request, receive, import, use, delete. The member drives every step.
Digital World includes a Data Portability and Request Engine that operationalizes data rights legislation (Utah Digital Choice Act model, GDPR, CCPA, and successors). It helps members request their data from external providers, track the legal clock, receive and validate archives, import them into the vault, and optionally delete the raw source files after successful import.
| Mode | Description |
|---|---|
| Request Only | Generate, send, and track a formal provider data request with deadlines and escalation templates. |
| Request and Import | Request, receive, validate, normalize, and import into the member vault with persona mapping. |
| Request, Import, and Delete | Import structured data, confirm success with the member, then delete the raw source archive on the member's instruction. |
- Every request, receipt, import, and deletion is written to the member-visible audit log.
- Deadline tracking and provider response monitoring are handled by Intelligence (Section 15).
- Disclosure packages can be generated from imported data for specific use cases, with selective fields only.
12Import Framework
One adapter contract, many sources, persona-aware normalization.
Every import source implements the same adapter contract: detect → validate → extract → normalize → map → commit. Adapters live in gitlab.com/digitalworld/dw-import-adapters and are individually versioned against source archive formats.
| Source class | Example imported data | Persona mapping |
|---|---|---|
| Social networks | Friends, photos, posts, groups, comments. | Personal, Social, Family. |
| Professional networks | Work history, contacts, recommendations, skills. | Professional. |
| Dating platforms | Profile, photos, match history, preferences. | Dating. |
| Genealogy files and services | Family tree, relatives, dates, places, sources, media. | Family (feeds the Lineage graph, Section 14). |
| Banking and finance | Transactions, accounts, statements, verification signals. | Financial. |
| Healthcare | Records, providers, visits, prescriptions. | Health (Layer 07). |
| Email, contacts, calendars, drives | Messages, address books, events, documents, media. | Personal, Professional. |
- Raw archives are encrypted at rest in a quarantine area of the vault until normalization completes.
- Normalization produces typed records (contact, post, transaction, record, person, event) with provenance pointers back to the raw source.
- Duplicate detection and entity resolution across sources are performed by Intelligence with member confirmation.
13Member Data Vault
Layer 08: your data, encrypted, sharded, and yours to control.
The vault stores normalized member-owned data, credentials, graph data, documents, files, and persona-scoped resources. It is addressed by content, keyed to the member's derived storage identity, and sharded for backup across nodes the member chooses.
14Graphs and Lineage
Relationships are member data too.
| Graph | Contents | Use case |
|---|---|---|
| Social graph | Friends, followers, groups. | Rebuild networks after import; invite friends across layers. |
| Professional graph | Colleagues, companies, skills. | Professional persona and endorsements. |
| Lineage graph | Parents, children, ancestors, places, sources, stories. | Family persona, genealogy, shared memories, inheritance of family spaces. Maintained in dw-lineage. |
| Financial graph | Accounts, institutions, payments. | Budgeting, credit, reputation (member-consented only). |
| Health graph | Providers, records, events. | Health organization and consent-based disclosure. |
Graphs live in the graph vault, are queryable through the Graph API, and are partitioned by persona scope. No graph is ever readable by the platform for advertising or profiling; Intelligence queries run under the member's own agent identity.
15Digital World Intelligence
Layer 11 serves the member. It is never a surveillance system for the platform.
- Summarize imported data and surface what matters.
- Detect duplicate contacts and records across sources; propose merges for member confirmation.
- Build and maintain relationship graphs, including the Lineage graph.
- Recommend persona organization ("these 214 contacts look professional; move to Professional?").
- Prepare formal data requests and track provider responses and legal deadlines.
- Generate disclosure packages with the minimum fields for a stated purpose.
- Operate only through scoped agent identities with member-granted, revocable, auditable authority.
16SEDI Reference Installation
State-Endorsed Digital Identity, demonstrated in production shape.
Digital World maintains a reference implementation for State-Endorsed Digital Identity concepts and a Digital Bill of Rights reference installation in Utah. It maps every legislative requirement to a shipping product flow, giving public sector, private sector, and member-owned trust a shared developer model.
| Requirement theme | Digital World implementation |
|---|---|
| Right to create and own a digital identity | Root identity created on device, owned by the member (Sections 4, 5). |
| Right to control data and likeness | Vault ownership, persona scopes, profile control (Sections 6, 13). |
| Right to request data from providers | Data Portability and Request Engine (Section 11). |
| Right to import and reuse member-owned data | Import Framework and normalization (Section 12). |
| Right to selective disclosure | Native partial attribute disclosure on credentials (Section 9). |
| Right to persona separation | Persona architecture with enforced data scoping (Section 10). |
| Right to recovery and portability | Recovery words, key event log continuity, exportable vault (Sections 5, 21). |
The SEDI reference ships with example screens, reference APIs, and developer notes at docs.digitalworld.earth, with SDK and API references at docs.digitalworld.market.
17Repository and Branding Strategy
One namespace, one brand, upstream discipline.
Each layer is built on the strongest open source foundation available for its domain. Those upstream projects are forked into gitlab.com/digitalworld, rebranded under Digital World naming, and maintained with a documented upstream sync policy. Member-facing surfaces, marketing, and documentation reference only Digital World names.
| Repo | Layer | Contents |
|---|---|---|
dw-governance | 01 | Protocol governance, standards council tooling, treasury, dispute resolution. |
dw-network | 02 | Compute, storage, validation, routing networks, P2P overlay. |
dw-node | 03 | Home, edge, cloud, mobile, enterprise, and validator node builds. |
dw-resolution | 04 | LIFE namespace, identifier resolution, service discovery, endpoint map. |
dw-identity | 05 | Root identity, key event logs, derived identities, credentials, recovery, trust network. |
dw-finance | 06 | Payments, wallet, DUSD, credit, and Digital World Chain, Exchange, and Explorer integration. |
dw-health | 07 | Health records, care network, consent, history. |
dw-storage | 08 | Personal vault, file storage, sharded backup, sync, data markets. |
dw-comms | 09 | Messaging, voice, video, presence, rooms, broadcast. |
dw-social | 10 | Social graph, communities, content, reputation, market feed, events. |
dw-intelligence | 11 | Personal AI, agent framework, memory layer, model network, skills. |
dw-experience | 12 | Mobile, desktop, web, voice, XR, and wearable clients. |
dw-lineage | App | Family and genealogy application over the Lineage graph. |
dw-import-adapters | App | Versioned import adapters for the Import Framework. |
dwes | Spec | This specification, the layers manifest, diagrams, and API contracts. |
Fork policy
- Brand at the edge, sync at the core. Rebranding is confined to naming, theming, and configuration layers so upstream security patches merge cleanly.
- Upstream names never surface. Package names, UI strings, docs, and public APIs use Digital World naming only. Upstream attribution and licenses are preserved in each repo per license requirements.
- Everything stays open. All forks and all Digital World original code remain fully open source. Nothing is described or licensed as proprietary.
- One CI convention. Every repo ships the same pipeline stages: build, test, license-check, brand-lint (fails on upstream name leakage into member-facing strings), and spec-sync against
dwes.
18Layers Integration Module
One manifest feeds the spec, the site, and the docs portal.
The stack in Section 3, the public page at digitalworld.earth/layers, the docs at docs.digitalworld.earth, and the SDK and API portal at docs.digitalworld.market all render from a single machine-readable manifest, layers.json, published from gitlab.com/digitalworld/dwes. Changing a layer's name, chips, or links in the manifest updates every surface on the next deploy.
Manifest shape
{
"standard": "LIFE",
"version": "3.0",
"endpoints": {
"docs": "https://docs.digitalworld.earth",
"layers": "https://www.digitalworld.earth/layers",
"sdks": "https://docs.digitalworld.market",
"code": "https://gitlab.com/digitalworld"
},
"layers": [
{
"number": 6,
"id": "finance",
"name": "Finance Layer",
"tagline": "Payments, assets, and value that you own.",
"chips": ["Payments", "Wallet", "Assets", "DUSD", "Credit", "Exchange"],
"repo": "https://gitlab.com/digitalworld/dw-finance",
"docs": "https://docs.digitalworld.earth/finance",
"sdk": "https://docs.digitalworld.market/finance/sdk",
"api": "https://docs.digitalworld.market/finance/api",
"anchor": "https://www.digitalworld.earth/layers#finance",
"derivedIdentity": true,
"availableUnverified": true
}
]
}
Consumption contract
- digitalworld.earth/layers renders the 12 rows (number, name, tagline, chips) plus Code, Docs, SDK, and API buttons from the manifest, exactly as this document does in Section 3.
- docs.digitalworld.earth generates its top-level navigation and per-layer landing pages from the same manifest; each layer page hosts the guides and spec extracts for that layer at
/<id>. - docs.digitalworld.market hosts the SDK downloads, SDK guides, and API references per layer at
/<id>/sdkand/<id>/api, generated from the same manifest. - URL conventions are fixed:
/layers#<id>on the site,docs.digitalworld.earth/<id>for docs,docs.digitalworld.market/<id>/sdkand/<id>/apifor developer references,dw-<id>in the code namespace. - Validation: CI in
dwesvalidates the manifest against a published JSON Schema and checks every URL resolves before deploy. - The manifest is served with CORS enabled so partner sites and the staging environment at staging.digitalworld.earth can embed the stack directly.
19API Surface
Every API is documented at docs.digitalworld.earth, with SDK and API references at docs.digitalworld.market, and versioned in its layer repo.
| API | Layer | Core responsibilities |
|---|---|---|
| Identity API | 05 | Create, restore, rotate, delegate; key event log queries. |
| Profile API | 05 | Shared profile read and write, subscriptions, overrides. |
| Derived Identity API | 05 | Provision and rotate per-service identities. |
| Credential API | 05 | Issuance, presentation, partial disclosure, revocation, endorsements. |
| Persona API | 05/08 | Persona lifecycle, resource provisioning, scope enforcement. |
| Resolution API | 04 | Namespace reservation, identifier resolution, discovery. |
| Data Request API | 08 | Provider requests, deadline tracking, receipt validation. |
| Import API | 08 | Adapter execution, normalization, quarantine, commit. |
| Vault API | 08 | Encrypted storage, retrieval, retention, deletion. |
| Graph API | 08 | Graph queries and mutations, persona partitions. |
| Communication API | 09 | Messaging, rooms, presence, voice, video. |
| Social API | 10 | Posts, follows, communities, reputation, market feed. |
| Finance API | 06 | Payments, wallet, DUSD, exchange operations. |
| Intelligence API | 11 | Agent lifecycle, scoped queries, summaries, recommendations. |
| Audit API | cross | Member-visible logs for every disclosure and agent action. |
20Events and Synchronization
A small event vocabulary keeps twelve layers in agreement.
| Event | Subscribers | Purpose |
|---|---|---|
profile.updated | Communication, Social, Finance, Marketplace, Experience | Converge member presentation everywhere. |
persona.created / persona.switched | Persona, Communication, Social, Storage | Provision resources; switch presentation and scopes atomically. |
credential.issued / credential.revoked | Wallet, Trust, Persona | Enable or withdraw credential-gated actions. |
data_request.created / data_request.responded | Data Request Engine, Intelligence | Track provider requests and deadlines. |
import.completed | Vault, Graph, Intelligence | Trigger normalization, graph updates, dedupe proposals. |
keys.rotated | Target service only | Contain rotation; prevent cross-service impact. |
agent.granted / agent.revoked | Intelligence, Audit | Scope and instantly revoke agent authority. |
- Events are signed by the emitting derived identity and ordered per member.
- Consumers are idempotent; replaying an event stream reconstructs service state.
- Offline devices converge through the sync service in Layer 08.
21Security and Privacy
Defaults a member never has to configure.
- The root identity is never exposed as a public social handle or communication endpoint.
- Derived service keys are isolated; compromise of one layer never crosses into another.
- Public usernames reveal nothing about the root identity; identity display uses the first name plus derived key fragment convention, e.g. Avery DW8X...7K3D.
- Credentials support native partial attribute disclosure; full documents are never presented when a single attribute suffices.
- Personas prevent unintended cross-context leakage at the data layer, not just in the UI.
- Raw import files are encrypted in quarantine and deletable after normalization.
- All communication is end-to-end encrypted by default; vault content is encrypted with member-held keys.
- Every disclosure and every agent action is auditable by the member through the Audit API.
- Recovery words restore the root identity, the key event log restores derivations, and the sharded backup restores the vault.
22Communication Account Migration
Existing members upgrade in place; nothing breaks, nothing re-registers.
- Identify the existing Communication account and its current identifier.
- Create or restore the member root identity.
- Map the existing identifier as the Communication endpoint under the root.
- Provision the Communication derived identity and bind existing sessions to it.
- Adopt the existing display name and image as the candidate shared profile.
- If conflicts exist across devices or services, ask the member once which name and image become the shared profile.
- Provision Social with its own derived identity, inheriting the confirmed shared profile.
- Reserve
preferred_usernamein the LIFE namespace if not already reserved.
23Roadmap
Seven phases, each shippable on its own.
| Phase | Name | Deliverables |
|---|---|---|
| 1 | Identity and Wallet | Root identity, recovery words, automatic wallet, payments live, shared profile. |
| 2 | Communication and Social | Derived service identities, profile sync, endpoint mapping for existing accounts, Social activation, username reservation. |
| 3 | Verification and Credentials | Issuer integrations (government, bank, OEM verification provider), credential vault, endorsements, Seal Gold credential UI. |
| 4 | Personas | Personal, Professional, Family, Dating, Research personas; partner privacy APIs for numbers, inboxes, and masked messaging. |
| 5 | Data Portability | Digital Choice Act request engine, import adapters, normalization, retention controls, audit surface. |
| 6 | Digital Intelligence | Agent identities, graph building, Lineage graph, summarization, persona recommendations, compliance tracking. |
| 7 | SEDI Reference | Digital Bill of Rights reference installation, Utah SEDI implementation mapping, public developer model. |
24Engineering Acceptance Criteria
The build is done when every line below is demonstrably true.
- A member can create a Digital World identity without any verification, legal name, phone number, or email.
- A wallet is created automatically during onboarding and can send and receive payments immediately.
- The member receives recovery words and can restore identity, derivations, and vault from them.
- Communication and Social use separate derived keys and inherit the shared profile by default.
- A shared profile update syncs to all participating services within seconds.
- A member can create a persona with its own presentation, credential set, and communication resources.
- A member can request external data from a provider and track the response deadline.
- Imported data is normalized, persona-mapped, and committed to the vault with provenance.
- Raw imports can be deleted after successful import on the member's instruction.
- Credential issuance never replaces or controls the root identity, and revocation never damages it.
- A credential can prove a single attribute without disclosing the rest of the document.
- Social key rotation does not impact Communication, and vice versa.
- Replacing the Communication layer does not require root identity migration.
- The
layers.jsonmanifest validates in CI and renders identically in this spec, on digitalworld.earth/layers, and on docs.digitalworld.market. - Brand-lint passes: no upstream project name appears in any member-facing string, package name, or public API.
Digital World Engineering Specification v3 · Fully open source · Founding services providers: ClearSoftware, ClearCenter, Digital World, ClearFoundation · staging.digitalworld.earth