ONCHAINID
Self-sovereign identity contract used in ERC-3643 that links verified legal identities to blockchain wallets, enabling key rotation without re-KYC.
ONCHAINID is a self-sovereign identity smart contract framework at the core of the ERC-3643 (T-REX) standard for regulated security tokens. Rather than treating blockchain addresses as identities, ONCHAINID creates a persistent on-chain identity layer that links verified legal identities to wallet addresses. This decoupling is fundamental to how regulated Real-World Assets (RWAs) can operate on public blockchains while maintaining compliance with KYC, AML, and securities regulations.
The framework solves a critical architectural problem: in traditional ERC-20 whitelisting, if a user's wallet is compromised, the issuer must re-verify the user's identity and update every whitelist contract that references the old address. With ONCHAINID, the user retains their verified identity and simply rotates the wallet key linked to it.
Architecture and Key Management
Each ONCHAINID contract functions as an identity hub with a hierarchical key structure. The identity contract maintains two categories of keys that serve distinct purposes within the system.
Management keys have the highest privilege level and can add or remove other keys, including other management keys. These are analogous to root access and should be stored with the highest security standards, ideally in cold storage or hardware security modules. Management keys enable recovery scenarios: if an operational wallet is compromised, the management key can revoke the compromised key and link a new wallet address to the same verified identity.
Action keys (also called claim signer keys) are authorized to perform specific operations on behalf of the identity, such as signing transactions or interacting with DeFi protocols. These keys handle day-to-day operations and carry less risk if compromised because they can be revoked by management keys without affecting the underlying identity.
This separation of concerns mirrors enterprise access control patterns where administrative access is segregated from operational access. For institutional RWA platforms, this means a fund manager can have multiple operational wallets linked to a single verified identity, with centralized key management and decentralized execution.
Identity Claims and Verification
ONCHAINID stores identity attributes as cryptographic claims issued by trusted third parties known as Claim Issuers. A claim might attest that "this identity has passed KYC verification" or "this identity is a resident of jurisdiction X" without revealing the underlying personal data on-chain.
The claim structure follows a standard format where each claim contains a topic identifier (e.g., KYC status, country of residence, accredited investor status), the claim data (typically a hash or encrypted reference), and the Claim Issuer's signature. The Identity Registry contract maintains the mapping between wallet addresses and their ONCHAINID contracts, while compliance modules query these claims during transfer validation through the compliance hook pattern.
This architecture enables privacy-preserving compliance: the blockchain verifies that required claims exist and are signed by trusted issuers, but the actual identity documents remain off-chain. Regulators or auditors can request the underlying data through legal channels without it being publicly visible on the blockchain.
Key Rotation and Recovery
One of the most significant advantages of ONCHAINID over simple whitelist-based systems is the key rotation capability. In regulated markets, the inability to recover from key compromise is a serious liability issue.
When a wallet is compromised, the identity owner uses their management key to execute a key rotation: the compromised wallet address is unlinked from the ONCHAINID contract, and a new wallet address is linked in its place. All existing claims, verification status, and compliance attributes transfer automatically because they are bound to the identity contract, not the wallet address. The issuer does not need to re-verify the user, and no whitelist migrations are required across the ecosystem of contracts that reference the identity.
For issuers managing thousands of investors across multiple token contracts, this dramatically reduces operational overhead. A single key rotation on the ONCHAINID contract propagates the change everywhere that identity is referenced, rather than requiring manual updates to each token's whitelist.
Integration with ERC-3643 Compliance
Within the ERC-3643 framework, ONCHAINID serves as the trust anchor for all compliance decisions. Every token transfer triggers a verification check through the Identity Registry, which looks up the sender's and receiver's ONCHAINID contracts and validates that their claims satisfy the token's compliance requirements.
This creates a clean separation between identity management and compliance logic. The ONCHAINID contract handles who someone is, while the modular compliance contracts handle what they are allowed to do. If regulations change, new compliance modules can be deployed that query the same ONCHAINID claims differently, without requiring users to re-verify or obtain new identity contracts.
The ONCHAINID open-source implementation provides reference contracts for identity management, claim issuance, and key management that can be customized for specific regulatory environments.
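The following added example (not part of the original page and not the ONCHAINID reference contracts) is a simplified off-chain Python model of the claim check and key rotation described above. The class and function names, the string key and wallet labels, and the use of HMAC with a shared secret in place of the Claim Issuer's on-chain signature are assumptions made for illustration.

```python
import hashlib
import hmac

MANAGEMENT, ACTION = 1, 2   # key purposes (model values)
KYC = 1                     # claim topic id (constructed)

def sign(secret, identity_id, topic, data_hash):
    # HMAC stands in for the Claim Issuer's signature; it binds the claim to one identity.
    return hmac.new(secret, f"{identity_id}|{topic}|{data_hash}".encode(), "sha256").hexdigest()

class Identity:
    def __init__(self, identity_id, management_key):
        self.id, self.claims = identity_id, {}   # claims: topic -> (issuer, data_hash, sig)
        self.keys = {management_key: MANAGEMENT}

    def rotate(self, caller, old_wallet, new_wallet):
        # Only a management key may unlink a wallet and link its replacement.
        if self.keys.get(caller) != MANAGEMENT:
            raise PermissionError("caller is not a management key")
        self.keys.pop(old_wallet, None)
        self.keys[new_wallet] = ACTION

def is_verified(wallet, identities, trusted, required_topics):
    # Resolve the wallet to the identity that currently lists it as an action key.
    ident = next((i for i in identities if i.keys.get(wallet) == ACTION), None)
    if ident is None:
        return False
    for topic in required_topics:
        issuer, data_hash, sig = ident.claims.get(topic, (None, "", ""))
        secret = trusted.get(issuer)   # None when the issuer is not trusted
        if secret is None or not hmac.compare_digest(sig, sign(secret, ident.id, topic, data_hash)):
            return False
    return True

def demo():
    secret = b"constructed-issuer-secret"
    trusted = {"kyc-provider": secret}
    alice = Identity("identity-alice", "cold-mgmt-key")
    alice.keys["wallet-old"] = ACTION   # initial wallet link
    h = hashlib.sha256(b"off-chain KYC file (constructed)").hexdigest()   # only the hash is stored
    alice.claims[KYC] = ("kyc-provider", h, sign(secret, alice.id, KYC, h))
    before = is_verified("wallet-old", [alice], trusted, [KYC])
    try:   # the compromised wallet tries to rotate itself to another address
        alice.rotate("wallet-old", "wallet-old", "wallet-attacker")
        hijacked = True
    except PermissionError:
        hijacked = False
    alice.rotate("cold-mgmt-key", "wallet-old", "wallet-new")   # claim is not reissued
    after = [is_verified(w, [alice], trusted, [KYC]) for w in ("wallet-old", "wallet-new", "wallet-attacker")]
    return before, hijacked, after
```

Because the signed message includes the identity id, a claim copied onto a different identity fails the check, and a management key is never itself treated as a verified transfer wallet in this model.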
Related Terms
ERC-3643
A token standard for permissioned security tokens that integrates identity verification and compliance checks directly into transfer logic.
Self-Sovereign Identity
A decentralized identity model where users own and control their digital identity independently of any single platform, wallet, or service provider.
Identity Registry
ERC-3643 component acting as source of truth, mapping wallet addresses to verified on-chain identities and enabling compliance checks before transfers.
Forced Transfer
Administrative capability allowing issuers or controllers to move security tokens without the holder's private key, required for regulatory compliance and legal enforcement.

