PoC Walkthrough

A step-by-step demonstration of consent-based digital identity in action

Overview

This proof of concept demonstrates how a consent-first digital identity system could operate in an Australian financial services context. The walkthrough covers five key stages — from identity setup through to verified data sharing and audit trail review.

The stages below follow the HR Onboarding & IP Proof journey.

1. Identity Setup & Credential Issuance

The DoF candidate is sent an invitation for their specific job offer and commences the process via a myID Consent link. This link lands on the appropriate government-branded myID Consent overview page, with instructions to download the app or access the web service.

  • User downloads or accesses an identity wallet application
  • Identity documents are verified by an accredited issuer
  • W3C-compliant Verifiable Credentials are issued to the wallet
  • Credentials are cryptographically signed and tamper-evident
W3C VC Standard · DID Method · Issuer Trust Framework

2. Consent Request Initiated

A screening or vetting party connected via API (security screening, police check, Right to Work or HR systems) requests access to specific identity attributes. The user receives a clear, plain-language consent request tied to the specific job pack, or to other shared services where they have opted in.

  • The HR system sends a structured consent request based on the job role and its screening requirements
  • Request specifies exactly which attributes are needed
  • User sees a plain-language summary before deciding
  • User can accept, decline, or partially approve the request
Consent Management · Selective Disclosure · CDR Aligned

3. Selective Disclosure & Data Sharing

Upon consent, only the approved attributes are shared — nothing more. Where the relying party needs only a predicate (for example "over 18") rather than the attribute itself, zero-knowledge proof techniques can verify the claim without revealing the underlying data.

  • Only consented attributes are released to the relying party
  • Zero-knowledge proofs enable verification without full disclosure
  • Data is shared via encrypted, standards-based protocols
  • No centralised data store: data remains in the user's pod or wallet, and the relying party receives only the consented attributes for the stated purpose
Zero-Knowledge Proof · Selective Disclosure · Solid Protocol

4. Verification & Trust Confirmation

The relying party verifies the credential's signature against the issuer's public key, obtained by resolving the issuer's DID, and does not need to ask the issuer about the individual presentation. Signature verification establishes who issued the credential; whether that issuer is accredited to assert the claim is decided against the trust framework's list of accredited issuers.

  • Credential signature is verified against the public key in the issuer's DID document
  • Revocation status is checked against the issuer's published status list; the verifier fetches the whole list, so the issuer does not learn which credential was checked
  • No per-presentation issuer contact is required, so verification is decentralised, but the issuer's DID document and status list must still be resolvable
  • Result: verified identity attribute with full audit trail
Cryptographic Verification · DID Resolution · Revocation Registry
5. Audit Trail & Consent Withdrawal

Every consent event is logged in an immutable audit trail. The log records the consent events themselves (who asked, for which attributes, for what purpose, and when), not the attribute values, so it can remain immutable without conflicting with erasure obligations. The user retains the right to withdraw consent at any time, which immediately revokes the relying party's access to data still held in the user's pod; data already disclosed is governed by the relying party's retention and deletion obligations rather than by technical recall.

  • Full audit log of all consent events is maintained
  • User can review who has accessed their data and when
  • Consent can be withdrawn instantly via the wallet
  • Withdrawal triggers immediate revocation of access to the user's data store
Audit Log · Right to Withdraw · Privacy Act Aligned

Technical Architecture

The PoC is built on open, interoperable standards — ensuring no vendor lock-in and full alignment with international best practice.

🪪 Decentralised Identifiers (DIDs)

The W3C DID standard enables self-sovereign identity: users control their own identifiers without depending on a central registry. How decentralised this is depends on the DID method; a did:web identifier, for example, is anchored to a domain name and its web host, while did:key is purely cryptographic.

📜 Verifiable Credentials

The W3C VC standard enables tamper-evident, cryptographically signed credentials that any party can verify using the issuer's public key, without asking the issuer about the specific presentation.

🫙 Solid Pods

Personal Online Datastores (Pods) give users a secure, private data store they control — granting and revoking access on their own terms.

🔏 Zero-Knowledge Proofs

Prove a claim is true — such as "over 18" or "Australian resident" — without revealing the underlying personal data.

Regulatory Alignment

This PoC is designed with Australian regulatory requirements at its core — not as an afterthought.

🏛️ Digital ID Act 2024

Consent-first design, accredited issuer framework, and interoperability requirements are all addressed within this PoC architecture.

📊 Consumer Data Right (CDR)

Selective disclosure and granular consent management align directly with CDR's data minimisation and purpose limitation principles.

🔒 Privacy Act 1988

Immutable audit trails, consent withdrawal rights, and data minimisation support compliance with Australian Privacy Principles.

🌐 GDPR Alignment

For organisations operating across jurisdictions, the architecture supports GDPR's right to erasure and data portability requirements.

Explore the Vendor Solutions

See how Affinidi and Inrupt each approach the technical challenges outlined in this walkthrough.