What is the proof-of-human standard?

The Proof-of-Human-Fulfillment (PoHF) credential is an open, cryptographically signed token (JWT, ES256/P-256) asserting that a real, unique, attentive human performed a specific action. Anyone verifies it against a public JWKS with any standard library — no issuer software and no trust in the issuer required. It also has a W3C Verifiable Credentials profile.

How fast is verifying a PoHF credential?

Verification is local and offline. Measured per-credential verification with cached keys is about 0.09 ms median and 0.56 ms at p99, fast enough for transaction-time authorization decisions under 100 ms. Issuance is a separate one-time step.

Is PoHF compatible with W3C Verifiable Credentials?

Yes. The compact JWS is the wire format, and the spec defines an equivalent W3C Verifiable Credentials (Data Model 2.0) presentation with a ProofOfHumanFulfillment type, so it plugs into wallet and identity ecosystems.

The Proof-of-Human standard · PoHF v1.0

One open standard for
proving a human did it.

The Proof-of-Human-Fulfillment (PoHF) credential: a signed, independently verifiable token that a real, unique, attentive human performed a specific action — built on published standards (JWS · ES256 · JWKS), with a W3C Verifiable Credentials profile. Verify it with any library; trust no one.

Verify a credential → Public JWKS

ES256P-256 signed JWT, verified via public JWKS — RFC 7515/7519

<1msper-credential verification (p50 0.09ms · p99 0.56ms) — fast enough for payment-auth

W3C VCVerifiable Credentials 2.0 profile — plugs into wallet + identity rails

THE CREDENTIAL

What's in a PoHF credential

Claim	Meaning
`iss`	Issuer (e.g. `https://5arz.com`)
`vct`	Type: `…/proof-of-human-fulfillment`
`verified`	Must be `true` — a real human did it
`sub_hash`	Hashed subject — no raw PII, ever
`session_id` · `task_type` · `work_kind`	The specific action attested
`device`	Device attestation + assurance tier (App Attest / Play Integrity / WebAuthn)
`iat` · `exp` · `jti`	Issued-at, expiry, unique id
`cnf`	Optional holder key-binding (RFC 7800)

Verify it — no 5arz software, no trust required

import { jwtVerify, createRemoteJWKSet } from "jose";

const JWKS = createRemoteJWKSet(
  new URL("https://api.5arz.com/.well-known/jwks.json")
);

// throws if it isn't a valid, unexpired 5arz credential
const { payload } = await jwtVerify(token, JWKS);
// payload.verified === true, payload.device?.assurance, ...

Local + offline. Measured p50 0.09 ms / p99 0.56 ms with cached keys — built for transaction-time authorization decisions under 100 ms.

Assurance tiers

none

No device attestation bound — human + action only.

basic

Device-integrity token received and nonce-bound.

hardware

Full Apple App Attest / Google Play Integrity / WebAuthn verification. Require it for high-risk decisions.

Build on the standard.

The credential format is open and free to verify and implement against.

Read the docs → Contact us

One open standard forproving a human did it.