# Verifying Zipwire's Merkle Root Attestations for Developers

## Overview

This guide explains how to verify Merkle root attestations issued by Zipwire's master address (see [Zipwire's Master Attester Wallet Address and Public Key](/fundamentals/security/attestations/zipwires-master-attester-wallet-address-and-public-key.md)). Developers can verify these attestations to ensure a wallet holder's identity is trustworthy. This page guides you through validating a user-supplied, signed, and dated Merkle proof document to confirm it matches the attested Merkle root, check the signature, and assess the proof's age.

## Prerequisites

* Familiarity with Ethereum, Merkle trees, and cryptographic signatures.
* Access to Zipwire's master attester details: Zipwire's Master Attester Wallet Address and Public Key (./master-attester).
* Tools: A blockchain explorer (e.g., EAS Scan: <https://base.easscan.org/>) and a library for hash verification (e.g., Web3.js or ethers.js).

## Verification Steps

To trust a Zipwire attestation with a Merkle root hash, follow these steps:

### 1. Obtain the User's Merkle Proof Document

Ask the user to:

* **Sign in with Ethereum**: Prompt the user to authenticate using their Ethereum wallet (via a browser extension or a mobile wallet via WalletConnect) to prove they control the attested wallet address. This involves signing a message (e.g., a nonce or timestamp) using standards like EIP-191 or EIP-712. For smart wallets, verification should follow the EIP-1271 standard.
* **Provide the Merkle Proof Document**: The user submits a Zipwire-signed, dated Merkle proof document, which includes:
  * **Proof Data**: The specific identity attribute (e.g., name or passport number), its hash, and intermediate hashes linking to the Merkle root.
  * **Signature**: A cryptographic signature from Zipwire (using its master attester key) verifying the proof's authenticity.
  * **Date**: The issuance date of the proof to assess its freshness.

### 2. Verify the Merkle Proof

Ensure the proof's hashes match the attested Merkle root:

* Retrieve the Merkle root from the attestation on the Base blockchain using EAS Scan. Search for the user's wallet address and locate the attestation issued by Zipwire's master address (see [Zipwire's Master Attester Wallet Address and Public Key](/fundamentals/security/attestations/zipwires-master-attester-wallet-address-and-public-key.md)).
* Compute the hash of the provided attribute (e.g., SHA-256 of "Alice Smith").
* Use the intermediate hashes in the proof to reconstruct the Merkle root. Libraries like merkletreejs (JavaScript) can automate this.
* Compare the reconstructed root with the on-chain Merkle root. A match confirms the attribute belongs to the attested dataset.

### 3. Validate Zipwire's Signature

* Confirm the proof document's authenticity:
  * Extract the public key from Zipwire's signature using a library like ethers.js.
  * Verify the signature was created by Zipwire's master attester address (see [Zipwire's Master Attester Wallet Address and Public Key](/fundamentals/security/attestations/zipwires-master-attester-wallet-address-and-public-key.md)). For example, use `ethers.verifyMessage(message, signature)` to check the signed proof, ensuring it includes the proof data and date.
  * Confirm the signature matches Zipwire's public key, available at [Zipwire's GitHub](https://github.com/zipwireapp/zipwireapp/blob/master/PUBLICKEYS.md).

### 4. Check the Proof's Date

Assess the proof's age to ensure it's recent:

* Review the date in the proof document. A proof older than your application's threshold (e.g., 30 days) may indicate a stale or compromised wallet.
* Optionally, check the attestation's timestamp on EAS Scan to confirm it aligns with the proof's date.

### 5. Cross-Verify the Attester

Confirm the attestation comes from Zipwire:

* Verify the attester's address matches the official address (see [Zipwire's Master Attester Wallet Address and Public Key](/fundamentals/security/attestations/zipwires-master-attester-wallet-address-and-public-key.md)).
* Cross-check details on Zipwire's GitHub: <https://github.com/zipwireapp/zipwireapp/blob/master/PUBLICKEYS.md>.

## Best Practices

* **Security**: Always validate signatures and hashes to prevent forged proofs.
* **Freshness**: Set a maximum age for proofs (e.g., 7-30 days) based on your use case.
* **Error Handling**: Gracefully handle invalid proofs or mismatches, prompting users to resubmit.
* **Privacy**: Avoid storing sensitive proof data; verify and discard.

## Why It Matters

By verifying Zipwire's Merkle root attestations, developers can trust user identities without compromising privacy, enabling secure dApp interactions, bot prevention, and compliance. For broader verification strategies, see [Holistic Evaluation of Ethereum Wallets](/fundamentals/security/wallet-verification-guide/holistic-evaluation-of-ethereum-wallets.md).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.zipwire.io/fundamentals/security/wallet-verification-guide/verifying-zipwires-merkle-root-attestations-for-developers.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.