Walletless Kit

@kirkelabs/walletless-kit is an open-source (MIT) toolkit for walletless commerce: onboard users with no wallet, prove what happened with receipts (not personal data), keep a tamper-evident audit trail and clean money trails, and run a prize draw anyone can recompute. Charity prize-draws are the flagship example; every module is reusable for any walletless flow.

$ npm i @kirkelabs/walletless-kit
$ npx walletless init my-raffle

The differentiator

Don't trust us — recompute it

Every result ships as a portable proof a skeptic can recompute independently: offline, with zero dependencies, against a published format. The widget below is that verifier, running entirely in your browser: it re-derives the Merkle commitment over the entrant list, re-runs the draw from its seed, and re-checks the bundle’s self-hash. What that establishes is that the announced winners follow from the published seed and entrants; whether the seed itself was chosen honestly is a separate question, covered in the caveats below.

Verify this draw

Picture a charity prize draw. When it ends, the organiser announces who won — and asks everyone to take their word for it. How would you know they didn’t just pick a friend? With walletless-kit you don’t have to trust them: the winners are something you can recompute for yourself.

The organiser announced these winners: refB · refA

The draw used a public seed and the published list of entrants. Re-run exactly that, here in your browser, and see whether the same winners come out — no server, no dependencies, nothing taken on trust.

What’s in the box

  • onboarding: Tightly-scoped, round-relative, auto-expiring custodial accounts; spending authority bounded by an oaa-agent-kit mandate.
  • identity: Email/SMS OTP with CSPRNG codes that are single-use, expiring and rate-limited, compared in constant time; only keyed (peppered) pseudonymous contact refs are stored.
  • receipt: Hash-chained, signed, non-PII order receipts; only the receipt hash goes on-chain. x402-charged actions supported.
  • audit: Append-only hash-chained events plus an RFC 6962 Merkle root and consistency proofs (provably append-only between any two anchors), periodically anchored on-chain.
  • ledger: Three segregated append-only books (inflow / charity / escrow), integer-only money, immutable snapshots, a per-draw reconciliation sheet and conservation invariants.
  • draw: Deterministic, recomputable winner selection (no Math.random), “was my ticket counted?” inclusion proofs for entrants, and drand beacon randomness the organiser cannot steer.
  • verify: A zero-dependency verifier (runs in a browser or offline) and a portable, self-verifying proof bundle. Don’t trust the producer: recompute it.
  • drand-bls: Optional BLS12-381 verification that a drand seed is a genuine League of Entropy threshold signature. Opt-in peer dependency.
  • privacy: Keyed hashing and random, erasable references so erasure truly unlinks the subject; PII stays off-chain.

An open, checkable format

The on-the-wire formats are specified in SPEC.md (walletless-proof/v1) with frozen conformance vectors in test/vectors.json. Anything that reproduces them interoperates — and can verify a draw, trail, or receipt chain independently of this package. The verifier above is a second implementation held to exactly those vectors.

How it fits

This is the open-source toolkit behind the patterns Kirke Labs demonstrates on-site. See the consumer experience in the Walletless Onboarding demo, the agent-side control layer in Open Agent Access, and both end to end in Agent City. It builds on @kirkelabs/oaa-agent-kit for Algorand spend/identity and x402.

Honest caveats — read before real funds or real data

  • EXPERIMENTAL · UNAUDITED. Get an independent audit before holding material value or processing real personal data.
  • TestNet by default. MainNet is an explicit, cautioned opt-in.
  • Custodial keys are server-held, tightly-scoped, and auto-expiring — and dev/TestNet-grade. Production custody needs your own KMS/HSM and an audit.
  • Personal data stays off-chain; the chain holds only non-identifying references. Hashed contact refs are pseudonymous, not anonymous — still personal data.
  • Draw fairness is only as strong as the seed. Recomputation proves that the announced winners follow from the published seed and entrant list, not that the seed was chosen honestly: a seed picked after the entrant list is known can be searched for a favourable outcome. For anything of value, fix the seed source before entries close (a VRF output or a drand beacon round named in advance), and don’t call a draw “provably fair” beyond what the seed guarantees.
  • Prize draws are regulated; custodial money handling implies AML/custody duties; processing entrant data makes you a GDPR controller. This is transparency tooling, not legal compliance — you own licensing, the free-entry route, and age/geo gating.

Open-source (read, run, contribute): npmjs.com/package/@kirkelabs/walletless-kit · github.com/KirkeLabs/walletless-kit · LEGAL.md