Legacy Identity Providers (LIDP)
A Legacy Identity Provider (LIDP) is any traditional Web2 or telecommunications service that an Identity Authority (IA) queries to verify a user's identity.
In the Zapf ecosystem, LIDPs allow external users (senders) to address Lightning payments to recognizable, human-readable strings rather than 64-character hex public keys or long Lightning addresses.
Supported LIDPs
The official Zapf IA currently supports:
| LIDP | Identifier Format | Verification Method |
|---|---|---|
| Discord | discord_id (Snowflake) | OAuth 2.0 |
| X | @handle | OAuth 1.0a/2.0 |
| Email | user@example.com | One-Time Password (OTP) |
| Phone | +1234567890 | RCS One-Time Password (OTP) |
The Privacy Model
Binding a Nostr public key to a real-world identity introduces privacy considerations. Zapf limits data leakage through two primary models:
1. The Hashed Privacy Model (High Privacy)
For sensitive identifiers like phone numbers and email addresses, Zapf relies on deterministic cryptographic hashing.
- The raw identifier is never published to the Nostr network.
- The dtag (the Connection Key) is derived as SHA256(lidp_name + ":" + identifier).
- Senders resolve these identities by hashing the target email or phone number locally and querying the network for the resulting hash.
Because both sides must hash exactly the same byte string, the IA and its clients have to agree on the canonical form of the identifier (email case, phone number formatting) or lookups will silently fail. The hash hides the identifier from relays and casual readers, but since it is unsalted and the space of valid phone numbers is small, it does not stop someone who holds a list of candidate identifiers from hashing each one and comparing; treat this model as protection against indexing and casual disclosure, not as a guarantee that the identifier cannot be recovered.
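The derivation and the sender-side lookup described above, as an added example (not Zapf's own code). It assumes UTF-8 input and a hex-encoded digest, and it picks a canonical form (lowercased email, E.164-style phone) that the page does not specify. The last function shows, over a constructed 4-digit range, why an unsalted hash of a phone number is cheap to enumerate.

```python
import hashlib
from typing import Dict, Optional

# Constructed placeholder pubkeys, not real Nostr keys.
ALICE_KEY = "npub_alice_placeholder"
BOB_KEY = "npub_bob_placeholder"


def normalize(lidp: str, identifier: str) -> str:
    """Canonical form of an identifier (ASSUMPTION: the page does not define one;
    the IA and every client must agree on this or hashes will not match)."""
    if lidp == "email":
        return identifier.strip().lower()
    if lidp == "phone":
        digits = "".join(ch for ch in identifier if ch.isdigit())
        return "+" + digits  # E.164-style, no spaces or punctuation
    return identifier


def derive_dtag(lidp: str, identifier: str) -> str:
    """SHA256(lidp_name + ":" + identifier), hex-encoded.
    ASSUMPTION: UTF-8 encoding and hex output; the page states only the formula."""
    material = f"{lidp}:{normalize(lidp, identifier)}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


# Constructed stand-in for what an IA publishes to relays: dtag -> pubkey.
# The raw email/phone never appears here, only the hash.
PUBLISHED: Dict[str, str] = {
    derive_dtag("email", "alice@example.com"): ALICE_KEY,
    derive_dtag("phone", "+1 (555) 010-4242"): BOB_KEY,
}


def resolve(records: Dict[str, str], lidp: str, identifier: str) -> Optional[str]:
    """Sender side: hash the target locally, then look the hash up."""
    return records.get(derive_dtag(lidp, identifier))


def enumerate_phone_hash(target_dtag: str, prefix: str, width: int = 4) -> Optional[str]:
    """Recover a phone number from its dtag by trying every suffix of `width` digits
    after a known prefix. 10**width hashes is trivial; a full national numbering
    plan is only a few orders of magnitude more."""
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        if derive_dtag("phone", candidate) == target_dtag:
            return normalize("phone", candidate)
    return None


if __name__ == "__main__":
    print(resolve(PUBLISHED, "email", "Alice@Example.com"))   # ALICE_KEY
    print(resolve(PUBLISHED, "phone", "+15550104242"))         # BOB_KEY
    target = derive_dtag("phone", "+15550104242")
    print(enumerate_phone_hash(target, "+1555010"))            # +15550104242
```

The resolver only ever sends the 64-character hash to relays, which is the privacy property the model provides; the enumeration function is the limit of that property for low-entropy identifiers.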
2. The Public Model (Social Discovery)
For inherently public profiles like X handles and Discord IDs, the identifier is often directly visible or easily reversible. This enables global search and social discovery features on clients like zapf.app.
Verification: OAuth vs. OTP
LIDPs generally fall into two verification flows:
OAuth Identity Providers (Discord, X):
The IA redirects the user to the provider, receives an access token, and queries the user's profile with it. The IA can then wrap that token in an encrypted evidence payload, so the proof of ownership can be shared with other IAs instead of being re-verified from scratch. Note that an access token is a bearer credential: whoever decrypts the payload can call the provider's API with it until it expires, so the payload should be encrypted to a specific recipient IA and the requested OAuth scope kept to the minimum needed to read the profile.
OTP Providers (Email, Phone via RCS):
The IA sends a one-time code directly to the user's inbox or device. Because no external authority returns a persistent access token, there is no portable evidence payload. If a user wants to prove the same email address to a different IA, that IA must send its own OTP and verify ownership itself.
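The OTP flow as one IA would run it, and the non-portability point from the paragraph above, as an added example (not Zapf's code). The page states neither code length, lifetime, attempt limit nor storage, so those are assumptions here: a 6-digit code, 5-minute lifetime, 5 attempts, and only a hash of the code kept server-side. Delivery over email or RCS is out of scope; `issue()` returns the code so the example runs offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

OTP_TTL_SECONDS = 300  # ASSUMPTION: not stated on the page
MAX_ATTEMPTS = 5       # ASSUMPTION: not stated on the page

Key = Tuple[str, str]  # (lidp, identifier)


@dataclass
class PendingOtp:
    code_hash: bytes   # store a hash, never the code itself
    expires_at: float
    attempts: int = 0


class OtpVerifier:
    """OTP state for a single IA. `now` is injectable so expiry can be tested."""

    def __init__(self, ia_name: str, now: Callable[[], float] = time.time):
        self.ia_name = ia_name
        self._now = now
        self._pending: Dict[Key, PendingOtp] = {}
        self.verified: Set[Key] = set()  # this IA's own record; nothing portable is produced

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, lidp: str, identifier: str) -> str:
        """Generate a fresh code and remember its hash. The code would be sent to the
        inbox/device out of band; it is returned here only so the example is runnable."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[(lidp, identifier)] = PendingOtp(self._hash(code), self._now() + OTP_TTL_SECONDS)
        return code

    def verify(self, lidp: str, identifier: str, submitted: str) -> bool:
        key = (lidp, identifier)
        pending: Optional[PendingOtp] = self._pending.get(key)
        if pending is None or self._now() > pending.expires_at:
            self._pending.pop(key, None)  # expired or never issued
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[key]        # brute-force cap: burn the challenge
            return False
        ok = hmac.compare_digest(pending.code_hash, self._hash(submitted))
        if ok:
            del self._pending[key]        # single use
            self.verified.add(key)
        return ok


def demo_non_portable() -> bool:
    """A code accepted by IA A proves nothing to IA B: B has no token to check,
    only its own challenge state, so the replay is rejected and B must issue its own OTP."""
    ia_a, ia_b = OtpVerifier("ia-a"), OtpVerifier("ia-b")
    code = ia_a.issue("email", "alice@example.com")
    assert ia_a.verify("email", "alice@example.com", code)
    return ia_b.verify("email", "alice@example.com", code)  # False


if __name__ == "__main__":
    print("accepted by a second IA:", demo_non_portable())
```

Contrast this with the OAuth case: there the provider hands the IA an artifact (the token) that can be encrypted and forwarded; here the only artifact is the IA's own `verified` set, which another IA has no reason to trust.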