RWA ID — Technical Overview & Reference Implementation (v2)

RWA ID — Technical Overview & Reference Implementation

v2 · Ethereum Mainnet · February 2026

1. What RWA ID Does

RWA ID lets RWA platforms verify client wallets across every chain without exposing internal identity or KYC systems. Platforms issue human-readable ENS subdomains to their verified clients, who use them to send and receive RWAs and crypto across the entire ecosystem.

alice.yourplatform.rwa-id.eth

Any smart contract on any chain can verify that a wallet belongs to a KYC’d client of a given platform, with a single on-chain Merkle proof check. The platform’s compliance data stays private. The verification is public.

2. Core Architecture

2.1 System Components

RWA ID v2 consists of four components that work together:

RWAIDv2 Contract — The main registry deployed on Ethereum mainnet. Handles project creation, Merkle-based allowlists, USDC claim fees with 70/30 revenue splitting, ERC-721 identity minting (soulbound or transferable), namespace reservation, and identity revocation. Owned by a Safe multisig.
RwaIdWildcardResolverV2 — An ENSIP-10 wildcard resolver that implements EIP-3668 CCIP-Read. When any wallet or dApp resolves name.platform.rwa-id.eth, ENS hits this resolver, which redirects to the off-chain gateway for lookup, then verifies the response signature on-chain before returning the address.
CCIP-Read Gateway — A server at gateway.rwa-id.com that receives resolution requests from the wildcard resolver. It looks up the nodeToTokenId mapping and calls ownerOf on the RWAIDv2 contract to find the current owner of a claimed identity, then returns the address with a cryptographic signature that the resolver verifies on-chain.
Platform Console & Claim Portal — The web application at rwa-id.com where platforms create projects, upload CSVs, and manage allowlists. The claim portal at rwa-id.com/claim/[projectId]/[cid] is where clients connect their wallet, approve USDC, and mint their identity.

2.2 Resolution Flow

┌─────────────────┐
│  Wallet / dApp   │
│  resolves name   │
└────────┬────────┘
         │  alice.securitize.rwa-id.eth
         ▼
┌─────────────────┐
│  ENS Registry    │
│  (Ethereum L1)   │
└────────┬────────┘
         │  Finds wildcard resolver for rwa-id.eth
         │  Resolver: 0x765FB675AC33a85ccb455d4cb0b5Fb1f2D345eb1
         ▼
┌─────────────────┐
│  Wildcard        │
│  Resolver v2     │──── EIP-3668: "go ask the gateway"
└────────┬────────┘
         │  CCIP-Read redirect
         ▼
┌─────────────────┐
│  CCIP-Read       │
│  Gateway         │
│  gateway.rwa-id  │
│  .com            │
└────────┬────────┘
         │  1. Compute ENS namehash for alice.securitize.rwa-id.eth
         │  2. Look up nodeToTokenId(namehash) on RWAIDv2
         │  3. Call ownerOf(tokenId) to get current wallet
         │  4. Sign (node, address, hash) with trusted signer key
         ▼
┌─────────────────┐
│  Resolver        │
│  resolveWithProof│
│  verifies sig    │──── Returns wallet address to ENS
└─────────────────┘
         │
         ▼
┌─────────────────┐
│  Wallet displays │
│  ✓ alice.securit │
│  ize.rwa-id.eth  │
│  → 0x742d...     │
└─────────────────┘

2.3 Why CCIP-Read (EIP-3668)

ENS wildcard resolution with CCIP-Read means identity data doesn’t need to be stored redundantly on every chain. The identity is minted as an ERC-721 on Ethereum mainnet, but resolution works from any chain because wallets and dApps follow the EIP-3668 standard to query the off-chain gateway and verify the result on-chain. This gives us cross-chain resolution without cross-chain bridges or L2 deployments.

3. Smart Contracts

3.1 RWAIDv2

Address: 0xD0B565C7134bDB16Fc3b8A9Cb5fdA003C37930c2 (Ethereum Mainnet)