Unpopular opinion — attestations are the most important primitive in Web3 that almost nobody actually understands properly.
Not at a vague level. At a "how does this actually work" level.
Let me break it down.

What an attestation actually is
A structured, signed statement made by one party about another.
Format: I, [issuer], claim that [subject] has [property/status], as of [timestamp], under [authority/schema].
Real examples:
"This wallet passed KYC" — signed by a compliance provider
"This contract passed security audit" — signed by Ottersec
"This company cleared AML screening" — signed by a compliance provider
Simple structure. But the implications compound fast.

Two primitives — schema and attestation
Schemas are the template. You define fields, data types, validation rules — before a single attestation gets issued. Schema versioning matters here: when regulations change, old attestations still reference the schema version that was in effect. An audit from two years ago stays verifiable.
Attestations are the signed instance. A filled-out schema, signed by the issuer's private key. Binds data to an identity, a timestamp, and a ruleset. Can't be forged without the issuer's key. Any alteration after the fact breaks the signature.

Three privacy modes
Not everything should be public. Sign handles three cases:
Public — fully on-chain, anyone can verify. Used for audit certificates, compliance declarations.
Private — data is off-chain, but a cryptographic hash is anchored on-chain. Proves the data existed and hasn't changed. Content stays restricted.
ZK — prove a claim without revealing the underlying data. Prove you're KYC-verified without exposing your documents. Prove eligibility without disclosing personal details.
And that's actually the harder problem most attestation projects haven't solved cleanly.
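
To make the schema/attestation split and the Private mode concrete, here is an added sketch (not Sign's code or SDK). It uses Node's built-in Ed25519 signing; the schema ids, field names, `issue`/`verify` helpers and sample values are all assumptions made up for this example.

```javascript
// Added illustration: versioned schema + signed attestation, with a hash-only "private" variant.
// SCHEMAS, issue, verify and every sample value are constructed for this example.
const crypto = require('node:crypto');

// Schema registry keyed by "name@version"; old versions stay resolvable for old attestations.
const SCHEMAS = {
  'kyc@1': { fields: { passed: 'boolean' } },
  'kyc@2': { fields: { passed: 'boolean', level: 'string' } },
};

// Deterministic serialization (sorted keys) so signer and verifier hash identical bytes.
const canonical = (obj) => JSON.stringify(Object.keys(obj).sort().map((k) => [k, obj[k]]));
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

function validate(schemaId, data) {
  const schema = SCHEMAS[schemaId];
  if (!schema) return false;
  const names = Object.keys(schema.fields);
  return Object.keys(data).length === names.length &&
    names.every((n) => typeof data[n] === schema.fields[n]);
}

// The signature covers issuer, subject, schema version, timestamp and a hash of the data.
// In private mode the data is withheld from the record; only dataHash is published.
function issue(issuerKey, issuer, subject, schemaId, data, timestamp, isPrivate = false) {
  if (!validate(schemaId, data)) throw new Error('data does not match schema');
  const body = { issuer, subject, schemaId, timestamp, dataHash: sha256(canonical(data)) };
  const signature = crypto.sign(null, Buffer.from(canonical(body)), issuerKey).toString('hex');
  return { ...body, signature, data: isPrivate ? undefined : data };
}

// Recompute the hash from the data (the record's own, or supplied off-chain), then check the signature.
function verify(att, issuerPublicKey, offChainData) {
  const data = att.data ?? offChainData;
  if (!data || !validate(att.schemaId, data)) return false;
  if (sha256(canonical(data)) !== att.dataHash) return false;
  const { issuer, subject, schemaId, timestamp, dataHash } = att;
  const body = canonical({ issuer, subject, schemaId, timestamp, dataHash });
  return crypto.verify(null, Buffer.from(body), issuerPublicKey, Buffer.from(att.signature, 'hex'));
}

// Constructed demo: throwaway issuer key, public attestation, then a tampered copy.
const demoKeys = crypto.generateKeyPairSync('ed25519');
const att = issue(demoKeys.privateKey, 'issuer-A', '0xSubject', 'kyc@1', { passed: true }, 1700000000);
console.log(verify(att, demoKeys.publicKey), verify({ ...att, data: { passed: false } }, demoKeys.publicKey));
```

The ZK mode is not covered here; it needs a proof system rather than a plain signature over a hash.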

How you query them
SignScan aggregates attestations across all supported chains. REST, GraphQL, TypeScript SDK. Cross-chain by default — builders don't need to know which chain an attestation lives on.
Attestations only matter if you can find and verify them fast. SignScan handles that.

What's live today
ngl — the fact that production integrations are already running says more than any roadmap ever could.
Ottersec — Proof of Audit issued on-chain for every security review.
Sumsub — KYC-gated contract calls. Smart contracts that only execute for verified wallets.
Aspecta — developer reputation built from on-chain attestation history.
Not demos. Not testnet. Production.
One primitive. Many applications. That's what happens when the base layer is right.
