Overview
Pubky is Synonym’s self-sovereign identity protocol: each identity is an ed25519 key whose signed records are published with pkarr on the Mainline DHT, and homeservers hold the user’s data. Pubky Ring is its key manager and authenticator. This proof of concept brings that key ring onto Passport Prime, so the pubky’s secret key stays sealed to the device and every sign-in or authorization is approved on the device screen.
It is a working proof of concept on dev hardware. The Prime app pairs with the Pubky Ring phone app over QuantumLink, Prime’s encrypted Bluetooth channel (the same transport it uses to sign Bitcoin transactions with Envoy), then creates or imports a pubky, chooses a homeserver, and manages the key ring on the device. A QR code only bootstraps the Bluetooth pairing; no pubky data ever travels over QR. Pairing is validated on the device, the auth round-trip and pubkyauth:// sign-in are code-complete, and combined on-device sign-in QA is the remaining step.
What it does
- Holds your Pubky (pkarr) identity keys sealed to Passport Prime.
- Pairs with the Pubky Ring phone app over QuantumLink, Prime’s encrypted Bluetooth.
- Approves homeserver sign-ins and pubkyauth:// requests on the device screen.
- Each pubky is an ed25519 identity derived from the device seed; imported keys stay sealed to the secure element.
Technical breakdown
How the proof-of-concept is built, for developers evaluating the platform.
Keys on the device
Each pubky is an independent ed25519 identity, derived from the device master seed along the hardened path m/44’/0’/<index>’ (compatible with the pubky ecosystem) and recomputed on demand, so no per-pubky secret is stored at rest. Imported keys, which cannot be re-derived, are sealed under the per-app secure-element seed with XSalsa20-Poly1305. In both cases the pubky signs auth and homeserver requests inside the hardware; the secret key never leaves it.
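As an added example (not code from the Passport Prime or Pubky Ring repo), the derivation above carried out end to end with only the Python standard library: hardened child derivation at m/44'/0'/<index>', the ed25519 public key per RFC 8032, and the z-base-32 string pkarr uses as the pubky identifier. Two things are assumptions of the example rather than statements from the page: that the path is walked with SLIP-0010 (the usual way to do hardened ed25519 paths from a BIP32-style master seed), and that the identifier is plain z-base-32 of the public key. The sample seed is a constructed value, and the sealing of imported keys is not shown.

```python
import hashlib
import hmac
import struct

HARDENED = 0x80000000

# ---- SLIP-0010 for the ed25519 curve (assumed to be what m/44'/0'/<index>' means here) ----
def slip10_master(seed: bytes) -> tuple[bytes, bytes]:
    """Master node: HMAC-SHA512 keyed with the curve's fixed string.
    Left half is the 32-byte private key, right half the chain code."""
    i = hmac.new(b"ed25519 seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]

def slip10_child(key: bytes, chain: bytes, index: int) -> tuple[bytes, bytes]:
    """Hardened child node. ed25519 has no public (non-hardened) derivation under
    SLIP-0010, so an index without the hardened bit is an error, not a fallback."""
    if not index & HARDENED:
        raise ValueError("ed25519 SLIP-0010 derivation must be hardened")
    i = hmac.new(chain, b"\x00" + key + struct.pack(">I", index), hashlib.sha512).digest()
    return i[:32], i[32:]

def parse_path(path: str) -> list[int]:
    """'m/44'/0'/7'' -> [44|H, 0|H, 7|H]; accepts ' or h as the hardened mark."""
    head, *parts = path.split("/")
    if head != "m":
        raise ValueError("path must start with m/")
    out = []
    for p in parts:
        hardened = p[-1] in "'h"
        n = int(p[:-1] if hardened else p)
        out.append(n | HARDENED if hardened else n)
    return out

def derive_pubky_secret(master_seed: bytes, index: int) -> bytes:
    """32-byte ed25519 secret for pubky number `index`, recomputed on demand
    so nothing per-pubky has to be stored at rest."""
    key, chain = slip10_master(master_seed)
    for idx in parse_path(f"m/44'/0'/{index}'"):
        key, chain = slip10_child(key, chain, idx)
    return key

# ---- ed25519 public key from a 32-byte secret (RFC 8032; affine arithmetic, demo speed) ----
Q = 2**255 - 19
D = (-121665 * pow(121666, Q - 2, Q)) % Q
SQRT_M1 = pow(2, (Q - 1) // 4, Q)
BY = 4 * pow(5, Q - 2, Q) % Q

def _xrecover(y: int) -> int:
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q) % Q
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * SQRT_M1 % Q
    return Q - x if x & 1 else x          # canonical choice: even x

BASE = (_xrecover(BY), BY)

def _add(p, q):
    x1, y1 = p
    x2, y2 = q
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q)
    return x3 % Q, y3 % Q

def _mul(k: int, p):
    r = (0, 1)                            # neutral element
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r

def ed25519_public_key(secret: bytes) -> bytes:
    h = bytearray(hashlib.sha512(secret).digest()[:32])
    h[0] &= 248                           # clamp the scalar per RFC 8032
    h[31] &= 63
    h[31] |= 64
    x, y = _mul(int.from_bytes(h, "little"), BASE)
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

# ---- z-base-32, the text encoding pkarr uses for public keys (32 bytes -> 52 chars) ----
Z32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

def z32_encode(data: bytes) -> str:
    nchars = -(-len(data) * 8 // 5)                                   # ceil(bits / 5)
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)  # zero-pad last quintet
    return "".join(Z32_ALPHABET[(bits >> 5 * (nchars - 1 - i)) & 31] for i in range(nchars))

def pubky_id(master_seed: bytes, index: int) -> str:
    return z32_encode(ed25519_public_key(derive_pubky_secret(master_seed, index)))

if __name__ == "__main__":
    demo_seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")    # constructed, not a real seed
    for n in range(2):
        print(n, pubky_id(demo_seed, n))
```

Two properties worth noticing: a non-hardened index is refused outright rather than silently hardened, because ed25519 under SLIP-0010 has no public-derivation path and a permissive parser would turn a typo into a different key; and nothing here is cached, which is what "no secret at rest" buys you on the derived side.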
Sealed transport
Requests travel over QuantumLink as Gordian Envelope / dCBOR, sealed with GSTP (Gordian Sealed Transaction Protocol): X25519 key agreement plus signatures, an ARID (Apparently Random Identifier) replay cache, and a 60-second expiry, so a captured request can neither be replayed inside the window nor presented after it. Peer identities are post-quantum XIDs (ML-DSA-44 for signatures, ML-KEM-512 for key encapsulation). Envoy is not involved; QuantumLink is only the shared encrypted transport.
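The two freshness checks named above, modelled as an added example that is not QuantumLink or GSTP code: a receiver that rejects a request older than 60 seconds, rejects one whose ARID it has already accepted, and evicts cache entries only once the expiry check alone would reject them. `SealedRequest`, `ReplayGuard`, the request fields and the 5-second clock-skew allowance are assumptions of the example; signature and envelope verification, which run before these checks, are left out.

```python
import secrets
from collections import OrderedDict
from dataclasses import dataclass

EXPIRY_SECONDS = 60          # from the text
CLOCK_SKEW_SECONDS = 5.0     # assumption: tolerated drift between the two peers' clocks


@dataclass(frozen=True)
class SealedRequest:
    """Simplified stand-in for a GSTP-sealed request (assumed fields, not the wire format)."""
    arid: bytes         # 32-byte Apparently Random Identifier, unique per request
    issued_at: float    # sender's timestamp, Unix seconds
    body: bytes


def new_request(body: bytes, now: float) -> SealedRequest:
    """Sender side: every request gets a fresh random ARID; a retry must not reuse one."""
    return SealedRequest(secrets.token_bytes(32), now, body)


class ReplayGuard:
    """Receiver side: accept each ARID at most once inside the validity window.

    Anything older than the window is rejected by the expiry check alone, so the cache
    only has to remember ARIDs accepted within the last window (plus skew). Evicting
    older entries bounds memory without weakening replay protection. Assumes the
    receiver's clock is monotonic, so entries are inserted in time order."""

    def __init__(self, expiry: float = EXPIRY_SECONDS, skew: float = CLOCK_SKEW_SECONDS):
        self.expiry = expiry
        self.skew = skew
        self._seen: "OrderedDict[bytes, float]" = OrderedDict()   # arid -> time accepted

    def _evict(self, now: float) -> None:
        # Oldest entry is at the front; pop until one is still inside the window.
        while self._seen:
            _, accepted_at = next(iter(self._seen.items()))
            if now - accepted_at <= self.expiry + self.skew:
                break
            self._seen.popitem(last=False)

    def remembered(self) -> int:
        return len(self._seen)

    def check(self, req: SealedRequest, now: float) -> tuple[bool, str]:
        """Order matters: expiry first, then the cache, which is what makes eviction safe."""
        if len(req.arid) != 32:
            return False, "malformed arid"
        if req.issued_at > now + self.skew:
            return False, "issued in the future"
        if now - req.issued_at > self.expiry:
            return False, "expired"
        self._evict(now)
        if req.arid in self._seen:
            return False, "replay"
        self._seen[req.arid] = now
        return True, "ok"


def demo() -> list[str]:
    """Constructed exchange: one sign-in request presented four times."""
    guard = ReplayGuard()
    t0 = 1_700_000_000.0
    req = new_request(b"pubkyauth sign-in request", t0)
    return [
        guard.check(req, t0)[1],        # fresh: "ok"
        guard.check(req, t0 + 10)[1],   # same ARID again: "replay"
        guard.check(req, t0 + 61)[1],   # past the window: "expired"
        guard.check(req, t0 + 200)[1],  # cache has forgotten it, still "expired"
    ]


if __name__ == "__main__":
    print(demo())
```

Two points for anyone porting this to firmware: the cache is consulted only after the expiry check, so forgetting an ARID can never readmit a request; and an ARID is rejected on its second appearance even when the message is otherwise valid, so a sender that retries after a lost reply must mint a fresh ARID rather than resend the old envelope.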
Status
Pairing (M1) is validated on dev hardware; the auth round-trip (M2) and the pubky list plus pubkyauth:// sign-in routed through Prime (M3) are code-complete, with combined on-device sign-in QA the last step.
Dig into the source
README, architecture notes, and the wire protocol live in the repo.

