Privacy by Design: How InsumerAPI
Verifies Without Exposing

The first question developers ask when evaluating a blockchain API: what data do you return? Most on-chain APIs hand back raw token balances, full transaction histories, and wallet addresses. InsumerAPI was designed to do the opposite. It verifies ownership and returns a yes or no. The balance itself never leaves the server.

The problem with raw balance APIs

Blockchain data is public, but that does not mean every application needs to see all of it. When a shopping agent checks whether a user holds enough UNI tokens to qualify for a 10% discount, the agent does not need to know that the wallet holds exactly 5,420.37 UNI. It only needs to know: does this wallet qualify?

Returning raw balances creates problems that developers would rather avoid:

• Liability. If your application stores or logs balance data, you are holding financial information about your users. Under GDPR, that makes you a data controller for financial data, with obligations around breach notification, right to erasure, and data portability. That is a compliance burden you did not need to take on.
• Over-collection. The European Data Protection Board's Guidelines 02/2025, adopted in April 2025, explicitly require data minimization for blockchain applications. Compliance gating with on-chain credentials addresses this directly. If your feature is "check if wallet qualifies for a discount," collecting the exact balance violates that principle.
• Leakage surface. Every piece of data your system handles is a piece of data that could appear in logs, error reports, analytics pipelines, or third-party integrations. Less data in means less data that can leak out.
• Identity linking. When a user connects their wallet to your application, you now have a link between a real person and their on-chain activity. If you also store their balance, you have a financial profile. Traditional token gating creates this link permanently. A privacy-first approach breaks it.

Developers building token-gated features need verification, not surveillance. That is the design principle behind InsumerAPI.

Boolean attestations: yes or no, nothing more

The flagship endpoint is POST /v1/attest. You submit up to 10 conditions ("Does this wallet hold at least 1,000 USDC on Ethereum? Does it own an NFT from this collection on Polygon?") and get back a true or false for each one, signed with an ECDSA P-256 key.

Here is what the response looks like:

{
  "ok": true,
  "data": {
    "attestation": {
      "id": "ATST-A9D2E6B7C8F01234",
      "pass": false,
      "results": [
        { "condition": 0, "label": "USDC >= 1000", "type": "token_balance", "chainId": 1, "met": true,
          "evaluatedCondition": { "type": "token_balance", "chainId": 1, "contractAddress": "0xA0b8...eB48", "operator": "gte", "threshold": 1000, "decimals": 6 },
          "conditionHash": "0x3a7f...", "blockNumber": "0x12f4a80", "blockTimestamp": "2026-02-24T12:00:00.000Z" },
        { "condition": 1, "label": "Pudgy Penguin holder", "type": "nft_ownership", "chainId": 1, "met": false,
          "evaluatedCondition": { "type": "nft_ownership", "chainId": 1, "contractAddress": "0xBd35...7233", "operator": "gt", "threshold": 0 },
          "conditionHash": "0x9b2e...", "blockNumber": "0x12f4a80", "blockTimestamp": "2026-02-24T12:00:00.000Z" }
      ],
      "passCount": 1,
      "failCount": 1,
      "attestedAt": "2026-02-24T12:00:00.000Z",
      "expiresAt": "2026-02-24T12:30:00.000Z"
    },
    "sig": "MEUCIQC...",
    "kid": "insumer-attest-v1"
  },
  "meta": { "creditsRemaining": 98, "creditsCharged": 1, "version": "1.0", "timestamp": "2026-02-24T12:00:01.000Z" }
}

No balance field. No wallet address echoed back. No transaction history. Just the boolean result you asked for, signed so you can verify it cryptographically.

This covers the use cases developers are actively building right now. Token-gated game arenas where players prove they hold enough tokens to enter. Freelance platforms where premium features unlock at a holding threshold. NFT verification endpoints for payment processors. Holder badge systems with Bronze, Silver, and Gold tiers. Token-gated lotteries that verify holdings at entry and again at draw time. Agent identity verification where one AI agent proves its on-chain credentials to another. All of these are yes/no questions at their core.

For implementation details on POST /v1/attest and the privacy guarantees built into every response, see the AI Agent Verification API overview and the verification developer guide.

Tier-only discount responses

The discount endpoints (GET /v1/discount/check and POST /v1/verify) return the tier name and discount percentage for each token a merchant accepts. If a merchant has configured Gold at 10,000 tokens for 15% off and Silver at 1,000 tokens for 5% off, the API tells you which tier the wallet qualifies for. It does not tell you how far above or below the threshold the wallet sits.

{
  "ok": true,
  "data": {
    "discount": 15,
    "breakdown": [
      {
        "symbol": "UNI",
        "tier": "Gold",
        "discount": 15,
        "chain": 1
      }
    ]
  }
}

A merchant sees "Gold tier, 15% discount." They do not see that the customer holds 47,000 UNI. The customer gets their discount. The merchant gets their sale. Nobody handles data they did not need.

What does not get stored

Privacy is not just about what the API returns. It is also about what happens on the server side. Here is what InsumerAPI does not persist:

• Full wallet addresses. Scan records contain only a truncated snippet (e.g., 0x1234...abcd) that cannot be used to look up a wallet on a block explorer.
• Token balances. Blockchain queries are transient. The server verifies the on-chain condition and records only whether it was met. No balance amount is ever written to a database or included in any log.
• Verification request bodies. API request logs track endpoint, timestamp, and credit usage. They do not store the wallet addresses or conditions from the request.

This is a design guarantee, not a configuration setting. The fields do not exist in the database schema. There is no admin toggle to turn them on. The data is architecturally absent. This architectural approach to privacy is also what informed the credential we never built.

Cryptographic proof, not trust

Every attestation response includes an ECDSA P-256 signature over the result and timestamp. This means a downstream system can verify the result offline using the public key. No second API call needed. No trust in a middleman.

For agent-to-agent workflows, this matters. An AI agent requests an attestation, receives a signed result, and passes it to another agent or service. The receiving party verifies the signature and knows the result came from InsumerAPI, was not tampered with, and was issued at a specific time. All without contacting the API again.

The timestamp is part of the signed payload. Verifications are point-in-time snapshots. A result from an hour ago proves what was true an hour ago, not what is true now. This is intentional. On-chain state changes with every block. The signature anchors the result to a specific moment.

What developers are building with this

Across GitHub, developers are opening issues for the same set of problems. They want to verify token ownership without managing RPC connections, contract ABIs, and chain-specific logic. Here are the patterns we see most often:

• Token-gated access. A freelance platform needs to verify that a user holds enough project tokens to unlock premium features. A game engine needs to verify a player meets the entry requirement before letting them into a token-gated arena. A creative platform wants to gate video content by NFT ownership. In each case, the developer needs a yes/no answer, not a balance dump.
• Tiered holder benefits. NFT projects want Bronze, Silver, Gold, and Diamond badges based on how many tokens a wallet holds. The tiers matter. The exact number does not. A verification API that returns the tier directly saves the developer from building their own threshold logic on top of raw balance data.
• Multi-chain verification. A payment processor wants to verify NFT ownership, but the NFT could be on Ethereum, Polygon, Base, or any of a dozen other chains. Managing separate RPC providers per chain is operational overhead that has nothing to do with the product the developer is building.
• Agent-to-agent trust. AI agent frameworks like LangChain need a way for one agent to prove on-chain credentials to another. A signed boolean result is the cleanest primitive for this. No balance data leaking into agent context windows, no financial profiles accumulating across sessions.

How this compares to other approaches

Developers evaluating on-chain verification have several options. Here is how they differ on privacy:

• Raw balance APIs (third-party providers) return full balances, all NFTs, complete transaction histories. The developer must build their own privacy layer on top. Most do not.
• Token gating tools (Collab.Land, Guild.xyz) verify holdings for Discord and Telegram communities. They pledge not to share wallet data, but the data exists on their servers. The privacy is a policy, not an architecture.
• Attestation services (Ethereum Attestation Service) provide flexible schema-based attestations, but they are general-purpose. You need to design your own schema, and the attestation contents are readable by default. EAS is also Ethereum-centric.
• ZK proofs (Zupass, zkVerify) are the theoretical gold standard for privacy. A zero-knowledge proof lets you prove a statement without revealing the underlying data. But ZK circuits add complexity: proving time, browser compatibility issues, and infrastructure overhead that most commerce use cases do not need.

InsumerAPI sits in a specific spot: practical data minimization without ZK complexity. Boolean results, ECDSA signatures, 33 chains, REST API. No circuit design, no specialized infrastructure, no schema definition. One HTTP call, one signed answer.

Built for AI agents

The AI agent ecosystem is growing fast. MCP servers, LangChain tools, OpenAI GPT Actions, and direct REST integrations are how agents connect to external services. InsumerAPI ships all four:

• MCP server (npm): 26 typed tools for Claude Desktop, Cursor, Windsurf, and any MCP-compatible framework.
• LangChain toolkit (PyPI): 26 tools for Python agents built on LangChain or LangGraph.
• OpenAI GPT: Full OpenAPI 3.1 spec for GPT Actions, with a pre-built GPT in the GPT Store.
• Direct REST: Any language, any framework, any HTTP client.

By default, every tool returns boolean results or discount tiers, not raw balances. An agent using InsumerAPI in standard mode cannot accidentally accumulate financial data about users. Callers who need trustless verification can explicitly opt in to Merkle storage proofs, which include raw balance data for independent on-chain verification. The privacy default is enforced at the API level, not left to the agent developer to implement.

Why developers choose this approach

The developers building on InsumerAPI tend to share a few priorities:

• Minimum viable data. They want to verify a condition, not build a wallet analytics dashboard. The less data their application touches, the simpler their compliance story.
• No data controller burden. Under GDPR, handling raw balance data makes you a data controller for financial information. Using an API that only returns booleans and tier names means you never take on that classification. You are a verification consumer, not a data processor.
• Agent-friendly design. AI agents operating autonomously should not be accumulating financial data about users. Boolean results keep the agent's context clean and focused on the task: does this user qualify?
• User trust. Token holders are more willing to connect their wallets when the verification service explicitly does not store their balances. "Ownership verified, privacy preserved" is not a tagline. It is the API contract.

33 chains, same privacy model

InsumerAPI verifies across 32 blockchains: Ethereum, Base, Polygon, Arbitrum, Optimism, BNB Chain, Avalanche, Solana, and 24 more. The privacy model is identical on every chain. Whether you are checking an ERC-20 balance on Ethereum or an SPL token on Solana, the response format is the same. Boolean result, tier name, discount percentage. No balance, no address, no chain-specific data leakage.

This consistency matters for developers building multi-chain applications. One integration, one response format, one privacy guarantee across every supported network. For how the API surface was designed for composability across verification, compliance, and commerce, see the architecture deep dive.

Try it yourself

Create a free API key on the developer portal. You get 10 verification credits to test the attestation endpoint across all 33 chains. Run a few calls and look at what comes back. You will see booleans, tiers, and signatures. You will not see balances.

That is the point.