The Wallet in Your Pocket Now Holds Your National Identity
Your national identity now sits beside your airline miles, and the next hand to present it will not be yours
In India, the Aadhaar app now adds Aadhaar to Google Wallet in a single tap. DigiLocker issues the driving licence, the PAN, and Aadhaar as verifiable credentials a checker can validate on the spot. This is not a roadmap; it has been the phone in hand since spring, and it arrived quietly. And on 15 July, at the third IndiaโEU Trade and Technology Council in Brussels, the two governments put the next step in writing. The joint statement commits both sides to โadvance dialogue on digital wallet interoperability, including business walletsโ, and to explore โa pilot linking the EU Digital Identity Wallet and the Indian DigiLockerโ for citizens and entities, on jointly agreed use cases, building on Januaryโs mutual-recognition arrangement for electronic signatures. The same movement, going international, now with treaty language behind it.
It is worth being precise about what has happened, because the mechanism is quiet and the consequence is not. A wallet people have used for years has been handed legal identity. It runs on the same issuance standard as Europeโs. And the next thing to present that identity will not be its owner.
Layer 8 read the blueprint behind this last week in Wrappers, Not Records, a close reading of the World Bankโs wallet policy series. This issue follows the design to where it has already arrived, and to the one feature of the arrangement that has stayed exactly the same at every stage, from the loyalty card to the border check.
The wallet you already carry
People have been using a credential wallet for years without calling it that.
Open the wallet app on a phone. It holds payment cards, a coffee-shop balance, a supermarket loyalty account, airline miles, a gift card, a concert ticket, a boarding pass. Each is, underneath, the same kind of object: a small signed claim some issuer stands behind. This card is valid. This account has 40,000 miles. This ticket admits one. The holder presents the claim; a verifier, a payment terminal, a gate, a check-in desk, reads it and acts.
That is the entire mechanic. An issuer who attests, a holder who keeps and presents, a verifier who checks and does something as a result. A clean, well-built set of roles, and it worked so smoothly for cards and coffee and miles that most people never noticed it hardening into infrastructure.
What changed is not the mechanic but the contents. The same wallet that holds the miles now holds a government identity credential. In India, the Aadhaar app issues Aadhaar as a verifiable credential and offers to add it to Google Wallet, under Googleโs partnership with UIDAI; DigiLocker issues the driving licence and PAN the same way. In Europe, the EU Digital Identity Wallet is being built to carry the same kind of credential, and commercial wallets can seek certification to hold it. The container did not change; the claim inside was upgraded from a coffee balance to who a person legally is.
There is one more fact that makes the IndiaโEU pilot possible at all. The Indian credential and the European one are issued on the same international standard, OpenID4VCI. One issuance standard now carries a coffee balance, a national ID, and a European identity attestation, interchangeably.
The gap, in something already in the pocket
Before this becomes about identity, notice something already true of the miles and the gift card.
When an airline devalues its miles overnight, and they do, who does the holder appeal to? When a balance is frozen, a gift card voided, a loyalty tier recalculated in the issuerโs favour, where do they go? To the issuer. On the issuerโs terms. The holder has the points and can spend them or not. But there is no place in the record, the evidence trail a presentation and its outcome leave behind, where the person the balance belongs to can dispute what the balance became. They hold the claim; they have no standing against the decision that changed it.
It is tempting to answer that the credential sits in the holderโs own wallet, on their own device, and that possession is protection. But look at what possession actually contains. The wallet holds the claim. The decision is made by the verifier, the gate, the terminal, the airlineโs system, and the record of that decision is written and kept in the verifierโs system, next to the consequence it produced.
The wallet can prove that a presentation happened. It cannot see what was decided, and it holds no seat where the deciding was done.
So the wallet gives the holder exactly one power: present, or decline to present. It gives no power to contest what presenting decides, to compel anyone to re-examine a number a system produced, or to carry a correction to the next verifier. People have lived with this omission comfortably because airline miles were harmless. The design was fine because the stakes were trivial.
Hold that shape, the holder who can present but cannot contest, because the claim in the wallet is no longer miles.
The same wrapper, much higher stakes
This exact design is now being carried in two directions at once.
The first direction is upward, from credentials to assets: a land title, a fund unit, a deposit, a carbon credit, represented as a signed claim on a programmable ledger, held and transferred the way a credential is presented. Bank-grade forecasts size that market anywhere from roughly two trillion dollars to sixteen trillion by 2030, the eightfold gap a matter of definition, not direction. The token records the asset, the owner, and the logic that moves it, nothing more. From the loyalty point to the national-ID credential to the tokenised title, the roles never change: issuer, holder, verifier; owner, transfer.
So the asymmetry shrugged off for miles rides all the way up. On a ledger built for permanence, a wrong entry is not a devalued balance to grumble about. It is a fact expensive or impossible to unmake, and the record still has no place for the person that fact falls on. The training-wheels version of the gap was the miles. The full-speed version is the title, or an identity credential wrongly refused at a counter.
The step that changes who is holding the wallet
The second direction is nearer: the holder stops being a person.
The point of a wallet is convenience, and the next increment of convenience is not tapping to present but not tapping at all. An agent attached to the wallet presents on the holderโs behalf, approving routine disclosures so a person does not have to. Once a national-ID credential sits in a consumer wallet next to the boarding pass, the agent that already wants to check in the flight will present the identity credential the same way, at machine speed, while the holder sleeps.
Here the two problems meet. The walletโs single power, present or decline, moves from the person to the agent; the consequence stays with the person. The verifier, meanwhile, receives a presentation cryptographically identical to one a human made, and reads it as evidence that a person saw the disclosure and approved it. Nothing in the record separates โthe holder decidedโ from โthe holderโs agent decidedโ. For teams shipping agentic wallet flows this is a liability seam and a fraud seam before it is anything abstract: the signature attests key control, not human approval, and the record cannot say which happened. Possession makes this worse, not better. Because the credential lives on the personโs own device and signs with their own key, the agentโs presentation is indistinguishable from theirs by design, and the misattribution arrives looking airtight.
Step back and the structural change underneath all of this can be said plainly: automation separates presentation from consequence. A protocol event now produces a legally or economically consequential outcome with no human decision-maker in between, which means whatever evidence survives the decision is whatever the protocol chose to preserve. The protocol is no longer only proving a claim. It is participating in a state change.
The participant every wallet architecture omits
Here is what is common to the miles, the national-ID credential, the tokenised title, and the agent presentation.
Verification answers whether a credential is authentic. Whether the consequence of using it can still be attributed, reviewed, and corrected depends on what evidence the protocol preserved.
Every case above is strong on the first question and silent on the second.
Every wallet credential names a subject, the person the credential is about. But there is a second party these systems act upon: the person a decision is about, the one a consequence lands on. Usually the two are the same person, present your own credential, be decided about, everything works. The identity community has even started sensing the seam: the W3C model deliberately keeps โHolderโ abstract, and the World Bankโs own wallet note quietly splits that role into user and wallet application, because the abstraction was hiding a distinction that matters. The abstraction was a reasonable choice; autonomous agents are precisely what now exposes it.
The two parties come apart the moment the holder is not the person the decision falls on. An employer presents an employeeโs credentials. A guardian presents for a child. An agent presents for a citizen who is not in the room. And in India, wallet-based Aadhaar checks on delivery and gig workers at housing-society gates are among the announced launch uses: the resident or platform holds and runs the check, the worker at the gate is the one the decision is about, and if the check goes wrong the worker is turned away with no presence in the record of the decision. In every case, that person enters the record as the credentialโs subject and exits it entirely.
Call that party the decision subject: the person a decision is about, as distinct from the person a credential describes; more generally, the principal a consequence falls on, a person here, but equally an organisation or any other legal subject. For airline miles, the decision subject with no seat is you, and it costs some points. At the gate, it is a worker who cannot ask why. On a tokenised registry, it is a title.
To see the parties plainly, take the phone in your own hand, with Aadhaar in the wallet, and walk three steps.
Present it yourself at a counter, and every role coincides: the credential is about you, you hold it, the decision lands on you. Nothing is missing, which is exactly why the gap stays invisible in the ordinary case, and why nobody built the field.
Authorise an agent, and the first separation appears. The decision still lands on you, but the verifierโs record shows only your keyโs valid signature; it cannot say whether you pressed present or the agent did at three in the morning. The missing fact is who operated.
Now let someone elseโs system check your credential, as at the gate above. The holder and the operator are them; the decision lands on you; and their record of that decision, the only place the refusal exists, has no field for you. The missing fact is who it was about.
Two separations, two missing facts: who acted, and who bears it. Those are the only two facts everything below will ask the record to carry.
To be exact about the criticism: unlike issuer, holder, and verifier, the decision subject is not a participant in the credential exchange at all, which is why exchange-focused models generally do not represent it as a first-class participant. Nothing in todayโs cryptography prevents representing this party. The omission is architectural rather than technical, in that wallet protocols simply do not model the principal who bears the consequence as a first-class part of the record, the record here meaning the interoperable evidence a presentation and its outcome generate.
And the omission went unnoticed for a reason: presentation and consequence used to happen together, one person, one counter, one moment. Delegated presentation and autonomous agents separate those two events for the first time at scale.
Why cross-border scale is the tipping point
Inside one country this gap has a cushion: a national complaints process, a regulator, a court, wrapped around the system even when absent from the record. The institutions exist; they are simply not represented in the interoperable infrastructure itself.
The IndiaโEU pilot removes the cushion. When a credential from one system is denied or misread in the other, the two recourse processes sit in different legal orders, and there is no shared path by which the person a cross-border decision was about can query the record that decided, reach someone obliged to re-examine it, and carry a correction to the next verifier. The next counter is now in another country. Mutual recognition of a signature is being extended across the border, and at every assurance level below the very top, the burden of disputing that signature falls on the person contesting it. The convenience travels. The recourse does not. Interoperability without addressability scales verification faster than it scales accountability.
What a standard could adopt, without a new paradigm
The argument is not that wallets should adjudicate disputes, and not that Google Wallet or any wallet creates this gap by storing credentials; wallet ecosystems normalise an interaction model whose only protocol operation is presentation. Protocols need not adjudicate anything. They only need to preserve enough information that institutions can connect a consequence back to the party it fell on. The division of labour is clean: protocols identify who a decision was about and who operated; institutions decide how disputes are handled; deployments decide what obligations follow. Consent flows already cover the moment before an action; this concerns the moment after, a different lifecycle stage.
The protocol change required is deliberately scoped: it is intended for consequential, interoperable decision flows, not for every presentation everywhere. It alters nothing about issuance, signatures, or verification; it makes two previously implicit facts explicit and gives delegation a visible end. Three schema properties, each testable by a certification body:
The record can name the decision subject, when that party is not the holder presenting, by a pseudonymous, purpose-bound reference that is never a plaintext identifier, never used for verification, and never an input to the decision itself. Addressability is not visibility; the World Bankโs own guidance for excluded populations already recommends recording nothing legible and routing checks through governed back-end attributes.
The record marks who operated, so an agent-driven presentation is distinguishable from a human one, closing the seam above.
Decay is a visible event, so every credential and delegated session ends in a way the subject can see, and reissue is a new act, never a silent one.
The first two have been drafted for standards discussion as exactly that: two minimal, descriptive claims that distinguish who operated from who bears the consequence, one naming the decision subject, one marking the operator. They are deliberately narrow: representation and legibility only, with the contest mechanism left where it belongs, in law and deployment. They are linked in the Layer 8 piece for anyone who wants to read or challenge the actual text.
The question to carry into procurement
For a CPTO wiring wallets into a product, a certification body writing conformance tests, or a policymaker adopting this pilot, the argument compresses to three verbs. When a system decides something about a person, can they query the record that decided, contest it to someone obliged to evaluate and answer, and rely on the outcome holding at the next counter, or do all three paths end in a complaints inbox? A system that can be inspected but not contested is an open loop. People have lived with a benign one for years, every time an airline moved their miles. The same open loop now holds a national identity, is being wired across a border, is heading toward ledgers whose entries do not reverse, and is about to be operated by an agent, and the record still cannot name the person the decision falls on.
The identity question, who are you, has been answered exhaustively. The accountability question, who bears this decision, and can they still be reached once the protocol has finished, is the one now standing at the gate.
Layer 8 examines the decisions hidden inside technology. This issue follows Wrappers, Not Records, a close reading of the World Bankโs 2026 Digital Wallet Policy Note Series.



