Verifiable Cities is an applied research initiative exploring how open digital infrastructure can improve coordination, resource allocation, and trust in municipal operations and public service delivery. In Q1 of 2026, a discovery process was conducted to identify opportunities to strengthen state and civic capacity through transparent digital systems. These discussions, spanning North America, Europe, and Asia-Pacific and through conversation with municipal governments, startups, public sector innovation funders, and civic technology organizations, surfaced a set of common pain points and levers. The concepts that follow synthesize these insights into six areas of focus.
An initiative of the Ethereum Foundation, a nonprofit that develops open-source cryptographic infrastructure used by communities, governments, financial institutions, and enterprises worldwide.
Open to city governments and teams across the broader public interest ecosystem, the DPI Pilot Programme will select up to five participating projects in Summer 2026. Projects may build on the areas outlined below or propose a new pilot concept. The Verifiable Cities initiative will work with teams to provide the following support:
Technical support will be available to co-design and scope, architect, and build out pilots. Bespoke support, such as funding, may also be explored on a case-by-case basis, with opportunities for follow-on support. No financial commitment is required from pilot teams.
Outputs will be open-source where possible, contributing to a growing commons of public infrastructure tools. There are no procurement obligations or required integrations and expansions post-completion of the pilot.
The underlying technology will be abstracted where possible for simple and practical user interfaces. All outputs will be developed with end users in mind, whether residents, city staff, or vendors.
Pilot teams join a cohort of leading initatives tackling similar challenges, with opportunities to showcase results, shape emerging digital public infrastructure best practices, and exchange insights.
Each pilot requires a named project team, agency or department willing to engage operationally during the agreed upon timeline.
Teams must have a specific pain point/opportunity they would like to explore. Pilots can be existing, new or co-designed with the Verifiable Cities team as part of the selection process.
If you have questions, an existing project, or an idea not reflected in the concepts below, we encourage you to get in touch over email or schedule a call.
The following six concepts represent the strongest patterns from our conversations with cities and municipal innovation initiatives. Each addresses a different challenge applicable across municipal processes and systems, from climate resilience to housing.
Concepts can be considered individually or combined: for example, Programmable Policy (Concept #1) and Privacy-Preserving Digital IDs (Concept #3) together enable an automated policy flow where deliberative input from verified residents is embedded directly into the system's logic. Combining these two concepts addresses a gap frequently described by cities and related actors where participatory processes run separately from the policies and programs they're meant to shape.
Cities produce a significant amount of policy and programme guidance that never fully reaches the people it is meant to serve. Not because it is poorly designed, but because the gap between writing a policy and implementing it consistently is wide and largely invisible. Whether a rule is applied depends on who is working that day, how they read the relevant document, and whether they have access to the right information at the right time. The same policy can be applied differently across districts, departments, or teams with no mechanism for the city to know. By the time the inconsistency surfaces, through a resident complaint, an audit, or press coverage, the people the policy was written for have already missed out.
Policy and programme logic is made explicit: written out as structured, human-readable rules that both staff and systems can read, test, and verify. When a defined condition is met, the corresponding response is initiated and every action is timestamped and logged. This is not autonomous decision-making. Staff retain full oversight and the ability to intervene at any point, and decisions that require human judgement remain with humans. What changes is that the routine, rule-based layer of implementation no longer depends on the right person being available or interpreting the document correctly. Because the logic is explicit, it can be tested before a policy goes live, audited after the fact, and updated with confidence when policy changes. The implementation gap becomes visible and manageable for the first time.
A city has a policy entitling residents in certain postcodes to additional support services when a defined set of environmental or social conditions are met. The policy exists in writing. Staff know it exists. But whether it is being applied consistently across all eligible areas depends on individual staff members checking conditions manually, interpreting thresholds correctly, and initiating the process on the right timeline. In some districts it happens reliably. In others it does not, and the city has no way to tell the difference without a manual audit. With programmable policy, the conditions are encoded directly against the relevant data sources. When a threshold is crossed, the response is initiated, logged, and auditable. A manager can see at any time whether the policy is being applied, where it has been triggered, and whether the response happened within the expected timeframe. The implementation record exists whether or not anyone was watching. This concept also applies to benefits eligibility triggers, emergency response protocols, environmental threshold enforcement, housing inspection escalations, and any programme where consistent application across populations or geographies is a policy goal.
Cities rely on hundreds of nonprofit and private providers to deliver critical services to residents, from after-school programmes and meal delivery to shelter and healthcare. Tying payment to measurable outcomes and milestones is a reasonable way to strengthen accountability for that spending. In practice, it creates a significant manual burden: city staff must collect evidence, reconcile milestones against documentation, prepare approval packages, chase incomplete submissions, and route payment across multiple stages for every contract. The result is that providers who have already delivered services wait months to be paid, while staff spend time on compliance administration instead of oversight. Smaller nonprofits, which often have no capital cushion to absorb delays, are disproportionately affected, sometimes taking out loans at unrecoverable cost just to keep operating while a payment works its way through the approval chain.
Contract milestones and payment conditions are encoded upfront as structured, verifiable checks. When a provider submits documentation, the system validates it against the contract criteria automatically and either routes payment for authorisation or flags the gap for human review. A milestone met triggers payment. A milestone missed triggers a review. Staff remain in control of oversight decisions, but the routine compliance work, the chasing, the reconciling, the packaging, happens without manual handling. Every submission, verification, and payment action is timestamped and logged, creating an audit trail that is available to the city, the provider, and where appropriate, the public.
A nonprofit provider delivers youth employment services under a performance-based contract with a city workforce development department. The contract pays out across four milestones: programme enrolment, completion, job placement, and 90-day job retention. Today, the provider submits a package of documentation for each milestone to a contract manager, who manually reviews it, checks it against the contract terms, prepares an approval package, and routes it for payment authorisation. Each stage takes days to weeks, and the provider regularly waits two to three months between milestone delivery and payment. With a programmable contract, the provider submits documentation directly against the defined milestone criteria. The system checks it, flags any gaps, and routes a payment authorisation automatically. The provider is paid within days of a verified milestone. The contract manager reviews exceptions rather than every submission. This concept also applies to homelessness services, social care contracts, infrastructure maintenance, housing support programmes, and any service contract where payment is tied to verified delivery.
Every interaction between a resident and their city requires proving something: residency, eligibility, enrolment status, age, address, or qualifications. Today, proving any one of these facts means over-sharing, handing over a full document that contains far more personal information than the interaction requires, and repeating the same process with every department, programme, and service. The city must also develop processes to collect, store, and check this data, along with the data protection obligations that come with it. This creates friction for residents and an expanding store of sensitive data that the city is responsible for protecting. As AI-generated synthetic identities and deepfake documents become easier to produce, the documents cities currently rely on for verification are also becoming easier to forge.
A city-issued digital credential that a resident holds and controls, which can prove specific facts, "lives in this jurisdiction," "is over 18," "is enrolled in programme X", without revealing any information beyond what that specific interaction requires. Sign up once through a standard city portal, verify identity through existing processes, and from that point forward every city service can confirm what it needs to know without the resident handing over a document and without the city collecting data it does not need. The underlying cryptography, zero-knowledge proofs, enables selective disclosure: the ability to prove a fact without exposing the data behind it. Data minimisation becomes a technical property of the system rather than a policy goal that depends on staff compliance.
A resident applies for subsidised childcare. The programme requires proof that their household income falls below a threshold and that they live within the borough. Today the resident submits payslips, a tax return, and a utility bill, all of which are photocopied and stored in a case file. Staff manually check each document and enter the relevant details into the system. With a privacy-preserving digital ID, the programme receives a confirmation that both conditions are met, without seeing the underlying documents or storing any of the personal data behind them. The resident does not need to gather paperwork. The city does not need to store sensitive financial records. The check takes seconds rather than days. This concept also applies to age-gated service access, housing application eligibility, voting and participatory democracy, programme enrolment confirmation, and cross-jurisdictional service portability.
City departments hold information about residents across health, housing, income, benefits, and education, but this data is siloed across agencies with different systems and legal frameworks. Those frameworks exist for good reason: they were designed to prevent the creation of centralised databases and protect resident privacy. The problem is that until now, the only way for one agency to act on what another agency knows was to transfer the underlying data, which triggered the full weight of data sharing legislation and could take months or years to negotiate for a single data element. Without a technical alternative, the privacy protections that were meant to protect residents have also made it harder for those residents to access the services they are entitled to.
Zero-knowledge cryptography allows one agency to verify a specific fact held by another, such as whether a resident's income falls below a programme threshold, without the underlying data ever leaving the originating system. No record is transferred. No centralised database is created. The receiving agency gets a confirmation of the fact it needs, nothing more. Because no data moves between organisations, the traditional data sharing agreement is not triggered, though appropriate governance and consent frameworks still apply. This is a technical solution to a problem that has previously only had legal and administrative workarounds.
A housing department wants to confirm whether an applicant for emergency rental assistance is already receiving income support from the social services department before processing their application. Today this check either does not happen, creating duplicate payments, or requires a formal data sharing request that delays the process by weeks. With cross-agency verification, the housing department sends a query: does this resident currently receive income support above a defined threshold? The social services system returns a yes or no confirmation. No personal records are transferred. The applicant does not need to provide documentation. The housing department gets the answer it needs to make a decision in real time. This concept also applies to benefits eligibility checks across departments, refugee and newcomer service coordination, cross-departmental case management, and any programme where eligibility depends on information held by another agency.
Cities issue thousands of permits, licences, and certifications every year covering everything from food handler qualifications and trade licences to building permits and health inspection certificates. Verifying any of these outside the issuing department currently means a phone call, an email, or a manual database lookup, and the answer is only as reliable as the person on the other end. Fraudulent or expired credentials circulate because there is no way for a recipient to check status independently. When a licence is revoked, existing copies held by third parties remain in circulation with no mechanism to invalidate them.
Every permit, licence, or certification issued by a city becomes a verifiable digital credential that any authorised party can check instantly and independently, without contacting the issuing body. The key operational difference from a digital PDF or database record is revocation: when a licence expires, is suspended, or is revoked, all copies are invalidated simultaneously. A third party checking the credential gets a live status, not a snapshot from the day it was printed. The verification process confirms only the relevant fact, that the credential is currently valid, without exposing any personal data beyond what the recipient is entitled to see.
A restaurant applies for a catering permit to operate at a city event. The event organiser needs to confirm the permit is valid before the vendor is allowed on site. Today this means the organiser contacts the permits office, waits for a response, and accepts a PDF that may or may not reflect current status. With a verifiable credential, the organiser scans or checks the permit in seconds, receives a live confirmation that it is valid and has not been suspended, and the check is logged without any personal data leaving the issuing system. If the permit is later revoked, the same check would immediately return a negative result regardless of what documents the vendor is holding. This concept also applies to trade and contractor licences, food handler certifications, building and occupancy permits, professional qualifications, and vendor compliance records.
Keeping a public park or square functional involves a significant amount of coordination, inspection, reporting, and reactive work that residents never see and that city staff have no easy way to make visible. Work orders are logged in disconnected systems, informal maintenance contributions from residents or local organisations go unrecorded, and the condition of an asset at any given moment is difficult to establish without a site visit. When budget conversations happen, the labour that has been holding an asset together is largely invisible, which makes it easy to cut and hard to defend. When contractors underdeliver, there is often no clear record of what was and was not done.
A shared, verifiable record of what has been done to a public asset, by whom, and when. City staff, contractors, and community members who contribute maintenance work can log activity against a specific asset, creating a timestamped and auditable history that is visible to the city and, where appropriate, to the public. Condition reports, work orders, inspections, and informal contributions all flow into the same record. This gives city departments a defensible picture of what an asset actually costs to maintain, where gaps in contractor coverage are occurring, and what community activity already exists that the city is currently not capturing or coordinating.
A parks department manages 40 neighbourhood parks under a single maintenance contract. In practice, contractor coverage varies significantly across the portfolio and several parks are informally maintained by nearby residents or community groups who have no official way to log their contributions. When budget cuts are proposed, the department cannot easily demonstrate the actual maintenance load or the gap that would be left. With a shared asset record, every inspection, work order, and logged contribution is tied to a specific park and visible in one place. The department can show what each park costs to maintain in real terms, identify where the contract is not being met, and surface the community activity that is already filling the gap. This concept also applies to libraries, urban green canopy, community centres, street furniture, and any public asset maintained across multiple responsible parties.
Reach out at usecaselab@ethereum.org or schedule a call