This document outlines six pilot concepts designed to demonstrate how cryptographic and blockchain-based technologies can address structural challenges in city operations. Each concept targets a specific municipal pain point — from climate programme compliance to cross-agency data sharing — and describes a practical, scoped implementation that could be co-designed with a city partner.
Developed by the Ethereum Foundation Use Case Lab. These pilot concepts are intended as starting points for structured co-design with city partners and relevant stakeholders. Each concept can be adapted to local priorities, constraints, and technical environments.
The Use Case Lab can offer any or all of the following in support of a pilot:
Assistance with system design, integration planning, and technical documentation to connect pilot components with existing city infrastructure.
Financial support to cover development, testing, and deployment costs for scoped pilot implementations.
Introductions to relevant builders, researchers, and institutions across the Ethereum and public sector innovation ecosystems.
Documentation of pilot design, implementation process, and outcomes to support replication and adaptation by other cities.
A specific operational pain point that a city department is actively trying to address — not a theoretical interest in blockchain.
A department or team that can dedicate time to co-design sessions, provide workflow documentation, and test early implementations.
The ability to work within or alongside existing systems — access to relevant data flows, processes, and decision-makers.
Interested? usecaselab@ethereum.org
The following six concepts represent areas where cryptographic technologies can address concrete municipal challenges. Each is designed to be scoped, testable, and adaptable to local context.
Cities administer climate and sustainability programs — tree planting, building retrofits, fleet electrification, waste diversion — where compliance is tracked manually through spreadsheets, periodic inspections, and self-reported data. Verification lags behind activity by months, errors compound silently, and when programs are audited, the city often cannot produce a clear, time-stamped record of what was done, by whom, and whether it met the program's criteria. The result is low-confidence data that weakens both internal decision-making and external credibility, and leaves programs that are genuinely working unable to prove it.
Programme rules — eligibility criteria, reporting thresholds, verification requirements — are encoded as transparent, auditable logic. When a participant submits compliance data (sensor readings, inspection results, contractor reports), the system checks it against the programme's rules and records the result. If conditions are met, the system can trigger downstream actions (e.g., credit issuance, payment authorisation). If not, it flags gaps for human review. Every submission, check, and outcome is time-stamped and publicly verifiable — creating an audit trail that doesn't depend on any single department's record-keeping.
A city runs a building retrofit programme offering tax credits for energy efficiency improvements. Today, a building owner submits paper receipts and a contractor's letter; a city employee manually reviews the file months later. With programmable compliance, the contractor submits verified completion data, the system checks it against programme criteria (e.g., insulation R-value, window rating), and if compliant, automatically queues the credit for issuance — with every step logged and auditable.
Cities are increasingly tying vendor payment to measurable outcomes and performance metrics to strengthen accountability for public spending. However, this approach introduces significant compliance burdens on city staff who must now collect evidence, reconcile milestones against documentation, prepare approval packages, chase incomplete or incorrect submissions, and route multiple payment deliveries over the course of a contract. This delays payments to vendors who have already delivered, discourages smaller providers from applying to performance-based contracts due to the uncertainty and delays in receiving payment, and requires extra staff time and compliance effort.
Contract milestones and financial conditions are first encoded as measurable checks against vendor-submitted data. If these checks pass, they unlock milestone-based payment to the provider for delivery of services. When documentation is submitted, the system validates it against contract-defined criteria and either routes payment for authorisation or flags gaps for human review. The provider's outcome data is verified against contract-defined metrics automatically: a milestone met triggers payment authorisation, a milestone missed triggers review, and the full attestation chain is audit-ready.
Denver spent $274M on homelessness services over four years, but found that some providers were achieving permanent housing outcomes for as few as 2–4% of clients exiting their programmes. The city has since moved away from flat-fee contracts toward performance-based models, paying providers for specific outcomes like housing retention and reduced jail days. With programmable compliance, every submission, verification, and payment action is time-stamped and logged — creating a transparent, publicly inspectable record that the city, the vendor themselves, and the public can independently verify and track over time.
Every interaction between a resident and their city requires proving something such as residency, eligibility, enrolment status, age, address, qualifications, etc. Today, proving any one of these facts means over-sharing: handing over a full document that contains far more personal information than the interaction requires, and repeating the same process with every department, programme and service. The city must also spend time and develop processes to collect and store this data and perform the relevant checks, along with the legal burden and data protection obligations that come with it. The result is friction for residents, liability for the city, and a growing attack surface as AI-generated synthetic identities and deepfake documents become harder to detect and much more ubiquitous.
A simple city-issued digital credential that verifies specific facts about a resident: "lives in this jurisdiction," "is over 18," "is enrolled in programme X/Y/Z", without revealing any information beyond what is needed for that specific interaction. The resident experience will remain familiar: sign up once through a standard city portal, verify identity through existing processes, and from that point forward, every city service can confirm what it needs to know without collecting data on what it doesn't need to know. The underlying cryptography (zero-knowledge proofs) enables selective disclosure — the ability to prove a fact without exposing the data behind it to make data minimisation enforced at the technical level rather than just a policy goal.
If a resident applies for a district bus pass requiring proof of residency, then the system verifies "this person is a resident of this district" (verification) without the transit office ever seeing their full address (privacy preservation), and the verification result is logged instead of recording the personal data collected (compliance). This concept also applies to benefits eligibility across departments, age-gated service access, civic voting and participation verification, programme enrolment confirmation, and cross-jurisdictional service portability.
City departments hold critical information about residents pertaining to health, housing, income, benefits, education, etc, but this data is siloed across agencies with different systems and legal frameworks created to prevent the creation of centralized databases due to privacy concerns. Because of these precautions, data sharing agreements can take months or years to negotiate, often for a single data element, and residents need to re-prove identity and eligibility from scratch with every agency and programme. Many give up the process of accessing support and oftentimes the people who need the most help bear the heaviest documentation burden.
Zero-knowledge cryptography allows one agency to verify a specific fact from another's records, such as whether someone's income is below a threshold, without either agency seeing the underlying data. A proof is generated that proves a certain fact, however the raw data never has to leave an organization's database. As a result, no data sharing agreements are required because no data is ever shared. Combined with a portable, resident-held credential (see Digital ID pilot concept), a person can verify eligibility once and carry that status across every agency they interact with.
A single parent working two jobs qualifies for reduced-rate transit, subsidised childcare, and rental assistance. Today, they take time off work to visit three separate offices, fill out three separate applications, and provide the same proof of income documents to three separate intake workers, each of whom enters the information into a different system. The process takes weeks and requires multiple follow-up visits. With a portable verified credential, the parent proves income eligibility once at the first office. At the second and third, they present the credential and the system confirms eligibility instantly without the agency ever seeing their pay stubs, tax returns, or employer details. No data leaves any database. No data sharing agreement is needed. The parent accesses all three programmes in a single week instead of three months. This concept also applies to benefits navigation, refugee and newcomer coordination, cross-departmental case management, and multi-provider coordination for vulnerable populations.
Cities issue thousands of permits, licences, and certifications every year in the form of paper documents or entries in local databases. These formats make it difficult to verify documents outside the issuing body, requiring manual contact to confirm authenticity.
Every permit, licence, or certification issued by a city becomes a verifiable digital credential. Anyone — whether another department, jurisdiction, or member of the public—can verify authenticity instantly without contacting the issuing body. Revocation or expiry invalidates all copies simultaneously. Privacy-preserving cryptography ensures that no personal data can be extracted from the verification process, only the relevant fact ("this credential is valid") is confirmed.
A family moves to a new district and needs to enrol their child in a new school. Today this means manually requesting and transferring transcripts and proof of enrolment from the previous school. With verifiable credentials, the parent carries digital records issued by the previous school that the new school can verify instantly and independently. This concept also applies to health inspection certificates, building and occupancy permits, professional and trade licences, and vendor qualification certifications.
Investment and maintenance of public infrastructure like parks, libraries and urban green canopy is funded through municipal budgets that are increasingly constrained and often the first line item cut. When cities contract maintenance out, coverage is frequently incomplete with contractors not servicing every neighbourhood equally or leaving work unfinished. Residents who derive direct value from these assets have no mechanism to invest in their upkeep, and those who already informally maintain public spaces have no official framework to coordinate within or be compensated for that contribution.
A democratized investment mechanism and maintenance scheme, structured as a sidecar alongside existing municipal financing avenues, that allows residents and local businesses to directly fund specific local infrastructure. Returns can be structured through well known avenues like carbon credits or usage-based revenue. Residents can take on upkeep work that the city cannot afford to contract or that contractors are not covering, with visible coordination of contributions, asset condition, and work needed.
A city identifies a neighbourhood park where the maintenance contract covers structural repairs and routine seasonal upkeep. A community infrastructure bond for the park. A local café owner invests $500, a group of residents each put in $50, and a nearby business contributes $2,000. The bond funds a seasonal maintenance programme and generates returns for investors through carbon credits from the park's tree canopy. A retired resident who already mows the grass and trims hedges every week registers as a community maintainer, logs their work through the platform, and receives compensation from the fund which also received 3% of park revenue from the cafe and street vendor permit sales. The park's condition, fund balance, maintenance schedule, and contributor activity are all publicly visible and auditable.
Interested in exploring any of these for your city? We'd like to schedule a 45-minute co-design session with your team and relevant stakeholders to explore which of these areas fits your current priorities and what a scoped pilot could look like. Contact: usecaselab@ethereum.org