GitHub Application: Issue #255

MoonPay open-sourced the Open Wallet Standard (OWS) on March 23, backed by PayPal, Circle, Ripple, Solana Foundation, Ethereum Foundation, and 15+ others. One BIP-39 seed, one encrypted vault, every chain. EVM, Solana, Bitcoin, Cosmos, Tron, TON, all supported. No privacy chains.

This grant adds Zcash to OWS with full PCZT signing support. Fork open-wallet-standard/core, implement the Zcash chain module, submit an upstream PR. Zcash becomes the first privacy-preserving chain in the standard.

What it does

OWS does the same thing for every chain: store keys, sign pre-built transactions. For EVM that’s signing RLP-encoded payloads. For Zcash that’s signing PCZTs.

The integration adds three commands:

• ows wallet create - ZIP-32 key derivation from the shared BIP-39 seed, produces a Unified Address with Orchard and Sapling receivers alongside all other chains.

• ows sign tx --chain zcash - The core deliverable. Takes a PCZT with proofs already applied, decrypts the spending key, applies Orchard/Sapling/transparent spend authorization signatures, returns the signed PCZT.

• ows sign send-tx --chain zcash - Sign + finalize + broadcast via lightwalletd. End-to-end shielded send in one command.

This is the same PCZT-based signing pattern that Keystone ships via Zashi and OneKey is building under ZCG Grant #228.

Why now

OWS is at v1.0.0 and the chain interface is still being shaped. Agentic payments are moving from experimental to production - x402, MPP, A2A. The chains in OWS get distribution. The chains not in OWS don’t.

If Zcash isn’t in the standard when it matures, adding it later gets harder.

What already exists

The Zcash engine behind CipherScan and CipherPay and zipher-cli already implements ZIP-32 derivation, Sapling + Orchard proof generation, PCZT creation, and lightwalletd sync in production on mainnet. This grant is integration work, wiring that engine into OWS’s chain interface, not reimplementing Zcash cryptography.

Budget

$25,000 - 3 weeks full-time. Single milestone + startup payment.

• Week 1: OWS codebase analysis, chain registration, ZIP-32 key derivation bridge

• Week 2: PCZT signing (Orchard, Sapling, transparent), lightwalletd broadcast, tests

• Week 3: Mainnet validation, upstream PR prep, docs, this forum post with results

Full application details in the GitHub issue linked above. Questions welcome.

I started working on the OWS integration ahead of the grant decision. I believe this is important enough that waiting wasn’t an option, Zcash being in OWS alongside Ethereum, Solana, Bitcoin, and the rest puts it in front of every wallet and agent that adopts the standard. That’s distribution you can’t buy.

The core integration works: ZIP-32 derivation from the shared BIP-39 seed, PCZT signing (Orchard + Sapling + transparent), lightwalletd broadcast with TLS, all functional on mainnet. I submitted a demo to the OWS Hackathon to showcase real use cases built on top: an autonomous prediction market agent that funds cross-chain trades from Zcash’s shielded pool. The hackathon entry is a proof of concept for the grant deliverables, not separate work.

The code is functional but early. No audit, no edge case hardening, no upstream PR yet. That’s what the grant is for, turning a working proof of concept into a production-ready contribution with proper tests, docs, and a clean PR to open-wallet-standard/core.

If the grant gets accepted, the upstream integration ships faster with dedicated time for the polish that matters. If not, I’ll still release it, Zcash should be in every multi-chain standard that matters, and OWS is the one that’s gaining traction right now.

Here’s the tweet:

@Kenbak at the most recent meeting, ZCG voted to approve this proposal. Congratulations!

To keep the community informed, ZCG requests that you provide monthly updates via the forum in this thread.

Please check your forum inbox for a direct message from FPF with important next steps, including a link to the Milestone Payment Request Form and your unique validation code for submitting payment requests.

Amazing, thanks a lot! Back to work

Milestone Update - Zcash OWS Integration Complete

The integration is complete. Zcash is now a fully supported chain in OWS with shielded PCZT signing, unified address derivation, and lightwalletd broadcast.

PR: open-wallet-standard/core #204

Fork: github.com/Kenbak/core (MIT license, usable today)

What shipped

• ows wallet create — ZIP-32 derivation from the shared BIP-39 seed. Zcash unified address (Orchard + Sapling receivers) appears alongside EVM, Solana, Bitcoin, and every other chain. One seed, all chains.

• ows sign tx --chain zcash — Signs PCZTs. Applies Orchard, Sapling, and transparent spend authorization signatures. Skips non-matching actions (dummy/padding) automatically.

• ows sign send-tx --chain zcash — Sign + finalize + broadcast via lightwalletd gRPC over TLS. End-to-end shielded send in one command.

• Feature-gated — All Zcash dependencies are behind zcash-shielded. Non-Zcash builds stay lean.

• 15+ integration tests, developer documentation (zcash-guide.md), updated CONTRIBUTING.md with Zcash build/test instructions.

Mainnet demo

Successfully broadcast a fully shielded Zcash transaction through OWS on mainnet:

1. Check balance via zipher-engine

2. Create a PCZT with zipher-cli send pczt (Creator + Prover roles — no signing key needed)

3. Pass the PCZT hex to ows sign send-tx --chain zcash:mainnet (Signer + broadcast)

4. Transaction accepted by the network

OWS DEMO1600×1277 320 KB

How to try it

OWS signs PCZTs, it doesn’t build them. You need something to create the PCZT first, then OWS signs it. Two options:

Option 1: zipher-cli (easiest)

zipher-cli is our headless Zcash wallet. It handles wallet creation, sync, and PCZT creation.

# 1. Create and sync a wallet

zipher-cli wallet create

zipher-cli sync start

# 2. Create a PCZT (unsigned transaction with ZK proofs)

PCZT=$(zipher-cli send pczt \

--to u1recipient... \

--amount 100000 \

| python3 -c "import sys,json; print(json.load(sys.stdin)['data']['pczt_hex'])")

# 3. Sign and broadcast via OWS

ows sign send-tx \

--chain zcash:mainnet \

--wallet my-wallet \

--tx "$PCZT"

Option 2: Any PCZT-capable tool

Any tool that produces a proved PCZT works. OWS doesn’t care where the PCZT comes from — it just signs. If you’re building on zcash_client_backend, the function you need is create_pczt_from_proposal followed by the Prover role. Pass the serialized bytes to OWS.

Tools that can create PCZTs today:

• zipher-cli (zipher-cli send pczt)

• Any app using zcash_client_backend::data_api::wallet::create_pczt_from_proposal

Works without upstream merge

The upstream PR is open at #204. Upstream acceptance is outside our control and was never a milestone condition.

The fork is MIT-licensed and fully functional today. You can clone it, build it, and use it. If the PR gets merged, Zcash ships to every OWS-adopting wallet and agent automatically. If it doesn’t, the fork works standalone.

What this enables

1. AI agent wallets with Zcash.

OWS is built for AI agents, it’s the interface between agents and wallets. With Zcash in OWS, any agent framework that adopts the standard (MCP, A2A, x402) can hold and spend ZEC shielded. The agent calls ows sign send-tx --chain zcash:mainnet, same API it uses for ETH or SOL. Privacy becomes a one-flag choice, not a separate integration.

2. Cross-chain operations from Zcash’s shielded pool.

One seed in OWS derives keys for every chain. An agent can fund operations from Zcash (private) and execute on EVM (public), same wallet, same seed.

3. Separation of signing from transaction construction.

The PCZT model means the signing key never touches the transaction builder. A server or untrusted environment can do the heavy computation (note selection, ZK proof generation, fee calculation), and OWS signs from a secure context. This is the same security model hardware wallets use, Keystone already ships it via Zodl.

4. Any OWS-compatible wallet gets Zcash for free.

As OWS adoption grows, every wallet and tool that integrates OWS automatically supports Zcash shielded transactions. No per-wallet integration needed. Build the standard once, distribute everywhere.

5. Developer tooling.

If you’re building a Zcash app and need signing infrastructure, you don’t have to build key management from scratch. OWS handles seed storage, encryption, key derivation. Your app just creates PCZTs and passes them to OWS.