Grant Application - Zcash Integration for the Open Wallet Standard (OWS)

Community Grants
6

Milestone Update - Zcash OWS Integration Complete

The integration is complete. Zcash is now a fully supported chain in OWS with shielded PCZT signing, unified address derivation, and lightwalletd broadcast.

PR: open-wallet-standard/core #204

Fork: github.com/Kenbak/core (MIT license, usable today)

What shipped

  • ows wallet create — ZIP-32 derivation from the shared BIP-39 seed. Zcash unified address (Orchard + Sapling receivers) appears alongside EVM, Solana, Bitcoin, and every other chain. One seed, all chains.

  • ows sign tx --chain zcash — Signs PCZTs. Applies Orchard, Sapling, and transparent spend authorization signatures. Skips non-matching actions (dummy/padding) automatically.

  • ows sign send-tx --chain zcash — Sign + finalize + broadcast via lightwalletd gRPC over TLS. End-to-end shielded send in one command.

  • Feature-gated — All Zcash dependencies are behind zcash-shielded. Non-Zcash builds stay lean.

  • 15+ integration tests, developer documentation (zcash-guide.md), updated CONTRIBUTING.md with Zcash build/test instructions.

Mainnet demo

Successfully broadcast a fully shielded Zcash transaction through OWS on mainnet:

  1. Check balance via zipher-engine

  2. Create a PCZT with zipher-cli send pczt (Creator + Prover roles — no signing key needed)

  3. Pass the PCZT hex to ows sign send-tx --chain zcash:mainnet (Signer + broadcast)

  4. Transaction accepted by the network

OWS DEMO
OWS DEMO1600×1277 320 KB

How to try it

OWS signs PCZTs, it doesn’t build them. You need something to create the PCZT first, then OWS signs it. Two options:

Option 1: zipher-cli (easiest)

zipher-cli is our headless Zcash wallet. It handles wallet creation, sync, and PCZT creation.


# 1. Create and sync a wallet

zipher-cli wallet create

zipher-cli sync start

# 2. Create a PCZT (unsigned transaction with ZK proofs)

PCZT=$(zipher-cli send pczt \

--to u1recipient... \

--amount 100000 \

| python3 -c "import sys,json; print(json.load(sys.stdin)['data']['pczt_hex'])")

# 3. Sign and broadcast via OWS

ows sign send-tx \

--chain zcash:mainnet \

--wallet my-wallet \

--tx "$PCZT"

Option 2: Any PCZT-capable tool

Any tool that produces a proved PCZT works. OWS doesn’t care where the PCZT comes from — it just signs. If you’re building on zcash_client_backend, the function you need is create_pczt_from_proposal followed by the Prover role. Pass the serialized bytes to OWS.

Tools that can create PCZTs today:

  • zipher-cli (zipher-cli send pczt)

  • Any app using zcash_client_backend::data_api::wallet::create_pczt_from_proposal

Works without upstream merge

The upstream PR is open at #204. Upstream acceptance is outside our control and was never a milestone condition.

The fork is MIT-licensed and fully functional today. You can clone it, build it, and use it. If the PR gets merged, Zcash ships to every OWS-adopting wallet and agent automatically. If it doesn’t, the fork works standalone.

What this enables

1. AI agent wallets with Zcash.

OWS is built for AI agents, it’s the interface between agents and wallets. With Zcash in OWS, any agent framework that adopts the standard (MCP, A2A, x402) can hold and spend ZEC shielded. The agent calls ows sign send-tx --chain zcash:mainnet, same API it uses for ETH or SOL. Privacy becomes a one-flag choice, not a separate integration.

2. Cross-chain operations from Zcash’s shielded pool.

One seed in OWS derives keys for every chain. An agent can fund operations from Zcash (private) and execute on EVM (public), same wallet, same seed.

3. Separation of signing from transaction construction.

The PCZT model means the signing key never touches the transaction builder. A server or untrusted environment can do the heavy computation (note selection, ZK proof generation, fee calculation), and OWS signs from a secure context. This is the same security model hardware wallets use, Keystone already ships it via Zodl.

4. Any OWS-compatible wallet gets Zcash for free.

As OWS adoption grows, every wallet and tool that integrates OWS automatically supports Zcash shielded transactions. No per-wallet integration needed. Build the standard once, distribute everywhere.

5. Developer tooling.

If you’re building a Zcash app and need signing infrastructure, you don’t have to build key management from scratch. OWS handles seed storage, encryption, key derivation. Your app just creates PCZTs and passes them to OWS.

2 Likes