Deterministic DIDs and Golden Records via HMAC-SHA256

Every contact and company gets a permanent cryptographic identity. The same person across your CRM, ad platforms, and email tools always resolves to the same entity. Deterministic Digital Identity Documents (DIDs) built on HMAC-SHA256 ensure immutable, stable identifiers across your entire data ecosystem.

Try Identity Resolution Technical Docs

How Identity Resolution Works

Deterministic cryptographic identifiers that follow people across jobs, tools, and data sources.

Immutable

Deterministic DIDs

Signal priority determines the DID: LinkedIn URL first, then email, then phone, then domain. HMAC-SHA256 generates a deterministic, immutable identifier. The same input always produces the same DID, across any system.

Per-Tenant

Golden Records

Golden Records provide a per-tenant view of each entity: did:icustomer:<tenantID>:person:<hmac>. Universal DIDs enable cross-tenant deduplication: did:icustomer:global:person:<hmac>. The oGraph stores and caches all resolved entities.

7 Tables

oGraph Identity Store

PostgreSQL knowledge graph with tables for did_registry, did_sameas (Golden to Universal DID mapping), persons, companies, employment edges, decision_trace (immutable audit trail), and provenance_vcs (provenance hash records).

Unified

Cross-System Resolution

A contact that enters via REST API, MCP, CLI, or Gateway all resolves to the same DID. The same person in Salesforce, HubSpot, LinkedIn Ads, and email tools is always recognized as one entity. No duplicates across systems.

Why Deterministic Beats Probabilistic

Probabilistic matching guesses based on patterns and scores. Deterministic matching computes identity from verified signals. OneSource uses a strict signal priority: LinkedIn URL takes precedence, then email, then phone, then domain. HMAC-SHA256 ensures the same input always produces the same DID. No confidence thresholds to tune, no false merges from fuzzy logic.

HMAC-SHA256Signal PriorityZero False Merges

See Identity Capabilities

Media placeholder

Champion Tracking Across Job Changes

When a contact changes jobs, their DID persists. The POST /v1/contact/champion-tracking endpoint detects employment transitions, updates the contact record, and enriches the new company data. The full history of interactions and attributes is maintained across the person's career. Set up monitoring via the CLI with onesource schedule create for automated job-change alerts.

Champion TrackingJob ChangesPersistent DIDs

Media placeholder

Identity Resolution FAQ

Signal priority for HMAC-SHA256 hashing: LinkedIn URL (highest priority), email, phone, then domain. The first available signal in priority order determines the DID. Multiple identifiers are stored but only the highest-priority signal drives the hash.

Golden Records are per-tenant: did:icustomer:<tenantID>:person:<hmac>. They represent your view of a contact. Universal DIDs are cross-tenant: did:icustomer:global:person:<hmac>. They enable deduplication across organizations. The did_sameas table maps between them.

The oGraph is a PostgreSQL knowledge graph with dedicated tables: did_registry for Universal DIDs, persons and companies for entity records with JSONB raw data, employment for person-company edges, decision_trace for immutable audit trails, and provenance_vcs for hash-based provenance records.

Yes. POST /v2/identity/resolve accepts identifiers and returns the Universal DID and Golden Record DID. POST /v2/contact/enrich-by-id/single expands an existing contact by its Universal DID. Both endpoints cost 1 credit per hit.

Unify Your Customer Identities

POST to /v2/identity/resolve with an email or LinkedIn URL to see deterministic DIDs in action. 1 credit per resolution.

Start Resolving Contact Sales