Scan once.
Consent once.
Authorize everywhere.
DIAP is the consent router between talent and every studio, platform, and AI pipeline in the world. Here's how the entire system works — from capture to authorization to the open ecosystem.
DIAP is infrastructure, not a capture device
Studios bring their own scanners. Talent brings their identity. DIAP sits in the middle and makes consent enforceable.
DIAP doesn't capture faces, record voices, or train models. That's the whole point — the protocol exists because other people are doing that without consent.
Instead, DIAP stores consent rules and mathematical references (one-way embeddings that can verify identity but can't reconstruct it). The database holds math, not faces. If someone breaches the vault, they get hashes that are useless without the original source material.
Studios use their own capture equipment. Talent registers once. Every studio in the world checks with DIAP before using anything. The talent never sits for the same scan twice.
End-to-End Flow
Studio, agency, or self-service — any DIAP-Certified tool captures identity data (face, voice, motion). Raw data stays with the capture source.
The certified tool converts raw data into standardized one-way embeddings — mathematical fingerprints that verify identity but can't reconstruct the original.
Embeddings are submitted to the talent's Identity Vault on DIAP. Raw captures are discarded after extraction. The vault holds math, not biometrics.
The talent (or their agent) sets two-layer consent: Layer 1 controls who can even see they exist in the registry. Layer 2 controls per-project usage rights.
When a studio wants to use a talent's identity, they request a License Token from DIAP. DIAP checks consent and either grants or denies — scoped, time-limited, auditable.
After rendering, the studio submits a Render Receipt — cryptographic proof of what was produced, under what authorization. The audit trail is complete.
Three paths into the Identity Vault
Whether the talent is already registered, has an agent, or has never heard of DIAP — the system handles every scenario.
The simplest case. The actor already registered on the DIAP platform. They have a DIAP ID. The studio knows this because they checked before production, or the talent's agent provided it on the call sheet.
POST /api/v1/identity/anchor/submit with the talent's DIAP ID
The talent is always in control. The studio cannot dump data into someone's vault without explicit approval.
Three ways to register identity
Quality varies. Consent model is identical. Every tier produces standardized DIAP embeddings.
Self-Service
Phone camera + mic
Enough to establish identity anchors and start managing consent. Upgraded when working with certified tools later.
Agency-Assisted
DIAP-Certified capture station
Agencies set up certified stations for their roster — a competitive advantage. "All our talent are DIAP-registered."
Studio-Captured
LiDAR, photogrammetry, voice booth
Captures happen during production anyway. DIAP standardizes the output and routes it to the talent's vault.
The manager and agent model
Built for how the entertainment industry actually works. Agents manage. Talent retains ultimate control.
The kill switch never gets delegated.
An agent can manage everything day-to-day — approvals, visibility, licensing — but only the talent themselves can revoke all consent and delete their identity data. This is a non-negotiable trust principle. No contract, no power of attorney, no corporate structure can override it.
Who pays for what
DIAP doesn't charge for scanning — it charges for authorization. The capture tools are a commodity layer. The consent layer is DIAP's value.
Studios already pay for face scans, voice recordings, and motion capture as part of production. DIAP doesn't add a new cost — it standardizes the output format and routes the embeddings to the talent's vault instead of the studio's proprietary database.
No studio can feel like a free-rider because nobody "uses the scan." Everyone uses DIAP's authorization layer, and everyone pays for that access equally. The scan is the talent's property. The authorization is DIAP's service.
DIAP provides the reference app. Anyone can build on top.
If DIAP is the only app, the ecosystem can't grow faster than one engineering team. The protocol must be open.
Think of it like email. Gmail is Google's email app, but Outlook, Apple Mail, and Thunderbird all access email through the same protocols. Google doesn't block them. The protocol is what matters, not the app.
DIAP provides the reference web platform and the API. Anyone can build a client on top — talent agencies, unions, studios, independent developers. The data stays in DIAP's vault. The consent logic follows DIAP's rules. But the interface can be anything.
Talent Agencies
"CAA Identity Manager"
A branded app where agents manage their entire roster's consent through their own interface. All data lives in DIAP's vault.
Unions & Guilds
SAG-AFTRA Member Portal
Members manage DIAP consent alongside union contracts. The union app calls DIAP's API — they don't rebuild the consent engine.
Studios & Production
ShotGrid / ftrack integration
DIAP checks embedded into production software. When a VFX supervisor starts a shot, the system auto-verifies the License Token.
Independent Developers
Mobile-first talent app
Better UX, social features, portfolio display — specialized for indie creators. Connected to DIAP's vault through the API.
What a third-party app needs
From DIAP (we provide)
- Developer account & API credentials
- SDK & API documentation
- OAuth/OpenID Connect integration
- DIAP certification (for sensitive operations)
What they can't do
- Store embeddings or identity data locally
- Bypass the consent model
- Issue their own tokens or receipts
- Access the kill switch on behalf of talent
How the open ecosystem stays secure
Security comes from controlling the protocol layer, not the app layer.
OAuth/OpenID Connect authentication
Talent logs in through DIAP's identity provider. Third-party apps get a scoped access token, never the user's credentials. Talent can revoke any app's access instantly.
Scoped API permissions
Developers declare what permissions they need (read profile, manage consent, submit anchors). Talent grants scopes per app. A status-check app doesn't get consent management access.
Certification tiers
Read-only apps need minimal registration. Talent management apps require full security audits. Capture tools need additional embedding-quality audits. The trust requirements scale with the risk.
Complete audit trail
Every API call from every third-party app is logged. Talent sees which app did what, when. If an app misbehaves, DIAP revokes its credentials instantly across all users.
No data residency in third-party apps
The golden rule. Apps can display identity data but must never cache or store it beyond the current session. Identity data lives in DIAP's vault — period.
Three types of tools that build on DIAP
From face scanners to AI pipelines to entirely new identity modules — the protocol is extensible.
Type 1 — Capture Tools
Face scanners, voice recorders, motion capture rigs — the front-end devices that create initial biometric data. They're not part of DIAP itself; they're certified integrations.
Type 2 — Rendering & Generation Tools
The AI pipelines that actually use identity data — deepfake generators, voice synthesizers, motion retargeting systems, script derivative engines.
Type 3 — Custom Modules
DIAP defines identity modules for voice, face, expression, motion, and script. But the protocol is extensible — hand geometry, gait patterns, dental records for forensic VFX, or any new asset type can be proposed and certified.
Like USB — anyone can make a device, but it has to follow the spec to work with the ecosystem.
Costs for building on DIAP
Talent is always free. Developers pay proportional to the value they extract.
A small indie developer building a portfolio app for talent pays almost nothing — low API volume. Adobe integrating DIAP into their enterprise pipeline pays significantly more — high API volume plus enterprise certification.
The pricing scales with value extracted, not with the number of apps. This is the same model that turned Stripe into a $95B company — they didn't build every checkout page themselves. They built the payment infrastructure and let a million developers build on top.
What lives inside the Identity Vault
The vault stores math, not faces. Multiple anchors per module, quality upgrades over time.
Every use is logged — even within an existing authorization
Studios don't re-request for every session within an approved scope. But every single use — especially AI modifications — is tracked and visible to the talent.
When a studio gets a License Token for a talent's voice on a project, they can work freely within that scope — recording sessions, AI-assisted line adjustments, quality fixes — without interrupting production with repeated requests. But DIAP logs every interaction separately.
One token. Multiple Render Receipts. Full transparency on every use.
AI Modification Flags
When AI is involved in modifying previously-authorized content, the Render Receipt captures exactly what happened — so the talent sees not just that their voice was used again, but how.
Requires new License Token
- Different project or episode
- Different rights (render → training)
- Token expired
- Talent revoked consent
- Different identity module
No new request needed (still logged)
- Same project, same scope, same rights
- AI modification of authorized content
- Multiple sessions within token validity
- Quality adjustments on same deliverable
Three mechanisms that make compliance the only rational choice
No system can put a camera inside every render farm. But DIAP makes non-compliance extremely risky and highly detectable.
Mechanism 1 — Render Receipts
Mandatory, after every render
The primary enforcement tool. Studios must submit a Render Receipt when producing output using a talent's identity. This is a contractual and technical requirement of being DIAP-Certified. DIAP validates that the token is still valid, that the scope matches, and that the time window is respected, then logs everything to the talent's audit trail.
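The receipt checks under Mechanism 1, combined with the rules above for when a new License Token is required, as an added example (not DIAP's own code). The token and receipt fields, the reason strings and the sample values are assumptions, since the page does not publish a wire format.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical shapes: every field name is an assumption, not DIAP's format.
@dataclass(frozen=True)
class LicenseToken:
    token_id: str
    project: str
    module: str            # voice, face, expression, motion or script
    rights: frozenset      # e.g. {"render"}
    not_before: datetime
    expires: datetime
    revoked: bool = False

@dataclass(frozen=True)
class RenderReceipt:
    token_id: str
    project: str
    module: str
    right: str
    rendered_at: datetime
    ai_modified: bool = False  # recorded on the receipt; needs no new request

def check_receipt(token, receipt):
    """Return the reasons a receipt falls outside its token (empty = covered)."""
    in_window = token.not_before <= receipt.rendered_at < token.expires
    checks = [
        (receipt.token_id != token.token_id, "unknown token"),
        (token.revoked, "talent revoked consent"),
        (not in_window, "token expired or not yet valid"),
        (receipt.project != token.project, "different project or episode"),
        (receipt.module != token.module, "different identity module"),
        (receipt.right not in token.rights, "different rights"),
    ]
    return [reason for failed, reason in checks if failed]

def audit_entry(token, receipt):
    """Every use is logged, covered or not, with the AI modification flag."""
    reasons = check_receipt(token, receipt)
    return {"token": receipt.token_id, "at": receipt.rendered_at.isoformat(),
            "covered": not reasons, "ai_modified": receipt.ai_modified,
            "reasons": reasons}

# Constructed sample data, not taken from any real DIAP deployment.
def day(d):
    return datetime(2025, 1, d, tzinfo=timezone.utc)
TOKEN = LicenseToken("tok-1", "film-a", "voice", frozenset({"render"}), day(1), day(8))
AI_FIX = RenderReceipt("tok-1", "film-a", "voice", "render", day(3), ai_modified=True)
TRAINING = RenderReceipt("tok-1", "film-b", "voice", "training", day(9))
```

AI_FIX is covered by the existing token and still produces an audit entry with the AI flag set; TRAINING fails on time window, project and rights, so it needs a new License Token.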
Mechanism 2 — Token Heartbeat & Scoped Expiry
Real-time monitoring during active sessions
License Tokens are short-lived and scope-locked. Studios must refresh them periodically. Active rendering sessions send heartbeat pings. If heartbeats stop but no Render Receipt is submitted — that's a compliance flag.
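One way to detect the compliance flag described above, as an added example rather than DIAP's implementation. The event line format, the session names and the 120-second grace period are assumptions.

```python
# Constructed event log; the "<epoch-seconds> <session> <event>" line format
# is an assumption for illustration, not DIAP's wire format.
EVENTS = """\
1000 sess-a heartbeat
1060 sess-a heartbeat
1090 sess-a receipt
1000 sess-b heartbeat
1060 sess-b heartbeat
1500 sess-c heartbeat
1000 sess-d receipt
"""

def compliance_flags(log, now, grace=120):
    """Flag sessions whose heartbeats stopped with no Render Receipt after them."""
    last_beat, last_receipt = {}, {}
    for line in log.splitlines():
        parts = line.split()
        # Skip malformed lines and event types this check does not know.
        if len(parts) != 3 or parts[2] not in ("heartbeat", "receipt"):
            continue
        ts, session, event = int(parts[0]), parts[1], parts[2]
        seen = last_beat if event == "heartbeat" else last_receipt
        seen[session] = max(ts, seen.get(session, ts))
    flags = []
    for session, beat in sorted(last_beat.items()):
        silent = now - beat > grace                       # heartbeats stopped
        closed = last_receipt.get(session, -1) >= beat    # receipt closed the session
        if silent and not closed:
            flags.append(session)
    return flags
```

A session that is still inside the grace period is not flagged, so the threshold has to be longer than the heartbeat interval the studio is required to keep.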
Mechanism 3 — Watermark Verification
Passive, ongoing, anyone can check
Every output rendered under DIAP authorization includes dual-layer watermarks: a pixel-level steganographic payload (invisible to the eye) and an ultrasonic audio frequency fingerprint (inaudible at 18–20.5 kHz). Each asset gets a unique Sound ID. When content appears anywhere — streaming platforms, social media, advertisements — anyone can verify it through either channel.
Linked to active token and matching receipt → Authorized ✓
Token no longer valid → Flagged for review ⚠️
Content using identity without DIAP authorization → Unauthorized ✗
The honest gap — and why compliance is still rational
No system can track what happens on hardware you don't control. If a studio renders frames internally and never submits a Render Receipt, DIAP doesn't see it in real-time. But the enforcement mechanisms make non-compliance extremely risky:
Periodic audits compare studio rendering logs with DIAP receipt records. Gaps are violations.
Unauthorized content without valid watermarks (pixel or audio frequency) is detectable by anyone running verification.
No refresh call = no active authorization. Any output is unauthorized by definition.
Distributors and streamers can require DIAP verification before accepting content.
Same model as financial auditing — you make the consequences severe and detection likely enough that compliance is the rational choice.
The protocol is the product.
DIAP doesn't capture your face. It doesn't train on your voice. It doesn't build the tools. It makes sure everyone who does has to ask first — and prove they did.
Digital Identity Authorization Protocol · How It Works