Buterin proposes ZK credits for AI calls

Ethereum Foundation researcher Davide Crapis and Ethereum co-founder Vitalik Buterin outlined a system that would let people pay for AI API usage without tying every request to an email, card, or wallet. The design uses zero-knowledge proofs and rate-limiting cryptography so a user can deposit once, make many private calls, and still face penalties for abuse.
Most internet services still meter access the same way they did years ago: you log in, you attach a payment method, and every request is tied back to a persistent identity. That’s annoying for regular APIs. For AI, it’s worse, because prompts often contain private work, health details, legal drafts, or internal business context. Even if the content is protected, the metadata can still paint a pretty clear picture of who you are and what you do.
The other obvious approach, paying on-chain for every request, flips the problem. Payment is enforced, but it’s slow, expensive, and publicly traceable. Instead of leaking identity through accounts, you leak behavior through a transaction trail.
A new research post proposes a third path: replace identity with stake. The basic idea is simple. A user makes a one-time deposit into a smart contract, then spends down that balance through many API calls that remain unlinkable. A provider gets paid and gets spam protection, but can’t reliably connect one request to the next.
Here’s the rough flow. The user generates a secret key, commits to it on-chain through the deposit, and then uses zero-knowledge proofs to show two things on each request: they are a valid depositor, and they still have enough remaining “credit” to cover the maximum cost of the next call. The anti-spam piece comes from rate-limit nullifiers: each request includes a cryptographic “ticket” that can only be used once. If the same ticket is reused for different requests, the system can mathematically reveal the user’s key and trigger slashing.
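Why reusing a ticket exposes the key, as an added example that is not code from the research post: each request publishes one point on a line whose intercept is the secret key, so one point reveals nothing but two points under the same nullifier let anyone solve for it. It assumes the usual rate-limit-nullifier construction (a degree-1 secret-sharing line), uses SHA-256 in place of a circuit-friendly hash, and omits the zero-knowledge proof that the point was formed honestly; `make_request`, `Provider` and `demo` are hypothetical names.

```python
import hashlib
import secrets

# Prime field modulus (BN254 scalar field, a common choice for ZK circuits; assumed here).
P = 21888242871839275222246405745257275088548364400416034343698204186575808495617

def h(*parts) -> int:
    """Hash to a field element. SHA-256 stands in for a circuit-friendly hash."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def make_request(secret_key: int, ticket_index: int, message: bytes) -> dict:
    """Client side: emit one point on the line y = sk + a1*x for this ticket."""
    a1 = h("slope", secret_key, ticket_index)  # per-ticket slope, known only to the client
    x = h("msg", message)                      # binds the point to the request content
    y = (secret_key + a1 * x) % P
    return {"nullifier": h("nullifier", a1), "x": x, "y": y}

class Provider:
    """Provider side: keep the first point seen per nullifier and detect reuse."""
    def __init__(self):
        self.seen = {}

    def accept(self, req: dict):
        """Return None for a fresh ticket or an identical replay, else the recovered key."""
        x1, y1 = self.seen.setdefault(req["nullifier"], (req["x"], req["y"]))
        x2, y2 = req["x"], req["y"]
        if x1 == x2:
            return None
        # Two distinct points on one line: solve for the slope, then the intercept.
        slope = (y2 - y1) * pow(x2 - x1, -1, P) % P
        return (y1 - slope * x1) % P

def demo():
    sk = secrets.randbelow(P)  # constructed sample key
    provider = Provider()
    honest = [provider.accept(make_request(sk, i, b"prompt %d" % i)) for i in range(3)]
    cheat = provider.accept(make_request(sk, 0, b"a different prompt"))  # ticket 0 reused
    return sk, honest, cheat

if __name__ == "__main__":
    sk, honest, cheat = demo()
    print("honest requests leak:", honest)
    print("reused ticket reveals key:", cheat == sk)
```

The recovered key is what a slashing claim would present on-chain; requests that each use a fresh ticket share no nullifier, which is also why the provider cannot link them.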
Because AI inference costs can vary, the proposal also sketches a refund mechanism. The user pre-pays a maximum price per call, and after the request is served, the provider issues a signed refund ticket for the unused portion. Those refund tickets stay private on the client side and can be aggregated to unlock additional capacity.
The more interesting enforcement idea is a dual-stake model. One part of the deposit can be claimed if double-spending is proven. A separate “policy stake” can be burned (not paid to the provider) if a request violates usage rules, with the slashing event recorded on-chain for public auditing. The goal is to enforce terms-of-service without giving providers a direct financial incentive to falsely accuse users.
The proposal is still early, and the thread itself raises practical questions, including what privacy leaks might remain through timing and billing metadata. But the direction lines up with a broader push toward privacy-preserving rails for AI agents and other high-frequency services, from LLM inference to RPC endpoints and other metered infrastructure.