ARCHITECT HUB
Credential infrastructure for engineering teams
Integrate decentralized identity and verifiable credentials into your stack on your terms. Choose between fully managed SaaS APIs, self-hosted enterprise containers, or low-level cryptographic SDKs.
The deployment matrix: build vs. buy.
Select the integration model that aligns with your security, performance, and data sovereignty requirements, ranging from managed SaaS to core identity primitives.
The following matrix compares the technical trade-offs across our vdx, edk, and idk deployment paths.
| Capability | Sphereon VDX (Managed SaaS) | Sphereon EDK (Self-Hosted Containers) | Sphereon IDK (Core SDK Libraries) |
|---|---|---|---|
| Best for | Rapid integration, zero-maintenance | Strict data sovereignty, on-prem | Custom identity products, deep integrations |
| Hosting | Managed SaaS, Private Cloud, or On-Prem | Self-managed: Cloud, On-Prem, or In-process (Monolith/Mobile) | Native: JVM, iOS, Android, JS, WASM, or Linux binary |
| Time to market | Days | Weeks | Months |
| Integration interface | REST APIs, Webhooks, OIDC | Local (in-process), HTTP RPC, gRPC, REST APIs | Kotlin Multiplatform native libraries (JVM, iOS, Android, JS, WASM) |
| Maintenance load | None | Medium | High |
Technical specifications and documentation.
Review protocol support, hosting requirements, and integration patterns. These deep dives provide the technical context needed to transition from high-level architecture to implementation.
Sphereon VDX
(Managed Verification Layer)
A deployment-agnostic managed service that acts as a secure bridge between standards-based wallets and your enterprise backend. We handle the cryptographic heavy lifting and protocol updates so you can focus on business logic.
- Infrastructure: Managed SaaS, Private Cloud, or On-Premise.
- Integration methods: REST APIs, Webhooks, OIDC Bridge.
- Key management: Managed KMS with automated rotation and high availability.
- Compliance: Designed to meet NIS2 technical evidence requirements for auditable outcomes.
Explore the API
Review endpoint structures and authentication methods to see how the vdx interface remains consistent across all hosting environments.
Sphereon EDK
(Enterprise Development Kit)
The edk adds the production-grade infrastructure required for enterprise deployments, including Zero-Trust authorization (AuthZEN) and identity verification workflows.
- Deployment modes: Mobile App, Monolith, Microservices, or vdx Integration.
- Transport: Location-transparent command execution via Local, HTTP RPC, or gRPC.
- Persistence: Multi-tenant routing for PostgreSQL, MySQL, and SQLite.
- Extensions: Includes eIDAS digital signatures and physical access control integration.
Review deployment specs
Access container registry details, AuthZEN policy configurations, and Spring Boot auto-configuration guides.
Sphereon IDK
(Identity Development Kit)
The open-source foundation providing essential identity primitives: cryptography, DIDs, and verifiable credentials. Built on Kotlin Multiplatform for native performance across all environments.
- Platforms: JVM, iOS, Android, JS, WASM, and Linux.
- Core Protocols: OID4VP, SD-JWT, and standard DID resolution.
- Architecture: Uses Metro DI for dependency injection and a transport-transparent command lifecycle.
- License: Open Source (Apache 2.0).
Access the libraries
Dig into the SDKs. Review the class structures and multiplatform implementation guides for Kotlin and TypeScript engineers.
Security and trust foundation
Zero-trust authorization
Every command is evaluated against external policy decision points using the AuthZEN specification. We support Cedar and OPA to ensure business logic remains separate from access control.
Auditable compliance
Structured audit logging includes automatic sensitive data redaction and tamper evidence via hash chaining. Every decision is recorded with full session context and trace IDs.
Secret management
Integrated with AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault. Secrets are resolved at runtime via secure interpolation and never stored in plaintext.
Next steps for your architecture
Every enterprise stack has its own set of constraints. If you have specific questions about transport-transparent commands, database routing, AuthZEN implementation, or anything else, our engineering team is available for technical peer reviews to help you map out the right integration path.