Sphereon
Identity SDK
Build Verifiable Credential and Digital Identity applications with our open-source developer kit.
The Sphereon IDK (Identity Developer Kit) is our open-source SDK for teams building issuers, verifiers, and wallet-integrations. It supports multiple identifier types and DID methods, several credential formats, and modern issuance and verification flows in a modular architecture.
IDK runs across web, mobile (native and React Native), and Node.js. Use it as an embedded library, or expose selected capabilities through your own REST layer when you need an API surface.
Looking for enterprise-grade persistence, multi-tenancy, and managed key integration? See Sphereon EDK (Enterprise Development Kit).
Sphereon IDK
Sphereon IDK is built on open ISO/W3C standards for Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). It helps you implement interoperable credential flows and connect them to existing IAM and business applications using OpenID-based credential protocols.
- Typescript/ Kotlin Multiplatform Libraries
- Modular packages (only include what you use)
- Multiple DID methods and identifier types
- Multiple issuance and verification methods
- Designed for Node.js agents, issuer services, verifier services, and mobile/web apps
- Open Source (Apache 2.0)
Best for: R&D and product teams who want full control of the underlying protocols and cryptography, are building single-tenant solutions (or their own tenancy model), and need low-level integration flexibility.
Technical specifications:
1) Key management and secure signing
- Remote signing architecture: hashes payloads locally and sends only the hash to a secure key system for signing; private keys never leave the secure vault.
- Native integrations: Azure Key Vault (create/sign/rotate), AWS KMS (AWS-managed keys and CMKs), Google Cloud KMS, HashiCorp Vault.
- Key lifecycle automation: rotation policies and versioning without breaking verification (KID/DID versioning).
2) DID (Decentralized Identifier) management
- Lifecycle operations: Create, Resolve (Read), Update, Deactivate.
- Supported DID methods: did:key, did:web, did:jwk, and ledger-based support for did:ethr (Ethereum).
- DID document handling: parsing and validation of W3C-compliant DID Documents; management of verification methods (keys) and service endpoints.
3) Credential formats and standards
- W3C data models: JWT-VC and JSON-LD credentials.
- IETF selective disclosure: SD-JWT (privacy-preserving credentials; relevant for eIDAS 2.0 style requirements).
- ISO mobile documents: ISO/IEC 18013-5 (mDL) and mdoc/CBOR handling for mobile wallet encodings.
4) Exchange protocols (issuance and presentation)
- OID4VCI (issuance): Code Flow and Pre-Authorized Code Flow.
- OID4VP (presentation): request and verification of credentials via OpenID Connect.
- SIOPv2: Self-Issued OpenID Provider v2 for wallet login.
- OID4VP + DCQL: supports DCQL (Data and Claims Query Language) to express which credentials/claims a verifier requires.
- DIF Presentation Exchange (optional legacy/backward compatibility): definition generation (complex queries) and submission handling (filter/select credentials that match a request).
5) Cryptography and security
- Signature suites: ES256 (P-256), EdDSA (Ed25519), Secp256k1; plus advanced BBS+ / BLS enabling ZKP-style capabilities and selective disclosure for JSON-LD.
- Encryption: JWE (JSON Web Encryption).
- Key operations: JWK generation; conversion between PEM/Hex/JWK; interfaces for local software keystores.
6) Utility and interoperability
- Trust management: X.509 certificate chain handling and integration with Trusted Service Lists (TSL) for issuer legitimacy verification.
- Discovery: generation and parsing of .well-known/did-configuration and openid-configuration.
- Data persistence interfaces: generic interfaces to plug into databases (SQL, Mongo, Redis) for storing credential and DID state.