# Sphereon Documentation

IDK, EDK, VDX, Kiwa eLicense, and eduID Wallet Matching Portal.

## Start Here

- [Introduction](/idk/introduction.md): Introduction to the Identity Development Kit
- [Architecture](/idk/architecture.md): Command-based architecture, service aggregation, and contracts
- [Sdk installation](/kiwa/v0.6/guides/installation.md): eLicense Sdk installation instructions
- [Platform Setup](/idk/guides/platform-setup.md): Platform-specific configuration for Android, iOS, JVM, and JavaScript

## Concepts and Models

- [Identity Model](/idk/guides/identity/overview.md): Overview of the IDK identity framework covering verification, matching, resolution, reconciliation, and how they integrate with DIDs, trust, and identifier resolution

### Digital Credentials

- [Credential Design](/edk/guides/credential-design/overview.md): How a developer uses the EDK credential design service, what changes versus the IDK base, and what each EDK module is for
- [SD-JWT](/idk/v0.13/guides/sdjwt/overview.md): Understanding Selective Disclosure JWT in the IDK
- [Mobile Credentials](/idk/v0.13/guides/mdoc/overview.md): Introduction to ISO/IEC 18013-5 mobile credentials

### Identity, Trust, and Identifiers

- [Decentralized Identifiers](/edk/v0.13/guides/did/overview.md): DID management REST APIs in the EDK
- [Trust Establishment](/idk/v0.13/guides/trust/overview.md): Understanding trust validation in the IDK
- [Identifier Resolution](/idk/v0.13/guides/crypto/identifier-resolution.md): Resolve cryptographic identifiers to keys and certificates

### Protocols

- [OpenID4VP](/edk/v0.13/guides/oid4vp/overview.md): OpenID for Verifiable Presentations - verifying credentials from digital wallets
- [OpenID4VCI](/edk/guides/oid4vci/overview.md): How the EDK extends the IDK OpenID4VCI issuer with a multi-phase attribute pipeline, pluggable attribute sources, deferred and approved issuance, async-callback ingress, and tenant-aware paths

### mDoc Concepts

- [Engagement](/idk/v0.10/guides/mdoc/engagement/intro.md): Currently, the Mdoc SDK supports the following device engagement methods:
- [Request and Response](/idk/v0.13/guides/mdoc/transfer/request-response.md): Understanding mDoc DeviceRequest and DeviceResponse structures
- [Session Transcript](/idk/v0.13/guides/mdoc/transfer/session-transcript.md): Understanding cryptographic session binding in mDoc
- [Party Models](/idk/v0.13/guides/data-store/party-management.md): Data models for parties, identities, and tenants in the IDK

## Technical Guides

### Runtime and Dependency Injection

- [Injection Scopes](/idk/v0.10/guides/di/scopes.md): This document explains the three dependency injection (DI) scopes used across the Identity Development Kit (IDK) core libraries and the solutions that build on top of the SDK:
- [App component setup](/idk/v0.10/guides/di/app-setup.md): Please read the scopes documentation first to grasp the 3 scopes being used in the IDK.
- [Extending the DI Graph](/idk/guides/di/extending-di.md): How to extend the IDK dependency injection graph with custom services using Metro

### Core Infrastructure

- [Events System](/idk/v0.13/guides/core/events.md): Core event broadcasting, filtering, and subscription in the IDK
- [CBOR](/idk/guides/cbor.md): CBOR encoding, decoding, and builder DSL

#### Configuration

- [Configuration](/idk/v0.13/guides/config/configuration.md): Using the ConfigService to read and write configuration in your application
- [Configuration Providers](/idk/v0.13/guides/config/providers.md): Available configuration providers and how to enable, disable, and configure them
- [Property Resolution Pipeline](/idk/v0.13/guides/config/property-resolution.md): Understanding the IDK property resolution pipeline and value interpolation
- [Secret Management](/edk/guides/config/secrets.md): Configuring AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault providers in the EDK
- [Multi-Tenancy](/idk/v0.13/guides/config/multi-tenancy.md): Implementing multi-tenant applications with the IDK

#### Logging

- [Logging](/idk/guides/core/logging/overview.md): Structured, scope-aware logging in the IDK
- [Scoped Loggers](/idk/guides/core/logging/scoped-loggers.md): Using app, user context, and session loggers with proper scope isolation
- [Logging Configuration](/idk/guides/core/logging/configuration.md): Configuring log levels, policies, output formats, and providers

### Cryptography and Keys

- [Key Management](/idk/v0.13/guides/crypto/key-management.md): Managing cryptographic keys with the KeyManagerService
- [KMS Providers](/idk/v0.13/guides/crypto/kms-providers.md): Configuring key management system providers
- [Signing and Verification](/idk/v0.13/guides/crypto/signing-verification.md): Creating and verifying cryptographic signatures
- [JOSE and COSE Operations](/idk/v0.13/guides/crypto/cose-jose.md): Working with JOSE and COSE cryptographic message formats

### DIDs and Trust

- [DID Resolution](/idk/v0.13/guides/did/resolution.md): Resolving and querying DIDs
- [DID Management](/idk/v0.13/guides/did/management.md): Creating and managing DIDs
- [ETSI Trust Lists](/idk/v0.13/guides/trust/etsi-trust-lists.md): Working with ETSI TS 119 612 trust service lists
- [Certificate Validation](/idk/v0.13/guides/trust/certificate-validation.md): X.509 certificate chain validation in the IDK
- [OpenID Federation Trust](/idk/guides/trust/openid-federation.md): Trust chain resolution and verification for OpenID Federation entities
- [DID-Based Trust](/idk/guides/trust/did-trust.md): Trust validation for Decentralized Identifiers

### Credential Implementation

#### Credential Design

- [Working with Designs](/idk/guides/credential-design/designs.md): Creating and managing credential, issuer, and verifier designs in the IDK
- [Resolution and Import](/idk/guides/credential-design/resolution.md): Resolving credential designs from multiple sources and importing external metadata

#### SD-JWT

- [SD-JWT Issuance](/idk/v0.13/guides/sdjwt/issuance.md): Creating SD-JWT credentials with the IDK
- [SD-JWT Presentation](/idk/v0.13/guides/sdjwt/presentation.md): Presenting and verifying SD-JWT credentials with the IDK

#### mDoc Engagement

- [Engagement Manager](/idk/v0.13/guides/mdoc/engagement/engagement-manager.md): Using MdocEngagementManager to create and manage mDoc sessions
- [Engagement and Retrieval](/idk/v0.10/guides/mdoc/engagement/engagement-retrieval.md): Overview
- [Event and UI handling](/idk/v0.10/guides/mdoc/engagement/events-ui.md): Event handling and UI projection

#### mDoc Data Transfer

- [Transfer Manager](/idk/v0.13/guides/mdoc/transfer/transfer-manager.md): Managing mDoc data transfer with TransferManager

#### mDoc Transports

- [BLE Transport](/idk/v0.13/guides/mdoc/transports/ble.md): Bluetooth Low Energy transport for mDoc transfer
- [NFC Transport](/idk/v0.13/guides/mdoc/transports/nfc.md): Near Field Communication transport for mDoc transfer
- [HTTP/WebSocket Transport](/idk/v0.13/guides/mdoc/transports/http-websocket.md): HTTP and WebSocket transport for remote mDoc transfer

### OAuth 2.0 and OpenID

#### OAuth 2.0

- [OAuth 2.0 Client](/idk/v0.13/guides/oauth2/client.md): Using the IDK OAuth 2.0 client for authorization flows
- [Authorization Server](/idk/v0.13/guides/oauth2/authorization-server.md): Building OAuth 2.0 authorization servers with the IDK
- [DPoP and PKCE](/idk/v0.13/guides/oauth2/dpop-pkce.md): Using DPoP and PKCE for enhanced OAuth 2.0 security
- [JWT Validation](/idk/v0.13/guides/oauth2/jwt-validation.md): Validating JWT access tokens in IDK applications

#### OpenID4VP

- [OID4VP Holder](/idk/v0.13/guides/oid4vp/holder.md): Implementing wallet holder functionality for OID4VP presentations
- [OID4VP Verifier](/idk/v0.13/guides/oid4vp/verifier.md): Implementing relying party verification for OID4VP
- [Universal OID4VP](/idk/v0.13/guides/oid4vp/universal.md): Backend-focused OID4VP API for web applications and services
- [DCQL Queries](/idk/v0.13/guides/oid4vp/dcql.md): Using Digital Credentials Query Language for credential requests

#### OpenID4VCI

- [OID4VCI Holder](/idk/guides/oid4vci/holder.md): Implementing wallet holder functionality for OID4VCI credential issuance
- [OID4VCI Issuer](/idk/guides/oid4vci/issuer.md): Implementing a credential issuer with OID4VCI in the IDK

### HTTP, Storage, and UI

- [HTTP Client](/idk/guides/http/http-client.md): Creating HTTP clients with TLS, mTLS, and per-host certificate routing
- [Ktor Server Integration](/idk/v0.13/guides/http/ktor.md): Integrate IDK services with Ktor server applications
- [Key-Value Store](/idk/v0.13/guides/data-store/key-value-store.md): Using the IDK key-value store for persistent data
- [Blob Store](/idk/guides/data-store/blob-store.md): Storing and retrieving binary data with the IDK blob storage abstraction
- [Theming & Branding](/idk/guides/theming.md): Configuring visual themes, design system palettes, and branded UI components across platforms

## Deployable Services

- [Service Overview](/idk/services/services-overview.md): Pre-built IDK services for common deployment scenarios
- [KMS REST API](/idk/services/services-kms.md): The KMS REST API service exposes the KeyManagerService over HTTP, turning every key management operation into a REST call. This is the service to use when mobile or browser clients need to delegate key operations to a server, for example when signing with a hardware-backed key that lives in AWS KMS or Azure Key Vault, or when a backend service needs a centralized key management layer.
- [OAuth2 Authorization Server](/idk/services/services-oauth2-as.md): The OAuth2 AS service provides a standards-compliant authorization server that you can embed in your Ktor application. It handles the protocol mechanics of OAuth2 and OpenID Connect while delegating authentication and consent to your application through the UserAuthenticationProvider and ConsentProvider interfaces. You provide the UI and the user database; the service takes care of the rest.
- [OID4VCI Issuer Service](/idk/services/services-oid4vci-issuer.md): The OID4VCI Issuer service implements the OpenID for Verifiable Credential Issuance specification. It handles the server-side protocol for issuing verifiable credentials to holder wallets. The service supports SD-JWT, mDoc (ISO 18013-5), and JWT VC JSON credential formats, multiple grant types (authorization code and pre-authorized code), deferred issuance for asynchronous workflows, and batch issuance for requesting multiple credentials in one round trip. In practice it exposes both holder-facing OID4VCI endpoints and a separate issuer-integration surface used by issuer backend apps and web apps to create and manage issuance flows.
- [OID4VCI Holder Service](/idk/services/services-oid4vci-holder.md): The OID4VCI Holder service provides wallet-side endpoints for acquiring credentials. It acts as a backend-for-frontend service: a mobile wallet or web wallet calls these endpoints to orchestrate the entire issuance flow without implementing the OID4VCI protocol directly. The service handles offer parsing, issuer metadata resolution, token exchange, proof creation, credential requests, and deferred polling.
- [OID4VP Verifier Service](/idk/services/services-oid4vp-verifier.md): The OID4VP Verifier service implements the verifier (relying party) side of OpenID for Verifiable Presentations. It handles both same-device and cross-device verification flows, supports DCQL queries and presentation definitions for specifying which credentials to request, and exposes two API surfaces for different callers: wallet-facing OID4VP endpoints and a verifier-facing Universal OID4VP adapter.
- [Ktor Integration](/idk/services/services-ktor.md): The KotlinInjectPlugin bridges IDK's Metro DI system with Ktor's request pipeline. It is not an application-level service in its own right, but the foundation that all other IDK HTTP services run on. Every IDK HTTP service depends on this plugin being installed.

## Examples and Reference

- [OID4VC Demo](/idk/examples/examples-overview.md): Example applications built with the IDK
- [Module Reference](/idk/guides/modules.md): Complete list of all IDK modules organized by domain
- [REST API Reference](/idk/rest-apis/identity-crypto/kms)
- [Kotlin API Reference](pathname:///idk/v0.25.0/api/index.html)
- [IDK FAQ](/idk/v0.10/guides/faq.md): General Questions

## REST APIs

### Cryptography & Signatures

- [Key Management](/vdx/rest-apis/identity-crypto/kms.md)
- [W3C DID](/vdx/rest-apis/identity-crypto/did.md)
- [W3C DID Hosting](/vdx/rest-apis/identity-crypto/did-hosting.md)

### Digital Credentials

- [Issuer (OID4VCI)](/idk/rest-apis/verifiable-credentials/oid4vci-issuer-session.md)
- [Verifier (OID4VP)](/idk/rest-apis/verifiable-credentials/oid4vp-universal.md)
- [Credential Query (DCQL)](/idk/rest-apis/verifiable-credentials/dcql.md)
- [Status List Hosting](/vdx/rest-apis/verifiable-credentials/statuslist-hosting.md)
- [All APIs (combined reference)](/idk/api)

## Guides

- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation
- [Sdk installation](/kiwa/v0.6/guides/installation.md): eLicense Sdk installation instructions

### Dependency Injection

- [Injection Scopes](/idk/v0.10/guides/di/scopes.md): This document explains the three dependency injection (DI) scopes used across the Identity Development Kit (IDK) core libraries and the solutions that build on top of the SDK:
- [App component setup](/idk/v0.10/guides/di/app-setup.md): Please read the scopes documentation first to grasp the 3 scopes being used in the IDK.
- [Amazon App Platform, Kotlin module structure, and Dependency Injection](/idk/v0.10/guides/di/amazon-app-platform.md): We use Amazon App Platform for Kotlin Gradle module structures and DI with kotlin-inject and kotlin-inject-anvil.

### Configuration

- [Configuration](/idk/v0.13/guides/config/configuration.md): Using the ConfigService to read and write configuration in your application
- [Configuration Providers](/idk/v0.13/guides/config/providers.md): Available configuration providers and how to enable, disable, and configure them
- [Property Resolution Pipeline](/idk/v0.13/guides/config/property-resolution.md): Understanding the IDK property resolution pipeline and value interpolation
- [Secret Management](/edk/guides/config/secrets.md): Configuring AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault providers in the EDK
- [Multi-Tenancy](/idk/v0.13/guides/config/multi-tenancy.md): Implementing multi-tenant applications with the IDK

### Core

- [Events System](/idk/v0.13/guides/core/events.md): Core event broadcasting, filtering, and subscription in the IDK

### Decentralized Identifiers

- [DID REST Services](/edk/v0.13/guides/did/overview.md): DID management REST APIs in the EDK
- [DID Resolution](/idk/v0.13/guides/did/resolution.md): Resolving and querying DIDs
- [DID Management](/idk/v0.13/guides/did/management.md): Creating and managing DIDs

### HTTP Server

- [Ktor Server Integration](/idk/v0.13/guides/http/ktor.md): Integrate IDK services with Ktor server applications

### Cryptography

- [Key Management](/idk/v0.13/guides/crypto/key-management.md): Managing cryptographic keys with the KeyManagerService
- [KMS Providers](/idk/v0.13/guides/crypto/kms-providers.md): Configuring key management system providers
- [Identifier Resolution](/idk/v0.13/guides/crypto/identifier-resolution.md): Resolve cryptographic identifiers to keys and certificates
- [Signing and Verification](/idk/v0.13/guides/crypto/signing-verification.md): Creating and verifying cryptographic signatures
- [JOSE and COSE Operations](/idk/v0.13/guides/crypto/cose-jose.md): Working with JOSE and COSE cryptographic message formats

### Mobile Credentials (mDoc)

- [Mobile Credentials Overview](/idk/v0.13/guides/mdoc/overview.md): Introduction to ISO/IEC 18013-5 mobile credentials

#### Engagement

- [intro](/idk/v0.10/guides/mdoc/engagement/intro.md): Currently, the Mdoc SDK supports the following device engagement methods:
- [Engagement Manager](/idk/v0.13/guides/mdoc/engagement/engagement-manager.md): Using MdocEngagementManager to create and manage mDoc sessions
- [Engagement and Retrieval](/idk/v0.10/guides/mdoc/engagement/engagement-retrieval.md): Overview
- [Event and UI handling](/idk/v0.10/guides/mdoc/engagement/events-ui.md): Event handling and UI projection

#### Data Transfer

- [Transfer Manager](/idk/v0.13/guides/mdoc/transfer/transfer-manager.md): Managing mDoc data transfer with TransferManager
- [Device Request and Response](/idk/v0.13/guides/mdoc/transfer/request-response.md): Understanding mDoc DeviceRequest and DeviceResponse structures
- [Session Transcript](/idk/v0.13/guides/mdoc/transfer/session-transcript.md): Understanding cryptographic session binding in mDoc

#### Transports

- [BLE Transport](/idk/v0.13/guides/mdoc/transports/ble.md): Bluetooth Low Energy transport for mDoc transfer
- [NFC Transport](/idk/v0.13/guides/mdoc/transports/nfc.md): Near Field Communication transport for mDoc transfer
- [HTTP/WebSocket Transport](/idk/v0.13/guides/mdoc/transports/http-websocket.md): HTTP and WebSocket transport for remote mDoc transfer

### OAuth 2.0

- [OAuth 2.0 Client](/idk/v0.13/guides/oauth2/client.md): Using the IDK OAuth 2.0 client for authorization flows
- [Authorization Server](/idk/v0.13/guides/oauth2/authorization-server.md): Building OAuth 2.0 authorization servers with the IDK
- [DPoP and PKCE](/idk/v0.13/guides/oauth2/dpop-pkce.md): Using DPoP and PKCE for enhanced OAuth 2.0 security
- [JWT Validation](/idk/v0.13/guides/oauth2/jwt-validation.md): Validating JWT access tokens in IDK applications

### OpenID4VP

- [OID4VP Overview](/edk/v0.13/guides/oid4vp/overview.md): OpenID for Verifiable Presentations - verifying credentials from digital wallets
- [OID4VP Holder](/idk/v0.13/guides/oid4vp/holder.md): Implementing wallet holder functionality for OID4VP presentations
- [OID4VP Verifier](/idk/v0.13/guides/oid4vp/verifier.md): Implementing relying party verification for OID4VP
- [Universal OID4VP](/idk/v0.13/guides/oid4vp/universal.md): Backend-focused OID4VP API for web applications and services
- [DCQL Queries](/idk/v0.13/guides/oid4vp/dcql.md): Using Digital Credentials Query Language for credential requests

### SD-JWT

- [SD-JWT Overview](/idk/v0.13/guides/sdjwt/overview.md): Understanding Selective Disclosure JWT in the IDK
- [SD-JWT Issuance](/idk/v0.13/guides/sdjwt/issuance.md): Creating SD-JWT credentials with the IDK
- [SD-JWT Presentation](/idk/v0.13/guides/sdjwt/presentation.md): Presenting and verifying SD-JWT credentials with the IDK

### Trust Validation

- [Trust Framework Overview](/idk/v0.13/guides/trust/overview.md): Understanding trust validation in the IDK
- [ETSI Trust Lists](/idk/v0.13/guides/trust/etsi-trust-lists.md): Working with ETSI TS 119 612 trust service lists
- [Certificate Validation](/idk/v0.13/guides/trust/certificate-validation.md): X.509 certificate chain validation in the IDK

### Data Storage

- [Key-Value Store](/idk/v0.13/guides/data-store/key-value-store.md): Using the IDK key-value store for persistent data
- [Party Data Models](/idk/v0.13/guides/data-store/party-management.md): Data models for parties, identities, and tenants in the IDK
- [IDK FAQ](/idk/v0.10/guides/faq.md): General Questions
- [Kotlin API Reference](pathname:///idk/v0.13/api/index.html)

## Start Here

- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation

## Concepts and Models

### Organization Structure

- [The Party Model](/edk/guides/party/overview.md): How the platform models everyone and everything in your world as parties, gives them identities and identifiers, and connects them with typed relationships, so one tenant can serve consumers, businesses, and agents at the same time.
- [Persons and Organizations](/edk/guides/party/persons-and-organizations.md): The party types in depth, how a party is extended with custom properties through specializations, multi-typing one record into several roles, the addresses and registrations that hang off a party, and how roles and attributes drive RBAC and ABAC.
- [Organization Units](/edk/guides/party/organization-units.md): How organization units give a tenant its internal structure through two distinct hierarchies, carry branding and terms that resolve by inheritance, and act as full parties in their own right.
- [Relationships](/edk/guides/party/relationships.md): Typed, directional relationships between any two parties, the same-entity link for personas of one real-world entity, and how relationship types become the basis for relationship-based access control.
- [Identities and Identifiers](/edk/guides/party/identities-and-identifiers.md): The decoupled identity layer on top of parties, identifiers for discovery and authentication, how identifiers are protected at rest, and how login resolves by identifier and application together.

### Semantic Model

- [Semantic Model Overview](/edk/guides/semantic-model-walkthrough/overview.md): Why an enterprise semantic model drives issuer designs and verifier DCQL instead of hand-authoring claims, and the catalog, profile, set, and channel layers behind it
- [Modeling Your World](/edk/guides/semantic-model-walkthrough/modeling-your-world.md): The party model, entities and relationships, governance overlays, wire-form derivation, version-pinning precedence, usage lineage, the license gate, and pagination
- [Provenance & Operations](/edk/guides/semantic-model-walkthrough/provenance-and-operations.md): How usage lineage answers cross-role provenance questions, how governance flows from catalog to issued claims and DCQL, versioning and pinning in practice, and the public API boundaries

### Tenant Model

- [Tenant Overview](/edk/guides/tenant/overview.md): How the EDK models tenants, how a request is matched to a tenant, how registration journeys work, and where the application tenant fits.
- [Application Tenant and Bootstrap](/edk/guides/tenant/application-tenant.md): The tenant that administers the deployment. Its hosted AS, the first-run setup bootstrap, the application admin API, license status, secret backend selection, and onboarding policy.
- [License, Quota, and Policy](/edk/guides/tenant/license-and-policy.md): How a license grants entitlements, the two quota kinds and per-command cost, the denial model, and the extension points that decide who may register a tenant.
- [Registration Journeys](/edk/guides/tenant/journeys.md): The tenant registration journeys plus the separate platform bootstrap. Admin direct creation, admin invite by email, public self-service signup, license gates, and the signup state machine.
- [Tenant Federation](/edk/guides/tenant/federation.md): How a tenant configures its identity provider after the owner is active. Platform-hosted IdP versus external OIDC federation, the IdP admin REST, write-only client secrets, and claims mapping.
- [Domains and Public Endpoints](/edk/guides/tenant/domains-and-endpoints.md): How a tenant binds to hostnames (platform subdomains, verified custom domains) and how it declares the per-service URLs its metadata advertises.
- [Tenant Model](/edk/guides/tenant/model.md): The tenant entity as it appears at the API surface. Slugs, the parent/child hierarchy, the status lifecycle, and system tenants.
- [Tenant Resolution](/edk/guides/tenant/resolution.md): The order in which an incoming request is matched to a tenant, the well-known URL forms, and the fail-closed rule that a service advertises only bound URLs.
- [Tenant Isolation](/edk/guides/tenant/isolation.md): How the EDK keeps one tenant's data, keys, and operations separate. Schema-per-tenant, row-level, and database-per-tenant isolation, per-tenant signing keys, encryption at rest, and admin scope.

### Licensing and Entitlements

- [Features](/edk/guides/concepts/features.md): The licensing primitive. A namespaced, versioned capability key with a declared value type, supported per deployment and enabled by the signed license.
- [Products and SKUs](/edk/guides/concepts/products-and-skus.md): How products bundle features into editions, and how a purchased edition becomes the resolved feature set carried in a signed license.
- [The Catalog](/edk/guides/concepts/feature-registry-and-product-catalog.md): The read-only view over the features and products a deployment supports, readable through the Platform Admin API.
- [Entitlement Resolution](/edk/guides/concepts/entitlement-resolution.md): How the resolver composes the effective entitlement set, decides each command, the twelve denial reasons, and why it is deny-overrides and fail-closed.
- [Per-tenant Subscriptions](/edk/guides/concepts/per-tenant-subscriptions.md): The optional per-tenant entitlement source that grants a tenant more than the platform baseline, always bounded by the signed license.

### Identity and Access

- [Authentication and Identity](/edk/guides/authentication/overview.md): JWT validation, identity verification, wallet authentication, and identity lifecycle management
- [Authorization](/edk/v0.13/guides/authorization/overview.md): Policy-based authorization with AuthZEN, Cedar, and OPA
- [Decentralized Identifiers](/edk/guides/identity/decentralized-identifiers/overview.md): How the EDK exposes DID lifecycle and DID resolution over REST, and how to choose between the standardized DIF Universal Registrar and the rich Sphereon DID manager API.

### Credentials and Trust

- [Digital Credentials](/edk/guides/digital-credentials/overview.md): How the EDK turns the IDK credential design SDK into a deployable multi-tenant service with SQL persistence, version snapshots, an HTTP API, an offline cache, and OCA bundle support
- [Credential Design](/edk/guides/credential-design/overview.md): How a developer uses the EDK credential design service, what changes versus the IDK base, and what each EDK module is for
- [OCA Bundles](/edk/guides/oca/overview.md): OCA bundle support in the EDK, parsing, processing, SAID verification, and integration with the credential design system
- [eIDAS Signatures](/edk/v0.13/guides/eidas/overview.md): EU-compliant digital signatures with CAdES, PAdES, JAdES, and XAdES support
- [Physical Access Control](/edk/guides/access-control/pronto.md): Physical access control integration with Simac Pronto V2 for visitor management, time-bounded access, and NFC card provisioning

## Walkthroughs

### Semantic Authoring Walkthrough

- [The Semantic Catalog (L1)](/edk/guides/semantic-model-walkthrough/catalog.md): Build the L1 semantic catalog, define PREDEFINED and SPECIALIZATION entities, first-class relationships with per-end cardinality, and OCA-grounded attribute anatomy, then publish and resolve it so every upstream layer can pin a stable version.
- [The Attribute Profile (L2)](/edk/guides/semantic-model-walkthrough/attribute-profile.md): Author the L2 Attribute Profile, a use-case binding that assembles catalog entities into named roles, selects relationships, and applies narrow-only overrides, over the REST API, then publish and resolve it.
- [The Attribute Set (L3)](/edk/guides/semantic-model-walkthrough/attribute-set.md): Author an L3 attribute set, a role-scoped traversal subselection of one published profile, with narrow-only overrides, then publish and resolve it via the REST API.
- [Channels (L4)](/edk/guides/semantic-model-walkthrough/credential-definitions.md): L4 is the channel-rendering layer (forms, portal pages, PDF documents, API payloads, and verifiable credentials). Author branding, two set-bound VC channels (SD-JWT and mdoc), and an OID4VCI issuance channel, and see how the set-bound channel is the role-neutral artifact that both issuer designs and verifier DCQL queries derive from.
- [Issuing](/edk/guides/semantic-model-walkthrough/issuing.md): Render issuer credential designs from set-bound VC channels, create a credential offer, and let a wallet obtain both credentials over OpenID4VCI
- [Verifying](/edk/guides/semantic-model-walkthrough/verifying.md): Author a multi-credential DCQL from the same set-bound VC channels the issuer used, create an OpenID4VP auth request, and read the verified claims a wallet presents

### Tenant Owner Activation

- [Owner Activation](/edk/guides/tenant/owner-activation.md): How the owner of a newly created tenant completes activation by redeeming a one-time invitation token through the public owner-redemption endpoint.

## Technical Guides

### Core Platform

#### Configuration

- [Configuration System Overview](/edk/v0.13/guides/config/overview.md): EDK configuration system architecture, auto-registration, and module overview
- [Cloud Configuration Providers](/edk/v0.13/guides/config/cloud-providers.md): Using REST and Azure App Configuration cloud providers in the EDK
- [Secret Management](/edk/guides/config/secrets.md): Configuring AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault providers in the EDK
- [Offline Configuration Cache](/edk/v0.13/guides/config/offline-cache.md): Using offline caching for network-resilient configuration in the EDK

#### Audit

- [Audit Logging](/edk/guides/audit/overview.md): Structured audit trails with sensitive data redaction, multiple output formats, and tamper evidence

#### Events and Shared Signals

- [Events System](/edk/v0.13/guides/events/overview.md): EDK event types, subsystems, and transmitter interfaces
- [Shared Signals (SSF)](/edk/guides/events/ssf.md): OpenID Shared Signals and Events for cross-domain security event exchange
- [Command Contracts](/edk/guides/contracts/overview.md): Why EDK attaches rich, app-scoped metadata to every service command, regulation, risk, inputs, outputs, and config in one place

### HTTP and Transport

- [HTTP & Transport](/edk/guides/http/overview.md): External REST APIs and internal command transport, monolith or microservice, same code
- [Universal HTTP Adapter](/edk/v0.13/guides/http/universal-adapter.md): Framework-agnostic HTTP adapter for building portable REST APIs
- [Command Transport](/edk/guides/http/command-transport.md): Dual HTTP RPC and gRPC transport for local and remote command execution
- [Telemetry & Observability](/edk/guides/http/telemetry.md): Distributed tracing, metrics collection, and log correlation with OpenTelemetry

### Authentication and Identity

- [JWT Validation](/edk/v0.13/guides/authentication/jwt-validation.md): Multi-IdP JWT validation for Ktor and Spring Boot
- [Identity Verification (IDV)](/edk/guides/authentication/idv.md): Composable graph-based identity verification workflows with pluggable method drivers
- [Identity Matching & Reconciliation](/edk/guides/authentication/matching-reconciliation.md): Privacy-preserving identity linking with HMAC hashing, LoA tracking, and policy-driven reconciliation
- [Identity Resolution](/edk/guides/authentication/identity-resolution.md): Pluggable resolver chain for mapping external identifiers to internal identity IDs
- [Auth Bridge](/edk/guides/authentication/auth-bridge.md): Bridge OAuth2/OIDC authorization servers with wallet-based OID4VP credential presentation

### Authorization

- [Cedarling Integration](/edk/v0.13/guides/authorization/cedarling.md): Integrate Cedar policy engine via Cedarling sidecar
- [OPA Integration](/edk/guides/authorization/opa.md): Open Policy Agent integration for policy evaluation
- [Command Authorization Extension](/edk/v0.13/guides/authorization/command-extension.md): Automatic authorization for command execution

### Identity APIs

- [Party REST API](/edk/guides/party/rest-api.md): The /api/party/v1 surface for managing persons, organizations, organization units, services, groups, relationships, and application bindings, shown as abstract, REST, service command, and gRPC for each operation.
- [Universal Registrar (DIF)](/edk/guides/identity/decentralized-identifiers/universal-registrar.md): The EDK's DIF Universal Registrar REST API for creating, updating, and deactivating DIDs.
- [Rich DID manager REST API](/edk/guides/identity/decentralized-identifiers/rich-rest-api.md): The EDK's full-featured DID manager REST API, with sub-resource CRUD, listing, filtering, projections, key-mapping inspection, and document cache control under /api/dids/v1.

### OAuth 2.0 and OpenID

#### OpenID4VCI

- [OpenID4VCI Overview](/edk/guides/oid4vci/overview.md): How the EDK extends the IDK OpenID4VCI issuer with a multi-phase attribute pipeline, pluggable attribute sources, deferred and approved issuance, async-callback ingress, and tenant-aware paths
- [Attribute Pipeline](/edk/guides/oid4vci/attribute-pipeline.md): When and how to feed attribute values into an EDK issuance flow, why you should provide them as late as possible, and how the protocol moments map to integration patterns
- [Hooking Up Your System](/edk/guides/oid4vci/attribute-sources.md): How to feed attributes into the EDK issuer from your own back-end, REST API, custom source, or async callback
- [REST API](/edk/guides/oid4vci/rest-api.md): HTTP endpoints for driving an issuance pipeline session from outside the OID4VCI protocol path
- [Persistence](/edk/guides/oid4vci/persistence.md): The issuance pipeline session store, the three encryption modes for sensitive payloads, and what gets persisted where

#### OpenID4VP

- [OID4VP Overview](/edk/v0.13/guides/oid4vp/overview.md): OpenID for Verifiable Presentations - verifying credentials from digital wallets
- [OID4VP Integration Guide](/edk/v0.13/guides/oid4vp/integration.md): Step-by-step guide to integrating the Universal OID4VP API
- [DCQL Store](/edk/guides/oid4vp/dcql-store.md): Versioned persistence for DCQL query configurations with PostgreSQL and MySQL backends, plus the DCQL admin and version-history REST API
- [DCQL REST API](/edk/guides/oid4vp/dcql-rest-api.md): HTTP endpoints for managing DCQL query configurations and walking their version history
- [DCQL Authoring](/edk/guides/oid4vp/dcql-authoring.md): Build DCQL queries from semantic attribute selections instead of writing the JSON by hand
- [Verifier DCQL Bindings](/edk/guides/oid4vp/verifier-bindings.md): Per-verifier pinning of shared DCQL queries to specific versions, with scheduled future activations

### Credential Implementation

#### Credential Design

- [REST API](/edk/guides/credential-design/rest-api.md): HTTP endpoints for managing credential, issuer, and verifier designs, render variants, imports, resolution, snapshots, and assets
- [Versioning](/edk/guides/credential-design/versioning.md): Explicit snapshot operations for credential designs, and how to use them for audit, change review, and rollback
- [Persistence & Offline Cache](/edk/guides/credential-design/persistence.md): PostgreSQL and MySQL backends for the credential design store, and the offline failover cache wrapper for wallets and verifier UIs

#### OCA Bundles

- [Bundle Service](/edk/guides/oca/bundle-service.md): Parsing, processing, and the OcaBundleService interface
- [SAID Verification](/edk/guides/oca/said-verification.md): Three levels of integrity verification for OCA bundles and overlays
- [Credential Design Integration](/edk/guides/oca/credential-design-integration.md): How OCA bundles feed the credential design system through the mapper, the layer provider, and native persistence

### eIDAS and Access Control

- [eIDAS Signature Client](/edk/v0.13/guides/eidas/client.md): Programmatic document signing with the eIDAS client API
- [eIDAS REST Server](/edk/v0.13/guides/eidas/server.md): Deploy eIDAS signature capabilities as REST APIs

### Persistence and Spring

- [Party Persistence](/edk/v0.13/guides/persistence/party.md): Store parties, identities, contacts, and addresses in relational databases
- [Settings Persistence](/edk/v0.13/guides/persistence/settings.md): Hierarchical configuration storage with scope inheritance
- [KV Store Persistence](/edk/v0.13/guides/persistence/kv-store.md): Database-backed key-value storage with multi-scope isolation
- [Database Routing](/edk/v0.13/guides/database/routing.md): Multi-tenant database routing with configurable isolation strategies
- [Spring Boot Integration](/edk/v0.13/guides/spring-boot/overview.md): Integrating the IDK with Spring Boot applications

## Tenant Operations

-
[Per-Tenant Configuration](/edk/guides/tenant/configuration.md): How per-tenant configuration and secrets are stored, read, and updated, and how the App / Tenant / Principal scope chain resolves a value. ## Reference - [REST API Reference](/edk/rest-apis/identity-crypto/kms) - [All APIs](/edk/api) ## Deployment and Installation - [Deployment Architecture](/edk/deployment/architecture.md): The single-port multi-tenant model for an EDK enterprise deployment, the operator and tenant host scheme, the gateway contract, and the host-and-path routing table every fronting layer must satisfy. - [Install on Docker](/edk/deployment/install-docker.md): Run the EDK enterprise stack behind a single-port Traefik gateway with Docker Compose, using local wildcard DNS through saas.localtest.me and a local wildcard TLS certificate. - [Install on Kubernetes (Cilium)](/edk/deployment/install-kubernetes-cilium.md): Deploy the EDK enterprise stack on Kubernetes behind the Cilium Gateway API, with one wildcard HTTPS listener, wildcard TLS through cert-manager DNS-01 or a TLS secret, and the edk-enterprise Helm gateway values. - [Cloud Load Balancers](/edk/deployment/cloud-load-balancers.md): How AWS ALB, GKE Gateway, and Azure Application Gateway conform to the single-port EDK gateway contract, with the one configuration gotcha for each platform and the edk-enterprise example values that encode it. - [Local Multi-Domain Development](/edk/deployment/local-multi-domain-development.md): Develop against the single-port multi-tenant EDK locally with saas.localtest.me wildcard DNS, expose the stack to a real phone wallet through an ngrok wildcard or a Cloudflare Tunnel, or serve it from a domain you control with a publicly trusted Let's Encrypt certificate. 
- [Provisioning and Onboarding](/edk/deployment/provisioning-and-onboarding.md): Two paths to a fully onboarded EDK platform with its first tenant, an interactive UI path and a scripted REST path through the deployment repository provision script, both producing the same documented end state locally and in production. ## Roles and Topology - [Roles and Topology Overview](/edk/deployment/container-deployment/overview.md): The EDK enterprise containers Sphereon ships to commercial customers, how the platform service and tenant runtime services relate, and how a typical deployment is laid out - [Deployment Topology](/edk/deployment/container-deployment/topology.md): How the platform service, tenant runtime containers, admin console, split PostgreSQL databases, public gateway, and east-west gRPC fit together in a typical deployment - [KMS Container](/edk/deployment/container-deployment/kms.md): The nexus.sphereon.com/edk-docker/enterprise-tenant-kms image, the internal-only crypto authority for tenant runtime services. Provider registration, per-tenant key aliases, the REST surface that issuer, verifier, tenant AS, and DID call into. - [DID Container](/edk/deployment/container-deployment/did.md): The nexus.sphereon.com/edk-docker/enterprise-did image, a public Universal Resolver plus internal admin and registrar for did:web, did:webvh, did:jwk, and did:key. Per-tenant method allowlists, document publishing, and webvh log management. - [AS Container](/edk/deployment/container-deployment/as.md): The nexus.sphereon.com/edk-docker/enterprise-tenant-as image, an OAuth 2.0 / OpenID authorization server scoped to tenant runtime flows. Pre-authorized code, wallet federation, client credentials, per-tenant federation provider binding. - [Issuer Container](/edk/deployment/container-deployment/issuer.md): The nexus.sphereon.com/edk-docker/enterprise-issuer image, the OpenID4VCI credential issuer. 
Protocol endpoints, attribute pipeline, credential design store, integration kinds for AS binding and attribute suppliers, webhooks. - [Verifier Container](/edk/deployment/container-deployment/verifier.md): The nexus.sphereon.com/edk-docker/enterprise-verifier image, the OpenID4VP verifier. Protocol endpoints, DCQL versioned store, per-tenant trust frames, presentation callbacks. - [Configuration & Secrets](/edk/deployment/container-deployment/configuration.md): How the EDK enterprise containers read configuration, including platform configuration, mounted YAML, environment variables, per-tenant config stored in the tenant workload database, and secret backends. - [Operations](/edk/deployment/container-deployment/operations.md): Running the EDK containers in production. Health and readiness, OpenTelemetry tracing and metrics, audit, backup and restore, image distribution and delivered versions, and the operator hardening checklist. ## Tenant Deployment - [Onboarding Walkthrough](/edk/deployment/onboarding-walkthrough.md): The end-to-end ordered runbook an operator follows to bring up an EDK deployment and onboard a tenant, from platform bootstrap through instance deployment. - [Instance Deployment](/edk/deployment/instance-deployment.md): Making a tenant's OID4VCI issuer, OID4VP verifier, and OAuth2 AS reachable by binding their public endpoints. ## Enterprise Deployment Walkthrough - [Walkthrough Overview](/edk/deployment/enterprise-deployment/overview.md): This walkthrough takes a fresh EDK enterprise deployment from container installation to issuing and verifying credentials. First-run onboarding can be completed with the onboarding web interface, the setup REST API, or offline license resources. The API examples shown here are sanitized captures from the published enterprise containers, so the examples reflect actual wire behavior. 
### Part 1: Deploying EDK - [Images and Helm chart](/edk/deployment/enterprise-deployment/images-and-chart.md): The Enterprise Development Kit Deployment repository uses published images only. The public customer deployment surface is the deployment repository: Compose, Helm, gateway examples, Postman, and provisioning scripts. - [Platform onboarding](/edk/deployment/enterprise-deployment/platform-onboarding.md): A fresh deployment starts with first-run setup on the platform container. First-run setup has two jobs: - [Operator sign-in](/edk/deployment/enterprise-deployment/operator-sign-in.md): Platform administration calls, from tenant registration onward, carry a bearer token for the platform operator. Setup creates or reconciles the platform tenant, its hosted authorization server, and the operator account before the setup gate closes. This page shows how the operator obtains the token after the issued license has been installed. ### Part 2: Using the REST APIs - [First tenant](/edk/deployment/enterprise-deployment/first-tenant.md): Tenants are registered through the Platform Admin API on the platform service. These calls carry the operator bearer token obtained through operator sign-in. Schemas are in the Platform Admin API reference. - [Service configuration](/edk/deployment/enterprise-deployment/service-configuration.md): Tenant-owned service instances are configured through the Platform Config API at /api/platform/config/v1. This surface is separate from Platform Admin: Platform Admin manages tenants, domains, signup, operator onboarding, and federation IdPs; Platform Config manages service instances and typed configuration sections for those instances. - [Keys and did:web](/edk/deployment/enterprise-deployment/keys-and-did.md): The tenant needs an ES256 key pair for signing credentials (the assertionMethod key) and one for authentication, anchored in a did:web identifier that external parties can resolve. 
  Key operations live on the KMS service (KMS API reference); DID operations live on the DID service (DID API reference).
- [Issuer settings](/edk/deployment/enterprise-deployment/issuer-tenant-config.md): The issuer design is the tenant's issuing identity: the did:web identifier whose assertion key signs the credentials. Schemas are in the Credential Design API reference.
- [Credential designs](/edk/deployment/enterprise-deployment/credential-designs.md): A credential design defines a credential type
- [Status lists](/edk/deployment/enterprise-deployment/status-lists.md): Revocation for the EuPid uses an IETF Token Status List: a signed, compressed bit array hosted at a public URL. Each issued SD-JWT carries a status claim pointing at the list URI and an index in the array. Management schemas are in the Status List Management API reference; the public surface is in the Status List Hosting API reference.
- [Issuing credentials](/edk/deployment/enterprise-deployment/issuing.md): There are two ways to get subject data into an issuance: supply it inline when creating the offer (the simple approach), or let attribute sources contribute it into a pipeline session (the pipeline API). Both end in the same wallet-facing OID4VCI protocol. Backend schemas are in the OID4VCI Issuer API reference.
- [DCQL queries](/edk/deployment/enterprise-deployment/dcql-queries.md): DCQL (Digital Credentials Query Language) describes what a verifier requests; claims a query does not name are not revealed. Queries are stored on the verifier service (DCQL API reference).
- [Verifier and verification](/edk/deployment/enterprise-deployment/verifier-binding.md): A verification session references a stored DCQL query by its id, so what production verifications request is governed by the stored, versioned query rather than by inline request bodies. Schemas are in the OID4VP Verifier API reference.
- [Accounts and identities](/edk/deployment/enterprise-deployment/accounts-and-identities.md): The hosted authorization server distinguishes two kinds of principals, with different rules:
- [Authorization code flow](/edk/deployment/enterprise-deployment/authorization-code-issuance.md): The pre-authorized code flow used earlier suits backend-initiated issuance where the subject is already known. The authorization code flow inverts this: the wallet sends the user to the authorization server to authenticate first, and the issuer resolves the subject's claims from the authenticated identity.
- [Downloads](/edk/deployment/enterprise-deployment/downloads.md): The complete walkthrough is available as a Postman collection. It ships in the deployment repository under postman/. Every page in this section corresponds to a collection folder with the same number, and the examples shown in the documentation are produced by running this collection.

## REST APIs

### Cryptography & Signatures

- [Key Management](/vdx/rest-apis/identity-crypto/kms.md)
- [W3C DID](/vdx/rest-apis/identity-crypto/did.md)
- [W3C DID Hosting](/vdx/rest-apis/identity-crypto/did-hosting.md)
- [eIDAS Signature](/vdx/rest-apis/identity-crypto/eidas-signature.md)
- [Trust Domains](/vdx/rest-apis/identity-crypto/trust-domain.md)

### Digital Credentials

- [Issuer (OID4VCI)](/vdx/rest-apis/verifiable-credentials/oid4vci-issuer.md)
- [Verifier (OID4VP)](/vdx/rest-apis/verifiable-credentials/oid4vp-verifier.md)
- [Credential Design](/vdx/rest-apis/verifiable-credentials/credential-design.md)
- [Credential Query (DCQL)](/edk/rest-apis/verifiable-credentials/dcql-edk.md)
- [Status List Hosting](/vdx/rest-apis/verifiable-credentials/statuslist-hosting.md)
- [Status List](/vdx/rest-apis/verifiable-credentials/statuslist-management.md)

### Semantics & Catalog

- [Attribute Authoring](/vdx/rest-apis/semantics/semantic-model-authoring.md)

### Parties & Accounts

- [Identity Auth](/vdx/rest-apis/parties/identity-auth.md)

### Tenancy & Platform

- [Platform Admin](/vdx/rest-apis/platform/platform-admin.md)
- [Platform Setup](/vdx/rest-apis/platform/platform-setup.md)
- [Platform Config](/vdx/rest-apis/platform/platform-config.md)
- [All APIs (combined reference)](/edk/api)

## Guides

- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation

### HTTP APIs

- [Universal HTTP Adapter](/edk/v0.13/guides/http/universal-adapter.md): Framework-agnostic HTTP adapter for building portable REST APIs

### Authentication

- [JWT Validation](/edk/v0.13/guides/authentication/jwt-validation.md): Multi-IdP JWT validation for Ktor and Spring Boot

### Authorization

- [Authorization Overview](/edk/v0.13/guides/authorization/overview.md): Policy-based authorization with AuthZEN, Cedar, and OPA
- [Cedarling Integration](/edk/v0.13/guides/authorization/cedarling.md): Integrate Cedar policy engine via Cedarling sidecar
- [Command Authorization Extension](/edk/v0.13/guides/authorization/command-extension.md): Automatic authorization for command execution

### DID Services

- [DID REST Services](/edk/v0.13/guides/did/overview.md): DID management REST APIs in the EDK

### OID4VP Verification

- [OID4VP Overview](/edk/v0.13/guides/oid4vp/overview.md): OpenID for Verifiable Presentations - verifying credentials from digital wallets
- [OID4VP Integration Guide](/edk/v0.13/guides/oid4vp/integration.md): Step-by-step guide to integrating the Universal OID4VP API
- [Interactive API Docs](/edk/api)

### eIDAS Signatures

- [eIDAS Signature Framework](/edk/v0.13/guides/eidas/overview.md): EU-compliant digital signatures with CAdES, PAdES, JAdES, and XAdES support
- [eIDAS Signature Client](/edk/v0.13/guides/eidas/client.md): Programmatic document signing with the eIDAS client API
- [eIDAS REST Server](/edk/v0.13/guides/eidas/server.md): Deploy eIDAS signature capabilities as REST APIs

### Configuration

- [Configuration System Overview](/edk/v0.13/guides/config/overview.md): EDK configuration system architecture, auto-registration, and module overview
- [Cloud Configuration Providers](/edk/v0.13/guides/config/cloud-providers.md): Using REST and Azure App Configuration cloud providers in the EDK
- [Offline Configuration Cache](/edk/v0.13/guides/config/offline-cache.md): Using offline caching for network-resilient configuration in the EDK

### Persistence

- [Party Persistence](/edk/v0.13/guides/persistence/party.md): Store parties, identities, contacts, and addresses in relational databases
- [Settings Persistence](/edk/v0.13/guides/persistence/settings.md): Hierarchical configuration storage with scope inheritance
- [KV Store Persistence](/edk/v0.13/guides/persistence/kv-store.md): Database-backed key-value storage with multi-scope isolation

### Database

- [Database Routing](/edk/v0.13/guides/database/routing.md): Multi-tenant database routing with configurable isolation strategies

### Events

- [Events System](/edk/v0.13/guides/events/overview.md): EDK event types, subsystems, and transmitter interfaces

### Spring Boot

- [Spring Boot Integration](/edk/v0.13/guides/spring-boot/overview.md): Integrating the IDK with Spring Boot applications
- [Kotlin API Reference](pathname:///edk/v0.13/api/index.html)
- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation
- [Platform & Tenant Onboarding](/vdx/guides/onboarding.md): Bootstrap the platform tenant, activate a license, create tenants, and provision many issuer, verifier, and authorization-server instances per tenant
- [Credentials & Trust](/vdx/guides/credentials.md): Issue, verify, and manage verifiable credentials with built-in trust establishment and authorization server integration
- [Identity & Authentication](/vdx/guides/identity-platform.md): Wallet authentication, identity reconciliation, composable verification workflows, and enterprise IAM integration
- [Security & Governance](/vdx/guides/security.md): End-to-end zero-trust governance, from policy enforcement through audit trails to compliance reporting
- [Operations & Management](/vdx/guides/operations.md): Portals, workflows, forms, branding, deployment, and device management for the VDX platform

## REST APIs

### Cryptography & Signatures

- [Key Management](/vdx/rest-apis/identity-crypto/kms.md)
- [W3C DID](/vdx/rest-apis/identity-crypto/did.md)
- [W3C DID Hosting](/vdx/rest-apis/identity-crypto/did-hosting.md)
- [eIDAS Signature](/vdx/rest-apis/identity-crypto/eidas-signature.md)
- [Trust Domains](/vdx/rest-apis/identity-crypto/trust-domain.md)

### Digital Credentials

- [Issuer (OID4VCI)](/vdx/rest-apis/verifiable-credentials/oid4vci-issuer.md)
- [Verifier (OID4VP)](/vdx/rest-apis/verifiable-credentials/oid4vp-verifier.md)
- [Credential Design](/vdx/rest-apis/verifiable-credentials/credential-design.md)
- [Credential Query (DCQL)](/vdx/rest-apis/verifiable-credentials/dcql-vdx.md)
- [Status List Hosting](/vdx/rest-apis/verifiable-credentials/statuslist-hosting.md)
- [Status List](/vdx/rest-apis/verifiable-credentials/statuslist-management.md)

### Semantics & Catalog

- [Attribute Authoring](/vdx/rest-apis/semantics/semantic-model-authoring.md)
- [Semantic Binding](/vdx/rest-apis/semantics/semantic-binding.md)
- [Semantic Vocabulary](/vdx/rest-apis/semantics/semantic-vocabulary.md)

### Parties & Accounts

- [Party Management](/vdx/rest-apis/parties/party-manager.md)
- [User Manager](/vdx/rest-apis/parties/user-manager.md)
- [Identity Auth](/vdx/rest-apis/parties/identity-auth.md)

### Services

- [Software / Instance Manager](/vdx/rest-apis/services/software-manager.md)
- [Attribute Sources](/vdx/rest-apis/services/attribute-source.md)
- [Resource & Booking](/vdx/rest-apis/services/resource-manager.md)
- [Email](/vdx/rest-apis/services/email.md)

### Tenancy & Platform

- [Platform Admin](/vdx/rest-apis/platform/platform-admin.md)
- [Platform Setup](/vdx/rest-apis/platform/platform-setup.md)
- [Platform Config](/vdx/rest-apis/platform/platform-config.md)
- [Invitations & Redemption](/vdx/rest-apis/platform/invitation.md)
- [Forms](/vdx/rest-apis/platform/forms.md)

### Other

- [license-portal](/vdx/rest-apis/other/license-portal.md)
- [identity-manager](/vdx/rest-apis/other/identity-manager.md)
- [All APIs (combined reference)](/vdx/api)
- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation

## 📚 Guides

- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation
- [Sdk installation](/kiwa/v0.6/guides/installation.md): eLicense Sdk installation instructions
- [Dependency Injection](/kiwa/v0.6/guides/di.md): Dependency Injection and components
- [Holder Functions](/kiwa/v0.6/guides/holder-functions.md): Holder Functions explained
- [eLicense Mdoc display and verification](/kiwa/v0.6/guides/elicense-mdocs.md): eLicense ISO Mdoc display and verification
- [Kotlin API Reference](pathname:///kiwa/v0.13/api/index.html)

## Other

- [Example app](/kiwa/v0.6/other/sample-app.md): eLicense example app
- [Changelog](/kiwa/other/changelog.md): Release history and changes for the Kiwa SDK
- [FAQ](/kiwa/v0.6/other/faq.md): Q: Does the Kiwa eLicense SDK require REST APIs?
- [License Agreement](/kiwa/v0.6/other/license.md): Be aware the Kiwa eLicense SDK is governed by a license agreement and is proprietary. Licensees will have source code access.

## 📚 Guides

- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation
- [Sdk installation](/kiwa/v0.6/guides/installation.md): eLicense Sdk installation instructions
- [Dependency Injection](/kiwa/v0.6/guides/di.md): Dependency Injection and components
- [Holder Functions](/kiwa/v0.6/guides/holder-functions.md): Holder Functions explained
- [eLicense Mdoc display and verification](/kiwa/v0.6/guides/elicense-mdocs.md): eLicense ISO Mdoc display and verification
- [Kotlin API Reference](pathname:///kiwa/v0.10/api/index.html)

## Other

- [Example app](/kiwa/v0.6/other/sample-app.md): eLicense example app
- [FAQ](/kiwa/v0.6/other/faq.md): Q: Does the Kiwa eLicense SDK require REST APIs?
- [License Agreement](/kiwa/v0.6/other/license.md): Be aware the Kiwa eLicense SDK is governed by a license agreement and is proprietary. Licensees will have source code access.

## 📚 Guides

- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation
- [Sdk installation](/kiwa/v0.6/guides/installation.md): eLicense Sdk installation instructions
- [Dependency Injection](/kiwa/v0.6/guides/di.md): Dependency Injection and components
- [Holder Functions](/kiwa/v0.6/guides/holder-functions.md): Holder Functions explained
- [eLicense Mdoc display and verification](/kiwa/v0.6/guides/elicense-mdocs.md): eLicense ISO Mdoc display and verification
- [Kotlin API Reference](pathname:///kiwa/v0.6/api/index.html)

## Other

- [Example app](/kiwa/v0.6/other/sample-app.md): eLicense example app
- [FAQ](/kiwa/v0.6/other/faq.md): Q: Does the Kiwa eLicense SDK require REST APIs?
- [License Agreement](/kiwa/v0.6/other/license.md): Be aware the Kiwa eLicense SDK is governed by a license agreement and is proprietary. Licensees will have source code access.

## Guides

- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation
- [System Architecture](/eduid-wallet-matching-portal/guides/architecture.md): Service topology, inter-service communication, and deployment architecture for the matching portal
- [Authentication Flows](/eduid-wallet-matching-portal/guides/authentication-flows.md): Three authentication paths - federated OIDC login, wallet fast-path for known holders, and wallet reconciliation for new holders

### Identity Matching

- [Identity Matching](/eduid-wallet-matching-portal/guides/matching/overview.md): How external identifiers are linked to internal identities using privacy-preserving HMAC hashing
- [IdentityMatch Record](/eduid-wallet-matching-portal/guides/matching/identity-match.md): The hash-based index linking external identifiers to internal identity IDs
- [IdentityLinkBinding Record](/eduid-wallet-matching-portal/guides/matching/identity-link-binding.md): Encrypted holder-to-institution mapping with cached canonical attributes and assurance metadata
- [Key Rotation](/eduid-wallet-matching-portal/guides/matching/key-rotation.md): Zero-downtime HMAC and encryption key rotation with dual-read support and lazy migration

### Reconciliation

- [Identity Reconciliation](/eduid-wallet-matching-portal/guides/reconciliation/overview.md): Policy-driven decision engine that determines what to do when a user presents wallet credentials
- [Selector Rules](/eduid-wallet-matching-portal/guides/reconciliation/selector-rules.md): Declarative rule engine for reconciliation decisions - conditions, priorities, and plan templates
- [Material Profiles](/eduid-wallet-matching-portal/guides/reconciliation/material-profiles.md): Recipes for constructing identity link bindings - which identifiers to hash and which attributes to encrypt
- [Reconciliation Sessions](/eduid-wallet-matching-portal/guides/reconciliation/reconciliation-session.md): OIDC-based reconciliation session lifecycle - creation, redirect, callback, and completion

### Encryption & Key Management

- [Encryption & Key Management](/eduid-wallet-matching-portal/guides/encryption/overview.md): Three domain-separated cryptographic keys protecting identity data at rest - HMAC-SHA256 for hashing, AES-256-GCM for encryption
- [Cryptographic Keys](/eduid-wallet-matching-portal/guides/encryption/cryptographic-keys.md): Key aliases, algorithms, KMS provider configuration, and key version management
- [Encrypted Storage Patterns](/eduid-wallet-matching-portal/guides/encryption/encrypted-storage.md): How sensitive data is encrypted before persistence and decrypted on read - envelope encryption, AES-256-GCM payloads, and zero-plaintext guarantees

### REST APIs

- [REST API Overview](/eduid-wallet-matching-portal/guides/rest-api/overview.md): Complete API surface - OID4VP sessions, IDV reconciliation, external identity API, STS OIDC endpoints, and frontend BFF routes
- [OID4VP Session API](/eduid-wallet-matching-portal/guides/rest-api/oid4vp-sessions.md): Create, poll, and complete wallet authentication sessions via OID4VP
- [IDV Reconciliation API](/eduid-wallet-matching-portal/guides/rest-api/idv-reconciliation.md): Initiate, callback, and complete identity verification reconciliation flows
- [External Reconciliation API](/eduid-wallet-matching-portal/guides/rest-api/external-api.md): REST API for authorized third-party systems to access reconciled identity data, auxiliary data, and GDPR erasure
- [STS (OAuth2/OIDC) Endpoints](/eduid-wallet-matching-portal/guides/rest-api/sts-endpoints.md): Full OIDC Provider endpoints - authorization, token, introspection, revocation, JWKS, and discovery
- [Frontend BFF Routes](/eduid-wallet-matching-portal/guides/rest-api/frontend-bff.md): Next.js Backend-For-Frontend routes that proxy requests to STS and Auth Bridge

### Database

- [Database Overview](/eduid-wallet-matching-portal/guides/database/overview.md): Seven PostgreSQL tables powering identity matching, reconciliation, auxiliary data, key rotation, and audit
- [Schema Reference](/eduid-wallet-matching-portal/guides/database/schema-reference.md): Complete DDL for all seven tables - columns, types, constraints, indexes, and encryption annotations
- [GDPR Data Lifecycle](/eduid-wallet-matching-portal/guides/database/gdpr-data-lifecycle.md): Data retention, soft delete, hard delete, inactive binding cleanup, and GDPR Art. 17 erasure

### Operations

- [Deployment Guide](/eduid-wallet-matching-portal/guides/operations/deployment.md): Docker Compose setup, environment variables, service dependencies, and production deployment considerations
- [Configuration Reference](/eduid-wallet-matching-portal/guides/operations/configuration.md): Complete application.yml reference for STS and Auth Bridge - all properties with defaults and descriptions
- [Monitoring & Observability](/eduid-wallet-matching-portal/guides/operations/monitoring.md): Audit events, session cleanup monitoring, key migration tracking, and operational health indicators

### Security & Privacy

- [Privacy Architecture](/eduid-wallet-matching-portal/guides/security/privacy-architecture.md): Privacy-by-design principles - no plaintext storage, domain-separated keys, tenant isolation, data minimization, and crypto-shredding
- [Audit Trail](/eduid-wallet-matching-portal/guides/security/audit-trail.md): Append-only audit event logging for identity operations, reconciliation decisions, and GDPR compliance evidence

## Other Pages

- /
- /edk/api/
- /edk/category/concepts-and-models
- /edk/category/deployment-and-installation
- /edk/category/reference
- /edk/category/start-here
- /edk/category/technical-guides
- /edk/category/tenant-operations
- /edk/category/walkthroughs
- /idk/api/
- /idk/category/concepts-and-models
- /idk/category/deployable-services
- /idk/category/examples-and-reference
- /idk/category/start-here
- /idk/category/technical-guides
- /ssi-sdk
- /vdx/api/