Most of the open source IAM projects out there started more than a decade ago, in a world where humans were the only intelligent actors in a system, machines followed instructions without reasoning about them, quantum computing was a research topic, distributed identity infrastructure was still emerging, and deployment practices like GitOps didn't exist yet. The design decisions made then reflected that world well.

That world has changed. AI agents are running in production, holding credentials, calling APIs, and acting on behalf of users and services. Cyberattacks such as harvest-now-decrypt-later and trust-now-forge-later are real. Digital wallet ecosystems are maturing, and modern teams use containerized deployments and practice GitOps. Open source IAM hasn't caught up, and that gap is real. ThunderID is our attempt to close it: a new open source IAM stack built from scratch, designed for the identity problems of this decade and the one that follows.

The team at WSO2, drawing on more than 15 years of experience building and running IAM software at scale, including WSO2 Identity Server, started ThunderID.

ThunderID is designed around four pillars that address the gaps the current generation of open source IAM doesn't cover well.

Agent-native Identity​

AI agents deserve their own notion of identity. Most existing IAM solutions treat an agent as a machine credential, a service account, or an application. ThunderID models AI agents as a distinct identity type, built into the foundation rather than added on top.

What this means in practice:

• Agents are modelled as a distinct identity type with their own lifecycle, supporting delegated authority, consent-aware access, and full traceability.

• IAM operations are exposed through APIs and MCP, so agent-driven workflows can interact with identity services programmatically.

Post-quantum-safe by Design​

RSA and ECDSA are the algorithms that form the backbone of today's PKI. Cyberattacks such as harvest-now-decrypt-later and trust-now-forge-later mean credentials and signed assertions issued today may need to remain valid and unforgeable well into the post-quantum window. ThunderID is crypto-agile by design: algorithms are configurable, not baked in.

What this means in practice:

• Post-quantum-safe algorithms including ML-KEM, ML-DSA, and SLH-DSA are supported as first-class options, with a hybrid mode for running classical and post-quantum algorithms in parallel during transition.

• Crypto-agility applies across the full runtime: key management, credential issuance, signed assertions, and service-to-service communication.

Decentralized Identity Integration​

Decentralized Identifiers (DID), verifiable credentials (VC), digital wallets, and trust registries are moving from specification into production. Among them, digital wallets are increasingly being adopted across personal and enterprise use cases, becoming an integral part of our lives. ThunderID is built to integrate with this ecosystem from the start, not to bolt it on later.

What this means in practice:

• Verifiable credential issuance and presentation, so you can issue credentials to digital wallets and accept presentations for authentication and registration without becoming a credential-format expert.

• Standard APIs covering issuer-verifier-holder interaction patterns for integration with DIDs, digital wallets, and trust registries.

Lightweight, high-performance runtime with GitOps support​

ThunderID is written in Go: high performance, low latency, small runtime footprint. It is headless and API-first, with built-in GitOps support.

What this means in practice:

• Headless and API-first: the console UI, SDKs, and end-user flows sit on top and are replaceable or white-labelable.

• Declarative configuration with built-in GitOps support: IAM definitions are versioned and deployed through the same pipelines as the rest of your platform, on-premises or in the cloud

Developer Experience​

ThunderID aims to provide an opinionated developer experience, with tools and SDKs targeting specific development roles such as application and API developers, AI agent developers, and IAM developers and architects.

ThunderID ships framework-specific SDKs for React, Next.js, Vue.js, and Nuxt.js with pre-built components you can drop into an application like any other framework component, style with the rest of your UI, and use without dealing with the wire-level mechanics of OAuth 2.0, OpenID Connect, or token handling.

If you work directly at the protocol level, the same flows are available through standard OAuth 2.0 and OpenID Connect. SDKs provide a quicker integration path; the underlying standards define the contract. Both approaches are supported equally.

Beyond SDKs, ThunderID provides a console UI, RESTful APIs, server-side and client-side SDKs, and a flow engine and a visual flow designer for building login, registration, account recovery, and step-up authentication experiences without implementing each flow from scratch.

AI agents in ThunderID are not only identities managed by the system. They are also actors that interact with it, performing development and operational tasks with a human in the loop. Core IAM operations such as issuing credentials, granting consent, evaluating policies, and executing flows are available through standard APIs and MCP, allowing agents to discover and invoke identity functions programmatically. These capabilities are also packaged as reusable skills, so agents can consume them without requiring each operation to be individually wrapped by the application.

Get Involved​

ThunderID is in active development and openly built. The best way to understand what it is and where it's going is to try it.

Start with the getting started guide. If you run into something that doesn't work, open a GitHub issue. If you have questions, thoughts on the design, or want to follow the project's direction, join the conversation on GitHub Discussions.

This project is shaped by the people who use it and contribute to it. We're glad you're here.