Decentralized Identity (DCI)

DCI is an architectural model that shifts control of digital identities away from corporate silos and directly into the hands of the individuals, organizations, or devices that own them.

In a traditional centralized model, an Identity Provider (IdP) holds and controls user identity. Every authentication requires a live call back to that IdP, and every application depends on it remaining available, trustworthy, and compatible. Users have no direct ownership of their credentials, and organizations accumulate large stores of personal data on their behalf.

Decentralized identity breaks this dependency. It is built on the following core components:

  • Cryptographic Identity: each party has a cryptographic identity backed by a key pair, with no central registry required to create or prove ownership of it.
  • Verifiable Credentials (VCs): cryptographically signed digital documents containing identity claims, verifiable by anyone without contacting the Issuer.
  • Digital Wallets / Holder: secure software where Holders store and selectively present credentials, sharing only what a transaction requires.
  • Issuers: trusted authorities that verify facts about a Holder, issue signed credentials, and can revoke them when they are no longer valid.
  • Verifiers: services that validate credentials by checking the cryptographic signature and revocation status, with no live call to the Issuer.
  • Trust Registries: the mechanism by which Verifiers discover and trust Issuer public keys, via an X.509 certificate chain, a hosted key endpoint, or a published key list.

Together, these form a trust model where identity is portable, privacy-preserving, and controlled by the person it belongs to. The user, not the IdP, decides when and what to share.

ThunderID provides the underlying infrastructure to orchestrate this lifecycle. It acts as an Enterprise Identity Hub, enabling you to issue tamper-evident credentials and verify third-party assertions.

How Verifiable Credentials Work

Verifiable Credentials flow through a three-party framework called the Trust Triangle, where each party plays a distinct role:

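[Diagram: the Trust Triangle. The Issuer (institution / authority) issues a VC to the Holder (wallet); the Holder presents a VP to the Verifier (relying party); the Verifier trusts the Issuer, with no integration needed.]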
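The Issuer-to-Verifier path described above, as an added example in Go (not ThunderID code or its API): the Verifier checks the signature against a trust registry in published-key-list form and checks a locally cached revocation list, without calling the Issuer. The credential layout, the names `NewIssuer`, `Issue` and `Verify`, the choice of Ed25519, and the bitstring revocation list are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Credential is a simplified VC payload; field names are assumptions, not a standard format.
type Credential struct {
	Issuer      string            `json:"iss"`
	Claims      map[string]string `json:"claims"`
	StatusIndex int               `json:"status_idx"` // bit position in the revocation list
}

// NewIssuer builds a constructed demo Issuer: a one-entry trust registry plus its signing key.
func NewIssuer(name string) (map[string]ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return map[string]ed25519.PublicKey{name: pub}, priv
}

// Issue serializes the credential and signs those exact bytes (Issuer side).
func Issue(c Credential, priv ed25519.PrivateKey) (payload, sig []byte) {
	payload, _ = json.Marshal(c)
	return payload, ed25519.Sign(priv, payload)
}

// Verify uses only local data (trust registry, cached revocation bits); it never calls the Issuer.
func Verify(payload, sig []byte, registry map[string]ed25519.PublicKey, revoked []byte) (*Credential, error) {
	var c Credential
	if json.Unmarshal(payload, &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	pub, ok := registry[c.Issuer] // unverified field, used only to pick a trusted key
	if !ok || !ed25519.Verify(pub, payload, sig) {
		return nil, fmt.Errorf("untrusted issuer or bad signature")
	}
	i := c.StatusIndex
	if i < 0 || i/8 >= len(revoked) || revoked[i/8]&(1<<(i%8)) != 0 {
		return nil, fmt.Errorf("revoked or status unknown") // fail closed
	}
	return &c, nil
}

func main() {
	registry, priv := NewIssuer("issuer.example")
	payload, sig := Issue(Credential{"issuer.example", map[string]string{"license": "active"}, 3}, priv)
	_, err := Verify(payload, sig, registry, []byte{0x00})
	fmt.Println("verified offline:", err == nil)
}
```

The claims are read only after the signature check passes, and a status index outside the cached list is rejected rather than treated as not revoked.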

When to Use This Pattern

This pattern is a good fit when you need to:

  • Remove central intermediaries: Verifiers check credentials offline using cryptographic signatures alone, removing the runtime dependency on a central IdP.

  • Eliminate repeated verification: Replace expensive, manual compliance checks (like KYC or employment verification) with portable, reusable digital proofs that reduce onboarding friction.

  • Maximize user privacy: Allow users to selectively disclose only the specific attributes required for a transaction, minimizing organizational data liability and protecting user privacy at the source.

  • Support offline and edge environments: Secure supply chains, IoT networks, or distributed devices with cryptographic proofs that can be verified resiliently even when the original issuer is offline.

What You Can Build

Credential Issuance

Issue cryptographically signed Verifiable Credentials to user wallets — covering personal identification, professional certifications, vehicle registration, or loyalty cards.

Standalone Claim Verification

Allow users to cryptographically prove specific facts — such as holding an active license or being over a certain age — without disclosing any unrelated personal data.

Onboarding and Authentication

Instantly authenticate users and register new accounts by accepting trusted, tamper-evident digital credentials — eliminating manual identity verification, forms, and document uploads.

© WSO2 LLC. All rights reserved.