Here are the most important things you need to know about the SSI Kit:
It is written in Kotlin/Java. It can be directly integrated (Maven/Gradle dependency) or run as a RESTful web service. A CLI tool allows you to run all functions manually.
It is open source (Apache 2). You can use the code for free and without strings attached.
It is a holistic solution that allows you to build use cases “end-to-end”. There is no need to research, combine or tweak different libraries to build pilots or production systems.
It abstracts complexity and low-level functionality via different interfaces (CLI, APIs). Additional services facilitate development and integration (e.g. Issuer and Verifier Portals).
It is modular, composable and built on open standards, allowing you to customize and extend functionality with your own or third-party implementations and to prevent lock-in.
It is flexible in the sense that you can deploy and run it on-premise, in your (multi) cloud environment or as a library in your application.
It enables you to use different identity ecosystems like Europe’s emerging identity ecosystem (EBSI, ESSIF) in anticipation of a multi-ecosystem future.
Signatory allows you to digitize paper credentials and automate data provision to your stakeholders.
It provides all functionality required by “Issuers”. For example:
Process and authenticate data requests by people or organisations,
Import data (from local storage or third parties),
Create re-usable VC templates,
Create VCs in different formats (e.g. JSON/JWT, JSON-LD),
Sign VCs using different key types (e.g. ed25519, secp256K1, RSA),
Manage the lifecycle of VCs (e.g. revocation).
Issue VCs (e.g. via OIDC/SIOP)
Custodian is a secure data hub for people and organizations. It provides all functionality required by “Holders”. For example:
Interact with Registries (read, write)
Create, store, manage keys, data (DIDs, VCs) and other secrets,
Request and import data (VCs) from third parties,
Selectively disclose data (VCs/VPs) for authentication and identification,
Manage consent and data access in a user-centric fashion.
Auditor allows you to verify your stakeholders’ identity data and offer frictionless access to services or products. It provides all functionality required by “Verifiers”. For example:
request data (VCs/VPs) from stakeholders,
verify data (VCs/VPs; incl. integrity, validity, provenance, authenticity),
trigger pre-defined actions following the verification.
The verification steps can be dynamically configured by passing "verification policies" to each verification attempt.
The SSI Kit comes with the following set of built-in verification policies:
SignaturePolicy: Loads or resolves the DID, loads the public key and verifies the credential's signature.
JsonSchemaPolicy: Validates the credential against the JSON schema.
TrustedSchemaRegistryPolicy: Checks if the JSON schema is anchored in the EBSI Trusted Schema Registry.
TrustedIssuerDidPolicy: Checks if the issuer DID is anchored on the EBSI DID registry.
TrustedIssuerRegistryPolicy: Checks if the issuer got inserted in the EBSI TIR (Trusted Issuer Registry).
TrustedSubjectDidPolicy: Checks if the issuer DID is anchored on the EBSI DID registry.
IssuedDateBeforePolicy: Checks if issued date is in the past.
ValidFromBeforePolicy: Checks if valid-from date is in the past.
ExpirationDateAfterPolicy: Checks if expiration-date is in the future.
CredentialStatusPolicy: Checks if credential is revoked based on the credential-status list.
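The per-attempt policy selection described above, modelled as an added example (not SSI Kit code and not its API): a verifier runs only the policies it was given, so the chosen policy set decides what "verified" means. Only the three date policies are modelled; the function names, the sample credential, the fail-closed behaviour and the treatment of missing fields are assumptions of this sketch.

```python
import json
from datetime import datetime, timezone

# Constructed sample credential using W3C VC field names; not taken from the page.
SAMPLE_VC = json.loads("""{
  "type": ["VerifiableCredential", "VerifiableId"],
  "issuer": "did:key:z6MkExampleIssuer",
  "issuanceDate": "2023-01-10T09:00:00Z",
  "validFrom": "2023-02-01T00:00:00Z",
  "expirationDate": "2024-02-01T00:00:00Z",
  "credentialSubject": {"id": "did:key:z6MkExampleHolder"}
}""")

def _ts(vc, field):
    """Parse a timestamp field of the credential; None when the field is absent."""
    raw = vc.get(field)
    return None if raw is None else datetime.fromisoformat(raw.replace("Z", "+00:00"))

# Assumption of this model: a missing issuanceDate fails, while the optional
# validFrom / expirationDate fields impose no constraint when absent.
def issued_date_before(vc, now):
    t = _ts(vc, "issuanceDate")
    return t is not None and t <= now

def valid_from_before(vc, now):
    t = _ts(vc, "validFrom")
    return t is None or t <= now

def expiration_date_after(vc, now):
    t = _ts(vc, "expirationDate")
    return t is None or t > now

# Policy names follow the page's list; the functions are stand-ins.
POLICIES = {
    "IssuedDateBeforePolicy": issued_date_before,
    "ValidFromBeforePolicy": valid_from_before,
    "ExpirationDateAfterPolicy": expiration_date_after,
}

def verify(vc, policy_names, now=None):
    """Run only the policies named for this attempt.

    Returns (overall, per-policy results). Unknown policy names, unparsable
    dates and an empty policy list all count as failure (fail closed).
    """
    now = now or datetime.now(timezone.utc)
    results = {}
    for name in policy_names:
        check = POLICIES.get(name)
        try:
            results[name] = check is not None and check(vc, now)
        except (ValueError, TypeError, AttributeError):
            results[name] = False
    return bool(results) and all(results.values()), results
```

An expired credential still passes an attempt that lists only IssuedDateBeforePolicy, which is why the policy list belongs in the verifier's reviewed configuration rather than in per-call defaults.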
The SSI Kit establishes an identity infrastructure layer for any use case in any industry. Its core services are in the scope of:
Registry Interactions (e.g. read, write; agnostic towards the underlying tech e.g. DLT, DNS)
Key Management (e.g. generate, sign, import, export, manage lifecycle)
Decentralized Identifier (DID) operations (e.g. register, resolve, manage lifecycle)
Verifiable Credential/Presentations (VC, VP) operations (e.g. create, issue, present, verify)
Ecosystem specific use cases (e.g. onboarding, data exchange and monetization)
This section elaborates the theory behind the SSI Kit:
SSI Kit | Basics - Learn what the SSI Kit is and what it does.
SSI Flavors & Ecosystems - Learn which SSI flavors and identity ecosystems we support.
Architecture - Explore the SSI Kit's multi-layered architecture and components.
Use Cases - Explore use cases you can implement with the SSI Kit.
SSI-Kit feature list - Explore all features in an overview list.
Important: Please be informed that, beginning from December 2023, the SSI Kit will no longer receive new features. Furthermore, the SSI Kit is planned for discontinuation by the end of Q3 2024. However, all functionalities offered by the SSI Kit will be integrated into our new libraries, APIs, and apps in the walt.id identity repo, giving you more modularity, flexibility and ease-of-use to build end-to-end digital identity and wallet solutions. Read the transition guide here. For any clarification or queries, feel free to contact us as we aim to make this transition as smooth as possible.
This documentation will help you understand how the SSI Kit works and how you can use it. However, it presumes a certain level of knowledge about Self-Sovereign Identity (SSI) so
if you are already familiar with SSI, you can jump to the introduction of the SSI Kit.
if you are new to SSI, please continue with our introduction to Self-Sovereign Identity.
Our products are agnostic towards the underlying technologies used to implement Trust Registries, which means that the SSI Kit is potentially compatible with any type of Trust Registry.
The SSI Kit supports:
Permissionless Blockchains (e.g. Ethereum),
Permissioned Blockchains (e.g. Ethereum Enterprise/Hyperledger Besu),
Domain Name Service (DNS),
Pure peer-to-peer approaches that do not require Registries.
Note that we are continuously adding support for new Registries and underlying technologies.
You can learn more about Trust Registries here.
Cryptographic keys convey control over digital identities and enable core functionality such as encryption and authentication.
The SSI Kit supports:
EdDSA / ed25519
ECDSA / secp256k1
ECDSA / secp256r1
RSA
Note that we are continuously adding support for new key types.
You can learn more about keys.
Our open source solutions enable you to use different types of DIDs and different identity ecosystems. Every relevant functionality is supported from the generation of DIDs and DID Documents to anchoring or resolving them on/from Registries.
We currently support the following DID methods:
did:ebsi
did:web
did:key
did:jwk
did:iota
did:cheqd
Note that we are continuously adding support for new DID methods.
You can learn more about DIDs here.
This software-layer holds a set of generic core services for common SSI and cryptographic functions. The services are in the scope of key management, decentralized identifiers, verifiable credentials and data storage.
The following is a short summary of the interfaces available. The detailed functions are described in the documentation further on.
Handles keys and cryptographic operations like the generation of signatures (e.g. linked data, JWT) with signature types such as ES256K or EdDSA.
Keys can be stored in a file and database keystore, which is extendable to HSMs and WebKMS.
Abstracts common functionality related to Decentralised Identifiers (DIDs, DID Documents) for methods like “did:web”, “did:key”, “did:ebsi”.
Abstracts common functionality related to Verifiable Credentials (VCs) and Verifiable Presentations (VPs) in different formats like JSON and JSON-LD.
The low-level services expose common interfaces that can conveniently be utilized directly via Kotlin/Java or via the REST API.
The architecture of the SSI Kit consists of three layers:
Low-Level Services Abstraction: Abstracts complex, low-level operations (e.g. cryptography, key management, digital signatures, data storage).
Ecosystem Abstraction: Abstracts ecosystem-specific requirements based on the relevant technical and governance frameworks (e.g. SSI flavors, business logic, policies).
High-Level Interfaces / APIs: Provides high-level interfaces that hide complexity and facilitate usage for developers.
Also, the architecture allows for the integration of third party solutions throughout the stack. For example:
Key storage (e.g. HSM, WebKMS)
Data storage (e.g. identity hubs, confidential storage)
Registries (e.g. blockchains, DNS)
This architectural openness prevents vendor lock-in and allows you to build SSI-based solutions that meet your unique requirements.
Read on to explore all three abstraction layers in more detail.
Authentication and data exchange protocols (e.g. OIDC/SIOP) enable the exchange of data (VCs) between different parties.
The SSI Kit supports the latest OpenID Connect extension for SSI:
The implementation of the protocols is conformant with the latest specs from EBSI https://api-conformance.ebsi.eu/docs/wallet-conformance
You can learn more about protocols here.
Verifiable Credentials (VCs) are digital identity documents that can easily and securely be shared with and verified (incl. validity, integrity, authenticity, provenance) by anyone in a privacy preserving way. Importantly, they are never (!) stored on a blockchain due to privacy and compliance reasons.
The SSI Kit supports W3C Verifiable Credentials in different formats:
JSON / JWT
JSON-LD
Note that we are continuously adding support for new VC types and formats.
You can learn more about VCs here.
The SSI Kit abstracts complexity for developers by following a "multi-stack approach" that enables you to use different implementations or "flavours" of SSI.
As a result, you can participate in different identity ecosystems (e.g. EBSI/ESSIF, Gaia-X, Velocity Network, cheqd and IOTA) and avoid technology-related lock-in effects.
Based on our Introduction to Self-Sovereign Identity (SSI), we distinguish the following concepts or building blocks:
Read on to learn which concrete technologies and implementations we support on the level of
Trust Registries
Keys
Decentralized Identifiers (DIDs)
Verifiable Credentials (VCs)
Data Exchange Protocols
It has always been our goal to provide developers and organizations with great tools, so they can focus on delivering holistic identity solutions. Taking the lessons learned from previous products, we decided to redesign our current offering, resulting in what we now call The Community Stack: a collection of open-source products providing everything to launch any identity solution with ease. You can learn more about it here.
Starting from December 2023, the SSI-Kit will halt feature enhancements, leading to a complete discontinuation planned for end-Q3 2024. It's essential to plan your transition to the new stack effectively. The table below indicates which components of the SSI-Kit are already supported in the new stack.
For Kotlin/Java projects where SSI-Kit was used as a native dependency, utilize the provided Library for equivalent features in the new stack.
If you employed the REST APIs, simply switch to the supplied API in the new stack.
If you have any questions, please reach out.
All relevant new libraries and APIs have found their place in the waltid-identity repo.
SSI-Kit Feature | The Community Stack |
---|---|
Keys Operations: Create, Update, Delete | All types of operations are supported |
ed25519 | Available via: • Crypto Lib • Wallet-API |
secp256k1 | Available via: • Crypto Lib • Wallet-API |
secp256r1 | Available via: • Crypto Lib • Wallet-API |
rsa | Available via: • Crypto Lib • Wallet-API |
DIDs Operations: Create, Register, Resolve, Delete | All types of operations are supported |
did:key | Available via: • DID Lib • Wallet API |
did:jwk | Available via: • DID Lib • Wallet API |
did:web | Available via: • DID Lib • Wallet API |
did:cheqd | Available via: • DID Lib • Wallet API |
did:iota | Available via: • DID Lib • Wallet API |
did:ebsi | Not yet supported |
W3C Credentials | |
Issuance | |
W3C Credential Issuance as JWTs | Available via: • Verifiable Credential Lib • Issuer API |
W3C Credential Issuance as SD-JWTs | Available via: • Verifiable Credential Lib • Issuer API |
W3C Credential Issuance as JSON-LD | Not yet supported |
Verification | |
W3C Credential Verification (JWTs) | Available via: • Verifiable Credential Lib • Verifier API. Please note, the issuer API only supports did:key at this point. |
W3C Credential Verification (SD-JWTs) | Available via: • Verifiable Credential Lib • Verifier API |
W3C Credential Verification (JSON-LD) | Not yet supported |
Other Credential Features | |
Credential Templates | In The Community Stack, we no longer have the notion of a credential template. The issuance will simply happen by providing the full W3C data schema, which will then be signed. A list of credential schemas can be found here. |
Credential Revocation | Not yet supported |
Policies | Similar. A list of all policies can be found here. |
Open-Policy Agent Policies | Not yet supported. However, the new webhook policies also give you great flexibility until we reintroduce Open-Policy Agent policies. |
Issuance & Verification via OpenID4VC | Available via: • OpenID4VC Lib • Issuer API • Verifier API |
We believe in a multi-ecosystem future.
This is why we built an abstraction layer for ecosystem-specific operations and business logic. The idea is to support any ecosystem with a single solution that does not put any additional burden on developers. As a result, you can use our solutions to participate in different ecosystems without having to switch between different technical implementations.
We currently support:
EBSI/ESSIF (EU's new decentralized identity ecosystem)
Gaia-X (EU's new cloud infrastructure)
Velocity Network
cheqd Network
IOTA
Note that we are continuously adding new ecosystems.
Learn about Self-Sovereign Identity (SSI).
Welcome to our Introduction to Self-Sovereign Identity (SSI) for developers and technical readers.
Before you get started, feel free to explore other (less technical) resources that will help you and your team to get a more holistic understanding of SSI and digital identity in general:
Learn what the SSI Kit is.
The SSI Kit offers everything you need to use Self-Sovereign Identity (SSI) with ease.
The following sections elaborate the SSI Kit's unique properties, enabled functionality and components.
The SSI Kit exposes high-level interfaces / APIs to hide the complexity introduced by
low-level services (e.g. key management, signing, data storage)
different ecosystems (i.e. different SSI flavors, business logic and governance frameworks).
issuing Verifiable Credentials by the Signatory,
holding (storing, presenting) Verifiable Credentials by the Custodian
and verifying Verifiable Credentials by the Auditor.
The interfaces can be used in JVM-based applications directly, or via the REST API.
Use cases you can build with the SSI Kit.
You can use Self-Sovereign Identity (SSI) - and by extension the SSI Kit - to solve any identity-related problem.
You can use the SSI Kit to enable your users, customers, employees or partners to access information, services or products. By this, you can replace today's cumbersome sign-up and login processes (usernames, passwords) with more seamless experiences.
In other words, you can use SSI to authenticate stakeholders you already know.
You can use the SSI Kit to identify people, organizations or even things to provide them with information, services or products.
Identity proofing is particularly important in AML (anti-money laundering) regulated industries, but is seeing growing adoption by non-regulated industries and platforms to prevent fraud, spam and other malicious behaviour.
Simply put, you can use SSI to identify stakeholders you do not yet know.
You can use the SSI Kit to verify any identity-related information beyond a person’s or company’s core identity (see Identity Proofing / Verification), which can be important when evaluating risks or performing compliance assessments.
For example, you can use SSI for
employment background checks (education, work, criminal history)
financial due diligence (bank account information, liquidity events, credit ratings)
any other type of data verification required for transactions from insurance or health data to social proofs like ratings or recommendations.
SSI can be used to digitize any type of identity-related information in order to replace paper-based identity documents or cards with digital ones that are easier to manage, share and verify as well as harder to forge.
For example, think about official public sector documents such as identity certificates or about licenses or certificates that convey allowance to perform regulated activities.
You can find more examples in our White Papers:
The functionality of the high-level interfaces correlate with the . The functions are grouped around:
The Swagger documentation can be found under section .
(co-authored by the Boston Consulting Group)
You can launch identity wallets or extend your existing applications with the SSI capabilities. Check out our if you are interested to learn more.
If you have any questions, feel free to .