Verifiable Data Exchange Platform
Organizations need to verify who they're dealing with: customers, employees, students, citizens, partners. But digital identity today is fragmented across incompatible systems, relies on self-asserted attributes without cryptographic proof, and struggles to meet the compliance requirements of eIDAS 2.0, GDPR, and sector-specific regulations.
VDX brings trust to your entire operation. It's an enterprise identity and trust platform that unifies verifiable credentials, digital signatures, wallet-based authentication, and secure data exchange into a single deployable product, with the management UIs, workflow engine, and operational tooling to run it in production.
These guides give a high-level overview of the platform's capabilities. To stand up a deployment, see Platform & Tenant Onboarding, which walks through the ordered sequence from platform-tenant bootstrap and license activation through tenant creation, owner activation, and provisioning of multiple issuer, verifier, and authorization-server instances per tenant. For specific technical questions, contact Sphereon.
Open Core, Three Layers
The foundations are open source (IDK, Apache 2.0), so there is no vendor lock-in on the identity primitives. Enterprise capabilities live in the EDK: zero-trust authorization, microservice transport, cloud configuration, audit, telemetry. The full VDX platform wraps everything with management portals, workflow orchestration, credential design, device management, and white-label branding.
What VDX Delivers
Verifiable Credentials, Full Lifecycle
Design credential schemas visually. Issue credentials to wallets via OID4VCI. Present with selective disclosure via OID4VP. Verify against trusted issuer lists with cryptographic proof. All credential formats are supported: SD-JWT VC, mDL/mdoc (ISO 18013-5/7), and W3C Verifiable Credentials.
The Credential Designer lets non-technical users define what claims to include, which support selective disclosure, and what display metadata wallets should show. The Issuer Management console handles keys, policies, and lifecycle tracking. The Verifier Management console configures what credentials your organization accepts, from which issuers, and with what requirements.
Wallet Authentication & Identity
When a user presents credentials from their digital wallet, VDX handles the complete flow: verification, privacy-preserving identity matching, optional identity verification, and integration with your existing OIDC infrastructure. Returning users are recognized instantly. New users go through configurable verification pipelines: OIDC federation, document scanning, biometric liveness, email OTP, or any combination.
Enterprise applications keep using standard OIDC tokens. They don't need to know how the user authenticated.
Zero-Trust Security
Every command is authorized before execution. Every action is recorded in an immutable audit trail. Every decision is traceable across services.
| Capability | What it means |
|---|---|
| Policy engines | Cedar, OPA, or any AuthZEN-compliant PDP. Swap engines without code changes. |
| Dual-principal auth | Authorize both the end user AND the calling service on every request. |
| Step-up authentication | Challenge users to re-authenticate at higher assurance when operations require it. |
| Audit logging | Automatic sensitive data redaction. JSON, CEF, OCSF export. Tamper-evident hash chains. |
| Distributed tracing | OpenTelemetry with W3C Trace Context. One trace ID across all microservices. |
Digital Signatures & eIDAS
Qualified Electronic Signatures (QES) via QTSP integration. Advanced Electronic Signatures (AES) and Electronic Seals for organizations. Adobe-compatible PDF signatures with long-term validation, timestamping, and HSM support via PKCS#11, Azure Key Vault, and AWS KMS.
Operational Platform
VDX is a complete operational platform with management interfaces and tooling on top of its APIs.
| Component | What it provides |
|---|---|
| Portals | White-labeled collections of forms and workflows for customers, partners, employees, and citizens, integrating credential issuance, verification, authentication, approvals, vault storage, and signing |
| Workflow Engine | Multi-step identity processes with forms, approvals, and saga-based rollback |
| Forms Editor | Visual form builder for data collection, credential requests, and approval workflows |
| Admin Console | Platform administration, tenant management, policy configuration, audit review |
| Issuer Management | Credential schema design, batch/individual issuance, revocation, analytics |
| Verifier Management | Verification requirements, trusted issuer lists, compliance reporting |
| Device Management | Register and manage kiosks, terminals, and card readers with verification policies |
| Authorization Server | STS with RFC 8693 token exchange, identity broker, claims mapping |
| Branding | Per-tenant Material Design 3 theming from a single seed color, or full token customization |
Deploy Your Way
Kubernetes
Helm charts per service. Environment overlays. Horizontal scaling. Health and readiness probes.
Docker Compose
Single-command local setup. Microservices or monolith. PostgreSQL + Keycloak included.
Cloud Native
AWS ECS/EKS, Azure AKS. Prebuilt service images on Eclipse Temurin 21.
On-Premise
Fat JAR or GraalVM native. Air-gapped support. Full data residency control.
Same codebase for microservices and monolith: the difference is configuration, not code. Every layer is tenant-aware: configuration, policies, branding, keys, and data are fully isolated per organization.
Multi-Tenancy Built In
Every layer of VDX is tenant-aware: configuration, policies, branding, keys, and data. Organizations get full isolation while sharing infrastructure.
The scope hierarchy cascades: Application (global defaults) → Tenant (organization overrides) → Principal (user preferences). Property protection ensures that security-critical settings at higher scopes cannot be overridden by lower scopes.
Configuration is pulled automatically from environment variables, Azure App Configuration, AWS Secrets Manager, HashiCorp Vault, database-backed settings, and property files, depending on what is available. Secrets are never stored in plaintext; they are referenced via ${secret:vault:path} and resolved at runtime.
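A worked illustration of the scope cascade, property protection and runtime secret-reference resolution described above. This is an added example written for this page, not Sphereon's code or API; the Layer structure, the store name `vault`, the property keys, the sample values and the fail-closed PermissionError on a rejected override are all assumptions.

```python
import re
from dataclasses import dataclass, field

SCOPES = ("application", "tenant", "principal")  # lowest precedence first
# The page's ${secret:vault:path} reference form; store name and path are captured.
SECRET_REF = re.compile(r"^\$\{secret:(?P<store>[a-z]+):(?P<path>[^}]+)\}$")

@dataclass
class Layer:  # hypothetical shape of one scope's settings
    values: dict
    protected: set = field(default_factory=set)  # keys lower scopes may not override

def expand_secret(value, secrets):
    """Resolve ${secret:store:path} at read time; config layers never hold the plaintext."""
    match = SECRET_REF.match(str(value))
    if not match:
        return value
    store, path = match.group("store"), match.group("path")
    if path not in secrets.get(store, {}):
        raise KeyError(f"unresolved secret reference {value}")
    return secrets[store][path]

def resolve(layers, key, secrets):
    """Application -> Tenant -> Principal: the last scope defining `key` wins unless a
    higher scope protected it, in which case this example fails closed (PermissionError)."""
    value, protected_by = None, None
    for scope in SCOPES:
        layer = layers.get(scope)
        if layer is None or key not in layer.values:
            continue
        if protected_by is not None:
            raise PermissionError(f"{key} is protected at {protected_by}; {scope} may not override it")
        value = layer.values[key]
        if key in layer.protected:
            protected_by = scope
    if value is None:
        raise KeyError(key)
    return expand_secret(value, secrets)

# Constructed sample data: an in-memory stand-in for a vault and three scope layers.
SECRETS = {"vault": {"kv/vdx/signing-key": "hsm-slot-7"}}
LAYERS = {
    "application": Layer({"audit.redaction": "on", "ui.theme.seed": "#0055aa",
                          "signing.key": "${secret:vault:kv/vdx/signing-key}"},
                         protected={"audit.redaction"}),
    "tenant": Layer({"ui.theme.seed": "#aa0000", "audit.redaction": "off"}),  # 2nd is rejected
    "principal": Layer({"ui.locale": "nl-NL"}),
}
```

The tenant's theme override is accepted, its attempt to switch off audit redaction is refused, and the signing-key reference is only turned into a value at the moment it is read.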
Regulatory Alignment
| Regulation | What it means |
|---|---|
| eIDAS 2.0 | EU Digital Identity Wallet framework. Qualified trust services. EUDIW and EBW compatible. |
| GDPR | Selective disclosure for data minimization. Crypto-shredding for instant erasure. Consent-as-grants with purpose and revocation. |
| NIS2 | Security-by-design. Incident response logging. Supply chain security through verified credentials. |
| SOC 2 | Immutable audit logs, access controls, encryption at rest, tamper-evident audit store. |
Why Sphereon
Open Core: IDK is Apache 2.0 open source. No vendor lock-in on the foundations.
Standards First: Built on W3C, OpenID, ETSI, ISO, and IETF standards. Interoperable by design.
Zero-Trust Native: Security is built into the architecture.
Enterprise Ready: Multi-tenancy, HSM support, SIEM integration, HA deployment, SLA-backed support.
Future Proof: Kotlin Multiplatform, with JVM today, native tomorrow, and WebAssembly next.
Get Started
VDX is available as a managed service or for on-premise deployment.
- Website: sphereon.com
- Email: info@sphereon.com
- Open Source: github.com/Sphereon-OpenSource
- IDK Documentation: Open-source identity building blocks
- EDK Documentation: Enterprise development extensions