README.md

April 14, 2026 · View on GitHub

Sphereon

Identity Development Kit (IDK)

A Kotlin Multiplatform SDK for Digital Identity

License Kotlin Platforms Version

Features  •  Quick Start  •  Modules  •  Services  •  Docs  •  Contributing


Overview

IDK is an open-core Kotlin Multiplatform SDK for digital identity. It covers credential issuance and verification, identity proofing, trust establishment, and secure data exchange. One codebase compiles to Android, iOS, JVM, JavaScript (browser and Node.js), WebAssembly, and Linux native.

You can use IDK on its own to build wallets, verifiers, issuers, and identity services. It also serves as the foundation under Sphereon's commercial Enterprise Development Kit (EDK).

Full documentation: docs.sphereon.com/idk.


Features

Each item links to its guide on the documentation site.

Decentralized Identifiers (DIDs)

  • Create, resolve, and manage W3C DIDs
  • Pluggable DID method support
  • Built-in: did:key, did:jwk, did:web

Mobile Documents (mDoc / mDL)

Cryptographic Services

Trust Management

OpenID for Verifiable Presentations (OID4VP)

OpenID for Verifiable Credential Issuance (OID4VCI)

  • Issuer and holder implementations
  • Authorization code, pre-authorized code, deferred issuance
  • Notification endpoint

SD-JWT

OAuth 2.0 / OpenID Connect

Identity Proofing and Reconciliation

Developer Experience


Supported Platforms

PlatformStatusNotes
JVMSupportedJava 21+
AndroidSupportedAPI 27+ (Android 8.1+); BLE, NFC HCE, Android Keystore
iOSSupportedarm64, x64, simulator-arm64; CoreBluetooth, CoreNFC, Secure Enclave
JavaScriptSupportedBrowser and Node.js, ES modules, TypeScript definitions generated
WebAssemblySupportedwasmJs (browser and Node.js), BigInt, TypeScript definitions
LinuxSupportedx64, server and CLI tooling

See Platform Setup for per-platform requirements.


Quick Start

Full installation and getting-started instructions: docs.sphereon.com/idk/guides/getting-started.

Prerequisites

  • JDK 21 or higher
  • Gradle 9.x (wrapper included)
  • Android SDK, compileSdk 35 (for Android targets)
  • Xcode 15+ (for iOS targets, macOS only)

Installation

Add the Sphereon Maven repository and dependencies to your build.gradle.kts:

repositories {
    mavenCentral()
    maven("https://nexus.sphereon.com/repository/sphereon-opensource-releases/")
    maven("https://nexus.sphereon.com/repository/sphereon-opensource-snapshots/")
}

dependencies {
    // Core API
    implementation("com.sphereon.idk:lib-core-api-public:0.25.0-SNAPSHOT")

    // Cryptography
    implementation("com.sphereon.idk:lib-crypto-core-public:0.25.0-SNAPSHOT")
    implementation("com.sphereon.idk:lib-crypto-core-impl:0.25.0-SNAPSHOT")

    // DIDs
    implementation("com.sphereon.idk:lib-did-resolver-impl:0.25.0-SNAPSHOT")
    implementation("com.sphereon.idk:lib-did-methods-key:0.25.0-SNAPSHOT")

    // mDoc
    implementation("com.sphereon.idk:lib-mdoc-core-public:0.25.0-SNAPSHOT")
    implementation("com.sphereon.idk:lib-mdoc-core-impl:0.25.0-SNAPSHOT")

    // OID4VCI / OID4VP / SD-JWT: add as needed
}

See the installation guide for per-platform setup and the modules reference for the full module catalogue.

npm packages

JavaScript and WebAssembly artefacts are published to npmjs under the @sphereon/idk-* scope. For example:

npm install @sphereon/idk-lib-core-api-public

Snapshots use the snapshot dist-tag (@sphereon/idk-foo@snapshot); released versions are on latest.

Building from Source

git clone https://github.com/Sphereon-Opensource/Identity-Development-Kit.git
cd Identity-Development-Kit
./gradlew build                     # full multiplatform build
./gradlew build -Dkmp.targets=jvm   # JVM only (~5 min)
./gradlew allTests                  # run all tests

On Windows, run ./gradlew --stop before rebuilding if you hit file-locking errors.


Library Modules

Modules follow the lib-<domain>-<feature>-{public,impl} convention. public modules contain interfaces and data models; impl modules contain implementations.

Full module reference: docs.sphereon.com/idk/guides/modules.

Core
ModuleDescription
lib-core-api-publicCore interfaces, IdkResult, command pattern, error types, tracing
lib-core-api-defaultDefault implementations of core APIs
lib-core-events-public / -implEvent system for pub/sub
lib-core-loggers-mobile-loggerMobile-friendly logger sink
lib-conf-settingsMultiplatform configuration management
lib-conf-yamlYAML config source
Cryptography
ModuleDescription
lib-crypto-core-public / -implCore crypto operations, JWS, JWE, JWT
lib-crypto-kms-provider-softwareSoftware-based key storage (ephemeral)
lib-crypto-kms-provider-awsAWS KMS integration
lib-crypto-kms-provider-azureAzure Key Vault / HSM integration
lib-crypto-kms-provider-mobileiOS Keychain / Android Keystore
lib-crypto-kms-provider-restRemote KMS via REST API
lib-crypto-kms-rest-serverKMS REST server implementation
Decentralized Identifiers (DID)
ModuleDescription
lib-did-core-publicDID data models and interfaces
lib-did-resolver-public / -implUniversal DID resolver
lib-did-manager-public / -implDID lifecycle management
lib-did-methods-keydid:key method support
lib-did-methods-jwkdid:jwk method support
lib-did-methods-webdid:web method support
lib-did-persistence-memoryIn-memory DID storage
lib-did-persistence-sqliteSQLite DID storage
Mobile Documents (mDoc / mDL)
ModuleDescription
lib-mdoc-core-public / -implISO/IEC 18013-5 mDoc parsing and creation
lib-mdoc-datatransferDevice engagement and session handling
lib-mdoc-transport-bleBluetooth Low Energy transport
lib-mdoc-transport-nfcNFC transport (Android)
lib-mdoc-transport-oid4vpOID4VP transport integration
lib-mdoc-readermDoc reader/verifier functionality
OpenID4VP / OpenID4VCI / OAuth2
ModuleDescription
lib-openid-oid4vp-common-publicShared OID4VP types
lib-openid-oid4vp-holder-public / -implWallet/holder OID4VP support
lib-openid-oid4vp-verifier-public / -implVerifier OID4VP support
lib-openid-oid4vp-dcqlDCQL query language
lib-openid-oid4vci-common-publicShared OID4VCI types
lib-openid-oid4vci-holder-public / -implHolder OID4VCI flow
lib-openid-oid4vci-issuer-public / -implIssuer OID4VCI flow
lib-oauth2-client-public / -implOAuth2 client implementation
lib-oauth2-server-authorization-public / -implOAuth2 authorization server
lib-oauth2-server-resource-public / -implOAuth2 resource server
lib-oauth2-jwt-validation-api / -implJWT validation utilities
SD-JWT
ModuleDescription
lib-sdjwt-public / -implSelective Disclosure JWT
Identity Proofing
ModuleDescription
lib-identity-resolution-public / -implIdentity resolution and lookup
lib-identity-matching-public / -implProbabilistic identity matching
lib-identity-reconciliation-public / -implPolicy-driven reconciliation
lib-identity-idv-public / -implIdentity verification orchestration
Data Link / Transport
ModuleDescription
lib-data-link-bleBLE communication layer
lib-data-link-nfcNFC communication layer
lib-data-link-http-client-public / -implHTTP client abstraction
Storage
ModuleDescription
lib-data-store-kv-public / -implKey-value storage abstraction
lib-data-store-kv-impl-memoryIn-memory KV store
lib-data-store-kv-impl-kottagePersistent KV store (Kottage)
lib-data-store-blob-public / -impl-fsBlob storage (filesystem)
lib-data-store-party-public / -implParty / tenant data models
Trust
ModuleDescription
lib-trust-etsiETSI trust list support
lib-trust-etsi-entities-publicETSI entities models
lib-trust-x509X.509 certificate trust
lib-trust-didDID-based trust
lib-trust-oidfedOpenID Federation
Credential Design
ModuleDescription
lib-credential-claims-mapper-public / -implClaim mapping for credential payloads
lib-data-store-credential-design-public / -implCredential design registry
Server / Integration
ModuleDescription
ktor-server-kotlin-injectKtor + Metro DI integration
CBOR
ModuleDescription
lib-cbor-public / -implCBOR encoding/decoding

Services

IDK ships reference services that wrap the core libraries with HTTP adapters. Each has its own page on the documentation site.

ServiceModuleDocumentation
KMS RESTservices/kmsdocs.sphereon.com/idk/services/kms
Ktor baseservices/ktordocs.sphereon.com/idk/services/ktor
OAuth 2.0 Authorization Serverservices/oauth2-as/restdocs.sphereon.com/idk/services/oauth2-as
OID4VCI Issuerservices/oid4vci-issuer/restdocs.sphereon.com/idk/services/oid4vci-issuer
OID4VP Verifierservices/oid4vp-verifier/restdocs.sphereon.com/idk/services/oid4vp-verifier

The OID4VCI Holder REST service has moved to the Enterprise Development Kit. Holder library modules (lib-openid-oid4vci-holder-*) remain in IDK.

Services overview: docs.sphereon.com/idk/services/overview.


Architecture

IDK separates APIs from implementations:

lib/<domain>/
  ├── public/     # Interfaces, data models, contracts
  └── impl/       # Implementations (swappable)

Architecture deep-dive: docs.sphereon.com/idk/architecture.

Error Handling

IDK uses IdkResult<V, E> for explicit error handling instead of exceptions:

import com.sphereon.core.api.Ok
import com.sphereon.core.api.Err
import com.sphereon.core.api.error.IdkError

fun createDid(): IdkResult<String, IdkError> {
    return Ok("did:key:z6Mk...")
    // or: Err(IdkError.ILLEGAL_ARGUMENT_ERROR(message = "Invalid key type"))
}

when (val result = createDid()) {
    is Ok  -> println("Created: ${result.value}")
    is Err -> println("Failed: ${result.error.message}")
}

Dependency Injection

IDK uses Metro for compile-time DI across all platforms. Metro is a Kotlin compiler plugin and works on every Kotlin Multiplatform target the IDK ships to. See the DI app-setup guide and the scopes guide.

Scopes: AppScope > UserScope > SessionScope.


Documentation

Full documentation: docs.sphereon.com/idk.

SectionLink
Introductiondocs.sphereon.com/idk/introduction
Getting Starteddocs.sphereon.com/idk/guides/getting-started
Installationdocs.sphereon.com/idk/guides/installation
Platform Setupdocs.sphereon.com/idk/guides/platform-setup
Architecturedocs.sphereon.com/idk/architecture
Module Referencedocs.sphereon.com/idk/guides/modules
Servicesdocs.sphereon.com/idk/services/overview
FAQdocs.sphereon.com/idk/guides/faq

Generating local API docs (Dokka)

./gradlew dokkaGenerate

Output: build/dokka/html/index.html. The hosted Dokka build is also linked from the documentation site.

Build commands

CommandDescription
./gradlew buildBuild all modules (multiplatform)
./gradlew build -Dkmp.targets=jvmJVM only (~5 min)
./gradlew allTestsRun all tests on configured targets
./gradlew jvmTestRun JVM tests only
./gradlew testDebugUnitTestRun Android unit tests
./gradlew iosSimulatorArm64TestRun iOS simulator tests
./gradlew dokkaGenerateGenerate API documentation
BUILD_XCFRAMEWORKS=true ./gradlew buildBuild with iOS XCFrameworks

Enterprise Development Kit (EDK)

Sphereon's proprietary product that extends the IDK with the layers required for production enterprise deployments. The IDK provides the identity primitives (cryptography, DIDs, verifiable credentials, SD-JWT, OID4VP, KMS, command/DI framework); the EDK adds:

  • Zero-trust authorization via the OpenID AuthZEN specification, with Cedarling (Cedar), OPA, and any AuthZEN-compliant PDP supported. Authorization is transparent: a PolicyCommandExtension intercepts every command before execution.
  • Identity verification and reconciliation: composable IDV workflows chaining OIDC, document scanning, biometric, and OTP verification; privacy-preserving identity matching with HMAC-hashed linking; policy-driven reconciliation; an auth bridge from wallet presentations to OAuth2/OIDC.
  • Microservice transport: dual transport that makes command execution location-transparent. The same command can run in-process or be forwarded to a remote service via HTTP RPC or gRPC, controlled by configuration.
  • Cloud configuration and secrets: cloud config providers (Azure App Configuration, REST), secret vaults (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault), ${secret:vault:path} interpolation, offline cache.
  • Audit and compliance: structured audit logging with sensitive-data redaction, multiple output formats (JSON, CEF, OCSF), tamper evidence via hash chaining and signed checkpoints.

Verifiable Data Exchange (VDX)

The full platform on top of EDK and IDK. An enterprise identity and trust platform that unifies verifiable credentials, digital signatures, wallet-based authentication, and secure data exchange into a single deployable product, with management UIs, workflow orchestration, and operational tooling. Includes the Credential Designer, Issuer/Verifier Management consoles, wallet authentication flow, and white-label branding. Full platform documentation is in progress (Q2 2026).


Contributing

See CONTRIBUTING.md for the upstream-first PR flow and review process.

Open PRs against develop on this repo. Maintainers review here, apply the change in the internal repo with a Co-authored-by: trailer, and the mirror brings the result back. Your work appears on develop with the original attribution.

For security issues, follow the disclosure process in SECURITY.md. Do not open public PRs or issues for vulnerabilities.


License

Licensed under the Apache License, Version 2.0. See LICENSE for details.


Built by Sphereon. Creating Trust In A Digital World.

Website  •  Documentation  •  GitHub