For developers
W3C VC 2.0, OID4VP, OID4VCI, Status List 2021, EUDI ARF. Five minutes from clone to signed credential.
Quickstart
Five shell steps against the public sandbox. No card, no signup form, no waiting list.
Pull the native binary. Linux and macOS supported; Windows preview lands with the next CLI minor.
# 1. Install the thoryn CLI (Homebrew on macOS, curl on Linux).
brew install thoryn-io/tap/thoryn
# Verify the install.
thoryn --versionOpens a browser, runs OAuth 2.0 + PKCE against sandbox.thoryn.org, stores a refresh token under your XDG config dir.
# 2. Authenticate against the sandbox tenant.
# Opens a browser to https://sandbox.thoryn.org/oauth2/authorize and
# stores a refresh token under ~/.config/thoryn/credentials.
thoryn login --hub https://sandbox.thoryn.orgEach relying party gets its own OAuth client with explicit redirect URIs and scopes.
# 3. Register an OAuth client for your local relying party.
thoryn clients create \
--name "My quickstart app" \
--redirect-uri http://127.0.0.1:8888/login/oauth2/code/sandbox \
--grant-types authorization_code,refresh_token \
--scopes openid,profileThe sandbox issuer-bridge signs a W3C VC 2.0 with the tenant's Vault Transit key and returns the compact JWS.
# 4. Mint a test credential against the sandbox issuer-bridge.
curl -X POST https://sandbox.thoryn.org/broker/issue \
-H "Authorization: Bearer $(thoryn token --scope broker:issue)" \
-H "Content-Type: application/json" \
-d '{
"credentialType": "TestSustainabilityCertification",
"subject": { "id": "did:example:holder", "name": "Acme Co." },
"validFrom": "2026-01-01T00:00:00Z",
"validUntil": "2027-01-01T00:00:00Z"
}'Pipe the JWS into /broker/verify/walletless. The verdict + audit row id come back in under 200ms.
# 5. Verify the credential round-trips end to end.
# Pipe the compact JWS from step 4 into the verify endpoint.
curl -X POST https://sandbox.thoryn.org/broker/verify/walletless \
-H "Content-Type: application/json" \
-d '{ "credentialJws": "<paste the JWS from step 4>" }'
# Expected response:
# { "verdict": "VALID", "policyVersion": "walletless-v1", ... }SDKs
Each SDK wraps the same broker API. Pick the one your stack uses; every example on this page is a thin shell over those calls.
Java 21+
Spring-Boot-friendly. Bring your own WebClient or RestClient.
<dependency>
<groupId>io.thoryn</groupId>
<artifactId>thoryn-sdk</artifactId>
<version>0.1.0</version>
</dependency>Kotlin 2.1+
Coroutine-first. Suspend functions everywhere; no reactive bridge.
implementation("io.thoryn:thoryn-sdk-kotlin:0.1.0")Node 20+
TypeScript types ship in the package. ESM + CJS dual build.
npm install @thoryn/sdkPython 3.11+
Async-first. asyncio + httpx; ETA aligned with the public sandbox launch.
pip install thoryn-sdkRepo coming soon
Rust 1.78+
Static binaries for verifier-only deployments at the edge.
cargo add thorynRepo coming soon
API overview
Verify, issue, revoke, replay. Every call below targets sandbox.thoryn.org so you can paste and run.
POST/broker/verify/walletless
Verify a compact-JWS credential against the trust registry, JWKS, and Status List 2021. Returns verdict + audit row id.
curl -X POST https://sandbox.thoryn.org/broker/verify/walletless \
-H "Content-Type: application/json" \
-d '{
"credentialJws": "eyJhbGciOiJFUzI1NiIsImtpZCI6Im1wcy0yMDI2In0..."
}'
# Returns { verdict, policyVersion, credentialClaims, auditRowId }POST/broker/issue
Mint a W3C VC 2.0 credential signed with the tenant's Vault Transit key. Status List entry returned alongside the JWS.
curl -X POST https://sandbox.thoryn.org/broker/issue \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"credentialType": "FSISustainabilityCertification",
"subject": { "id": "did:example:holder" },
"validFrom": "2026-05-12T00:00:00Z",
"validUntil": "2027-05-12T00:00:00Z"
}'
# Returns { credentialJws, auditRowId, statusListEntry }POST/broker/revoke
Flip the credential's bit in the broker-hosted Status List. DAG descendants are marked revoked-via-parent automatically.
curl -X POST https://sandbox.thoryn.org/broker/revoke \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"credentialId": "urn:thoryn:cred:01HZ0...",
"reason": "key_compromise"
}'
# Flips the Status List 2021 bit and propagates to DAG descendants.GET/broker/audit-replay
Replay a past verification using the historical JWKS as it stood at that moment. Anchors the seven-year audit chain.
curl https://sandbox.thoryn.org/broker/audit-replay \
-H "Authorization: Bearer $ACCESS_TOKEN" \
--get \
--data-urlencode "auditRowId=01HZ0X..." \
--data-urlencode "asOf=2026-05-01T00:00:00Z"
# Replays the verification as it would have run on asOf —
# uses historical JWKS + Status List bit at that moment.Full OpenAPI reference and per-endpoint guides live on docs.thoryn.org.
Public sandbox
The sandbox runs the production broker against a separate tenant. Issue, verify, revoke, replay — all signed by the same Vault Transit pipeline.
Standards
Each row reflects what is live in code today. Roadmap items are flagged so you can plan against them.
| Specification | Status | Version |
|---|---|---|
| W3C Verifiable Credentials | Production | 2.0 |
| OID4VP | Staging | draft-23 |
| OID4VCI | Staging | draft-15 |
| W3C Status List 2021 | Live | 1.0 |
| C2PA | Roadmap | 1.3 |
| EUDI ARF | Aligned | 1.4 |
Status reflects the broker, not every SDK. SDK conformance is tracked per release.
Architecture
Broker, issuer-bridges, holder portal, audit chain, trust registry — laid out on one diagram.