Thoryn

We make trust programmable.

Every trust decision in your product — who someone is, what they're allowed to do, who vouches for them — expressed as code and anchored on EU-only infrastructure. NIS2 and DORA-ready out of the box.

Request accessTalk to us
  • NIS2
  • DORA
  • GDPR
  • eIDAS 2.0
Uptime SLA
99.9%

Uptime SLA

Auth response
<100ms

Auth response

Data residency
EU-only

Data residency

To first customer
<5 days

To first customer

Platform

Every primitive you need to program trust

Identity, credentials, enforcement, policy — exposed as APIs, shipped as code, running on EU-only infrastructure.

Enterprise SSO

SAML 2.0 and OIDC federation with every IdP your customers run — Okta, Azure AD, Google Workspace, and long-tail SAML providers.

SCIM 2.0 provisioning

Lifecycle provisioning from your customers' directory into your product — no more manual user CSVs.

KYC verification

Identity proofing for regulated onboarding, anchored in EU-native document and biometric checks.

Audit logs

Tamper-evident, exportable audit logs for every authentication, provisioning event, and admin action.

Legacy protocol gateway

LDAP, Kerberos, and legacy SAML endpoints translated to modern OIDC — without touching your app code.

Admin portal

A governance surface your ops team can use: tenants, connections, policies, and delegated admin.

Modern SDKs

TypeScript, Go, Python, Java, and Kotlin — with clear docs, typed APIs, and webhooks.

eIDAS 2.0 support

Accept EU Digital Identity Wallet presentations as a first-class identity source.

Products

Seven primitives. One programmable trust fabric.

Each piece of your product's trust model — built, exposed, and governed as an API.

Identity, programmable

The OID4VP gateway for your verifiable credentials.

Accept SD-JWT and mDoc credentials from holder wallets. Verify issuers, enforce selective disclosure, and get verified claims back via webhook — all on EU-only infrastructure.

  • products.broker.features.f1.title
  • products.broker.features.f2.title
  • products.broker.features.f3.title
  • products.broker.features.f4.title
Explore Broker

Authorization, programmable

OAuth2 authorization, without running a user database.

A stateless authorization server that brokers user authentication across multiple external IdPs, signs tokens via Vault Transit, and protects refresh tokens with family tracking.

  • products.hub.features.f1.title
  • products.hub.features.f2.title
  • products.hub.features.f3.title
  • products.hub.features.f4.title
Explore Hub

Trust anchors, programmable

The trust anchor for every credential your system accepts.

A registry of trusted VC issuers and the credential types they are authorised to issue. Called in real time from the broker on every verification — revoke an issuer and every verifier stops accepting their credentials within seconds.

  • products.trustRegistry.features.f1.title
  • products.trustRegistry.features.f2.title
  • products.trustRegistry.features.f3.title
  • products.trustRegistry.features.f4.title
Explore Trust Registry

Credentials, programmable

A wallet for users who don't want to manage keys.

A server-side credential store for authenticated users. Receives credentials via OID4VCI, stores them encrypted at rest, and handles two-step consent flow for presentation — with holder binding and audit logs.

  • products.cloudWallet.features.f1.title
  • products.cloudWallet.features.f2.title
  • products.cloudWallet.features.f3.title
  • products.cloudWallet.features.f4.title
Explore Cloud Wallet

Enforcement, programmable

Let the right credentials open the right doors.

A physical access gateway that validates Verifiable Credentials at doors. Sites, zones, doors — operators configure the hierarchy; visitors present credentials via QR; TrustGate allows or denies entry and writes an audit log. No credential storage on device.

  • products.trustGate.features.f1.title
  • products.trustGate.features.f2.title
  • products.trustGate.features.f3.title
  • products.trustGate.features.f4.title
Explore TrustGate

Rules, programmable

Access rules. In JSON. Evaluated in a millisecond.

A pure Kotlin library for evaluating JSON rule trees against credential claims. No HTTP layer, no database, no Spring dependency — any JVM app embeds it and calls it directly.

  • products.policyEngine.features.f1.title
  • products.policyEngine.features.f2.title
  • products.policyEngine.features.f3.title
  • products.policyEngine.features.f4.title
Explore Policy Engine

Developer experience

Integrate in minutes, not months

Install the SDK, redirect to Thoryn, receive a normalized profile. Four steps. Same flow for enterprise SSO, eIDAS 2.0, or social login.

  1. Install SDK
  2. Redirect to Thoryn
  3. Receive normalized profile
  4. Use REST, JSON, or webhooks
Node.js
import { ThorynClient } from "@thoryn/sdk";

const thoryn = new ThorynClient({
  clientId: process.env.THORYN_CLIENT_ID,
  clientSecret: process.env.THORYN_CLIENT_SECRET,
});

// 1. Redirect the user to Thoryn
app.get("/login", (req, res) => {
  res.redirect(thoryn.authorizeUrl({ redirectUri: "/callback" }));
});

// 2. Receive a normalized profile
app.get("/callback", async (req, res) => {
  const { profile } = await thoryn.handleCallback(req);
  req.session.user = profile;
  res.redirect("/app");
});

Compare

How Thoryn compares

Against a typical identity vendor — genericized, because the differentiators are the same everywhere.

FeatureThorynTypical vendor
EU-only infrastructure
Cloud Act exposureNoneDirect
NIS2 / DORA ready out of the box
KYC built in
Legacy protocol gateway
eIDAS 2.0 support
Per-connection pricing
Go-live speed5 daysWeeks
IncorporationNLUS

Onboarding

Live in 5 days

Not weeks of integration. Not a quarter of compliance review.

  1. Days 1–2 · Integrate

    Install the SDK, wire one redirect, swap tokens. Your dev team does this.

  2. Day 3 · Configure

    Connect your first enterprise tenant via SAML or OIDC. Our ops team does this with you.

  3. Days 4–5 · Go live

    Run through the final security review and flip production traffic. You send your first customer to the login page.

eIDAS 2.0

Programmable trust meets the EU wallet.

Thoryn ships the OpenID4VP flow, SD-JWT VC and mdoc support, and the trust framework plumbing — so you can start accepting EUDIW presentations in days, not quarters.

  • OpenID4VP verifier on EU-only infrastructure
  • ARF 1.4+ compliant; tested against reference wallets
  • Revocation, replay protection, structured audit
Learn more
EUDIW integration diagram

Compliance

Compliance isn't a feature. It's the foundation.

We built Thoryn for the customer who has to pass security review before they can sign the contract.

  • Zero CLOUD Act exposure — Dutch incorporation, EU-only infrastructure
  • NIS2 and DORA controls built in, with mapped evidence per control
  • Faster security reviews because we can answer the questionnaire for you
  • No SSO pricing tax — SSO ships with the product, not as a tier

Recognised in the market

Placeholder quotes — real press and customer quotes shipped in SSO-618.

Thoryn let us onboard our first regulated customer in a week — instead of the quarter we had blocked on our roadmap.

Placeholder Name

CTO · Customer / NL

Finally an IAM vendor that answers the CLOUD Act question with a straight 'we don't have that exposure.'

Placeholder Name

Head of Security · Customer / EU

They shipped the eIDAS 2.0 verifier we had mentally budgeted two engineering quarters for.

Placeholder Name

Principal Engineer · Customer / NL

Ready to make trust programmable?

Talk to us about a pilot — we can have you live in 5 days.

Request accessTalk to us