Blog
From the Thoryn team
Deep dives on enterprise IAM, eIDAS 2.0, and EU-first identity infrastructure.
16 May 2026 · Mark Bakker
Running the EUDIW reference wallet against our verifier
The EU Digital Identity Wallet rolls out through 2026. Here is how to prepare your relying party now — without waiting for the ecosystem to catch up.
12 May 2026 · Mark Bakker
Six ways to break a wallet broker — a red-teaming walkthrough
Most IAM vendors ship "it's secure." We ship an attack simulator. Here are the six attacks the Thoryn wallet broker defends against, and how.
6 May 2026 · Mark Bakker
Stateless by design — an OAuth2 server that holds zero user state
Most authorization servers store sessions, tokens, and credentials. Ours stores none of them. Here is what moved where, and what we gave up for it.
2 May 2026 · Mark Bakker
Selective disclosure isn't a feature. It's a protocol.
Most identity systems enforce privacy by policy. SD-JWT enforces it by mathematics — the verifier can't over-disclose because the data isn't there.
28 Apr 2026 · Mark Bakker
Programmable trust isn't a slogan. It's an architecture.
Every trust decision in your product — who, what, who vouches — as a piece of code you can read, review, and version. Here is what that actually means in ours.
25 Apr 2026 · Mark Bakker
Why we picked MDX-in-repo for our blog
Headless CMS or MDX files in git? We chose MDX. Here is the reasoning, the trade-offs, and what a post actually looks like end-to-end.