Thoryn

We make trust programmable.

Every trust decision in your product — who someone is, what they're allowed to do, who vouches for them — expressed as code and anchored on EU-only infrastructure. NIS2 and DORA-ready out of the box.

Request accessBook a demo
  • NIS2
  • DORA
  • GDPR
  • eIDAS 2.0
99.9%
Uptime SLA
<100ms
Auth response
EU-only
Data residency
<5 days
To first customer

Platform

Every primitive you need to program trust

Identity, credentials, enforcement, policy — exposed as APIs, shipped as code, running on EU-only infrastructure.

Enterprise SSO

SAML 2.0 and OIDC federation with every IdP your customers run — Okta, Azure AD, Google Workspace, and long-tail SAML providers.

SCIM 2.0 provisioning

Lifecycle provisioning from your customers' directory into your product — no more manual user CSVs.

KYC verification

Identity proofing for regulated onboarding, anchored in EU-native document and biometric checks.

Audit logs

Tamper-evident, exportable audit logs for every authentication, provisioning event, and admin action.

Legacy protocol gateway

LDAP, Kerberos, and legacy SAML endpoints translated to modern OIDC — without touching your app code.

Admin portal

A governance surface your ops team can use: tenants, connections, policies, and delegated admin.

Modern SDKs

TypeScript, Go, Python, Java, and Kotlin — with clear docs, typed APIs, and webhooks.

eIDAS 2.0 support

Accept EU Digital Identity Wallet presentations as a first-class identity source.

Products

Ten primitives. One programmable trust fabric.

Each piece of your product's trust model — built, exposed, and governed as an API.

Authorization, programmable

OAuth2 authorization, without running a user database.

A stateless OAuth2 / OIDC authorization server that brokers user authentication across multiple external IdPs, signs tokens via Vault Transit, and protects refresh tokens with family tracking.

  • Stateless — no central session store
  • Vault Transit signing for every JWT
  • Refresh-token families with replay detection
  • PAR + PKCE + OIDC federation out of the box
Explore Hub

Identity, programmable

The OID4VP gateway for your verifiable credentials.

Accept SD-JWT and mdoc credentials from holder wallets. Verify issuers, enforce selective disclosure, and get verified claims back via webhook — all on EU-only infrastructure.

  • OpenID4VP + SD-JWT VC + mdoc
  • 10-step trust-chain validation per presentation
  • Selective disclosure enforced at the protocol layer
  • Webhook callback with HMAC-signed verified claims
Explore Broker

Issuance, programmable

Become an issuer without building an issuer.

Become an issuer without building an issuer. OID4VCI-compliant minting for SD-JWT VC credentials, with templates, status-list revocation, and multi-tenant isolation.

  • OID4VCI pre-authorized + auth-code flows
  • Operator-defined credential templates (VCTs)
  • Status-list revocation
  • Multi-tenant isolation, deferred issuance
Explore Credential Issuer

Credentials, programmable

A wallet for users who don't want to manage keys.

A server-side wallet for users who don't want to manage keys. Receives credentials via OID4VCI, encrypts at rest, two-step consent before presenting.

  • Browser-side holder wallet (no app required)
  • AES-256-GCM encryption at rest
  • OID4VCI receive + OpenID4VP present
  • Audit log per credential and presentation
Explore Cloud Wallet

Wallets, programmable

Embed a wallet in your app — don't build one from scratch.

Embed a wallet in your app — don't build one from scratch. iOS + Android via Kotlin Multiplatform, hardware-backed keys, ARF-high-assurance eligible.

  • Hardware-backed keys (Secure Enclave / StrongBox)
  • Biometric gate on every presentation
  • Kotlin Multiplatform shared core
  • Swift Package Manager + Maven Central distribution
Explore Native Wallet SDK

Trust anchors, programmable

The trust anchor for every credential your system accepts.

The trust anchor for every credential your system accepts. Live-queried on every presentation; revoke an issuer once and every verifier rejects in seconds.

  • EU Trusted Lists (ETSI TS 119 612) ingestion
  • OpenID Federation 1.0 for private federations
  • Redis-backed JWKS caching
  • Instant revocation propagation
Explore Trust Registry

Schemas, programmable

The schema side of the credential fabric.

The schema side of the credential fabric. SD-JWT VC type metadata — what a credential is, what claims it carries, how to display it.

  • Public HTTP resolver for SD-JWT VC type metadata
  • Long Cache-Control to keep verifiers off the hot path
  • Versioning + safe deprecation chain
  • Complementary to Trust Registry
Explore VCT Registry

EUDI, programmable

Become a relying party. Without the integration burden.

The EU Digital Identity Wallet relying-party surface. ARF 1.4+ conformant; tested against the NL + EU reference wallets; ready for EUDIW rollout.

  • ARF 1.4+ conformant verifier
  • mdoc + SD-JWT VC accepted
  • Wallet-attestation verification (roadmap)
  • Tested against NL + EU reference wallets
Explore products.eidas.name

Enforcement, programmable

Let the right credentials open the right doors.

Credential-gated physical access. Sites, zones, doors — operators configure the hierarchy; visitors present at QR readers; no PII stored on the device.

  • Site → Zone → Door hierarchy
  • No PII stored on the device — by design
  • Append-only access log
  • Delegates verification to Broker
Explore TrustGate

Rules, programmable

Access rules. In JSON. Evaluated in a millisecond.

Deterministic access rules as code. A pure Kotlin library evaluating JSON rule trees against credential claims — no HTTP, no database, no Spring.

  • Library, not a service — embed the JAR
  • Deterministic JSON-tree rules
  • Auditable decision traces per evaluation
  • No dynamic code execution surface
Explore Policy Engine

Developer experience

Integrate in minutes, not months

Install the SDK, redirect to Thoryn, receive a normalized profile. Four steps. Same flow for enterprise SSO, eIDAS 2.0, or social login.

  1. Install SDK
  2. Redirect to Thoryn
  3. Receive normalized profile
  4. Use REST, JSON, or webhooks
Node.js
import { ThorynClient } from "@thoryn/sdk";

const thoryn = new ThorynClient({
  clientId: process.env.THORYN_CLIENT_ID,
  clientSecret: process.env.THORYN_CLIENT_SECRET,
});

// 1. Redirect the user to Thoryn
app.get("/login", (req, res) => {
  res.redirect(thoryn.authorizeUrl({ redirectUri: "/callback" }));
});

// 2. Receive a normalized profile
app.get("/callback", async (req, res) => {
  const { profile } = await thoryn.handleCallback(req);
  req.session.user = profile;
  res.redirect("/app");
});

Compare

How Thoryn compares

Against a typical identity vendor — genericized, because the differentiators are the same everywhere.

FeatureThorynTypical vendor
EU-only infrastructure
Cloud Act exposureNoneDirect
NIS2 / DORA ready out of the box
KYC built in
Legacy protocol gateway
eIDAS 2.0 support
Per-connection pricing
Go-live speed5 daysWeeks
IncorporationNLUS

Onboarding

Live in 5 days

Not weeks of integration. Not a quarter of compliance review.

  1. Days 1–2 · Integrate

    Install the SDK, wire one redirect, swap tokens. Your dev team does this.

  2. Day 3 · Configure

    Connect your first enterprise tenant via SAML or OIDC. Our ops team does this with you.

  3. Days 4–5 · Go live

    Run through the final security review and flip production traffic. You send your first customer to the login page.

eIDAS 2.0

Programmable trust meets the EU wallet.

Thoryn ships the OpenID4VP flow, SD-JWT VC and mdoc support, and the trust framework plumbing — so you can start accepting EUDIW presentations in days, not quarters.

  • OpenID4VP verifier on EU-only infrastructure
  • ARF 1.4+ compliant; tested against reference wallets
  • Revocation, replay protection, structured audit
Learn more
EUDIW integration diagram

Compliance

Compliance isn't a feature. It's the foundation.

We built Thoryn for the customer who has to pass security review before they can sign the contract.

  • Zero CLOUD Act exposure — Dutch incorporation, EU-only infrastructure
  • NIS2 and DORA controls built in, with mapped evidence per control
  • Faster security reviews because we can answer the questionnaire for you
  • No SSO pricing tax — SSO ships with the product, not as a tier

What we stand on

Standards we conform to, infrastructure we run on, and the compliance posture we've built — open evidence, not testimonials we don't have.

Protocol alignment

  • OpenID Foundation OpenID4VP, OpenID4VCI, OpenID Connect Core, OpenID Federation 1.0
  • IETF OAuth 2.0, PKCE, PAR, DPoP, mTLS, Device Code, Token Exchange, JWT access token, SD-JWT VC
  • EU Commission ARF 1.4+ Architecture and Reference Framework for the EU Digital Identity Wallet
  • ISO ISO/IEC 18013-5 mdoc for EUDIW + mobile driving licence credentials

Built on open infrastructure

  • HashiCorp Vault Transit engine for signing keys; private keys never touch the JVM heap
  • Spring Authorization Server 7 OAuth 2.0 / OIDC server framework — battle-tested, audited, open
  • Hetzner Germany EU-only infrastructure; zero CLOUD Act exposure by design
  • Postgres + Redis Operational state in standard, self-hosted components — no SaaS lock-in

Compliance posture

  • GDPR Data residency, lawful basis, DPA template ready for execution
  • NIS2 Mapped controls, incident-response runbooks, supervisor-audit-ready evidence pack
  • DORA ICT register entries, third-party-provider documentation for financial-services customers
  • eIDAS 2.0 Relying-party surface shipped today; issuer surface on the 2026 roadmap

Ready to make trust programmable?

Talk to us about a pilot — we can have you live in 5 days.

Request accessBook a demo