# Sphereon Documentation

> Sphereon Documentation: IDK, EDK, VDX, Kiwa eLicense, and eduID Wallet Matching Portal.

- [Introduction](/idk/introduction.md): Introduction to the Identity Development Kit
- [Architecture](/idk/architecture.md): Command-based architecture, service aggregation, and contracts

## IDK

- [Sdk installation](/kiwa/v0.6/guides/installation.md): eLicense Sdk installation instructions
- [Module Reference](/idk/guides/modules.md): Complete list of all IDK modules organized by domain
- [Platform Setup](/idk/guides/platform-setup.md): Platform-specific configuration for Android, iOS, JVM, and JavaScript

### Dependency Injection

- [Injection Scopes](/idk/v0.10/guides/di/scopes.md): This document explains the three dependency injection (DI) scopes used across the Identity Development Kit (IDK) core libraries and the solutions that build on top of the SDK:
- [App component setup](/idk/v0.10/guides/di/app-setup.md): Please read the scopes documentation first to grasp the 3 scopes being used in the IDK.
- [Extending the DI Graph](/idk/guides/di/extending-di.md): How to extend the IDK dependency injection graph with custom services using Metro

### Core

- [Events System](/idk/v0.13/guides/core/events.md): Core event broadcasting, filtering, and subscription in the IDK
- [CBOR](/idk/guides/cbor.md): CBOR encoding, decoding, and builder DSL

#### Configuration

- [Configuration](/idk/v0.13/guides/config/configuration.md): Using the ConfigService to read and write configuration in your application
- [Configuration Providers](/idk/v0.13/guides/config/providers.md): Available configuration providers and how to enable, disable, and configure them
- [Property Resolution Pipeline](/idk/v0.13/guides/config/property-resolution.md): Understanding the IDK property resolution pipeline and value interpolation
- [Secret Management](/edk/guides/config/secrets.md): Configuring AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault providers in the EDK
- [Multi-Tenancy](/idk/v0.13/guides/config/multi-tenancy.md): Implementing multi-tenant applications with the IDK

#### Logging

- [Logging](/idk/guides/core/logging/overview.md): Structured, scope-aware logging in the IDK
- [Scoped Loggers](/idk/guides/core/logging/scoped-loggers.md): Using app, user context, and session loggers with proper scope isolation
- [Logging Configuration](/idk/guides/core/logging/configuration.md): Configuring log levels, policies, output formats, and providers

### Identity

- [Identity](/idk/guides/identity/overview.md): Overview of the IDK identity framework covering verification, matching, resolution, reconciliation, and how they integrate with DIDs, trust, and identifier resolution

#### Decentralized Identifiers

- [DID REST Services](/edk/v0.13/guides/did/overview.md): DID management REST APIs in the EDK
- [DID Resolution](/idk/v0.13/guides/did/resolution.md): Resolving and querying DIDs
- [DID Management](/idk/v0.13/guides/did/management.md): Creating and managing DIDs
- [Identifier Resolution](/idk/v0.13/guides/crypto/identifier-resolution.md): Resolve cryptographic identifiers to keys and certificates

#### Trust Establishment

- [Trust Framework Overview](/idk/v0.13/guides/trust/overview.md): Understanding trust validation in the IDK
- [ETSI Trust Lists](/idk/v0.13/guides/trust/etsi-trust-lists.md): Working with ETSI TS 119 612 trust service lists
- [Certificate Validation](/idk/v0.13/guides/trust/certificate-validation.md): X.509 certificate chain validation in the IDK
- [OpenID Federation Trust](/idk/guides/trust/openid-federation.md): Trust chain resolution and verification for OpenID Federation entities
- [DID-Based Trust](/idk/guides/trust/did-trust.md): Trust validation for Decentralized Identifiers

### Digital Credentials

#### Mobile Credentials (mDoc)

- [Mobile Credentials Overview](/idk/v0.13/guides/mdoc/overview.md): Introduction to ISO/IEC 18013-5 mobile credentials

##### Engagement

- [intro](/idk/v0.10/guides/mdoc/engagement/intro.md): Currently, the Mdoc SDK supports the following device engagement methods:
- [Engagement Manager](/idk/v0.13/guides/mdoc/engagement/engagement-manager.md): Using MdocEngagementManager to create and manage mDoc sessions
- [Engagement and Retrieval](/idk/v0.10/guides/mdoc/engagement/engagement-retrieval.md): Overview
- [Event and UI handling](/idk/v0.10/guides/mdoc/engagement/events-ui.md): Event handling and UI projection

##### Data Transfer

- [Transfer Manager](/idk/v0.13/guides/mdoc/transfer/transfer-manager.md): Managing mDoc data transfer with TransferManager
- [Device Request and Response](/idk/v0.13/guides/mdoc/transfer/request-response.md): Understanding mDoc DeviceRequest and DeviceResponse structures
- [Session Transcript](/idk/v0.13/guides/mdoc/transfer/session-transcript.md): Understanding cryptographic session binding in mDoc

##### Transports

- [BLE Transport](/idk/v0.13/guides/mdoc/transports/ble.md): Bluetooth Low Energy transport for mDoc transfer
- [NFC Transport](/idk/v0.13/guides/mdoc/transports/nfc.md): Near Field Communication transport for mDoc transfer
- [HTTP/WebSocket Transport](/idk/v0.13/guides/mdoc/transports/http-websocket.md): HTTP and WebSocket transport for remote mDoc transfer

#### SD-JWT

- [SD-JWT Overview](/idk/v0.13/guides/sdjwt/overview.md): Understanding Selective Disclosure JWT in the IDK
- [SD-JWT Issuance](/idk/v0.13/guides/sdjwt/issuance.md): Creating SD-JWT credentials with the IDK
- [SD-JWT Presentation](/idk/v0.13/guides/sdjwt/presentation.md): Presenting and verifying SD-JWT credentials with the IDK

#### Design

- [Design Overview](/edk/guides/credential-design/overview.md): How a developer uses the EDK credential design service, what changes versus the IDK base, and what each EDK module is for
- [Working with Designs](/idk/guides/credential-design/designs.md): Creating and managing credential, issuer, and verifier designs in the IDK
- [Resolution and Import](/idk/guides/credential-design/resolution.md): Resolving credential designs from multiple sources and importing external metadata

### HTTP Client & Server

- [HTTP Client](/idk/guides/http/http-client.md): Creating HTTP clients with TLS, mTLS, and per-host certificate routing
- [Ktor Server Integration](/idk/v0.13/guides/http/ktor.md): Integrate IDK services with Ktor server applications

### Cryptography

- [Key Management](/idk/v0.13/guides/crypto/key-management.md): Managing cryptographic keys with the KeyManagerService
- [KMS Providers](/idk/v0.13/guides/crypto/kms-providers.md): Configuring key management system providers
- [Signing and Verification](/idk/v0.13/guides/crypto/signing-verification.md): Creating and verifying cryptographic signatures
- [JOSE and COSE Operations](/idk/v0.13/guides/crypto/cose-jose.md): Working with JOSE and COSE cryptographic message formats

### OAuth 2.0 / OpenID

#### OAuth 2.0

- [OAuth 2.0 Client](/idk/v0.13/guides/oauth2/client.md): Using the IDK OAuth 2.0 client for authorization flows
- [Authorization Server](/idk/v0.13/guides/oauth2/authorization-server.md): Building OAuth 2.0 authorization servers with the IDK
- [DPoP and PKCE](/idk/v0.13/guides/oauth2/dpop-pkce.md): Using DPoP and PKCE for enhanced OAuth 2.0 security
- [JWT Validation](/idk/v0.13/guides/oauth2/jwt-validation.md): Validating JWT access tokens in IDK applications

#### OpenID4VP

- [OID4VP Overview](/edk/v0.13/guides/oid4vp/overview.md): OpenID for Verifiable Presentations - verifying credentials from digital wallets
- [OID4VP Holder](/idk/v0.13/guides/oid4vp/holder.md): Implementing wallet holder functionality for OID4VP presentations
- [OID4VP Verifier](/idk/v0.13/guides/oid4vp/verifier.md): Implementing relying party verification for OID4VP
- [Universal OID4VP](/idk/v0.13/guides/oid4vp/universal.md): Backend-focused OID4VP API for web applications and services
- [DCQL Queries](/idk/v0.13/guides/oid4vp/dcql.md): Using Digital Credentials Query Language for credential requests

#### OpenID4VCI

- [OpenID4VCI Overview](/edk/guides/oid4vci/overview.md): How the EDK extends the IDK OpenID4VCI issuer with a multi-phase attribute pipeline, pluggable attribute sources, deferred and approved issuance, async-callback ingress, and tenant-aware paths
- [OID4VCI Holder](/idk/guides/oid4vci/holder.md): Implementing wallet holder functionality for OID4VCI credential issuance
- [OID4VCI Issuer](/idk/guides/oid4vci/issuer.md): Implementing a credential issuer with OID4VCI in the IDK

### Data Storage

- [Key-Value Store](/idk/v0.13/guides/data-store/key-value-store.md): Using the IDK key-value store for persistent data
- [Blob Store](/idk/guides/data-store/blob-store.md): Storing and retrieving binary data with the IDK blob storage abstraction
- [Party Data Models](/idk/v0.13/guides/data-store/party-management.md): Data models for parties, identities, and tenants in the IDK
- [Theming & Branding](/idk/guides/theming.md): Configuring visual themes, design system palettes, and branded UI components across platforms

## Services

- [Services](/idk/services/services-overview.md): Pre-built IDK services for common deployment scenarios
- [KMS REST API](/idk/services/services-kms.md): The KMS REST API service exposes the KeyManagerService over HTTP, turning every key management operation into a REST call. This is the service to use when mobile or browser clients need to delegate key operations to a server, for example when signing with a hardware-backed key that lives in AWS KMS or Azure Key Vault, or when a backend service needs a centralized key management layer.
- [OAuth2 Authorization Server](/idk/services/services-oauth2-as.md): The OAuth2 AS service provides a standards-compliant authorization server that you can embed in your Ktor application. It handles the protocol mechanics of OAuth2 and OpenID Connect while delegating authentication and consent to your application through the UserAuthenticationProvider and ConsentProvider interfaces. You provide the UI and the user database; the service takes care of the rest.
- [OID4VCI Issuer Service](/idk/services/services-oid4vci-issuer.md): The OID4VCI Issuer service implements the OpenID for Verifiable Credential Issuance specification. It handles the server-side protocol for issuing verifiable credentials to holder wallets. The service supports SD-JWT, mDoc (ISO 18013-5), and JWT VC JSON credential formats, multiple grant types (authorization code and pre-authorized code), deferred issuance for asynchronous workflows, and batch issuance for requesting multiple credentials in one round trip. In practice it exposes both holder-facing OID4VCI endpoints and a separate issuer-integration surface used by issuer backend apps and web apps to create and manage issuance flows.
- [OID4VCI Holder Service](/idk/services/services-oid4vci-holder.md): The OID4VCI Holder service provides wallet-side endpoints for acquiring credentials. It acts as a backend-for-frontend service: a mobile wallet or web wallet calls these endpoints to orchestrate the entire issuance flow without implementing the OID4VCI protocol directly. The service handles offer parsing, issuer metadata resolution, token exchange, proof creation, credential requests, and deferred polling.
- [OID4VP Verifier Service](/idk/services/services-oid4vp-verifier.md): The OID4VP Verifier service implements the verifier (relying party) side of OpenID for Verifiable Presentations. It handles both same-device and cross-device verification flows, supports DCQL queries and presentation definitions for specifying which credentials to request, and exposes two API surfaces for different callers: wallet-facing OID4VP endpoints and a verifier-facing Universal OID4VP adapter.
- [Ktor Integration](/idk/services/services-ktor.md): The KotlinInjectPlugin bridges IDK's Metro DI system with Ktor's request pipeline. It is not an application-level service in its own right, but the foundation that all other IDK HTTP services run on. Every IDK HTTP service depends on this plugin being installed.
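The OID4VCI Holder service entry above lists offer parsing as the first step a wallet-side service performs before metadata resolution, token exchange and the credential request. The block below is an added example, not code from Sphereon's IDK or EDK, that shows that step in plain Python for both forms of an OpenID4VCI credential offer: by value (`credential_offer=`) and by reference (`credential_offer_uri=`). It applies the checks a holder should make before talking to the issuer: exactly one offer form, HTTPS-only issuer and offer URIs, no query or fragment on the issuer identifier (it is later matched against the issuer's own metadata), a non-empty list of credential configuration ids, and a well-formed pre-authorized grant with an optional transaction code. Field names follow the OpenID4VCI specification; the issuer URL, the configuration id, the pre-authorized code and the `openid-credential-offer://` link are constructed for this example. Later steps (metadata resolution, token exchange, proof creation) are not covered.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"


class OfferError(ValueError):
    """Raised when an offer is malformed or fails a safety check."""


@dataclass
class TxCode:
    input_mode: str = "numeric"   # OpenID4VCI allows "numeric" or "text"
    length: Optional[int] = None


@dataclass
class CredentialOffer:
    credential_issuer: str
    credential_configuration_ids: list[str]
    pre_authorized_code: Optional[str] = None
    tx_code: Optional[TxCode] = None


def _require_https(url: str, what: str) -> None:
    p = urlparse(url)
    if p.scheme != "https" or not p.netloc:
        raise OfferError(f"{what} must be an https URL, got {url!r}")


def parse_offer_link(link: str) -> tuple[Optional[dict], Optional[str]]:
    """Split an offer deep link into (offer object, offer URI); exactly one is set."""
    qs = parse_qs(urlparse(link).query, keep_blank_values=True)
    by_value, by_ref = "credential_offer" in qs, "credential_offer_uri" in qs
    if by_value == by_ref:
        raise OfferError("exactly one of credential_offer / credential_offer_uri is required")
    if by_ref:
        # Not fetched here: the caller resolves it over HTTPS and hands the body to parse_offer().
        uri = qs["credential_offer_uri"][0]
        _require_https(uri, "credential_offer_uri")
        return None, uri
    try:
        obj = json.loads(qs["credential_offer"][0])
    except json.JSONDecodeError as e:
        raise OfferError(f"credential_offer is not valid JSON: {e}") from e
    if not isinstance(obj, dict):
        raise OfferError("credential_offer must be a JSON object")
    return obj, None


def parse_offer(obj: dict) -> CredentialOffer:
    """Validate a credential offer object and pull out what the holder needs next."""
    issuer = obj.get("credential_issuer")
    if not isinstance(issuer, str):
        raise OfferError("credential_issuer is required")
    _require_https(issuer, "credential_issuer")
    if urlparse(issuer).query or urlparse(issuer).fragment:
        # The identifier is later matched against the issuer's own metadata, so reject these early.
        raise OfferError("credential_issuer must not carry a query or fragment")
    ids = obj.get("credential_configuration_ids")
    if not isinstance(ids, list) or not ids or not all(isinstance(i, str) for i in ids):
        raise OfferError("credential_configuration_ids must be a non-empty list of strings")
    offer = CredentialOffer(issuer, ids)
    grants = obj.get("grants") or {}
    grant = grants.get(PRE_AUTH_GRANT) if isinstance(grants, dict) else None
    if isinstance(grant, dict):
        code = grant.get("pre-authorized_code")
        if not isinstance(code, str) or not code:
            raise OfferError("pre-authorized_code is required in the pre-authorized grant")
        offer.pre_authorized_code = code
        tc = grant.get("tx_code")
        if isinstance(tc, dict):
            mode, length = tc.get("input_mode", "numeric"), tc.get("length")
            if mode not in ("numeric", "text"):
                raise OfferError(f"unsupported tx_code input_mode {mode!r}")
            if length is not None and (not isinstance(length, int) or length <= 0):
                raise OfferError("tx_code.length must be a positive integer")
            offer.tx_code = TxCode(mode, length)
    return offer


def tx_code_matches(offer: CredentialOffer, user_input: str) -> bool:
    """Shape check of a user-entered transaction code; the issuer verifies the value itself."""
    tc = offer.tx_code
    if tc is None:
        return user_input == ""
    if tc.length is not None and len(user_input) != tc.length:
        return False
    return user_input.isdigit() if tc.input_mode == "numeric" else user_input != ""


# Constructed sample: the issuer URL, configuration id and code are made up for this example.
SAMPLE_OFFER = {
    "credential_issuer": "https://issuer.example.org",
    "credential_configuration_ids": ["UniversityDegree_sd_jwt"],
    "grants": {PRE_AUTH_GRANT: {"pre-authorized_code": "adhjhdjajkdkhjhdj",
                                "tx_code": {"input_mode": "numeric", "length": 4}}},
}
SAMPLE_LINK = "openid-credential-offer://?" + urlencode({"credential_offer": json.dumps(SAMPLE_OFFER)})
```

`parse_offer_link(SAMPLE_LINK)` returns the decoded offer object, and `parse_offer` on it yields the issuer, the configuration id list, the pre-authorized code and a four-digit numeric transaction code constraint; a by-reference link returns only the URI, which the caller must fetch over HTTPS before validating the body the same way. The transaction code check is deliberately a format check only, since the issuer is the party that verifies the value at the token endpoint.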
## Examples

- [Examples](/idk/examples/examples-overview.md): Example applications built with the IDK
- [IDK FAQ](/idk/v0.10/guides/faq.md): General Questions
- [Kotlin API Reference](pathname:///idk/v0.25.0/api/index.html)

## Guides

- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation
- [Sdk installation](/kiwa/v0.6/guides/installation.md): eLicense Sdk installation instructions

### Dependency Injection

- [Injection Scopes](/idk/v0.10/guides/di/scopes.md): This document explains the three dependency injection (DI) scopes used across the Identity Development Kit (IDK) core libraries and the solutions that build on top of the SDK:
- [App component setup](/idk/v0.10/guides/di/app-setup.md): Please read the scopes documentation first to grasp the 3 scopes being used in the IDK.
- [Amazon App Platform, Kotlin module structure, and Dependency Injection](/idk/v0.10/guides/di/amazon-app-platform.md): We use Amazon App Platform for Kotlin Gradle module structures and DI with kotlin-inject and kotlin-inject-anvil.

### Configuration

- [Configuration](/idk/v0.13/guides/config/configuration.md): Using the ConfigService to read and write configuration in your application
- [Configuration Providers](/idk/v0.13/guides/config/providers.md): Available configuration providers and how to enable, disable, and configure them
- [Property Resolution Pipeline](/idk/v0.13/guides/config/property-resolution.md): Understanding the IDK property resolution pipeline and value interpolation
- [Secret Management](/edk/guides/config/secrets.md): Configuring AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault providers in the EDK
- [Multi-Tenancy](/idk/v0.13/guides/config/multi-tenancy.md): Implementing multi-tenant applications with the IDK

### Core

- [Events System](/idk/v0.13/guides/core/events.md): Core event broadcasting, filtering, and subscription in the IDK

### Decentralized Identifiers

- [DID REST Services](/edk/v0.13/guides/did/overview.md): DID management REST APIs in the EDK
- [DID Resolution](/idk/v0.13/guides/did/resolution.md): Resolving and querying DIDs
- [DID Management](/idk/v0.13/guides/did/management.md): Creating and managing DIDs

### HTTP Server

- [Ktor Server Integration](/idk/v0.13/guides/http/ktor.md): Integrate IDK services with Ktor server applications

### Cryptography

- [Key Management](/idk/v0.13/guides/crypto/key-management.md): Managing cryptographic keys with the KeyManagerService
- [KMS Providers](/idk/v0.13/guides/crypto/kms-providers.md): Configuring key management system providers
- [Identifier Resolution](/idk/v0.13/guides/crypto/identifier-resolution.md): Resolve cryptographic identifiers to keys and certificates
- [Signing and Verification](/idk/v0.13/guides/crypto/signing-verification.md): Creating and verifying cryptographic signatures
- [JOSE and COSE Operations](/idk/v0.13/guides/crypto/cose-jose.md): Working with JOSE and COSE cryptographic message formats

### Mobile Credentials (mDoc)

- [Mobile Credentials Overview](/idk/v0.13/guides/mdoc/overview.md): Introduction to ISO/IEC 18013-5 mobile credentials

#### Engagement

- [intro](/idk/v0.10/guides/mdoc/engagement/intro.md): Currently, the Mdoc SDK supports the following device engagement methods:
- [Engagement Manager](/idk/v0.13/guides/mdoc/engagement/engagement-manager.md): Using MdocEngagementManager to create and manage mDoc sessions
- [Engagement and Retrieval](/idk/v0.10/guides/mdoc/engagement/engagement-retrieval.md): Overview
- [Event and UI handling](/idk/v0.10/guides/mdoc/engagement/events-ui.md): Event handling and UI projection

#### Data Transfer

- [Transfer Manager](/idk/v0.13/guides/mdoc/transfer/transfer-manager.md): Managing mDoc data transfer with TransferManager
- [Device Request and Response](/idk/v0.13/guides/mdoc/transfer/request-response.md): Understanding mDoc DeviceRequest and DeviceResponse structures
- [Session Transcript](/idk/v0.13/guides/mdoc/transfer/session-transcript.md): Understanding cryptographic session binding in mDoc

#### Transports

- [BLE Transport](/idk/v0.13/guides/mdoc/transports/ble.md): Bluetooth Low Energy transport for mDoc transfer
- [NFC Transport](/idk/v0.13/guides/mdoc/transports/nfc.md): Near Field Communication transport for mDoc transfer
- [HTTP/WebSocket Transport](/idk/v0.13/guides/mdoc/transports/http-websocket.md): HTTP and WebSocket transport for remote mDoc transfer

### OAuth 2.0

- [OAuth 2.0 Client](/idk/v0.13/guides/oauth2/client.md): Using the IDK OAuth 2.0 client for authorization flows
- [Authorization Server](/idk/v0.13/guides/oauth2/authorization-server.md): Building OAuth 2.0 authorization servers with the IDK
- [DPoP and PKCE](/idk/v0.13/guides/oauth2/dpop-pkce.md): Using DPoP and PKCE for enhanced OAuth 2.0 security
- [JWT Validation](/idk/v0.13/guides/oauth2/jwt-validation.md): Validating JWT access tokens in IDK applications

### OpenID4VP

- [OID4VP Overview](/edk/v0.13/guides/oid4vp/overview.md): OpenID for Verifiable Presentations - verifying credentials from digital wallets
- [OID4VP Holder](/idk/v0.13/guides/oid4vp/holder.md): Implementing wallet holder functionality for OID4VP presentations
- [OID4VP Verifier](/idk/v0.13/guides/oid4vp/verifier.md): Implementing relying party verification for OID4VP
- [Universal OID4VP](/idk/v0.13/guides/oid4vp/universal.md): Backend-focused OID4VP API for web applications and services
- [DCQL Queries](/idk/v0.13/guides/oid4vp/dcql.md): Using Digital Credentials Query Language for credential requests

### SD-JWT

- [SD-JWT Overview](/idk/v0.13/guides/sdjwt/overview.md): Understanding Selective Disclosure JWT in the IDK
- [SD-JWT Issuance](/idk/v0.13/guides/sdjwt/issuance.md): Creating SD-JWT credentials with the IDK
- [SD-JWT Presentation](/idk/v0.13/guides/sdjwt/presentation.md): Presenting and verifying SD-JWT credentials with the IDK

### Trust Validation

- [Trust Framework Overview](/idk/v0.13/guides/trust/overview.md): Understanding trust validation in the IDK
- [ETSI Trust Lists](/idk/v0.13/guides/trust/etsi-trust-lists.md): Working with ETSI TS 119 612 trust service lists
- [Certificate Validation](/idk/v0.13/guides/trust/certificate-validation.md): X.509 certificate chain validation in the IDK

### Data Storage

- [Key-Value Store](/idk/v0.13/guides/data-store/key-value-store.md): Using the IDK key-value store for persistent data
- [Party Data Models](/idk/v0.13/guides/data-store/party-management.md): Data models for parties, identities, and tenants in the IDK
- [IDK FAQ](/idk/v0.10/guides/faq.md): General Questions
- [Kotlin API Reference](pathname:///idk/v0.13/api/index.html)

## Guides

- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation

### Core

#### Configuration

- [Configuration System Overview](/edk/v0.13/guides/config/overview.md): EDK configuration system architecture, auto-registration, and module overview
- [Cloud Configuration Providers](/edk/v0.13/guides/config/cloud-providers.md): Using REST and Azure App Configuration cloud providers in the EDK
- [Secret Management](/edk/guides/config/secrets.md): Configuring AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault providers in the EDK
- [Offline Configuration Cache](/edk/v0.13/guides/config/offline-cache.md): Using offline caching for network-resilient configuration in the EDK

#### Audit

- [Audit Logging](/edk/guides/audit/overview.md): Structured audit trails with sensitive data redaction, multiple output formats, and tamper evidence

#### Events & Shared Signals

- [Events System](/edk/v0.13/guides/events/overview.md): EDK event types, subsystems, and transmitter interfaces
- [Shared Signals (SSF)](/edk/guides/events/ssf.md): OpenID Shared Signals and Events for cross-domain security event exchange
- [Command Contracts](/edk/guides/contracts/overview.md): Why EDK attaches rich, app-scoped metadata to every service command, regulation, risk, inputs, outputs, and config in one place

### HTTP & Transport

- [HTTP & Transport](/edk/guides/http/overview.md): External REST APIs and internal command transport, monolith or microservice, same code
- [Universal HTTP Adapter](/edk/v0.13/guides/http/universal-adapter.md): Framework-agnostic HTTP adapter for building portable REST APIs
- [Command Transport](/edk/guides/http/command-transport.md): Dual HTTP RPC and gRPC transport for local and remote command execution
- [Telemetry & Observability](/edk/guides/http/telemetry.md): Distributed tracing, metrics collection, and log correlation with OpenTelemetry

### Authentication & Identity

- [Authentication & Identity](/edk/guides/authentication/overview.md): JWT validation, identity verification, wallet authentication, and identity lifecycle management
- [JWT Validation](/edk/v0.13/guides/authentication/jwt-validation.md): Multi-IdP JWT validation for Ktor and Spring Boot
- [Identity Verification (IDV)](/edk/guides/authentication/idv.md): Composable graph-based identity verification workflows with pluggable method drivers
- [Identity Matching & Reconciliation](/edk/guides/authentication/matching-reconciliation.md): Privacy-preserving identity linking with HMAC hashing, LoA tracking, and policy-driven reconciliation
- [Identity Resolution](/edk/guides/authentication/identity-resolution.md): Pluggable resolver chain for mapping external identifiers to internal identity IDs
- [Auth Bridge](/edk/guides/authentication/auth-bridge.md): Bridge OAuth2/OIDC authorization servers with wallet-based OID4VP credential presentation

### Authorization

- [Authorization Overview](/edk/v0.13/guides/authorization/overview.md): Policy-based authorization with AuthZEN, Cedar, and OPA
- [Cedarling Integration](/edk/v0.13/guides/authorization/cedarling.md): Integrate Cedar policy engine via Cedarling sidecar
- [OPA Integration](/edk/guides/authorization/opa.md): Open Policy Agent integration for policy evaluation
- [Command Authorization Extension](/edk/v0.13/guides/authorization/command-extension.md): Automatic authorization for command execution

### Identity

#### Decentralized Identifiers

- [Decentralized Identifiers](/edk/guides/identity/decentralized-identifiers/overview.md): How the EDK exposes DID lifecycle and DID resolution over REST, and how to choose between the standardized DIF Universal Registrar and the rich Sphereon DID manager API.
- [Universal Registrar (DIF)](/edk/guides/identity/decentralized-identifiers/universal-registrar.md): The EDK's DIF Universal Registrar REST API for creating, updating, and deactivating DIDs.
- [Rich DID manager REST API](/edk/guides/identity/decentralized-identifiers/rich-rest-api.md): The EDK's full-featured DID manager REST API, with sub-resource CRUD, listing, filtering, projections, key-mapping inspection, and document cache control under /api/dids/v1.

### OAuth 2.0 / OpenID

#### OpenID4VCI

- [OpenID4VCI Overview](/edk/guides/oid4vci/overview.md): How the EDK extends the IDK OpenID4VCI issuer with a multi-phase attribute pipeline, pluggable attribute sources, deferred and approved issuance, async-callback ingress, and tenant-aware paths
- [Attribute Pipeline](/edk/guides/oid4vci/attribute-pipeline.md): When and how to feed attribute values into an EDK issuance flow, why you should provide them as late as possible, and how the protocol moments map to integration patterns
- [Hooking Up Your System](/edk/guides/oid4vci/attribute-sources.md): How to feed attributes into the EDK issuer from your own back-end, REST API, custom source, or async callback
- [REST API](/edk/guides/oid4vci/rest-api.md): HTTP endpoints for driving an issuance pipeline session from outside the OID4VCI protocol path
- [Persistence](/edk/guides/oid4vci/persistence.md): The issuance pipeline session store, the three encryption modes for sensitive payloads, and what gets persisted where

#### OpenID4VP

- [OID4VP Overview](/edk/v0.13/guides/oid4vp/overview.md): OpenID for Verifiable Presentations - verifying credentials from digital wallets
- [OID4VP Integration Guide](/edk/v0.13/guides/oid4vp/integration.md): Step-by-step guide to integrating the Universal OID4VP API
- [DCQL Store](/edk/guides/oid4vp/dcql-store.md): Versioned persistence for DCQL query configurations with PostgreSQL and MySQL backends, plus the DCQL admin and version-history REST API
- [DCQL REST API](/edk/guides/oid4vp/dcql-rest-api.md): HTTP endpoints for managing DCQL query configurations and walking their version history
- [DCQL Authoring](/edk/guides/oid4vp/dcql-authoring.md): Build DCQL queries from semantic attribute selections instead of writing the JSON by hand
- [Verifier DCQL Bindings](/edk/guides/oid4vp/verifier-bindings.md): Per-verifier pinning of shared DCQL queries to specific versions, with scheduled future activations
- [Interactive API Docs](/edk/api/universal-oid4vp)

### Digital Credentials

- [Digital Credentials](/edk/guides/digital-credentials/overview.md): How the EDK turns the IDK credential design SDK into a deployable multi-tenant service with SQL persistence, version snapshots, an HTTP API, an offline cache, and OCA bundle support

#### Design

- [Design Overview](/edk/guides/credential-design/overview.md): How a developer uses the EDK credential design service, what changes versus the IDK base, and what each EDK module is for
- [REST API](/edk/guides/credential-design/rest-api.md): HTTP endpoints for managing credential designs, issuer and verifier designs, render variants, imports, resolution, snapshots, and assets
- [Versioning](/edk/guides/credential-design/versioning.md): Explicit snapshot operations for credential designs, and how to use them for audit, change review, and rollback
- [Persistence & Offline Cache](/edk/guides/credential-design/persistence.md): PostgreSQL and MySQL backends for the credential design store, and the offline failover cache wrapper for wallets and verifier UIs

#### OCA Bundles

- [OCA Bundles](/edk/guides/oca/overview.md): OCA bundle support in the EDK, parsing, processing, SAID verification, and integration with the credential design system
- [Bundle Service](/edk/guides/oca/bundle-service.md): Parsing, processing, and the OcaBundleService interface
- [SAID Verification](/edk/guides/oca/said-verification.md): Three levels of integrity verification for OCA bundles and overlays
- [Credential Design Integration](/edk/guides/oca/credential-design-integration.md): How OCA bundles feed the credential design system through the mapper, the layer provider, and native persistence

### eIDAS Signatures

- [eIDAS Signature Framework](/edk/v0.13/guides/eidas/overview.md): EU-compliant digital signatures with CAdES, PAdES, JAdES, and XAdES support
- [eIDAS Signature Client](/edk/v0.13/guides/eidas/client.md): Programmatic document signing with the eIDAS client API
- [eIDAS REST Server](/edk/v0.13/guides/eidas/server.md): Deploy eIDAS signature capabilities as REST APIs

### Physical Access Control

- [Pronto Integration](/edk/guides/access-control/pronto.md): Physical access control integration with Simac Pronto V2 for visitor management, time-bounded access, and NFC card provisioning

### Persistence

- [Party Persistence](/edk/v0.13/guides/persistence/party.md): Store parties, identities, contacts, and addresses in relational databases
- [Settings Persistence](/edk/v0.13/guides/persistence/settings.md): Hierarchical configuration storage with scope inheritance
- [KV Store Persistence](/edk/v0.13/guides/persistence/kv-store.md): Database-backed key-value storage with multi-scope isolation
- [Database Routing](/edk/v0.13/guides/database/routing.md): Multi-tenant database routing with configurable isolation strategies

### Spring Boot

- [Spring Boot Integration](/edk/v0.13/guides/spring-boot/overview.md): Integrating the IDK with Spring Boot applications

### Tenant & Onboarding

- [Tenant and Onboarding Overview](/edk/guides/tenant/overview.md): How the EDK models tenants, how the resolution stack maps incoming requests to a tenant, how registration journeys work, and where the application tenant fits in the control plane
- [Tenant Model](/edk/guides/tenant/model.md): The EDK Tenant entity, the parent / child hierarchy, the status lifecycle, slugs, system tenants, and the relationship to the IDK projection.
- [Tenant Resolution](/edk/guides/tenant/resolution.md): How the EDK maps an incoming HTTP request to a tenant. The layered resolver chain, the well-known URL forms, the in-memory cache, and the cross-replica invalidation channel.
- [Domains and Public Endpoints](/edk/guides/tenant/domains-and-endpoints.md): How a tenant binds to network identifiers (platform subdomains, verified custom domains) and how the data planes consult the per-service public-endpoint bindings when they advertise URLs.
- [Registration Journeys](/edk/guides/tenant/journeys.md): The four user-facing paths into RegisterTenantServiceCommand. Admin direct creation, admin invite by email, public self-service signup, and the one-shot bootstrap. End-to-end flows, license gates, and the signup state machine.
- [Application Tenant and Bootstrap](/edk/guides/tenant/application-tenant.md): The control-plane tenant. Its always-on hosted AS, the durable bootstrap gate, the application admin REST under /api/v1/application, license activation, secret backend selection, and onboarding policy.
- [License, Quota, and Policy](/edk/guides/tenant/license-and-policy.md): The License model, LicenseLimits, LicenseFeatures, the onboarding-policy SPI, signup-policy SPIs, the quota services, and how a deployment overlays its own.
- [Per-Tenant Configuration](/edk/guides/tenant/configuration.md): How per-tenant configuration is stored, read, and updated. The tenant_config_property table, the secret classifier, the App / Tenant / Principal scope chain, and the cross-replica invalidation channel.
- [Tenant Isolation](/edk/guides/tenant/isolation.md): How the EDK keeps one tenant's data, keys, and operations isolated from another. Row-level vs per-tenant database isolation, the TenantProvisioner, per-tenant signing keys, encryption at rest, and authorisation scope.

### Container Deployment

- [Container Deployment Overview](/edk/guides/container-deployment/overview.md): The five EDK container images Sphereon ships to commercial customers (KMS, DID, AS, Issuer, Verifier), how they are scoped, how they relate, and how a typical deployment is laid out
- [Deployment Topology](/edk/guides/container-deployment/topology.md): How the five EDK containers, the shared Postgres, the public and internal ingresses, and the service-to-service auth fit together in a typical Kubernetes or Docker Compose deployment
- [KMS Container](/edk/guides/container-deployment/kms.md): The sphereon/enterprise-kms image, the internal-only crypto authority for the EDK stack. Provider registration, per-tenant key aliases, the REST surface that issuer, verifier, AS, and DID call into.
- [DID Container](/edk/guides/container-deployment/did.md): The sphereon/enterprise-did image, a public Universal Resolver plus internal admin and registrar for did:web, did:webvh, did:jwk, and did:key. Per-tenant method allowlists, document publishing, and webvh log management.
- [AS Container](/edk/guides/container-deployment/as.md): The sphereon/enterprise-as image, an OAuth 2.0 / OpenID authorization server scoped to the flows the EDK needs first-hand. Pre-authorized code, wallet federation, client credentials, per-tenant federation provider binding.
- [Issuer Container](/edk/guides/container-deployment/issuer.md): The sphereon/enterprise-issuer image, the OpenID4VCI credential issuer. Protocol endpoints, attribute pipeline, credential design store, integration kinds for AS binding and attribute suppliers, webhooks.
- [Verifier Container](/edk/guides/container-deployment/verifier.md): The sphereon/enterprise-verifier image, the OpenID4VP verifier. Protocol endpoints, DCQL versioned store, per-tenant trust frames, presentation callbacks.
- [Configuration & Secrets](/edk/guides/container-deployment/configuration.md): How the five EDK containers read configuration. The shipped application.yaml, environment variable mapping, per-tenant config stored in Postgres, and the secret-backend choice between Vault, AWS Secrets Manager, Azure Key Vault, and Kubernetes secrets.
- [Operations](/edk/guides/container-deployment/operations.md): Running the EDK containers in production. Health and readiness, OpenTelemetry tracing and metrics, audit, backup and restore, image publishing, and the operator hardening checklist.
- [Kotlin API Reference](pathname:///edk/v0.25.0/api/index.html)

## Guides

- [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation

### HTTP APIs

- [Universal HTTP Adapter](/edk/v0.13/guides/http/universal-adapter.md): Framework-agnostic HTTP adapter for building portable REST APIs

### Authentication

- [JWT Validation](/edk/v0.13/guides/authentication/jwt-validation.md): Multi-IdP JWT validation for Ktor and Spring Boot

### Authorization

- [Authorization Overview](/edk/v0.13/guides/authorization/overview.md): Policy-based authorization with AuthZEN, Cedar, and OPA
- [Cedarling Integration](/edk/v0.13/guides/authorization/cedarling.md): Integrate Cedar policy engine via Cedarling sidecar
- [Command Authorization Extension](/edk/v0.13/guides/authorization/command-extension.md): Automatic authorization for command execution

### DID Services

- [DID REST Services](/edk/v0.13/guides/did/overview.md): DID management REST APIs in the EDK

### OID4VP Verification

- [OID4VP Overview](/edk/v0.13/guides/oid4vp/overview.md): OpenID for Verifiable Presentations - verifying credentials from digital wallets
- [OID4VP Integration Guide](/edk/v0.13/guides/oid4vp/integration.md): Step-by-step guide to integrating the Universal OID4VP API
- [Interactive API Docs](/edk/api/universal-oid4vp)

### eIDAS Signatures

- [eIDAS Signature Framework](/edk/v0.13/guides/eidas/overview.md):
EU-compliant digital signatures with CAdES, PAdES, JAdES, and XAdES support - [eIDAS Signature Client](/edk/v0.13/guides/eidas/client.md): Programmatic document signing with the eIDAS client API - [eIDAS REST Server](/edk/v0.13/guides/eidas/server.md): Deploy eIDAS signature capabilities as REST APIs ### Configuration - [Configuration System Overview](/edk/v0.13/guides/config/overview.md): EDK configuration system architecture, auto-registration, and module overview - [Cloud Configuration Providers](/edk/v0.13/guides/config/cloud-providers.md): Using REST and Azure App Configuration cloud providers in the EDK - [Offline Configuration Cache](/edk/v0.13/guides/config/offline-cache.md): Using offline caching for network-resilient configuration in the EDK ### Persistence - [Party Persistence](/edk/v0.13/guides/persistence/party.md): Store parties, identities, contacts, and addresses in relational databases - [Settings Persistence](/edk/v0.13/guides/persistence/settings.md): Hierarchical configuration storage with scope inheritance - [KV Store Persistence](/edk/v0.13/guides/persistence/kv-store.md): Database-backed key-value storage with multi-scope isolation ### Database - [Database Routing](/edk/v0.13/guides/database/routing.md): Multi-tenant database routing with configurable isolation strategies ### Events - [Events System](/edk/v0.13/guides/events/overview.md): EDK event types, subsystems, and transmitter interfaces ### Spring Boot - [Spring Boot Integration](/edk/v0.13/guides/spring-boot/overview.md): Integrating the IDK with Spring Boot applications - [Kotlin API Reference](pathname:///edk/v0.13/api/index.html) - [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation - [Credentials & Trust](/vdx/guides/credentials.md): Issue, verify, and manage verifiable credentials with built-in trust 
establishment and authorization server integration - [Identity & Authentication](/vdx/guides/identity-platform.md): Wallet authentication, identity reconciliation, composable verification workflows, and enterprise IAM integration - [Security & Governance](/vdx/guides/security.md): End-to-end zero-trust governance, from policy enforcement through audit trails to compliance reporting - [Operations & Management](/vdx/guides/operations.md): Portals, workflows, forms, branding, deployment, and device management for the VDX platform - [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation ## 📚 Guides - [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation - [Sdk installation](/kiwa/v0.6/guides/installation.md): eLicense Sdk installation instructions - [Dependency Injection](/kiwa/v0.6/guides/di.md): Dependency Injection and components - [Holder Functions](/kiwa/v0.6/guides/holder-functions.md): Holder Functions explained - [eLicense Mdoc display and verification](/kiwa/v0.6/guides/elicense-mdocs.md): eLicense ISO Mdoc display and verification - [Kotlin API Reference](pathname:///kiwa/v0.13/api/index.html) ## Other - [Example app](/kiwa/v0.6/other/sample-app.md): eLicense example app - [Changelog](/kiwa/other/changelog.md): Release history and changes for the Kiwa SDK - [FAQ](/kiwa/v0.6/other/faq.md): Q: Does the Kiwa eLicense SDK require REST APIs? - [License Agreement](/kiwa/v0.6/other/license.md): Be aware the Kiwa eLicense SDK eLicense is governed by a license agreement and is proprietary. 
Licensees will have source code access ## 📚 Guides - [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation - [Sdk installation](/kiwa/v0.6/guides/installation.md): eLicense Sdk installation instructions - [Dependency Injection](/kiwa/v0.6/guides/di.md): Dependency Injection and components - [Holder Functions](/kiwa/v0.6/guides/holder-functions.md): Holder Functions explained - [eLicense Mdoc display and verification](/kiwa/v0.6/guides/elicense-mdocs.md): eLicense ISO Mdoc display and verification - [Kotlin API Reference](pathname:///kiwa/v0.10/api/index.html) ## Other - [Example app](/kiwa/v0.6/other/sample-app.md): eLicense example app - [FAQ](/kiwa/v0.6/other/faq.md): Q: Does the Kiwa eLicense SDK require REST APIs? - [License Agreement](/kiwa/v0.6/other/license.md): Be aware the Kiwa eLicense SDK eLicense is governed by a license agreement and is proprietary. Licensees will have source code access ## 📚 Guides - [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation - [Sdk installation](/kiwa/v0.6/guides/installation.md): eLicense Sdk installation instructions - [Dependency Injection](/kiwa/v0.6/guides/di.md): Dependency Injection and components - [Holder Functions](/kiwa/v0.6/guides/holder-functions.md): Holder Functions explained - [eLicense Mdoc display and verification](/kiwa/v0.6/guides/elicense-mdocs.md): eLicense ISO Mdoc display and verification - [Kotlin API Reference](pathname:///kiwa/v0.6/api/index.html) ## Other - [Example app](/kiwa/v0.6/other/sample-app.md): eLicense example app - [FAQ](/kiwa/v0.6/other/faq.md): Q: Does the Kiwa eLicense SDK require REST APIs? 
- [License Agreement](/kiwa/v0.6/other/license.md): Be aware the Kiwa eLicense SDK eLicense is governed by a license agreement and is proprietary. Licensees will have source code access ## Guides - [eduID Wallet Matching Portal](/eduid-wallet-matching-portal/guides/getting-started.md): Privacy-preserving identity matching portal connecting eduID wallet credentials with institutional identities via SURFconext federation - [System Architecture](/eduid-wallet-matching-portal/guides/architecture.md): Service topology, inter-service communication, and deployment architecture for the matching portal - [Authentication Flows](/eduid-wallet-matching-portal/guides/authentication-flows.md): Three authentication paths - federated OIDC login, wallet fast-path for known holders, and wallet reconciliation for new holders ### Identity Matching - [Identity Matching](/eduid-wallet-matching-portal/guides/matching/overview.md): How external identifiers are linked to internal identities using privacy-preserving HMAC hashing - [IdentityMatch Record](/eduid-wallet-matching-portal/guides/matching/identity-match.md): The hash-based index linking external identifiers to internal identity IDs - [IdentityLinkBinding Record](/eduid-wallet-matching-portal/guides/matching/identity-link-binding.md): Encrypted holder-to-institution mapping with cached canonical attributes and assurance metadata - [Key Rotation](/eduid-wallet-matching-portal/guides/matching/key-rotation.md): Zero-downtime HMAC and encryption key rotation with dual-read support and lazy migration ### Reconciliation - [Identity Reconciliation](/eduid-wallet-matching-portal/guides/reconciliation/overview.md): Policy-driven decision engine that determines what to do when a user presents wallet credentials - [Selector Rules](/eduid-wallet-matching-portal/guides/reconciliation/selector-rules.md): Declarative rule engine for reconciliation decisions - conditions, priorities, and plan templates - [Material 
Profiles](/eduid-wallet-matching-portal/guides/reconciliation/material-profiles.md): Recipes for constructing identity link bindings - which identifiers to hash and which attributes to encrypt - [Reconciliation Sessions](/eduid-wallet-matching-portal/guides/reconciliation/reconciliation-session.md): OIDC-based reconciliation session lifecycle - creation, redirect, callback, and completion ### Encryption & Key Management - [Encryption & Key Management](/eduid-wallet-matching-portal/guides/encryption/overview.md): Three domain-separated cryptographic keys protecting identity data at rest - HMAC-SHA256 for hashing, AES-256-GCM for encryption - [Cryptographic Keys](/eduid-wallet-matching-portal/guides/encryption/cryptographic-keys.md): Key aliases, algorithms, KMS provider configuration, and key version management - [Encrypted Storage Patterns](/eduid-wallet-matching-portal/guides/encryption/encrypted-storage.md): How sensitive data is encrypted before persistence and decrypted on read - envelope encryption, AES-256-GCM payloads, and zero-plaintext guarantees ### REST APIs - [REST API Overview](/eduid-wallet-matching-portal/guides/rest-api/overview.md): Complete API surface - OID4VP sessions, IDV reconciliation, external identity API, STS OIDC endpoints, and frontend BFF routes - [OID4VP Session API](/eduid-wallet-matching-portal/guides/rest-api/oid4vp-sessions.md): Create, poll, and complete wallet authentication sessions via OID4VP - [IDV Reconciliation API](/eduid-wallet-matching-portal/guides/rest-api/idv-reconciliation.md): Initiate, callback, and complete identity verification reconciliation flows - [External Reconciliation API](/eduid-wallet-matching-portal/guides/rest-api/external-api.md): REST API for authorized third-party systems to access reconciled identity data, auxiliary data, and GDPR erasure - [STS (OAuth2/OIDC) Endpoints](/eduid-wallet-matching-portal/guides/rest-api/sts-endpoints.md): Full OIDC Provider endpoints - authorization, token, 
introspection, revocation, JWKS, and discovery - [Frontend BFF Routes](/eduid-wallet-matching-portal/guides/rest-api/frontend-bff.md): Next.js Backend-For-Frontend routes that proxy requests to STS and Auth Bridge ### Database - [Database Overview](/eduid-wallet-matching-portal/guides/database/overview.md): Seven PostgreSQL tables powering identity matching, reconciliation, auxiliary data, key rotation, and audit - [Schema Reference](/eduid-wallet-matching-portal/guides/database/schema-reference.md): Complete DDL for all seven tables - columns, types, constraints, indexes, and encryption annotations - [GDPR Data Lifecycle](/eduid-wallet-matching-portal/guides/database/gdpr-data-lifecycle.md): Data retention, soft delete, hard delete, inactive binding cleanup, and GDPR Art. 17 erasure ### Operations - [Deployment Guide](/eduid-wallet-matching-portal/guides/operations/deployment.md): Docker Compose setup, environment variables, service dependencies, and production deployment considerations - [Configuration Reference](/eduid-wallet-matching-portal/guides/operations/configuration.md): Complete application.yml reference for STS and Auth Bridge - all properties with defaults and descriptions - [Monitoring & Observability](/eduid-wallet-matching-portal/guides/operations/monitoring.md): Audit events, session cleanup monitoring, key migration tracking, and operational health indicators ### Security & Privacy - [Privacy Architecture](/eduid-wallet-matching-portal/guides/security/privacy-architecture.md): Privacy-by-design principles - no plaintext storage, domain-separated keys, tenant isolation, data minimization, and crypto-shredding - [Audit Trail](/eduid-wallet-matching-portal/guides/security/audit-trail.md): Append-only audit event logging for identity operations, reconciliation decisions, and GDPR compliance evidence ## Other Pages - / - /edk/api/universal-oid4vp - /ssi-sdk
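The Identity Matching, Key Rotation and Encryption & Key Management guides listed above describe one storage pattern: external identifiers are indexed by a domain-separated HMAC-SHA256, the holder-to-institution binding is encrypted with AES-256-GCM, and both keys rotate with dual-read and lazy migration. The Go program below is an added example written for this page to show how those three pieces fit together; it is not the portal's own code (the portal is a Spring/Next.js deployment whose keys live in a KMS). The in-memory key ring and table, the `identity-match` label, the `tenant|idType` additional data and the sample identifier `alice@university.example` are all assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed example, not the portal's code (which keeps keys in a KMS): one HMAC-SHA256
// and one AES-256-GCM key per version, old versions kept readable while rows migrate.
type KeyRing struct {
	Version  int
	hmacKeys map[int][]byte
	aeads    map[int]cipher.AEAD
}

type Record struct {
	EncVersion int    // AES key version the row was encrypted with
	Ciphertext []byte // nonce || GCM ciphertext || tag
}

type Store struct { // in-memory stand-in for the database table, keyed by index hash
	ring *KeyRing
	rows map[string]*Record
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Rotate adds a fresh key version; existing rows are migrated lazily on read, not here.
func (r *KeyRing) Rotate() {
	if r.hmacKeys == nil {
		r.hmacKeys, r.aeads = map[int][]byte{}, map[int]cipher.AEAD{}
	}
	r.Version++
	r.hmacKeys[r.Version] = randBytes(32)
	block, _ := aes.NewCipher(randBytes(32)) // 32-byte key: cannot fail
	r.aeads[r.Version], _ = cipher.NewGCM(block)
}

// IndexHash is domain-separated: label, tenant and identifier type are MAC'd with
// the value, so the same identifier hashed elsewhere yields an unrelated digest.
func (r *KeyRing) IndexHash(version int, tenant, idType, externalID string) string {
	mac := hmac.New(sha256.New, r.hmacKeys[version])
	fmt.Fprintf(mac, "identity-match\x00%s\x00%s\x00%s", tenant, idType, externalID)
	return hex.EncodeToString(mac.Sum(nil))
}

// Decrypt fails closed on a wrong key version, a wrong aad or any bit flip.
func (r *KeyRing) Decrypt(version int, blob, aad []byte) ([]byte, error) {
	g, ok := r.aeads[version]
	if !ok || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("key version %d unknown or ciphertext truncated", version)
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func NewStore(r *KeyRing) *Store { return &Store{ring: r, rows: map[string]*Record{}} }

// Put indexes the identifier and seals the binding as nonce||ciphertext||tag under the
// current key versions; the aad ties the blob to its tenant and identifier type.
func (s *Store) Put(tenant, idType, externalID string, attrs []byte) {
	v := s.ring.Version
	g := s.ring.aeads[v]
	nonce := randBytes(g.NonceSize())
	ct := g.Seal(nonce, nonce, attrs, []byte(tenant+"|"+idType))
	s.rows[s.ring.IndexHash(v, tenant, idType, externalID)] = &Record{v, ct}
}

// Lookup is the dual-read path: newest HMAC key first, then older ones. An old-version
// hit is re-indexed and re-encrypted under the current keys first (lazy migration).
func (s *Store) Lookup(tenant, idType, externalID string) (attrs []byte, migrated bool, err error) {
	aad := []byte(tenant + "|" + idType)
	for v := s.ring.Version; v >= 1; v-- {
		h := s.ring.IndexHash(v, tenant, idType, externalID)
		rec, ok := s.rows[h]
		if !ok {
			continue
		}
		if attrs, err = s.ring.Decrypt(rec.EncVersion, rec.Ciphertext, aad); err != nil {
			return nil, false, err
		}
		if v == s.ring.Version && rec.EncVersion == s.ring.Version {
			return attrs, false, nil
		}
		delete(s.rows, h)
		s.Put(tenant, idType, externalID, attrs)
		return attrs, true, nil
	}
	return nil, false, nil // nil attrs, nil err: identifier unknown to this tenant
}
```

Call `Rotate` once before the first `Put`; every later `Rotate` adds a key version without touching stored rows, and the next `Lookup` of each identifier moves its row forward. Because the tenant and identifier type are part of the MAC input, the same eduID value indexed for another tenant or as a different identifier type produces a different hash, which is what keeps the index from being joined across tenants. The package has no `main`, so drive it from a test or your own program.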