
SIOPv2

SIOPv2 (Self-Issued OpenID Connect Provider v2) is a decentralized authentication protocol that enables a user to authenticate using a Decentralized Identifier (DID) and verifiable presentations without a centralized identity provider.
Chainscore © 2026
DECENTRALIZED IDENTITY PROTOCOL

What is SIOPv2?

SIOPv2 is a foundational protocol for user-centric digital identity, enabling secure authentication without centralized authorities.

Self-Issued OpenID Provider v2 (SIOPv2) is an OpenID Connect (OIDC) extension that allows an individual to act as their own OpenID Provider (OP) using a Decentralized Identifier (DID) and Verifiable Credentials (VCs). Instead of relying on a corporate identity provider like Google or Facebook, users generate and control their own cryptographic keys, signing authentication responses directly from their wallet or agent. This shifts the paradigm from centralized account logins to portable, user-owned digital identities that can interact with any Relying Party (RP) supporting the standard.

The core technical flow involves a Relying Party (e.g., a website or dApp) sending an OIDC authentication request to the user's SIOP wallet. The wallet, which holds the user's private keys and DIDs, processes this request. It then creates and signs an ID Token—a JSON Web Token (JWT)—that contains claims about the user, such as their DID, and returns it to the RP. The RP verifies the token's signature against the public keys published in the user's DID Document, establishing trust without a central intermediary. This process is formally defined in the OpenID Connect for Verifiable Presentations specification.

SIOPv2 is a critical component of the broader SSI (Self-Sovereign Identity) stack, enabling DID-based authentication. Its primary use cases include passwordless login for decentralized applications (dApps), secure access to verifiable credential wallets, and compliant Know Your Customer (KYC) flows where users present attested credentials without revealing unnecessary personal data. By decoupling identity from specific platforms, SIOPv2 promotes interoperability, reduces phishing risks associated with centralized passwords, and gives users cryptographic proof of control over their identity.

PROTOCOL MECHANICS

How SIOPv2 Works

SIOPv2 is a decentralized identity protocol that enables users to authenticate to relying parties using a self-custodied wallet, without needing a centralized identity provider.

Self-Issued OpenID Provider v2 (SIOPv2) is an OpenID Connect (OIDC) extension that defines how a Decentralized Identifier (DID) holder acts as their own OpenID Provider. The core mechanism involves the Relying Party (RP) sending an authentication request to the user's wallet. This request, formatted as a JWT or a URL, specifies the required credentials, such as a Verifiable Presentation containing a Verifiable Credential. The user's wallet, functioning as the OpenID Provider (OP), processes this request, obtains user consent, and returns a signed ID Token in the form of a Verifiable Presentation (VP) to complete the authentication flow.

The protocol operates through a direct, peer-to-peer connection between the user's identity wallet and the Relying Party's backend, eliminating traditional intermediaries. A key technical component is the response_mode parameter, often set to direct_post.jwt, which dictates how the authentication response is delivered. The returned ID Token is a JSON Web Token (JWT) that is signed with the key material from the user's DID, providing cryptographic proof of ownership. This token contains the user's DID and the presented claims, allowing the RP to verify the signature against the user's public key resolved from their DID document on a verifiable data registry.

For a practical example, consider a user logging into a decentralized application (dApp). The dApp (RP) redirects the user to their SIOPv2-compatible wallet with an OIDC authorization request. The wallet displays the requested data (e.g., "This app requests your name and age"). After user approval, the wallet creates a signed VP containing the relevant Verifiable Credentials and sends it back to the dApp's callback endpoint. The dApp validates the JWT signature and the credentials' proofs, granting access without ever handling a password or relying on a service like Google or Facebook.

DECENTRALIZED IDENTITY

Key Features of SIOPv2

Self-Issued OpenID Connect Provider v2 (SIOPv2) is a decentralized identity protocol that enables users to authenticate with web services using credentials they control, without relying on a central authority.

01

Decentralized Identifiers (DIDs)

SIOPv2 uses Decentralized Identifiers (DIDs) as the core user identifier. A DID is a cryptographically verifiable identifier controlled by the user, not a centralized registry. This enables:

  • Self-Sovereign Identity: Users own and manage their identity.
  • Portability: The same DID can be used across different services and platforms.
  • Verifiability: DIDs resolve to DID Documents containing public keys for authentication.
02

Verifiable Presentations

Users present claims to verifiers (Relying Parties) as Verifiable Presentations (VPs). A VP is a tamper-evident wrapper for one or more Verifiable Credentials (VCs), signed by the holder. This allows for:

  • Selective Disclosure: Users can share only the specific claims required (e.g., prove you are over 21 without revealing your birthdate).
  • Proof of Authenticity: The cryptographic signature proves the credentials were issued by a trusted issuer and are presented by the legitimate holder.
03

OpenID Connect Core Protocol

SIOPv2 is built as a profile of the widely adopted OpenID Connect (OIDC) standard. It reuses OIDC's core flows, messages, and security constructs but replaces the centralized OIDC Provider with a user-controlled wallet. This provides:

  • Interoperability: Easier integration for developers familiar with OIDC.
  • Established Security: Leverages OIDC's battle-tested security model for authentication.
  • Standardized Flows: Uses the Authorization Code Flow or Implicit Flow adapted for decentralized identity.
04

Wallet-Based Authentication

Authentication is performed by a user's digital wallet (e.g., a mobile app or browser extension), which acts as the Self-Issued OpenID Provider. The wallet:

  • Stores Private Keys: Securely manages the keys associated with the user's DIDs.
  • Signs Authentication Responses: Creates the signed ID Token (a JWT) to prove control of the DID.
  • Manages Credentials: Stores and presents Verifiable Credentials from various issuers.
05

Enhanced User Privacy

SIOPv2 incorporates privacy-by-design principles to minimize data leakage:

  • Pairwise Pseudonymous DIDs: Services can request unique, service-specific DIDs to prevent correlation across different websites.
  • No Central Tracking: There is no central identity provider that can log all user authentications.
  • User Consent: The wallet prompts the user for explicit consent before sharing any credentials or authentication data.
06

Interoperability with W3C Standards

SIOPv2 is designed to be fully compatible with the W3C Verifiable Credentials Data Model and the W3C Decentralized Identifiers specifications. This ensures:

  • Credential Portability: Credentials issued in one ecosystem can be presented in another that supports SIOPv2.
  • Vendor Neutrality: Avoids lock-in to any single vendor's proprietary identity system.
  • Foundation for Ecosystem: Serves as a key bridge between the traditional OIDC web and the emerging decentralized identity stack.
DECENTRALIZED IDENTITY

Core Components & Data Structures

SIOPv2 (Self-Issued OpenID Provider v2) is a decentralized identity protocol that enables users to authenticate using self-sovereign credentials, such as those stored in a digital wallet, without relying on a centralized identity provider.

01

Decentralized Identifier (DID)

The foundational component of SIOPv2 is a Decentralized Identifier (DID), a globally unique, cryptographically verifiable identifier controlled by the user. It is not issued by a central authority but is self-generated and anchored to a blockchain or other decentralized system. The DID serves as the user's persistent, portable identity key for all interactions.

02

Verifiable Presentation

A Verifiable Presentation is the data package a user (the holder) shares with a Relying Party (e.g., a dApp). It contains one or more Verifiable Credentials and is cryptographically signed by the user's DID. This proves the user possesses the credentials and consents to sharing them, enabling selective disclosure of attributes.

03

SIOPv2 Request Object (JWT)

The authentication flow begins when a Relying Party sends a SIOPv2 Request Object. This is a JSON Web Token (JWT) that specifies:

  • The client_id (the Relying Party's DID)
  • Required scopes and claims
  • The response_type (id_token)
  • A nonce to prevent replay attacks

This JWT is passed to the user's wallet, which parses it to understand what is being requested.

04

SIOPv2 Response (ID Token)

The user's wallet constructs the SIOPv2 Response, which is also a JWT (an ID Token). This token includes:

  • The iss and sub fields, both set to the user's DID
  • The aud field set to the Relying Party's DID
  • The requested claims (from Verifiable Credentials)
  • The nonce from the request

This ID Token is signed with the private key corresponding to the user's DID, providing cryptographic proof of authentication.

05

Wallet & Holder Binding

A critical security mechanism in SIOPv2 is Holder Binding. It ensures the Verifiable Credentials presented are genuinely possessed by the authenticating user. This is achieved by proving control of the DID that is the subject of the credentials. The wallet signs the ID Token with the same key material linked to that DID, cryptographically binding the user's authentication to their credentials.
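The request and response structures above, worked through end to end as an added example (not code from this page or from any SIOPv2 library): the wallet signs a self-issued ID Token with the key behind its DID, and the Relying Party checks the holder-binding rule (iss == sub == a resolvable DID), the signature against the DID's published key, and the aud, nonce and exp bindings. It assumes an Ed25519/EdDSA key; DID resolution is stood in for by an in-memory map, and the DIDs and nonce are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// IDToken holds the claims listed above: iss and sub are both the user's DID, aud is the RP's client_id.
type IDToken struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Nonce string `json:"nonce"`
	Exp   int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// IssueIDToken is the wallet side: build the self-issued ID Token and sign it (EdDSA) with the DID's private key.
func IssueIDToken(priv ed25519.PrivateKey, did, clientID, nonce string, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT", "kid": did + "#key-1"})
	claims, _ := json.Marshal(IDToken{Iss: did, Sub: did, Aud: clientID, Nonce: nonce, Exp: now.Add(5 * time.Minute).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// VerifyIDToken is the Relying Party side. keys stands in for DID resolution (DID -> key from its DID Document).
func VerifyIDToken(tok, clientID, nonce string, keys map[string]ed25519.PublicKey, now time.Time) (*IDToken, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	payload, err1 := b64.DecodeString(parts[1])
	sig, err2 := b64.DecodeString(parts[2])
	var c IDToken
	if err1 != nil || err2 != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("undecodable JWT")
	}
	pub, known := keys[c.Iss] // resolve the DID named in iss
	switch {
	case c.Iss != c.Sub || !strings.HasPrefix(c.Iss, "did:"):
		return nil, errors.New("self-issued token must have iss == sub == a DID") // holder binding rule
	case !known:
		return nil, errors.New("DID resolution failed")
	case !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig):
		return nil, errors.New("signature does not verify against the DID Document key")
	case c.Aud != clientID:
		return nil, errors.New("aud is not this RP's client_id") // token was minted for another RP
	case c.Nonce != nonce:
		return nil, errors.New("nonce does not match the request") // replayed or unsolicited response
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}
```

The order of the checks matters: the signature is verified before any claim is trusted, and only a key that the DID in iss actually resolves to is ever used.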

ARCHITECTURAL COMPARISON

SIOPv2 vs. Traditional OpenID Connect

A comparison of the decentralized Self-Issued OpenID Provider v2 (SIOPv2) protocol with the traditional, centralized OpenID Connect (OIDC) flow.

| Feature / Component | SIOPv2 (Decentralized) | Traditional OIDC (Centralized) |
|---|---|---|
| Identity Provider (IdP) | User's own wallet or device (Self-Issued) | Centralized third-party service (e.g., Google, Auth0) |
| Core Credential | Decentralized Identifier (DID) and Verifiable Credentials (VCs) | Centralized user account identifier (e.g., email, username) |
| Trust Anchor | Verifiable Data Registry (e.g., blockchain, DID method) | Trusted third-party IdP and its certificate authority |
| User Consent & Data Portability | User holds and selectively discloses credentials | User data is stored and controlled by the IdP |
| Authentication Flow | Direct presentation of a Verifiable Presentation (VP) to the Relying Party | Redirect through a centralized OIDC provider (Authorization Code Flow) |
| Standardization Body | OpenID Foundation (OIDF) & W3C (DIDs, VCs) | OpenID Foundation (OIDF) & IETF (OAuth 2.0) |
| Primary Use Case | Decentralized identity, user-centric data sharing, SSI | Federated login for web and mobile applications |

PRACTICAL APPLICATIONS

SIOPv2 Use Cases

Self-Issued OpenID Provider v2 (SIOPv2) enables user-centric, decentralized identity verification. These cards explore its primary applications for secure, portable authentication.

SIOPv2

Ecosystem & Implementations

SIOPv2 (Self-Issued OpenID Provider v2) is a decentralized identity standard that enables users to authenticate using self-issued credentials from their own digital wallet, without relying on a centralized identity provider.

02

Integration with Verifiable Credentials

SIOPv2 is designed to work seamlessly with W3C Verifiable Credentials (VCs). The ID Token can act as a Verifiable Presentation, containing or referencing VCs held in the user's wallet. This creates a unified flow where authentication and credential presentation happen in a single user consent step, forming the basis for Sign-In with Ethereum (SIWE) and other decentralized login systems.

03

Wallet & Agent Implementations

User interaction is managed by identity wallets or agents. Key implementations include:

  • Browser Extension Wallets (e.g., MetaMask with Sign-In with Ethereum).
  • Mobile Wallet SDKs (e.g., Veramo, Walt.id).
  • Cloud/Edge Agents for non-custodial key management.

These wallets handle DID resolution, key signing, and the user consent interface for releasing claims.

04

Relying Party Libraries & SDKs

For developers building applications (Relying Parties), several libraries simplify SIOPv2 integration:

  • Veramo (JavaScript/TypeScript)
  • DIDAuth libraries in various languages.
  • OIDC Client Adaptations configured for the siopv2 profile.

These handle the authentication request/response flow, JWT verification, DID validation, and signature checks.

06

Governance & Standards Bodies

SIOPv2's development and interoperability are driven by key organizations:

  • OpenID Foundation (OIDF): Maintains the core SIOPv2 and OIDC specifications.
  • Decentralized Identity Foundation (DIF): Drives wallet and agent interoperability through working groups.
  • W3C Credentials Community Group: Ensures alignment with Verifiable Credentials data models.

Collaboration ensures the standard remains open, vendor-neutral, and compatible with the broader SSI ecosystem.

SELF-ISSUED IDENTITY PROTOCOL

Technical Deep Dive

SIOPv2 is a foundational standard for decentralized identity, enabling users to authenticate with services using credentials they control, without relying on centralized identity providers.

SIOPv2 (Self-Issued OpenID Provider v2) is a decentralized identity protocol that allows an individual to act as their own OpenID Provider, using a Decentralized Identifier (DID) and Verifiable Credentials (VCs) to authenticate with a Relying Party (RP). It works by extending the OpenID Connect (OIDC) flow: instead of redirecting to a third-party provider like Google, the user's SIOP wallet (e.g., a mobile app) generates a self-issued ID Token signed with the private key associated with their DID. This token contains claims about the user, which can be optionally backed by verifiable credentials, proving attributes like age or membership without revealing the underlying credential data.

SIOPV2

Security & Privacy Considerations

Self-Issued OpenID Provider v2 (SIOPv2) is a decentralized identity protocol enabling users to authenticate using self-custodied credentials, such as a blockchain wallet, without relying on a centralized identity provider.

02

Verifiable Presentation & Minimal Disclosure

A core privacy feature is the ability to present cryptographically verifiable claims without revealing the entire credential. Using Selective Disclosure or Zero-Knowledge Proofs (ZKPs), a user can prove they are over 21 without disclosing their exact birth date or other personal data, adhering to data minimization principles.

03

Phishing & Replay Attack Mitigation

The protocol includes several defenses against common attacks:

  • Nonce and State Parameters: Prevent replay attacks by ensuring authentication responses are unique to a single request.
  • Audience (aud) Claim: The ID Token is cryptographically bound to the specific Relying Party's (RP) client ID.
  • User-Initiated Flow: Authentication is always triggered by a user action (e.g., signing a message), making unsolicited auth requests ineffective.
04

Key Management & Custody Risks

Security is contingent on the user's ability to secure their signing key (e.g., a wallet's private key). This introduces risks:

  • Key Loss: Losing the private key means losing the digital identity, with no central recovery mechanism.
  • Key Theft: Compromise of the device or seed phrase leads to full identity theft.
  • User Responsibility: Shifts the security burden and complexity from service providers to end-users.
05

Decentralized Identifiers (DIDs) as Issuer

SIOPv2 uses Decentralized Identifiers (DIDs) as the issuer (iss) of the ID Token. The DID is a URI that points to a DID Document containing public keys. This allows any verifier to resolve the DID, fetch the public key, and independently verify the token's signature without a central registry, ensuring cryptographic verifiability across systems.
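The resolution step described above, as an added example (not code from this page or from any DID library): the verifier pulls the key named by the token's kid out of the resolved DID Document and accepts it only if the document lists that key under "authentication", so a key the controller published for another purpose cannot be used to sign a login. The DID Document is a constructed sample; it is assumed that the authentication entries are references (not embedded keys) and that the key is an Ed25519 JWK.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// DIDDocument is the slice of a W3C DID Document a SIOPv2 verifier needs: the published keys and which of them the
// controller authorizes for authentication. Assumes "authentication" holds references, not embedded keys.
type DIDDocument struct {
	ID                 string `json:"id"`
	VerificationMethod []struct {
		ID, Controller string
		PublicKeyJwk   struct{ Kty, Crv, X string } // encoding/json matches "kty", "crv", "x" case-insensitively
	} `json:"verificationMethod"`
	Authentication []string `json:"authentication"`
}

// Constructed sample, not a real DID: key-1 is authorized for authentication, key-2 only for key agreement.
const sampleDoc = `{"id": "did:example:alice",
  "verificationMethod": [
    {"id": "did:example:alice#key-1", "type": "JsonWebKey2020", "controller": "did:example:alice",
     "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}},
    {"id": "did:example:alice#key-2", "type": "JsonWebKey2020", "controller": "did:example:alice",
     "publicKeyJwk": {"kty": "OKP", "crv": "X25519", "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}],
  "authentication": ["#key-1"],
  "keyAgreement": ["#key-2"]}`

// AuthenticationKey resolves the JWT header's kid against the DID Document and returns its Ed25519 key, but only
// when the document lists that key under "authentication": a key published for key agreement must not sign a login.
func AuthenticationKey(doc []byte, did, kid string) (ed25519.PublicKey, error) {
	var d DIDDocument
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	authorized := false
	for _, ref := range d.Authentication { // DID Core allows relative ("#key-1") or absolute DID URL references
		authorized = authorized || ref == kid || (strings.HasPrefix(ref, "#") && d.ID+ref == kid)
	}
	if !authorized {
		return nil, errors.New("kid is not authorized for authentication in the DID Document")
	}
	for _, vm := range d.VerificationMethod {
		if vm.ID != kid {
			continue
		}
		if vm.Controller != did || vm.PublicKeyJwk.Kty != "OKP" || vm.PublicKeyJwk.Crv != "Ed25519" {
			return nil, errors.New("verification method is not an Ed25519 key controlled by this DID")
		}
		x, err := base64.RawURLEncoding.DecodeString(vm.PublicKeyJwk.X)
		if err != nil || len(x) != ed25519.PublicKeySize {
			return nil, errors.New("malformed publicKeyJwk.x")
		}
		return ed25519.PublicKey(x), nil
	}
	return nil, errors.New("kid not present in verificationMethod")
}
```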

SIOPV2

Common Misconceptions

Self-Issued OpenID Provider v2 (SIOPv2) is a core standard for decentralized identity, often misunderstood in its relationship to blockchain and Verifiable Credentials. This section clarifies key technical distinctions.

Is SIOPv2 a blockchain protocol?

No, SIOPv2 is not a blockchain protocol. SIOPv2 is a decentralized identity standard that extends the OpenID Connect (OIDC) framework to allow an individual to act as their own identity provider (Self-Issued) without relying on a centralized service. It is an authentication protocol that can be used with any Decentralized Identifier (DID) method, some of which are implemented on blockchains. The blockchain may be used to anchor and verify the DID's cryptographic keys, but SIOPv2 itself operates at the application layer for secure, user-centric sign-in flows.

Key Distinction: Think of SIOPv2 as the "login button" standard that uses your decentralized identity (your DID), while the blockchain is one possible backend system for managing that identity's root of trust.

SIOPV2

Frequently Asked Questions (FAQ)

Self-Issued OpenID Provider v2 (SIOPv2) is a core standard for decentralized identity, enabling users to authenticate using their own digital wallets. This FAQ clarifies its purpose, mechanics, and role in the Web3 ecosystem.

Self-Issued OpenID Provider v2 (SIOPv2) is a decentralized identity protocol that allows a user to act as their own OpenID Provider using a digital wallet, such as a blockchain wallet, to authenticate to a Relying Party (RP). It works by extending the OAuth 2.0 and OpenID Connect (OIDC) framework: instead of relying on a centralized identity provider like Google, the user's wallet generates a Verifiable Presentation containing a Decentralized Identifier (DID) and Verifiable Credentials. The user signs an authentication request from the RP with their wallet's private key, proving control of their DID without revealing the key itself. This creates a secure, user-centric login flow where the individual maintains full control over their identity data.

SIOPv2: Self-Issued OpenID Connect Provider v2 | ChainScore Glossary