Free 30-min Web3 Consultation
Book Consultation
Smart Contract Security Audits
View Audit Services
Custom DeFi Protocol Development
Explore DeFi
Full-Stack Web3 dApp Development
View App Services
Free 30-min Web3 Consultation
Book Consultation
Smart Contract Security Audits
View Audit Services
Custom DeFi Protocol Development
Explore DeFi
Full-Stack Web3 dApp Development
View App Services
Free 30-min Web3 Consultation
Book Consultation
Smart Contract Security Audits
View Audit Services
Custom DeFi Protocol Development
Explore DeFi
Full-Stack Web3 dApp Development
View App Services
Free 30-min Web3 Consultation
Book Consultation
Smart Contract Security Audits
View Audit Services
Custom DeFi Protocol Development
Explore DeFi
Full-Stack Web3 dApp Development
View App Services
LABS
Glossary

SIOPv2

SIOPv2 (Self-Issued OpenID Connect Provider v2) is a decentralized authentication protocol that enables a user to authenticate using a Decentralized Identifier (DID) and verifiable presentations without a centralized identity provider.
Chainscore © 2026
definition
DECENTRALIZED IDENTITY PROTOCOL

What is SIOPv2?

SIOPv2 is a foundational protocol for user-centric digital identity, enabling secure authentication without centralized authorities.

Self-Issued OpenID Provider v2 (SIOPv2) is an OpenID Connect (OIDC) extension that allows an individual to act as their own OpenID Provider (OP) using a Decentralized Identifier (DID) and Verifiable Credentials (VCs). Instead of relying on a corporate identity provider like Google or Facebook, users generate and control their own cryptographic keys, signing authentication responses directly from their wallet or agent. This shifts the paradigm from centralized account logins to portable, user-owned digital identities that can interact with any Relying Party (RP) supporting the standard.

The core technical flow involves a Relying Party (e.g., a website or dApp) sending an OIDC authentication request to the user's SIOP wallet. The wallet, which holds the user's private keys and DIDs, processes this request. It then creates and signs an ID Token—a JSON Web Token (JWT)—that contains claims about the user, such as their DID, and returns it to the RP. The RP verifies the token's signature against the public keys published in the user's DID Document, establishing trust without a central intermediary. This process is formally defined in the OpenID Connect for Verifiable Presentations specification.

SIOPv2 is a critical component of the broader SSI (Self-Sovereign Identity) stack, enabling DID-based authentication. Its primary use cases include passwordless login for decentralized applications (dApps), secure access to verifiable credential wallets, and compliant Know Your Customer (KYC) flows where users present attested credentials without revealing unnecessary personal data. By decoupling identity from specific platforms, SIOPv2 promotes interoperability, reduces phishing risks associated with centralized passwords, and gives users cryptographic proof of control over their identity.

how-it-works
PROTOCOL MECHANICS

How SIOPv2 Works

SIOPv2 is a decentralized identity protocol that enables users to authenticate to relying parties using a self-custodied wallet, without needing a centralized identity provider.

Self-Issued OpenID Provider v2 (SIOPv2) is an OpenID Connect (OIDC) extension that defines how a Decentralized Identifier (DID) holder acts as their own OpenID Provider. The core mechanism involves the Relying Party (RP) sending an authentication request to the user's wallet. This request, formatted as a JWT or a URL, specifies the required credentials, such as a Verifiable Presentation containing a Verifiable Credential. The user's wallet, functioning as the OpenID Provider (OP), processes this request, obtains user consent, and returns a signed ID Token in the form of a Verifiable Presentation (VP) to complete the authentication flow.

The protocol operates through a direct, peer-to-peer connection between the user's identity wallet and the Relying Party's backend, eliminating traditional intermediaries. A key technical component is the response_mode parameter, often set to direct_post.jwt, which dictates how the authentication response is delivered. The returned ID Token is a JSON Web Token (JWT) that is signed with the key material from the user's DID, providing cryptographic proof of ownership. This token contains the user's DID and the presented claims, allowing the RP to verify the signature against the user's public key resolved from their DID document on a verifiable data registry.

For a practical example, consider a user logging into a decentralized application (dApp). The dApp (RP) redirects the user to their SIOPv2-compatible wallet with an OIDC authorization request. The wallet displays the requested data (e.g., "This app requests your name and age"). After user approval, the wallet creates a signed VP containing the relevant Verifiable Credentials and sends it back to the dApp's callback endpoint. The dApp validates the JWT signature and the credentials' proofs, granting access without ever handling a password or relying on a service like Google or Facebook.

key-features
DECENTRALIZED IDENTITY

Key Features of SIOPv2

Self-Issued OpenID Connect Provider v2 (SIOPv2) is a decentralized identity protocol that enables users to authenticate with web services using credentials they control, without relying on a central authority.

01

Decentralized Identifiers (DIDs)

SIOPv2 uses Decentralized Identifiers (DIDs) as the core user identifier. A DID is a cryptographically verifiable identifier controlled by the user, not a centralized registry. This enables:

  • Self-Sovereign Identity: Users own and manage their identity.
  • Portability: The same DID can be used across different services and platforms.
  • Verifiability: DIDs resolve to DID Documents containing public keys for authentication.
02

Verifiable Presentations

Users present claims to verifiers (Relying Parties) as Verifiable Presentations (VPs). A VP is a tamper-evident wrapper for one or more Verifiable Credentials (VCs), signed by the holder. This allows for:

  • Selective Disclosure: Users can share only the specific claims required (e.g., prove you are over 21 without revealing your birthdate).
  • Proof of Authenticity: The cryptographic signature proves the credentials were issued by a trusted issuer and are presented by the legitimate holder.
03

OpenID Connect Core Protocol

SIOPv2 is built as a profile of the widely adopted OpenID Connect (OIDC) standard. It reuses OIDC's core flows, messages, and security constructs but replaces the centralized OIDC Provider with a user-controlled wallet. This provides:

  • Interoperability: Easier integration for developers familiar with OIDC.
  • Established Security: Leverages OIDC's battle-tested security model for authentication.
  • Standardized Flows: Uses the Authorization Code Flow or Implicit Flow adapted for decentralized identity.
04

Wallet-Based Authentication

Authentication is performed by a user's digital wallet (e.g., a mobile app or browser extension), which acts as the Self-Issued OpenID Provider. The wallet:

  • Stores Private Keys: Securely manages the keys associated with the user's DIDs.
  • Signs Authentication Responses: Creates the signed ID Token (a JWT) to prove control of the DID.
  • Manages Credentials: Stores and presents Verifiable Credentials from various issuers.
05

Enhanced User Privacy

SIOPv2 incorporates privacy-by-design principles to minimize data leakage:

  • Pairwise Pseudonymous DIDs: Services can request unique, service-specific DIDs to prevent correlation across different websites.
  • No Central Tracking: There is no central identity provider that can log all user authentications.
  • User Consent: The wallet prompts the user for explicit consent before sharing any credentials or authentication data.
06

Interoperability with W3C Standards

SIOPv2 is designed to be fully compatible with the W3C Verifiable Credentials Data Model and the W3C Decentralized Identifiers specifications. This ensures:

  • Credential Portability: Credentials issued in one ecosystem can be presented in another that supports SIOPv2.
  • Vendor Neutrality: Avoids lock-in to any single vendor's proprietary identity system.
  • Foundation for Ecosystem: Serves as a key bridge between the traditional OIDC web and the emerging decentralized identity stack.
core-components
DECENTRALIZED IDENTITY

Core Components & Data Structures

SIOPv2 (Self-Issued OpenID Provider v2) is a decentralized identity protocol that enables users to authenticate using self-sovereign credentials, such as those stored in a digital wallet, without relying on a centralized identity provider.

01

Decentralized Identifier (DID)

The foundational component of SIOPv2 is a Decentralized Identifier (DID), a globally unique, cryptographically verifiable identifier controlled by the user. It is not issued by a central authority but is self-generated and anchored to a blockchain or other decentralized system. The DID serves as the user's persistent, portable identity key for all interactions.

02

Verifiable Presentation

A Verifiable Presentation is the data package a user (the holder) shares with a Relying Party (e.g., a dApp). It contains one or more Verifiable Credentials and is cryptographically signed by the user's DID. This proves the user possesses the credentials and consents to sharing them, enabling selective disclosure of attributes.

03

SIOPv2 Request Object (JWT)

The authentication flow begins when a Relying Party sends a SIOPv2 Request Object. This is a JSON Web Token (JWT) that specifies:

  • The client_id (the Relying Party's DID)
  • Required scopes and claims
  • The response_type (id_token)
  • A nonce to prevent replay attacks This JWT is passed to the user's wallet, which parses it to understand what is being requested.
04

SIOPv2 Response (ID Token)

The user's wallet constructs the SIOPv2 Response, which is also a JWT (an ID Token). This token includes:

  • The iss and sub fields, both set to the user's DID
  • The aud field set to the Relying Party's DID
  • The requested claims (from Verifiable Credentials)
  • The nonce from the request This ID Token is signed with the private key corresponding to the user's DID, providing cryptographic proof of authentication.
05

Wallet & Holder Binding

A critical security mechanism in SIOPv2 is Holder Binding. It ensures the Verifiable Credentials presented are genuinely possessed by the authenticating user. This is achieved by proving control of the DID that is the subject of the credentials. The wallet signs the ID Token with the same key material linked to that DID, cryptographically binding the user's authentication to their credentials.

06

Relationship to OIDC & Verifiable Credentials

SIOPv2 is a profile of the OpenID Connect (OIDC) standard, re-purposing its flows for a decentralized model. Instead of an OpenID Provider (OP) like Google, the user acts as their own Self-Issued OP. It is designed to work seamlessly with W3C Verifiable Credentials, allowing standardized, interoperable credentials to be presented within the OIDC authentication framework.

EXPLORE
ARCHITECTURAL COMPARISON

SIOPv2 vs. Traditional OpenID Connect

A comparison of the decentralized Self-Issued OpenID Provider v2 (SIOPv2) protocol with the traditional, centralized OpenID Connect (OIDC) flow.

Feature / ComponentSIOPv2 (Decentralized)Traditional OIDC (Centralized)

Identity Provider (IdP)

User's own wallet or device (Self-Issued)

Centralized third-party service (e.g., Google, Auth0)

Core Credential

Decentralized Identifier (DID) and Verifiable Credentials (VCs)

Centralized user account identifier (e.g., email, username)

Trust Anchor

Verifiable Data Registry (e.g., blockchain, DID method)

Trusted third-party IdP and its certificate authority

User Consent & Data Portability

User holds and selectively discloses credentials

User data is stored and controlled by the IdP

Authentication Flow

Direct presentation of a Verifiable Presentation (VP) to the Relying Party

Redirect through a centralized OIDC provider (Authorization Code Flow)

Standardization Body

OpenID Foundation (OIDF) & W3C (DIDs, VCs)

OpenID Foundation (OIDF) & IETF (OAuth 2.0)

Primary Use Case

Decentralized identity, user-centric data sharing, SSI

Federated login for web and mobile applications

use-cases
PRACTICAL APPLICATIONS

SIOPv2 Use Cases

Self-Issued OpenID Provider v2 (SIOPv2) enables user-centric, decentralized identity verification. These cards explore its primary applications for secure, portable authentication.

01

Decentralized Login (dLogin)

SIOPv2 enables passwordless, phishing-resistant login to web applications using a Decentralized Identifier (DID) and cryptographic proof, replacing traditional OAuth flows.

  • User Control: Users authenticate directly from their digital wallet (e.g., MetaMask, Spruce ID) without relying on a central identity provider.
  • Protocol: Functions as a Relying Party in the OpenID Connect protocol, where the user acts as their own OpenID Provider.
  • Example: Logging into a DeFi dashboard by signing a SIOPv2 request with your Ethereum wallet, proving control of your did:ethr DID.
EXPLORE
02

Verifiable Credential Presentation

SIOPv2 is the authentication layer for presenting W3C Verifiable Credentials (VCs), enabling selective disclosure of attested claims.

  • Flow Extension: Often combined with the OpenID for Verifiable Credentials (OIDC4VC) protocol. The SIOPv2 exchange establishes the session, and a subsequent Verifiable Presentation is submitted.
  • Selective Disclosure: Users can prove specific claims (e.g., "I am over 18") from a credential without revealing the entire document.
  • Use Case: Proving KYC status to a regulated exchange by presenting a credential from a trusted issuer, authenticated via your SIOP DID.
EXPLORE
03

Cross-Domain Single Sign-On (SSO)

Provides a decentralized SSO experience across unrelated services, using the user's portable DID as the common identifier instead of a corporate directory.

  • Portability: Your identity is not locked to a specific domain (e.g., @company.com) or social provider (Google, Facebook).
  • Trust Framework: Services trust the cryptographic proof from your DID's public key, not a central authority.
  • Architecture: Enables SSO across a consortium of organizations or within decentralized autonomous organizations (DAOs) where no central IT exists.
EXPLORE
04

Wallet-to-Wallet Authentication

Enables secure authentication and session establishment directly between two user-controlled agents, such as mobile or browser extension wallets.

  • Peer-to-Peer: Facilitates interactions like secure messaging, peer-to-peer transactions, or accessing a user's decentralized data vault.
  • Session Keys: The established session can be used to derive ephemeral keys for ongoing, secure communication.
  • Protocol Foundation: A core mechanism for Decentralized Web Nodes (DWN) and other agent-to-agent communication protocols in the SSI (Self-Sovereign Identity) stack.
EXPLORE
05

Compliance & Regulatory Proofs

Streamlines regulatory compliance (e.g., Travel Rule, AML) by allowing users to cryptographically prove attributes to regulated entities in a privacy-preserving manner.

  • Auditable Proofs: Entities receive a verifiable presentation with a cryptographic audit trail, reducing manual checks.
  • Privacy by Design: Users minimize data exposure using zero-knowledge proofs or selective disclosure.
  • Real-World Use: A crypto wallet proving its user's jurisdiction or accredited investor status to a decentralized exchange (DEX) or lending protocol prior to high-value transactions.
EXPLORE
06

IoT & Device Authentication

Provides a scalable model for authenticating Internet of Things (IoT) devices and machines using DIDs, enabling secure machine-to-machine (M2M) communication.

  • Device Identity: Each device has its own DID stored in a secure element, used to sign SIOPv2 requests.
  • Automated Flows: Enables autonomous devices to authenticate to networks, APIs, or other devices without human intervention.
  • Supply Chain: Devices can prove their manufacturer, firmware version, and compliance status throughout their lifecycle.
EXPLORE
ecosystem-usage
SIOPv2

Ecosystem & Implementations

SIOPv2 (Self-Issued OpenID Provider v2) is a decentralized identity standard that enables users to authenticate using self-issued credentials from their own digital wallet, without relying on a centralized identity provider.

01

Core Protocol Specification

Defined by the OpenID Foundation, SIOPv2 is a profile of the OpenID Connect (OIDC) protocol. It replaces the traditional OIDC Relying Party (RP) to Identity Provider (IdP) flow with a direct RP to Wallet interaction. The user's wallet acts as the Self-Issued OpenID Provider, generating and signing ID Tokens containing verifiable claims.

EXPLORE
02

Integration with Verifiable Credentials

SIOPv2 is designed to work seamlessly with W3C Verifiable Credentials (VCs). The ID Token can act as a Verifiable Presentation, containing or referencing VCs held in the user's wallet. This creates a unified flow where authentication and credential presentation happen in a single user consent step, forming the basis for Sign-In with Ethereum (SIWE) and other decentralized login systems.

03

Wallet & Agent Implementations

User interaction is managed by identity wallets or agents. Key implementations include:

  • Browser Extension Wallets (e.g., MetaMask with Sign-In with Ethereum).
  • Mobile Wallet SDKs (e.g., Veramo, Walt.id).
  • Cloud/Edge Agents for non-custodial key management. These wallets handle DID resolution, key signing, and the user consent interface for releasing claims.
04

Relying Party Libraries & SDKs

For developers building applications (Relying Parties), several libraries simplify SIOPv2 integration:

  • Veramo (JavaScript/TypeScript)
  • DIDAuth libraries in various languages.
  • OIDC Client Adaptations configured for the siopv2 profile. These handle the authentication request/response flow, JWT verification, DID validation, and signature checks.
05

Use Case: Sign-In with Ethereum (SIWE)

SIWE is the most prominent application of SIOPv2. It defines a specific SIOPv2 profile where:

  • The user's Ethereum account serves as the identifier (using a did:pkh or did:ethr DID).
  • The wallet signs a standardized EIP-4361 message format contained within the SIOPv2 ID Token.
  • This provides a cryptographically secure, self-custodied login alternative to platforms like Google or Facebook.
EXPLORE
06

Governance & Standards Bodies

SIOPv2's development and interoperability are driven by key organizations:

  • OpenID Foundation (OIDF): Maintains the core SIOPv2 and OIDC specifications.
  • Decentralized Identity Foundation (DIF): Drives wallet and agent interoperability through working groups.
  • W3C Credentials Community Group: Ensures alignment with Verifiable Credentials data models. Collaboration ensures the standard remains open, vendor-neutral, and compatible with the broader SSI ecosystem.
SELF-ISSUED IDENTITY PROTOCOL

Technical Deep Dive

SIOPv2 is a foundational standard for decentralized identity, enabling users to authenticate with services using credentials they control, without relying on centralized identity providers.

SIOPv2 (Self-Issued OpenID Provider v2) is a decentralized identity protocol that allows an individual to act as their own OpenID Provider, using a Decentralized Identifier (DID) and Verifiable Credentials (VCs) to authenticate with a Relying Party (RP). It works by extending the OpenID Connect (OIDC) flow: instead of redirecting to a third-party provider like Google, the user's SIOP wallet (e.g., a mobile app) generates a self-issued ID Token signed with the private key associated with their DID. This token contains claims about the user, which can be optionally backed by verifiable credentials, proving attributes like age or membership without revealing the underlying credential data.

security-considerations
SIOPV2

Security & Privacy Considerations

Self-Issued OpenID Provider v2 (SIOPv2) is a decentralized identity protocol enabling users to authenticate using self-custodied credentials, such as a blockchain wallet, without relying on a centralized identity provider.

01

Decentralized Authentication

SIOPv2 shifts the authentication authority from a central server (like Google or Facebook) to the user's own device. The user's wallet acts as the OpenID Provider (OP), directly issuing ID Tokens signed with the user's private key. This eliminates reliance on third-party identity providers and their associated data collection practices.

EXPLORE
02

Verifiable Presentation & Minimal Disclosure

A core privacy feature is the ability to present cryptographically verifiable claims without revealing the entire credential. Using Selective Disclosure or Zero-Knowledge Proofs (ZKPs), a user can prove they are over 21 without disclosing their exact birth date or other personal data, adhering to data minimization principles.

03

Phishing & Replay Attack Mitigation

The protocol includes several defenses against common attacks:

  • Nonce and State Parameters: Prevent replay attacks by ensuring authentication responses are unique to a single request.
  • Audience (aud) Claim: The ID Token is cryptographically bound to the specific Relying Party's (RP) client ID.
  • User-Initiated Flow: Authentication is always triggered by a user action (e.g., signing a message), making unsolicited auth requests ineffective.
04

Key Management & Custody Risks

Security is contingent on the user's ability to secure their signing key (e.g., a wallet's private key). This introduces risks:

  • Key Loss: Losing the private key means losing the digital identity, with no central recovery mechanism.
  • Key Theft: Compromise of the device or seed phrase leads to full identity theft.
  • User Responsibility: Shifts the security burden and complexity from service providers to end-users.
05

Decentralized Identifiers (DIDs) as Issuer

SIOPv2 uses Decentralized Identifiers (DIDs) as the issuer (iss) of the ID Token. The DID is a URI that points to a DID Document containing public keys. This allows any verifier to resolve the DID, fetch the public key, and independently verify the token's signature without a central registry, ensuring cryptographic verifiability across systems.

06

Interoperability with Existing OAuth2/OpenID Connect

SIOPv2 is designed as a profile of OAuth 2.0 and OpenID Connect Core 1.0. This allows Relying Parties (RPs) to integrate decentralized authentication using familiar libraries and flows. The SIOP Relying Party treats the user's wallet as a standard, but decentralized, OpenID Provider, simplifying adoption while maintaining the security and privacy benefits of the protocol.

EXPLORE
SIOPV2

Common Misconceptions

Self-Issued OpenID Provider v2 (SIOPv2) is a core standard for decentralized identity, often misunderstood in its relationship to blockchain and Verifiable Credentials. This section clarifies key technical distinctions.

No, SIOPv2 is not a blockchain protocol. SIOPv2 is a decentralized identity standard that extends the OpenID Connect (OIDC) framework to allow an individual to act as their own identity provider (Self-Issued) without relying on a centralized service. It is an authentication protocol that can be used with any Decentralized Identifier (DID) method, some of which are implemented on blockchains. The blockchain may be used to anchor and verify the DID's cryptographic keys, but SIOPv2 itself operates at the application layer for secure, user-centric sign-in flows.

Key Distinction: Think of SIOPv2 as the "login button" standard that uses your decentralized identity (your DID), while the blockchain is one possible backend system for managing that identity's root of trust.

SIOPV2

Frequently Asked Questions (FAQ)

Self-Issued OpenID Provider v2 (SIOPv2) is a core standard for decentralized identity, enabling users to authenticate using their own digital wallets. This FAQ clarifies its purpose, mechanics, and role in the Web3 ecosystem.

Self-Issued OpenID Provider v2 (SIOPv2) is a decentralized identity protocol that allows a user to act as their own OpenID Provider using a digital wallet, such as a blockchain wallet, to authenticate to a Relying Party (RP). It works by extending the OAuth 2.0 and OpenID Connect (OIDC) framework: instead of relying on a centralized identity provider like Google, the user's wallet generates a Verifiable Presentation containing a Decentralized Identifier (DID) and Verifiable Credentials. The user signs an authentication request from the RP with their wallet's private key, proving control of their DID without revealing the key itself. This creates a secure, user-centric login flow where the individual maintains full control over their identity data.

ENQUIRY

Get In Touch
today.

Our experts will offer a free quote and a 30min call to discuss your project.

NDA Protected
24h Response
Directly to Engineering Team
10+
Protocols Shipped
$20M+
TVL Overall
NDA Protected Directly to Engineering Team