Start with Identity
12 deep dives

Identity standards, explained

Standards tracker →

The protocols that hold identity together, in plain language: what each one is, how it works, where it stands, and the pitfalls to avoid. For the at-a-glance status table, see the research tracker.

OAuth 2.0
stable
RFC 6749 (+ RFC 6750) · IETF

OAuth 2.0 is the delegated authorization framework that lets an app obtain scoped access to resources on a user's behalf. It is about access, not identity.

OAuth 2.1
draft
draft-ietf-oauth-v2-1 · IETF

OAuth 2.1 is a consolidation of OAuth 2.0 plus a decade of security best practice into a single, safer-by-default specification.

OpenID Connect (OIDC)
stable
OpenID Connect Core 1.0 · OpenID Foundation

OpenID Connect is the identity layer on top of OAuth 2.0. It is what you use to log a user in and learn who they are.

SAML 2.0
stable
OASIS SAML v2.0 · OASIS

SAML 2.0 is the XML-based standard behind enterprise single sign-on. It is older than OIDC but remains the lingua franca of enterprise federation.

WebAuthn / FIDO2
draft
W3C Web Authentication Level 3 · W3C

WebAuthn and FIDO2 are the standards behind passkeys and security keys: public-key authentication that is resistant to phishing by design.

FAPI (Financial-grade API)
stable
FAPI 1.0 and FAPI 2.0 · OpenID Foundation

FAPI is a hardened OAuth and OIDC security profile for high-risk APIs such as open banking, where a standard OAuth setup is not strong enough.

SCIM 2.0
stable
RFC 7643 & RFC 7644 · IETF

SCIM is the standard for automatically provisioning and deprovisioning user accounts across applications. It is how identity flows between systems.

Verifiable Credentials & SD-JWT
recommendation
W3C VC Data Model 2.0; IETF SD-JWT VC · W3C / IETF

Verifiable Credentials are tamper-evident digital credentials a user holds in a wallet and presents without contacting the issuer. They underpin decentralized identity and the EU wallet.

Decentralized Identifiers (DID)
recommendation
W3C DID Core 1.0 · W3C

Decentralized Identifiers are identifiers a subject controls without a central registry, resolving to a document of public keys and endpoints. They anchor the trust in decentralized identity.

eIDAS 2.0 & the EU Digital Identity Wallet
stable
Regulation (EU) 2024/1183 + Architecture and Reference Framework (ARF) · European Commission

eIDAS 2.0 mandates a digital identity wallet for every EU citizen and is the largest real-world driver of decentralized identity, verifiable credentials, and the OpenID4VC protocols.

ISO/IEC 18013-5 Mobile Driver's License (mDL)
stable
ISO/IEC 18013-5:2021 (+ 18013-7 for online) · ISO/IEC

ISO/IEC 18013-5 is the standard for driver's licenses issued to a phone wallet, with selective disclosure in person and, via 18013-7, online. It is the fastest-moving government credential format.

OpenID for Verifiable Credentials (OpenID4VC)
stable
OpenID4VCI, OpenID4VP, SIOPv2 + HAIP 1.0 · OpenID Foundation

OpenID4VC is the OpenID Foundation family that issues and presents verifiable credentials over OAuth 2.0. It is the transport layer turning decentralized identity standards into working wallets.