How do I integrate the EU Digital Identity Wallet (EUDIW) into my IAM platform?

Thoryn provides a working EUDIW connector that acts as an OpenID4VP relying party. Your application calls the Thoryn API to initiate a wallet presentation request. Thoryn handles ARF-aligned protocol negotiation, PID verification and credential validation. No need to implement OpenID for Verifiable Presentations or SD-JWT verification yourself.

Is Thoryn compliant with eIDAS 2.0 and the Architecture Reference Framework (ARF)?

Yes. Thoryn is architected for eIDAS 2.0 compliance from the ground up. The EUDIW connector follows the ARF specifications and supports OpenID4VP for verifiable presentations and SD-JWT selective disclosure. As a Netherlands-incorporated entity operating exclusively on EU infrastructure, Thoryn has no US CLOUD Act exposure — a critical requirement for regulated relying parties.

What is the difference between Thoryn and US-based IAM providers like WorkOS or Auth0 for eIDAS compliance?

US-incorporated IAM vendors remain subject to the CLOUD Act even when hosting data in EU data centers. A US federal subpoena can compel disclosure of identity data regardless of server location. Thoryn is incorporated in the Netherlands with EU-only infrastructure and no US parent, placing it completely outside CLOUD Act jurisdiction — a hard requirement for organizations processing eIDAS-level identity data under NIS2 and DORA.

eIDAS 2.0 Working EUDIW connector — become a relying party today

Enterprise IAM.
Built in Europe.

Add SSO, SCIM and KYC to your product with a few lines of code. No US jurisdiction risk. NIS2 and DORA-ready out of the box.

Request access Talk to us

No SSO tax EU-only infrastructure CLOUD Act-free NIS2 & DORA-ready

thoryn dashboard

FEATURES

Audit logs Immutable event trail

Enabled

Enterprise SSO SAML · OIDC · any IdP

Enabled

SCIM provisioning Auto user sync

Enabled

KYC verification EU-only · GDPR native

Enabled

Custom domains White-label auth

Disabled

Enterprise SSO· Ready · Enabled EUDIW Connector· POC Live · eIDAS 2.0 SCIM Provisioning· Ready · Enabled OpenID4VP· ARF 1.4 · Enabled KYC Verification· Ready · Enabled SD-JWT Credentials· Ready · Enabled Audit Logs· Ready · Enabled SAML 2.0· Ready · Enabled OIDC· Ready · Enabled PID Verification· LoA High · Enabled NIS2 Compliance· Ready · Enabled DORA Readiness· Ready · Enabled EU Data Residency· Ready · Enabled Relying Party API· eIDAS 2.0 · Enabled Enterprise SSO· Ready · Enabled EUDIW Connector· POC Live · eIDAS 2.0 SCIM Provisioning· Ready · Enabled OpenID4VP· ARF 1.4 · Enabled KYC Verification· Ready · Enabled SD-JWT Credentials· Ready · Enabled Audit Logs· Ready · Enabled SAML 2.0· Ready · Enabled OIDC· Ready · Enabled PID Verification· LoA High · Enabled NIS2 Compliance· Ready · Enabled DORA Readiness· Ready · Enabled EU Data Residency· Ready · Enabled Relying Party API· eIDAS 2.0 · Enabled

Features

Everything enterprise-ready.
Zero US jurisdiction.

The complete IAM stack your enterprise customers require — built natively on EU infrastructure, outside CLOUD Act reach.

Enterprise SSO

SAML 2.0 and OIDC support for any identity provider — Okta, Entra ID, Google Workspace and more. One integration, all IdPs.

SCIM Provisioning

Automatic user and group sync from corporate directories. Users are provisioned and deprovisioned in real time.

KYC Verification

EU-native identity verification with GDPR-compliant data handling. No data leaves European jurisdiction.

Audit Logs

Immutable, tamper-proof event trail. Query, export and forward logs to your SIEM. Required for NIS2 and DORA.

Universal Gateway

Bridge legacy LDAP and Active Directory into modern SAML/OIDC flows. Sell into enterprise without rearchitecting.

Admin Portal

Self-serve setup for your customers' IT admins. Send a link — they configure their IdP themselves. No back-and-forth.

Modern SDKs

Node.js, Python, Go and REST APIs. Normalised objects, webhook events and multiple environments out of the box.

eIDAS 2.0 eIDAS 2.0

Architected for EU Digital Identity from the ground up. EUDIW compatible by design — when the wallet rolls out, your customers won't need to re-integrate.

NIS2 & DORA-ready

Built to meet NIS2 Article 21 and DORA ICT risk requirements by default. Compliance documentation included.

Developer-first

Integrate in minutes,
not months.

A clean REST API with normalised responses. Add enterprise SSO to your product with under 10 lines of code.

Install the SDK

One package covers SSO, SCIM, KYC and audit logs. Works with your existing auth stack.

Redirect to thoryn

Send your user to the thoryn-hosted auth flow. We handle the IdP negotiation, SAML assertion validation and token exchange.

Receive a normalised profile

A consistent user object regardless of which IdP your customer uses. Ship once, works everywhere.

RESTful, JSON, webhooks

Standard patterns throughout. Real-time webhook events for directory sync, user provisioning and audit log forwarding.

Node.js

// Get profile + token from an IdP after SSO
import Thoryn from '@thoryn/node';

const thoryn = new Thoryn('sk_eu_live_...');

const profile = await thoryn.sso.getProfileAndToken({
  code: req.query.code,
  clientId: 'client_eu_...',
});

// Normalised profile — works for any IdP
// {
//   id: 'prof_01EU...',
//   email: '[email protected]',
//   connection_type: 'okta',
//   jurisdiction: 'EU',
//   nis2_ready: true
// }

How thoryn compares

The enterprise auth stack. Built in Europe.

Most identity platforms give you the features. Only thoryn gives you the features without the US jurisdiction risk.

Feature	WorkOS / Auth0	thoryn
SSO — SAML & OIDC	✓	✓
SCIM provisioning	✓	✓
Audit logs	✓	✓
Admin portal	✓	✓
KYC & identity verification	—	✓
Legacy protocol gateway	—	✓
EU-only infrastructure NIS2 · DORA	—	✓
Outside US CLOUD Act jurisdiction	—	✓
eIDAS 2.0 / EUDIW compatible by design eIDAS 2.0	—	✓
NL-incorporated legal entity	—	✓

* Jurisdiction rows reflect corporate structure and data residency of US-headquartered providers, regardless of EU data center availability. A US CLOUD Act subpoena applies regardless of where servers are located.

Products

One platform. Every enterprise auth requirement.

Ship the features your biggest prospects demand — without building them yourself.

SSO

SAML 2.0 and OIDC. Connects to Okta, Entra ID, Google Workspace, OneLogin, ADFS and any custom IdP. Your customer's IT admin self-configures via the hosted portal.

Directory Sync

SCIM 2.0 provisioning from Okta, Entra ID, Google Workspace, BambooHR and more. Users and groups stay in sync automatically — deprovision in seconds.

KYC

EU-native identity verification for fintech, banking and crypto. GDPR-compliant by design, with no data leaving European jurisdiction. eIDAS-ready.

Time to value

Live in 5 days. No surprises.

A straightforward integration with a self-serve setup flow for your customers — ship once and move on.

Day 1–2

Integrate

Install the SDK, add a few lines of code, configure redirect URIs. Works alongside your existing auth stack.

Day 3

Configure

Create your customer's org in the dashboard. Send them a self-serve link — they configure their IdP, no back-and-forth.

Day 4–5

Go live

Test end-to-end with a real or sandbox IdP. Your first enterprise customer is live — on EU-only infrastructure, fully NIS2/DORA-ready.

COMPLIANCE STATUS

NIS2 Article 21 ✓ Compliant

DORA ICT risk ✓ Ready

GDPR data residency ✓ EU-only

CLOUD Act jurisdiction ✗ Not applicable

Legal entity NL · KvK registered

Why thoryn

Compliance isn't a feature.
It's the foundation.

US-incorporated IAM vendors — even those with EU data centers — remain subject to CLOUD Act jurisdiction. That's a compliance gap your enterprise customers are closing.

Zero US CLOUD Act exposure

NL-incorporated, EU-infrastructure, no US parent. Your identity data is completely outside American legal reach.

NIS2 & DORA out of the box

Audit logs, incident reporting and ICT risk controls are built in — not bolted on. Pass your next compliance audit faster.

Close enterprise deals, not security reviews

Send your prospect's CISO to thoryn's trust page. The compliance questions answer themselves.

No SSO tax

Enterprise SSO included in all plans. We believe security features shouldn't be a pricing penalty.

eIDAS 2.0 · EUDIW

Become a relying party.
Without the integration burden.

The EU Digital Identity Wallet (EUDIW) rolls out across all 27 member states by 2026. Regulated sectors — banks, telecoms, energy, public services — must accept wallet-based authentication. Thoryn's EUDIW connector handles the full ARF-aligned protocol stack so your team doesn't have to.

Our working proof-of-concept accepts PID (Person Identification Data) from EUDIW-compliant wallets via OpenID for Verifiable Presentations (OpenID4VP). Credentials are verified against the EU trust framework and returned as a normalised identity object — the same API your SSO integration already uses.

Protocol OpenID for Verifiable Presentations (OpenID4VP)

Credential format SD-JWT VC · mdoc (ISO 18013-5)

Framework ARF 1.4+ · eIDAS 2.0 Implementing Acts

Identity data PID · LPID · EAA · QEAA

Jurisdiction EU-only · No CLOUD Act exposure · NL incorporated

Assurance level LoA High (eIDAS) · Suitable for regulated onboarding

Request connector demo Technical docs

thoryn — EUDIW connector flow POC live

Your app initiates a presentation request

POST /v1/wallet/request
→ returns a QR code + deep link URI

User scans with their EUDIW wallet app

OpenID4VP request_uri deliveredARF 1.4
Selective disclosure — only requested attributes

Thoryn verifies credential & trust chain

SD-JWT signature validationEU trust list
Issuer certificate checked against LOTL

Normalised identity returned to your app

{ id, given_name, family_name, pid_verified: true,
loa: "high", jurisdiction: "EU", nis2_ready: true }

Same API as your existing SSO integration

No new SDK needed · webhook events includedGDPR native

Pricing

Simple, transparent pricing.

Tailored to your scale. We price per conversation — no tiers, no surprise overages, no SSO tax. Contact us to discuss the right plan for your organisation.

[email protected]

No SSO tax

No per-seat surprises

EU-only infrastructure included

NIS2 & DORA compliance included

Enterprise IAM.Built in Europe.

Everything enterprise-ready.Zero US jurisdiction.

Enterprise SSO

SCIM Provisioning

KYC Verification

Audit Logs

Universal Gateway

Admin Portal

Modern SDKs

eIDAS 2.0 eIDAS 2.0

NIS2 & DORA-ready

Integrate in minutes,not months.

Install the SDK

Redirect to thoryn

Receive a normalised profile

RESTful, JSON, webhooks

The enterprise auth stack. Built in Europe.

One platform. Every enterprise auth requirement.

SSO

Directory Sync

KYC

Live in 5 days. No surprises.

Integrate

Configure

Go live

Compliance isn't a feature.It's the foundation.

Zero US CLOUD Act exposure

NIS2 & DORA out of the box

Close enterprise deals, not security reviews

No SSO tax

Become a relying party.Without the integration burden.

Simple, transparent pricing.

Talk to us.

Enterprise IAM.
Built in Europe.

Everything enterprise-ready.
Zero US jurisdiction.

Integrate in minutes,
not months.

Compliance isn't a feature.
It's the foundation.

Become a relying party.
Without the integration burden.