ThunderID is a lightweight, open-source Identity and Access Management (IAM) engine built to secure access for humans, AI agents, and machines.
Designed for the agentic era, ThunderID provides a developer-first IAM platform and supporting tools for securing applications, APIs, services, and agent-driven workflows across traditional and decentralized identity ecosystems, with post-quantum-ready security built in from the start.
Core design goals of ThunderID include:
- Agent-native identity: Manage AI agents as first-class identities with delegated authority, consent-aware access, traceability, and support for issuing verifiable credentials to agents. ThunderID also aims to expose IAM capabilities through interfaces that agents can use safely and programmatically.
- Decentralized identity: Bridge the adoption gap for relying parties by making it practical for service providers to consume, verify, and trust decentralized identity in real-world applications, including DIDs, verifiable credentials, digital wallets, trust registries, and issuer-verifier-holder interaction models.
- Cloud-native IAM: Provide a lightweight, containerized identity product that can run across on-premises and cloud environments, with declarative identity flows, policies, and configuration suitable for automation, versioning, and GitOps practices.
- Post-quantum-safe security: Build on a crypto-agile foundation where algorithms, key types, signing methods, and token protection mechanisms can evolve over time, including support for post-quantum-safe algorithms and hybrid transition approaches across key management, credential issuance, assertions, and secure service-to-service communication.
Get started by exploring how ThunderID can be used to secure:
- Applications - by following Securing B2C Application Guide
- AI Agents - by following Securing AI Agents Guide
To learn more about overall requirements, solution patterns of these scenarios, refer to the Use Cases section.
Visit Get ThunderID to learn more about installation methods.
-
Identity Management
- Humans, AI agents, and workloads as first-class identity types
- Hierarchical organizational units (OUs) and groups
-
Standards
- OAuth 2.1 and OpenID Connect, with PAR and PKCE
- WebAuthn / passkeys
- IdP federation — Google, Microsoft, GitHub, and any OIDC or SAML provider
-
User Journeys
- Login, registration, and recovery defined as journeys
- 20+ built-in executors - password, passkey, OTP, social login, consent, and more
- Orchestratable in the server or the application
- Themeable end-user UI
-
Authorization
- Hierarchical resources with derived permissions
- Role-based access control across users, agents, and applications
- Consent management with user-facing review
-
Developer Experience
- Console UI, REST APIs, and SDKs
- MCP server for managing and querying IAM from AI agents
-
Declarative and GitOps-Ready
- YAML resource definitions for every entity
- Immutable runtime
Please refer to the Contributing Guide for the different ways to contribute to this project and the relevant guidelines.
For code contributions, refer to the Contributing Code section for details on the prerequisites and instructions for running ThunderID in development mode.
Licenses this source under the Apache License, Version 2.0 (LICENSE), You may not use this file except in compliance with the License.
(c) Copyright 2026 WSO2 LLC.