Access Management in idOS
The Access Management Protocol defines how access rights to user data are managed, ensuring that all requests are both authenticated and authorized before any data is shared. This protocol governs who has permission to access data stored in idOS, providing a structured and secure method for managing personal information while maintaining user control.
Authentication: Verifying Identity Before Granting Access
To grant access, users must first authenticate themselves, proving that they own the relevant identity and data. Authentication answers the question, “Who are you?” and is performed through a cryptographic wallet signature. This step ensures that only legitimate users can interact with idOS nodes. To protect against replay attacks, every authentication request includes an incrementing nonce, ensuring that past authentication signatures cannot be reused maliciously.
Authorization: Controlling What Actions Can Be Performed
Beyond authentication, all queries must be authorized to determine “What can you do?”. Authorization works by verifying the wallet signature and recovering the associated address, which is then injected into structured queries. This mechanism ensures that only those with legitimate permissions can perform actions on stored data, preventing unauthorized access and modification.
Granting Access to Third Parties
Once authentication and authorization are confirmed, users can grant access to their data to third parties, such as neobank apps, regulated financial modules or other individuals and entities. If access is requested through an app, the idOS SDK simplifies the process by automatically inserting the correct recipient’s wallet address. If the user grants access manually via the idOS Dashboard, they must input the recipient’s details themselves.
In both cases, the process remains secure and private: the user decrypts their own data, re-encrypts it using the recipient’s public key, and then uploads the encrypted data back to the idOS network. This ensures that only the intended recipient can access the data, preventing unauthorized parties from intercepting or decrypting it.
Types of Access Grants
(Delegated) Access Grants
An Access Grant gives an idOS Consumer access to one credential within an idOS User Profile. Access Grants can be revoked by the user at any time, unless they were associated with a regulatory time-lock at the time of issuance.
(Delegated) Write Grants
A Write Grant gives an idOS Issuer the ability to issue exactly one credential into an idOS User Profile. In addition to adding the credential, the Issuer also has the option to provide additional Access Grants to themselves or to a third party. This information is conveyed to the User before signing a Write Grant.
Delegated Version: Permits an authorized recipient to grant limited and controlled access to third parties on behalf of the original user. This is particularly useful for use cases involving brokers, aggregators, or platforms that verify credentials once and subsequently authorize selected trusted entities, simplifying repeated authorization workflows while preserving user-defined boundaries.
Continuous Data Availability, Even When Users Are Offline
A major advantage of the idOS Access Management system is that data remains continuously available, even if the original user is offline. Once an access grant has been issued, the recipient can retrieve the authorized data at any time, provided that the grant remains active. This eliminates reliance on user availability and allows businesses and services to securely access user data without requiring permanent downloads or redundant storage.
This persistent availability enables organizations to use the idOS as a decentralized, privacy-preserving customer relationship management (CRM) tool for verified users. Businesses and service providers can access user data on demand, maintaining a live and up-to-date identity verification process without storing unnecessary copies of user data, reducing compliance risks.
Revoking Access and Time-Locked Permissions
At any time, users retain full control over their data and can revoke access, immediately disabling the recipient’s ability to retrieve or decrypt the information. If a data recipient no longer requires access, or if a user changes their mind, revocation ensures that data permissions are always dynamic and adjustable.
For cases where regulatory compliance requires specific retention periods, access grants can be time-locked, ensuring that data remains accessible for a predefined duration before revocation is possible. For example, a financial institution may require a five-year data retention period due to compliance regulations. In such cases, revocation will only be possible once the time lock expires, ensuring compliance with data governance policies.
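The rules described on this page (nonce-based replay protection from the Authentication section, owner-only actions, and grants that stay revocable unless time-locked) as a small model, added here as an illustration and not taken from the idOS SDK or nodes. The wallet signature is stood in for by an HMAC over (address, nonce) using constructed secrets; real idOS nodes recover the address from an ECDSA wallet signature instead, and the addresses, credential ids and timestamps below are made up.

```python
"""Added model of idOS access rules: replay-protected authentication,
owner-checked revocation, and regulatory time-locks. Not SDK code."""
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed wallet secrets for the simulation only (stand-in for ECDSA keys).
WALLET_SECRETS = {"0xalice": b"alice-secret", "0xbank": b"bank-secret"}

def sign(address: str, nonce: int) -> str:
    """Stand-in for a wallet signature: HMAC over the address and nonce."""
    msg = f"{address}:{nonce}".encode()
    return hmac.new(WALLET_SECRETS[address], msg, hashlib.sha256).hexdigest()

@dataclass
class AccessGrant:
    owner: str
    consumer: str
    credential_id: str
    locked_until: int = 0      # unix time; 0 means no regulatory time-lock
    revoked: bool = False

@dataclass
class Node:
    last_nonce: dict = field(default_factory=dict)  # address -> highest nonce accepted
    grants: list = field(default_factory=list)

    def authenticate(self, address: str, nonce: int, signature: str) -> bool:
        """Verify the signature, then require a nonce strictly greater than the
        last accepted one so a captured request cannot be replayed."""
        if address not in WALLET_SECRETS:
            return False
        if not hmac.compare_digest(sign(address, nonce), signature):
            return False
        if nonce <= self.last_nonce.get(address, -1):
            return False
        self.last_nonce[address] = nonce
        return True

    def grant(self, owner, nonce, sig, consumer, credential_id, locked_until=0):
        if not self.authenticate(owner, nonce, sig):
            raise PermissionError("bad signature or replayed nonce")
        g = AccessGrant(owner, consumer, credential_id, locked_until)
        self.grants.append(g)
        return g

    def revoke(self, owner, nonce, sig, g, now):
        # Authorization: the recovered address must be the grant's owner.
        if not self.authenticate(owner, nonce, sig) or g.owner != owner:
            raise PermissionError("bad signature, replayed nonce, or not the owner")
        if now < g.locked_until:
            return False       # retention period still running: revocation refused
        g.revoked = True
        return True

    def can_read(self, consumer, credential_id):
        return any(g.consumer == consumer and g.credential_id == credential_id
                   and not g.revoked for g in self.grants)
```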