KYNETRA AUTH · WEB 7.0 IDENTITY

Identity.
For Web 7.0.

The world's first enterprise IAM platform built natively for decentralized identity, verifiable credentials, and zero-knowledge proofs.

Decentralized identity · Verifiable credentials · Zero-knowledge proofs · AI-native risk · Self-sovereign identity.

7-layer

stack

W3C

compliant

Edge

native

13+

methods

Start Free →Explore Architecture

did-auth.flow● secure

$kynetra auth resolve did:kynetra:abc123...
>✓ DID Document fetched · 12ms
>✓ Verification methods: 2 keys
$kynetra auth challenge --did did:kynetra:abc123
>← challenge: 0xb4f...d9c2 (Ed25519)
$kynetra auth verify --sig 0x3f2a...e1b
>✓ Signature valid · risk-score: 0.04
>✓ VC presented: AgeOver18 (ZKP)
>✓ Session issued · 38ms total
$

EVOLUTION · WEB2 → WEB3 → WEB7

Three eras of identity.

Web2 trusted central providers. Web3 collapsed identity into a single wallet key. Web 7.0 makes identity verifiable, private, and sovereign — by design.

WEB 2.0

Managed Identity

Auth0 · Okta · WorkOS

You are a row in their database.

// Web 2.0 — central trust
const session = await auth0.login({
  email, password,
});
// → session.user_id on their server
// → if they leak, you leak

WEB 3.0

Wallet Identity

MetaMask · SIWE · WalletConnect

You are your wallet — and only that.

// Web 3.0 — wallet = identity
const sig = await wallet.signMessage(
  `Sign in: ${nonce}`
);
// → 0x address only
// → no verifiable claims, no privacy

WEB 7.0

Sovereign + Verifiable

Kynetra Auth

Verifiable. Private. Sovereign.

// Web 7.0 — DID + VC + ZKP
const proof = await kynetra.present({
  did: "did:kynetra:abc...",
  reveal: ["over18"],  // ZKP
  // → no DOB ever transmitted
});

SECTION 04 · ARCHITECTURE

The 7-layer identity stack.

From persistent storage to decentralized credentials, every concern lives at its own layer with clean contracts between them. Click any layer to expand.

Decentralized Identity Layer

DIDs, VCs, ZKPs and the W3C stack — the spine of Web 7.0 identity.

◆DID Resolution (did:kynetra:*)

◆VC Issuance & Verification (W3C VC 2.0)

◆Zero-Knowledge Proof Engine

◆OIDC4VCI · OIDC4VP

◆DIF Presentation Exchange

◆eIDAS 2.0 Wallet Compatibility

AI & Intelligence Layer

Every auth request is ML-scored in real time. Trust becomes adaptive.

◆ML Risk Scoring (sub-50ms)

◆Behavioral Biometrics

◆Anomaly Detection

◆Adaptive Step-Up Policies

◆VC Policy Evaluation Engine

Experience Layer

Pixel-perfect surfaces for admins, end-users and developers.

◆Next.js 15 Admin Console

◆End-User Identity Portal

◆iOS / Android Mobile SDKs

◆TypeScript SDK

◆React Components SDK

◆Developer Portal

API Gateway (Edge)

Verification at the edge — sub-50ms anywhere on Earth.

◆Cloudflare Workers

◆JWKS-verified JWT

◆Tenant Routing

◆Rate Limiting & Bot Detection

◆Request Signing (HMAC)

Identity Services

13+ identity methods — classical, modern, and Web 7.0.

◆Password · Magic Link

◆Social OAuth (Google, GitHub, MS, Apple, Discord)

◆SAML 2.0 · OIDC

◆WebAuthn / Passkeys

◆MFA (TOTP + Backup Codes)

◆DID Auth · VC-based Auth

◆SCIM 2.0 Provisioning

◆Org Invites & Lifecycle

Platform Services

Multi-tenant operations, audit, billing, hooks.

◆Multi-Tenant Management

◆RBAC + Wildcard Permissions

◆Hash-Chained Audit Logs

◆HMAC-Signed Webhooks

◆Stripe Billing

◆Notifications · Storage

Data & Persistence

The verifiable substrate — relational, cache, registry.

◆PostgreSQL (Drizzle ORM)

◆Redis (Sessions / Tokens)

◆DID Document Store

◆VC Registry

◆Revocation Lists

SECTION 05 · METHODS

14 identity methods. One API.

Classical, modern, and Web 7.0 — every authentication primitive your enterprise needs, from passwords to DID-based auth and verifiable credentials.

•••

Password

✉

Magic Link

G

Google OAuth

◐

GitHub OAuth

▦

Microsoft OAuth

Apple OAuth

◉

Discord OAuth

S

SAML 2.0

O

OIDC

⚷

WebAuthn / Passkeys

⊞

MFA (TOTP)

ɖ

DID Auth

✓

VC-based Auth

↻

SCIM 2.0

W3C DID CORE 1.0 COMPLIANT

Decentralized Identifiers.

The did:kynetra method is a W3C-conformant DID method backed by Kynetra Auth's verifiable registry. Each identifier resolves to a DID Document containing public keys, service endpoints, and rotation history — fully owned by the subject.

DID FORMAT

did:kynetra:z6MkvSh...abc123

schemedid

methodkynetra (W3C registered)

identifiermultibase Ed25519 pubkey

resolves toDID Document (JSON-LD)

DID DOCUMENT (JSON-LD)

{
  "@context": "https://w3.org/ns/did/v1",
  "id": "did:kynetra:z6Mkv...abc123",
  "verificationMethod": [{
    "id": "#key-1",
    "type": "Ed25519VerificationKey2020",
    "controller": "did:kynetra:z6Mkv...",
    "publicKeyMultibase": "z6Mkv..."
  }],
  "authentication": ["#key-1"],
  "assertionMethod": ["#key-1"],
  "service": [{
    "id": "#kynetra-vc",
    "type": "VerifiableCredentialRegistry",
    "serviceEndpoint": "https://vc.kynetra.dev"
  }]
}

SECTION 07 · VERIFIABLE CREDENTIALS

Sign once. Verify anywhere.

W3C Verifiable Credentials 2.0 — cryptographically signed claims (JWT-LD) that can be presented selectively, verified offline, and revoked through a public registry. No phone-home required.

✎

Issuer · Sign VC

import { KynetraAuth } from "@kynetra/auth";

const vc = await kynetra.vc.issue({
  issuer: "did:kynetra:org-acme",
  subject: "did:kynetra:user-abc",
  type: ["VerifiableCredential",
         "EmployeeCredential"],
  claims: {
    role: "engineer",
    startDate: "2024-03-01",
    clearance: "secret",
  },
  format: "jwt_vc_json-ld",
});
// → JWT-LD signed with org Ed25519 key

✓

Verifier · Verify VC

const result = await kynetra.vc.verify(vc, {
  expectedIssuer: "did:kynetra:org-acme",
  expectedType: "EmployeeCredential",
  checkRevocation: true,
});

if (result.valid) {
  // ✓ signature verified
  // ✓ issuer DID resolved
  // ✓ revocation list checked
  // ✓ claims policy passed
  grantAccess(result.claims);
}

SECTION 08 · ZERO-KNOWLEDGE PROOFS

Prove everything.
Reveal nothing.

Zero-Knowledge Proofs let users prove facts without revealing the underlying data. Powered by Pedersen commitments and Merkle membership proofs — selective disclosure as a first-class API.

USE CASE 01

Prove age > 18

without revealing DOB

kynetra.zkp.prove({
  claim: "ageOver18",
  attr: "dob",
})

USE CASE 02

Prove balance > $X

without revealing balance

kynetra.zkp.prove({
  claim: "balanceOver",
  threshold: 50000,
})

USE CASE 03

Prove residency

without revealing address

kynetra.zkp.prove({
  claim: "residentOf",
  region: "EU",
})

PRIMITIVE 01

Pedersen Commitments

Bind a value to a public commitment without revealing it. Hide arbitrary attributes while still proving relations between them.

PRIMITIVE 02

Merkle Membership

Prove a leaf belongs to a set with a logarithmic-size proof — perfect for whitelist membership, geo, or org-graph proofs without disclosure.

SECTION 09 · COMPARISON

Beyond Auth0, Clerk, WorkOS, Okta.

Every classical auth feature, plus the full Web 7.0 identity stack. Side-by-side, the gap is the future.

Feature	Auth0	Clerk	WorkOS	Okta	Kynetra Auth
Decentralized Identity (DID)	❌	❌	❌	❌	✅ did:kynetra
Verifiable Credentials (W3C VC 2.0)	❌	❌	❌	❌	✅
Zero-Knowledge Proofs	❌	❌	❌	❌	✅
Self-Sovereign Identity	❌	❌	❌	❌	✅
Edge-Native (Workers)	❌	⚠️	❌	❌	✅
AI-Native Risk Scoring	⚠️	❌	❌	⚠️	✅
Hash-Chained Audit	❌	❌	❌	❌	✅
OIDC4VCI / OIDC4VP	❌	❌	❌	❌	✅
eIDAS 2.0 Ready	❌	❌	❌	❌	✅
Multi-Tenant	✅	✅	✅	✅	✅
SAML / OIDC / Social	✅	✅	✅	✅	✅
Passkeys / WebAuthn	✅	✅	✅	✅	✅
MFA (TOTP)	✅	✅	✅	✅	✅
SCIM	✅	⚠️	✅	✅	✅

✅ = full support · ⚠️ = partial / limited · ❌ = not available

SECTION 10 · AI-NATIVE RISK

Every request, ML-scored.

Behavioral biometrics, device fingerprinting, and contextual signals fuse into a real-time risk score. Adaptive step-up policies trigger MFA only when risk warrants it.

BEHAVIORAL BIOMETRICS

<50ms

p99 scoring

Keystroke dynamics, mouse trajectories, scroll cadence — every login is shaped by a thousand signals.

ANOMALY DETECTION

99.7%

true-positive rate

Continuous learning across geo, device, time-of-day, and credential lineage. Stops account takeover at the door.

ADAPTIVE STEP-UP

0.04

median risk score

Step-up policies fire only when needed. Low-risk users stay frictionless; high-risk gets challenged.

SECTION 11 · EDGE-NATIVE

Verified at the edge.

Cloudflare Workers + a JWKS KV cache mean JWT and DID verification happen at the PoP nearest your user. No datacenter round-trip. Sub-50ms p99 verification, globally.

SFO

ORD

IAD

MIA

LHR

AMS

FRA

DXB

BOM

SIN

HKG

TYO

SYD

GRU

MAD

<50ms

p99 globally

300+

PoP locations

datacenter hops

JWKS

KV-cached

SECTION 12 · AUDIT

Tamper-evident. Always.

Every audit event is hashed with the prior event's hash — a cryptographic chain that breaks visibly if any record is altered. SOC 2, ISO 27001, GDPR Article 25 by default.

SHA-256 CHAIN

0x01user.signinad7…f0112:04:17

0x02session.refresh9c2…b8e12:04:22

0x03vc.presentf10…71d12:04:31

0x04role.grant33a…ce412:04:48

COMPLIANCE

SOC 2 Type II

ISO 27001

GDPR Art. 25

HIPAA-ready

PCI DSS

eIDAS 2.0

Audit logs export to your SIEM (Splunk, Datadog, Elastic) over webhook, S3, or pull API. Each event is signed and hash-chained to the prior event — making silent edits cryptographically impossible.

SECTION 13 · DEVELOPER EXPERIENCE

SDKs that just work.

Drop-in TypeScript, React components, mobile SDKs. Replace your existing Auth0 / Clerk integration in 30 minutes.

TypeScript SDK

auth.ts

import { KynetraAuth } from "@kynetra/auth";

const auth = new KynetraAuth({
  tenantId: process.env.KYNETRA_TENANT,
  apiKey:   process.env.KYNETRA_KEY,
});

const session = await auth.signIn({
  method: "passkey",
  identifier: "user@acme.com",
});

if (session.risk.score < 0.3) {
  return session;
}
await auth.stepUp("totp");

React Components

App.tsx

import {
  KynetraProvider,
  KynetraSignIn,
  useKynetra,
} from "@kynetra/react";

export default function App() {
  return (
    <KynetraProvider tenantId="...">
      <KynetraSignIn
        methods={["passkey", "did", "magic"]}
        onSuccess={(s) => router.push("/app")}
      />
    </KynetraProvider>
  );
}

Mobile SDK · iOS

AuthView.swift

import KynetraAuth

let kynetra = KynetraAuth(
  tenantId: "acme",
  apiKey: Bundle.main.kynetraKey
)

Task {
  let session = try await kynetra.signIn(
    method: .passkey
  )
  if session.vcs.contains("Employee") {
    showAdminScreen()
  }
}

SECTION 14 · STANDARDS

Open. Interoperable.

We don't lock anyone in. Kynetra Auth speaks every relevant identity standard — old, new, and emerging.

◆ W3C DID Core 1.0

◆ W3C VC 2.0

◆ OIDC4VCI

◆ OIDC4VP

◆ DIF Presentation Exchange

◆ eIDAS 2.0

◆ SAML 2.0

◆ SCIM 2.0

◆ OAuth 2.1

◆ OpenID Connect

◆ FIDO2 / WebAuthn

◆ JWT-LD

READY TO SHIP

Replace Auth0 in 30 minutes.

Every classical method + the full Web 7.0 stack. Drop-in SDK, sub-50ms edge verification, and hash-chained audit logs from day one.

Start Free →Read Docs

FREE TIER · 10,000 MAU · NO CREDIT CARD

Identity.For Web 7.0.