DID Protocol Comparison

Decentralized Identity: Comparing DID Protocols and Infrastructure

Self-sovereign identity (SSI) promised users control over their own credentials without centralized intermediaries. The protocols that emerged, from Hyperledger Indy to Sovrin to Veramo, each solved parts of that problem but left critical gaps: no token economics to sustain node operators, no post-quantum security for long-lived credentials, and no native support for AI agent identity delegation. Autheo TheoID is built as a native OS layer to close all three.

DID Protocol Feature Comparison

| Feature | Hyperledger Indy | Sovrin Network | Veramo (uPort) | Autheo TheoID |
| --- | --- | --- | --- | --- |
| Status | Active (maintenance mode) | Dissolved May 2025 | Active SDK | Active (Layer-0 OS) |
| Type | Permissioned ledger | Permissioned ledger (archive) | Developer SDK | Native OS layer |
| Post-Quantum Crypto | None | None | None | Yes (Kyber / Dilithium / Falcon) |
| Token Economics | None | None (collapsed) | None | THEO utility token |
| Native AI Integration | None | None | None | THEO AI (OS layer) |
| Smart Contracts | None | None | None | Yes (multi-language) |
| W3C DID Compliant | Yes (did:indy) | Yes (did:sov, archive) | Yes (multi-method) | Yes (TheoID) |

Protocol Deep Dives

Permissioned Ledger (Active)

Hyperledger Indy

Hyperledger Indy is an open-source distributed ledger built specifically for decentralized identity. Originally contributed by the Sovrin Foundation to the Linux Foundation's Hyperledger project in 2017, it provides the core primitives for W3C verifiable credentials: schemas, credential definitions, and revocation registries anchored on a permissioned ledger. The did:indy method is among the most widely deployed DID methods in production enterprise environments.

Indy's architecture centers on a Byzantine fault-tolerant consensus layer (Plenum BFT), a ledger of NYM transactions for DID registration, and an ATTRIB transaction type for arbitrary service endpoint metadata. The Hyperledger Aries framework provides the agent and protocol layer on top of Indy, handling credential exchange via DIDComm messaging.

Strengths include a well-specified anoncreds credential format, zero-knowledge proof support for selective disclosure, a large ecosystem of compatible wallets and agents, and significant adoption in government identity programs across Canada, the United States, and Europe. The codebase is mature and well understood by implementers.

Limitations: Indy uses classical elliptic curve cryptography (Ed25519 and X25519), which is vulnerable to quantum attacks. The ledger requires a consortium of known validators to operate, creating governance overhead. There is no native token economy, meaning node operators must be funded through grants or institutional budgets. The project is in maintenance mode, with no major feature development planned.

Permissioned Ledger (Dissolved May 2025)

Sovrin Network

The Sovrin Foundation formally dissolved on May 21, 2025, making it the most significant governance failure in the decentralized identity space to date. Sovrin operated the first public production DID network, launched in 2017, and at its peak hosted millions of DIDs used in healthcare, education, and financial services credentials. The did:sov method was among the first registered in the W3C DID registry.

The collapse was structural rather than technical. Sovrin relied on a volunteer steward model: organizations paid to run nodes with no financial return. Sustaining infrastructure requires continuous operational funding, and the Foundation accumulated approximately $2 million in liabilities with no path to solvency. Without token economics to align steward incentives, the network had no self-sustaining revenue mechanism.

The Sovrin MainNet ledger remains readable in archive mode. Existing DIDs anchored on the ledger can still be resolved through community-maintained resolvers, but no new credential definitions or NYM transactions are being accepted. The governance framework, trust registry, and steward agreements are no longer operative.

Organizations that issued verifiable credentials on Sovrin must now migrate their schemas and credential definitions to an alternative network. The Sovrin collapse is a direct case study for why identity infrastructure requires economic sustainability mechanisms, not just technical correctness.

Developer SDK (Active)

Veramo (formerly uPort)

Veramo is a JavaScript and TypeScript SDK for building applications that work with DIDs and verifiable credentials. Originally developed as the uPort project by ConsenSys, the codebase was refactored and relaunched as Veramo in 2020 by the team at Spruce ID's predecessor. Veramo takes a method-agnostic approach: it supports dozens of DID methods (did:ethr, did:key, did:web, did:ion, and others) through a plugin architecture.

Where Veramo excels is developer flexibility. Applications can combine DID methods, credential formats (JWT, JSON-LD, SD-JWT), and storage backends within a single agent instance. The plugin system makes it straightforward to add new methods or integrations without forking the core. This design suits projects that need to support multiple identity ecosystems from one codebase.

Limitations are equally structural. Veramo is a library, not infrastructure: it requires the developer to provision and maintain the underlying DID method ledgers, key management stores, and credential registries. Node operation, uptime, and governance remain the developer's responsibility. There is no native token model, no consensus layer, and no post-quantum algorithm support in the default configuration.

Veramo is a strong choice for prototyping multi-method identity applications or building credential wallets. It is not a complete identity infrastructure solution; it depends on external ledgers and registries to function.

Native OS Layer (Active)

Autheo TheoID

TheoID is Autheo's native identity layer, built directly into the Autheo OS rather than as a separate ledger or library. Every address, agent, and smart contract on Autheo has an associated TheoID, making identity a first-class primitive rather than an optional integration. The DID method is W3C compliant and resolves to DID documents containing both classical and post-quantum public keys.

Post-quantum security is native and non-optional. TheoID uses ML-KEM (Kyber) for key encapsulation, ML-DSA (Dilithium) for credential signatures, and SLH-DSA (FALCON) as an auxiliary signature scheme. These are the algorithms standardized by NIST in FIPS 203, 204, and 205, finalized in August 2024. Credentials signed by TheoID are designed to remain cryptographically valid for the 10 to 20 year lifespan that enterprise and government credentials typically require.

Token economics solve the Sovrin problem directly. THEO token holders who operate identity nodes receive staking rewards denominated in THEO, creating a self-sustaining incentive structure without reliance on grants or volunteer commitments. Node operators are economically aligned with network uptime and credential availability.

THEO AI integration enables a delegation model unique to TheoID: human principals can grant bounded, revocable DID authority to AI agents. An agent can hold a derived DID scoped to specific actions, resource types, or time windows, with the parent DID retaining full revocation rights. This makes TheoID the only production-grade identity layer designed from the ground up for both human and AI agent credentials.

Why Post-Quantum Cryptography Matters for Identity

NIST Finalization: August 2024

NIST published FIPS 203 (ML-KEM / Kyber), FIPS 204 (ML-DSA / Dilithium), and FIPS 205 (SLH-DSA / SPHINCS+) in August 2024, marking the first standardized post-quantum cryptographic algorithms for general use. These standards are now the baseline for new cryptographic systems that require long-term security. Any identity infrastructure built on classical algorithms (Ed25519, RSA, ECDSA) is operating below this baseline.

Harvest Now, Decrypt Later

The "harvest now, decrypt later" attack is specifically dangerous for credential infrastructure. An adversary can collect encrypted credential exchanges today and decrypt them once a sufficiently powerful quantum computer becomes available. For credentials containing health records, financial status, or government identity attributes, the confidentiality window extends far beyond the typical threat horizon organizations plan for.

10 to 20 Year Credential Lifespans

Credentials issued today by healthcare systems, universities, and government agencies are routinely expected to remain valid for 10 to 20 years. Cryptographic estimates place large-scale quantum computers within that same window. A credential signed with classical cryptography in 2025 and still in use in 2040 may be vulnerable to retroactive forgery or decryption by 2035. Post-quantum signing is not a future concern: it is a present requirement for any credential intended to remain valid beyond this decade.

Only TheoID Ships PQC Natively

Among the four protocols compared on this page, only Autheo TheoID includes post-quantum cryptography as a built-in, non-optional feature. Hyperledger Indy and Veramo both use classical Ed25519 / X25519 key pairs with no roadmap for post-quantum migration. Sovrin is no longer operational. TheoID's PQC implementation is not experimental: it is built on the finalized NIST standards and active in production.

AI Agent Identity: The New Frontier

Current DID protocols were designed for human subjects and organizational entities. The credential exchange models in Hyperledger Aries, the Sovrin governance framework, and Veramo's agent architecture all assume a human wallet holder who actively consents to each credential presentation. AI agents operating autonomously on behalf of users do not fit this model cleanly.

As autonomous agents become capable of negotiating contracts, accessing services, and executing multi-step workflows, they need identifiers that carry bounded, auditable authority. An AI agent booking a medical appointment on behalf of a user needs to demonstrate that it is authorized to act for that specific person, for that specific type of action, within a specific time window. Classical DID delegation mechanisms were not designed for this granularity.

TheoID's agent delegation model allows a human DID holder to issue derived agent credentials that specify action scope, resource types, time bounds, and revocation conditions. The derived DID is cryptographically linked to the parent DID, creating a verifiable chain of authority. Revocation by the parent is instant and does not require coordination with the agent or any third party.

THEO AI operates natively within this identity model: every inference request, tool call, and external service interaction made by a THEO AI agent is associated with a scoped TheoID, creating a complete and auditable identity trail for agent actions. This is the only deployed implementation of AI agent identity at the infrastructure layer currently available.

Bounded Authority

Agent DIDs are scoped to specific actions and resource types. Agents cannot exceed the permissions granted by the parent DID holder.

Instant Revocation

Parent DID holders can revoke agent credentials immediately. No coordination with the agent or third parties is required.

Auditable Trails

Every agent action is associated with a scoped TheoID, creating a complete, verifiable record of what each agent did and under whose authority.
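
The verifier-side checks behind bounded authority, parent-only revocation and the audit trail can be modelled as follows. This is an added example, not TheoID code or its credential format: the `Delegation` fields, the `Verifier` class and the `did:example` identifiers are assumptions, and verification of the parent's signature over the delegation is assumed to have already happened.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class Delegation:
    """Hypothetical delegation record; field names are assumptions, not TheoID's schema."""
    agent_did: str
    parent_did: str
    actions: frozenset      # permitted action names
    resources: frozenset    # permitted resource types
    not_before: datetime
    not_after: datetime

@dataclass
class Verifier:
    """Assumes the parent's signature over the delegation was already verified."""
    revoked: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def revoke(self, requester_did, d):
        # Only the issuing parent DID may revoke; no agent cooperation is needed.
        if requester_did != d.parent_did:
            return False
        self.revoked.add(d.agent_did)
        return True

    def authorize(self, d, action, resource, now):
        # Deny by default: the first failing check decides, and every decision is logged.
        if d.agent_did in self.revoked:
            decision = "deny:revoked"
        elif not (d.not_before <= now <= d.not_after):
            decision = "deny:time_window"
        elif action not in d.actions:
            decision = "deny:action_scope"
        elif resource not in d.resources:
            decision = "deny:resource_scope"
        else:
            decision = "allow"
        self.audit.append((now.isoformat(), d.agent_did, d.parent_did, action, resource, decision))
        return decision == "allow"

# Constructed sample: an agent allowed to book medical appointments for one day.
UTC = timezone.utc
SAMPLE = Delegation(
    agent_did="did:example:agent-1", parent_did="did:example:alice",
    actions=frozenset({"book_appointment"}), resources=frozenset({"medical_calendar"}),
    not_before=datetime(2025, 6, 1, 0, 0, tzinfo=UTC),
    not_after=datetime(2025, 6, 1, 23, 59, tzinfo=UTC),
)
```

Denied requests are logged alongside allowed ones, so the audit list records attempts to exceed scope as well as successful actions.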

Frequently Asked Questions

What is a decentralized identifier (DID)?

A decentralized identifier (DID) is a globally unique identifier that is created, owned, and controlled by the subject without relying on a central registry or authority. DIDs are defined by the W3C DID Core specification and resolve to DID documents containing public keys and service endpoints. Unlike traditional identifiers such as email addresses or usernames, DIDs cannot be revoked or reassigned by a third party.

What happened to the Sovrin Network?

The Sovrin Foundation formally dissolved on May 21, 2025, after years of financial difficulty rooted in its volunteer-run, grant-funded governance model. The network had accumulated approximately $2 million in debt and could no longer sustain node operator costs without a viable revenue model. The Sovrin ledger is now in archive mode: existing DIDs may still resolve, but no new credentials are being issued and the governance structure no longer exists.

How does Hyperledger Indy compare to Autheo TheoID?

Hyperledger Indy is a permissioned ledger purpose-built for self-sovereign identity, offering a proven did:indy method and a strong credential exchange ecosystem via the Aries framework. Autheo TheoID operates at the OS layer rather than as a standalone ledger, adding post-quantum cryptography (Kyber, Dilithium, Falcon), THEO token economics to sustain node operators, and native integration with THEO AI for agent-level identity delegation. Indy has a larger existing deployment base; TheoID is designed for credentials that need to remain secure beyond the quantum era.

Is TheoID post-quantum secure?

Yes. TheoID is built on NIST-standardized post-quantum algorithms: ML-KEM (Kyber) for key encapsulation, ML-DSA (Dilithium) for digital signatures, and SLH-DSA (FALCON) as a secondary signature scheme. These algorithms were finalized in FIPS 203, 204, and 205 in August 2024. Credentials issued through TheoID are designed to remain cryptographically valid even if large-scale quantum computers become available within the next two decades.

Can AI agents use TheoID for identity?

Yes. TheoID includes a delegation model that allows human principals to grant bounded, revocable identity authority to AI agents. An agent operating under THEO AI can hold a derived DID scoped to specific actions, time windows, or resource types, with the parent DID retaining full revocation rights. This makes TheoID the only production-grade identity layer currently designed for autonomous agent workflows.

What is the did:indy DID method?

The did:indy method is a W3C-registered DID method that resolves identifiers anchored on any Hyperledger Indy-compatible ledger, including the Sovrin MainNet (now archived), IDUnion, and CANdy. A did:indy DID encodes both the network namespace and the NYM transaction identifier, enabling cross-network resolution with a single method name. The method is maintained by the Hyperledger Aries community and remains the most widely deployed self-sovereign identity method in production.

Build with Post-Quantum Identity

TheoID is available to developers building on Autheo today. Integrate post-quantum verifiable credentials, AI agent delegation, and THEO-token-sustained identity infrastructure into your application.