OHNexus Protocol is the open infrastructure layer that lets regulated financial service providers gate access behind W3C Verifiable Credentials — without centralising identity data.
Financial institutions re-verify the same users across services. The result is duplicated KYC cost, stale data, and no user control. OHNexus fixes the infrastructure layer.
The protocol separates verification, eligibility evaluation, and execution — each as an auditable, isolated step.
Users hold W3C Verifiable Credentials issued by trusted KYC providers, the platform, or compliant third-party issuers. The credentials are stored in a browser-native SSI wallet.
The user signs a Verifiable Presentation with their did:key identity. The VP is submitted directly to the verifier; the platform never stores the raw credential.
The protocol checks VP claim summaries against publisher-defined service requirements. GRANTED or DENIED — every decision persisted for compliance audit.
On AUTHORIZED, the provider API is invoked and an IssuedCredential is minted. The execution result hash is anchored on Ethereum as an immutable audit record.
Any actor in a credential-regulated workflow benefits — publishers creating gated services, issuers managing trust, and end users controlling their own identity.
Banks, fintechs, and asset managers that want to gate service access behind verified KYC/AML or MiFID suitability credentials without building their own identity stack.
Regulated identity providers and KYC bureaus whose issued credentials become trust anchors across the protocol — with DID-based issuer registry and verification logging.
Retail and institutional clients who complete identity verification once and present portable credentials across multiple services — maintaining full control and data minimisation.
Teams that need an end-to-end audit trail: every credential verification logged, every eligibility decision persisted, every execution anchored on-chain for immutable evidence.
Platforms aligning with EU Digital Identity Wallet mandates. OHNexus implements OID4VP and OID4VCI natively — the same standards mandated by the ARF.
Teams building on SSI primitives who need a production reference implementation of did:key generation, VP signing, credential issuance, and on-chain anchoring in Rust.
Three converging regulatory forces make credential-gated infrastructure mandatory for European financial services from 2026 onwards.
ARF 1.4 mandates OID4VP and OID4VCI as the interoperability protocols for the European Digital Identity Wallet. Every member state must offer compliant wallets by 2026. OHNexus is built on these exact standards.
MiCA requires CASPs to implement robust KYC/AML and investor suitability checks before granting access to crypto-asset services. Verifiable Credentials provide the cryptographic audit trail regulators require.
DORA mandates traceable audit records for all digital service access. OHNexus's on-chain anchoring and immutable eligibility logs directly satisfy DORA's evidence requirements for ICT incident reporting.
Built in Rust on AWS, with walt.id for W3C VC operations and Ethereum for immutable anchoring.
┌──────────────────────────────────┐
│ ohnexus.eu (CloudFront CDN)      │
├──────────────┬───────────────────┤
│ React SPA    │ OID4VP / OID4VCI  │
├──────────────┴───────────────────┤
│ Rust API (AWS ECS · Fargate)     │
├──────────────┬───────────────────┤
│ walt.id      │ DynamoDB          │
│ Verifier     │ Credentials       │
├──────────────┴───────────────────┤
│ Ethereum Sepolia (Anchoring)     │
└──────────────────────────────────┘
Raw VC/VP JWTs are never stored: only claim-key indices are kept, along with SHA-256 hashes for audit correlation. GDPR Art. 25 data minimisation is enforced at the protocol layer.
Every VP is verified against a DID-resolved issuer public key via walt.id's W3C VC verification engine. No self-reported credentials are accepted.
Execution result hashes are registered on Ethereum via registerExecution() — creating a tamper-proof, time-stamped record of every credential-gated service invocation.
Verification, eligibility evaluation, and execution are three isolated protocol steps. Each is independently auditable, independently replaceable, and covered by 566 automated tests.
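An added illustration of the eligibility step and the data-minimisation rule described above; it is not OHNexus's own code. The evaluator sees only an issuer DID, a claim-key index and a SHA-256 digest computed upstream, fails closed on an empty requirement, and returns a record to persist for every decision. The struct shapes, field names, sample values and the one-credential-per-presentation simplification are assumptions.

```rust
use std::collections::BTreeSet;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision { Granted, Denied }

// Output of the verification step (hypothetical shape): claim keys only, no values, no raw JWT.
pub struct ClaimSummary {
    pub issuer_did: String,
    pub claim_keys: BTreeSet<String>,
    pub vp_sha256_hex: String, // digest computed upstream, used only for audit correlation
}
// Publisher-defined requirement for one service (hypothetical shape).
pub struct ServiceRequirement {
    pub service_id: String,
    pub trusted_issuers: BTreeSet<String>,
    pub required_claim_keys: BTreeSet<String>,
}
// Persisted for every decision, GRANTED or DENIED.
#[derive(Debug)]
pub struct AuditRecord {
    pub service_id: String,
    pub vp_sha256_hex: String,
    pub decision: Decision,
    pub reasons: Vec<String>, // claim key names only, never claim values
}

pub fn evaluate(req: &ServiceRequirement, vp: &ClaimSummary) -> AuditRecord {
    let mut reasons = Vec::new();
    // Fail closed: an empty requirement is a misconfiguration, not an open door.
    if req.trusted_issuers.is_empty() || req.required_claim_keys.is_empty() {
        reasons.push("requirement misconfigured".to_string());
    }
    if !req.trusted_issuers.contains(&vp.issuer_did) {
        reasons.push("issuer not trusted".to_string());
    }
    // BTreeSet::difference yields sorted keys, so the audit record is deterministic.
    for key in req.required_claim_keys.difference(&vp.claim_keys) {
        reasons.push(format!("missing claim: {key}"));
    }
    let decision = if reasons.is_empty() { Decision::Granted } else { Decision::Denied };
    AuditRecord { service_id: req.service_id.clone(), vp_sha256_hex: vp.vp_sha256_hex.clone(), decision, reasons }
}

fn set(items: &[&str]) -> BTreeSet<String> { items.iter().map(|s| s.to_string()).collect() }

fn main() {
    // Constructed sample data; the DID and digest are placeholders.
    let req = ServiceRequirement { service_id: "svc-demo".into(), trusted_issuers: set(&["did:key:zISSUER-PLACEHOLDER"]), required_claim_keys: set(&["kyc_level", "mifid_suitability"]) };
    let vp = ClaimSummary { issuer_did: "did:key:zISSUER-PLACEHOLDER".into(), claim_keys: set(&["kyc_level"]), vp_sha256_hex: "<sha256-of-vp>".into() };
    println!("{:?}", evaluate(&req, &vp));
}
```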
Core infrastructure is complete and deployed to AWS. Active development continues on enterprise integrations and multi-chain anchoring.
backend-core Rust library, DynamoDB models, JWT auth, SIWE login, service publication lifecycle.
Browser-native did:key generation, OID4VCI pre-auth code flow, Ed25519 VP signing, walt.id integration.
OID4VP direct_post flow, cryptographic VP verification, requirement matching, on-chain anchoring, 566 tests.
First regulated financial service publisher onboarded. Credential issuance & revocation webhook. Rate limiting & production hardening.
We are onboarding regulated financial service providers, KYC issuers, and strategic partners. Get in touch to discuss a pilot deployment.