Securely attribute content to domain names
VeraId is a decentralised, user-friendly, offline-first authentication protocol.
Use cases
Workload authentication simplified
Kliento uses VeraId to simplify workload authentication, without long-lived secrets like API keys or the public key distribution that JWTs require.

Artefact signing
Sign documents, apps, libraries, and other files on behalf of a domain name, without gatekeepers like Adobe or Microsoft.

Offline user authentication
Enable users of offline systems to authenticate with user-friendly, customisable identifiers. That's how Letro uses VeraId!

Next-gen decentralised systems
VeraId enables systems that are hard to imagine today, like peer-to-peer web hosting with contents reliably attributed to their respective domain names.
Key features
How it works
VeraId combines DNSSEC with a new Public Key Infrastructure (PKI) to produce signatures that can be linked to a domain name. Every signature contains enough data to be independently verified without external queries, like DNS lookups.
For example, this is how we'd verify a VeraId Signature Bundle attributing "Bazinga!" to sheldon@caltech.edu:
DNSSEC Chain
X.509 Certificate Chain
CMS SignedData
Any DNSSEC-enabled domain can be a trust anchor in the PKI, but it only has control over itself. This offers far better security than PKIs such as the one used by Transport Layer Security (TLS), where many trust anchors (Certificate Authorities) can issue certificates for any domain.
Forged from necessity

I designed VeraId to provide Letro users with offline-compatible identifiers that are robust enough to withstand attacks by the nation-state actors that would target some of them.
Designing and implementing another auth protocol is not something I took lightly: I know it's hard to get them right and the consequences can be catastrophic. Unfortunately, no existing technology satisfied our needs.
Creator of VeraId, and former member of Auth0's core engineering team.