Artagon Identity Platform

Vision and Roadmap

Trusted Identity for Machines and Humans — Verified, Private, Attested

Executive Summary

01

The digital landscape is in the midst of a profound identity crisis. The foundational model of perimeter-based security has failed, giving way to an epidemic of data breaches fueled by compromised credentials.

The very concept of "identity" has become dangerously fragmented, split between human-centric systems (CIAM) and a separate, ad-hoc world of machine and device identity (M2M/IoT). This fragmentation, coupled with the erosion of consumer privacy, creates a landscape of significant risk, friction, and missed opportunity.

Artagon Identity Platform is architected to solve this crisis—a next-generation trust infrastructure platform designed from the ground up to unify the three most critical, and historically siloed, domains of digital trust.


High-Assurance Identity

A unified, passkey-primary foundation for phishing-resistant human authentication, built on the most secure, modern protocols (OIDC, GNAP).

Decentralized & Verifiable Identity

A complete Verifiable Credentials engine for issuing and verifying portable, holder-controlled, and privacy-preserving credentials.

Next-Generation Authorization

A high-performance, graph-based authorization engine that fuses relationship-based and policy-based access control for complex, fine-grained decisions.

Three Strategic Pillars

1

Verifiable Everything

Every identity, attribute, device, and software client can be cryptographically verified, moving the world from "asserted" identity to "proven" identity.

2

Zero-Friction Security

The most secure posture is delivered as the path of least resistance. This is achieved through passkey-primary authentication (simpler and more secure than passwords) and invisible, hardware-level device attestation.

3

Privacy-by-Design

Privacy is embedded at the protocol level, not as a compliance checkbox. The platform uses selective disclosure and zero-knowledge primitives, allowing users to prove facts about themselves without revealing underlying personal data.

For Enterprises: De-risk digital transformation, eliminate account takeover, and demonstrate conformance with NIST 800-63 and eIDAS.
For Developers: A single, unified "trust API" that abstracts the complexity of modern cryptography, protocols, and policy.
For End-Users: A truly portable, private, and secure digital identity.

Product Vision & Value Proposition

02

Mission Breakdown

The Artagon mission is a deliberate, strategic synthesis of capabilities that are essential for the next era of digital interaction.

"Trusted Identity..."

A fundamental shift from "authentication" to establishing verifiable trust and assurance rooted in cryptographic proofs, not centralized databases.

"...for Machines and Humans..."

An explicit rejection of market fragmentation. The platform unifies CIAM (human) and M2M/IoT (machine) identity markets.

"...Verified, Private, Attested."

Three words mapping directly to the platform's core technical pillars and capabilities.

Architectural Principles

03

The Artagon platform architecture is a direct expression of its product vision, guided by five core principles that ensure security, scalability, and flexibility.

01

High-Assurance by Default

Security is not an optional feature or enterprise-tier add-on; it is the default posture for all tenants and all interactions.

02

Cryptographic Agility & Isolation

Built on a foundation agile to new cryptographic standards. Modular Rust sidecars for crypto operations (BBS+, ZKP) and native support for multiple VC formats (SD-JWT VC, and W3C Data Model credentials secured with BBS+ signatures).

03

Policy-as-Code & Verifiable Audit

All authorization and business logic expressed as explicit, human-readable, and auditable policy with a Git-backed Policy Administration Point (PAP).

04

Holder-Centric & Privacy-Preserving

The user (the "holder") is the ultimate owner of their identity—a fundamental shift away from the traditional "profile-in-a-database" CIAM model.

05

Developer-First Abstraction

Complexity of OIDC, GNAP, DIDs, VCs, and Zanzibar graph traversal abstracted behind a clean, unified API and idiomatic SDKs.

Core Components and Capabilities

04

4.1

Unified Identity & Authorization Core

Foundation for all identity transactions, serving as best-in-class provider for both human and machine identities.

  • Protocol Unification (OAuth 2.1 / OIDC & GNAP)
  • Hardened Security Profiles (PAR, JAR, JARM, DPoP, RAR, mTLS)
  • Passkey-Primary Authentication
  • Cryptographic Multi-Tenancy

4.2

Decentralized Trust Layer

Activates "Verifiable Everything," transforming Artagon into a comprehensive trust-issuance and verification engine.

  • DID & VC Primitives (did:web, did:key, did:ion/peer)
  • VC Formats (SD-JWT VC; W3C VC Data Model with BBS+ signatures)
  • The OID4VC "On-Ramp" (OID4VCI, OID4VP)
  • Privacy & Revocation

4.3

Integrated Identity Proofing Pipeline

Solves the "cold start" problem: how to root a digital identity in the real world.

4.4

Device & Application Attestation Engine

Delivers on the "Machines" part of the mission, establishing verifiable trust in the client itself.

4.5

Next-Generation Authorization Engine

Fine-grained, high-performance engine answering: "What is this identity allowed to do?"

  • Hybrid Model: ReBAC + ABAC
  • Zanzibar Graph Store
  • Polyglot Policy Engine (Cedar, OPA, XACML)

4.6

Advanced Delegation & Authority Brokering Engine

The capstone—a powerful synthesis elevating Artagon from "Identity Provider" to true "Authority Broker."

Technology Stack

05

Architected for extreme performance, security, and scalability using a "best-of-both-worlds" technology stack.

Core: Java 25 LTS with Virtual Threads (Project Loom)
Hot Paths: Rust sidecars for crypto ops (BBS+, ZKP) and graph traversal
Primary Store: PostgreSQL for tenant config, policies, metadata
Hot Store: Redis/KeyDB for sessions, states, caches
Graph: In-memory, off-heap Zanzibar-style store
Secrets: KMS/HSM for all cryptographic material

Security & Privacy Model

06

Security: Phishing-Resistant, Zero-Trust

Passkey-primary authentication, DPoP token binding, device attestation, mTLS, and PAR—secure-by-default at every layer.

Privacy: Holder-Controlled, Minimum Disclosure

Selective disclosure (SD-JWT, hash-based), zero-knowledge unlinkable presentations (BBS+), data portability, and privacy-preserving revocation.

Developer Experience

07

World-class, developer-first experience modeled after Stripe and Auth0.

SDKs: Java, Rust, TypeScript, Go, Swift
CLI: Full platform operations, policy testing, conformance
APIs: Dual GraphQL + REST
Playground: Live OAuth/GNAP/VC flows in-browser

Product Use Cases

08

Real-world scenarios demonstrating how Artagon transforms digital trust across industries.

01

High-Assurance Customer Support

Scenario: A customer service representative needs temporary access to a customer's account to resolve a billing issue.

Flow:

  1. Customer authenticates with passkey-based login (WebAuthn/FIDO2)
  2. Customer grants explicit, time-boxed delegation (15 minutes) to CSR via Authority Broker
  3. CSR receives a verifiable credential encoding the delegation scope (read billing only; no access to other personal data)
  4. Authorization engine validates credential, relationships, and time constraints on each API call
  5. Delegation auto-expires; full audit trail captured in an append-only, tamper-evident log

Value: Zero standing privileges, cryptographic audit trail, customer control—removing the standing-access insider threat vector.
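Step 4 above is where the hybrid model earns its keep: the relationship graph answers "is bob allowed to read billing on this account?", and the delegation window is an attribute on the tuple that the same check enforces. The following is an added example, not Artagon's own code: a minimal Zanzibar-style relationship store with userset-rewrite rules and time-boxed delegation tuples. The object types, relation names (owner, billing_reader, pii_reader), the group userset, and the delegation layout are all assumptions chosen for illustration.

```python
# Added example, not Artagon's own code: a minimal Zanzibar-style relationship
# store with userset-rewrite rules, plus time-bounded delegation tuples so one
# check combines ReBAC (graph walk) with an ABAC attribute (the delegation window).
# Object types, relation names and the delegation layout are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class RelTuple:
    object: str                            # "account:4711"
    relation: str                          # "owner", "billing_reader", ...
    subject: str                           # "user:alice" or a userset "group:x#member"
    expires_at: Optional[datetime] = None  # None = standing grant; set = delegation


# Namespace config (constructed): relation -> relations on the same object that
# imply it. owner implies both reader relations; nothing implies owner.
SCHEMA = {
    "account": {
        "owner": [],
        "billing_reader": ["owner"],
        "pii_reader": ["owner"],
    },
}


class RelationStore:
    def __init__(self) -> None:
        self._tuples: set[RelTuple] = set()

    def write(self, t: RelTuple) -> None:
        self._tuples.add(t)

    def expire(self, now: datetime) -> int:
        """Garbage-collect elapsed delegations; returns how many were dropped."""
        dead = {t for t in self._tuples if t.expires_at and now >= t.expires_at}
        self._tuples -= dead
        return len(dead)

    def check(self, obj: str, relation: str, user: str, now: datetime, _depth: int = 0) -> bool:
        """True if `user` holds `relation` on `obj` at `now`, via a direct tuple,
        userset membership, or a schema-implied relation. Deny on anything else."""
        if _depth > 16:                       # bound recursion on cyclic usersets
            return False
        for t in self._tuples:
            if t.object != obj or t.relation != relation:
                continue
            if t.expires_at is not None and now >= t.expires_at:
                continue                      # an elapsed delegation is invisible
            if t.subject == user:
                return True
            if "#" in t.subject:              # userset subject: recurse into it
                s_obj, s_rel = t.subject.split("#", 1)
                if self.check(s_obj, s_rel, user, now, _depth + 1):
                    return True
        namespace = obj.split(":", 1)[0]
        for implied_by in SCHEMA.get(namespace, {}).get(relation, []):
            if self.check(obj, implied_by, user, now, _depth + 1):
                return True
        return False


def delegate(store: RelationStore, obj: str, relation: str, to: str,
             now: datetime, minutes: int) -> RelTuple:
    """Time-boxed delegation: a tuple the graph walk ignores once it expires."""
    t = RelTuple(obj, relation, to, now + timedelta(minutes=minutes))
    store.write(t)
    return t


def support_scenario() -> dict:
    """Customer alice delegates billing access to CSR bob for 15 minutes."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    store = RelationStore()
    store.write(RelTuple("account:4711", "owner", "user:alice"))
    # the compliance team reads PII via a userset, not per-user tuples
    store.write(RelTuple("account:4711", "pii_reader", "group:compliance#member"))
    store.write(RelTuple("group:compliance", "member", "user:carol"))
    delegate(store, "account:4711", "billing_reader", "csr:bob", now, 15)

    acct = "account:4711"
    return {
        "owner_reads_billing": store.check(acct, "billing_reader", "user:alice", now),
        "csr_reads_billing": store.check(acct, "billing_reader", "csr:bob", now + timedelta(minutes=14)),
        "csr_reads_pii": store.check(acct, "pii_reader", "csr:bob", now),
        "csr_after_expiry": store.check(acct, "billing_reader", "csr:bob", now + timedelta(minutes=15)),
        "compliance_reads_pii": store.check(acct, "pii_reader", "user:carol", now),
        "gc_dropped": store.expire(now + timedelta(minutes=15)),
    }


if __name__ == "__main__":
    for k, v in support_scenario().items():
        print(f"{k}: {v}")
```

Two details matter in practice: the expiry is checked inside the walk rather than by a background sweeper, so a decision made one second after the window closes is already a deny even if garbage collection has not run yet, and the CSR's delegation targets billing_reader only, so the schema never lets it reach pii_reader.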

02

Cross-Organization Healthcare Access

Scenario: A primary care physician needs to share specific patient records with a specialist for consultation.

Flow:

  1. Doctor authenticates with organizational credential + passkey
  2. Doctor creates a time-limited Verifiable Presentation (VP) that selectively discloses only the needed fields of patient file X
  3. Specialist receives VP at their organization (different IdP/domain) over OID4VP
  4. Specialist's system verifies the holder's proof, the issuer signature (resolving the issuer DID), and the credential's revocation status
  5. Authorization engine checks: specialist holds a valid medical license VC + access relationship in graph
  6. Access granted; patient's PII minimized via selective disclosure (only relevant medical data exposed)

Value: Seamless cross-domain trust without brittle SAML federations; privacy-preserving; patient-centric consent model.
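Steps 2, 4 and 6 rest on SD-JWT's disclosure mechanics: the issuer signs salted digests rather than the claims, the holder forwards only the disclosures it chooses, and the verifier recomputes each digest before trusting a revealed value. The following is an added example, not Artagon's own code, implementing that exchange as RFC 9901 specifies the disclosure and digest format. Assumptions: the issuer signature is an HMAC placeholder (a real SD-JWT is a JWS under the issuer's asymmetric key), holder key binding (the KB-JWT) is left out, and the patient record is constructed.

```python
# Added example, not Artagon's own code: the disclosure mechanics of SD-JWT
# (RFC 9901). The issuer replaces chosen claims with salted digests in an
# "_sd" array, the holder forwards only the disclosures it wants to reveal,
# and the verifier recomputes every digest before trusting a revealed claim.
# Assumptions: the issuer signature is an HMAC placeholder (a real SD-JWT is a
# JWS under the issuer's asymmetric key), holder key binding (KB-JWT) is left
# out, and the patient record is constructed.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

ISSUER_KEY = b"placeholder-issuer-key"   # stand-in for the issuer's signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_disclosure(name: str, value, salt: Optional[str] = None) -> str:
    """Disclosure = base64url(JSON [salt, claim name, claim value])."""
    salt = salt or b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    # SHA-256 over the ASCII bytes of the base64url-encoded disclosure
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict, disclosable: set[str], key: bytes = ISSUER_KEY):
    """Returns (issuer-signed part, disclosures). Only digests go in the payload."""
    payload = {k: v for k, v in claims.items() if k not in disclosable}
    disclosures = [make_disclosure(k, v) for k, v in claims.items() if k in disclosable]
    payload["_sd"] = sorted(digest(d) for d in disclosures)   # sorted: hides claim order
    payload["_sd_alg"] = "sha-256"
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{sig}", disclosures


def present(issuer_part: str, disclosures: list[str], reveal: set[str]) -> str:
    """Holder picks the disclosures to reveal; everything else stays a digest."""
    chosen = [d for d in disclosures if json.loads(b64url_decode(d))[1] in reveal]
    return "~".join([issuer_part, *chosen]) + "~"


def verify(presentation: str, key: bytes = ISSUER_KEY) -> dict:
    """Check the issuer signature, then accept only disclosures whose digest
    is in the signed _sd array. Returns the reconstructed claim set."""
    parts = presentation.split("~")
    issuer_part, disclosures = parts[0], [p for p in parts[1:] if p]
    body, sig = issuer_part.split(".")
    expected = b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("issuer signature invalid")
    payload = json.loads(b64url_decode(body))
    if payload.pop("_sd_alg", None) != "sha-256":
        raise ValueError("unsupported _sd_alg")
    bound = set(payload.pop("_sd", []))
    for d in disclosures:
        if digest(d) not in bound:
            raise ValueError("disclosure not bound to the signed payload")
        _salt, name, value = json.loads(b64url_decode(d))
        if name in payload:
            raise ValueError(f"duplicate claim {name}")
        payload[name] = value
    return payload


def healthcare_demo() -> dict:
    # Constructed record: the specialist needs diagnosis and medication only.
    record = {
        "iss": "did:web:clinic.example",
        "vct": "https://clinic.example/credentials/patient-record",
        "record_id": "X-1001",
        "diagnosis": "type 2 diabetes",
        "medication": "metformin 500mg",
        "home_address": "12 Example Street",
        "national_id": "000-00-0000",
    }
    issuer_part, disclosures = issue(
        record, {"diagnosis", "medication", "home_address", "national_id"})
    vp = present(issuer_part, disclosures, {"diagnosis", "medication"})
    verified = verify(vp)

    # Tampering: a substituted value produces a digest that is not in _sd.
    forged = present(issuer_part, [make_disclosure("diagnosis", "healthy")], {"diagnosis"})
    try:
        verify(forged)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {"verified": verified, "tamper_rejected": tamper_rejected,
            "digests_in_payload": len(disclosures)}
```

The verifier learns that four claims exist but only the two revealed values; the address and national identifier reach the specialist neither as plaintext nor as anything linkable, because each digest is over a fresh random salt. The duplicate-claim check matters: without it a holder could smuggle a second "diagnosis" value past a verifier that merges disclosures last-writer-wins.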

03

IAM for Autonomous AI Agents

Scenario: A CFO authorizes an AI agent to autonomously approve and sign vendor contracts under $50,000.

Flow:

  1. CFO authenticates and issues a Verifiable Credential to AI agent's DID
  2. VC encodes: authority scope (sign contracts), conditions (amount < $50k, vendor category = "SaaS"), expiration (30 days)
  3. AI agent holds the VC; the private key it is bound to lives in a secure enclave, so every presentation is device-attested
  4. When agent attempts contract signature, presents VC to contract API
  5. Authorization engine validates: VC signature, issuer authority (CFO role in graph), policy conditions, device attestation
  6. Action permitted or denied based on real-time policy evaluation; all decisions logged with context

Value: Human-delegated, cryptographically-bound authority with programmatic guardrails—the foundation for trusted AI agents.
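Step 5 is a policy decision over a credential, and the property a practitioner cares about is that it fails closed: an unknown condition operator, a missing request field, or a badly typed amount must deny rather than be skipped. The following is an added example, not Artagon's own code, of that evaluation. The credential layout, the role graph that records who holds the CFO role, the condition operators, and the request shape are all assumptions; signature verification, DID resolution and device attestation are taken as already done before this function runs.

```python
# Added example, not Artagon's own code: fail-closed evaluation of a delegation
# credential that binds an AI agent's authority to explicit conditions. The
# credential layout, the role graph that says who may delegate, the condition
# operators and the request shape are all assumptions; signature checking,
# DID resolution and device attestation are taken as already done.
from datetime import datetime, timezone

# Constructed credential as the CFO would issue it to the agent's DID.
AGENT_CREDENTIAL = {
    "issuer": "did:example:cfo-jane",
    "subject": "did:example:agent-procurement-7",
    "authority": ["contract:sign"],
    "conditions": [
        {"field": "amount_usd", "op": "lt", "value": 50_000},
        {"field": "vendor_category", "op": "eq", "value": "SaaS"},
    ],
    "expires_at": "2025-02-01T00:00:00+00:00",
}

# Constructed stand-in for the relationship graph: who holds the CFO role and
# may therefore delegate contract signing at all.
ROLE_GRAPH = {"org:acme#cfo": {"did:example:cfo-jane"}}

OPERATORS = {
    "lt": lambda a, b: a < b,
    "lte": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "in": lambda a, b: a in b,
}


def evaluate(cred: dict, action: str, request: dict, now: datetime,
             role_graph: dict = ROLE_GRAPH) -> dict:
    """Return a decision record with its reason and context. Anything unexpected
    (unknown operator, missing field, type mismatch) denies instead of skipping."""
    def decision(allowed: bool, reason: str) -> dict:
        return {"allowed": allowed, "reason": reason, "action": action,
                "subject": cred.get("subject"), "at": now.isoformat(),
                "request": request}

    if now >= datetime.fromisoformat(cred["expires_at"]):
        return decision(False, "credential expired")
    if cred["issuer"] not in role_graph.get("org:acme#cfo", set()):
        return decision(False, "issuer does not hold the CFO role")
    if action not in cred["authority"]:
        return decision(False, f"action {action} was not delegated")
    for cond in cred["conditions"]:
        op = OPERATORS.get(cond["op"])
        if op is None:
            return decision(False, f"unknown operator {cond['op']!r}")
        if cond["field"] not in request:
            return decision(False, f"request lacks {cond['field']}")
        try:
            ok = op(request[cond["field"]], cond["value"])
        except TypeError:
            return decision(False, f"type mismatch on {cond['field']}")
        if not ok:
            return decision(False, f"{cond['field']} {cond['op']} {cond['value']} failed")
    return decision(True, "all guardrails satisfied")


def agent_scenario() -> dict:
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    sign = "contract:sign"
    c = AGENT_CREDENTIAL
    saas = {"amount_usd": 10, "vendor_category": "SaaS"}
    return {
        "in_policy": evaluate(c, sign, {"amount_usd": 49_999, "vendor_category": "SaaS"}, now)["allowed"],
        "at_limit": evaluate(c, sign, {"amount_usd": 50_000, "vendor_category": "SaaS"}, now)["allowed"],
        "wrong_category": evaluate(c, sign, {"amount_usd": 1_000, "vendor_category": "Hardware"}, now)["allowed"],
        "missing_field": evaluate(c, sign, {"amount_usd": 1_000}, now)["allowed"],
        "string_amount": evaluate(c, sign, {"amount_usd": "10", "vendor_category": "SaaS"}, now)["allowed"],
        "other_action": evaluate(c, "contract:terminate", saas, now)["allowed"],
        "expired": evaluate(c, sign, saas, datetime(2025, 3, 1, tzinfo=timezone.utc))["allowed"],
        "rogue_issuer": evaluate({**c, "issuer": "did:example:intern"}, sign, saas, now)["allowed"],
    }
```

The issuer check is the one most often forgotten: a credential can be perfectly signed and still worthless if the signer had no authority to delegate, which is why the graph lookup on the issuer runs before any condition is evaluated.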

04

Zero-Trust IoT Device Provisioning

Scenario: Manufacturing facility deploys 10,000 industrial IoT sensors that need secure, automated provisioning and lifecycle management.

Flow:

  1. Each device ships with hardware-backed key pair (TPM/secure element) and manufacturer DID
  2. On first boot, device performs hardware attestation (proving genuine hardware + unmodified firmware)
  3. Device requests a bootstrap credential from Artagon via a GNAP grant request signed with its hardware key
  4. Artagon validates attestation, issues device identity VC bound to hardware key
  5. Device uses VC + mTLS for all telemetry API calls; authorization graph defines device→gateway→cloud relationships
  6. Firmware updates trigger re-attestation; compromised devices auto-revoked via StatusList2021

Value: Hardware-rooted trust, automated lifecycle management, instant revocation—eliminating IoT's weakest link (credential management).
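Step 6 names StatusList2021, and the mechanism is simple enough to show end to end: the issuer keeps one bit per credential in a gzip-compressed bitstring it publishes as a status-list credential, each device credential carries the index of its bit, and a verifier fetches the list and tests that bit. The following is an added example, not Artagon's own code. Assumed here: MSB-first bit order within each byte (as in the W3C Bitstring Status List that succeeded StatusList2021), base64url encoding of the compressed list, a hypothetical status-list URL, and constructed device credentials.

```python
# Added example, not Artagon's own code: the StatusList2021 revocation
# mechanic behind step 6. The issuer keeps one bit per credential in a
# gzip-compressed bitstring published as a status-list credential; the device
# credential carries the index of its bit. Assumed here: MSB-first bit order
# within each byte (as in the W3C Bitstring Status List that succeeded
# StatusList2021), base64url encoding, and constructed device credentials.
import base64
import gzip
import secrets

MIN_ENTRIES = 131_072   # 16 KiB minimum list, so one bit does not single out a holder


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class StatusList:
    """Issuer side: allocate indices, flip bits, publish the compressed list."""

    def __init__(self, url: str, entries: int = MIN_ENTRIES) -> None:
        if entries % 8:
            raise ValueError("entries must be a multiple of 8")
        self.url = url
        self.bits = bytearray(entries // 8)
        self._used: set[int] = set()

    def allocate(self) -> int:
        # random, not sequential: a sequential index would leak issuance order
        while True:
            idx = secrets.randbelow(len(self.bits) * 8)
            if idx not in self._used:
                self._used.add(idx)
                return idx

    def set_revoked(self, idx: int, revoked: bool = True) -> None:
        byte, bit = divmod(idx, 8)
        mask = 0x80 >> bit
        if revoked:
            self.bits[byte] |= mask
        else:
            self.bits[byte] &= 0xFF ^ mask

    def encode(self) -> str:
        return b64url(gzip.compress(bytes(self.bits), mtime=0))

    def credential_status(self, idx: int) -> dict:
        """The credentialStatus block the device's identity VC carries."""
        return {"type": "StatusList2021Entry", "statusPurpose": "revocation",
                "statusListIndex": str(idx), "statusListCredential": self.url}


def is_revoked(encoded_list: str, status: dict) -> bool:
    """Verifier side: decompress the published list and test the device's bit."""
    raw = gzip.decompress(b64url_decode(encoded_list))
    idx = int(status["statusListIndex"])
    byte, bit = divmod(idx, 8)
    if idx < 0 or byte >= len(raw):
        raise ValueError("statusListIndex outside the published list")
    return bool(raw[byte] & (0x80 >> bit))


def iot_scenario() -> dict:
    status_list = StatusList("https://issuer.example/status/devices-1")  # hypothetical URL
    sensors = {f"sensor-{n}": status_list.credential_status(status_list.allocate())
               for n in range(3)}
    published = status_list.encode()
    before = {name: is_revoked(published, s) for name, s in sensors.items()}

    # sensor-1 fails re-attestation after a firmware update: flip its bit, republish
    status_list.set_revoked(int(sensors["sensor-1"]["statusListIndex"]))
    published = status_list.encode()
    after = {name: is_revoked(published, s) for name, s in sensors.items()}
    return {"before": before, "after": after, "published_chars": len(published)}
```

The published list stays a few dozen bytes even at 131,072 entries because a mostly-zero bitstring compresses almost completely, which is what makes it cheap to fetch on every telemetry call. A verifier must still check the status-list credential's own signature and freshness before trusting the bit; an index outside the list is treated as an error, not as "not revoked".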

Competitive Differentiation

09

Artagon's defensible "moat": The only platform architected from the ground up to unify three distinct, typically siloed identity markets.

Bridges the developer-first experience of modern CIAM, the enterprise-grade capabilities of legacy IAM, and the next-generation privacy and portability of the decentralized world.

Market Positioning

vs. Modern CIAM (Auth0, Okta CIC)

  • + Native Verifiable Credentials (not bolted-on)
  • + Machine identity parity with human identity
  • + Graph-native authorization (not role explosion)
  • + Authority delegation as first-class primitive

vs. Legacy IAM (Ping, ForgeRock)

  • + Developer-first API/SDK experience
  • + Cloud-native, elastic scale
  • + Modern protocols (GNAP, OID4VC) not legacy retrofits
  • + Privacy-by-design vs compliance checkbox

vs. Decentralized Identity (SSI vendors)

  • + Production-ready OIDC/SAML bridge for legacy apps
  • + Enterprise SLAs, support, and compliance frameworks
  • + Integrated authorization (not just authentication)
  • + Pragmatic hybrid approach (not ideology-first)

Multi-phase Roadmap

10

A pragmatic, five-phase execution plan delivering incremental, compounding value over 18 months.

V1: Core Trust Layer

0–3 months

Foundation for high-assurance authentication and authorization.

  • OAuth 2.1 / OIDC + GNAP server with PAR, JAR, JARM, and DPoP token binding
  • Passkey-primary authentication (WebAuthn/FIDO2)
  • Multi-tenant architecture with cryptographic isolation
  • Device attestation MVP (iOS/Android platform attestation)
  • Basic ReBAC authorization with in-memory graph

Success Metrics: <50ms token issuance latency; 99.9% uptime; 10 design partner tenants

V2: Verifiable Credentials Engine

3–6 months

Full W3C VC issuance and verification with privacy-preserving primitives.

  • SD-JWT VC format support (selective disclosure)
  • OID4VCI (credential issuance) and OID4VP (presentation) flows
  • DID methods: did:web, did:key, did:ion (pilot)
  • StatusList2021 revocation mechanism
  • VC-to-OIDC bridge (legacy app compatibility)

Success Metrics: Issue 100k+ VCs; 3+ VC wallet integrations; healthcare pilot deployment

V3: Policy & Authorization Graph

6–9 months

Production-grade, hybrid authorization engine with policy-as-code.

  • Zanzibar-style graph store (persistent, replicated)
  • Cedar + OPA policy engines with XACML compatibility
  • Git-backed Policy Administration Point (PAP)
  • PEP SDKs (Java, TypeScript, Go, Rust)
  • Real-time policy testing and conformance harness

Success Metrics: <10ms authorization decisions; 1M+ tuples in graph; 50+ policy repos managed

V4: Identity Proofing & Compliance

9–12 months

Regulated-industry readiness with identity proofing and compliance frameworks.

  • Identity proofing pipeline (document verification, liveness detection)
  • NIST 800-63 IAL2/AAL2 conformance path (assessed by a third party; NIST itself does not certify)
  • eIDAS compliance for EU market
  • Proofing VC issuance with assurance levels
  • Trust registry for issuer/verifier discovery

Success Metrics: IAL2/AAL2 conformance assessment completed; 2+ regulated industry customers (finance, healthcare)

V5: Federation & AI-Native Features

12–18 months

Advanced delegation, cross-domain trust, and first-class AI agent support.

  • BBS+ signature support (unlinkable credentials)
  • Advanced Authority Brokering Engine (delegation chains, transitive trust)
  • Multi-issuer trust framework and federation protocol
  • AI agent identity primitives (autonomous signing keys, policy-bound agents)
  • Zero-knowledge proof integration (age verification, compliance checks)

Success Metrics: 10+ federated trust domains; 1000+ AI agents managed; enterprise SOC 2 Type II

Vision 2030

11

From "Identity" to "Authority"

Evolving from IdP to Authority Broker—answering "What authority do you have?" not "Who are you?"

AI Agents as First-Class Citizens

Artagon will be the "IAM for AI"—trust, governance, and audit for autonomous economic actors.

The "Verifiable Web"

GNAP + VCs + OID4VP: the engine for frictionless, portable, verifiable identity across services.

Artagon's mission is to build the trust layer for the next two decades of digital interaction.

By unifying the identity of humans and machines, by building in privacy and zero-friction security from the protocol level, and by grounding all trust in cryptographic verification, we are not just building a product—we are architecting the future of digital trust.