Explore the tools, components, and architecture powering eSignet.
Please refer to the below sections to build, integrate, and enhance solutions with eSignet using comprehensive guides, tools, and resources:
Technology Stack – Learn about the technologies used in eSignet, including services, storage solutions, deployment tools, and testing frameworks.
Components – eSignet – Understand eSignet’s core components, functions, and integration methods.
Components - Signup Portal – Seamlessly register and verify identities with the Signup Portal’s robust components and secure eKYC integration.
– Refer here for all the APIs used by eSignet.
A Modern and Inclusive Digital Identity Authentication Solution
Digital identity is rapidly becoming the standard for citizen identification. Whether accessing services on government platforms or private service portals, user authentication is now a critical requirement. To ensure secure, private, and inclusive access, authentication mechanisms must adhere to established standards that guarantee data protection and build user trust.
eSignet plays a critical role by providing a secure, standards-compliant digital identity solution that empowers both users and service providers. It enables:
Trusted identity verification across platforms.
Flexible login and authentication methods tailored to various assurance levels.
Inclusive access designed to serve diverse user groups and device capabilities.
Consent-driven data and profile sharing, ensuring transparency and user control.
eSignet ensures that digital interactions are not only seamless but also secure, private, and user-centric. Built on trusted protocols and designed with a privacy-first approach, eSignet empowers both users and service providers with confidence and control.
eSignet comprises two specific modules:
The eSignet auth module is a powerful, open-source digital identity authentication module that enables secure and standardised access to online services. It is developed by MOSIP and built by implementing specific OpenID Connect (OIDC) RFCs to provide high assurance.
It is designed to be independent and be used as a standalone authentication module and can be easily integrated with any identity system or repository that supports authentication and attribute retrieval. While it includes reference integrations with MOSIP, its architecture is flexible and open enough to be adopted for a wide range of digital services ecosystems.
Whether you're building a citizen portal, a financial application, or any service that requires identity verification, eSignet can serve as your trusted, modular identity layer.
The Signup Module is a self-contained, independent component that enables individuals to create and manage their digital identity profiles, designed for seamless integration with the eSignet auth module.
Beyond profile creation, the module also offers identity verification capabilities, including support for Video eKYC, ensuring that user identities can be reliably validated during signup. With a focus on inclusivity, low-barrier entry, and progressive trust building, it can be used to extend digital identity to under-served or unregistered populations.
Login with Trusted ID – Enables users to authenticate using a secure identity issued by a government authority or a trusted provider.
Inclusive Support for Multiple Authentication Factors – Accommodates multiple authentication factors, including biometrics, one-time passwords (OTP), and wallet-based authentication.
Frictionless Addition of New Authentication Factors – Architected to seamlessly integrate emerging authentication technologies without requiring major system modifications.
Standards-Based Architecture – Utilizes open standards, allowing seamless integration via widely supported libraries.
Scalable for Country-Wide Implementation – Designed to deliver secure authentication and KYC verification at national scale, ensuring high reliability and performance.
Secure Biometric Integration – Incorporates the Secure Biometric Interface (SBI) to enable secure biometric data collection for identity verification.
Single Identity Credential – Enables users to access integrated public and private sector services using a unified digital identity.
Mandatory Consent Enforcement – Ensures that all data access is governed by an explicit, user-centric consent flow.
Support for Diverse Authentication Methods – Accommodates various verification approaches to meet individual preferences and improve usability and liveness detection.
Fast and Secure Digital Verification – Facilitates rapid user verification across multiple digital services.
Assurance Parity with Registration – Maintains consistent verification quality using the same methods employed during initial user onboarding (OTP, biometrics, cryptographic keys).
Government Enablement for e-KYC Services – Empowers governments to offer digital identity verification and e-KYC services, fostering broader access to financial and digital services.
eSignet is engineered to ensure inclusive access to digital identity verification, supporting multiple verification models and modalities to meet the varied needs of users and the devices they use.
Assisted Verification and Data Collection – Enables identity verification with the assistance of an operator or at a physical kiosk.
Self-Identification for Online Services – Allows users to independently verify their identity through remote digital channels.
OTP-Based Authentication (Feature Phone Users) – Offers SMS-based OTP login for users with basic mobile devices.
Wallet-Based Facial Authentication (Smartphone Users) – Enables face recognition authentication via digital wallets on smartphones.
Biometric Authentication (Non-Phone Users) – Supports biometric verification for users without mobile access, via assisted modes or kiosks.
Government Agencies – Offers a secure, standards-based identity verification layer for transforming existing IDs into interoperable digital identities.
Service Providers – Enables efficient service delivery through secure identity verification, eKYC, and consent-based data access across sectors such as banking, telecommunications, and insurance.
Citizens and Residents – Empowers individuals to prove their identity securely and conveniently while preserving privacy across a broad range of digital services.
Healthcare: Patients use OTP or biometrics to access health portals securely, ensuring inclusive access to medical services.
Education: Universities leverage face authentication for secure access to exams or hostel services, enhancing accessibility.
Social Welfare Programmes: Enables precise distribution of benefits to verified and eligible recipients.
Taxation:
The use cases listed above are illustrative and not exhaustive, eSignet can be adapted to support a wide range of additional applications across both public and private sectors.
Refer below to know more about eSignet principles, standards and tech:
Simple Integration with Relying Parties (Service Providers) – Streamlines the onboarding process for service providers requiring robust identity verification and facilitates integration with eSignet.
User Consent Management – Incorporates a built-in mechanism to obtain explicit user consent for data access and usage.
Protection Against Unwanted Profiling – Safeguards personal data by preventing unauthorized tracking or profiling of users.
Multiple Assurance Levels – Supports varying levels of identity assurance, depending on the authentication method employed.
Digital Wallet Integration – Enables secure, device-based authentication through integration with digital wallets.
Verified Claims Support: eSignet now includes verified claims in its identity response, enabling relying parties to consume high-assurance user attributes.
KYC-Verified Signup: eSignet’s Signup module allows user registration with Video eKYC, enabling identities to be onboarded with verified claims from the start.
FAPI 2.0 Compliance: eSignet now complies with the FAPI 2.0 Security Profile, offering higher security and improved interoperability.
Bridging the Digital Divide – Offers flexible verification modes to cater to users across the digital access spectrum.
Voting Systems: Ensures secure and reliable voter authentication during elections.
Banking: Supports secure customer onboarding and transaction verification.
Insurance: Verified KYC data with high assurance levels enables faster, compliant onboarding, promoting financial inclusion.
Border Control: Enhances national security by verifying the identity of travelers and supporting secure cross-border movement.
Core principles that define eSignet.
eSignet is designed with the architectural principles mentioned below. These architecture principles are core to developing the system's features and greatly influence how and why specific software design patterns are used.
eSignet prioritizes user privacy by minimizing data exposure and ensuring secure interactions:
No PII Data Storage by eSignet: eSignet does not store any personally identifiable information (PII); sensitive data is processed transiently for authentication and never retained.
Privacy-Enabled Token (PSUT): Instead of sharing user IDs, eSignet issues a unique Partner Specific User Token (PSUT) for each user-relying party pair.
Protection of Sensitive Data: Sensitive information is never stored or logged in clear text.
User Controlled Consent: Users have full control over what data is shared with relying parties.
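The PSUT principle above (one stable token per user and relying party, unlinkable across relying parties) is the same idea as a pairwise pseudonymous identifier. The following is an added illustration of that property using an HMAC under a server-side secret; it is not eSignet's own PSUT derivation, which this page does not specify, and the user and client identifiers are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Added example illustrating the PSUT principle: one stable token per
# (user, relying party) pair, unlinkable across relying parties. This is a
# pairwise pseudonymous identifier derived with HMAC-SHA256 under a server
# secret; it is NOT eSignet's actual PSUT algorithm.

# Generated at runtime for the example; a deployment keeps it in a key store.
PSUT_SECRET = secrets.token_bytes(32)


def derive_psut(user_id: str, client_id: str, secret: bytes = PSUT_SECRET) -> str:
    """Return a hex token that is stable for (user_id, client_id) and reveals
    nothing about user_id to a party that lacks the secret."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    fields = (user_id.encode("utf-8"), client_id.encode("utf-8"))
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def can_correlate(token_from_rp_a: str, token_from_rp_b: str) -> bool:
    """Two relying parties pooling their records can only link a user if the
    tokens they hold for that user are equal."""
    return hmac.compare_digest(token_from_rp_a, token_from_rp_b)


def profiling_demo() -> dict:
    """Show both properties: stable for one relying party, distinct across them."""
    bank = derive_psut("resident-0001", "bank-app")        # constructed ids
    bank_again = derive_psut("resident-0001", "bank-app")
    telco = derive_psut("resident-0001", "telco-app")
    return {"stable_for_same_rp": bank == bank_again,
            "linkable_across_rps": can_correlate(bank, telco)}
```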
eSignet is built to be vendor-neutral and open-source, promoting maximum flexibility, interoperability, and independence:
Open Standards Across the Stack – eSignet adheres to open standards across its entire architecture, enabling seamless integration with a wide range of identity systems and infrastructures.
No Dependence on Proprietary Solutions – Organizations are free to use their preferred biometric devices, software components, and infrastructure without being tied to a specific vendor or ecosystem.
Open Source Foundation – As an open-source product, eSignet provides full transparency and avoids proprietary lock-in, allowing adopters to customize, extend, and audit the solution based on their requirements.
eSignet is optimized for cost-efficiency and scalability:
Containerized Backend: All eSignet backend services run as Docker containers, eliminating dependencies on specialized hardware or specific cloud providers.
Multi-Platform Support: It can be deployed on any general-purpose virtual machine (VM) that supports Docker.
Avoids Vendor Lock-in: Organizations are free to use their existing cloud or on-premise infrastructure.
Security is a core principle of eSignet, ensuring end-to-end protection:
Trusted Integrations: eSignet only integrates with verified and trusted applications.
Fraud Prevention: Authentication is tied to specific transactions, reducing the risk of unauthorized access.
Centralized Key Management: A robust key management system ensures secure cryptographic operations.
API Security: All state-changing APIs (the client management endpoints) are protected with OAuth 2.0, enforcing authenticated and authorized access.
Empowering users through transparent licensing.
The documentation is licensed under a Creative Commons Attribution 4.0 International License.
🔗 eSignet's Core Repositories:
All eSignet's core repositories are licensed under the terms of Mozilla Public License 2.0.
⚠️ Trademark Notice:
All trademarks are the property of their respective holders. Other products and company names mentioned here may be trademarks and/or service marks of their respective owners.
Building on the most trusted security protocols.
eSignet is built on industry-leading security standards, ensuring robust privacy and data protection. It implements OpenID Connect Core 1.0 and OAuth 2.0, leveraging the most secure and trusted authentication flows to safeguard user identities.
Biometric Integration via SBI – eSignet integrates with the Secure Biometric Interface (SBI) to support a wide range of biometric service providers. Please refer to the links below for the SBI library that enables biometric authentication with eSignet:
- View the list of compatible biometric devices.
HSM Integration with PKCS #11 – eSignet supports Hardware Security Module (HSM) integration using PKCS #11 for the secure storage and management of signing keys.
Verifiable Credentials & Wallet Integration – eSignet adopts OpenID standards to support verifiable credentials and wallet-based identity verification, enabling seamless cross-platform interoperability.
Identity Assurance (Introduced in v1.5.0) – From version v1.5.0, eSignet supports Identity Assurance under OpenID Connect, allowing retrieval of verified user claims and associated metadata.
Well-knowns – eSignet publishes well-known endpoints for metadata discovery. The supported standardized .well-known endpoints for dynamic service configuration and discovery are listed below.
eSignet provides a limited implementation of the OpenID protocol, supporting the following RFCs and standards:
a. OAuth 2.0 Standards:
- Authorization code flow support
- Authorization Framework: Bearer Token Usage
- JWT profile for client authentication
- PKCE security extension
b. Token and Discovery Standards:
- JSON Web Signature
- JSON Web Keys
- JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
- ID token and access token as JWT
c. Identity Proofing and security:
d. FAPI 2.0 Security Profile:
eSignet adopts the key OpenID FAPI 2.0 requirements listed below. In combination they mitigate authorization request tampering, authorization code interception, bearer token replay, and authorization server mix-up attacks, significantly strengthening OAuth 2.0 security.
- Pushed Authorization Request (PAR)
- Demonstrating Proof of Possession (DPoP)
- Authorization Server issuer Metadata
As eSignet incorporates OpenID Connect, a wide range of client libraries are available for seamless integration. Therefore, it is recommended to avoid creating custom code for the integration process.
eSignet implements and supports only the flows mentioned below:
Note: eSignet supports confidential clients only, adhering to the principle of security by design.
Authorization Code Flow – Exchanges an authorization code for a token, requiring client authentication.
Private-key-jwt – The only supported client authentication method is private-key-jwt, which ensures that the token is issued to a legitimate client.
PKCE – We also support the PKCE (Proof Key for Code Exchange) security extension when exchanging an authorization code for a token, which guarantees that the authorization code was obtained by the same client application performing the code exchange.
Note: eSignet currently supports the S256 challenge method in its PKCE implementation.
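The Authorization Code Flow with PKCE described above, as an added example that is not eSignet's code: the relying-party side derives the verifier/challenge pair and builds the authorization request, and the authorization-server side validates the verifier at the token endpoint, accepting only the S256 method. The client_id and redirect URI are placeholders, and the expected values in the test are the RFC 7636 Appendix B vector.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Added example of RFC 7636 PKCE restricted to the S256 method, matching the
# note that eSignet supports S256. Not eSignet's own code; client_id and
# redirect_uri below are placeholders.

VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 s4.1 alphabet/length


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """48 random bytes -> 64 base64url characters, inside the 43..128 limit."""
    return secrets.token_urlsafe(48)


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_params(client_id: str, redirect_uri: str, verifier: str,
                               scope: str = "openid profile") -> dict:
    """Relying party: query parameters for the authorization request.
    The verifier never leaves the client; only its challenge is sent."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": b64url(secrets.token_bytes(16)),  # binds the callback to this request
        "nonce": b64url(secrets.token_bytes(16)),  # echoed back inside the ID token
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }


def verify_code_exchange(stored_challenge: str, stored_method: str,
                         presented_verifier: str) -> bool:
    """Authorization server, at the token endpoint: the verifier presented with
    the authorization code must hash to the challenge stored with that code."""
    if stored_method != "S256":           # 'plain' is not accepted
        return False
    if not VERIFIER_RE.match(presented_verifier):
        return False
    expected = code_challenge_s256(presented_verifier)
    return hmac.compare_digest(expected, stored_challenge)  # constant-time compare
```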
eSignet’s OAuth 2.0 implementation is a lightweight solution designed specifically for OIDC authentication flows. It does not function as a full-fledged authorization server but provides the essential capabilities required for identity verification and KYC. Additionally, eSignet:
Does not support role-based access control – as it is designed for integration with national-level identity solutions, where predefined roles are not necessary for residents.
OAuth 2.0 RFC 8414 - Authorization Server Metadata
RFC 5785 - Followed for both openid and oauth well-knowns
| Name | URL Paths |
| --- | --- |
| OpenID Configuration | /.well-known/openid-configuration |
| Jwks Json | /.well-known/jwks.json |
| Authorization Server | /.well-known/oauth-authorization-server |
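A relying party that discovers eSignet through the well-known endpoints above should check the metadata before trusting it: the RFC 8414 issuer match (the mix-up defence), and that the advertised profile is the one this page describes (private-key-jwt client authentication, S256-only PKCE, PAR required, DPoP available). The following is an added example, not eSignet's code; the configuration document is a constructed sample with placeholder hostname and endpoint paths.

```python
import json

# Constructed sample of a /.well-known/openid-configuration document, modelled
# on the fields this page lists. Hostname and paths are placeholders, not
# captured from a live eSignet deployment. Added example, not eSignet's code.
SAMPLE_OPENID_CONFIGURATION = json.dumps({
    "issuer": "https://esignet.example.org",
    "authorization_endpoint": "https://esignet.example.org/authorize",
    "pushed_authorization_request_endpoint": "https://esignet.example.org/par",
    "token_endpoint": "https://esignet.example.org/token",
    "userinfo_endpoint": "https://esignet.example.org/userinfo",
    "jwks_uri": "https://esignet.example.org/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt"],
    "code_challenge_methods_supported": ["S256"],
    "require_pushed_authorization_requests": True,
    "dpop_signing_alg_values_supported": ["RS256", "ES256"],
})

ENDPOINTS = ("authorization_endpoint", "pushed_authorization_request_endpoint",
             "token_endpoint", "userinfo_endpoint", "jwks_uri")


def check_provider_metadata(document: str, discovery_url: str) -> list:
    """Relying-party side: return findings (empty list = the metadata matches
    the profile this page describes) before trusting a discovered provider."""
    cfg = json.loads(document)
    findings = []

    # RFC 8414 s3.3: the issuer must equal the URL the document was fetched
    # from, minus the well-known suffix. This is the mix-up attack defence.
    expected_issuer = discovery_url.split("/.well-known/", 1)[0]
    if not expected_issuer.startswith("https://"):
        findings.append("discovery must use https")
    if cfg.get("issuer") != expected_issuer:
        findings.append(f"issuer {cfg.get('issuer')!r} does not match {expected_issuer!r}")

    # Every advertised endpoint must live under the issuer.
    for name in ENDPOINTS:
        url = cfg.get(name, "")
        if not url.startswith(expected_issuer + "/"):
            findings.append(f"{name} {url!r} is not under the issuer")

    # Client authentication: private_key_jwt only (no shared client secrets).
    if cfg.get("token_endpoint_auth_methods_supported") != ["private_key_jwt"]:
        findings.append("token endpoint must accept private_key_jwt only")

    # PKCE: S256 only; 'plain' would defeat code interception protection.
    if cfg.get("code_challenge_methods_supported") != ["S256"]:
        findings.append("code_challenge_methods_supported must be exactly ['S256']")

    # FAPI 2.0 profile: PAR required and DPoP sender-constraining available.
    if not cfg.get("require_pushed_authorization_requests"):
        findings.append("PAR is not required")
    if not cfg.get("dpop_signing_alg_values_supported"):
        findings.append("no DPoP signing algorithms advertised")
    return findings
```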
| Standards | Flow | Client Authentication |
| --- | --- | --- |
| OAuth 2.0 | Authorization Code with PKCE | private-key-jwt |
| OIDC | Authorization Code with PKCE | private-key-jwt |
| Identity Assurance 1.0 | Authorization Code with PKCE | private-key-jwt |
| Component | Version | Description |
| --- | --- | --- |
| Java | OpenJDK 11 | Java is a high-level, class-based, object-oriented programming language that is designed to have as few implementation dependencies as possible. |
| Spring Framework | 2.3.6 | Spring Framework provides a comprehensive programming and configuration model for modern Java-based enterprise applications, on any kind of deployment platform. |
| Project Lombok | 1.18.24 | Project Lombok is a Java library that automatically plugs into your editor and build tools, spicing up your Java. |
| Logback | 1.2.3 | Logback is a logging framework that provides a fast, reliable, and highly configurable solution for generating logs in Java applications. |
| OpenAPI Specification | 1.6.9 | The OpenAPI Specification is a specification language for HTTP APIs that provides a standardized means to define your API to others. |
| Key Manager Service | 1.2.1.0 | The Key Manager Service provides secure storage, provisioning and management of secret data. It provides all the cryptographic operations, such as encryption/decryption and digital signature/verification, making one trust store for all partner trust path validation. |
| React | 18.2v | React lets you build user interfaces out of individual pieces called components. |
eSignet utilizes high-performance storage solutions for managing structured and real-time data.
| Component | Version | Description |
| --- | --- | --- |
| PostgreSQL | 15 | PostgreSQL, also known as Postgres, is a free and open-source relational database management system (RDBMS) emphasizing extensibility and SQL compliance. |
| Redis | 17.3.14 | Redis is an open-source, in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker. Redis can be replaced with any cache compatible with spring-cache. |
| Apache Kafka | 18.3.1 | Apache Kafka is an open-source distributed event streaming platform used by thousands of companies for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications. |
eSignet is designed for containerized and automated deployments, leveraging modern DevOps tools.
| Tool | Version | Description |
| --- | --- | --- |
| Apache Maven | 3.6 | Apache Maven is a software project management and comprehension tool. Based on the concept of a project object model (POM), Maven can manage a project's build, reporting and documentation from a central piece of information. |
| Docker | 20.4 and above | Docker is a set of platform as a service (PaaS) products that use OS-level virtualization to deliver software in packages called containers. |
| npm | 18-alpine | npm is the package manager for the Node JavaScript platform. It puts modules in place so that node can find them, and manages dependency conflicts intelligently. |
eSignet ensures reliability and stability through automated testing frameworks and API testing tools.
| Tool | Version | Description |
| --- | --- | --- |
| JUnit | – | JUnit is a unit testing framework for the Java programming language. JUnit has been important in the development of test-driven development, and is one of a family of unit testing frameworks collectively known as xUnit that originated with SUnit. |
| Newman | – | Newman is a command-line tool that allows you to run Postman collections and automate API tests. It is ideal for integrating API testing into CI/CD pipelines and provides detailed test reports for automated workflows. |
| Postman | – | Postman is an API platform that simplifies the API lifecycle and streamlines collaboration. You can browse the largest network of public APIs, create and share your own workspaces, and access governance rules for API quality. |
| Build workflows | master branch | All workflows necessary to build the project are kept here. |
| Helm | depends on eSignet version | Helm helps you manage Kubernetes applications: it helps define, install, and upgrade even the most complex Kubernetes application. Charts are easy to create, version, share, and publish, so start using Helm and stop the copy-and-paste. |