OpenVPT Standard Privacy-preserving identity layer

Verified Person & Age Token for digital platforms.

OpenVPT™ defines an open, cryptographically verifiable token that proves a user is a real person and belongs to a specific age group — without revealing their name, date of birth or ID number.

↗ View specification on GitHub ⬇ Download Draft (PDF)

Alignment

eIDAS 2.0 · EU Digital Identity Wallet

Use cases

Social networks, marketplaces, youth safety, anti-bot

The problem

Platforms collect more data than they need.

Social networks, marketplaces and content platforms must answer simple questions: Is this a real person? and Is this user old enough?. But current solutions require full identity checks, ID document uploads and long-term storage of sensitive data.

Three critical challenges

Fake & bot accounts scale faster than manual checks can handle.
Youth safety requires reliable age checks without invasive identity collection.
Regulations (e.g. eIDAS 2.0, DSA, AML) demand higher assurance and better privacy.

                Key question
                Platforms do not need your full identity to answer “is this a verified person aged 18+?” –
                yet today they often collect and store far more data than required.
              

The OpenVPT approach

A minimal, standardized proof instead of full identity.

OpenVPT defines how trusted Identity Providers issue a compact, verifiable token that proves personhood and age group – without exposing personal details to the relying platform.

What OpenVPT introduces

Verified Person Token – proves that the subject is a real, verified human.
Age Token – provides age bands (13+, 15+, 18+, 21+) instead of birth dates.
Service-scoped proofs – every platform receives a unique, non-linkable token.
Governance model – defines trusted IdPs, LoA and compliance expectations.

                Designed for compatibility
                OpenVPT is designed to work with state eID, EU Digital Identity Wallets, regulated KYC providers,
                banks and telcos – as issuing Identity Providers.
              

Core principles

Privacy-preserving by design.

OpenVPT follows a small set of principles that make it suitable for global platforms, EU deployments and independent security review.

Minimal data disclosure

Service-specific, non-linkable tokens

Cryptographic verifiability

Decentralized trust model

Alignment with eIDAS 2.0

Open standard and review

Minimal data disclosure. Platforms only receive information needed for access decisions – such as “age_over_18: true” – and nothing else.
Standardized token format. OpenVPT defines a predictable JSON/JWT structure that is easy to implement, audit and interoperate with.
Decentralized trust. Multiple Identity Providers (state, bank, telco, KYC) can issue OpenVPT tokens under a shared governance model.
User-centric control. Users can hold multiple OpenVPT tokens, renew them and choose where they are presented.
Built for scale. Token validation is lightweight, cacheable and compatible with large-scale CDNs and edge architectures.

Flow

How OpenVPT works in four steps.

OpenVPT can be layered on top of existing identity flows without requiring platforms to store identity data themselves.

Protocol overview

1

Identity Provider verifies the user.
Using eID, bank ID, telco SIM registration or another regulated mechanism, the IdP confirms personhood and date of birth.
2

IdP issues an OpenVPT token.
A signed JWT is created containing personhood and age band claims, scoped to a specific relying party (platform).
3

The platform validates the token.
The relying party fetches the IdP’s public key, verifies the signature and checks expiry, audience and assurance level.
4

Access is granted with minimal data.
The platform learns only what is necessary (e.g. “verified_person = true”, “age_over_18 = true”), enabling safe onboarding and policy enforcement.

Why it matters

How OpenVPT differs from typical KYC or age checks.

OpenVPT is not another onboarding product – it is a protocol proposal that platforms, IdPs and regulators can align on.

High-level comparison

Capability	OpenVPT	Typical solutions
Zero identity disclosure to platform	Yes	Often no
Standardized, open token format	Yes	Rarely
Compatible with eIDAS 2.0 / EUDI	Yes	Partially
Real person (bot resistance) proof	Yes	Limited
Platform-agnostic, multi-IdP model	Yes	Vendor-specific
Designed for independent security review	Yes	Varies

                Intent
                OpenVPT is proposed as a neutral, open standard that can be adopted by multiple Identity Providers and
                platforms – not as a proprietary product.
              

Integration example

How a platform calls an OpenVPT verification API.

OpenVPT defines the token format and trust model. Implementations such as a reference implementation can expose a simple verification API, so platforms do not need to parse or store identity data themselves.

Example request & response

Request from the platform (Relying Party):

{
  "platform": "facebook",
  "handle": "@john_doe"
}

Response from an OpenVPT-aware verification service (e.g. OpenVPT reference implementation):

{
  "status": "valid",
  "reason": "Token is cryptographically valid and active.",
  "claims": {
    "issuer": "https://openvpt.example",
    "issuer_country": "CZ",
    "issuer_type": "kyc_provider",
    "assurance_level": "eidas-high",
    "policy_profile": "openvpt-eu-1.0",
    "real_person": true,
    "age_bracket": "18+",
    "trust_level": 3
  },
  "context": {
    "platform": "facebook",
    "handle": "@john_doe",
    "device_bound": true
  }
}

Project status

Open draft, seeking review and collaboration.

OpenVPT is currently published as a public working draft, open to feedback from platforms, Identity Providers, regulators and security researchers.

Specification

OpenVPT core v1.1 – Public Working Draft

EU profile

Draft profile for eIDAS 2.0 & EUDI Wallet – Available

Implementation

Prototype implementation and demo relying party – In progress

Contact & collaboration

Author: Vojtěch Sejkora
Architect of the OpenVPT Standard and reference implementation.

OpenVPT is shared as an open proposal. If you work on trust & safety, digital identity, eIDAS 2.0, EUDI Wallets or youth safety, your feedback and collaboration are very welcome.

📩 Email the author 🔗 Connect on LinkedIn 💻 GitHub repository

For security or protocol review, you can also reference this page (OpenVPT.dev) in your documentation or internal tickets.