RRID architecture
Modular platform for any perimeter
RRID is composed of four layers: issuance, verification, policy and telemetry. Each module can run as a managed service or self-hosted.
Trust Layer
Ed25519 signature, ZIP215 compatibility, offline verification. Supports hardware secure elements.
Policy Layer
Limits, geofencing, schedules, device binding. Authored as YAML/JSON and versioned in Git.
Integration Layer
SDK, REST/gRPC and CLI. CI/CD ready via GitHub Actions, GitLab and Terraform.
Data flow
End-to-end issuance and verification
Four stages explain how tokens move from issuer to verifier with optional telemetry.
Issuer
Signs payload, attaches policy and publishes JWKs. UI and CLI are available.
- HSM/CloudKMS
- Audit log
- Secrets rotation
Verifier
Mobile app, web client or device verifies the signature offline.
- WebCrypto
- Rust/WASM
- Edge fallback
Policy Engine
Online context checks with edge caching. Rules expressed in JSON/YAML.
- OPA compatible
- Multi-issuer
- Observability
Telemetry
Optional aggregated events and metrics without PII.
- Plausible
- BigQuery
- S3 lake
Infrastructure & security
- HA: active-active regions, ready-to-use Terraform/Helm charts.
- Secrets: HashiCorp Vault, AWS KMS, Azure Key Vault.
- Observability: OpenTelemetry, Prometheus, Grafana.
- Security: mTLS, JWT/OIDC, RBAC and audit trail.
- Compliance: GDPR-ready, ISO 27001, SOC 2 for the managed service.
- Performance: < 5 ms edge, p99 < 20 ms.