Stop asking who to trust. Start verifying.
Sorcha replaces asserted trust with cryptographic proof. Every action is signed by the participant who took it, every record is immutable, and every party can check the evidence for themselves — without trusting the platform.
Three ways in.
Digital systems run on assertion. AI just made assertion cheap to fake.
A document says it's real. A platform claims its data came from a trusted source. None of it is cryptographically anchored — so when forgery becomes fast and cheap, the whole edifice becomes unreliable. The systems that run society were built assuming the data they consume is honest. That assumption is breaking.
Deepfaked-selfie attacks rose 58% in 2025 — assertion-based identity checks have no defence against high-quality forgery.
Entrust, 2026 Identity Fraud ReportBy 2028, at least 80% of governments will deploy AI agents to automate routine decision-making — decisions that need inputs they can trust.
Gartner, 17 Mar 2026Cryptographic proof defends against forgery. Assertion does not. That is the gap Sorcha closes.
The Sorcha thesisProof, in four steps.
Sign
Each participant holds their own keys. Every action is signed by the person or organisation who took it — accountability is built in, not bolted on.
Record
Signed actions are written to an append-only register, each entry Merkle-chained to the last. Nothing can be altered or quietly removed.
Disclose
Each party sees only the fields they're entitled to — and each party's data is encrypted to a key only they hold (per-recipient key wrapping). The platform cannot read what it was not given access to.
Verify
Any party can check the signatures and the chain themselves. Trust comes from the evidence, not from us.
The DAD model: Disclosure, Alteration, Destruction.
Disclosure
Managed by schema. What each participant can see is defined and bounded.
Alteration
Recorded on an immutable ledger. Every change is signed and chained; history can't be rewritten.
Destruction
Eliminated by replication. Records are replicated across the peer network, so no single party can erase them.
Design a workflow. Rehearse it. Then go live.
The Designer walks you from a plain-language description to a running, signed workflow in four stages — and lets you test against sample data before anything goes live.
Say what the process does, in plain language.
See the participants, actions and disclosures the platform derived.
Run it against sample data; nothing is committed.
Publish only once rehearsal passes — gated server-side, so you can't skip it.
Your credentials, on your device, in your control.
The Sorcha Wallet is an app you install on your phone. It holds the credentials organisations issue to you, and lets you present exactly what's asked for — and only that. Whoever you show them to can check they're genuine, without phoning anyone to confirm.
Hold credentials offline
On your device, not a server you have to trust.
Present only what's requested
Selective disclosure by design — show one field, keep the rest private.
Built on open standards
OpenID4VP and SD-JWT VC — not a walled garden.
Nothing proprietary. Everything inspectable.
Every protocol, format and cryptographic primitive Sorcha uses is a published standard.
Built for records that outlive today's cryptography.
Some records have to stay verifiable for decades — a product passport, a property history, a regulatory audit trail. Sorcha uses ML-DSA (FIPS 204) post-quantum signatures and ML-KEM (FIPS 203) key encapsulation as a core part of the platform, not a side feature.
The honest boundary
The HAIP wallet boundary still requires classical signatures today; Sorcha bridges this with a classical co-key derived alongside the post-quantum keys.
What's on the roadmap
Zero-knowledge selective disclosure (BBS+) is on the roadmap, not shipped — today's selective disclosure is show/hide. We tell you what exists and what doesn't.
Where proof beats "trust me".
Sorcha fits domains where multiple parties must share data they each need to trust, under regulation that won't accept an operator's word for it.
Government-aligned identity
The same standards the EU Digital Identity Wallet and GOV.UK Wallet are converging on — Sorcha is the workflow and verifier layer above them.
Digital Product Passports
Tamper-evident, multi-party, selectively-disclosed lifecycle records — the proof substrate underneath DPP platforms, with signatures built to last a product's lifetime.
AI-decision audit trails
High-risk systems must document data provenance and log automatically. Signed, immutable register entries are exactly what an auditor needs.
SME trade finance
A buyer's wallet signature on an invoice is the trust anchor for a lender — no intermediary needs to vouch for the data, and no blockchain token is required.
Open source. Standards-based. Yours to run.
Sorcha is built on .NET 10 and .NET Aspire, MIT-licensed, and self-hostable with Docker. Eight single-responsibility services, a documented API, and more than 10,000 tests. Read it, run it, build on it.
Where we are — honestly.
Sorcha's core feature set is complete. It is not yet production-hardened — it's open source, standards-based, and ready to evaluate and pilot. If you want to test proof-based infrastructure for a regulated, multi-party workflow, this is the point to start a conversation.