Open source. Standards-based. Yours to run.
Sorcha is built on .NET 10 and .NET Aspire, MIT-licensed, and self-hostable with Docker. Eight single-responsibility services, a documented API, and more than 10,000 tests. Read it, run it, build on it.
The services
Eight single-responsibility services, each doing one job: Blueprint (workflow definitions), Wallet (keys and signing), Register (append-only Merkle ledgers), Validator (quorum consensus), Peer (decentralised replication), Tenant (multi-tenancy), the API Gateway (single external surface), and the HAIP service (the boundary to the OpenID4VC wallet ecosystem). Every protocol and primitive is a published standard.
Cryptography
- ML-DSA (FIPS 204) post-quantum signatures as the core, default signing path; ML-KEM (FIPS 203) key encapsulation; additional SLH-DSA (FIPS 205) primitives present in the cryptography library.
- BIP-32/39/44 hierarchical deterministic wallets; Ed25519, P-256 and RSA-4096 also supported.
- Per-recipient key wrapping for selective disclosure — each party's data is sealed to a key only they hold, so the operator cannot read what it was not given access to.
- Append-only registers with Merkle dockets and SHA-256 hash linkage.
Standards
OpenID4VCI (issuance), OpenID4VP (presentation), SD-JWT VC, W3C Verifiable Credentials 2.0, and the did:sorcha DID method. The HAIP service bridges the classical-signature requirement at the wallet boundary with a classical co-key derived alongside the post-quantum keys.
Run it
Self-host the whole platform with Docker Compose, or run it with .NET Aspire for local development. The quick-start gets you going in a few minutes.