Who someone is can be verified. Whether they are authorized to act could not be — until now.

GLEIF — vLEI Authenticator

A supplier submits a request. The person is known, the user account active, the technical check positive. And yet the decisive piece of information is missing: is this person actually acting on behalf of the company? And in what capacity? This question goes unanswered in most systems — not because the answer does not exist, but because no one has made it verifiable.

The system knows the person. The company behind them it does not.

Classic IAM systems (Identity and Access Management) confirm identities. They say: this person exists, their account is active, authentication was successful. What they do not say: who is this person acting for? With what authorization? In what role?

This is not a technical failure. It is a structural gap. And it becomes costly wherever decisions depend not just on a person's identity, but on the legitimacy of their action.

Compliance checks, supplier onboarding, regulatory reporting, data access across company boundaries: all of these processes today require manual coordination. Documents, follow-up questions, waiting times. What could be decided in seconds takes hours or days — because corporate identity and authorization to act cannot be transferred in a directly verifiable way.

Knowing only who someone is means making half-decisions.

LEI and vLEI: corporate identity becomes a credential.

The Legal Entity Identifier (LEI) is a global standard for the unique identification of companies. It is anchored in financial market regulation and commercial law and is used worldwide to create transparency in digital transactions.

The verifiable Legal Entity Identifier (vLEI) is the cryptographically verifiable digital version of this standard. As a Verifiable Credential — a digitally issued, machine-verifiable proof — the vLEI does not just identify an organization. It also identifies which individuals are authorized to act on its behalf: as CFO, as compliance officer, as an authorized representative.

The credential is cryptographically secured, bound to GLEIF as a global trust anchor, and can be integrated into any process that requires it. For the first time, a claim becomes evidence.

Corporate identity used to be a claim. With the vLEI, it becomes a credential.

How the vLEI Authenticator works.

esatus developed the vLEI Authenticator together with GLEIF and deployed it in a live enterprise environment. The authenticator integrates into Keycloak, the widely used open-source IAM system, via its service provider interface. Keycloak itself is not modified. The authentication flow receives an additional verification step without rebuilding the system and without a new architecture.

When a user selects "Login with vLEI", SOWL takes over. SOWL is the orchestration layer developed by esatus for Verifiable Credentials in enterprise environments. It coordinates the interaction between wallet, verifier, and IAM system. The KERIAuth browser extension retrieves the vLEI credential from the user's wallet. The GLEIF vLEI Verifier checks authenticity and validity along the KERI trust chain. The result is returned to Keycloak, which issues the access token.

Access is only granted when both the organizational vLEI and the role credential are valid, cryptographically signed, and traceable to an authorized issuer. From the user's perspective: select, confirm in the wallet, access granted. The rest runs in the background.
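The access rule in the paragraph above, modelled in Python as an added example (not esatus, GLEIF or Keycloak code): the verifier walks the presented chain from the role credential through the legal entity's vLEI to the Qualified vLEI Issuer (QVI) credential, requires every link to be signed by the subject of the link above it, rejects revoked or tampered credentials, and only then returns the claims an IAM system would place in the token. Identifiers, keys and the LEI are constructed placeholders; the HMAC-SHA256 "signature" stands in for the real KERI signature on an ACDC credential, and the field name `said` and the chain layout are assumptions for illustration. OOR and ECR are the vLEI role credential types (Official Organizational Role, Engagement Context Role).

```python
"""Toy model of the access gate: a login is granted only when the role credential,
the legal-entity (LE) vLEI and the QVI credential are all signed, unrevoked and
chained to the GLEIF root of trust. Constructed example, not esatus/GLEIF/Keycloak code."""
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

# Assumed identifier for the GLEIF trust anchor (constructed, not the real GLEIF AID).
GLEIF_ROOT = "did:example:gleif-root"
# vLEI role credential types: Official Organizational Role and Engagement Context Role.
ROLE_SCHEMAS = {"OOR", "ECR"}


@dataclass
class Credential:
    said: str       # credential identifier (field name assumed)
    schema: str     # "QVI", "LE", "OOR" or "ECR"
    issuer: str     # identifier of the signing party
    subject: str    # identifier the credential is about
    claims: dict
    signature: str = ""


def _payload(cred: Credential) -> bytes:
    """Canonical bytes covered by the signature: every field except the signature."""
    body = {k: v for k, v in cred.__dict__.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(cred: Credential, issuer_key: bytes) -> Credential:
    """Stand-in for the issuer's KERI signature: HMAC-SHA256 keyed per issuer (toy only;
    a real vLEI is an ACDC signed with the issuer's KERI key state)."""
    sig = hmac.new(issuer_key, _payload(cred), hashlib.sha256).hexdigest()
    return replace(cred, signature=sig)


class TrustChainVerifier:
    """Grant/deny decision for one presented chain of credentials."""

    def __init__(self, issuer_keys: dict, revoked: set):
        self.issuer_keys = issuer_keys   # issuer id -> verification key
        self.revoked = revoked           # credential ids withdrawn by their issuer

    def _signature_ok(self, cred: Credential) -> bool:
        key = self.issuer_keys.get(cred.issuer)
        if key is None:
            return False  # unknown issuer: nothing to verify against
        expected = hmac.new(key, _payload(cred), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, cred.signature)

    def verify_login(self, chain: list) -> tuple:
        """chain = [role credential, LE credential, QVI credential].
        Returns (granted, detail); on success detail holds the claims for the token."""
        if len(chain) != 3:
            return False, "chain must contain role, LE and QVI credentials"
        role, le, qvi = chain
        if role.schema not in ROLE_SCHEMAS:
            return False, f"{role.schema} is not a role credential"
        if le.schema != "LE" or qvi.schema != "QVI":
            return False, "chain is not role -> LE -> QVI"
        for cred in chain:
            if cred.said in self.revoked:
                return False, f"{cred.said} revoked"
            if not self._signature_ok(cred):
                return False, f"bad or unverifiable signature on {cred.said}"
        # Each credential must be issued by the subject of the one above it,
        # and the top of the chain must be the GLEIF root.
        if qvi.issuer != GLEIF_ROOT:
            return False, "QVI credential not issued by the GLEIF root"
        if le.issuer != qvi.subject:
            return False, "LE credential not issued by the qualified issuer"
        if role.issuer != le.subject:
            return False, "role credential not issued by the legal entity"
        if role.claims.get("LEI") != le.claims.get("LEI"):
            return False, "role credential LEI does not match the legal entity"
        return True, {"sub": role.subject, "lei": le.claims["LEI"], "role": role.claims.get("role")}


# --- constructed sample data (keys and identifiers are placeholders) ---
QVI_AID, LE_AID = "did:example:qvi-1", "did:example:le-1"
KEYS = {GLEIF_ROOT: b"gleif-key", QVI_AID: b"qvi-key", LE_AID: b"le-key"}
LEI = "EXAMPLELEI0000000001"  # placeholder, not a registered LEI


def sample_chain() -> list:
    """A fresh, correctly issued chain for the CFO of the sample legal entity."""
    qvi = sign(Credential("said-qvi", "QVI", GLEIF_ROOT, QVI_AID, {}), KEYS[GLEIF_ROOT])
    le = sign(Credential("said-le", "LE", QVI_AID, LE_AID, {"LEI": LEI}), KEYS[QVI_AID])
    role = sign(Credential("said-oor", "OOR", LE_AID, "did:example:alice",
                           {"LEI": LEI, "role": "Chief Financial Officer"}), KEYS[LE_AID])
    return [role, le, qvi]


if __name__ == "__main__":
    verifier = TrustChainVerifier(KEYS, revoked=set())
    print(verifier.verify_login(sample_chain()))
    tampered = sample_chain()
    tampered[0].claims["role"] = "Chief Executive Officer"  # edited after signing
    print(verifier.verify_login(tampered))
    print(TrustChainVerifier(KEYS, revoked={"said-le"}).verify_login(sample_chain()))
```

The point the example makes is that a valid signature on the role credential alone proves nothing: the decision is only sound once the legal entity's own credential is verified and the chain is followed up to the trust anchor, which is why the authenticator treats the organizational vLEI and the role credential as one unit.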

What the live deployment showed.

The integration into Keycloak was implemented in a modular way without extensive customization. The login process works without a password and without any breaks in the workflow. Verification runs in seconds. Organizations were able to verify both their corporate identity and the authorization of their employees to act. Data access was only granted after full verification. What previously required manual checks, taking hours or days, now runs automatically and cryptographically secured.

SOWL as the connecting layer.

SOWL performs three functions in the vLEI Authenticator. It coordinates the workflow between wallets, verifiers, and IAM systems without mixing trust domains. It provides standardized interfaces so that Keycloak can consume verification results as authentication decisions. And it ensures that every verification process is logged, reproducible, and aligned with GLEIF governance.

SOWL is aligned with the EU Architecture Reference Framework and supports standards such as OpenID4VCI and OpenID4VP as well as credential formats such as SD-JWT and mDoc. What was used in the vLEI context is transferable to future EUDI Wallet integrations.

SOWL separates the verification logic from the IAM. That is why nothing needs to be rebuilt.

The real question is not a technical one.

Many organizations verify multiple times today and still rarely verify the right thing. They know who is logging in. They do not know whether that person is authorized to do what they want to do.

This is not a weakness of individual systems. It is the result of an architectural decision that was considered sufficient for as long as transactions took place within a single organization. As soon as partners, suppliers, or external service providers enter the picture, identity alone is no longer enough.

Wherever people act on behalf of organizations and this authorization is today documented through paperwork, follow-up questions, or manual confirmations, the same question arises: why is this result not a verifiable credential?