VPAT Standard Privacy-preserving identity layer

Verified Person & Age Token for digital platforms.

VPAT is an open, cryptographically verifiable token standard that proves a user is a real person and belongs to a specific age group — without revealing their name, date of birth or ID number.

↗ View specification on GitHub ⬇ Download VPAT 1.1 Draft (PDF)

Alignment

eIDAS 2.0 · EU Digital Identity Wallet

Use cases

Social networks, marketplaces, youth safety, anti-bot

The problem

Platforms collect more data than they need.

Social networks, marketplaces and content platforms must answer simple questions: Is this a real person? and Is this user old enough?. But current solutions require full identity checks, ID document uploads and long-term storage of sensitive data.

Three critical challenges

Fake & bot accounts scale faster than manual checks can handle.
Youth safety requires reliable age checks without invasive identity collection.
Regulations (e.g. eIDAS 2.0, DSA, AML) demand higher assurance and better privacy.

                Key question
                Platforms do not need your full identity to answer “is this a verified person aged 18+?” –
                yet today they often collect and store far more data than required.
              

The VPAT approach

A minimal, standardized proof instead of full identity.

VPAT defines how trusted Identity Providers issue a compact, verifiable token that proves personhood and age group – without exposing personal details to the relying platform.

What VPAT introduces

Verified Person Token – proves that the subject is a real, verified human.
Age Token – provides age bands (13+, 15+, 18+, 21+) instead of birth dates.
Service-scoped proofs – every platform receives a unique, non-linkable token.
Governance model – defines trusted IdPs, LoA and compliance expectations.

                Designed for compatibility
                VPAT is designed to work with state eID, EU Digital Identity Wallets, regulated KYC providers,
                banks and telcos – as issuing Identity Providers.
              

Core principles

Privacy-preserving by design.

VPAT follows a small set of principles that make it suitable for global platforms, EU deployments and independent security review.

Minimal data disclosure

Service-specific, non-linkable tokens

Cryptographic verifiability

Decentralized trust model

Alignment with eIDAS 2.0

Open standard and review

Minimal data disclosure. Platforms only receive information needed for access decisions – such as “age_over_18: true” – and nothing else.
Standardized token format. VPAT defines a predictable JSON/JWT structure that is easy to implement, audit and interoperate with.
Decentralized trust. Multiple Identity Providers (state, bank, telco, KYC) can issue VPAT tokens under a shared governance model.
User-centric control. Users can hold multiple VPAT tokens, renew them and choose where they are presented.
Built for scale. Token validation is lightweight, cacheable and compatible with large-scale CDNs and edge architectures.

Flow

How VPAT works in four steps.

VPAT can be layered on top of existing identity flows without requiring platforms to store identity data themselves.

Protocol overview

1

Identity Provider verifies the user.
Using eID, bank ID, telco SIM registration or another regulated mechanism, the IdP confirms personhood and date of birth.
2

IdP issues a VPAT token.
A signed JWT is created containing personhood and age band claims, scoped to a specific relying party (platform).
3

The platform validates the token.
The relying party fetches the IdP’s public key, verifies the signature and checks expiry, audience and assurance level.
4

Access is granted with minimal data.
The platform learns only what is necessary (e.g. “verified_person = true”, “age_over_18 = true”), enabling safe onboarding and policy enforcement.

Why it matters

How VPAT differs from typical KYC or age checks.

VPAT is not another onboarding product – it is a protocol proposal that platforms, IdPs and regulators can align on.

High-level comparison

Capability	VPAT	Typical solutions
Zero identity disclosure to platform	Yes	Often no
Standardized, open token format	Yes	Rarely
Compatible with eIDAS 2.0 / EUDI	Yes	Partially
Real person (bot resistance) proof	Yes	Limited
Platform-agnostic, multi-IdP model	Yes	Vendor-specific
Designed for independent security review	Yes	Varies

                Intent
                VPAT is proposed as a neutral, open standard that can be adopted by multiple Identity Providers and
                platforms – not as a proprietary product.
              

Project status

Open draft, seeking review and collaboration.

VPAT is currently published as a public working draft, open to feedback from platforms, Identity Providers, regulators and security researchers.

Specification

VPAT core v1.1 – Public Working Draft

EU profile

Draft profile for eIDAS 2.0 & EUDI Wallet – Available

Implementation

Prototype implementation and demo relying party – In progress

Contact & collaboration

Author: Vojtěch Sejkora
Architect of the VPAT Standard and reference implementation.

VPAT is shared as an open proposal. If you work on trust & safety, digital identity, eIDAS 2.0, EUDI Wallets or youth safety, your feedback and collaboration are very welcome.

📩 Email the author 🔗 Connect on LinkedIn 💻 GitHub repository

For security or protocol review, you can also reference this page (vpat.dev) in your documentation or internal tickets.