WSO2 Is Selling Quantum-Ready AI Identity. The Code Says Otherwise.
WSO2 says its new identity system is ready for the post-quantum era. A look at the actual code raises some questions.
WSO2 unveiled ThunderID at WSO2Con North America 2026, positioning it as an open-source identity runtime purpose-built for AI agents — with "post-quantum cryptography ready" listed as a feature in the announcement. The press release names no specific algorithms. A review of the ThunderID GitHub repository, which has 3,658 commits and 199 stars, shows a backend organized around OAuth 2.0 and OIDC server endpoints — authorization, token, introspect, userinfo, JWKS, dynamic client registration. The architecture documentation lists no ML-KEM, Kyber, ML-DSA, Dilithium, SLH-DSA, or Falcon implementations anywhere in the documented structure.
The distinction matters. "Post-quantum cryptography ready" and "post-quantum cryptography deployed" are not the same claim. The first means the system is designed to accept new algorithms when they're validated and integrated. The second means the algorithms are already in the code. WSO2's own README frames ThunderID as built on "crypto-agility" — the ability to swap algorithms, key types, signing methods, and token protection mechanisms as standards evolve. That is a legitimate architectural goal. It is not the same as having already swapped them in.
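As an added illustration of the ready/deployed distinction (not code from WSO2 or the ThunderID repository), the sketch below compares the algorithms an OIDC server advertises in its discovery metadata with the signing keys its JWKS endpoint actually publishes. The sample documents and the `ML-DSA-65` identifier string are constructed, and recognising post-quantum entries by family name is an assumption.

```python
import re

# JWS signature algorithms from RFC 7518 and RFC 8037 (all pre-quantum).
CLASSICAL_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512",
                  "ES256", "ES384", "ES512", "EdDSA"}
CLASSICAL_KTYS = {"RSA", "EC", "OKP"}
# Assumption: post-quantum entries are recognised by the family names the
# article lists, since no fixed identifier registry is given on the page.
PQ_NAME = re.compile(r"ML-?KEM|KYBER|ML-?DSA|DILITHIUM|SLH-?DSA|FALCON", re.I)


def classify(name):
    """Label one alg or kty string as post-quantum, classical or other."""
    if PQ_NAME.search(name or ""):
        return "post-quantum"
    if name in CLASSICAL_ALGS or name in CLASSICAL_KTYS:
        return "classical"
    return "other"


def audit(discovery, jwks):
    """Compare what the metadata advertises with what the JWKS publishes."""
    advertised = {alg for field, values in discovery.items()
                  if field.endswith("_alg_values_supported") for alg in values}
    # A signing key without "alg" is judged by its key type instead.
    published = {k.get("alg") or k.get("kty", "") for k in jwks.get("keys", [])
                 if k.get("use", "sig") == "sig"}
    pq_adv = sorted(a for a in advertised if classify(a) == "post-quantum")
    pq_pub = sorted(p for p in published if classify(p) == "post-quantum")
    if pq_pub:
        verdict = "deployed"          # a post-quantum signing key is live
    elif pq_adv:
        verdict = "advertised-only"   # named in metadata, no key behind it
    else:
        verdict = "classical-only"
    return {"verdict": verdict, "advertised_pq": pq_adv, "published_pq": pq_pub}


# Constructed sample documents, not captured from any real server.
CLASSICAL_META = {"issuer": "https://idp.example",
                  "id_token_signing_alg_values_supported": ["RS256", "ES256"]}
CLASSICAL_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "k1"},
                           {"kty": "EC", "crv": "P-256", "kid": "k2"}]}
AGILE_META = {"issuer": "https://idp.example",
              "id_token_signing_alg_values_supported": ["RS256", "ML-DSA-65"]}

if __name__ == "__main__":
    print(audit(CLASSICAL_META, CLASSICAL_JWKS))
    print(audit(AGILE_META, CLASSICAL_JWKS))
```

The check covers token signing and the advertised JOSE algorithms only; TLS key exchange in front of the server has to be examined separately.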
"Ready for quantum without naming an algorithm is the most honest comment in any repo," the researcher who reviewed the codebase told type0, speaking on condition of anonymity because they were not authorized to discuss the work publicly. "Crypto-agility is a roadmap property. What you actually have right now is an OAuth 2.0 server."
The post-quantum cryptography landscape was settled in 2024 when NIST finalized its first three standard algorithms: ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA for stateless hash-based signatures. Falcon was added shortly after. Any vendor claiming quantum-readiness without referencing these standards is making an unsubstantiated claim — the kind that sounds forward-looking until a cryptographer looks under the hood.
The WSO2 blog on quantum safeness, which does not carry a publication date, states that WSO2 products are "quantum safe" and that the company monitors NIST developments. It does not claim any of the standard algorithms are currently deployed in ThunderID. The OpenWallet Foundation, where ThunderID is slated for contribution pending completion of the donation process, has 43 repositories in its GitHub organization — none of them a thunder-id repository at time of publication.
ThunderID's architecture also includes a Model Context Protocol endpoint, which handles agent-facing interactions. That part is real: the MCP spec is the emerging interface standard for AI agent tool use, and a production-grade OIDC server purpose-built for agent identity is a sensible bet. The question is whether "quantum-ready" describes a current property or a future one. The evidence in the repository does not resolve that question in WSO2's favor.
WSO2 has more than $100 million in annual recurring revenue, according to the same announcement, placing it among the larger independent infrastructure vendors in the enterprise software market. ThunderID was previously developed under the name Thunder within the Asgardeo organization before being renamed and repositioned for the agentic enterprise moment. The rebranding suggests the prior product did not gain significant traction under that name.
WSO2 was recently accepted into the AWS ISV Accelerate program and secured a Cloud Solution Designation for Financial Services with Microsoft, according to the announcement. The company also announced a Forward Deployed Engineering model embedding engineers with strategic customers, alongside WSO2 Integrator 5.0 with AI-augmented integration capabilities.
The agent identity space is becoming crowded. As AI agents begin operating autonomously in enterprise environments — accessing resources, approving transactions, signing documents — the question of how to authenticate them is real and unresolved. Current OAuth 2.0 patterns were designed for human-backed applications. Agent identity needs to handle non-repudiation, scoped delegation, and machine-speed revocation in ways that existing M2M identity patterns don't fully address. ThunderID is attempting to fill that gap.
Whether it fills it with post-quantum protection or just a new label on an existing OAuth stack is the question WSO2 has not yet answered. The code is there to answer it. So far, it hasn't.
The identity layer has historically captured enormous value in enterprise software. OAuth 2.0 became the substrate for API access in the 2010s, and the companies that owned that layer — Auth0, Okta, Ping Identity — became foundational infrastructure. Agentic AI is attempting the same migration: from human-backed sessions to machine-speed, autonomous, scoped delegations of authority. ThunderID is WSO2's attempt to own that layer before hyperscalers build their own. AWS, Microsoft, and Google all have identity products. None have a purpose-built agent identity runtime with MCP integration and an open governance model under active contribution. That gap is what WSO2 is trying to occupy. The problem is that owning the trust layer for AI agents is only valuable if the trust layer actually holds — and a trust layer built on crypto-agility rather than deployed post-quantum cryptography may not hold as long as the marketing suggests.
Daniel Goldscheider, founder and executive director of the OpenWallet Foundation, was quoted in the WSO2 announcement supporting the contribution. The donation process had not been completed at time of publication.