Why we are open-sourcing the core identity protocol

The Manav core identity protocol — the cryptography, the schema, the verification logic — is open-source under Apache 2.0. The reference implementation is open-source. The hosted services, the SLAs, and the audited deployments are commercial. The boundary is deliberate, and explaining it matters.

What is open
The protocol specification, in plain-text and machine-readable form. The Rust, Python, Go, Node, and TypeScript reference implementations of issuer, holder, and verifier. The audit-trail schema. The revocation channel protocol. The PoHW emission formula. Test vectors. Conformance suites. Anyone, anywhere, can read the code, run the benchmarks, fork the implementation, and build a competitor.

What is closed
The hosted Manav verification service (with its 99.99% SLA, multi-region failover, and DDoS protection). The enterprise compliance dashboards. The customer-facing onboarding flows. The professional services. The intrusion-detection on our hosted endpoints. None of these are protocol; all of them are operational.

Why this boundary
Trust infrastructure that is closed becomes a single point of policy. Every identity vendor that has tried to be the sole authority over its category has either been broken open by a regulator, abandoned for an alternative, or quietly degraded into a checkbox. The protocols that lasted — TCP/IP, DNS, TLS, OAuth — were open. The implementations that profited beside them — Cisco, Verisign, Cloudflare, Auth0 — were commercial. The pattern works because the protocol layer cannot afford to be a vendor's secret, while the operations layer is plenty defensible.

The license choice
Apache 2.0 for the protocol. Permissive enough that any major cloud, any agent framework, any existing identity vendor can integrate without lawyer-friction. Patent grant included. The trademark is licensed separately: an implementation may call itself "Manav-compatible" only if it passes the conformance suite.

Governance
An open governance forum at governance.manav.id takes proposals via a structured RFC process. The Manav company writes most early proposals; the door is genuinely open and we have already accepted three substantial protocol changes from external contributors. Long-term, we expect the protocol to live with a foundation; we will donate it to one (likely the Linux Foundation's Agentic AI Foundation, where MCP went) once the protocol is stable enough.

The commercial play
Two products. The hosted verification service, where we charge per verification. The enterprise compliance suite, where we charge per seat. Both are operational layers, both are differentiated by SLA, audit posture, and integrations rather than by access to the protocol. The protocol stays free; the operations get easier the more you pay.

What this means for early integrators
You are integrating a protocol you can keep using even if Manav-the-company makes you angry tomorrow. The lock-in is operational, not protocol-level. Every claim Manav makes is auditable; every implementation choice is forkable. We win when the protocol wins, and the protocol wins when no one needs us specifically to use it.

Common objections
Two objections worth answering. The first: stated values do not survive growth pressure. True historically, which is why we put structural mechanisms (open-source, governance, protocol-enforced custody) behind the words rather than relying on the words alone. The second: this sounds like marketing. The test will be the audit hashes, the protocol design, and the operating agreements, not the prose.

Frequently asked questions
What does this commitment cost us if we honor it? Real money in the years where the temptation would have been highest. We are pricing it in upfront because the commitment is structural, not aspirational.
Where do we publish this commitment? Here, on the protocol governance page, and in the operating agreements with our investors. Anyone can audit whether the commitment is being kept by reading the audit hashes we publish quarterly.
What if leadership changes? The commitment is structural enough that new leadership cannot quietly reverse it. The protocol mechanics make a breach detectable; the legal commitments add a second layer; the cultural commitments add a third.

Where to start
For the wider posture, read "Manav manifesto" and "Why no network effect". The values, the protocol, and the operating model only fit together when read in that order.

What open source costs us, and why we pay it
Open source costs us product velocity. Every line we ship is read, criticized, and forked. The competitive analysis is permanent and adversarial. Patents are harder to defend. Acquisition narratives are harder to control. We accept all of that because the alternative is worse. A closed identity protocol cannot be audited. A closed identity protocol cannot be self-hosted. A closed identity protocol cannot survive the death of its sponsor. The history of identity is littered with closed protocols that worked beautifully until the sponsor lost interest, and the users discovered they had built on rented land. Open source is the only legal structure that keeps the protocol available to the people who depend on it after we are gone. The cost of that durability is real, but the cost of not paying it is paid by users we will never meet, in conversations we will never hear, when we are no longer in the room.

Open the protocol. Charge for the operations. The trust layer that is plenty defensible is the one you do not own.