DPDP Act 2023India’s data-protection law takes effect 13 May 2027.Read the Act
NamoID
Product

Developers

OverviewSDKs, quickstart, frameworksDocumentationSoonGuides & integrationAPI referenceSoonEndpoints & schemas
PricingCompliance

Company

AboutWho we are & why we build thisBlogProduct & engineering notesSecurityHow we protect your dataContacthello@namoid.in
Sign inComing soonBook a demo
All posts
NamoID Blog

Introducing NamoID: compliant onboarding for India

The NamoID Team2 min read

Ship a consumer product in a regulated market and you know the shape of the problem. You wire up an auth provider for login. A separate KYC vendor for Aadhaar and DigiLocker. An OTP carrier for SMS. A WhatsApp partner for delivery. Then you hand-roll an audit log, because none of their tools gives you something a DPDP regulator can actually read. Six contracts. Six failure modes. A compliance pass that takes a quarter to assemble.

We got tired of that. NamoID is what we wished existed when we started: a privacy-first identity platform that ships every India rail and the audit trail behind one secure issuer URL.

One issuer URL, every rail

You point your app at a single OIDC discovery document. Behind it sit the standards everyone expects (PKCE on every flow, refresh-token rotation, JWKS rotation, WebAuthn passkeys) and the rails most identity vendors stop short of:

  • Phone + OTP over SMS with a DLT-compliant template path
  • WhatsApp OTP for a channel users actually trust
  • DigiLocker for issuing-authority document checks
  • Aadhaar offline-XML with share-code unlock + signature verification
  • Truecaller signature-verified device payload

You don't pick a "social-only" or "OTP-only" tier. They're all available behind the same issuer, gated per environment by feature flag, and they all emit events into the same append-only audit log. Add a rail later and nothing in your client code changes; you flip a flag.

DPDP-grade from day one

The DPDP Act 2023 compliance window closes on 13 May 2027. We treat that as a hard deadline, not a someday-migration:

  • Every consent moment lands in the events table with timestamp, IP, scope, and provider
  • /v1/audit/export returns a user's full event history + connected providers for DSAR requests
  • Provider tokens are encrypted at rest with AES-256-GCM
  • Aadhaar full numbers are never persisted. We keep only the last-4, a name-hash, and the signature-verification result; the full XML is processed in memory and dropped

What's next

This blog is where we'll surface release notes, deep dives on the provider integrations, and the occasional "here's the bug that taught us X." Subscribe to the RSS feed so you don't miss them. The product ships soon.

Want to see it in action? Book a demo or say hello at hello@namoid.in.