Signs DID documents, stores them and makes them available through did:web.
This service provides a POST endpoint to store DID documents. Before storing, documents are assigned an @id, which is
inferred from the request URL. The document is signed
and a suitable issuer, issuanceDate and verificationMethod is added. Note that existing documents are overwritten.
The signature is only updated if no signature is present.
Stored documents can be retrieved through a GET endpoint. The corresponding public key is served as well.
The did:web specification assumes that all documents are served via HTTPS. In addition, this service assumes to be
exposed on the default port 443. You will need to configure your load balancer accordingly. In addition, you should take
measures so that the POST API is not publicly accessible (e.g., by adding authentication through the load balancer).
The service is configured via environment variables.
| Configuration | Description |
|---|---|
KEY |
PEM-formatted private key (required) |
CERTIFICATE |
PEM-formatted certificate chain (required) |
ADD_ROOT_CERTIFICATE |
Enable to add root certificate to the certificate chain (defaults to true) |
DID_ISSUER_HOSTNAME |
By default, the hostname of the issuer and verification method is inferred from the request. This configuration allows to pin it to a specific hostname. |
DID_SUBJECT_HOSTNAME |
By default, the hostname of the did subject of stored documents is inferred from the request. This configuration allows to pin it to a specific hostname. |
DEFAULT_SIGNATURE_FLAVOUR |
The specification is not explicit about how the signature payload is assembled. As a consequence, services related to "Gaia-X" have implemented a suite that differs from other implementations. This setting configures which "flavour" to use. Possible values are "Specification" to match the provided test vectors and "Gaia-X". The default of the HTTP API is "Gaia-X", to not introduce a breaking change in this realm. The setting can be overridden per request by setting the X-Signature-Flavour header. |
PORT |
Port to expose the service (defaults to 3000) |
STORAGE_PATH |
Port to expose the service (defaults to ./did-documents) |
| Endpoint | did:web | Description |
|---|---|---|
GET https://<domain>/.well-known/did.json |
did:web:<domain> |
Returns the verification method |
POST https://<domain>/<did-path>/did.json |
did:web:<domain>:<did-path> |
Signs stores and returns the request body. |
GET https://<domain>/<did-path>/did.json |
did:web:<domain>:<did-path> |
Returns a previously stored document. |
If you use Docker, there is a prebuilt image available, which is kept up to date with this repository: fabisch/did-document-solution:latest
If you are looking to deploy this on Kubernetes, where you already have your TLS certificate stored in a secret, you may find this gist useful.