Most requests and responses are performed privately off-chain between the different parties to a flow.
Most off-chain messages consist of signed JWTs (JSON Web Tokens) as defined in RFC 7519.
We currently only support ECDSA signatures over the secp256k1 curve, which is also used by both Bitcoin and Ethereum.
The JOSE header indicates the signing algorithm used in the JWT. This MUST contain the following:
{"typ": "JWT", "alg": "ES256K"}
The JWT spec calls these claims, but we use the term "claims" for identity-specific data. So in this document we will call these standard JWT "claims" "attributes" instead.
Name | Description | Required |
---|---|---|
iss | The MNID of the signing identity | yes |
sub | The MNID of the subject of the JWT | no |
aud | The MNID or URL of the audience of the JWT. Our libraries or app will not accept any JWT that has someone else as the audience | no |
iat | The time of issuance | yes |
exp | Expiration time of JWT | no |
Non-standard attributes:
Name | Description | Required |
---|---|---|
callback | Callback URL for returning the response to a request | no |
type | Type of Message | no |
Each uPort-compatible JWT must be signed using the secp256k1 curve. The public key for the iss is resolved using the uPort PKI.
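The recipient-side checks implied by the header and attribute rules above, as an added example (not uPort library code). It assumes the issuer's public key has already been resolved through the uPort PKI, that the signature is the raw 64-byte R||S encoding used by JOSE, and that iat and exp are seconds since the epoch as in RFC 7519; the function names and identifiers are hypothetical placeholders.

```javascript
const crypto = require('crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
const P1363 = 'ieee-p1363'; // raw 64-byte R||S signature encoding (assumed)

// Builds a signed token for the demo below (constructed data only).
function signJwt(header, payload, privateKey) {
  const input = `${enc(header)}.${enc(payload)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: P1363 });
  return `${input}.${sig.toString('base64url')}`;
}

// Returns the payload when every check passes; throws otherwise.
// issuerKey: public key already resolved for iss (resolution not shown).
// self: the MNIDs or URLs this recipient answers to.
function verifyJwt(jwt, issuerKey, self, now = Math.floor(Date.now() / 1000)) {
  const [h, p, s, ...rest] = jwt.split('.');
  if (!h || !p || !s || rest.length) throw new Error('malformed JWT');
  const header = dec(h);
  // Pin the algorithm so the token cannot select "none" or another scheme.
  if (header.typ !== 'JWT' || header.alg !== 'ES256K') throw new Error('unsupported header');
  const sig = Buffer.from(s, 'base64url');
  const valid = sig.length === 64 &&
    crypto.verify('sha256', Buffer.from(`${h}.${p}`), { key: issuerKey, dsaEncoding: P1363 }, sig);
  if (!valid) throw new Error('bad signature');
  // Attributes are only trusted once the signature has verified.
  const payload = dec(p);
  if (typeof payload.iss !== 'string' || typeof payload.iat !== 'number') throw new Error('missing iss or iat');
  if (payload.aud !== undefined && !self.includes(payload.aud)) throw new Error('wrong audience');
  if (payload.exp !== undefined && payload.exp <= now) throw new Error('expired');
  return payload;
}

// Constructed demo: placeholder identifiers and a throwaway key pair.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
  const hdr = { typ: 'JWT', alg: 'ES256K' };
  const base = { iss: 'MNID-ISSUER-PLACEHOLDER', iat: 1700000000 };
  const me = ['MNID-RECIPIENT-PLACEHOLDER'];
  const outcome = (jwt) => { try { verifyJwt(jwt, publicKey, me, 1700000100); return 'ok'; } catch (e) { return e.message; } };
  return {
    good: outcome(signJwt(hdr, { ...base, aud: me[0], exp: 1700000600 }, privateKey)),
    otherAud: outcome(signJwt(hdr, { ...base, aud: 'MNID-SOMEONE-ELSE' }, privateKey)),
    expired: outcome(signJwt(hdr, { ...base, exp: 1700000050 }, privateKey)),
    noneAlg: outcome(`${enc({ typ: 'JWT', alg: 'none' })}.${enc(base)}.AA`),
  };
}
```

The caller must still confirm that the key passed as issuerKey is the one the uPort PKI returns for the token's iss; that lookup is outside this sketch.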
Many apps that run 100% in the browser do not have a secure way of signing a request. Therefore we provide unsigned versions of certain requests.
There are certain standardized parameters that are provided using HTTP query params in the request. Some of these are based on parameters in the OAuth 2.0 RFC 6749 Spec:
Name | Description | Required |
---|---|---|
client_id | The MNID of the requesting identity | no |
callback_url | The URL that receives the response | no |
callback_type | Valid values: post or redirect. Determines whether the callback should be sent as an HTTP POST or open the link (redirect). If unspecified, the mobile app will attempt to pick the correct one | no |
label | Plain text name of client to be displayed to user | no |
There are several standard message types that the uPort mobile app knows how to handle or create:
- Selective Disclosure Request for asking private data from a user
- Selective Disclosure Response signed by the app as a response to a Selective Disclosure Request
- Verification signed claim by one party about another party
- Private Chain Provisioning Message for provisioning an identity on a private Ethereum chain