Version: v0.25.0 (Latest)

Signing Keys and the did:web Identifier

The tenant needs an ES256 key pair for signing credentials (the assertionMethod key) and one for authentication, anchored in a did:web identifier that external parties can resolve. Key operations live on the KMS service (KMS API reference); DID operations on the DID service (DID API reference).

Generate the keys

Keys are generated inside the KMS and never leave it. The ECDSA_SHA256 key type produces a P-256 key, which corresponds to the ES256 JOSE algorithm:

01 Generate assertion key

Endpoint: POST /api/kms/v1/keys

Captured response: 201 Created

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

02 Generate authentication key

Endpoint: POST /api/kms/v1/keys

Captured response: 201 Created

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

Create the did:web identifier

did:web identifiers are not derived from key material: the domain is the identifier. The domain must be the public host that serves the DID document, because resolvers turn did:web:example.com into https://example.com/.well-known/did.json:

03 Create did-web identifier

Endpoint: POST /api/did/v1/identifiers

Captured response: 201 Created

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

The authentication key from keyInfo becomes the first verification method. Add the assertion key with the assertionMethod relationship; this is the key that signs issued credentials:

04 Add assertion verification method

Endpoint: POST /api/did/v1/identifiers/did%3Aweb%3Alocalhost%253A18082/verification-methods

Captured response: 201 Created

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

Resolve and host

The management API returns the full record:

05 Resolve DID

Endpoint: GET /api/did/v1/identifiers/did%3Aweb%3Alocalhost%253A18082

Captured response: 200 OK

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

The public hosting surface serves the DID document at the standard well-known location, unauthenticated and cacheable. This is the URL external resolvers use (DID Hosting API reference):

06 Fetch hosted did.json

Endpoint: GET /.well-known/did.json

Captured response: 200 OK

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.
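An added example (not EDK code) that applies the resolution rule above to the captured identifier: it maps a did:web identifier to the URL a resolver fetches, shows why the management-API path carries the double-encoded did%3Aweb%3Alocalhost%253A18082, and picks the assertionMethod key(s) out of a DID document. The DID document is constructed, its key coordinates are placeholders, and the fragment names auth-1 and assert-1 are assumptions.

```python
from urllib.parse import quote, unquote

def did_web_to_url(did: str) -> str:
    """did:web identifier -> HTTPS URL of its DID document (did:web method spec).
    Colons after the domain are path separators; a port is percent-encoded as %3A."""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError(f"not a did:web identifier: {did}")
    parts = did[len(prefix):].split(":")
    if not parts[0]:
        raise ValueError("did:web identifier has no domain")
    host = unquote(parts[0])  # localhost%3A18082 -> localhost:18082
    path = [unquote(p) for p in parts[1:]]
    if path:
        return f"https://{host}/{'/'.join(path)}/did.json"
    return f"https://{host}/.well-known/did.json"

def management_api_path(did: str) -> str:
    """Path of the DID record on the DID service. The whole DID is encoded once
    more, so the port's %3A becomes %253A, as in the captured endpoints above."""
    return "/api/did/v1/identifiers/" + quote(did, safe="")

def assertion_keys(doc: dict) -> list:
    """Verification methods a verifier may use for credential signatures.
    assertionMethod entries are references (strings) or embedded methods."""
    by_id = {vm["id"]: vm for vm in doc.get("verificationMethod", [])}
    keys = []
    for entry in doc.get("assertionMethod", []):
        vm = by_id.get(entry) if isinstance(entry, str) else entry
        if vm is None:
            raise ValueError(f"assertionMethod references unknown method {entry}")
        keys.append(vm)
    return keys

# Constructed DID document shaped like the one for the captured tenant; the key
# coordinates are placeholders, not the real hosted values.
DID = "did:web:localhost%3A18082"
SAMPLE_DOC = {
    "id": DID,
    "verificationMethod": [
        {"id": f"{DID}#auth-1", "type": "JsonWebKey2020", "controller": DID,
         "publicKeyJwk": {"kty": "EC", "crv": "P-256", "x": "<x>", "y": "<y>"}},
        {"id": f"{DID}#assert-1", "type": "JsonWebKey2020", "controller": DID,
         "publicKeyJwk": {"kty": "EC", "crv": "P-256", "x": "<x>", "y": "<y>"}},
    ],
    "authentication": [f"{DID}#auth-1"],
    "assertionMethod": [f"{DID}#assert-1"],
}
```

A verifier that fetches the hosted did.json and calls assertion_keys on it gets exactly the P-256 key(s) allowed to sign credentials; the authentication key is deliberately not in that list.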

Next, bind the issuing identity to this DID.