did-web in minutes
Last updated
Was this helpful?
Last updated
Was this helpful?
Using DIDKit CLI to generate a did-web is a fairly simple process, although it might not be intuitive for some just from reading the and the did-web specification. For that reason, we've created this page to walk you through the steps.
Did-web identifiers can denote a complete web domain or subdomain (spruceid.com or demo.spruceid.com), OR a subdirectory of the web-space at a domain (demo.spruceid.com/path/to). In either case, the represented site is referred to below as the hosting site.
Note: as per the DID specification, pathnames must be entirely lowercase, regardless of the case-sensitivity of the web server in question. Similarly, in the case of identifiers that include a path, :s should be used instead of /s to conform to DID syntax, i.e. https://demo.spruceid.com/path/to would host the DID document for the DID did:web:demo.spruceid.com:path:to.
and any dependencies.
We recommend installing didkit-cli on the same server or virtual machine that will run the issuance service and/or website that will issue verifiable credentials signed by your did:web. This allows you to generate a JWK in situ in step 2 that will later by accessed locally by the instance of DIDKit that will sign VCs.
Generate a fresh Ed25519 key and save it locally as a JWK with the command:
You should see a DID that looks like this did:key:z6MkwJBFYK8vTVGeiMsLzcqbSRXW4aTg4PozGbekWtQNUnnW and the contents of the file issuer_key_did_doc.json should look like this:
4. In the text editor of your choice, open the DID document file above. Either manually in the editor or with CLI commands, you'll want to make the following changes to the file:
You'll want to change every instance of did:key:z6Mkw... to did:web:{hosting site} where {hosting site} is the full domain (with or without path) you picked above, without the https:// prefix. I.e.,sed -i -e "s/did:key:z6MkwJBFYK8vTVGeiMsLzcqbSRXW4aTg4PozGbekWtQNUnnW/did:web:{hosting site}/g" <my_file>.jsonCopy
2. Note that in the property verificationMethod.id, there is a query parameter #z6Mkw... defining the default (and only) "verification method" of the DID by that name. You'll want to replace this with #{mainKeyName} (the conventional default is #key1 or #owner).
3. By default, a did-web should have at least two verificationMethods: authentication and assertionMethod. If you'd like these both to be aliases for the key generated above, simply change the two verificationMethod-qualified DIDs from the respective sections as the bottom to the one created in the previous step. The changes in 2 & 3 can be executed with a single command:sed -i -e "s/#z6MkwJBFYK8vTVGeiMsLzcqbSRXW4aTg4PozGbekWtQNUnnW/#{mainKeyName}/g" <my_file>.jsonCopy
4. Save this edited DID document and publish it as /.well-known/did.json on the hosting site's web server. You may need to configure the server to host the file as content-type/json.
From a CLI installed on any web-connected computer, you can call
and get back the same DID document you published in step 5.
For example, didkit did-resolve did:web:demo.spruceid.com returns:
Adding any other properties to the DID document is discouraged, but adding unregistered properties and/or using keytypes other than Ed25519 may require inserting entries to an inline @Context definition. See for an example and the for more explanation.
If instead of your DID document you get a 404 error, you may want to double-check your work in step 5 above by typing https://{hosting site}/.well-known/did.json into a web-browser ().