did-web in minutes
Introduction
Using DIDKit CLI to generate a did-web is a fairly simple process, although it might not be intuitive for some just from reading the DIDKit-CLI documentation and the did-web specification. For that reason, we've created this page to walk you through the steps.
Picking a DID
Did-web identifiers can denote a complete web domain or subdomain (spruceid.com
or demo.spruceid.com
), OR a subdirectory of the web-space at a domain (demo.spruceid.com/path/to
). In either case, the represented site is referred to below as the hosting site
.
Note: as per the DID specification, pathnames must be entirely lowercase, regardless of the case-sensitivity of the web server in question. Similarly, in the case of identifiers that include a path, :
s should be used instead of /
s to conform to DID syntax, i.e. https://demo.spruceid.com/path/to
would host the DID document for the DID did:web:demo.spruceid.com:path:to
.
Setup
Install DIDKit-CLI and any dependencies.
We recommend installing didkit-cli on the same server or virtual machine that will run the issuance service and/or website that will issue verifiable credentials signed by your
did:web
. This allows you to generate a JWK in situ in step 2 that will later by accessed locally by the instance of DIDKit that will sign VCs.
Generate a fresh Ed25519 key and save it locally as a JWK with the command:
In this tutorial we assume a unique, fresh key but omit any backup or storage considerations. While re-using existing keys entails risks, so does storing a private key only on a mutable server; if a key is lost, no new credentials can be signed (i.e. issued), and updating the public key published on step5 will invalidate any credentials signed with the lost private key.
You should see a DID that looks like this did:key:z6MkwJBFYK8vTVGeiMsLzcqbSRXW4aTg4PozGbekWtQNUnnW
and the contents of the file issuer_key_did_doc.json
should look like this:
4. In the text editor of your choice, open the DID document file above. Either manually in the editor or with CLI commands, you'll want to make the following changes to the file:
You'll want to change every instance of
did:key:z6Mkw...
todid:web:{hosting site}
where{hosting site}
is the full domain (with or without path) you picked above, without thehttps://
prefix. I.e.,sed -i -e "s/did:key:z6MkwJBFYK8vTVGeiMsLzcqbSRXW4aTg4PozGbekWtQNUnnW/did:web:{hosting site}/g" <my_file>.jsonCopy
2. Note that in the property verificationMethod.id
, there is a query parameter #z6Mkw...
defining the default (and only) "verification method" of the DID by that name. You'll want to replace this with #{mainKeyName}
(the conventional default is #key1
or #owner
).
3. By default, a did-web should have at least two verificationMethod
s: authentication
and assertionMethod
. If you'd like these both to be aliases for the key generated above, simply change the two verificationMethod-qualified DIDs from the respective sections as the bottom to the one created in the previous step. The changes in 2 & 3 can be executed with a single command:sed -i -e "s/#z6MkwJBFYK8vTVGeiMsLzcqbSRXW4aTg4PozGbekWtQNUnnW/#{mainKeyName}/g" <my_file>.jsonCopy
Adding any other properties to the DID document is discouraged, but adding unregistered properties and/or using keytypes other than Ed25519 may require inserting entries to an inline @Context definition. See the did-web specification for an example and the JSON-LD spec for more explanation.
4. Save this edited DID document and publish it as /.well-known/did.json
on the hosting site's web server. You may need to configure the server to host the file as content-type/json
.
Testing
From a CLI installed on any web-connected computer, you can call
and get back the same DID document you published in step 5.
For example, didkit did-resolve did:web:demo.spruceid.com
returns:
If instead of your DID document you get a 404 error, you may want to double-check your work in step 5 above by typing https://{hosting site}/.well-known/did.json
into a web-browser (example).
Last updated