version 0.12



Create a trust between users and nodes.

Users and nodes can authorize other identities to take specific actions on their behalf. This is done by publishing a resource that references the identity and lists the actions that identity can take.


Trusts are resources created by identities, and list the actions authorized by the trust.

The trust resource must be signed by the user key, or by any node previously authorized by the user to create new trusts.

Trust Action

The following trust actions may be given to any trust:


When a node requests a resource published by another user, that resource should only be given if the node or user has been given the read_resource authorization by the user.


When verifying published resources claiming to originate from another user, only those resources signed by keys authorized with publish_resource should be accepted as valid.

The publish_resource authorization does not include authorization to create or revoke trusts. See later in this document for those additional authorization types.

E.g. if user A authorizes node B with publish_resource, a user information resource signed by node B should be considered equivalent in authority to those signed directly by user A.


When sending encrypted data to another user, the encryption key should be encrypted to all public keys which have been given the read_encrypted authorization by the recipient user.

E.g., if user A gives node B and C the read_encrypted authorization, sending an encrypted message to user A would involve encrypting that message to all three public keys.


The create_trust authorization allows the trusted key to create additional trusts on behalf of the one signing the trust.

For a trust resource to be valid, the key signing the trust must either be a user identity key, or a node key given the create_trust authorization.


By default a node can revoke resources it publishes. This additional authorization allows the trusted key to revoke resources published by the one signing the trust.


This object holds the information used to create a trust, and to authorize the trustee to take specific actions on behalf of the one signing the trust.

This object contains the following properties:

trust (object)

Holds the properties used to create the trust.

This contains the following reserved properties:

trust.trustee (string, required)

The key fingerprint of the user or node being given the trust.

trust.authorization (array of strings, required)

Lists the authorizations given to the trust. Must have at least one entry.

Each entry of this array must be one of the supported trust authorizations:

trust.expires (string, optional)

After this timestamp, the trust must not be considered valid. The timestamp must be in UTC, formatted using ISO 8601, with granularity to the millisecond. E.g., 2015-07-26T15:48:37.703Z.

An application should treat this trust as revoked after the date specified.


{
  "$schema": "",
  "type": "object",
  "properties": {
    "create_trust": {
      "type": "object",
      "properties": {
        "trustee": {
          "type": "string"
        },
        "authorization": {
          "type": "array",
          "items": {
            "enum": [
            ]
          }
        },
        "expires": {
          "type": "string",
          "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$"
        }
      },
      "required": [ "trustee", "authorization" ]
    }
  },
  "required": [ "create_trust" ]
}
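
The validity rules above (a trust counts only if signed by the user key or by a key holding create_trust, and only until its expires timestamp) can be checked as in the following added example, which is not part of this specification or of any reference implementation. It assumes signatures have already been verified and that each trust carries a hypothetical `signer` field holding the signing key's fingerprint; all keys and trusts shown are constructed sample data.

```python
import re
from datetime import datetime, timezone

TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$", re.ASCII)

def is_live(trust, now):
    """No expires: never lapses. Malformed expires: fail closed."""
    exp = trust.get("expires")
    if exp is None:
        return True
    if not isinstance(exp, str) or not TS.fullmatch(exp):
        return False
    try:
        when = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:  # e.g. month 13 passes the regex but is not a date
        return False
    return now <= when.replace(tzinfo=timezone.utc)

def may_sign_trusts(key, user_key, trusts, now, seen=frozenset()):
    """True if key is the user key or holds create_trust through a valid chain."""
    if key == user_key:
        return True
    if key in seen:  # circular delegation never reaches the user key
        return False
    return is_authorized(key, "create_trust", user_key, trusts, now, seen | {key})

def is_authorized(key, action, user_key, trusts, now, seen=frozenset()):
    """True if a live trust grants key the action and its signer may create trusts."""
    return any(
        t["trustee"] == key and action in t["authorization"] and is_live(t, now)
        and may_sign_trusts(t["signer"], user_key, trusts, now, seen)
        for t in trusts)

# Constructed sample data; "signer" is an assumed field (verified signing key).
USER = "user-A"
TRUSTS = [
    {"trustee": "node-B", "authorization": ["publish_resource", "create_trust"], "signer": USER},
    {"trustee": "node-C", "authorization": ["read_resource"], "signer": "node-B"},
    {"trustee": "node-D", "authorization": ["publish_resource"], "signer": USER,
     "expires": "2015-07-26T15:48:37.703Z"},
    {"trustee": "node-E", "authorization": ["read_resource"], "signer": "node-D"},
    {"trustee": "node-X", "authorization": ["create_trust"], "signer": "node-Y"},
    {"trustee": "node-Y", "authorization": ["create_trust"], "signer": "node-X"},
]
```

Here node-C is accepted because node-B holds create_trust, node-E is rejected because node-D holds only publish_resource, and the node-X/node-Y pair is rejected because their chain never reaches the user key.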