Client-side did:key generation.
Replaces the server-side POST /auth/credentials endpoint for flows where
an operator or consumer wants an admin identity bound to a context. The
private key never crosses the wire:
- Caller mints a random 32-byte Ed25519 seed locally.
- Derives did:key:... from the public half.
- Sends POST /acl with the public DID + desired role/contexts.
- Keeps the private half in the returned CredentialBundle — either to use locally or to seal via sealed_producer for transport.
The VTA never sees the private key. Contrast with the pre-5c6 flow where
POST /auth/credentials generated the key server-side and returned it in
a base64 JSON field — a private key in flight over plaintext JSON.
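The "derives did:key from the public half" step, as an added example that is not this crate's own code: it encodes a 32-byte Ed25519 public key as a did:key using the multicodec ed25519-pub prefix and base58btc. The function names and the sample key bytes are assumptions constructed here; minting the seed and deriving the public key are left to an Ed25519 library.

```rust
const ALPHABET: &[u8; 58] = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

/// Base58btc-encode `input`: big-endian base conversion, each leading zero byte becomes '1'.
fn base58btc(input: &[u8]) -> String {
    let zeros = input.iter().take_while(|&&b| b == 0).count();
    // Little-endian base-58 digits of the big integer that `input` represents.
    let mut digits: Vec<u8> = Vec::new();
    for &byte in &input[zeros..] {
        let mut carry = byte as u32;
        for d in digits.iter_mut() {
            carry += (*d as u32) << 8;
            *d = (carry % 58) as u8;
            carry /= 58;
        }
        while carry > 0 {
            digits.push((carry % 58) as u8);
            carry /= 58;
        }
    }
    let mut out = "1".repeat(zeros);
    out.extend(digits.iter().rev().map(|&d| ALPHABET[d as usize] as char));
    out
}

/// Build a did:key from the 32-byte Ed25519 *public* key only (hypothetical helper name).
fn did_key_from_ed25519_public(public_key: &[u8; 32]) -> String {
    // Multicodec ed25519-pub (0xed) as an unsigned varint is the two bytes 0xed 0x01.
    let mut buf = Vec::with_capacity(34);
    buf.extend_from_slice(&[0xed, 0x01]);
    buf.extend_from_slice(public_key);
    // 'z' is the multibase prefix for base58btc.
    format!("did:key:z{}", base58btc(&buf))
}

fn main() {
    // Constructed placeholder bytes, not a real key. In the flow above this is the
    // public half derived locally from the random seed; the seed is never encoded or sent.
    let public_key = [0x42u8; 32];
    println!("{}", did_key_from_ed25519_public(&public_key));
}
```

Only the resulting DID string is what a caller would put in the POST /acl request; every Ed25519 did:key starts with `z6Mk`, which makes a quick sanity check on the value before it is sent.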
Functions
- generate_admin_did_key - Generate a fresh Ed25519 keypair, derive a did:key, and package the result as a CredentialBundle bound to the given VTA DID/URL.
- generate_unbound_admin_did_key - Mint a fresh Ed25519 did:key with no VTA binding.