§ Verifiable Public Registry v4 Specification

Latest draft: spec v4-draft11

Latest stable: spec v3

Editors:

Fabrice Rochette (The Verana Foundation)

Contributors:

Ariel Gentile

Mathieu Gauthron

Pratik Kumar

Participate:

GitHub repo

File a bug

Commit history

§ Abstract

Decentralized trust ecosystems need shared infrastructure to answer a fundamental question: who is authorized to issue, verify, or govern credentials in a given context? Without a common registry layer, each ecosystem operates in isolation, trust decisions depend on ad hoc configurations, and there is no interoperable way for Verifiable Services and Verifiable User Agents to resolve the legitimacy of a credential or its issuer.

The Verifiable Public Registry (VPR) is a decentralized “registry of registries” that provides this foundational infrastructure. It allows ecosystems to create and manage their own trust registries, define credential schemas with fine-grained permission policies, and assign roles — issuers, verifiers, grantors — through a transparent, on-chain governance model.

The VPR exposes a standardized query API that Verifiable Services and Verifiable User Agents use during trust resolution to confirm, in real time, whether a given participant is authorized to perform a specific action under a specific credential schema. This is what makes the trust in Verifiable Trust actually verifiable.

The VPR is DID-method-agnostic — it stores registrations, not validations — leaving trust decisions and cryptographic verification where they belong: with the relying parties. It supports flexible permission management modes (open, ecosystem-controlled, or grantor-delegated), enabling ecosystems to tailor governance to their specific requirements.

This specification defines the data model, API, and normative requirements for implementing and interacting with a Verifiable Public Registry.

§ About this Document

In order to fully understand the concepts developed in this document, you should have some basic knowledge of DID, DIDComm, VS, trust registry, ledger-based applications, and more generally, all terms present in the Terminology section.

NOTE

Before exploring this spec, it is highly recommended to first read the Verifiable Trust Spec.

§ Introduction

§ What is a Trust Registry?

This section is non-normative.

A trust registry is an approved list of recognized ecosystem participants, such as trust registry operators, credential issuers and verifiers that are authorized to onboard ecosystem participants, and or issue/verify certain credentials in an ecosystem.

A trust registry typically expose APIs that are consumed by services that would like to query its database, and take decisions based on the returned result:

§ What is a Verifiable Public Registry?

This section is non-normative.

A Verifiable Public Registry (VPR) is a “registry of registries”, a public service that provides foundational infrastructure for decentralized trust ecosystems. It offers:

uml diagram

Permission directory is intended to be crawled by indexers, which resolve the listed DIDs, identify associated verifiable services, and index them.

Indexers may expose this data through APIs for querying the indexed services or use it to build a search engine for querying the database of indexed verifiable services.

§ Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative. The key words MAY, MUST, MUST NOT, OPTIONAL, RECOMMENDED, REQUIRED, SHOULD, and SHOULD NOT in this document are to be interpreted as described in BCP 14 RFC2119 RFC8174 when, and only when, they appear in all capitals, as shown here.

§ Terminology

account:
A verifiable public registry account.
applicant:
A account that starts a validation process.
authority:
An group which is the owner of a specific resource in an VPR.
credential schema:
An VPR resource which represents a verifiable credential definition and the associated permissions and business rules for issuing, verifying or holding a credential linked to this credential schema.
credential schema permission:
A permission, linked to a credential schema, that represent, in a given ecosystem, a grant for being issuer, verifier, issuer grantor, or verifier grantor of a credential schema.
decentralized identifier:
A decentralized identifier, as specified in [DID-CORE].
decentralized identifier communication:
DIDComm uses DIDs to establish confidential, ongoing connections.
denom:
Token that has been configured and is recognized in a VPR, example: uvna, USDC.
native denom:
Native token of a VPR, example: uvna.

ecosystem: a network of interacting entities, both technical and human, that work together to establish and maintain digital trust. It encompasses applications, credentials, governance frameworks, and the underlying technical infrastructure, all designed to facilitate trustworthy interactions.

ecosystem governance framework:
The governance framework (GF) of an ecosystem].
ecosystem governance authority:
The governance authority (GA) of an ecosystem.
entity:
An account controller.
estimated transaction fees:
Estimated fees required, in denom, that is passed when execute a transaction in an VPR. Usually, a estimated transaction fees are always slightly greater than transaction fees, to make sure the execution of the transaction will not be aborted for an out-of-gas situation. Unused gas is refunded to account.
governance framework:
The governance framework (GF) of a VPR.
governance authority:
The governance authority (GA) of a VPR.
grantor:
A role an entity is granted by an ecosystem for operating its trust registry.
group:
A verifiable public registry group.
holder:
A role an entity might perform by possessing one or more verifiable credentials and generating verifiable presentations from them. A holder is often, but not always, a subject of the verifiable credentials they are holding. Holders store their credentials in credential repositories. Example holders include organizations, persons, things.
issuer:
A role an entity is granted by an ecosystem or an issuer grantor for issuing credentials of a given credential schema to holders.
issuer grantor:
A trust registry operator role an entity is granted by an ecosystem for a given credential schema for adding or revoking issuers.
json schema
a Json Schema, as specified in https://json-schema.org/specification.
keeper:
A storage map(key, value) in the ledger of an VPR.
linked-vp:
A presentation of a verifiable credential as specified in LINKED-VP.
participant:
An entity that is recognized by one or several ecosystem(s) in a VPR.
query:
A read-only action that perform some reading in an VPR and returns value.
subject:
A thing about which claims are made. Example subjects include human beings, animals, things, and organization, a DID
transaction:
An action that modifies the ledger of an VPR and which execution requires transaction fees.
transaction fees:
Fees required, in denom, to execute a transaction in an VPR.
trust deposit:
A financial deposit that is used as a trust guarantee. For a given authority, its trust deposit is increased when running validation process (either as an applicant or as a validator).
trust fee:
Fees paid by a participant that are distributed to other participants.
network fee:
Fees paid by a participant that are distributed to network validators and trust deposit holders.
trust unit:
A fake denom that is not usable as a token (cannot be transferred, or used for paying in transactions). Trust unit is used to define fees in Permissions. Fees defined in trust units are automatically converted to native denom when a transaction is executed, using an exchange rate TU/[[ref: native denom]]. Trust unit is used to compensate native denom fluctuation.
trust registry
An approved list of issuers and verifiers that are authorized to issue/verify certain credentials in an ecosystem.
URI
An Universal Resource Identifier, as specified in rfc3986.
active permission:
A credential schema permission of a given type, which effective_from timestamp is lower than current timestamp, and (effective_until timestamp is null or greater than current timestamp), and revoked is null and slashed is null.
future permission:
A credential schema permission of a given type, which effective_from timestamp is higher than current timestamp, and (effective_until timestamp is null or greater than effective_from timestamp), and revoked is null and slashed is null.
validation process:
A process run by applicants that want to, for a specific credential schema, be a issuer, be a verifier, or simply hold a verifiable credential linked to the credential schema.
validator:
A role an entity performs by participating in validation processes with applicants in order to register them as issuer, or verifier of a credential schema, or to deliver a verifiable credential to them.
verifiable public registry:
a public, normally decentralized, ledger-based network, which provides: trust registry features, that can be used by all its participants: create trust registries, for each trust registry, define its credential schemas, who can issue, verify credential of a specific credential schema,… and a tokenized business model for charging/rewarding participants.
verifiable service:
A service, identified by a resolvable DID that can be deployed anywhere by its owner, and that is conforming to this spec and has a resolvable Proof-of-Trust. See VT Spec.
verifiable user agent:
A user agent for accessing and using VSs. To be considered a VUA, a user agent must conform and enforce this spec, such as presenting a proof of trust to end user before accepting connecting to VS compliant services, and refuse connecting to not compliant services. See VT Spec.
Verifiable Trust Specification:
see VT Spec.
verifier:
A role an entity is granted by an ecosystem or a verifier grantor for verifying credentials of a given credential schema.
verifier grantor:
A trust registry operator role an entity is granted by an ecosystem for a given credential schema for adding or revoking verifiers.
verifiable credential:
A verifiable credential as defined in [VC-DATA-MODEL].

§ Naming Conventions

§ In this spec

§ In Implementations

§ Features of a Verifiable Public Registry (VPR)

§ Trust Registry Management

This section is non-normative.

In an VPR, any authority can create a TrustRegistry entry that represents a trust registry of an ecosystem. Each TrustRegistry entry must provide, at a minimum:

The Verifiable Public Registry (VPR) is agnostic to the specific DID methods used. Trust resolution is performed externally, outside the VPR, allowing flexibility and interoperability across ecosystems.

uml diagram

§ Credential Schemas and Permissions

This section is non-normative.

Credential schemas are created and managed by trust registry authority (ecosystems). Each Credential schema includes, at a minimum:

uml diagram

Participant roles are defined in the table below:

Participant Role Description
Ecosystem Create and control trust registries and credential Schemas. Recognize other participants by granting permission(s) to them.
Issuer Grantor Trust Registry operator that grants Issuer permissions to candidate issuers.
Verifier Grantor Trust Registry operator that grants Verifier permissions to candidate verifiers.
Issuer Can issue credentials of this schema.
Verifier Can request presentation of credentials of this schema.
Holder Holds a credential.

Example of a Json Schema credential schema:

{
  "$id": "vpr:verana:mainnet/cs/v1/js/VPR_CREDENTIAL_SCHEMA_ID", // ignored, will be generated
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "ExampleCredential",
  "description": "ExampleCredential using JsonSchema",
  "type": "object",
  "properties": {
    "credentialSubject": {
      "type": "object",
      "properties": {
        "id": {
          "type": "string",
          "format": "uri"
        },
        "firstName": {
          "type": "string",
          "minLength": 0,
          "maxLength": 256
        },
        "lastName": {
          "type": "string",
          "minLength": 1,
          "maxLength": 256
        },
        "expirationDate": {
          "type": "string",
          "format": "date"
        },
        "countryOfResidence": {
          "type": "string",
          "minLength": 2,
          "maxLength": 2
        }
      },
      "required": [
        "id",
        "lastName",
        "birthDate",
        "expirationDate",
        "countryOfResidence"
      ]
    }
  }
}

To participate in an ecosystem and assume a role associated with a specific credential schema:

The validation process involves two parties:

Running a validation process typically involves the payment of trust fees. Trust fee amount to be paid by the applicant is defined in the permission of the validator involved in the validation process:

uml diagram

§ DID Indexing

This section is non-normative.

The Permission registry is a can be used by crawlers to index the metadata associated with verifiable services.

Search engines can iterate over the permissions, and index VSs by resolving the service identifier (at the moment a DID, that could be extended in the future), verify if service is a verifiable service, and in such a case extracting their verifiable metadata, such as linked-vp presented credentials.

The index is particularly important for verifiable user agents, such as social browsers, CDN enabled browsers… However, it can also be leveraged by traditional, form-based search engines, which may return simple links for accessing VSs.

uml diagram

§ Business models

§ Trust Deposit

This section is non-normative.

In a VPR, each account is associated with a trust deposit.

This trust deposit is automatically funded through transactions involving trust operations, such as:

The trust deposit is fundamental to the “Proof-of-Trust” (PoT) mechanism of the Verifiable Trust Specification, and it operates as follows:

This system ensures that participation in the trust ecosystem is backed by economic accountability, reinforcing the integrity, governability and verifiability of the VPR.

§ Object creation

This section is non-normative.

The following operations only require payment of network fees (no trust deposit is involved):

§ Validation process trust fees

This section is non-normative.

We’ve explained in the Credential Schemas and Permissions section above what is a validation process.

The table below summarizes the possible combinations of applicants and validators:

Payee → Payer ↓ Ecosystem Issuer Grantor Verifier Grantor Issuer Verifier Holder
Issuer Grantor renewable subscription (1)
Verifier Grantor renewable subscription (2)
Issuer renewable subscription (3) renewable subscription (1)
Verifier renewable subscription (4) renewable subscription (2)
Holder renewable subscription

Validation process is started by the applicant.

Example of a candidate issuer (applicant) that would like to be granted an ISSUER permission for a credential schema of an ecosystem, by a validator that has a ISSUER_GRANTOR permission:

uml diagram

The total fees paid by the applicant consists of:

Example, using 20% for trust_deposit_rate:

uml diagram

Upon completion of the validation process, escrowed trust fees are distributed to the validator as follows:

uml diagram

§ “Pay-Per” trust fees

This section is non-normative.

Pay-per-issuance and pay-per-verification trust fees are defined at the permission level for each role within the ecosystem.

uml diagram

Entities acting as issuers or verifiers for a given credential schema may be required to pay trust fees based on the schema’s configuration and permission tree.

If trust fee payment is required, the entity must execute a transaction in the VPR to pay the appropriate trust fees before issuing or verifying a credential.

Key Points for “Pay-Per” Business Models

Fee Distribution Model

Trust fees are consistently distributed across participants:

NOTE

Wallet User Agents and User Agents that implement the VT spec must verify that the ISSUER or VERIFIER has fulfilled the required trust fee payment.
If not, they must reject the issuance or verification request.

Note: The User Agent and Wallet User Agent may refer to the same implementation.

Distribution example for the issuance by ISSUER #C of a credential, using the permission tree above, 20% for trust_deposit_rate, 10% for wallet_user_agent_reward_rate and user_agent_reward_rate.

uml diagram

Distribution example for the verification by VERIFIER #E of a credential issued by ISSUER #C, using the permission tree above, 20% for trust_deposit_rate, 10% for wallet_user_agent_reward_rate and user_agent_reward_rate.

uml diagram

§ Governance of a VPR

This section is non-normative.

A governance framework must define the governance rules that apply to a VPR.

A designated governance authority is responsible for enforcing these rules and, when necessary, applying financial sanctions to participants who violate the rules.

NOTE

Ecosystem Governance Frameworks (EGFs) operate independently from the VPR governance framework.

While the VPR governance framework defines the global rules for operating the Verifiable Public Registry (e.g., trust deposits, fee distribution, slashing conditions), each ecosystem must define its own EGF to govern roles, permissions, credential policies, and compliance within its specific domain.

This separation ensures that ecosystems remain autonomous and can tailor governance to their unique needs, without being constrained by the global rules of the VPR.

§ Data model

For simplicity, the data model is presented using an object-relational structure. However, this representation may not be optimal for all implementation scenarios.

Implementors are responsible for adapting the data model to suit their chosen architecture.
For example, a key-value store may be more appropriate for a ledger-based implementation than a relational model.

uml diagram

§ TrustRegistry

TrustRegistry:

§ GovernanceFrameworkVersion

GovernanceFrameworkVersion:

§ GovernanceFrameworkDocument

GovernanceFrameworkDocument

§ CredentialSchema

CredentialSchema:

General Info:

§ SchemaAuthorizationPolicy

SchemaAuthorizationPolicy:

§ Permission

Permission:

§ PermissionSession

PermissionSession:

§ PermissionSessionRecord

PermissionSessionRecord:

§ TrustDeposit

TrustDeposit:

§ DenomAmount

§ Digest

§ OperatorAuthorization

§ FeeGrant

FeeGrant:

§ VSOperatorAuthorization

§ ExchangeRate

Represents an on-chain exchange rate between two assets.

ExchangeRate:

§ GlobalVariables

GlobalVariables:

Credential Schema:

Trust Deposit:

§ Module Requirements

All VPR modules MUST, at least, provide:

Note about Query REST API:

Examples:

Get a TrustRegistry

"trust_registry": {
  {
    "active_version": 0,
    "aka": "string",
    "authority": "string",
    "created": "2025-01-14T19:40:37.967Z",
    "deposit": "string",
    "did": "string",
    "id": "string",
    "language": "string",
    "modified": "2025-01-14T19:40:37.967Z",
    "versions": [
      {
        "active_since": "2025-01-14T19:40:37.967Z",
        "created": "2025-01-14T19:40:37.967Z",
        "id": "string",
        "tr_id": "string",
        "version": 0,
        "documents": [
          {
            "created": "2025-01-14T19:40:37.967Z",
            "gfv_id": "string",
            "digest_sri": "string",
            "id": "string",
            "language": "string",
            "url": "string"
          }
        ]
      }
    ]  
  }

"trustRegistries": [ {
  {
    "active_version": 0,
    "aka": "string",
    "authority": "string",
    "created": "2025-01-14T19:40:37.967Z",
    "deposit": "string",
    "did": "string",
    "id": "string",
    "language": "string",
    "modified": "2025-01-14T19:40:37.967Z",
    "versions": [
      {
        "active_since": "2025-01-14T19:40:37.967Z",
        "created": "2025-01-14T19:40:37.967Z",
        "id": "string",
        "tr_id": "string",
        "version": 0,
        "documents": [
          {
            "created": "2025-01-14T19:40:37.967Z",
            "gfv_id": "string",
            "digest_sri": "string",
            "id": "string",
            "language": "string",
            "url": "string"
          }
        ]
      }
    ]  
  }, {
    "active_version": 0,
    "aka": "string",
    "authority": "string",
    "created": "2025-01-14T19:40:37.967Z",
    "deposit": "string",
    "did": "string",
    "id": "string",
    "language": "string",
    "modified": "2025-01-14T19:40:37.967Z",
    "versions": [
      {
        "active_since": "2025-01-14T19:40:37.967Z",
        "created": "2025-01-14T19:40:37.967Z",
        "id": "string",
        "tr_id": "string",
        "version": 0,
        "documents": [
          {
            "created": "2025-01-14T19:40:37.967Z",
            "gfv_id": "string",
            "digest_sri": "string",
            "id": "string",
            "language": "string",
            "url": "string"
          }
        ],
      }
    ]  
  }
]
WARNING

For Msg methods, all precondition checks MUST be verified first for accepting the Msg, and MUST be verified again upon method execution

A VPR implementation MUST implement all the following requirements.

NOTE

The relative REST path is the path suffix. Implementer can set any prefix, like https://example/verana/tr/v1/get.

§ Authorization and Fee Grants

§ Delegable Module Messages

Most VPR module messages (Msg) support delegation and follow the pattern described below.

Delegable messages are defined as messages that can be executed by an operator account on behalf of an authority group, provided that the appropriate authorization has been granted.

Such messages conceptually involve two roles:

When a delegable message is executed directly by an operator account, both roles are authenticated and enforced by the authorization system.

Using this model makes it possible to:

For the execution of delegable messages:

An authority group is not required to delegate all message types to the same operator.
It is entirely up to the authority group to decide which accounts may execute which messages.

§ Not Delegable Module Messages

Some module messages specify only an authority:

Such messages cannot be delegated and MUST be executed exclusively through a group proposal.

§ Governance-Signed Module Messages

Some module messages can be executed only through a governance proposal.

These messages do not support delegation and are not executable by accounts, whether directly or via group authorization.

§ Fee Grants

An authority group MAY allow its operators to pay network transaction fees using the authority’s funds.

Fee grants are not created directly.
They are created, updated, and revoked exclusively by Authorization module messages.
When an authorization is created or updated, it MAY optionally include an associated fee grant.

§ [AUTHZ-CHECK] Common Authorization and Fee Grant Precondition Checks

For any delegable message executed by an operator on behalf of an authority, the following precondition checks MUST be performed before any method-specific checks. If any check fails, the transaction MUST abort.

§ [AUTHZ-CHECK-1] Operator Authorization checks
  1. An OperatorAuthorization oauthz MUST exist where oauthz.authority = authority, oauthz.operator = operator, and oauthz.msg_types includes the current message type.
  2. If oauthz.expiration is set, it MUST be in the future.
  3. If oauthz.spend_limit is set, the remaining balance MUST be sufficient for the operation. After successful execution, the consumed amount MUST be deducted from the remaining balance.
  4. If oauthz.period is set and the current period has elapsed since the last reset, the remaining balance MUST be reset to oauthz.spend_limit before evaluating the check above.
§ [AUTHZ-CHECK-2] Fee Grant checks

If the transaction fees are paid by the authority account (via fee grant) instead of the operator account:

  1. A FeeGrant fg MUST exist where fg.grantor = authority, fg.grantee = operator, and fg.msg_types includes the current message type.
  2. If fg.expiration is set, it MUST be in the future.
  3. If fg.spend_limit is set, the remaining balance MUST be sufficient for the estimated transaction fees. After successful execution, the consumed fee amount MUST be deducted from the remaining balance.
  4. If fg.period is set and the current period has elapsed since the last reset, the remaining balance MUST be reset to fg.spend_limit before evaluating the check above.
§ [AUTHZ-CHECK-3] VS Operator Authorization checks

For CreateOrUpdatePermissionSession, the authorization model differs from other delegable messages: it relies on VSOperatorAuthorization and per-permission settings instead of OperatorAuthorization.

Given an authority, an operator (the vs_operator), and a primary permission perm (determined by the calling method):

  1. A VSOperatorAuthorization vso MUST exist where vso.authority = authority and vso.vs_operator = operator.
  2. vso.permissions MUST include perm.id.
  3. perm.vs_operator_authz_enabled MUST be true.
  4. If perm.vs_operator_authz_spend_period is set and the current period has elapsed since the last reset, the remaining balances for perm.vs_operator_authz_spend_limit and perm.vs_operator_authz_fee_spend_limit MUST be reset to their original values before evaluating the checks below.
  5. If perm.vs_operator_authz_spend_limit is set, the remaining balance MUST be sufficient for the operation. After successful execution, the consumed amount MUST be deducted from the remaining balance.
§ [AUTHZ-CHECK-4] VS Operator Fee Grant checks

If the transaction fees are paid by the authority account (via fee grant) instead of the operator account, using the same primary permission perm:

  1. perm.vs_operator_authz_with_feegrant MUST be true, else abort.
  2. If perm.vs_operator_authz_spend_period is set and the current period has elapsed since the last reset, the remaining balance for perm.vs_operator_authz_fee_spend_limit MUST be reset to its original value before evaluating the check below.
  3. If perm.vs_operator_authz_fee_spend_limit is set, the remaining balance MUST be sufficient for the estimated transaction fees. After successful execution, the consumed fee amount MUST be deducted from the remaining balance.

§ Example

An authority group authorityABC wants to authorize an operator account accountABC to execute the
mod-perm-msg-10-create-or-update-permission-session message.

Additionally, the authority wants accountABC to pay the transaction fees for this message using the authority’s funds.

To achieve this, authorityABC MUST:

As a result, accountABC is authorized to:

§ Method List

Module Method Name Relative REST API path Type Requirements Signers
Trust Registry Create a Trust Registry N/A (Tx) Msg [MOD-TR-MSG-1] authority + operator
Add Governance Framework Document N/A (Tx) Msg [MOD-TR-MSG-2] authority + operator
Increase Active Governance Framework Version N/A (Tx) Msg [MOD-TR-MSG-3] authority + operator
Update Trust Registry N/A (Tx) Msg [MOD-TR-MSG-4] authority + operator
Archive Trust Registry N/A (Tx) Msg [MOD-TR-MSG-5] authority + operator
Update TR Module Parameters N/A (Tx) Msg [MOD-TR-MSG-6] governance proposal
Get Trust Registry /tr/v1/get Query [MOD-TR-QRY-1] N/A
List Trust Registries /tr/v1/list Query [MOD-TR-QRY-2] N/A
List TR Module Parameters /tr/v1/params Query [MOD-TR-QRY-3] N/A
Credential Schema Create a Credential Schema N/A (Tx) Msg [MOD-CS-MSG-1] authority + operator
Update a Credential Schema N/A (Tx) Msg [MOD-CS-MSG-2] authority + operator
Archive Credential Schema N/A (Tx) Msg [MOD-CS-MSG-3] authority + operator
Update CS Module Parameters N/A (Tx) Msg [MOD-CS-MSG-4] governance proposal
Create Schema Authorization Policy N/A (Tx) Msg [MOD-CS-MSG-5] authority + operator
Increase Active Schema Authorization Policy Version N/A (Tx) Msg [MOD-CS-MSG-6] authority + operator
Revoke Schema Authorization Policy N/A (Tx) Msg [MOD-CS-MSG-7] authority + operator
List Credential Schemas /cs/v1/list Query [MOD-CS-QRY-1] N/A
Get a Credential Schema /cs/v1/get Query [MOD-CS-QRY-2] N/A
Render Json Schema /cs/v1/js/ Query [MOD-CS-QRY-3] N/A
List CS Module Parameters /cs/v1/params Query [MOD-CS-QRY-4] N/A
Get Schema Authorization Policy /cs/v1/sap/get Query [MOD-CS-QRY-5] N/A
List Schema Authorization Policies /cs/v1/sap/list Query [MOD-CS-QRY-6] N/A
Permission Start Permission VP N/A (Tx) Msg [MOD-PERM-MSG-1] authority + operator
Renew a Permission VP N/A (Tx) Msg [MOD-PERM-MSG-2] authority + operator
Set Permission VP to Validated N/A (Tx) Msg [MOD-PERM-MSG-3] authority + operator
Cancel Permission VP Last Request N/A (Tx) Msg [MOD-PERM-MSG-6] authority + operator
Create Root Permission N/A (Tx) Msg [MOD-PERM-MSG-7] authority + operator
Adjust Permission N/A (Tx) Msg [MOD-PERM-MSG-8] authority + operator
Revoke Permission N/A (Tx) Msg [MOD-PERM-MSG-9] authority + operator
Create or update Permission Session N/A (Tx) Msg [MOD-PERM-MSG-10] authority + operator
Update Permission Module Parameters N/A (Tx) Msg [MOD-PERM-MSG-11] governance proposal
Slash Permission Trust Deposit N/A (Tx) Msg [MOD-PERM-MSG-12] authority + operator
Repay Permission Slashed Trust Deposit N/A (Tx) Msg [MOD-PERM-MSG-13] authority + operator
Self Create Permission (OPEN mode) N/A (Tx) Msg [MOD-PERM-MSG-14] authority + operator
List Permissions /perm/v1/list Query [MOD-PERM-QRY-1] N/A
Get a Permission /perm/v1/get Query [MOD-PERM-QRY-2] N/A
Find Beneficiaries /perm/v1/beneficiaries Query [MOD-PERM-QRY-4] N/A
Get Permission Session /perm/v1/session/get Query [MOD-PERM-QRY-5] N/A
List Permission Module Parameters /perm/v1/params Query [MOD-PERM-QRY-6] N/A
Trust Deposit Adjust Trust Deposit N/A (Tx) Msg [MOD-TD-MSG-1] module call
Reclaim Trust Deposit Yield N/A (Tx) Msg [MOD-TD-MSG-2] authority + operator
Update TD Module Parameters N/A (Tx) Msg [MOD-TD-MSG-4] governance proposal
Slash Trust Deposit N/A (Tx) Msg [MOD-TD-MSG-5] governance proposal
Repay Slashed Trust Deposit N/A (Tx) Msg [MOD-TD-MSG-6] authority + operator
Burn Ecosystem Slashed Trust Deposit N/A (Tx) Msg [MOD-TD-MSG-7] module call
Get Trust Deposit /td/v1/get Query [MOD-TD-QRY-1] N/A
List TD Module Parameters /td/v1/params Query [MOD-TD-QRY-2] N/A
Delegation Grant Fee Allowance N/A (Tx) Msg [MOD-DE-MSG-1] module call
Revoke Fee Allowance N/A (Tx) Msg [MOD-DE-MSG-2] module call
Grant Operator Authorization N/A (Tx) Msg [MOD-DE-MSG-3] authority (group proposal) OR authority + operator OR module call
Revoke Operator Authorization N/A (Tx) Msg [MOD-DE-MSG-4] authority (group proposal) OR authority + operator OR module call
Grant VS Operator Authorization N/A (Tx) Msg [MOD-DE-MSG-5] module call
Revoke VS Operator Authorization N/A (Tx) Msg [MOD-DE-MSG-6] module call
Grant Exchange Rate Authorization N/A (Tx) Msg [MOD-DE-MSG-7] governance proposal
Revoke Exchange Rate Authorization N/A (Tx) Msg [MOD-DE-MSG-8] governance proposal
List Operator Authorizations /de/v1/authz/list Query [MOD-DE-QRY-1] N/A
List VS Operator Authorizations /de/v1/vs-authz/list Query [MOD-DE-QRY-2] N/A
Digests Store Digest N/A (Tx) Msg [MOD-DI-MSG-1] authority + operator OR module call
Get Digest /di/v1/get Query [MOD-DI-QRY-1] N/A
Exchange Rate Create Exchange Rate Msg [MOD-XR-MSG-1] governance proposal
Update Exchange Rate Msg [MOD-XR-MSG-2] operator
Toggle Exchange Rate State Msg [MOD-XR-MSG-3] governance proposal
Get Exchange Rate /xr/v1/get Query [MOD-XR-QRY-1] N/A
List Exchange Rates /xr/v1/list Query [MOD-XR-QRY-2] N/A
Get Price /xr/v1/price Query [MOD-XR-QRY-3] N/A
NOTE

Any method failure in the precondition/basic checks SHOULD lead to a CLI ERROR / HTTP BAD REQUEST error with a human readable message giving a clue of the reason why method failed.

§ Trust Registry Module

§ [MOD-TR-MSG-1] Create New Trust Registry

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-TR-MSG-1-1] Create New Trust Registry parameters

An authorized operator that would like to create a trust registry MUST call this method by specifying:

Provided document must be of the same language that the primary language of the trust registry.

§ [MOD-TR-MSG-1-2] Create New Trust Registry precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-TR-MSG-1-2-1] Create New Trust Registry basic checks
NOTE

It is not a problem if several trust registries are created with the same ecosystem DID. Identifier of a TrustRegistry is its id, and the Verifiable Trust Spec includes the id of the TrustRegistry in the DID Document. DID unique constraint is then not needed: proof of control of the DID is verified by resolving the DID outside of the context of the VPR.

§ [MOD-TR-MSG-1-2-2] Create New Trust Registry fee checks

Fee payer MUST have an available balance to cover the estimated transaction fees.

§ [MOD-TR-MSG-1-3] Create New Trust Registry execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-TR-MSG-2] Add Governance Framework Document

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-TR-MSG-2-1] Add Governance Framework Document parameters

If for a given language, a document already exists, the execution of this transaction will replace the corresponding entry. Else, a new entry is created. It is only possible to edit future versions. Active version cannot be modified.

§ [MOD-TR-MSG-2-2] Add Governance Framework Document precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-TR-MSG-2-2-1] Add Governance Framework Document basic checks

if a mandatory parameter is not present, method MUST abort.

§ [MOD-TR-MSG-2-2-2] Add Governance Framework Document fee checks

Fee payer MUST have the required estimated transaction fees in its account.

§ [MOD-TR-MSG-2-3] Add Governance Framework Document execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

load GovernanceFrameworkVersion entry gfv for the requested version, or create a new GovernanceFrameworkVersion gfv if required:

§ [MOD-TR-MSG-3] Increase Active Governance Framework Version

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-TR-MSG-3-1] Increase Active Governance Framework Version parameters
§ [MOD-TR-MSG-3-2] Increase Active Governance Framework Version precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-TR-MSG-3-2-1] Increase Active Governance Framework Version basic checks
§ [MOD-TR-MSG-3-2-2] Increase Active Governance Framework Version fee checks

Fee payer MUST have the required estimated transaction fees in its account.

§ [MOD-TR-MSG-3-3] Increase Active Governance Framework Version execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-TR-MSG-4] Update Trust Registry

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-TR-MSG-4-1] Update Trust Registry parameters
§ [MOD-TR-MSG-4-2] Update Trust Registry precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-TR-MSG-4-2-1] Update Trust Registry basic checks
§ [MOD-TR-MSG-4-2-2] Update Trust Registry fee checks

Fee payer must have available balance in its account to cover the required transaction fees.

§ [MOD-TR-MSG-4-3] Update Trust Registry execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-TR-MSG-5] Archive Trust Registry

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-TR-MSG-5-1] Archive Trust Registry parameters
§ [MOD-TR-MSG-5-2] Archive Trust Registry precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-TR-MSG-5-2-1] Archive Trust Registry basic checks
§ [MOD-TR-MSG-5-2-2] Archive Trust Registry fee checks

Fee payer MUST have an available balance in its account to cover the required transaction fees.

§ [MOD-TR-MSG-5-3] Archive Trust Registry execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-TR-MSG-6] Update Module Parameters

Update Module Parameters.

Can only be executed through a governance proposal.

§ [MOD-TR-MSG-6-1] Update Module Parameters parameters
§ [MOD-TR-MSG-6-2] Update Module Parameters precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TR-MSG-6-2-1] Update Module Parameters basic checks
§ [MOD-TR-MSG-6-2-2] Update Module Parameters fee checks

provided transaction fees MUST be sufficient for execution

§ [MOD-TR-MSG-6-3] Update Module Parameters execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

for each parameter param <key, value> in parameters:

§ [MOD-TR-QRY-1] Get Trust Registry

Anyone CAN execute this method.

§ [MOD-TR-QRY-1-1] Get Trust Registry parameters
§ [MOD-TR-QRY-1-2] Get Trust Registry checks
§ [MOD-TR-QRY-1-3] Get Trust Registry execution

return found TrustRegistry entry (if any), as well as all its nested GovernanceFrameworkVersion and GovernanceFrameworkDocument entries. If active_gf_only is true, return only nested GovernanceFrameworkVersion and GovernanceFrameworkDocument entries for the active version.

§ [MOD-TR-QRY-2] List Trust Registries

§ [MOD-TR-QRY-2-1] List Trust Registries query parameters

The following parameters are optional:

§ [MOD-TR-QRY-2-2] List Trust Registries query checks

If any of these checks fail, query MUST fail.

§ [MOD-TR-QRY-2-3] List Trust Registries execution of the query

If all precondition checks passed, query is executed and result (may be empty) returned. If modified_after is specified, order by modified desc.

§ [MOD-TR-QRY-3] List Module Parameters

Anyone CAN run this query.

§ [MOD-TR-QRY-3-2] List Module Parameters parameters
§ [MOD-TR-QRY-3-2] List Module Parameters query checks
§ [MOD-TR-QRY-3-3] List Module Parameters execution of the query

Return the list of the existing parameters and their values.

§ [MOD-TR-QRY-3-4] List Module Parameters API result example
{
  "params": {
    "key1": "value1",
    "key2": "value2",
    ...
    ...
  }
}

§ Credential Schema Module

§ [MOD-CS-MSG-1] Create New Credential Schema

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-CS-MSG-1-1] Create New Credential Schema parameters

An account that would like to create a credential schema MUST call this method by specifying:

§ [MOD-CS-MSG-1-2] Create New Credential Schema precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-1-2-1] Create New Credential Schema basic checks
NOTE

When pricing_currency is set to FIAT, pricing_asset MUST be an ISO-4217 currency code. The number of decimals and minor unit semantics MUST follow the ISO-4217 standard for that currency. FIAT amounts MUST be expressed in minor units and MUST NOT be represented as on-chain coins. FIAT metadata SHOULD be pulled from a standard library. It MUST NOT be stored on chain.

§ [MOD-CS-MSG-1-2-2] Create New Credential Schema fee checks

Fee payer MUST have an available balance in its account, to cover the required estimated transaction fees.

§ [MOD-CS-MSG-1-3] Create New Credential Schema execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

NOTE

If needed, depending on configuration mode, Trust Registry controller MAY need to create a ECOSYSTEM Permission so that validation processes can be run.

§ [MOD-CS-MSG-2] Update Credential Schema

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-CS-MSG-2-1] Update Credential Schema parameters

An account that would like to update a credential schema MUST call this method by specifying:

other attributes are immutables and cannot be updated.

§ [MOD-CS-MSG-2-2] Update Credential Schema precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-2-2-1] Update Credential Schema basic checks
§ [MOD-CS-MSG-2-2-2] Update Credential Schema fee checks

Fee payer MUST have an available balance in its account to cover the required transaction fees.

§ [MOD-CS-MSG-2-3] Update Credential Schema execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-CS-MSG-3] Archive Credential Schema

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-CS-MSG-3-1] Archive Credential Schema parameters

An account that would like to archive or unarchive a credential schema MUST call this method by specifying:

§ [MOD-CS-MSG-3-2] Archive Credential Schema precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-3-2-1] Archive Credential Schema basic checks
§ [MOD-CS-MSG-3-2-2] Archive Credential Schema fee checks

Fee payer MUST have an available balance in its account to cover the required transaction fees.

§ [MOD-CS-MSG-3-3] Archive Credential Schema execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-CS-MSG-4] Update Module Parameters

Update Module Parameters.

Can only be executed through a governance proposal.

§ [MOD-CS-MSG-4-1] Update Module Parameters parameters
§ [MOD-CS-MSG-4-2] Update Module Parameters precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-CS-MSG-4-2-1] Update Module Parameters basic checks
§ [MOD-CS-MSG-4-2-2] Update Module Parameters fee checks

provided transaction fees MUST be sufficient for execution

§ [MOD-CS-MSG-4-3] Update Module Parameters execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

for each parameter param <key, value> in parameters:

§ [MOD-CS-MSG-5] Create Schema Authorization Policy

Any authorized operator CAN execute this method on behalf of an authority.

This message creates a draft SchemaAuthorizationPolicy for a given (schema_id, role), or overwrites the existing draft policy if one already exists.
A draft policy is defined as a policy with effective_from == null and MUST NOT be revoked.

Accordingly, if a credential schema defines one or more active policies for the ISSUER or VERIFIER role, the corresponding authority that grants the ISSUER or VERIFIER role for this schema (ISSUER_GRANTOR, VERIFIER_GRANTOR, or ECOSYSTEM, depending on how schema issuer and verifier modes have been configured) MUST issue an IAC or VAC credential to the candidate upon successful completion of the validation process. Refer to the Verifiable Trust spec for more information.

§ [MOD-CS-MSG-5-1] Create Schema Authorization Policy parameters
§ [MOD-CS-MSG-5-2] Create Schema Authorization Policy precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-5-2-1] Create Schema Authorization Policy basic checks
§ [MOD-CS-MSG-5-2-2] Create Schema Authorization Policy fee checks

Fee payer MUST have an available balance in its account to cover the required estimated transaction fees.

§ [MOD-CS-MSG-5-3] Create Schema Authorization Policy execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs:

§ [MOD-CS-MSG-6] Increase Active Schema Authorization Policy Version

Any authorized operator CAN execute this method on behalf of an authority.

This message activates the current draft SchemaAuthorizationPolicy for the given (schema_id, role) and deactivates any previously active version. Deactivation does not constitute revocation; credentials issued under earlier policies MAY continue to be considered valid.

§ [MOD-CS-MSG-6-1] Increase Active Schema Authorization Policy Version parameters
§ [MOD-CS-MSG-6-2] Increase Active Schema Authorization Policy Version precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-6-2-1] Basic checks
§ [MOD-CS-MSG-6-2-2] Fee checks

Fee payer MUST have an available balance in its account to cover the required estimated transaction fees.

§ [MOD-CS-MSG-6-3] Increase Active Schema Authorization Policy Version execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks atomically in a transaction:

§ [MOD-CS-MSG-7] Revoke Schema Authorization Policy

Any authorized operator CAN execute this method on behalf of an authority.

This message revokes a previously enabled SchemaAuthorizationPolicy version. Revoked means previously issued credential that refer to this policy are automatically considered revoked.

§ [MOD-CS-MSG-7-1] Revoke Schema Authorization Policy parameters
§ [MOD-CS-MSG-7-2] Revoke Schema Authorization Policy precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-7-2-1] Basic checks
§ [MOD-CS-MSG-7-2-2] Fee checks

Fee payer MUST have an available balance in its account to cover the required estimated transaction fees.

§ [MOD-CS-MSG-7-3] Revoke Schema Authorization Policy execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following task in a transaction:

§ [MOD-CS-QRY-1] List Credential Schemas

§ [MOD-CS-QRY-1-1] List Credential Schemas parameters
§ [MOD-CS-QRY-1-2] List Credential Schemas checks
§ [MOD-CS-QRY-1-3] List Credential Schemas execution

return a list of found entry, or an empty list if nothing found. Results MUST be ordered by modified DESC.

§ [MOD-CS-QRY-2] Get Credential Schema

Anyone CAN execute this method.

§ [MOD-CS-QRY-2-1] Get Credential Schema parameters
§ [MOD-CS-QRY-2-2] Get Credential Schema checks
§ [MOD-CS-QRY-2-3] Get Credential Schema execution

return found entry (if any).

§ [MOD-CS-QRY-3] Render Json Schema

Anyone CAN execute this method.

§ [MOD-CS-QRY-3-1] Render Json Schema parameters
§ [MOD-CS-QRY-3-2] Render Json Schema checks
§ [MOD-CS-QRY-3-3] Render Json Schema execution

Render found entry (if any). In case value is returned by a REST API, content type MUST be set to “application/schema+json”.

Schema MUST be rendered cononized, even if it was not created canonized using the JSON Canonicalization Scheme (JCS) as defined in RFC 8785.

§ [MOD-CS-QRY-4] List Module Parameters

Anyone CAN run this query.

§ [MOD-CS-QRY-4-2] List Module Parameters parameters
§ [MOD-CS-QRY-4-2] List Module Parameters query checks
§ [MOD-CS-QRY-4-3] List Module Parameters execution of the query

Return the list of the existing parameters and their values.

§ [MOD-CS-QRY-4-4] List Module Parameters API result example
{
  "params": {
    "key1": "value1",
    "key2": "value2",
    ...
    ...
  }
}

§ [MOD-CS-QRY-5] Get Schema Authorization Policy

This query returns a single SchemaAuthorizationPolicy identified by its unique id.

§ [MOD-CS-QRY-5-1] Get Schema Authorization Policy parameters
§ [MOD-CS-QRY-5-2] Get Schema Authorization Policy precondition checks

If any of these precondition checks fail, query MUST abort.

§ [MOD-CS-QRY-5-3] Get Schema Authorization Policy execution

If all precondition checks pass, the query MUST return the corresponding SchemaAuthorizationPolicy entry:

§ [MOD-CS-QRY-6] List Schema Authorization Policies

This query returns the list of SchemaAuthorizationPolicy entries associated with a given (schema_id, role) pair.

§ [MOD-CS-QRY-6-1] List Schema Authorization Policies parameters
§ [MOD-CS-QRY-6-2] List Schema Authorization Policies precondition checks

If any of these precondition checks fail, query MUST abort.

§ [MOD-CS-QRY-6-3] List Schema Authorization Policies execution

If all precondition checks pass, the query MUST return the list of SchemaAuthorizationPolicy entries matching (schema_id, role).

Returned entries MUST include at least the following fields:

Entries MUST be ordered by ascending version.

§ Permission Module

§ Permission Module Overview

This section is non-normative.

Permission are linked to a Credential Schema and representable as a tree.

uml diagram

The ECOSYSTEM type permissions are created by the Credential Schema owner. All other permissions are created by running a Validation Process (or by any account: - for ISSUER permissions if issuer_perm_management_mode is equal to OPEN, - for VERIFIER permissions if verifier_perm_management_mode is equal to OPEN).

A Validation Process (VP) is a process which involves an applicant (which is the authority of validation entry stored in a validation keeper), a validator permission, and optional validation fees plus transaction fees.

Validation is used by applicants that want to:

In all cases, the process is very similar. Example execution of a validation process:

  1. Applicant starts a validation process by running the [start new validation] transaction. Validation process may be subject to paying validation fees, as defined by validator.
  2. Validation process usually requires that applicant connects to a validation VS identified by its DID, and execute a some validation steps, required for the validation process to conclude.
  3. If applicant qualifies, validator updates the validation entry by running the [set to validated] transaction, and applicant is granted new permissions, and/or gets issued a credential.

Validation is valid for a specific period, for example 365 days, as configured in the credential schema for credential schema related validations, or set by trust registry for user-agent validation.

NOTE

In some cases, even if the validation is valid for a period of time, the resulting created permission or issued credential might have a shorter expiration timestamp because the validated attribute(s) might expire before validation expiration: in this case, the applicant must provide updated information to the validator before attribute expiration, in order to get issued an updated new permission and/or an updated credential.

If validation is set to expire, applicant that wishes to extend the expiration timestamp must renew its validation.

At any time, applicant can cancel the validation process.

Some special unexpected situation may arise and must be mitigated. Examples:

§ [MOD-PERM-MSG-1] Start Permission VP

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-PERM-MSG-1-1] Start Permission VP parameters

An Applicant that would like to start a permission validation process MUST execute this method by specifying:

Available compatible perms can be found by using an indexer and presented in a front-end so applicant can choose its validator.

§ [MOD-PERM-MSG-1-2] Start Permission VP precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-1-2-1] Start Permission VP basic checks

if a mandatory parameter is not present, transaction MUST abort.

NOTE

A holder MAY directly connect to the DID VS of an issuer in order to get issued a credential. It’s up to the issuer to decide if running the validation process is REQUIRED or not.

§ [MOD-PERM-MSG-1-2-2] Start Permission VP permission checks

At the end, if a active permission validator_perm is not found, transaction MUST abort.

§ [MOD-PERM-MSG-1-2-3] Start Permission VP fee checks

If a conversion is needed below, use Get Price to convert amounts to native denom:

if (cs.pricing_asset_type, cs.pricing_asset) is set to (COIN, [[ref: native denom]]):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to (TU, "tu"):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to an arbitrary coin (COIN, [[ref: denom]]):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to an arbitrary coin (FIAT, [[ref: denom]]):

NOTE

Trust deposit MUST always be paid in native denom

§ [MOD-PERM-MSG-1-2-4] Start Permission VP overlap checks

We want to make sure that 2 validation processes cannot be active at the same time in the same context. This does not prevent an authority from running different VP with differents validators for the same schema_id, type.

Find all permission perms[] for schema_id, type, validator_perm_id, authority with vp_state = VALIDATED or PENDING.

if size of perms[] > 0, it means there is already an existing validation process in this context, so MUST abort.

note: this check was not present in v3.

§ [MOD-PERM-MSG-1-3] Start Permission VP execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ Connecting to the VS of the Validator

This section is non-normative, and provided for understanding only.

This action must be initiated by the applicant.

During a validation process, if the associated validator_perm includes a specific did, the applicant should establish a secure connection with the validator’s VS (Verifiable Service) using a secure communication protocol such as DIDComm.

Upon connecting to the VS, the applicant should be required by the validator to complete one or more of the following tasks:

  1. Prove control over the vs_operator account specifid in the permission (e.g., via blind signature or cryptographic challenge).
  2. Provide requested information, such as filling out forms, submitting documents, or other forms of disclosure as required by the validation VS.
  3. If the requested permission includes a VS DID, the applicant should prove control over the corresponding DID to the validator’s VS.

Once the validator determines that the process is complete, they may terminate the validation process and create the permission accordingly. This permission configuration usually include:

The validator may compile a summary file of the validation process, documenting exchanged data, proofs, and decisions, and share it with the applicant via the VS connection or another secure channel.

For audit or governance purposes, the validator should register a digest (e.g., hash or SRI) of this summary in applicant_perm.vp_summary_digest.

§ [MOD-PERM-MSG-2] Renew Permission VP

Any authorized operator CAN execute this method on behalf of an authority.

This section is non-normative.

§ [MOD-PERM-MSG-2-1] Renew Permission VP parameters
§ [MOD-PERM-MSG-2-2] Renew Permission VP precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-2-2-1] Renew Permission VP basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PERM-MSG-2-2-2] Renew Permission VP permission checks
§ [MOD-PERM-MSG-2-2-3] Renew Permission VP fee checks

If a conversion is needed below, use Get Price to convert amounts to native denom:

if (cs.pricing_asset_type, cs.pricing_asset) is set to (COIN, [[ref: native denom]]):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to (TU, "tu"):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to an arbitrary coin (COIN, [[ref: denom]]):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to an arbitrary coin (FIAT, [[ref: denom]]):

NOTE

Trust deposit MUST always be paid in native denom

§ [MOD-PERM-MSG-2-3] Renew Permission VP execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-PERM-MSG-3] Set Permission VP to Validated

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-PERM-MSG-3-1] Set Permission VP to Validated parameters

An account that would like to set a validation entry to VALIDATED MUST execute this method by specifying:

§ [MOD-PERM-MSG-3-2] Set Permission VP to Validated precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-3-2-1] Set Permission VP to Validated basic checks

if a mandatory parameter is not present, transaction MUST abort.

Calculation of vp_exp, the validation process expiration timestamp, required to verify provided effective_until:

Now, let’s verify effective_until:

§ [MOD-PERM-MSG-3-2-2] Set Permission VP to Validated validator perms

If validator_perm is not a active permission (expired, revoked, slashed…) then applicant MUST start a new validation process.

§ [MOD-PERM-MSG-3-2-3] Set Permission VP to Validated fee checks
§ [MOD-PERM-MSG-3-2-4] Set Permission VP to Validated overlap checks

We want to make sure that 2 permissions cannot be active at the same time for the same validator_perm_id. That should not occur in this method, but better do the check anyway.

Find all active permissions perms[] (not revoked, not slashed, not repaid) for schema_id, type, validator_perm_id, authority.

for each Permission entry p from perms[]:

note: this check was not present in v3.

§ [MOD-PERM-MSG-3-3] Set Permission VP to Validated execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Calculate vp_exp:

Change value of provided effective_until if needed, and abort if needed:

Fees and Trust Deposits:

Important: if applicant_perm.vp_current_fees is not in native denom, authority account MUST have applicant_perm.vp_current_deposit available for paying the trust deposit.

Update Permission applicant_perm:

If applicant_perm.type is ISSUER or VERIFIER: Create authorization for applicant_perm.vs_operator so that the Verifiable Service will be able to call CreateOrUpdatePermissionSession when issuing or verifying credentials:

§ [MOD-PERM-MSG-4] Void

§ [MOD-PERM-MSG-5] Void

§ [MOD-PERM-MSG-6] Cancel Permission VP Last Request

Any authorized operator CAN execute this method on behalf of an authority.

At any time, applicant of a permission validation process may request cancellation of the process, provided state is PENDING. Upon method execution, the pending validation is cancelled and escrewed trust fees are refunded. If vp_exp is not null, vp_state is set back to VALIDATED, else vp_state is set to TERMINATED.

§ [MOD-PERM-MSG-6-1] Cancel Permission VP Last Request parameters
§ [MOD-PERM-MSG-6-2] Cancel Permission VP Last Request precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-6-2-1] Cancel Permission VP Last Request basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PERM-MSG-6-2-2] Cancel Permission VP Last Request fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-PERM-MSG-6-3] Cancel Permission VP Last Request execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-PERM-MSG-7] Create Root Permission

Any authorized operator CAN execute this method on behalf of an authority.

This method is used by controller authorities of Trust Registries. When they create a Credential Schema, they need to create (a) permission(s) of type ECOSYSTEM so that other participants can run validation processes (if schema mode is ECOSYSTEM) or self create their permissions (schema mode set to OPEN).

§ [MOD-PERM-MSG-7-1] Create Root Permission parameters

An account that would like to create a Permission entry MUST call this method by specifying:

§ [MOD-PERM-MSG-7-2] Create Root Permission precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-7-2-1] Create Root Permission basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PERM-MSG-7-2-2] Create Root Permission permission checks

To execute this method, account MUST match at least one these rules, else transaction MUST abort.

§ [MOD-PERM-MSG-7-2-3] Create Root Permission fee checks

Fee payer MUST have the required estimated transaction fees available.

§ [MOD-PERM-MSG-7-2-4] Create Root Permission overlap checks

We want to make sure that 2 permissions cannot be active at the same time. If authority wishes to create a new permission but existing active one never expires (or expire too far from now), authority MUST use first the Extend Perm Msg to set or adjust the effective_until value.

Find all active permissions perms[] (not revoked, not slashed, not repaid) for schema_id, ECOSYSTEM, authority.

Note: unlike overlap checks from other methods, here we do not need to check for validator_perm_id, as for ECOSYSTEM type permissions it is NULL.

for each Permission entry p from perms[]:

note: this check was not present in v3.

§ [MOD-PERM-MSG-7-3] Create Root Permission execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

A new entry Permission perm MUST be created:

§ [MOD-PERM-MSG-8] Adjust Permission

Any authorized operator CAN execute this method on behalf of an authority.

This method can be called:

§ [MOD-PERM-MSG-8-1] Adjust Permission parameters
§ [MOD-PERM-MSG-8-2] Adjust Permission precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-8-2-1] Adjust Permission basic checks

if a mandatory parameter is not present, transaction MUST abort.

Note: This method can be used to both Extend or Reduce the effective_until, or set an effective_until if it was null, which was not the case in spec v3.

§ [MOD-PERM-MSG-8-2-2] Adjust Permission advanced checks
  1. ECOSYSTEM permissions
  1. Self-created permissions
  1. VP managed permissions
§ [MOD-PERM-MSG-8-2-3] Adjust Permission fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-PERM-MSG-8-2-4] Adjust Permission overlap checks

We want to make sure that 2 permissions cannot be active at the same time for the same validator_perm_id. If authority wishes to create a new permission but existing active one never expires (or expire too far from now), authority MUST use first the Extend Perm Msg to set or adjust the effective_until value.

Find all active permissions perms[] (not revoked, not slashed, not repaid) for schema_id, type, validator_perm_id, authority.

for each Permission entry p from perms[]:

note: this check was not present in v3.

§ [MOD-PERM-MSG-8-3] Adjust Permission execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

If applicant_perm.type is ISSUER or VERIFIER: Update authorization for applicant_perm.vs_operator so that the Verifiable Service will be able to call CreateOrUpdatePermissionSession when issuing or verifying credentials:

§ [MOD-PERM-MSG-9] Revoke Permission

Any authorized operator CAN execute this method on behalf of an authority.

This method can only be called:

§ [MOD-PERM-MSG-9-1] Revoke Permission parameters
§ [MOD-PERM-MSG-9-2] Revoke Permission precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-9-2-1] Revoke Permission basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PERM-MSG-9-2-2] Revoke Permission advanced checks

Either Option #1, #2 or #3 MUST return true, else abort.

Option #1: executed by a validator ancestor

if applicant_perm.validator_perm_id is defined:

Option #2: executed by TrustRegistry controller

Option #3: executed by applicant_perm.authority: return true.

Example:

In the following permission tree, “Verifier E” permission can be revoked:

uml diagram
§ [MOD-PERM-MSG-9-2-3] Revoke Permission fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-PERM-MSG-9-3] Revoke Permission execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

If applicant_perm.type is ISSUER or VERIFIER: Delete authorization for applicant_perm.vs_operator:

§ [MOD-PERM-MSG-10] Create or Update Permission Session

Any authorized operator CAN execute this method on behalf of an authority.

Any credential exchange that requires issuer or verifier to pay fees, register a digest_sri, or produce a proof implies the creation of a PermissionSession.

If the peer wants to issue a credential, the agent, the Verifiable User Agent or Verifiable Service that receive the request MUST send to peer:

If the peer wants to verify a credential, agent must send to peer:

payer MUST create a Permission Session using the above information, then, agent MUST check session has been created and is valid before accepting the action (receive and store issued credential, or accept a presentation request).

uml diagram

See VT spec.

§ [MOD-PERM-MSG-10-1] Create or Update Permission Session parameters

An account that would like to create or update a PermissionSession entry MUST send a Msg by specifying:

§ [MOD-PERM-MSG-10-2] Create or Update Permission Session precondition checks

If any of these precondition checks fail, transaction MUST abort.

if issuer_perm_id is null AND verifier_perm_id is null, MUST abort.

if issuer_perm_id is not null:

if verifier_perm_id is not null:

Define the primary permission perm: if verifier_perm is not null, perm = verifier_perm (the caller is the vs_operator of the verifier). Else, perm = issuer_perm (the caller is the vs_operator of the issuer).

[AUTHZ-CHECK-3] MUST pass for this (authority, operator, perm) tuple. [AUTHZ-CHECK-4] MUST pass for this (authority, operator, perm) tuple.

agent:

wallet_agent:

WARNING

we might want to check that credential schema of agent and wallet_agent perms is an Essential Credential Schema of type UserAgent. At the moment there is no way of doing it. We consider User Agent will not report a permission that is not controlled by its owner.

§ [MOD-PERM-MSG-10-3] Create or Update Permission Session fee checks

For trust fees, authority account MUST have sufficient available balance as explained below.

Step 1: Calculate total beneficiary fees in credential schema pricing asset

Use “Find Beneficiaries” query method to get the set of beneficiary permissions found_perm_set (all ancestors in the permission tree).

If Credential Issuance (issuer_perm is NOT null):

If Credential Verification (verifier_perm is NOT null):

Note: total_beneficiary_fees is expressed in the credential schema pricing asset (cs.pricing_asset_type, cs.pricing_asset).

Step 2: Calculate amounts payer must have available

Based on the credential schema pricing configuration, calculate the total amounts the payer (authority) must have available.

Define the following variables:

Variable Description
total_fees_in_pricing_asset Total fees to be distributed to beneficiaries (in pricing asset)
total_fees_in_native_denom Total fees converted to native denom (if needed)
total_payer_trust_deposit Trust deposit payer must stake for themselves
total_payees_trust_deposit Trust deposit payer must stake on behalf of payees
total_payees_fees_to_account Fees to be transferred to payees’ accounts
total_user_agent_reward Reward for user agent (in native denom)
total_wallet_agent_reward Reward for wallet agent (in native denom)

Initialize:

If a conversion is needed below, use Get Price to convert amounts.

Case A: (cs.pricing_asset_type, cs.pricing_asset) = (COIN, [[ref: native denom]])

Pricing is in native token. No conversion needed.

Calculate:

Required balance check:

Case B: (cs.pricing_asset_type, cs.pricing_asset) = (TU, "tu")

Pricing is in Trust Units. Convert to native denom for all on-chain payments.

Calculate:

Required balance check:

Case C: (cs.pricing_asset_type, cs.pricing_asset) = (COIN, <arbitrary_denom>)

Pricing is in an arbitrary on-chain coin (e.g., USDC). Fees to payees are paid in that coin; deposits and agent rewards are converted to native denom.

Calculate:

Required balance check:

Case D: (cs.pricing_asset_type, cs.pricing_asset) = (FIAT, <fiat_denom>)

Pricing is in fiat currency (e.g., USD). Fiat fees are settled off-chain; only deposits and agent rewards are paid on-chain in native denom.

Calculate:

Required balance check:

WARNING
  • Trust deposits MUST always be paid in native denom.
  • When paying with COIN ≠ native denom or with FIAT, payer pays trust deposits on behalf of payees (since payees receive non-native assets that cannot be directly staked).
§ [MOD-PERM-MSG-10-4] Create or Update Permission Session execution

If all precondition checks passed, method is executed.

Note: All funds are transferred from the authority account executing the method. The steps below describe what each recipient must receive. Implementation details (batching, order of transfers) are left to the implementer.

Step 1: Process fee distribution to each beneficiary

Initialize accumulators for agent rewards:

Determine the operation type and applicable discount:

For each beneficiary permission perm in found_perm_set:

If perm.[fee_field] > 0:

  1. Calculate the discounted fee for this beneficiary:

    • beneficiary_fee_in_pricing_asset = perm.[fee_field] × (1 - discount)

  2. Calculate amounts based on pricing configuration (same logic as fee checks):

    Case A: (cs.pricing_asset_type, cs.pricing_asset) = (COIN, [[ref: native denom]])

    • fee_in_native_denom = beneficiary_fee_in_pricing_asset
    • payer_trust_deposit = fee_in_native_denom × GlobalVariables.trust_deposit_rate
    • payee_trust_deposit = payer_trust_deposit
    • payee_fees_to_account = fee_in_native_denom × (1 - GlobalVariables.trust_deposit_rate)
    • user_agent_reward_portion = fee_in_native_denom × GlobalVariables.user_agent_reward_rate
    • wallet_agent_reward_portion = fee_in_native_denom × GlobalVariables.wallet_user_agent_reward_rate

    Case B: (cs.pricing_asset_type, cs.pricing_asset) = (TU, "tu")

    • fee_in_native_denom = getPrice(TU, "tu", COIN, [[ref: native denom]], beneficiary_fee_in_pricing_asset)
    • payer_trust_deposit = fee_in_native_denom × GlobalVariables.trust_deposit_rate
    • payee_trust_deposit = payer_trust_deposit
    • payee_fees_to_account = fee_in_native_denom × (1 - GlobalVariables.trust_deposit_rate)
    • user_agent_reward_portion = fee_in_native_denom × GlobalVariables.user_agent_reward_rate
    • wallet_agent_reward_portion = fee_in_native_denom × GlobalVariables.wallet_user_agent_reward_rate

    Case C: (cs.pricing_asset_type, cs.pricing_asset) = (COIN, <arbitrary_denom>)

    • fee_in_native_denom = getPrice(COIN, <arbitrary_denom>, COIN, [[ref: native denom]], beneficiary_fee_in_pricing_asset)
    • payer_trust_deposit = fee_in_native_denom × GlobalVariables.trust_deposit_rate
    • payee_trust_deposit = payer_trust_deposit
    • payee_fees_to_account = beneficiary_fee_in_pricing_asset × (1 - GlobalVariables.trust_deposit_rate) (in <arbitrary_denom>)
    • user_agent_reward_portion = fee_in_native_denom × GlobalVariables.user_agent_reward_rate
    • wallet_agent_reward_portion = fee_in_native_denom × GlobalVariables.wallet_user_agent_reward_rate

    Case D: (cs.pricing_asset_type, cs.pricing_asset) = (FIAT, <fiat_denom>)

    • fee_in_native_denom = getPrice(FIAT, <fiat_denom>, COIN, [[ref: native denom]], beneficiary_fee_in_pricing_asset)
    • payer_trust_deposit = fee_in_native_denom × GlobalVariables.trust_deposit_rate
    • payee_trust_deposit = payer_trust_deposit
    • payee_fees_to_account = 0 (FIAT payments are managed off-chain)
    • user_agent_reward_portion = fee_in_native_denom × GlobalVariables.user_agent_reward_rate
    • wallet_agent_reward_portion = fee_in_native_denom × GlobalVariables.wallet_user_agent_reward_rate

  3. Execute transfers and deposits for this beneficiary:

    • If payee_fees_to_account > 0: transfer payee_fees_to_account to perm.authority (in the appropriate denom).
    • Use [MOD-TD-MSG-1] to increase the trust deposit of perm.authority by payee_trust_deposit. Increase perm.deposit by the same value.
    • Use [MOD-TD-MSG-1] to increase the trust deposit of authority (payer) by payer_trust_deposit. Increase payer_perm.deposit by the same value.

  4. Accumulate agent rewards:

    • accumulated_user_agent_reward = accumulated_user_agent_reward + user_agent_reward_portion
    • accumulated_wallet_agent_reward = accumulated_wallet_agent_reward + wallet_agent_reward_portion

Step 2: Process agent rewards

After processing all beneficiaries, distribute accumulated rewards to agents.

User Agent Reward:

If accumulated_user_agent_reward > 0:

Wallet Agent Reward:

If accumulated_wallet_agent_reward > 0:

Step 3: Create or update session records

Now that all transfers have been done, we can create the entries

Create a PermissionSessionRecord cspsr:

If new, create entry PermissionSession session:

Else update:

then, add the cspsr to session.session_records

if current transaction if for issuance of a credential, persist the digest SRI by calling [MOD-DI-MSG-1].

WARNING

session.authz[] can contain null issuer_perm_id OR verifier_perm_id

§ [MOD-PERM-MSG-11] Update Permission Module Parameters

Update Permission Module Parameters.

Can only be executed through a governance proposal.

§ [MOD-PERM-MSG-11-1] Update Permission Module Parameters parameters
§ [MOD-PERM-MSG-11-2] Update Permission Module Parameters precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-11-2-1] Update Permission Module Parameters basic checks
§ [MOD-PERM-MSG-11-2-2] Update Permission Module Parameters fee checks

provided transaction fees MUST be sufficient for execution

§ [MOD-PERM-MSG-11-3] Update Permission Module Parameters execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

for each parameter param <key, value> in parameters:

§ [MOD-PERM-MSG-12] Slash Permission Trust Deposit

This method can only be called by either:

§ [MOD-PERM-MSG-12-1] Slash Permission Trust Deposit parameters
§ [MOD-PERM-MSG-12-2] Slash Permission Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-12-2-1] Slash Permission Trust Deposit basic checks

if a mandatory parameter is not present, transaction MUST abort.

NOTE

Even if the permission has expired or is revoked, it is still possible to slash it.

§ [MOD-PERM-MSG-12-2-2] Slash Permission Trust Deposit validator perms

Either Option #1, or #2 MUST return true, else abort.

Option #1: executed by a validator ancestor

if applicant_perm.validator_perm_id is defined:

Option #2: executed by TrustRegistry controller

§ [MOD-PERM-MSG-12-2-3] Slash Permission Trust Deposit fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-PERM-MSG-12-3] Slash Permission Trust Deposit execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

use MOD-TD-MSG-7 to burn the slashed amount from the trust deposit of applicant_perm.authority.

If applicant_perm.type is ISSUER or VERIFIER: Delete authorization for applicant_perm.vs_operator:

§ [MOD-PERM-MSG-13] Repay Permission Slashed Trust Deposit

This method can only be called by the authority that want to repay the deposit of a slashed perm they own. This won’t make the perm re-usable: it will be needed for the authority associated to this permission to request a new permission, as slashed permissions cannot be revived (same happen for revoked, etc…).

Nevertheless, to get a new permission for a given ecosystem, it is needed, using this method, to repay the deposit of a slashed permission first.

§ [MOD-PERM-MSG-13-1] Repay Permission Slashed Trust Deposit parameters
§ [MOD-PERM-MSG-13-2] Repay Permission Slashed Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-13-2-1] Repay Permission Slashed Trust Deposit basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PERM-MSG-13-2-2] Repay Permission Slashed Trust Deposit fee checks
§ [MOD-PERM-MSG-13-3] Repay Permission Slashed Trust Deposit execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

use Adjust Trust Deposit to transfer applicant_perm.slashed_deposit to trust deposit of applicant_perm.authority.

§ [MOD-PERM-MSG-14] Self Create Permission

Any authorized operator CAN execute this method on behalf of an authority.

This simple permission creation method can be used to self-create an ISSUER (resp. VERIFIER) permission if issuance mode (resp. verification mode) is set to OPEN for a given schema. As permissions are the anchor of ecosystem trust deposit operations, it is required for an issuer/verifier candidate to self-create a permission for being issuer or verifier of a given schema.

NOTE

Even if a schema is OPEN, candidate MUST make sure they comply with the EGF else their permission may be revoked by ecosystem governance authority and their deposit slashed.

§ [MOD-PERM-MSG-14-1] Self Create Permission parameters
§ [MOD-PERM-MSG-14-2] Self Create Permission precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PERM-MSG-14-2-1] Self Create Permission basic checks

if a mandatory parameter is not present, transaction MUST abort.

Load Permission validator_perm from validator_perm_id.

§ [MOD-PERM-MSG-14-2-2] Self Create Permission permission checks

To execute this method, account MUST match at least one these rules, else transaction MUST abort.

§ [MOD-PERM-MSG-14-2-3] Self Create Permission fee checks

Fee payer MUST have the required estimated transaction fees available.

§ [MOD-PERM-MSG-14-2-4] Self Create Permission overlap checks

We want to make sure that 2 permissions cannot be active at the same time for the same validator_perm_id. If authority wishes to create a new permission but existing active one never expires (or expire too far from now), authority MUST use first the Extend Perm Msg to set or adjust the effective_until value.

Find all active permissions perms[] (not revoked, not slashed, not repaid) for cs.id, type, validator_perm_id, authority.

for each Permission entry p from perms[]:

note: this check was not present in v3.

§ [MOD-PERM-MSG-14-3] Create Permission execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

A new entry Permission perm MUST be created:

Create authorization for vs_operator so that the Verifiable Service will be able to call CreateOrUpdatePermissionSession when issuing or verifying credentials:

§ [MOD-PERM-QRY-1] List Permissions

Anyone CAN execute this method.

Generic query used for (at least):

§ [MOD-PERM-QRY-1-1] List Permissions parameters
§ [MOD-PERM-QRY-1-2] List Permissions checks

Basic type check arg SHOULD be applied.

If any of these checks fail, query MUST fail.

§ [MOD-PERM-QRY-1-3] List Permissions execution

return a list of found entries, or an empty list if nothing found. Ordered by modified asc.

§ [MOD-PERM-QRY-2] Get Permission

Anyone CAN execute this method.

§ [MOD-PERM-QRY-2-1] Get Permission parameters
§ [MOD-PERM-QRY-2-2] Get Permission checks
§ [MOD-PERM-QRY-2-3] Get Permission execution

return found entry (if any).

§ [MOD-PERM-QRY-3] Void

Obsoleted by [MOD-PERM-QRY-1].

§ [MOD-PERM-QRY-4] Find Beneficiaries

Anyone can execute this method.

To calculate the fees required for paying the beneficiaries, it is needed to recurse all involved perms until the root of the permission tree (which is the trust registry perm), starting from the 2 branches issuer_perm and verifier_perm. As both branches may have common ancestors, we can create a Set (unordered collection with no duplicates), and recurse over the 2 branches, adding found perms. If verifier_perm is null, issuer_perm is never added to the set. If verifier_perm is NOT null, issuer_perm is added to the set if it exists but verifier_perm is not added to the set.

Example 1: verifier_perm: is not set: it’s a credential offer, schema configured to have Issuer Grantors.

uml diagram

Example 2: verifier_perm: is not set: it’s a credential offer. Schema configured to NOT have Issuer Grantors.

uml diagram

Example 3: verifier_perm is set, it’s a presentation request. Schema configured to have Verifier and Issuer Grantors.

uml diagram
§ [MOD-PERM-QRY-4-1] Find Beneficiaries parameters
§ [MOD-PERM-QRY-4-2] Find Beneficiaries checks
§ [MOD-PERM-QRY-4-3] Find Beneficiaries execution

Example: Let’s build the set. Revoked and slashed permissions will not be added to the set. Expired permissions, if not revoked/slashed, will be considered.

if issuer_perm is not null:

Additionally, if verifier_perm is not null:

return found_perms.

NOTE

This works even is schema is open to any issuer or open to any verifier.

§ [MOD-PERM-QRY-5] Get PermissionSession

§ [MOD-PERM-QRY-5-1] Get PermissionSession parameters
§ [MOD-PERM-QRY-5-2] Get PermissionSession checks
§ [MOD-PERM-QRY-5-3] Get PermissionSession execution

return PermissionSession entry if found, else return not found.

§ [MOD-PERM-QRY-6] List Permission Module Parameters
§ [MOD-PERM-QRY-6-2] List Permission Module Parameters parameters
§ [MOD-PERM-QRY-6-2] List Permission Module Parameters query checks
§ [MOD-PERM-QRY-6-3] List Permission Module Parameters execution of the query

Return the list of the existing parameters and their values.

§ [MOD-PERM-QRY-6-4] List Permission Module Parameters API result example
{
  "params": {
    "key1": "value1",
    "key2": "value2",
    ...
    ...
  }
}

§ Validation Examples

§ Getting a Credential from an Authorized Issuer

This section is non-normative.

Example of an Applicant that would like to get issued a credential (HOLDER):

uml diagram
§ Add a DID to the List of Granted Issuers of a Credential Schema

This section is non-normative.

uml diagram

§ Trust deposit module

§ Trust deposit module overview

This section is non-normative.

Concept: the trust deposit is used to lock trust value as a stake. To process application messages that perform state changes, several modules methods are requiring a trust deposit to be sent, from the executing account, to the trust deposit module.

We will use a similar method than the one described here to manage trust deposit and yield calculation and easy way.

Example:

In our example, we suppose a VPR is just starting and no trust transaction have taken place yet. For this reason:

Operation #1:

an account account1 wants to create a transaction that requires:

First, the Trust Deposit: execution of the method will perform the following (we consider this account had no TrustDeposit entry yet):

Second, fee distribution: let’s suppose that trust_deposit_block_reward_share is set to 0.30 so that 70% of transaction fees are distributed to validators, and 30% of transaction fees are distributed to trust deposit holders. For this specific transaction:

Now, account1 can (optionally) reclaim the difference between the GlobalVariables.trust_deposit_share_value * tt.share minus tt.denom, which represents the trust (yield) gains.

Operation #2:

Another account account2 wants to create a transaction that requires:

First, Trust Deposit:

Second, fee distribution: let’s suppose trust_deposit_block_reward_share is set to 0.30 so that 70% of transaction fees are distributed to validators, and 30% of transaction fees are distributed to trust deposit holders. For this specific transaction:

After the 2 operations:

§ Trust Deposit Yield

The following global parameters are used to tune the Trust Deposit yield generation, in case the VPR is implemented as a ledger:

Each time there is a block reward to be distributed, trust_deposit_block_reward_share percent MUST be directed to trust deposit holders, based on their trust deposit share.

Implementers MUST make sure, for each processed block reward, that the yearly effective yield is lower or equal than trust_deposit_max_yield_rate.

§ [MOD-TD-MSG-1] Adjust Trust Deposit

This method is used to increase or decrease the trust deposit of a specific authority account.

Only the modules that require trust deposit manipulation CAN call this method. If trust deposit has been slashed and not repaid, method execution MUST abort.

§ [MOD-TD-MSG-1-1] Adjust Trust Deposit method parameters
§ [MOD-TD-MSG-1-2] Adjust Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TD-MSG-1-2-1] Adjust Trust Deposit basic checks

Value checks:

§ [MOD-TD-MSG-1-2-2] Adjust Trust Deposit fee checks

Additionally:

§ [MOD-TD-MSG-1-3] Adjust Trust Deposit execution of the method

If all precondition checks passed, method is executed in a transaction.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

The last case, augend < 0, is to free trust deposit (ej when canceling a validation process).

§ [MOD-TD-MSG-2] Reclaim Trust Deposit Yield

This method is used to reclaim yield. If trust deposit has been slashed and not repaid, method execution MUST abort.

For a given TrustDeposit entry td, claimable yield is calculated like this:

claimable_yield = td.share * GlobalVariables.trust_deposit_share_value - td.deposit.

If claimable_yield is positive, it can be claimed.

§ [MOD-TD-MSG-2-1] Reclaim Trust Deposit Yield method parameters
§ [MOD-TD-MSG-2-2] Reclaim Trust Deposit Yield precondition checks
§ [MOD-TD-MSG-2-2-1] Reclaim Trust Deposit Yield basic checks
§ [MOD-TD-MSG-2-2-2] Reclaim Trust Deposit Yield fee checks

Fee payer running the transaction MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-TD-MSG-2-3] Reclaim Trust Deposit Yield execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

For the TrustDeposit entry td linked to authority:

§ [MOD-TD-MSG-3] Void

§ [MOD-TD-MSG-4] Update Module Parameters

Update Module Parameters.

Can only be executed through a governance proposal.

§ [MOD-TD-MSG-4-1] Update Module Parameters parameters
§ [MOD-TD-MSG-4-2] Update Module Parameters precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TD-MSG-4-2-1] Update Module Parameters basic checks
§ [MOD-TD-MSG-4-2-2] Update Module Parameters fee checks

provided transaction fees MUST be sufficient for execution

§ [MOD-TD-MSG-4-3] Update Module Parameters execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

for each parameter param <key, value> in parameters:

§ [MOD-TD-MSG-5] Slash Trust Deposit

This method is used by the network governance authority to globally slash an authority account trust deposit.

This method can only be called by a governance proposal. A globally slashed account MUST repay the slashed deposit in order to continue to use the services provided by the VPR. When and account is slashed, and while slashed deposit has not been repaid, all account linked permissions MUST be considered non trustable.

This method is for network governance authority slash. For ecosystem slash, see Slash Permission Trust Deposit.

§ [MOD-TD-MSG-5-1] Slash Trust Deposit method parameters
§ [MOD-TD-MSG-5-2] Slash Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TD-MSG-5-2-1] Slash Trust Deposit basic checks

if any of these conditions is not satisfied, transaction MUST abort.

§ [MOD-TD-MSG-5-2-2] Slash Trust Deposit fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-TD-MSG-5-3] Slash Trust Deposit execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

For the TrustDeposit entry td linked to authority:

§ [MOD-TD-MSG-6] Repay Slashed Trust Deposit

Any authorized operator CAN execute this method on behalf of an authority.

§ [MOD-TD-MSG-6-1] Repay Slashed Trust Deposit method parameters
§ [MOD-TD-MSG-6-2] Repay Slashed Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TD-MSG-6-2-1] Repay Slashed Trust Deposit basic checks

if any of these conditions is not satisfied, transaction MUST abort.

§ [MOD-TD-MSG-6-2-2] Repay Slashed Trust Deposit fee checks
§ [MOD-TD-MSG-6-3] Repay Slashed Trust Deposit execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

For the TrustDeposit entry td linked to authority account:

§ [MOD-TD-MSG-7] Burn Ecosystem Slashed Trust Deposit

Burn the portion of the trust deposit of a given account. This method can only be called by the permission module when performing an ecosystem-related slash.

WARNING

Make sure to properly protect access to the execution of this method else it may lead to very destructive actions.

§ [MOD-TD-MSG-7-1] Burn Ecosystem Slashed Trust Deposit method parameters
WARNING

Alternative approach: For security and consistency, implementers MAY choose to reference the ID of the slashed permission, load it and use its defined slashed_deposit value as the slashing amount. The decision between this method and specifying the amount directly is left to implementers.

§ [MOD-TD-MSG-7-2] Burn Ecosystem Slashed Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TD-MSG-7-2-1] Burn Ecosystem Slashed Trust Deposit basic checks

if any of these conditions is not satisfied, transaction MUST abort.

§ [MOD-TD-MSG-7-2-2] Burn Ecosystem Slashed Trust Deposit fee checks

Fee payer running the transaction MUST have the required estimated transaction fees in its account else transaction MUST abort.

§ [MOD-TD-MSG-7-3] Burn Ecosystem Slashed Trust Deposit execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

For the TrustDeposit entry td linked to account:

§ [MOD-TD-QRY-1] Get Trust Deposit

Any account CAN run this query. As this method does not modify data, it does not require a transaction.

§ [MOD-TD-QRY-1-1] Get Trust Deposit query parameters
§ [MOD-TD-QRY-1-2] Get Trust Deposit query checks

If any of these checks fail, query MUST fail.

§ [MOD-TD-QRY-1-3] Get Trust Deposit execution of the query

If found, returns trust deposit, else return not found.

§ [MOD-TD-QRY-2] List Module Parameters

Anyone CAN run this query.

§ [MOD-TD-QRY-2-2] List Module Parameters parameters
§ [MOD-TD-QRY-2-2] List Module Parameters query checks
§ [MOD-TD-QRY-2-3] List Module Parameters execution of the query

Return the list of the existing parameters and their values.

§ [MOD-TD-QRY-2-4] List Module Parameters API result example
{
  "params": {
    "key1": "value1",
    "key2": "value2",
    ...
    ...
  }
}

§ [MOD-DE-MSG-1] Grant Fee Allowance

This method can only be called directly by the following methods:

§ [MOD-DE-MSG-1-1] Grant Fee Allowance method parameters
§ [MOD-DE-MSG-1-2] Grant Fee Allowance basic checks

if any of these conditions is not satisfied, transaction MUST abort.

§ [MOD-DE-MSG-1-3] Grant Fee Allowance fee checks
§ [MOD-DE-MSG-1-4] Grant Fee Allowance execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Create (or update if it already exist) FeeGrant feegrant:

§ [MOD-DE-MSG-2] Revoke Fee Allowance

This method can only be called directly by the following methods:

§ [MOD-DE-MSG-2-1] Revoke Allowance method parameters
§ [MOD-DE-MSG-2-2] Revoke Fee Allowance basic checks

MUST abort if one of these conditions fails:

§ [MOD-DE-MSG-2-3] Revoke Fee Allowance fee checks
§ [MOD-DE-MSG-2-4] Revoke Fee Allowance execution of the method

If FeeGrant entry for this (authority, grantee) exist, delete it, else do nothing.

§ [MOD-DE-MSG-3] Grant Operator Authorization

§ [MOD-DE-MSG-3-1] Grant Operator Authorization method parameters
§ [MOD-DE-MSG-3-2] Grant Operator Authorization basic checks

if any of these conditions is not satisfied, transaction MUST abort.

WARNING

An Operator Authorization CAN be granted ONLY IF no VS Operator Authorization exists for perm.authority and perm.vs_operator. Operator Authorization and VS Operator Authorization are mutually exclusive for a given grantee.

§ [MOD-DE-MSG-3-3] Grant Operator Authorization fee checks
§ [MOD-DE-MSG-3-4] Grant Operator Authorization execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Create (or update if it already exist) Authorization authz:

if with_feegrant is false:

else if with_feegrant is true:

§ [MOD-DE-MSG-4] Revoke Operator Authorization

§ [MOD-DE-MSG-4-1] Revoke Operator Authorization method parameters
§ [MOD-DE-MSG-4-2] Revoke Operator Authorization basic checks

MUST abort if one of these conditions fails:

§ [MOD-DE-MSG-4-3] Revoke Operator Authorization fee checks
§ [MOD-DE-MSG-4-4] Revoke Operator Authorization execution of the method

§ [MOD-DE-MSG-5] Grant VS Operator Authorization

This method can only be called directly by the following methods with no signer check:

Note: This methid can only grant authorization for the CreateOrUpdatePermissionSession Msg.

§ [MOD-DE-MSG-5-1] Grant VS Operator Authorization method parameters
§ [MOD-DE-MSG-5-2] Grant VS Operator Authorization basic checks

if any of these conditions is not satisfied, transaction MUST abort.

WARNING

A VS Operator Authorization CAN be granted ONLY IF no Operator Authorization exists for perm.authority and perm.vs_operator. VS Operator Authorization and Operator Authorization are mutually exclusive for a given grantee.

§ [MOD-DE-MSG-5-3] Grant VS Operator Authorization fee checks
§ [MOD-DE-MSG-5-4] Grant VS Operator Authorization execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Load Permission perm with perm_id.

Create VSOperatorAuthorization vs_operator_authz if it doesn’t exist yet:

then, add the perm_id to the list of authorized permissions:

Then check for feegrant:

NOTE

We MUST align to the farthest effective_until for the feegrant, for the permissions that have current_perm.effective_until set.

§ [MOD-DE-MSG-6] Revoke VS Operator Authorization

This method can only be called by the following methods with no signer check:

§ [MOD-DE-MSG-6-1] Revoke VS Operator Authorization method parameters
§ [MOD-DE-MSG-6-2] Revoke VS Operator Authorization basic checks

MUST abort if one of these conditions fails:

§ [MOD-DE-MSG-6-3] Revoke VS Operator Authorization fee checks
§ [MOD-DE-MSG-6-4] Revoke VS Operator Authorization execution of the method
NOTE

When a permission is removed from authorization, and the removed permission had a feegrant, new expire of the feegrant is the biggest effective_until of all associated permissions that have feegrant enabled.

NOTE

In the case of VS Operator Authorizations, spending limit are managed by the Permission module.

§ [MOD-DE-QRY-1] List Operator Authorizations

Anyone CAN execute this method.

§ [MOD-DE-QRY-1-1] List Operator Authorizations parameters
§ [MOD-DE-QRY-1-2] List Operator Authorizations checks

Basic type check arg SHOULD be applied.

If any of these checks fail, query MUST fail.

§ [MOD-DE-QRY-1-3] List Operator Authorizations execution

Return a list of OperatorAuthorization entries matching the filter criteria, or an empty list if nothing found.

§ [MOD-DE-QRY-2] List VS Operator Authorizations

Anyone CAN execute this method.

§ [MOD-DE-QRY-2-1] List VS Operator Authorizations parameters
§ [MOD-DE-QRY-2-2] List VS Operator Authorizations checks

Basic type check arg SHOULD be applied.

If any of these checks fail, query MUST fail.

§ [MOD-DE-QRY-2-3] List VS Operator Authorizations execution

Return a list of VSOperatorAuthorization entries matching the filter criteria, or an empty list if nothing found.

§ [MOD-DI-MSG-1] Store Digest

§ [MOD-DI-MSG-1-1] Store Digest method parameters
§ [MOD-DI-MSG-1-2] Store Digest precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-DI-MSG-1-2-1] Store Digest basic checks

if any of these conditions is not satisfied, transaction MUST abort.

§ [MOD-DI-MSG-1-2-2] Store Digest fee checks
§ [MOD-DI-MSG-1-3] Store Digest execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Create Digest digest:

§ [MOD-DI-QRY-1] Get Digest

Anyone CAN execute this method.

§ [MOD-DI-QRY-1-1] Get Digest parameters
§ [MOD-DI-QRY-1-2] Get Digest checks

If any of these checks fail, query MUST fail.

§ [MOD-DI-QRY-1-3] Get Digest execution

If all checks passed, query is executed.

Return found Digest entry (if any) matching digest.

§ [MOD-DI-QRY-1-4] Get Digest API result example
{
  "digest": {
    "digest": "sha384-MzNNbQTWCSUSi0bbz7dbua+RcENv7C6FvlmYJ1Y+I727HsPOHdzwELMYO9Mz68M26",
    "created": "2025-01-14T19:40:37.967Z"
  }
}

§ [MOD-XR-MSG-1] Create Exchange Rate

The Create Exchange Rate method allows creating an ExchangeRate entry for a given (base_asset_type, base_asset, quote_asset_type, quote_asset) pair.

§ [MOD-XR-MSG-1] Create Exchange Rate method parameters
§ [MOD-XR-MSG-1] Create Exchange Rate precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-XR-MSG-1] Create Exchange Rate basic checks

If any of the following conditions is not satisfied, transaction MUST abort.

§ [MOD-XR-MSG-1] Create Exchange Rate fee checks

Fee payer MUST have sufficient estimated transaction fees.

§ [MOD-XR-MSG-1] Create Exchange Rate execution of the method

Create ExchangeRate entry xr:

§ [MOD-XR-MSG-2] Update Exchange Rate

Only an authorized operator that has an ExchangeRateAuthorization can execute this method.

§ [MOD-XR-MSG-2] Update Exchange Rate method parameters
§ [MOD-XR-MSG-2] Update Exchange Rate precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-XR-MSG-2] Update Exchange Rate basic checks

If any of the following conditions is not satisfied, transaction MUST abort.

Only an authorized operator that has an ExchangeRateAuthorization can execute this method.

§ [MOD-XR-MSG-2] Update Exchange Rate fee checks

Fee payer MUST have sufficient estimated transaction fees.

§ [MOD-XR-MSG-2] Update Exchange Rate execution of the method

Load ExchangeRate xr.

§ [MOD-XR-MSG-3] Toggle Exchange Rate State

The Toggle Exchange Rate State method allows an authorized actor to enable or disable an exchange rate.

§ [MOD-XR-MSG-3] Toggle Exchange Rate State method parameters
§ [MOD-XR-MSG-3] Toggle Exchange Rate State precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-XR-MSG-3] Toggle Exchange Rate State basic checks

If any of the following conditions is not satisfied, transaction MUST abort.

§ [MOD-XR-MSG-3] Toggle Exchange Rate State fee checks

Fee payer MUST have sufficient estimated transaction fees.

§ [MOD-XR-MSG-3] Toggle Exchange Rate State execution of the method

Load ExchangeRate xr.

§ [MOD-XR-QRY-1] Get Exchange Rate

Any account CAN run this query.

§ [MOD-XR-QRY-1-1] Get Exchange Rate query parameters

AND:

(

OR:

§ [MOD-XR-QRY-1-2] Get Exchange Rate query checks

If any of these checks fail, query MUST fail.

OR

an ExchangeRate entry with base_asset_type, base_asset, quote_asset_type, quote_asset MUST exist.

§ [MOD-XR-QRY-1-3] Get Exchange Rate execution of the query

If found, returns ExchangeRate entry, else return not found.

§ [MOD-XR-QRY-2] List Exchange Rates

Any account CAN run this query. As this method does not modify data, it does not require a transaction.

§ [MOD-XR-QRY-2-1] List Exchange Rates query parameters
§ [MOD-XR-QRY-2-2] List Exchange Rates query checks
§ [MOD-XR-QRY-2-3] List Exchange Rates execution of the query

If found, returns a list of found ExchangeRates, else return an empty list.

§ [MOD-XR-QRY-3] Get Price

Anyone CAN run this query, throgh module call or using the API.

§ [MOD-XR-QRY-3] Get Price Example

base_asset_type = TU base_asset = “tu” quote_asset_type = COIN quote_asset = “uvna” rate = R rate_scale = S

If a valid ExchangeRate entry exists with:

then the price of amount Trust Unit expressed in uvna MUST be computed using the following formula:

price_uvna = floor(amount * rate / 10^rate_scale)

Where:

If the corresponding ExchangeRate entry is expired or missing, the conversion MUST fail.

§ [MOD-XR-QRY-3-1] Get Price parameters
§ [MOD-XR-QRY-3-2] Get Price query checks

If the corresponding ExchangeRate entry is expired or missing, the conversion MUST fail and an error is returned

§ [MOD-XR-QRY-3-3] Get Price execution of the query
WARNING
  • Conversions use base units only.
  • Integer arithmetic MUST be used.
  • quote_amount = floor(base_amount × rate / 10^rate_scale).
  • Expired rates MUST NOT be used.

§ Initial Data Requirements

§ [GLO] Global Variables

Global variables CAN only be changed by the governance authority through proposals.

Default values MUST be set at VPR initialization (genesis). Below you’ll find some possible values. These values will have to be defined in the governance framework.

Credential Schema:

Trust Deposit:

§ References

§ Normative References

DID-CORE
Decentralized Identifiers (DIDs) v1.0. Manu Sporny; Amy Guy; Markus Sabadello; Drummond Reed; 2022-07-19. Status: REC.
RFC3986
Uniform Resource Identifier (URI): Generic Syntax. T. Berners-Lee; R. Fielding; L. Masinter; 2005-01. Status: Internet Standard.
VC-DATA-MODEL
Verifiable Credentials Data Model v1.1. Manu Sporny; Grant Noble; Dave Longley; Daniel Burnett; Brent Zundel; Kyle Den Hartog; 2022-03-03. Status: REC.

Table of Contents
undefined