§ Verifiable Public Registry v4 Specification

Latest draft: spec v4-draft21

Latest stable: spec v3

Editors:

Fabrice Rochette (The Verana Foundation)

Contributors:

Ariel Gentile

Mathieu Gauthron

Pratik Kumar

Participate:

GitHub repo

File a bug

Commit history

§ Abstract

Decentralized trust ecosystems need shared infrastructure to answer a fundamental question: who is authorized to issue, verify, or govern credentials in a given context? Without a common registry layer, each ecosystem operates in isolation, trust decisions depend on ad hoc configurations, and there is no interoperable way for Verifiable Services and Verifiable User Agents to resolve the legitimacy of a credential or its issuer.

The Verifiable Public Registry (VPR) is a decentralized “registry of registries” that provides this foundational infrastructure. It allows ecosystems to create and manage their own ecosystems, define credential schemas with fine-grained permission policies, and assign roles — issuers, verifiers, grantors — through a transparent, on-chain governance model.

The VPR exposes a standardized query API that Verifiable Services and Verifiable User Agents use during trust resolution to confirm, in real time, whether a given participant is authorized to perform a specific action under a specific credential schema. This is what makes the trust in Verifiable Trust actually verifiable.

The VPR is DID-method-agnostic — it stores registrations, not validations — leaving trust decisions and cryptographic verification where they belong: with the relying parties. It supports flexible permission management modes (open, ecosystem-controlled, or grantor-delegated), enabling ecosystems to tailor governance to their specific requirements.

This specification defines the data model, API, and normative requirements for implementing and interacting with a Verifiable Public Registry.

§ About this Document

In order to fully understand the concepts developed in this document, you should have some basic knowledge of DID, DIDComm, VS, ecosystem, ledger-based applications, and more generally, all terms present in the Terminology section.

NOTE

Before exploring this spec, it is highly recommended to first read the Verifiable Trust Spec.

§ Introduction

§ What is an Ecosystem?

This section is non-normative.

An ecosystem is an approved list of recognized participants, such as ecosystem operators, credential issuers and verifiers, that are authorized to onboard ecosystem participants, and or issue/verify certain credentials in an ecosystem.

An ecosystem typically expose APIs that are consumed by services that would like to query its database, and take decisions based on the returned result:

§ What is a Verifiable Public Registry?

This section is non-normative.

A Verifiable Public Registry (VPR) is a “registry of registries”, a public service that provides foundational infrastructure for decentralized trust ecosystems. It offers:

uml diagram

Participant directory is intended to be crawled by indexers, which resolve the listed DIDs, identify associated verifiable services, and index them.

Indexers may expose this data through APIs for querying the indexed services or use it to build a search engine for querying the database of indexed verifiable services.

§ Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative. The key words MAY, MUST, MUST NOT, OPTIONAL, RECOMMENDED, REQUIRED, SHOULD, and SHOULD NOT in this document are to be interpreted as described in BCP 14 RFC2119 RFC8174 when, and only when, they appear in all capitals, as shown here.

§ Terminology

account:
A verifiable public registry account.
applicant:
A account that starts a onboarding process.
corporation:
A legal/organizational entity that controls Participants in zero or more ecosystems and may itself be the controller of zero or more ecosystems. A Corporation extends a Cosmos SDK group with VPR-level attributes (DID, governance framework, lifecycle).
corporation governance framework:
The governance framework (GF) of a corporation.
corporation governance authority:
The governance authority (GA) of a corporation.
credential schema:
An VPR resource which represents a verifiable credential definition and the associated permissions and business rules for issuing, verifying or holding a credential linked to this credential schema.
credential schema participant:
A Participant entry, linked to a credential schema, that represents, in a given ecosystem, a grant for being issuer, verifier, issuer grantor, or verifier grantor of a credential schema.
decentralized identifier:
A decentralized identifier, as specified in [DID-CORE].
decentralized identifier communication:
DIDComm uses DIDs to establish confidential, ongoing connections.
denom:
Token that has been configured and is recognized in a VPR, example: uvna, USDC.
native denom:
Native token of a VPR, example: uvna.

ecosystem: a network of interacting entities, both technical and human, that work together to establish and maintain digital trust. It encompasses applications, credentials, governance frameworks, and the underlying technical infrastructure, all designed to facilitate trustworthy interactions.

ecosystem governance framework:
The governance framework (GF) of an ecosystem].
ecosystem governance authority:
The governance authority (GA) of an ecosystem.
entity:
An account controller.
estimated transaction fees:
Estimated fees required, in denom, that is passed when execute a transaction in an VPR. Usually, a estimated transaction fees are always slightly greater than transaction fees, to make sure the execution of the transaction will not be aborted for an out-of-gas situation. Unused gas is refunded to account.
governance framework:
The governance framework (GF) of a VPR.
governance authority:
The governance authority (GA) of a VPR.
grantor:
A role an entity is granted by an ecosystem for operating its ecosystem.
group:
The underlying Cosmos SDK group primitive that a corporation extends. Members and policies are managed by the group module; VPR-level attributes (DID, governance framework, lifecycle) live on the corresponding corporation entry.
holder:
A role an entity might perform by possessing one or more verifiable credentials and generating verifiable presentations from them. A holder is often, but not always, a subject of the verifiable credentials they are holding. Holders store their credentials in credential repositories. Example holders include organizations, persons, things.
issuer:
A role an entity is granted by an ecosystem or an issuer grantor for issuing credentials of a given credential schema to holders.
issuer grantor:
An ecosystem operator role an entity is granted by an ecosystem for a given credential schema for adding or revoking issuers.
json schema
a Json Schema, as specified in https://json-schema.org/specification.
keeper:
A storage map(key, value) in the ledger of an VPR.
linked-vp:
A presentation of a verifiable credential as specified in LINKED-VP.
participant:
An entity that is recognized by one or several ecosystem(s) in a VPR.
query:
A read-only action that perform some reading in an VPR and returns value.
subject:
A thing about which claims are made. Example subjects include human beings, animals, things, and organization, a DID
transaction:
An action that modifies the ledger of an VPR and which execution requires transaction fees.
transaction fees:
Fees required, in denom, to execute a transaction in an VPR.
trust deposit:
A financial deposit that is used as a trust guarantee. For a given corporation, its trust deposit is increased when running onboarding process (either as an applicant or as a validator).
trust fee:
Fees paid by a participant that are distributed to other participants.
network fee:
Fees paid by a participant that are distributed to network validators and trust deposit holders.
trust unit:
A fake denom that is not usable as a token (cannot be transferred, or used for paying in transactions). Trust unit is used to define fees in Permissions. Fees defined in trust units are automatically converted to native denom when a transaction is executed, using an exchange rate TU/[[ref: native denom]]. Trust unit is used to compensate native denom fluctuation.
ecosystem
An approved list of participants that are authorized to issue/verify certain credentials in an ecosystem.
URI
An Universal Resource Identifier, as specified in rfc3986.
active participant:
A participant of a given role, which effective_from timestamp is lower than current timestamp, and (effective_until timestamp is null or greater than current timestamp), and revoked is null and slashed is null.
future participant:
A participant of a given role, which effective_from timestamp is higher than current timestamp, and (effective_until timestamp is null or greater than effective_from timestamp), and revoked is null and slashed is null.
onboarding process:
A process run by applicants that want to, for a specific credential schema, be a issuer, be a verifier, or simply hold a verifiable credential linked to the credential schema.
validator:
A role an entity performs by participating in onboarding processes with applicants in order to register them as issuer, or verifier of a credential schema, or to deliver a verifiable credential to them.
verifiable public registry:
a public, normally decentralized, ledger-based network, which provides: ecosystem features, that can be used by all its participants: create ecosystems, for each ecosystem, define its credential schemas, who can issue, verify credential of a specific credential schema,… and a tokenized business model for charging/rewarding participants.
verifiable service:
A service, identified by a resolvable DID that can be deployed anywhere by its owner, and that is conforming to this spec and has a resolvable Proof-of-Trust. See VT Spec.
verifiable user agent:
A user agent for accessing and using VSs. To be considered a VUA, a user agent must conform and enforce this spec, such as presenting a proof of trust to end user before accepting connecting to VS compliant services, and refuse connecting to not compliant services. See VT Spec.
Verifiable Trust Specification:
see VT Spec.
verifier:
A role an entity is granted by an ecosystem or a verifier grantor for verifying credentials of a given credential schema.
verifier grantor:
An ecosystem operator role an entity is granted by an ecosystem for a given credential schema for adding or revoking verifiers.
verifiable credential:
A verifiable credential as defined in [VC-DATA-MODEL].

§ Naming Conventions

§ In this spec

§ In Implementations

§ Features of a Verifiable Public Registry (VPR)

§ Ecosystem Management

This section is non-normative.

In an VPR, any corporation can create an Ecosystem entry to represent an ecosystem it controls. Each Ecosystem entry MUST provide, at a minimum:

The Verifiable Public Registry (VPR) is agnostic to the specific DID methods used. Trust resolution is performed externally, outside the VPR, allowing flexibility and interoperability across ecosystems.

uml diagram

§ Credential Schemas and Participants

This section is non-normative.

Credential schemas are created and managed by ecosystems (i.e., by the corporation controlling each ecosystem). Each Credential schema includes, at a minimum:

uml diagram

Participant roles are defined in the table below:

Participant Role Description
Ecosystem Create and control ecosystems and credential schemas. Recognize other participants by validating them onto the schema (creating their Participant entries).
Issuer Grantor Ecosystem operator that creates ISSUER Participant entries for candidate issuers.
Verifier Grantor Ecosystem operator that creates VERIFIER Participant entries for candidate verifiers.
Issuer Can issue credentials of this schema.
Verifier Can request presentation of credentials of this schema.
Holder Holds a credential. HOLDER Participant entries carry credential status (active, revoked, …).

Example of a Json Schema credential schema:

{
  "$id": "vpr:verana:mainnet/cs/v1/js/VPR_CREDENTIAL_SCHEMA_ID", // ignored, will be generated
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "ExampleCredential",
  "description": "ExampleCredential using JsonSchema",
  "type": "object",
  "properties": {
    "credentialSubject": {
      "type": "object",
      "properties": {
        "id": {
          "type": "string",
          "format": "uri"
        },
        "firstName": {
          "type": "string",
          "minLength": 0,
          "maxLength": 256
        },
        "lastName": {
          "type": "string",
          "minLength": 1,
          "maxLength": 256
        },
        "expirationDate": {
          "type": "string",
          "format": "date"
        },
        "countryOfResidence": {
          "type": "string",
          "minLength": 2,
          "maxLength": 2
        }
      },
      "required": [
        "id",
        "lastName",
        "birthDate",
        "expirationDate",
        "countryOfResidence"
      ]
    }
  }
}

To participate in an ecosystem and assume a role associated with a specific credential schema:

The onboarding process involves two parties:

Running an onboarding process typically involves the payment of trust fees. The trust fee amount to be paid by the applicant is defined in the validator's Participant entry:

uml diagram

§ Corporation Management

This section is non-normative.

A corporation is the VPR-level entity that represents an authority acting in the registry. It extends a Cosmos SDK group (whose members and policies are managed by the group module) with VPR-specific attributes: a DID, a corporation governance framework (CGF), and lifecycle metadata. A Corporation entry has no id of its own — it is keyed by its underlying group (1:1).

A corporation interacts with the VPR in two complementary ways:

The two roles are independent: a corporation MAY control no ecosystem at all and only hold Participant entries in third-party ecosystems; or it MAY control several ecosystems and additionally hold Participant entries in others; or any combination of the two.

uml diagram

The same Corporation entry is the single entry point for the corporation’s governance (the CGF), authorization delegation (via OperatorAuthorization to one or more operator accounts), and trust-deposit accounting (TrustDeposit). See the Corporation Module for the methods that manage Corporation entries.

§ DID Indexing

This section is non-normative.

The Participant registry is the foundation for building searchable indexes of verifiable services and the verifiable metadata they expose. Crawlers iterate over Participant entries, resolve each service identifier (currently a DID, extensible in the future), verify that the service is a verifiable service, and extract its verifiable metadata — most notably the credentials presented through linked-vp — together with the ecosystem memberships, credential schema permissions, and trust deposit level associated with the controlling corporation.

Unlike a traditional web index, this index is trust-typed: every entry carries cryptographically verifiable claims about what the service is, who operates it, and under which governance frameworks it is accredited. This unlocks a class of discovery use cases that traditional search engines cannot serve.

§ AI agent discovery

AI agents are first-class consumers of the index. Before delegating a task or accepting a connection, an agent needs to find counterparts whose presented credentials match the capabilities required for the interaction. Querying the index, an AI agent can:

Because every indexed claim is anchored in the VPR, an AI agent can verify a counterpart end-to-end before initiating the interaction, avoiding spoofed services and unaccredited issuers.

§ Verifiable User Agent content discovery

Verifiable user agents (VUAs) — such as social browsers, agentic browsers, or CDN-aware clients — use the index to find content and services that are compatible with the user’s context: the credentials the user holds, the ecosystems the user trusts, the jurisdictions and languages that apply, and the schemas that the user’s wallet can satisfy.

Typical VUA queries include:

The result is a feed of VSs for which a proof of trust can be displayed to the user before connection, in line with the VUA enforcement obligations defined in this spec and in the VT Spec.

§ Other consumers

The same index serves additional consumers:

§ Indexing pipeline

uml diagram

§ Business models

§ Trust Deposit

This section is non-normative.

In a VPR, each corporation is associated with a trust deposit.

This trust deposit is automatically funded through transactions involving trust operations, such as onboarding processes, credential issuance, or presentation…

The trust deposit is fundamental to the “Proof-of-Trust” (PoT) mechanism of the Verifiable Trust Specification, and it operates as follows:

This system ensures that participation in the trust ecosystem is backed by economic accountability, reinforcing the integrity, governability and verifiability of the VPR.

§ Onboarding Process Trust Fees

This section is non-normative.

We’ve explained in the Credential Schemas and Participants section above what is an onboarding process.

The table below summarizes the possible combinations of applicants and validators:

Payee → Payer ↓ Ecosystem Issuer Grantor Verifier Grantor Issuer Verifier Holder
Issuer Grantor renewable subscription (1)
Verifier Grantor renewable subscription (2)
Issuer renewable subscription (3) renewable subscription (1)
Verifier renewable subscription (4) renewable subscription (2)
Holder renewable subscription (5)

Onboarding process is started by the applicant.

Example of a candidate issuer (applicant) that would like to obtain an ISSUER Participant entry for a credential schema of an ecosystem, validated by a validator that holds an ISSUER_GRANTOR Participant entry:

uml diagram

The total fees paid by the applicant consist of:

Example, using 20% for trust_deposit_rate:

uml diagram

Upon completion of the onboarding process, escrowed trust fees are distributed to the validator as follows:

uml diagram

§ “Pay-Per” trust fees

This section is non-normative.

Pay-per-issuance and pay-per-verification trust fees are defined on each Participant entry for each role within the ecosystem.

uml diagram

Corporations acting as issuers or verifiers for a given credential schema may be required to pay trust fees based on the schema’s configuration and Participant tree.

If trust fee payment is required, the entity must execute a transaction in the VPR to pay the appropriate trust fees before issuing or verifying a credential, else HOLDER agent will not accept the operation.

Key Points for “Pay-Per” Business Models

Fee Distribution Model

Trust fees are consistently distributed across participants:

NOTE

Agents that implement the VT spec must verify that the ISSUER or VERIFIER has fulfilled the required trust fee payment.
If not, they must reject the issuance or verification request.

Note: The User Agent and Wallet User Agent may refer to the same implementation.

Distribution example for the issuance by ISSUER #C of a credential, using the Participant tree above, 20% for trust_deposit_rate, 10% for wallet_user_agent_reward_rate and user_agent_reward_rate.

uml diagram

Distribution example for the verification by VERIFIER #E of a credential issued by ISSUER #C, using the Participant tree above, 20% for trust_deposit_rate, 10% for wallet_user_agent_reward_rate and user_agent_reward_rate.

uml diagram

§ Governance of a VPR

This section is non-normative.

A governance framework must define the governance rules that apply to a VPR.

A designated governance authority (aka a council) is responsible for enforcing these rules and, when necessary, applying financial sanctions to participants who violate the rules.

NOTE

Ecosystem Governance Frameworks (EGFs) operate independently from the VPR governance framework.

While the VPR governance framework defines the global rules for operating the Verifiable Public Registry (e.g., trust deposits, fee distribution, slashing conditions), each ecosystem must define its own EGF to govern roles, permissions, credential policies, and compliance within its specific domain.

This separation ensures that ecosystems remain autonomous and can tailor governance to their unique needs, without being constrained by the global rules of the VPR.

§ Data model

For simplicity, the data model is presented using an object-relational structure. However, this representation may not be optimal for all implementation scenarios.

Implementors are responsible for adapting the data model to suit their chosen architecture.
For example, a key-value store may be more appropriate for a ledger-based implementation than a relational model.

uml diagram

§ Corporation

A Corporation is the VPR-level entity that extends a Cosmos SDK group with a DID, a governance framework, and lifecycle attributes. A Corporation may control participants in zero or more ecosystems and may itself be the controller of zero or more ecosystems.

Corporation:

Note: a Corporation entry has no id of its own. Its primary key is the underlying Cosmos SDK group (1:1, see the group --- corp link in the diagram above): a Corporation entry is created, looked up, and referenced by the id of the group it extends. Members and policies of a Corporation are managed by the underlying Cosmos SDK group module; the Corporation entry adds VPR-level attributes only (DID, governance framework, lifecycle).

§ Ecosystem

Ecosystem:

§ GovernanceFrameworkVersion

A GovernanceFrameworkVersion represents a single version of either an EGF or a CGF. Its owning subject is identified by exactly one of ecosystem_id or corporation (XOR).

GovernanceFrameworkVersion:

Constraint: exactly one of ecosystem_id and corporation MUST be set.

§ GovernanceFrameworkDocument

GovernanceFrameworkDocument

§ CredentialSchema

CredentialSchema:

General Info:

§ SchemaAuthorizationPolicy

SchemaAuthorizationPolicy:

§ Participant

Participant:

Note: VS operator authorization settings (spend limits, feegrant, expiration, authorized message types) are no longer stored on Participant. They live in ParticipantAuthorizationRecord entries inside VSOperatorAuthorization, keyed by Participant.id. See [MOD-DE-MSG-5] and [AUTHZ-CHECK-3].

§ ParticipantSession

ParticipantSession:

§ ParticipantSessionRecord

ParticipantSessionRecord:

§ TrustDeposit

TrustDeposit:

§ DenomAmount

§ Digest

§ OperatorAuthorization

§ FeeGrant

FeeGrant:

§ VSOperatorAuthorization

A VSOperatorAuthorization groups all ParticipantAuthorizationRecord entries delegated by one corporation to one vs_operator. It is keyed by the (corporation, vs_operator) pair. The entry exists if, and only if, it has at least one record.

§ ParticipantAuthorizationRecord

A ParticipantAuthorizationRecord carries the per-permission authorization configuration that was previously stored on Participant.vs_operator_authz_* fields. Each record is globally unique by participant_id: for any Participant.id, at most one record exists system-wide, so (corporation, vs_operator) can be derived from participant_id via a direct lookup.

§ ExchangeRate

Represents an on-chain exchange rate between two assets.

ExchangeRate:

§ ExchangeRateAuthorization

Represents the authorization granted by network governance to a specific operator account to execute [MOD-XR-MSG-2] Update Exchange Rate on a given ExchangeRate entry.

Exchange rates are a protocol-level oracle: they are consumed by [MOD-XR-QRY-3] Get Price and used across the protocol (trust deposit pricing, fees). Therefore, ownership and update permission of an ExchangeRate is scoped to the network (governance), not to a corporation. ExchangeRateAuthorization is the on-chain record that designates which operator account is authorized to push fresh values for a given ExchangeRate, and under what runtime constraints.

ExchangeRateAuthorization:

§ GlobalVariables

GlobalVariables:

Credential Schema:

Trust Deposit:

§ Module Requirements

All VPR modules MUST, at least, provide:

Note about Query REST API:

Examples:

Get an Ecosystem

"ecosystem": {
  {
    "active_version": 0,
    "corporation": "string",
    "created": "2025-01-14T19:40:37.967Z",
    "deposit": "string",
    "did": "string",
    "id": "string",
    "language": "string",
    "modified": "2025-01-14T19:40:37.967Z",
    "versions": [
      {
        "active_since": "2025-01-14T19:40:37.967Z",
        "created": "2025-01-14T19:40:37.967Z",
        "id": "string",
        "ecosystem_id": "string",
        "version": 0,
        "documents": [
          {
            "created": "2025-01-14T19:40:37.967Z",
            "gfv_id": "string",
            "digest_sri": "string",
            "id": "string",
            "language": "string",
            "url": "string"
          }
        ]
      }
    ]  
  }

"ecosystems": [ {
  {
    "active_version": 0,
    "corporation": "string",
    "created": "2025-01-14T19:40:37.967Z",
    "deposit": "string",
    "did": "string",
    "id": "string",
    "language": "string",
    "modified": "2025-01-14T19:40:37.967Z",
    "versions": [
      {
        "active_since": "2025-01-14T19:40:37.967Z",
        "created": "2025-01-14T19:40:37.967Z",
        "id": "string",
        "ecosystem_id": "string",
        "version": 0,
        "documents": [
          {
            "created": "2025-01-14T19:40:37.967Z",
            "gfv_id": "string",
            "digest_sri": "string",
            "id": "string",
            "language": "string",
            "url": "string"
          }
        ]
      }
    ]  
  }, {
    "active_version": 0,
    "corporation": "string",
    "created": "2025-01-14T19:40:37.967Z",
    "deposit": "string",
    "did": "string",
    "id": "string",
    "language": "string",
    "modified": "2025-01-14T19:40:37.967Z",
    "versions": [
      {
        "active_since": "2025-01-14T19:40:37.967Z",
        "created": "2025-01-14T19:40:37.967Z",
        "id": "string",
        "ecosystem_id": "string",
        "version": 0,
        "documents": [
          {
            "created": "2025-01-14T19:40:37.967Z",
            "gfv_id": "string",
            "digest_sri": "string",
            "id": "string",
            "language": "string",
            "url": "string"
          }
        ],
      }
    ]  
  }
]
WARNING

For Msg methods, all precondition checks MUST be verified first for accepting the Msg, and MUST be verified again upon method execution

A VPR implementation MUST implement all the following requirements.

NOTE

The relative REST path is the path suffix. Implementer can set any prefix, like https://example/verana/ec/v1/get.

§ Authorization and Fee Grants

§ Delegable Module Messages

Most VPR module messages (Msg) support delegation and follow the pattern described below.

Delegable messages are defined as messages that can be executed by an operator account on behalf of a corporation group, provided that the appropriate authorization has been granted.

Such messages conceptually involve two roles:

When a delegable message is executed directly by an operator account, both roles are authenticated and enforced by the authorization system.

Using this model makes it possible to:

For the execution of delegable messages:

A corporation group is not required to delegate all message types to the same operator.
It is entirely up to the corporation group to decide which accounts may execute which messages.

§ Not Delegable Module Messages

Some module messages specify only a corporation:

Such messages cannot be delegated and MUST be executed exclusively through a corporation proposal.

§ Governance-Signed Module Messages

Some module messages can be executed only through a VPR council governance proposal.

These messages do not support delegation and are not executable by accounts, whether directly or via group authorization.

§ Fee Grants

A corporation MAY allow its operators to pay network transaction fees using the corporation’s funds.

Fee grants are not created directly.
They are created, updated, and revoked exclusively by Authorization module messages.
When an authorization is created or updated, it MAY optionally include an associated fee grant.

§ [AUTHZ-CHECK] Common Authorization and Fee Grant Precondition Checks

For any delegable message executed by an operator on behalf of a corporation, the following precondition checks MUST be performed before any method-specific checks. If any check fails, the transaction MUST abort.

§ [AUTHZ-CHECK-1] Operator Authorization checks
  1. An OperatorAuthorization oauthz MUST exist where oauthz.corporation = corporation, oauthz.operator = operator, and oauthz.msg_types includes the current message type.
  2. If oauthz.expiration is set:
    • if oauthz.period is set and now() >= oauthz.expiration:
      • if oauthz.spend_limit is set, set oauthz.remaining_spend := oauthz.spend_limit.
      • if oauthz.fee_spend_limit is set, set oauthz.remaining_fee_spend := oauthz.fee_spend_limit.
      • set oauthz.expiration := now() + oauthz.period.
    • else, oauthz.expiration MUST be strictly greater than now(). Abort otherwise.
  3. If oauthz.spend_limit is set, oauthz.remaining_spend MUST be sufficient for the operation. After successful execution, the consumed amount MUST be deducted from oauthz.remaining_spend (per matching denom entry).
§ [AUTHZ-CHECK-2] Fee Grant checks

If the transaction fees are paid by the corporation account (via fee grant) instead of the operator account:

  1. A FeeGrant fg MUST exist where fg.grantor = corporation, fg.grantee = operator, and fg.msg_types includes the current message type.
  2. If fg.expiration is set:
    • if fg.period is set and now() >= fg.expiration:
      • if fg.spend_limit is set, set fg.remaining_spend := fg.spend_limit.
      • set fg.expiration := now() + fg.period.
    • else, fg.expiration MUST be strictly greater than now(). Abort otherwise.
  3. If fg.spend_limit is set, fg.remaining_spend MUST be sufficient for the estimated transaction fees. After successful execution, the consumed fee amount MUST be deducted from fg.remaining_spend (per matching denom entry).
§ [AUTHZ-CHECK-3] VS Operator Authorization checks

A second authorization grant mode exists for vs-agents. It is used when a corporation delegates a specific permission (and a specific set of message types, scoped to that permission) to a vs_operator account. The authorization model differs from other delegable messages: it relies on VSOperatorAuthorization / ParticipantAuthorizationRecord instead of OperatorAuthorization.

Note: the set of messages a vs_operator is authorized to execute in the context of a permission is declared by the applicant at permission creation time (see [MOD-PP-MSG-1-1] and [MOD-PP-MSG-14-1]) and stored in record.msg_types. It is frozen for the lifetime of the record and can only be changed by revoking the permission and starting a new one.

Given a corporation, an operator (the vs_operator), a primary permission id participant_id (determined by the calling method), and the current message type msg_type:

  1. A ParticipantAuthorizationRecord record MUST exist for participant_id. Abort if not found.
  2. record MUST belong to VSOperatorAuthorization[corporation, operator], that is: the containing VSOperatorAuthorization MUST have corporation as its corporation and operator as its vs_operator. Abort otherwise.
  3. msg_type MUST be in record.msg_types. Abort otherwise.
  4. Cycle / expiration check:
    • if record.period is set and now() >= record.expiration:
      • if record.spend_limit is set, set record.remaining_spend := record.spend_limit.
      • if record.fee_spend_limit is set, set record.remaining_fee_spend := record.fee_spend_limit.
      • set record.expiration := now() + record.period.
    • else, record.expiration MUST be strictly greater than now(). Abort otherwise.
  5. If record.spend_limit is set, record.remaining_spend MUST be sufficient for the operation. After successful execution, the consumed amount MUST be deducted from record.remaining_spend (per matching denom entry).
§ [AUTHZ-CHECK-4] VS Operator Fee Grant checks

If the transaction fees are paid by the corporation account (via fee grant) instead of the operator account, using the same ParticipantAuthorizationRecord record looked up in [AUTHZ-CHECK-3]:

  1. record.with_feegrant MUST be true, else abort.
  2. The cycle / expiration check from [AUTHZ-CHECK-3] step 4 has already been performed against the same record; record.remaining_fee_spend is therefore current.
  3. If record.fee_spend_limit is set, record.remaining_fee_spend MUST be sufficient for the estimated transaction fees. After successful execution, the consumed fee amount MUST be deducted from record.remaining_fee_spend (per matching denom entry).
§ [AUTHZ-CHECK-5] Corporation Registration check

A Corporation entry MUST exist for the signing corporation (i.e., keyed by its underlying Cosmos SDK group). If none exists, the transaction MUST abort with an error indicating that the underlying group has not yet been registered as a corporation (see [MOD-CO-MSG-1]).

Exception: this check MUST NOT be applied for [MOD-CO-MSG-1], whose explicit purpose is to register a Cosmos SDK group as a new Corporation. That method enforces the inverse precondition (the entry MUST NOT yet exist) in its own basic checks.

This check applies to every delegable message that invokes [AUTHZ-CHECK]. As a result, all Create-* methods (and every other delegable Msg) implicitly require the signing corporation to be a registered Corporation.

§ Example

A corporation group corporationABC wants to authorize an operator account accountABC to execute the
mod-pp-msg-10-create-or-update-participant-session, mod-pp-msg-3-set-participant-op-to-validated, and mod-pp-msg-15-trigger-resolver messages.

Additionally, the corporation wants accountABC to pay the transaction fees for this message using the corporation’s funds.

To achieve this, corporationABC MUST:

As a result, accountABC is authorized to:

§ Method List

Module Method Name Relative REST API path Type Requirements Signers
Corporation Create New Corporation N/A (Tx) Msg [MOD-CO-MSG-1] corporation + operator
Update Corporation N/A (Tx) Msg [MOD-CO-MSG-2] corporation + operator
Archive Corporation N/A (Tx) Msg [MOD-CO-MSG-3] corporation + operator
Update Corporation Module Parameters N/A (Tx) Msg [MOD-CO-MSG-4] governance proposal
Get Corporation /co/v1/get Query [MOD-CO-QRY-1] N/A
List Corporations /co/v1/list Query [MOD-CO-QRY-2] N/A
List Corporation Module Parameters /co/v1/params Query [MOD-CO-QRY-3] N/A
Ecosystem Create an Ecosystem N/A (Tx) Msg [MOD-ES-MSG-1] corporation + operator
Update Ecosystem N/A (Tx) Msg [MOD-ES-MSG-2] corporation + operator
Archive Ecosystem N/A (Tx) Msg [MOD-ES-MSG-3] corporation + operator
Update Ecosystem Module Parameters N/A (Tx) Msg [MOD-ES-MSG-4] governance proposal
Get Ecosystem /ec/v1/get Query [MOD-ES-QRY-1] N/A
List Ecosystems /ec/v1/list Query [MOD-ES-QRY-2] N/A
List Ecosystem Module Parameters /ec/v1/params Query [MOD-ES-QRY-3] N/A
Governance Framework Add Governance Framework Document N/A (Tx) Msg [MOD-GF-MSG-1] corporation + operator
Increase Active Governance Framework Version N/A (Tx) Msg [MOD-GF-MSG-2] corporation + operator
Get Governance Framework Version /gf/v1/get Query [MOD-GF-QRY-1] N/A
List Governance Framework Versions /gf/v1/list Query [MOD-GF-QRY-2] N/A
Credential Schema Create a Credential Schema N/A (Tx) Msg [MOD-CS-MSG-1] corporation + operator
Update a Credential Schema N/A (Tx) Msg [MOD-CS-MSG-2] corporation + operator
Archive Credential Schema N/A (Tx) Msg [MOD-CS-MSG-3] corporation + operator
Update CS Module Parameters N/A (Tx) Msg [MOD-CS-MSG-4] governance proposal
Create Schema Authorization Policy N/A (Tx) Msg [MOD-CS-MSG-5] corporation + operator
Increase Active Schema Authorization Policy Version N/A (Tx) Msg [MOD-CS-MSG-6] corporation + operator
Revoke Schema Authorization Policy N/A (Tx) Msg [MOD-CS-MSG-7] corporation + operator
List Credential Schemas /cs/v1/list Query [MOD-CS-QRY-1] N/A
Get a Credential Schema /cs/v1/get Query [MOD-CS-QRY-2] N/A
Render Json Schema /cs/v1/js/ Query [MOD-CS-QRY-3] N/A
List CS Module Parameters /cs/v1/params Query [MOD-CS-QRY-4] N/A
Get Schema Authorization Policy /cs/v1/sap/get Query [MOD-CS-QRY-5] N/A
List Schema Authorization Policies /cs/v1/sap/list Query [MOD-CS-QRY-6] N/A
Participant Start Participant OP N/A (Tx) Msg [MOD-PP-MSG-1] corporation + operator
Renew a Participant OP N/A (Tx) Msg [MOD-PP-MSG-2] corporation + operator
Set Participant OP to Validated N/A (Tx) Msg [MOD-PP-MSG-3] corporation + operator
Cancel Participant OP Last Request N/A (Tx) Msg [MOD-PP-MSG-6] corporation + operator
Create Root Participant N/A (Tx) Msg [MOD-PP-MSG-7] corporation + operator
Set Participant Effective Until N/A (Tx) Msg [MOD-PP-MSG-8] corporation + operator
Revoke Participant N/A (Tx) Msg [MOD-PP-MSG-9] corporation + operator
Create or update Participant Session N/A (Tx) Msg [MOD-PP-MSG-10] corporation + operator
Update Participant Module Parameters N/A (Tx) Msg [MOD-PP-MSG-11] governance proposal
Slash Participant Trust Deposit N/A (Tx) Msg [MOD-PP-MSG-12] corporation + operator
Repay Participant Slashed Trust Deposit N/A (Tx) Msg [MOD-PP-MSG-13] corporation + operator
Self Create Participant (OPEN mode) N/A (Tx) Msg [MOD-PP-MSG-14] corporation + operator
Trigger Resolver N/A (Tx) Msg [MOD-PP-MSG-15] corporation + operator
List Participants /pp/v1/list Query [MOD-PP-QRY-1] N/A
Get a Participant /pp/v1/get Query [MOD-PP-QRY-2] N/A
Find Beneficiaries /pp/v1/beneficiaries Query [MOD-PP-QRY-4] N/A
Get Participant Session /pp/v1/session/get Query [MOD-PP-QRY-5] N/A
List Participant Module Parameters /pp/v1/params Query [MOD-PP-QRY-6] N/A
Trust Deposit Adjust Trust Deposit N/A (Tx) Msg [MOD-TD-MSG-1] module call
Reclaim Trust Deposit Yield N/A (Tx) Msg [MOD-TD-MSG-2] corporation + operator
Update TD Module Parameters N/A (Tx) Msg [MOD-TD-MSG-4] governance proposal
Slash Trust Deposit N/A (Tx) Msg [MOD-TD-MSG-5] governance proposal
Repay Slashed Trust Deposit N/A (Tx) Msg [MOD-TD-MSG-6] corporation + operator
Burn Ecosystem Slashed Trust Deposit N/A (Tx) Msg [MOD-TD-MSG-7] module call
Get Trust Deposit /td/v1/get Query [MOD-TD-QRY-1] N/A
List TD Module Parameters /td/v1/params Query [MOD-TD-QRY-2] N/A
Delegation Grant Fee Allowance N/A (Tx) Msg [MOD-DE-MSG-1] module call
Revoke Fee Allowance N/A (Tx) Msg [MOD-DE-MSG-2] module call
Grant Operator Authorization N/A (Tx) Msg [MOD-DE-MSG-3] corporation (group proposal) OR corporation + operator OR module call
Revoke Operator Authorization N/A (Tx) Msg [MOD-DE-MSG-4] corporation (group proposal) OR corporation + operator OR module call
Grant VS Operator Authorization N/A (Tx) Msg [MOD-DE-MSG-5] module call
Revoke VS Operator Authorization N/A (Tx) Msg [MOD-DE-MSG-6] module call
List Operator Authorizations /de/v1/authz/list Query [MOD-DE-QRY-1] N/A
List VS Operator Authorizations /de/v1/vs-authz/list Query [MOD-DE-QRY-2] N/A
Digests Store Digest N/A (Tx) Msg [MOD-DI-MSG-1] corporation + operator OR module call
Get Digest /di/v1/get Query [MOD-DI-QRY-1] N/A
Exchange Rate Create Exchange Rate Msg [MOD-XR-MSG-1] governance proposal
Update Exchange Rate Msg [MOD-XR-MSG-2] operator
Toggle Exchange Rate State Msg [MOD-XR-MSG-3] governance proposal
Grant Exchange Rate Authorization N/A (Tx) Msg [MOD-XR-MSG-4] governance proposal
Revoke Exchange Rate Authorization N/A (Tx) Msg [MOD-XR-MSG-5] governance proposal
Get Exchange Rate /xr/v1/get Query [MOD-XR-QRY-1] N/A
List Exchange Rates /xr/v1/list Query [MOD-XR-QRY-2] N/A
Get Price /xr/v1/price Query [MOD-XR-QRY-3] N/A
NOTE

Any method failure in the precondition/basic checks SHOULD lead to a CLI ERROR / HTTP BAD REQUEST error with a human readable message giving a clue of the reason why method failed.

§ Corporation Module

This module manages corporation entries — the VPR-level entity that extends a Cosmos SDK group with a DID, a governance framework, and lifecycle attributes. A Corporation entry MUST exist before its underlying group can be referenced as the corporation (group) in any other VPR Create-* method (see [MOD-CO-MSG-1]).

§ [MOD-CO-MSG-1] Create New Corporation

Any authorized operator CAN execute this method on behalf of a Cosmos SDK group to register a new Corporation entry for that group.

§ [MOD-CO-MSG-1-1] Create New Corporation parameters

An authorized operator that would like to register a Cosmos SDK group as a Corporation MUST call this method by specifying:

Provided document MUST be of the same language as the primary language of the Corporation.

§ [MOD-CO-MSG-1-2] Create New Corporation precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CO-MSG-1-2-1] Create New Corporation basic checks
§ [MOD-CO-MSG-1-2-2] Create New Corporation fee checks

Fee payer MUST have the required estimated transaction fees in its account.

§ [MOD-CO-MSG-1-3] Create New Corporation execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Subsequent governance framework documents and version activations for this Corporation MUST be managed through [MOD-GF-MSG-1] and [MOD-GF-MSG-2].

§ [MOD-CO-MSG-2] Update Corporation

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-CO-MSG-2-1] Update Corporation parameters

Note: language is set at creation time by [MOD-CO-MSG-1] and is immutable thereafter; it cannot be updated through this method.

§ [MOD-CO-MSG-2-2] Update Corporation precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CO-MSG-2-2-1] Update Corporation basic checks
§ [MOD-CO-MSG-2-2-2] Update Corporation fee checks

Fee payer MUST have available balance in its account to cover the required transaction fees.

§ [MOD-CO-MSG-2-3] Update Corporation execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-CO-MSG-3] Archive Corporation

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-CO-MSG-3-1] Archive Corporation parameters
§ [MOD-CO-MSG-3-2] Archive Corporation precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CO-MSG-3-2-1] Archive Corporation basic checks
§ [MOD-CO-MSG-3-2-2] Archive Corporation fee checks

Fee payer MUST have an available balance in its account to cover the required transaction fees.

§ [MOD-CO-MSG-3-3] Archive Corporation execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-CO-MSG-4] Update Module Parameters

Update Module Parameters.

Can only be executed through a governance proposal.

§ [MOD-CO-MSG-4-1] Update Module Parameters parameters
§ [MOD-CO-MSG-4-2] Update Module Parameters precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-CO-MSG-4-2-1] Update Module Parameters basic checks
§ [MOD-CO-MSG-4-2-2] Update Module Parameters fee checks

provided transaction fees MUST be sufficient for execution.

§ [MOD-CO-MSG-4-3] Update Module Parameters execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

for each parameter param <key, value> in parameters:

§ [MOD-CO-QRY-1] Get Corporation

Anyone CAN execute this method.

§ [MOD-CO-QRY-1-1] Get Corporation query parameters
§ [MOD-CO-QRY-1-2] Get Corporation query checks

If any of these checks fail, query MUST fail.

§ [MOD-CO-QRY-1-3] Get Corporation execution

Return the Corporation entry keyed by corporation (if any), as well as all its nested GovernanceFrameworkVersion and GovernanceFrameworkDocument entries. If active_gf_only is true, return only nested GovernanceFrameworkVersion and GovernanceFrameworkDocument entries for the active version.

§ [MOD-CO-QRY-2] List Corporations

§ [MOD-CO-QRY-2-1] List Corporations query parameters

The following parameters are optional:

§ [MOD-CO-QRY-2-2] List Corporations query checks

If any of these checks fail, query MUST fail.

§ [MOD-CO-QRY-2-3] List Corporations execution

If all precondition checks passed, query is executed and result (may be empty) returned. If modified_after is specified, order by modified desc.

§ [MOD-CO-QRY-3] List Module Parameters

Anyone CAN run this query.

§ [MOD-CO-QRY-3-3] List Module Parameters execution

Return the list of parameters of this module as a json file:

{
  "params": {
    "key1": "value1",
    "key2": "value2",
    ...
    ...
  }
}

§ Ecosystem Module

§ [MOD-ES-MSG-1] Create New Ecosystem

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-ES-MSG-1-1] Create New Ecosystem parameters

An authorized operator that would like to create a ecosystem MUST call this method by specifying:

Provided document must be of the same language that the primary language of the ecosystem.

§ [MOD-ES-MSG-1-2] Create New Ecosystem precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-ES-MSG-1-2-1] Create New Ecosystem basic checks
NOTE

Several Ecosystem entries MAY share the same ecosystem DID. The identifier of an Ecosystem is its id, and the Verifiable Trust Spec includes the id of the Ecosystem in the DID Document. Per-Ecosystem DID uniqueness is therefore NOT required: proof of control of the DID is verified by resolving the DID outside of the context of the VPR. However, all Ecosystem entries sharing the same did MUST be controlled by the same corporation — see the basic-check bullet above. Proof of control of the shared DID is, by construction, held by that single controlling Corporation, and the corresponding Corporation entry (if any whose own did equals this value) is unique by the per-Corporation did uniqueness invariant (although the Corporation that owns the DID per Corp.did and the Corporation that controls the Ecosystems claiming it need not coincide).

§ [MOD-ES-MSG-1-2-2] Create New Ecosystem fee checks

Fee payer MUST have an available balance to cover the estimated transaction fees.

§ [MOD-ES-MSG-1-3] Create New Ecosystem execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Subsequent governance framework documents and version activations for this ecosystem MUST be managed through [MOD-GF-MSG-1] and [MOD-GF-MSG-2].

§ [MOD-ES-MSG-2] Update Ecosystem

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-ES-MSG-2-1] Update Ecosystem parameters
§ [MOD-ES-MSG-2-2] Update Ecosystem precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-ES-MSG-2-2-1] Update Ecosystem basic checks
§ [MOD-ES-MSG-2-2-2] Update Ecosystem fee checks

Fee payer must have available balance in its account to cover the required transaction fees.

§ [MOD-ES-MSG-2-3] Update Ecosystem execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-ES-MSG-3] Archive Ecosystem

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-ES-MSG-3-1] Archive Ecosystem parameters
§ [MOD-ES-MSG-3-2] Archive Ecosystem precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-ES-MSG-3-2-1] Archive Ecosystem basic checks
§ [MOD-ES-MSG-3-2-2] Archive Ecosystem fee checks

Fee payer MUST have an available balance in its account to cover the required transaction fees.

§ [MOD-ES-MSG-3-3] Archive Ecosystem execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-ES-MSG-4] Update Module Parameters

Update Module Parameters.

Can only be executed through a governance proposal.

§ [MOD-ES-MSG-4-1] Update Module Parameters parameters
§ [MOD-ES-MSG-4-2] Update Module Parameters precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-ES-MSG-4-2-1] Update Module Parameters basic checks
§ [MOD-ES-MSG-4-2-2] Update Module Parameters fee checks

provided transaction fees MUST be sufficient for execution

§ [MOD-ES-MSG-4-3] Update Module Parameters execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

for each parameter param <key, value> in parameters:

§ [MOD-ES-QRY-1] Get Ecosystem

Anyone CAN execute this method.

§ [MOD-ES-QRY-1-1] Get Ecosystem parameters
§ [MOD-ES-QRY-1-2] Get Ecosystem checks
§ [MOD-ES-QRY-1-3] Get Ecosystem execution

return found Ecosystem entry (if any), as well as all its nested GovernanceFrameworkVersion and GovernanceFrameworkDocument entries. If active_gf_only is true, return only nested GovernanceFrameworkVersion and GovernanceFrameworkDocument entries for the active version.

§ [MOD-ES-QRY-2] List Ecosystems

§ [MOD-ES-QRY-2-1] List Ecosystems query parameters

The following parameters are optional:

§ [MOD-ES-QRY-2-2] List Ecosystems query checks

If any of these checks fail, query MUST fail.

§ [MOD-ES-QRY-2-3] List Ecosystems execution of the query

If all precondition checks passed, query is executed and result (may be empty) returned. If modified_after is specified, order by modified desc.

§ [MOD-ES-QRY-3] List Module Parameters

Anyone CAN run this query.

§ [MOD-ES-QRY-3-2] List Module Parameters parameters
§ [MOD-ES-QRY-3-2] List Module Parameters query checks
§ [MOD-ES-QRY-3-3] List Module Parameters execution of the query

Return the list of the existing parameters and their values.

§ [MOD-ES-QRY-3-4] List Module Parameters API result example
{
  "params": {
    "key1": "value1",
    "key2": "value2",
    ...
    ...
  }
}

§ Governance Framework Module

This module handles governance framework documents and version activation for both ecosystems and corporations. Methods are polymorphic over the owning subject: every message takes an optional ecosystem_id parameter to designate whose governance framework is being modified — if set, the target subject is that Ecosystem (and the signing corporation MUST be its controller); if not set, the target subject is the signing corporation’s own CGF (a Corporation may only edit its own CGF, so no extra parameter is needed).

The initial GovernanceFrameworkVersion and its first GovernanceFrameworkDocument are created atomically by Create New Ecosystem (and, by parallel construction, by Create New Corporation). After that, subsequent versions and documents are added through this module.

§ [MOD-GF-MSG-1] Add Governance Framework Document

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-GF-MSG-1-1] Add Governance Framework Document parameters

If for a given language, a document already exists, the execution of this transaction will replace the corresponding entry. Else, a new entry is created. It is only possible to edit future versions. Active version cannot be modified.

§ [MOD-GF-MSG-1-2] Add Governance Framework Document precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-GF-MSG-1-2-1] Add Governance Framework Document basic checks

if a mandatory parameter is not present, method MUST abort.

§ [MOD-GF-MSG-1-2-2] Add Governance Framework Document fee checks

Fee payer MUST have the required estimated transaction fees in its account.

§ [MOD-GF-MSG-1-3] Add Governance Framework Document execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-GF-MSG-2] Increase Active Governance Framework Version

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-GF-MSG-2-1] Increase Active Governance Framework Version parameters
§ [MOD-GF-MSG-2-2] Increase Active Governance Framework Version precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-GF-MSG-2-2-1] Increase Active Governance Framework Version basic checks
§ [MOD-GF-MSG-2-2-2] Increase Active Governance Framework Version fee checks

Fee payer MUST have the required estimated transaction fees in its account.

§ [MOD-GF-MSG-2-3] Increase Active Governance Framework Version execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-GF-QRY-1] Get Governance Framework Version

Anyone CAN execute this method.

§ [MOD-GF-QRY-1-1] Get Governance Framework Version query parameters
§ [MOD-GF-QRY-1-2] Get Governance Framework Version query checks

If any of these checks fail, query MUST fail.

§ [MOD-GF-QRY-1-3] Get Governance Framework Version execution

Return the GovernanceFrameworkVersion entry with id, including its owning subject reference (ecosystem_id or corporation) and its nested GovernanceFrameworkDocument entries (filtered by preferred_language if set).

§ [MOD-GF-QRY-2] List Governance Framework Versions

Anyone CAN execute this method.

§ [MOD-GF-QRY-2-1] List Governance Framework Versions query parameters

Exactly one of ecosystem_id and corporation MUST be set:

§ [MOD-GF-QRY-2-2] List Governance Framework Versions query checks

If any of these checks fail, query MUST fail.

§ [MOD-GF-QRY-2-3] List Governance Framework Versions execution

Return the list of GovernanceFrameworkVersion entries matching the filter, with their nested GovernanceFrameworkDocument entries (filtered as above). Entries MUST be ordered by ascending version.

§ Credential Schema Module

§ [MOD-CS-MSG-1] Create New Credential Schema

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-CS-MSG-1-1] Create New Credential Schema parameters

An account that would like to create a credential schema MUST call this method by specifying:

§ [MOD-CS-MSG-1-2] Create New Credential Schema precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-1-2-1] Create New Credential Schema basic checks
NOTE

When pricing_currency is set to FIAT, pricing_asset MUST be an ISO-4217 currency code. The number of decimals and minor unit semantics MUST follow the ISO-4217 standard for that currency. FIAT amounts MUST be expressed in minor units and MUST NOT be represented as on-chain coins. FIAT metadata SHOULD be pulled from a standard library. It MUST NOT be stored on chain.

§ [MOD-CS-MSG-1-2-2] Create New Credential Schema fee checks

Fee payer MUST have an available balance in its account, to cover the required estimated transaction fees.

§ [MOD-CS-MSG-1-3] Create New Credential Schema execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

NOTE

If needed, depending on configuration mode, Ecosystem controller MAY need to create a ECOSYSTEM Participant so that onboarding processes can be run.

§ [MOD-CS-MSG-2] Update Credential Schema

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-CS-MSG-2-1] Update Credential Schema parameters

An account that would like to update a credential schema MUST call this method by specifying:

other attributes are immutables and cannot be updated.

§ [MOD-CS-MSG-2-2] Update Credential Schema precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-2-2-1] Update Credential Schema basic checks
§ [MOD-CS-MSG-2-2-2] Update Credential Schema fee checks

Fee payer MUST have an available balance in its account to cover the required transaction fees.

§ [MOD-CS-MSG-2-3] Update Credential Schema execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-CS-MSG-3] Archive Credential Schema

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-CS-MSG-3-1] Archive Credential Schema parameters

An account that would like to archive or unarchive a credential schema MUST call this method by specifying:

§ [MOD-CS-MSG-3-2] Archive Credential Schema precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-3-2-1] Archive Credential Schema basic checks
§ [MOD-CS-MSG-3-2-2] Archive Credential Schema fee checks

Fee payer MUST have an available balance in its account to cover the required transaction fees.

§ [MOD-CS-MSG-3-3] Archive Credential Schema execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-CS-MSG-4] Update Module Parameters

Update Module Parameters.

Can only be executed through a governance proposal.

§ [MOD-CS-MSG-4-1] Update Module Parameters parameters
§ [MOD-CS-MSG-4-2] Update Module Parameters precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-CS-MSG-4-2-1] Update Module Parameters basic checks
§ [MOD-CS-MSG-4-2-2] Update Module Parameters fee checks

provided transaction fees MUST be sufficient for execution

§ [MOD-CS-MSG-4-3] Update Module Parameters execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

for each parameter param <key, value> in parameters:

§ [MOD-CS-MSG-5] Create Schema Authorization Policy

Any authorized operator CAN execute this method on behalf of a corporation.

This message creates a draft SchemaAuthorizationPolicy for a given (schema_id, role), or overwrites the existing draft policy if one already exists.
A draft policy is defined as a policy with effective_from == null and MUST NOT be revoked.

Accordingly, if a credential schema defines one or more active policies for the ISSUER or VERIFIER role, the corresponding corporation that grants the ISSUER or VERIFIER role for this schema (ISSUER_GRANTOR, VERIFIER_GRANTOR, or ECOSYSTEM, depending on how schema issuer and verifier modes have been configured) MUST issue an IAC or VAC credential to the candidate upon successful completion of the onboarding process. Refer to the Verifiable Trust spec for more information.

§ [MOD-CS-MSG-5-1] Create Schema Authorization Policy parameters
§ [MOD-CS-MSG-5-2] Create Schema Authorization Policy precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-5-2-1] Create Schema Authorization Policy basic checks
§ [MOD-CS-MSG-5-2-2] Create Schema Authorization Policy fee checks

Fee payer MUST have an available balance in its account to cover the required estimated transaction fees.

§ [MOD-CS-MSG-5-3] Create Schema Authorization Policy execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs:

§ [MOD-CS-MSG-6] Increase Active Schema Authorization Policy Version

Any authorized operator CAN execute this method on behalf of a corporation.

This message activates the current draft SchemaAuthorizationPolicy for the given (schema_id, role) and deactivates any previously active version. Deactivation does not constitute revocation; credentials issued under earlier policies MAY continue to be considered valid.

§ [MOD-CS-MSG-6-1] Increase Active Schema Authorization Policy Version parameters
§ [MOD-CS-MSG-6-2] Increase Active Schema Authorization Policy Version precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-6-2-1] Basic checks
§ [MOD-CS-MSG-6-2-2] Fee checks

Fee payer MUST have an available balance in its account to cover the required estimated transaction fees.

§ [MOD-CS-MSG-6-3] Increase Active Schema Authorization Policy Version execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks atomically in a transaction:

§ [MOD-CS-MSG-7] Revoke Schema Authorization Policy

Any authorized operator CAN execute this method on behalf of a corporation.

This message revokes a previously enabled SchemaAuthorizationPolicy version. Revoked means previously issued credential that refer to this policy are automatically considered revoked.

§ [MOD-CS-MSG-7-1] Revoke Schema Authorization Policy parameters
§ [MOD-CS-MSG-7-2] Revoke Schema Authorization Policy precondition checks

If any of these precondition checks fail, method MUST abort.

§ [MOD-CS-MSG-7-2-1] Basic checks
§ [MOD-CS-MSG-7-2-2] Fee checks

Fee payer MUST have an available balance in its account to cover the required estimated transaction fees.

§ [MOD-CS-MSG-7-3] Revoke Schema Authorization Policy execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following task in a transaction:

§ [MOD-CS-QRY-1] List Credential Schemas

§ [MOD-CS-QRY-1-1] List Credential Schemas parameters
§ [MOD-CS-QRY-1-2] List Credential Schemas checks
§ [MOD-CS-QRY-1-3] List Credential Schemas execution

return a list of found entry, or an empty list if nothing found. Results MUST be ordered by modified DESC.

§ [MOD-CS-QRY-2] Get Credential Schema

Anyone CAN execute this method.

§ [MOD-CS-QRY-2-1] Get Credential Schema parameters
§ [MOD-CS-QRY-2-2] Get Credential Schema checks
§ [MOD-CS-QRY-2-3] Get Credential Schema execution

return found entry (if any).

§ [MOD-CS-QRY-3] Render Json Schema

Anyone CAN execute this method.

§ [MOD-CS-QRY-3-1] Render Json Schema parameters
§ [MOD-CS-QRY-3-2] Render Json Schema checks
§ [MOD-CS-QRY-3-3] Render Json Schema execution

Render found entry (if any). In case value is returned by a REST API, content type MUST be set to “application/schema+json”.

Schema MUST be rendered cononized, even if it was not created canonized using the JSON Canonicalization Scheme (JCS) as defined in RFC 8785.

§ [MOD-CS-QRY-4] List Module Parameters

Anyone CAN run this query.

§ [MOD-CS-QRY-4-2] List Module Parameters parameters
§ [MOD-CS-QRY-4-2] List Module Parameters query checks
§ [MOD-CS-QRY-4-3] List Module Parameters execution of the query

Return the list of the existing parameters and their values.

§ [MOD-CS-QRY-4-4] List Module Parameters API result example
{
  "params": {
    "key1": "value1",
    "key2": "value2",
    ...
    ...
  }
}

§ [MOD-CS-QRY-5] Get Schema Authorization Policy

This query returns a single SchemaAuthorizationPolicy identified by its unique id.

§ [MOD-CS-QRY-5-1] Get Schema Authorization Policy parameters
§ [MOD-CS-QRY-5-2] Get Schema Authorization Policy precondition checks

If any of these precondition checks fail, query MUST abort.

§ [MOD-CS-QRY-5-3] Get Schema Authorization Policy execution

If all precondition checks pass, the query MUST return the corresponding SchemaAuthorizationPolicy entry:

§ [MOD-CS-QRY-6] List Schema Authorization Policies

This query returns the list of SchemaAuthorizationPolicy entries associated with a given (schema_id, role) pair.

§ [MOD-CS-QRY-6-1] List Schema Authorization Policies parameters
§ [MOD-CS-QRY-6-2] List Schema Authorization Policies precondition checks

If any of these precondition checks fail, query MUST abort.

§ [MOD-CS-QRY-6-3] List Schema Authorization Policies execution

If all precondition checks pass, the query MUST return the list of SchemaAuthorizationPolicy entries matching (schema_id, role).

Returned entries MUST include at least the following fields:

Entries MUST be ordered by ascending version.

§ Participant Module

§ Participant Module Overview

This section is non-normative.

Participants are linked to a Credential Schema and representable as a tree.

uml diagram

ECOSYSTEM Participants are created directly by the credential schema owner. All other Participants are created by running an onboarding process — except when onboarding mode is set to OPEN for ISSUER and/or VERIFIER Participants, which any account CAN create directly:

An onboarding process (OP) involves an applicant (the corporation of a given Participant entry) and a validator Participant. It MAY require the applicant to pay validation_fees in addition to transaction fees.

An onboarding process is run by applicants that want to:

In all cases, the process is very similar. Example execution of an onboarding process:

  1. The applicant starts an onboarding process by running [MOD-PP-MSG-1]. The process MAY be subject to paying validation_fees, as defined in the validator's Participant entry.
  2. The applicant connects to the validator's VS (identified by its DID) and executes the validation steps required for the onboarding process to conclude.
  3. If the applicant qualifies, the validator runs [MOD-PP-MSG-3] to update the Participant entry; the applicant is then granted the new Participant entries and/or issued a credential.

Once in the VALIDATED state, a Participant entry remains valid for a specific period (e.g., 365 days), configured in the credential schema for credential-schema-related onboarding, or set by the ecosystem for user-agent onboarding.

NOTE

Even when the Participant entry remains in the VALIDATED state for the configured period, the resulting Participant entry or issued credential MAY have a shorter expiration timestamp because the validated attribute(s) might expire earlier. In this case, the applicant MUST provide updated information to the validator before attribute expiration in order to be issued an updated Participant entry and/or credential.

If the VALIDATED state is set to expire, an applicant that wishes to extend the expiration timestamp MUST renew its onboarding process (see [MOD-PP-MSG-2]).

At any time, the applicant CAN cancel the onboarding process (see [MOD-PP-MSG-6]).

Some unexpected situations may arise and MUST be mitigated. Examples:

§ [MOD-PP-MSG-1] Start Participant OP

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-PP-MSG-1-1] Start Participant OP parameters

An Applicant that would like to start an onboarding process MUST execute this method by specifying:

The following VS Operator Authorization parameters are optional and collectively define the initial ParticipantAuthorizationRecord that will be created for this Participant entry. Presence of vs_operator_authz_msg_types is the trigger: if it is not provided, no authorization record is created and the Participant entry operates in manual mode (the corporation signs and pays for its own Participant-related transactions directly). VSOA configuration is frozen at creation time and cannot be modified later; to change it, the Participant entry MUST be revoked and re-created.

Permitted message types to be set in vs_operator_authz_msg_types depends on role.

Participant role Permitted Messages
HOLDER TriggerResolver
ISSUER CreateOrUpdateParticipantSession, SetParticipantOPtoValidated
VERIFIER CreateOrUpdateParticipantSession
ISSUER_GRANTOR SetParticipantOPtoValidated
VERIFIER_GRANTOR SetParticipantOPtoValidated
ECOSYSTEM SetParticipantOPtoValidated

Available compatible perms can be found by using an indexer and presented in a front-end so applicant can choose its validator.

§ [MOD-PP-MSG-1-2] Start Participant OP precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-1-2-1] Start Participant OP basic checks

if a mandatory parameter is not present, transaction MUST abort.

NOTE

A holder MAY directly connect to the DID VS of an issuer in order to get issued a credential. It’s up to the issuer to decide if running the onboarding process is REQUIRED or not.

§ [MOD-PP-MSG-1-2-2] Start Participant OP permission checks

At the end, if a active participant validator_participant is not found, transaction MUST abort.

§ [MOD-PP-MSG-1-2-3] Start Participant OP fee checks

If a conversion is needed below, use Get Price to convert amounts to native denom:

if (cs.pricing_asset_type, cs.pricing_asset) is set to (COIN, [[ref: native denom]]):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to (TU, "tu"):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to an arbitrary coin (COIN, [[ref: denom]]):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to an arbitrary coin (FIAT, [[ref: denom]]):

NOTE

Trust deposit MUST always be paid in native denom

§ [MOD-PP-MSG-1-2-4] Start Participant OP overlap checks

We want to make sure that 2 onboarding processes cannot be active at the same time in the same context. This does not prevent a corporation from running different OP with differents validators for the same schema_id, role.

Find all Participant entries participants[] for schema_id, role, validator_participant_id, corporation with op_state = VALIDATED or PENDING.

if size of participants[] > 0, it means there is already an existing onboarding process in this context, so MUST abort.

note: this check was not present in v3.

§ [MOD-PP-MSG-1-3] Start Participant OP execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

If vs_operator_authz_msg_types is provided, create the ParticipantAuthorizationRecord in disabled state (expiration = now) by calling [MOD-DE-MSG-5] Grant VS Operator Authorization with:

Note: the record is created with expiration = now so authorization is not yet active. [AUTHZ-CHECK-3] will reject any attempt to use it until [MOD-PP-MSG-3] updates expiration to applicant_participant.effective_until. No on-chain FeeGrant object is created at this stage even if with_feegrant is true (the recompute subroutine in [MOD-DE-MSG-5-5] requires expiration > now).

§ Connecting to the VS of the Validator

This section is non-normative, and provided for understanding only.

This action must be initiated by the applicant.

During an onboarding process, if the associated validator_participant includes a specific did, the applicant should establish a secure connection with the validator’s VS (Verifiable Service) using a secure communication protocol such as DIDComm.

Upon connecting to the VS, the applicant should be required by the validator to complete one or more of the following tasks:

  1. Prove control over the vs_operator account specified in the Participant entry (e.g., via blind signature or cryptographic challenge).
  2. Provide requested information, such as filling out forms, submitting documents, or other forms of disclosure as required by the validation VS.
  3. If the requested Participant entry includes a VS DID, the applicant should prove control over the corresponding DID to the validator’s VS.

Once the validator determines that the process is complete, they may terminate the onboarding process and create the Participant entry accordingly. This Participant-entry configuration usually includes:

The validator may compile a summary file of the onboarding process, documenting exchanged data, proofs, and decisions, and share it with the applicant via the VS connection or another secure channel.

For audit or governance purposes, the validator should register a digest (e.g., hash or SRI) of this summary in applicant_participant.op_summary_digest.

§ [MOD-PP-MSG-2] Renew Participant OP

Any authorized operator CAN execute this method on behalf of a corporation.

This section is non-normative.

§ [MOD-PP-MSG-2-1] Renew Participant OP parameters
§ [MOD-PP-MSG-2-2] Renew Participant OP precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-2-2-1] Renew Participant OP basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PP-MSG-2-2-2] Renew Participant OP permission checks
§ [MOD-PP-MSG-2-2-3] Renew Participant OP fee checks

If a conversion is needed below, use Get Price to convert amounts to native denom:

if (cs.pricing_asset_type, cs.pricing_asset) is set to (COIN, [[ref: native denom]]):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to (TU, "tu"):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to an arbitrary coin (COIN, [[ref: denom]]):

else if (cs.pricing_asset_type, cs.pricing_asset) is set to an arbitrary coin (FIAT, [[ref: denom]]):

NOTE

Trust deposit MUST always be paid in native denom

§ [MOD-PP-MSG-2-3] Renew Participant OP execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-PP-MSG-3] Set Participant OP to Validated

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-PP-MSG-3-1] Set Participant OP to Validated parameters

An account that would like to set a validation entry to VALIDATED MUST execute this method by specifying:

§ [MOD-PP-MSG-3-2] Set Participant OP to Validated precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-3-2-1] Set Participant OP to Validated basic checks

if a mandatory parameter is not present, transaction MUST abort.

either (executed by any operator of corporation): [AUTHZ-CHECK-1] MUST pass for this (corporation, operator) tuple and SetParticipantOPtoValidated message. [AUTHZ-CHECK-2] MUST pass for this (corporation, operator) tuple and SetParticipantOPtoValidated message. OR (executed by vs-agent account defined in validator Participant): [AUTHZ-CHECK-3] MUST pass for this (corporation, operator, validator_participant) tuple. [AUTHZ-CHECK-4] MUST pass for this (corporation, operator, validator_participant) tuple. else MUST abort.

Calculation of op_exp, the onboarding process expiration timestamp, required to verify provided effective_until:

Now, let’s verify effective_until:

§ [MOD-PP-MSG-3-2-2] Set Participant OP to Validated validator perms

If validator_participant is not a active participant (expired, revoked, slashed…) then applicant MUST start a new onboarding process.

§ [MOD-PP-MSG-3-2-3] Set Participant OP to Validated fee checks
§ [MOD-PP-MSG-3-2-4] Set Participant OP to Validated overlap checks

We want to make sure that 2 Participant entries cannot be active at the same time for the same validator_participant_id. That should not occur in this method, but better do the check anyway.

Find all active participants participants[] (not revoked, not slashed, not repaid) for schema_id, role, validator_participant_id, corporation.

for each Participant entry p from participants[]:

note: this check was not present in v3.

§ [MOD-PP-MSG-3-3] Set Participant OP to Validated execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Calculate op_exp:

Change value of provided effective_until if needed, and abort if needed:

Fees and Trust Deposits:

Important: if applicant_participant.op_current_fees is not in native denom, corporation account MUST have applicant_participant.op_current_deposit available for paying the trust deposit.

Update Participant applicant_participant:

Activate VS Operator Authorization, if any. Call [MOD-DE-MSG-9] Update VS Operator Authorization Expiration with:

This call is a no-op if no record was created at [MOD-PP-MSG-1] (i.e., the applicant did not declare vs_operator_authz_msg_types). If a record exists, its expiration is updated from now (disabled) to applicant_participant.effective_until, and the on-chain FeeGrant for the containing VSOA is granted for the first time (or refreshed) via [MOD-DE-MSG-5-5].

§ [MOD-PP-MSG-4] Void

§ [MOD-PP-MSG-5] Void

§ [MOD-PP-MSG-6] Cancel Participant OP Last Request

Any authorized operator CAN execute this method on behalf of a corporation.

At any time, applicant of an onboarding process may request cancellation of the process, provided state is PENDING. Upon method execution, the pending validation is cancelled and escrewed trust fees are refunded. If op_exp is not null, op_state is set back to VALIDATED, else op_state is set to TERMINATED.

§ [MOD-PP-MSG-6-1] Cancel Participant OP Last Request parameters
§ [MOD-PP-MSG-6-2] Cancel Participant OP Last Request precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-6-2-1] Cancel Participant OP Last Request basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PP-MSG-6-2-2] Cancel Participant OP Last Request fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-PP-MSG-6-3] Cancel Participant OP Last Request execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

If applicant_participant.op_state was set to TERMINATED (i.e. applicant_participant.op_exp was null so validation never completed), call [MOD-DE-MSG-6] Revoke VS Operator Authorization with participant_id = applicant_participant.id to remove any disabled authorization record created at [MOD-PP-MSG-1]. The call is a no-op if no record exists. If applicant_participant.op_state was set back to VALIDATED, no VSOA changes are needed (the existing record’s expiration remains at the value set by the previous successful validation).

§ [MOD-PP-MSG-7] Create Root Participant

Any authorized operator CAN execute this method on behalf of a corporation.

This method is used by controller authorities of Ecosystems. When they create a Credential Schema, they need to create (a) Participant entry(ies) of role ECOSYSTEM so that other participants can run onboarding processes (if schema mode is ECOSYSTEM) or self create their Participant entries (schema mode set to OPEN).

§ [MOD-PP-MSG-7-1] Create Root Participant parameters

An account that would like to create a Participant entry MUST call this method by specifying:

The following VS Operator Authorization parameters are optional and collectively define the initial ParticipantAuthorizationRecord for this Participant entry. Presence of vs_operator_authz_msg_types is the trigger: if it is not provided, no authorization record is created and the Participant entry operates in manual mode. VSOA configuration is frozen at creation time and cannot be modified later; to change it, the Participant entry MUST be revoked and re-created.

Permitted message types to be set in vs_operator_authz_msg_types depends on role. Since Create Root Participant always creates an ECOSYSTEM Participant entry, only the following is allowed:

Participant role Permitted Messages
ECOSYSTEM SetParticipantOPtoValidated
§ [MOD-PP-MSG-7-2] Create Root Participant precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-7-2-1] Create Root Participant basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PP-MSG-7-2-2] Create Root Participant permission checks

To execute this method, account MUST match at least one these rules, else transaction MUST abort.

§ [MOD-PP-MSG-7-2-3] Create Root Participant fee checks

Fee payer MUST have the required estimated transaction fees available.

§ [MOD-PP-MSG-7-2-4] Create Root Participant overlap checks

We want to make sure that 2 Participant entries cannot be active at the same time. If corporation wishes to create a new Participant entry but the existing one never expires (or expires too far from now), corporation MUST use first the Set Participant Effective Until to set or adjust the effective_until value.

Find all active participants participants[] (not revoked, not slashed, not repaid) for schema_id, ECOSYSTEM, corporation.

Note: unlike overlap checks from other methods, here we do not need to check for validator_participant_id, as for ECOSYSTEM-role Participant entries it is NULL.

for each Participant entry p from participants[]:

note: this check was not present in v3.

§ [MOD-PP-MSG-7-3] Create Root Participant execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

A new entry Participant perm MUST be created:

If vs_operator_authz_msg_types is provided, create the ParticipantAuthorizationRecord in active state by calling [MOD-DE-MSG-5] Grant VS Operator Authorization with:

Note: like [MOD-PP-MSG-14], the record is created with expiration = participant.effective_until and is therefore immediately active. If with_feegrant is true and participant.effective_until > now, [MOD-DE-MSG-5-5] grants the on-chain FeeGrant as part of this execution.

§ [MOD-PP-MSG-8] Set Participant Effective Until

Any authorized operator CAN execute this method on behalf of a corporation.

This method can be called:

§ [MOD-PP-MSG-8-1] Set Participant Effective Until parameters
§ [MOD-PP-MSG-8-2] Set Participant Effective Until precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-8-2-1] Set Participant Effective Until basic checks

if a mandatory parameter is not present, transaction MUST abort.

Note: This method can be used to both Extend or Reduce the effective_until, or set an effective_until if it was null, which was not the case in spec v3.

§ [MOD-PP-MSG-8-2-2] Set Participant Effective Until advanced checks
  1. ECOSYSTEM Participant entries
  1. Self-created Participant entries
  1. OP-managed Participant entries
§ [MOD-PP-MSG-8-2-3] Set Participant Effective Until fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-PP-MSG-8-2-4] Set Participant Effective Until overlap checks

We want to make sure that 2 Participant entries cannot be active at the same time for the same validator_participant_id. If corporation wishes to create a new Participant entry but the existing one never expires (or expires too far from now), corporation MUST use first the Set Participant Effective Until to set or adjust the effective_until value.

Find all active participants participants[] (not revoked, not slashed, not repaid) for schema_id, role, validator_participant_id, corporation.

for each Participant entry p from participants[]:

note: this check was not present in v3.

§ [MOD-PP-MSG-8-3] Set Participant Effective Until execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Synchronise VS Operator Authorization expiration, if any. Call [MOD-DE-MSG-9] Update VS Operator Authorization Expiration with:

This call is a no-op if no record exists for applicant_participant.id. If a record exists, its expiration is updated and the on-chain FeeGrant for the containing VSOA is refreshed via [MOD-DE-MSG-5-5]. Set Participant Effective Until does not accept VSOA parameters and cannot modify any other field of the record; VSOA configuration is frozen at record creation (see [MOD-PP-MSG-1] and [MOD-PP-MSG-14]). This method also cannot create a record that does not already exist.

§ [MOD-PP-MSG-9] Revoke Participant

Any authorized operator CAN execute this method on behalf of a corporation.

This method can only be called:

§ [MOD-PP-MSG-9-1] Revoke Participant parameters
§ [MOD-PP-MSG-9-2] Revoke Participant precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-9-2-1] Revoke Participant basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PP-MSG-9-2-2] Revoke Participant advanced checks

Either Option #1, #2 or #3 MUST return true, else abort.

Option #1: executed by a validator ancestor

if applicant_participant.validator_participant_id is defined:

Option #2: executed by Ecosystem controller

Option #3: executed by applicant_participant.corporation: return true.

Example:

In the following Participant tree, the “Verifier E” Participant entry can be revoked:

uml diagram
§ [MOD-PP-MSG-9-2-3] Revoke Participant fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-PP-MSG-9-3] Revoke Participant execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Call [MOD-DE-MSG-6] Revoke VS Operator Authorization with participant_id = applicant_participant.id to remove any authorization record for this Participant entry. The call is a no-op if no record exists.

§ [MOD-PP-MSG-10] Create or Update Participant Session

Any authorized operator CAN execute this method on behalf of a corporation.

Any credential exchange that requires issuer or verifier to pay fees, register a digest_sri, or produce a proof implies the creation of a ParticipantSession.

If the peer wants to issue a credential, the agent, the Verifiable User Agent or Verifiable Service that receive the request MUST send to peer:

If the peer wants to verify a credential, agent must send to peer:

In case peer is a Verifiable Service and illegaly set agent_participant_id and/or wallet_agent_participant_id, the other end MUST refuse the request.

payer MUST create a Participant Session using the above information, then, agent MUST check session has been created and is valid before accepting the action (receive and store issued credential, or accept a presentation request).

uml diagram

See VT spec.

§ [MOD-PP-MSG-10-1] Create or Update Participant Session parameters

An account that would like to create or update a ParticipantSession entry MUST send a Msg by specifying:

§ [MOD-PP-MSG-10-2] Create or Update Participant Session precondition checks

If any of these precondition checks fail, transaction MUST abort.

if issuer_participant_id is null AND verifier_participant_id is null, MUST abort.

if issuer_participant_id is not null:

if verifier_participant_id is not null:

Define the primary Participant perm: if verifier_participant is not null, perm = verifier_participant (the caller is the vs_operator of the verifier). Else, perm = issuer_participant (the caller is the vs_operator of the issuer).

[AUTHZ-CHECK-3] MUST pass for this (corporation, operator, perm) tuple. [AUTHZ-CHECK-4] MUST pass for this (corporation, operator, perm) tuple.

agent:

wallet_agent:

WARNING

we might want to check that credential schema of agent and wallet_agent perms is an Essential Credential Schema of type UserAgent. At the moment there is no way of doing it. We consider User Agent will not report a Participant entry that is not controlled by its owner.

§ [MOD-PP-MSG-10-3] Create or Update Participant Session fee checks

For trust fees, corporation account MUST have sufficient available balance as explained below.

Step 1: Calculate total beneficiary fees in credential schema pricing asset

Use “Find Beneficiaries” query method to get the set of beneficiary Participant entries found_participant_set (all ancestors in the Participant tree).

If Credential Issuance (issuer_participant is NOT null):

If Credential Verification (verifier_participant is NOT null):

Note: total_beneficiary_fees is expressed in the credential schema pricing asset (cs.pricing_asset_type, cs.pricing_asset).

Step 2: Calculate amounts payer must have available

Based on the credential schema pricing configuration, calculate the total amounts the payer (corporation) must have available.

Define the following variables:

Variable Description
total_fees_in_pricing_asset Total fees to be distributed to beneficiaries (in pricing asset)
total_fees_in_native_denom Total fees converted to native denom (if needed)
total_payer_trust_deposit Trust deposit payer must stake for themselves
total_payees_trust_deposit Trust deposit payer must stake on behalf of payees
total_payees_fees_to_account Fees to be transferred to payees’ accounts
total_user_agent_reward Reward for user agent (in native denom)
total_wallet_agent_reward Reward for wallet agent (in native denom)

Initialize:

If a conversion is needed below, use Get Price to convert amounts.

Case A: (cs.pricing_asset_type, cs.pricing_asset) = (COIN, [[ref: native denom]])

Pricing is in native token. No conversion needed.

Calculate:

if agent_participant_id is set:

if wallet_agent_participant_id is set:

Required balance check:

Case B: (cs.pricing_asset_type, cs.pricing_asset) = (TU, "tu")

Pricing is in Trust Units. Convert to native denom for all on-chain payments.

Calculate:

if agent_participant_id is set:

if wallet_agent_participant_id is set:

Required balance check:

Case C: (cs.pricing_asset_type, cs.pricing_asset) = (COIN, <arbitrary_denom>)

Pricing is in an arbitrary on-chain coin (e.g., USDC). Fees to payees are paid in that coin; deposits and agent rewards are converted to native denom.

Calculate:

if agent_participant_id is set:

if wallet_agent_participant_id is set:

Required balance check:

Case D: (cs.pricing_asset_type, cs.pricing_asset) = (FIAT, <fiat_denom>)

Pricing is in fiat currency (e.g., USD). Fiat fees are settled off-chain; only deposits and agent rewards are paid on-chain in native denom.

Calculate:

if agent_participant_id is set:

if wallet_agent_participant_id is set:

Required balance check:

WARNING
  • Trust deposits MUST always be paid in native denom.
  • When paying with COIN ≠ native denom or with FIAT, payer pays trust deposits on behalf of payees (since payees receive non-native assets that cannot be directly staked).
§ [MOD-PP-MSG-10-4] Create or Update Participant Session execution

If all precondition checks passed, method is executed.

Note: All funds are transferred from the corporation account executing the method. The steps below describe what each recipient must receive. Implementation details (batching, order of transfers) are left to the implementer.

Step 1: Process fee distribution to each beneficiary

Initialize accumulators for agent rewards:

Determine the operation type and applicable discount:

For each beneficiary Participant perm in found_participant_set:

If participant.[fee_field] > 0:

  1. Calculate the discounted fee for this beneficiary:

    • beneficiary_fee_in_pricing_asset = participant.[fee_field] × (1 - discount)

  2. Calculate amounts based on pricing configuration (same logic as fee checks):

    Case A: (cs.pricing_asset_type, cs.pricing_asset) = (COIN, [[ref: native denom]])

    • fee_in_native_denom = beneficiary_fee_in_pricing_asset
    • payer_trust_deposit = fee_in_native_denom × GlobalVariables.trust_deposit_rate
    • payee_trust_deposit = payer_trust_deposit
    • payee_fees_to_account = fee_in_native_denom × (1 - GlobalVariables.trust_deposit_rate)

if agent_participant_id is set: - user_agent_reward_portion = fee_in_native_denom × GlobalVariables.user_agent_reward_rate

if wallet_agent_participant_id is set: - wallet_agent_reward_portion = fee_in_native_denom × GlobalVariables.wallet_user_agent_reward_rate

Case B: (cs.pricing_asset_type, cs.pricing_asset) = (TU, "tu")

if agent_participant_id is set: - user_agent_reward_portion = fee_in_native_denom × GlobalVariables.user_agent_reward_rate

if wallet_agent_participant_id is set: - wallet_agent_reward_portion = fee_in_native_denom × GlobalVariables.wallet_user_agent_reward_rate

Case C: (cs.pricing_asset_type, cs.pricing_asset) = (COIN, <arbitrary_denom>)

if agent_participant_id is set: - user_agent_reward_portion = fee_in_native_denom × GlobalVariables.user_agent_reward_rate

if wallet_agent_participant_id is set: - wallet_agent_reward_portion = fee_in_native_denom × GlobalVariables.wallet_user_agent_reward_rate

Case D: (cs.pricing_asset_type, cs.pricing_asset) = (FIAT, <fiat_denom>)

if agent_participant_id is set: - user_agent_reward_portion = fee_in_native_denom × GlobalVariables.user_agent_reward_rate

if wallet_agent_participant_id is set: - wallet_agent_reward_portion = fee_in_native_denom × GlobalVariables.wallet_user_agent_reward_rate

  1. Execute transfers and deposits for this beneficiary:

    • If payee_fees_to_account > 0: transfer payee_fees_to_account to participant.corporation (in the appropriate denom).
    • Use [MOD-TD-MSG-1] to increase the trust deposit of participant.corporation by payee_trust_deposit. Increase participant.deposit by the same value.
    • Use [MOD-TD-MSG-1] to increase the trust deposit of corporation (payer) by payer_trust_deposit. Increase payer_participant.deposit by the same value.

  2. Accumulate agent rewards:

    • accumulated_user_agent_reward = accumulated_user_agent_reward + user_agent_reward_portion
    • accumulated_wallet_agent_reward = accumulated_wallet_agent_reward + wallet_agent_reward_portion

Step 2: Process agent rewards

After processing all beneficiaries, distribute accumulated rewards to agents.

User Agent Reward:

If agent_participant_id is set AND accumulated_user_agent_reward > 0:

Wallet Agent Reward:

If wallet_agent_participant_id is set AND accumulated_wallet_agent_reward > 0:

Step 3: Create or update session records

Now that all transfers have been done, we can create the entries

Create a ParticipantSessionRecord cspsr:

If new, create entry ParticipantSession session:

Else update:

then, add the cspsr to session.session_records

if current transaction if for issuance of a credential, persist the digest SRI by calling [MOD-DI-MSG-1].

WARNING

session.authz[] can contain null issuer_participant_id OR verifier_participant_id

§ [MOD-PP-MSG-11] Update Participant Module Parameters

Update Participant Module Parameters.

Can only be executed through a governance proposal.

§ [MOD-PP-MSG-11-1] Update Participant Module Parameters parameters
§ [MOD-PP-MSG-11-2] Update Participant Module Parameters precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-11-2-1] Update Participant Module Parameters basic checks
§ [MOD-PP-MSG-11-2-2] Update Participant Module Parameters fee checks

provided transaction fees MUST be sufficient for execution

§ [MOD-PP-MSG-11-3] Update Participant Module Parameters execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

for each parameter param <key, value> in parameters:

§ [MOD-PP-MSG-12] Slash Participant Trust Deposit

This method can only be called by either:

§ [MOD-PP-MSG-12-1] Slash Participant Trust Deposit parameters
§ [MOD-PP-MSG-12-2] Slash Participant Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-12-2-1] Slash Participant Trust Deposit basic checks

if a mandatory parameter is not present, transaction MUST abort.

NOTE

Even if the Participant entry has expired or is revoked, it is still possible to slash it.

§ [MOD-PP-MSG-12-2-2] Slash Participant Trust Deposit validator perms

Either Option #1, or #2 MUST return true, else abort.

Option #1: executed by a validator ancestor

if applicant_participant.validator_participant_id is defined:

Option #2: executed by Ecosystem controller

§ [MOD-PP-MSG-12-2-3] Slash Participant Trust Deposit fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-PP-MSG-12-3] Slash Participant Trust Deposit execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

use MOD-TD-MSG-7 to burn the slashed amount from the trust deposit of applicant_participant.corporation.

Call [MOD-DE-MSG-6] Revoke VS Operator Authorization with participant_id = applicant_participant.id to remove any authorization record for this Participant entry. The call is a no-op if no record exists.

§ [MOD-PP-MSG-13] Repay Participant Slashed Trust Deposit

This method can only be called by the corporation that wants to repay the deposit of a slashed Participant entry they own. This won’t make the Participant entry re-usable: it will be needed for the corporation associated to this Participant entry to request a new Participant entry, as slashed Participant entries cannot be revived (same happens for revoked, etc.).

Nevertheless, to get a new Participant entry for a given ecosystem, it is needed, using this method, to repay the deposit of a slashed Participant entry first.

§ [MOD-PP-MSG-13-1] Repay Participant Slashed Trust Deposit parameters
§ [MOD-PP-MSG-13-2] Repay Participant Slashed Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-13-2-1] Repay Participant Slashed Trust Deposit basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PP-MSG-13-2-2] Repay Participant Slashed Trust Deposit fee checks
§ [MOD-PP-MSG-13-3] Repay Participant Slashed Trust Deposit execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

use Adjust Trust Deposit to transfer applicant_participant.slashed_deposit to trust deposit of applicant_participant.corporation.

§ [MOD-PP-MSG-14] Self Create Participant

Any authorized operator CAN execute this method on behalf of a corporation.

This simple Participant-creation method can be used to self-create an ISSUER (resp. VERIFIER) Participant entry if issuance mode (resp. verification mode) is set to OPEN for a given schema. As Participant entries are the anchor of ecosystem trust deposit operations, it is required for an issuer/verifier candidate to self-create a Participant entry for being issuer or verifier of a given schema.

NOTE

Even if a schema is OPEN, candidate MUST make sure they comply with the EGF else their Participant entry may be revoked by ecosystem governance authority and their deposit slashed.

§ [MOD-PP-MSG-14-1] Self Create Participant parameters

The following VS Operator Authorization parameters are optional and collectively define the initial ParticipantAuthorizationRecord for this Participant entry. Presence of vs_operator_authz_msg_types is the trigger: if it is not provided, no authorization record is created and the Participant entry operates in manual mode. VSOA configuration is frozen at creation time and cannot be modified later; to change it, the Participant entry MUST be revoked and re-created.

Permitted message types to be set in vs_operator_authz_msg_types depends on role.

Participant role Permitted Messages
HOLDER TriggerResolver
ISSUER CreateOrUpdateParticipantSession, SetParticipantOPtoValidated
VERIFIER CreateOrUpdateParticipantSession
§ [MOD-PP-MSG-14-2] Self Create Participant precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-14-2-1] Self Create Participant basic checks

if a mandatory parameter is not present, transaction MUST abort.

Load Participant validator_participant from validator_participant_id.

§ [MOD-PP-MSG-14-2-2] Self Create Participant permission checks

To execute this method, account MUST match at least one these rules, else transaction MUST abort.

§ [MOD-PP-MSG-14-2-3] Self Create Participant fee checks

Fee payer MUST have the required estimated transaction fees available.

§ [MOD-PP-MSG-14-2-4] Self Create Participant overlap checks

We want to make sure that 2 Participant entries cannot be active at the same time for the same validator_participant_id. If corporation wishes to create a new Participant entry but the existing one never expires (or expires too far from now), corporation MUST use first the Set Participant Effective Until to set or adjust the effective_until value.

Find all active participants participants[] (not revoked, not slashed, not repaid) for cs.id, role, validator_participant_id, corporation.

for each Participant entry p from participants[]:

note: this check was not present in v3.

§ [MOD-PP-MSG-14-3] Self Create Participant execution

If all precondition checks passed, method is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

A new entry Participant perm MUST be created:

If vs_operator_authz_msg_types is provided, create the ParticipantAuthorizationRecord in active state by calling [MOD-DE-MSG-5] Grant VS Operator Authorization with:

Note: unlike [MOD-PP-MSG-1], the record is created with expiration = participant.effective_until and is therefore immediately active. If with_feegrant is true and participant.effective_until > now, [MOD-DE-MSG-5-5] grants the on-chain FeeGrant as part of this execution.

§ [MOD-PP-MSG-15] Trigger Resolver

This method CAN be executed by:

This method is intended to be used by external services (such as the Verana indexer) to be notified that a trust resolution must be performed for the did registered in the Participant entry. Typical use cases include:

The method does not modify the VPR state; it only emits an event that off-chain components MAY consume.

§ [MOD-PP-MSG-15-1] Trigger Resolver parameters
§ [MOD-PP-MSG-15-2] Trigger Resolver precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-PP-MSG-15-2-1] Trigger Resolver basic checks

if a mandatory parameter is not present, transaction MUST abort.

§ [MOD-PP-MSG-15-2-2] Trigger Resolver authorization checks

At least one of the two authorization paths below MUST pass, else transaction MUST abort.

Path 1 — vs_operator of the target Participant entry

Path 2 — ancestor validator in the Participant tree

The target perm itself is excluded from this walk; only its ancestors (from the direct parent up to the root) are considered. Walk the tree:

If the walk terminates without a match, Path 2 fails.

§ [MOD-PP-MSG-15-2-3] Trigger Resolver fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-PP-MSG-15-3] Trigger Resolver execution

If all precondition checks passed, transaction is executed.

This method does not modify the state of the VPR. It MUST emit an event signaling that a trust resolution has been triggered for perm. The event MUST include at least:

Note: the identity of the signers (corporation, operator), the fee payer, the block height and timestamp, and the full Msg payload are already observable from the transaction itself. Indexers MAY use the Participant entry queried by participant_id to resolve did, corporation, vs_operator, and ancestor chain without duplicating them in the event payload.

§ [MOD-PP-QRY-1] List Participants

Anyone CAN execute this method.

Generic query used for (at least):

§ [MOD-PP-QRY-1-1] List Participants parameters
§ [MOD-PP-QRY-1-2] List Participants checks

Basic type check arg SHOULD be applied.

If any of these checks fail, query MUST fail.

§ [MOD-PP-QRY-1-3] List Participants execution

return a list of found entries, or an empty list if nothing found. Ordered by modified asc.

§ [MOD-PP-QRY-2] Get Participant

Anyone CAN execute this method.

§ [MOD-PP-QRY-2-1] Get Participant parameters
§ [MOD-PP-QRY-2-2] Get Participant checks
§ [MOD-PP-QRY-2-3] Get Participant execution

return found entry (if any).

§ [MOD-PP-QRY-3] Void

Obsoleted by [MOD-PP-QRY-1].

§ [MOD-PP-QRY-4] Find Beneficiaries

Anyone can execute this method.

To calculate the fees required for paying the beneficiaries, it is needed to recurse all involved perms until the root of the Participant tree (which is the ecosystem perm), starting from the 2 branches issuer_participant and verifier_participant. As both branches may have common ancestors, we can create a Set (unordered collection with no duplicates), and recurse over the 2 branches, adding found perms. If verifier_participant is null, issuer_participant is never added to the set. If verifier_participant is NOT null, issuer_participant is added to the set if it exists but verifier_participant is not added to the set.

Example 1: verifier_participant: is not set: it’s a credential offer, schema configured to have Issuer Grantors.

uml diagram

Example 2: verifier_participant: is not set: it’s a credential offer. Schema configured to NOT have Issuer Grantors.

uml diagram

Example 3: verifier_participant is set, it’s a presentation request. Schema configured to have Verifier and Issuer Grantors.

uml diagram
§ [MOD-PP-QRY-4-1] Find Beneficiaries parameters
§ [MOD-PP-QRY-4-2] Find Beneficiaries checks
§ [MOD-PP-QRY-4-3] Find Beneficiaries execution

Example: Let’s build the set. Revoked and slashed Participant entries will not be added to the set. Expired Participant entries, if not revoked/slashed, will be considered.

if issuer_participant is not null:

Additionally, if verifier_participant is not null:

return found_perms.

NOTE

This works even is schema is open to any issuer or open to any verifier.

§ [MOD-PP-QRY-5] Get ParticipantSession

§ [MOD-PP-QRY-5-1] Get ParticipantSession parameters
§ [MOD-PP-QRY-5-2] Get ParticipantSession checks
§ [MOD-PP-QRY-5-3] Get ParticipantSession execution

return ParticipantSession entry if found, else return not found.

§ [MOD-PP-QRY-6] List Participant Module Parameters
§ [MOD-PP-QRY-6-2] List Participant Module Parameters parameters
§ [MOD-PP-QRY-6-2] List Participant Module Parameters query checks
§ [MOD-PP-QRY-6-3] List Participant Module Parameters execution of the query

Return the list of the existing parameters and their values.

§ [MOD-PP-QRY-6-4] List Participant Module Parameters API result example
{
  "params": {
    "key1": "value1",
    "key2": "value2",
    ...
    ...
  }
}

§ Validation Examples

§ Getting a Credential from an Authorized Issuer

This section is non-normative.

Example of an Applicant that would like to get issued a credential (HOLDER):

uml diagram
§ Add a DID to the List of Granted Issuers of a Credential Schema

This section is non-normative.

uml diagram

§ Trust deposit module

§ Trust deposit module overview

This section is non-normative.

Concept: the trust deposit is used to lock trust value as a stake. To process application messages that perform state changes, several modules methods are requiring a trust deposit to be sent, from the executing account, to the trust deposit module.

We will use a similar method than the one described here to manage trust deposit and yield calculation and easy way.

Example:

In our example, we suppose a VPR is just starting and no trust transaction have taken place yet. For this reason:

Operation #1:

an account account1 wants to create a transaction that requires:

First, the Trust Deposit: execution of the method will perform the following (we consider this account had no TrustDeposit entry yet):

Second, fee distribution: let’s suppose that trust_deposit_block_reward_share is set to 0.30 so that 70% of transaction fees are distributed to validators, and 30% of transaction fees are distributed to trust deposit holders. For this specific transaction:

Now, account1 can (optionally) reclaim the difference between the GlobalVariables.trust_deposit_share_value * tt.share minus tt.denom, which represents the trust (yield) gains.

Operation #2:

Another account account2 wants to create a transaction that requires:

First, Trust Deposit:

Second, fee distribution: let’s suppose trust_deposit_block_reward_share is set to 0.30 so that 70% of transaction fees are distributed to validators, and 30% of transaction fees are distributed to trust deposit holders. For this specific transaction:

After the 2 operations:

§ Trust Deposit Yield

The following global parameters are used to tune the Trust Deposit yield generation, in case the VPR is implemented as a ledger:

Each time there is a block reward to be distributed, trust_deposit_block_reward_share percent MUST be directed to trust deposit holders, based on their trust deposit share.

Implementers MUST make sure, for each processed block reward, that the yearly effective yield is lower or equal than trust_deposit_max_yield_rate.

§ [MOD-TD-MSG-1] Adjust Trust Deposit

This method is used to increase or decrease the trust deposit of a specific corporation account.

Only the modules that require trust deposit manipulation CAN call this method. If trust deposit has been slashed and not repaid, method execution MUST abort.

§ [MOD-TD-MSG-1-1] Adjust Trust Deposit method parameters
§ [MOD-TD-MSG-1-2] Adjust Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TD-MSG-1-2-1] Adjust Trust Deposit basic checks

Value checks:

§ [MOD-TD-MSG-1-2-2] Adjust Trust Deposit fee checks

Additionally:

§ [MOD-TD-MSG-1-3] Adjust Trust Deposit execution of the method

If all precondition checks passed, method is executed in a transaction.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

The last case, augend < 0, is to refund trust deposit (e.g. when canceling an onboarding process). The refunded amount is added to td.refunded and is reused for the next trust deposit spending.

§ [MOD-TD-MSG-2] Reclaim Trust Deposit Yield

This method is used to reclaim yield. If trust deposit has been slashed and not repaid, method execution MUST abort.

For a given TrustDeposit entry td, claimable yield is calculated like this:

claimable_yield = td.share * GlobalVariables.trust_deposit_share_value - td.deposit.

If claimable_yield is positive, it can be claimed.

§ [MOD-TD-MSG-2-1] Reclaim Trust Deposit Yield method parameters
§ [MOD-TD-MSG-2-2] Reclaim Trust Deposit Yield precondition checks
§ [MOD-TD-MSG-2-2-1] Reclaim Trust Deposit Yield basic checks
§ [MOD-TD-MSG-2-2-2] Reclaim Trust Deposit Yield fee checks

Fee payer running the transaction MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-TD-MSG-2-3] Reclaim Trust Deposit Yield execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

For the TrustDeposit entry td linked to corporation:

§ [MOD-TD-MSG-3] Void

§ [MOD-TD-MSG-4] Update Module Parameters

Update Module Parameters.

Can only be executed through a governance proposal.

§ [MOD-TD-MSG-4-1] Update Module Parameters parameters
§ [MOD-TD-MSG-4-2] Update Module Parameters precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TD-MSG-4-2-1] Update Module Parameters basic checks
§ [MOD-TD-MSG-4-2-2] Update Module Parameters fee checks

provided transaction fees MUST be sufficient for execution

§ [MOD-TD-MSG-4-3] Update Module Parameters execution

If all precondition checks passed, transaction is executed.

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

for each parameter param <key, value> in parameters:

§ [MOD-TD-MSG-5] Slash Trust Deposit

This method is used by the network governance authority to globally slash a corporation account trust deposit.

This method can only be called by a governance proposal. A globally slashed account MUST repay the slashed deposit in order to continue to use the services provided by the VPR. When and account is slashed, and while slashed deposit has not been repaid, all account linked permissions MUST be considered non trustable.

This method is for network governance authority slash. For ecosystem slash, see Slash Participant Trust Deposit.

§ [MOD-TD-MSG-5-1] Slash Trust Deposit method parameters
§ [MOD-TD-MSG-5-2] Slash Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TD-MSG-5-2-1] Slash Trust Deposit basic checks

if any of these conditions is not satisfied, transaction MUST abort.

§ [MOD-TD-MSG-5-2-2] Slash Trust Deposit fee checks

Fee payer MUST have the required estimated transaction fees in its account, else transaction MUST abort.

§ [MOD-TD-MSG-5-3] Slash Trust Deposit execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

For the TrustDeposit entry td linked to corporation:

§ [MOD-TD-MSG-6] Repay Slashed Trust Deposit

Any authorized operator CAN execute this method on behalf of a corporation.

§ [MOD-TD-MSG-6-1] Repay Slashed Trust Deposit method parameters
§ [MOD-TD-MSG-6-2] Repay Slashed Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TD-MSG-6-2-1] Repay Slashed Trust Deposit basic checks

if any of these conditions is not satisfied, transaction MUST abort.

§ [MOD-TD-MSG-6-2-2] Repay Slashed Trust Deposit fee checks
§ [MOD-TD-MSG-6-3] Repay Slashed Trust Deposit execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

For the TrustDeposit entry td linked to corporation account:

§ [MOD-TD-MSG-7] Burn Ecosystem Slashed Trust Deposit

Burn the portion of the trust deposit of a given account. This method can only be called by the permission module when performing an ecosystem-related slash.

WARNING

Make sure to properly protect access to the execution of this method else it may lead to very destructive actions.

§ [MOD-TD-MSG-7-1] Burn Ecosystem Slashed Trust Deposit method parameters
WARNING

Alternative approach: For security and consistency, implementers MAY choose to reference the ID of the slashed permission, load it and use its defined slashed_deposit value as the slashing amount. The decision between this method and specifying the amount directly is left to implementers.

§ [MOD-TD-MSG-7-2] Burn Ecosystem Slashed Trust Deposit precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-TD-MSG-7-2-1] Burn Ecosystem Slashed Trust Deposit basic checks

if any of these conditions is not satisfied, transaction MUST abort.

§ [MOD-TD-MSG-7-2-2] Burn Ecosystem Slashed Trust Deposit fee checks

Fee payer running the transaction MUST have the required estimated transaction fees in its account else transaction MUST abort.

§ [MOD-TD-MSG-7-3] Burn Ecosystem Slashed Trust Deposit execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

For the TrustDeposit entry td linked to account:

§ [MOD-TD-QRY-1] Get Trust Deposit

Any account CAN run this query. As this method does not modify data, it does not require a transaction.

§ [MOD-TD-QRY-1-1] Get Trust Deposit query parameters
§ [MOD-TD-QRY-1-2] Get Trust Deposit query checks

If any of these checks fail, query MUST fail.

§ [MOD-TD-QRY-1-3] Get Trust Deposit execution of the query

If found, returns trust deposit, else return not found.

§ [MOD-TD-QRY-2] List Module Parameters

Anyone CAN run this query.

§ [MOD-TD-QRY-2-2] List Module Parameters parameters
§ [MOD-TD-QRY-2-2] List Module Parameters query checks
§ [MOD-TD-QRY-2-3] List Module Parameters execution of the query

Return the list of the existing parameters and their values.

§ [MOD-TD-QRY-2-4] List Module Parameters API result example
{
  "params": {
    "key1": "value1",
    "key2": "value2",
    ...
    ...
  }
}

§ [MOD-DE-MSG-1] Grant Fee Allowance

This method can only be called directly by the following methods:

§ [MOD-DE-MSG-1-1] Grant Fee Allowance method parameters
§ [MOD-DE-MSG-1-2] Grant Fee Allowance basic checks

if any of these conditions is not satisfied, transaction MUST abort.

§ [MOD-DE-MSG-1-3] Grant Fee Allowance fee checks
§ [MOD-DE-MSG-1-4] Grant Fee Allowance execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Create (or update if it already exist) FeeGrant feegrant:

§ [MOD-DE-MSG-2] Revoke Fee Allowance

This method can only be called directly by the following methods:

§ [MOD-DE-MSG-2-1] Revoke Allowance method parameters
§ [MOD-DE-MSG-2-2] Revoke Fee Allowance basic checks

MUST abort if one of these conditions fails:

§ [MOD-DE-MSG-2-3] Revoke Fee Allowance fee checks
§ [MOD-DE-MSG-2-4] Revoke Fee Allowance execution of the method

If FeeGrant entry for this (corporation, grantee) exist, delete it, else do nothing.

§ [MOD-DE-MSG-3] Grant Operator Authorization

§ [MOD-DE-MSG-3-1] Grant Operator Authorization method parameters
§ [MOD-DE-MSG-3-2] Grant Operator Authorization basic checks

if any of these conditions is not satisfied, transaction MUST abort.

WARNING

An Operator Authorization CAN be granted ONLY IF no VS Operator Authorization exists for participant.corporation and participant.vs_operator. Operator Authorization and VS Operator Authorization are mutually exclusive for a given grantee.

§ [MOD-DE-MSG-3-3] Grant Operator Authorization fee checks
§ [MOD-DE-MSG-3-4] Grant Operator Authorization execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Create (or update if it already exist) Authorization authz:

if with_feegrant is false:

else if with_feegrant is true:

§ [MOD-DE-MSG-4] Revoke Operator Authorization

§ [MOD-DE-MSG-4-1] Revoke Operator Authorization method parameters
§ [MOD-DE-MSG-4-2] Revoke Operator Authorization basic checks

MUST abort if one of these conditions fails:

§ [MOD-DE-MSG-4-3] Revoke Operator Authorization fee checks
§ [MOD-DE-MSG-4-4] Revoke Operator Authorization execution of the method

§ [MOD-DE-MSG-5] Grant VS Operator Authorization

This method can only be called directly by the following Participant module methods, with no signer check:

It creates a new ParticipantAuthorizationRecord inside VSOperatorAuthorization[corporation, vs_operator] and, if the record enables a fee grant and its expiration is in the future, synchronises the on-chain FeeGrant for the containing VSOA.

This method does NOT read Participant state. All authorization configuration is provided by the caller.

§ [MOD-DE-MSG-5-1] Grant VS Operator Authorization method parameters
§ [MOD-DE-MSG-5-2] Grant VS Operator Authorization basic checks

If any of these conditions is not satisfied, transaction MUST abort.

WARNING

A VS Operator Authorization record CAN be granted ONLY IF no OperatorAuthorization exists for the same (corporation, vs_operator) pair. VS Operator Authorization and Operator Authorization are mutually exclusive for a given grantee.

§ [MOD-DE-MSG-5-3] Grant VS Operator Authorization fee checks
§ [MOD-DE-MSG-5-4] Grant VS Operator Authorization execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

§ [MOD-DE-MSG-5-5] Recompute VS Operator Fee Allowance

This is a shared subroutine invoked by [MOD-DE-MSG-5], [MOD-DE-MSG-6] and [MOD-DE-MSG-9] after they mutate vsoa.records.

Note: max_expire is bounded by the farthest record.expiration among feegrant-enabled records. The chain-level FeeGrant msg_types is the union of all such records’ msg_types. Per-record spend limits are enforced at [AUTHZ-CHECK-4] time; they are not replicated on the FeeGrant object.

§ [MOD-DE-MSG-6] Revoke VS Operator Authorization

This method can only be called directly by the following Participant module methods, with no signer check:

It removes the unique ParticipantAuthorizationRecord identified by participant_id and recomputes the on-chain FeeGrant of its containing VSOA. No-op if no such record exists.

This method does NOT read Participant state.

§ [MOD-DE-MSG-6-1] Revoke VS Operator Authorization method parameters
§ [MOD-DE-MSG-6-2] Revoke VS Operator Authorization basic checks

Note: absence of a record for participant_id is NOT an error. The method is a no-op in that case (the permission was never VS-operator-authorized, or was already revoked).

§ [MOD-DE-MSG-6-3] Revoke VS Operator Authorization fee checks
§ [MOD-DE-MSG-6-4] Revoke VS Operator Authorization execution of the method

§ [MOD-DE-MSG-9] Update VS Operator Authorization Expiration

This method can only be called directly by the following Participant module methods, with no signer check:

It updates the expiration of the unique record identified by participant_id and recomputes the on-chain FeeGrant of its containing VSOA. No-op if no record exists for participant_id.

This method does NOT read Participant state; the caller supplies the new expiration value directly.

§ [MOD-DE-MSG-9-1] Update VS Operator Authorization Expiration method parameters
§ [MOD-DE-MSG-9-2] Update VS Operator Authorization Expiration basic checks

Note: absence of a record for participant_id is NOT an error. The method is a no-op in that case (the permission does not enable VS operator authorization).

§ [MOD-DE-MSG-9-3] Update VS Operator Authorization Expiration fee checks
§ [MOD-DE-MSG-9-4] Update VS Operator Authorization Expiration execution of the method

§ [MOD-DE-QRY-1] List Operator Authorizations

Anyone CAN execute this method.

§ [MOD-DE-QRY-1-1] List Operator Authorizations parameters
§ [MOD-DE-QRY-1-2] List Operator Authorizations checks

Basic type check arg SHOULD be applied.

If any of these checks fail, query MUST fail.

§ [MOD-DE-QRY-1-3] List Operator Authorizations execution

Return a list of OperatorAuthorization entries matching the filter criteria, or an empty list if nothing found.

§ [MOD-DE-QRY-2] List VS Operator Authorizations

Anyone CAN execute this method.

§ [MOD-DE-QRY-2-1] List VS Operator Authorizations parameters
§ [MOD-DE-QRY-2-2] List VS Operator Authorizations checks

Basic type check arg SHOULD be applied.

If any of these checks fail, query MUST fail.

§ [MOD-DE-QRY-2-3] List VS Operator Authorizations execution

Return a list of VSOperatorAuthorization entries matching the filter criteria, or an empty list if nothing found.

§ [MOD-DI-MSG-1] Store Digest

§ [MOD-DI-MSG-1-1] Store Digest method parameters
§ [MOD-DI-MSG-1-2] Store Digest precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-DI-MSG-1-2-1] Store Digest basic checks

if any of these conditions is not satisfied, transaction MUST abort.

§ [MOD-DI-MSG-1-2-2] Store Digest fee checks
§ [MOD-DI-MSG-1-3] Store Digest execution of the method

Method execution MUST perform the following tasks in a transaction, and rollback if any error occurs.

Create Digest digest:

§ [MOD-DI-QRY-1] Get Digest

Anyone CAN execute this method.

§ [MOD-DI-QRY-1-1] Get Digest parameters
§ [MOD-DI-QRY-1-2] Get Digest checks

If any of these checks fail, query MUST fail.

§ [MOD-DI-QRY-1-3] Get Digest execution

If all checks passed, query is executed.

Return found Digest entry (if any) matching digest.

§ [MOD-DI-QRY-1-4] Get Digest API result example
{
  "digest": {
    "digest": "sha384-MzNNbQTWCSUSi0bbz7dbua+RcENv7C6FvlmYJ1Y+I727HsPOHdzwELMYO9Mz68M26",
    "created": "2025-01-14T19:40:37.967Z"
  }
}

§ [MOD-XR-MSG-1] Create Exchange Rate

The Create Exchange Rate method allows creating an ExchangeRate entry for a given (base_asset_type, base_asset, quote_asset_type, quote_asset) pair.

§ [MOD-XR-MSG-1] Create Exchange Rate method parameters
§ [MOD-XR-MSG-1] Create Exchange Rate precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-XR-MSG-1] Create Exchange Rate basic checks

If any of the following conditions is not satisfied, transaction MUST abort.

§ [MOD-XR-MSG-1] Create Exchange Rate fee checks

Fee payer MUST have sufficient estimated transaction fees.

§ [MOD-XR-MSG-1] Create Exchange Rate execution of the method

Create ExchangeRate entry xr:

§ [MOD-XR-MSG-2] Update Exchange Rate

The Update Exchange Rate method allows an operator authorized by network governance (via an ExchangeRateAuthorization) to push a fresh rate for a given ExchangeRate entry.

§ [MOD-XR-MSG-2] Update Exchange Rate method parameters
§ [MOD-XR-MSG-2] Update Exchange Rate precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-XR-MSG-2] Update Exchange Rate basic checks

If any of the following conditions is not satisfied, transaction MUST abort.

§ [MOD-XR-MSG-2] Update Exchange Rate fee checks

Fee payer MUST have sufficient estimated transaction fees.

§ [MOD-XR-MSG-2] Update Exchange Rate execution of the method

Load ExchangeRate xr.

§ [MOD-XR-MSG-3] Toggle Exchange Rate State

The Toggle Exchange Rate State method allows an authorized actor to enable or disable an exchange rate.

§ [MOD-XR-MSG-3] Toggle Exchange Rate State method parameters
§ [MOD-XR-MSG-3] Toggle Exchange Rate State precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-XR-MSG-3] Toggle Exchange Rate State basic checks

If any of the following conditions is not satisfied, transaction MUST abort.

§ [MOD-XR-MSG-3] Toggle Exchange Rate State fee checks

Fee payer MUST have sufficient estimated transaction fees.

§ [MOD-XR-MSG-3] Toggle Exchange Rate State execution of the method

Load ExchangeRate xr.

§ [MOD-XR-MSG-4] Grant Exchange Rate Authorization

The Grant Exchange Rate Authorization method creates (or updates) an ExchangeRateAuthorization record designating a network-level operator allowed to push fresh rates for a given ExchangeRate via [MOD-XR-MSG-2].

§ [MOD-XR-MSG-4] Grant Exchange Rate Authorization method parameters
§ [MOD-XR-MSG-4] Grant Exchange Rate Authorization precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-XR-MSG-4] Grant Exchange Rate Authorization basic checks

If any of the following conditions is not satisfied, transaction MUST abort.

§ [MOD-XR-MSG-4] Grant Exchange Rate Authorization fee checks

Fee payer MUST have sufficient estimated transaction fees.

§ [MOD-XR-MSG-4] Grant Exchange Rate Authorization execution of the method

Create (or update if it already exists) ExchangeRateAuthorization xrauthz keyed by (xr_id, operator):

§ [MOD-XR-MSG-5] Revoke Exchange Rate Authorization

The Revoke Exchange Rate Authorization method deletes an existing ExchangeRateAuthorization record, immediately preventing the designated operator from executing further [MOD-XR-MSG-2] calls on the target ExchangeRate.

§ [MOD-XR-MSG-5] Revoke Exchange Rate Authorization method parameters
§ [MOD-XR-MSG-5] Revoke Exchange Rate Authorization precondition checks

If any of these precondition checks fail, transaction MUST abort.

§ [MOD-XR-MSG-5] Revoke Exchange Rate Authorization basic checks

If any of the following conditions is not satisfied, transaction MUST abort.

§ [MOD-XR-MSG-5] Revoke Exchange Rate Authorization fee checks

Fee payer MUST have sufficient estimated transaction fees.

§ [MOD-XR-MSG-5] Revoke Exchange Rate Authorization execution of the method

§ [MOD-XR-QRY-1] Get Exchange Rate

Any account CAN run this query.

§ [MOD-XR-QRY-1-1] Get Exchange Rate query parameters

AND:

(

OR:

§ [MOD-XR-QRY-1-2] Get Exchange Rate query checks

If any of these checks fail, query MUST fail.

OR

an ExchangeRate entry with base_asset_type, base_asset, quote_asset_type, quote_asset MUST exist.

§ [MOD-XR-QRY-1-3] Get Exchange Rate execution of the query

If found, returns ExchangeRate entry, else return not found.

§ [MOD-XR-QRY-2] List Exchange Rates

Any account CAN run this query. As this method does not modify data, it does not require a transaction.

§ [MOD-XR-QRY-2-1] List Exchange Rates query parameters
§ [MOD-XR-QRY-2-2] List Exchange Rates query checks
§ [MOD-XR-QRY-2-3] List Exchange Rates execution of the query

If found, returns a list of found ExchangeRates, else return an empty list.

§ [MOD-XR-QRY-3] Get Price

Anyone CAN run this query, throgh module call or using the API.

§ [MOD-XR-QRY-3] Get Price Example

base_asset_type = TU base_asset = “tu” quote_asset_type = COIN quote_asset = “uvna” rate = R rate_scale = S

If a valid ExchangeRate entry exists with:

then the price of amount Trust Unit expressed in uvna MUST be computed using the following formula:

price_uvna = floor(amount * rate / 10^rate_scale)

Where:

If the corresponding ExchangeRate entry is expired or missing, the conversion MUST fail.

§ [MOD-XR-QRY-3-1] Get Price parameters
§ [MOD-XR-QRY-3-2] Get Price query checks

If the corresponding ExchangeRate entry is expired or missing, the conversion MUST fail and an error is returned

§ [MOD-XR-QRY-3-3] Get Price execution of the query
WARNING
  • Conversions use base units only.
  • Integer arithmetic MUST be used.
  • quote_amount = floor(base_amount × rate / 10^rate_scale).
  • Expired rates MUST NOT be used.

§ Initial Data Requirements

§ [GLO] Global Variables

Global variables CAN only be changed by the governance authority through proposals.

Default values MUST be set at VPR initialization (genesis). Below you’ll find some possible values. These values will have to be defined in the governance framework.

Credential Schema:

Trust Deposit:

§ References

§ Normative References

DID-CORE
Decentralized Identifiers (DIDs) v1.0. Manu Sporny; Amy Guy; Markus Sabadello; Drummond Reed; 2022-07-19. Status: REC.
RFC3986
Uniform Resource Identifier (URI): Generic Syntax. T. Berners-Lee; R. Fielding; L. Masinter; 2005-01. Status: Internet Standard.
VC-DATA-MODEL
Verifiable Credentials Data Model v1.1. Manu Sporny; Grant Noble; Dave Longley; Daniel Burnett; Brent Zundel; Kyle Den Hartog; 2022-03-03. Status: REC.

Table of Contents
undefined