Hosted on hyper.media via the Hypermedia Protocol

    UCANS: User Control Authorization Networks

    Open Source Project from Brooklyn Zelenka, github.com/expede

    The JSON below is the payload of a UCAN JWT. It describes who is granting a capability, to whom, for what, and under what conditions.

    UCAN is a new authorization system for the decentralized web. It solves the Confused Deputy problem that ACL schemes have in distributed systems: once we break from the client-server model, servers that rely on ACLs can no longer be sure who actually holds authority for a given request.

    Who is using UCANs: CRDTs, flat-file storage, databases, decentralized compute, name systems, email, etc., as well as a distributed RPC framework.

      Certificate Capability Model

    Payload

      {
        "iss": "did:key:z6Mkr5aefin1DzjG7MBJ3nsFCsnvHKEvTb2C4YAJwbxt1jFS",
        "aud": "did:key:z6MkfQhLHB5FMuR7bQXTQeqe5kYUWi5lHpfZeaymgylzkP2jM",
        "exp": 9256939505,
        "att": [
          {
            "with": "did:key:z6Mkod5Jr3yd5SC7UDueqK4dAAw5xYJYjksy722tA9Boxc4z",
            "can": "store/add"
          }
        ],
        "prf": []
      }

      Attributes

        iss - Issuer: the one granting the capability. "I, the issuer, grant this permission"

        aud - Audience: the one receiving the capability, i.e. the authorized party. "I grant this permission to you"

        exp - Expiration Time: the UCAN becomes invalid after this moment.

        att - Attenuations: the specific capabilities granted. This is the core of a UCAN.

        Each entry describes a single capability consisting of:

          with - The resource being authorized. Usually a DID or namespace representing a storage space, object, or service.

          can - The action permitted.

            Capabilities follow a resource/action pattern. In this case, the audience is allowed to add items to this store.

        prf - Proofs: delegation chain.

      Invocations


        A UCAN invocation is a signed request that uses a capability defined by a UCAN. While a UCAN itself is a proof that an actor has permission, an invocation is the act of exercising that permission—specifying who is making the request, which capability they are invoking, and any arguments needed for the action. Nodes receiving the invocation can independently verify both the caller’s signature and the UCAN proof chain, enabling secure, decentralized execution without relying on a central authority.
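      As an added example (not code from these notes or from the UCAN project), the JavaScript below applies the payload rules described above to a two-hop delegation: each hop must be unexpired, the proof's aud must match the next UCAN's iss, every att entry must be covered by a proof's att, and the root UCAN must be issued by the resource owner. All DIDs, the owner map and the namespace-wildcard convention ("store/*") are constructed assumptions; signature verification of the JWT is out of scope.

```javascript
// Added example (not from the notes or the UCAN project): validates a two-hop UCAN
// delegation against the payload rules above: exp, iss/aud linkage to proofs, and
// attenuation. DIDs are constructed placeholders; signature checks are out of scope.
// Assumed: the verifier knows which DID controls each resource.
const OWNER_OF = { "did:key:zStore": "did:key:zOwner" };

// Root UCAN: the resource owner grants a service every "store/*" action.
const ROOT_UCAN = {
  iss: "did:key:zOwner",
  aud: "did:key:zService",
  exp: 9256939505,
  att: [{ with: "did:key:zStore", can: "store/*" }],
  prf: [],
};

// Child UCAN: the service re-delegates only "store/add", citing the root as proof.
const CHILD_UCAN = {
  iss: "did:key:zService",
  aud: "did:key:zClient",
  exp: 9256939505,
  att: [{ with: "did:key:zStore", can: "store/add" }],
  prf: [ROOT_UCAN],
};

// exp is seconds since the epoch; a missing exp is treated here as open-ended.
function isExpired(ucan, nowSeconds) {
  return typeof ucan.exp === "number" && nowSeconds >= ucan.exp;
}
// A proof ability covers a request when identical, or when it is a namespace
// wildcard such as "store/*" (assumed convention) and the request falls under it.
function abilityCovers(proofCan, requestedCan) {
  if (proofCan === "*" || proofCan === requestedCan) return true;
  return proofCan.endsWith("/*") && requestedCan.startsWith(proofCan.slice(0, -1));
}
// Each attenuation must be backed by a proof whose audience is this UCAN's
// issuer and whose own attenuations cover the same resource and ability.
function attenuationsCovered(ucan) {
  return ucan.att.every((cap) =>
    ucan.prf.some((proof) => proof.aud === ucan.iss &&
      proof.att.some((p) => p.with === cap.with && abilityCovers(p.can, cap.can))));
}

// Walk to the root: every hop must be unexpired and attenuated; a root (empty prf)
// is valid only if its issuer owns every resource it grants.
function validateChain(ucan, nowSeconds, ownerOf) {
  if (isExpired(ucan, nowSeconds)) return false;
  if (ucan.prf.length === 0) return ucan.att.every((cap) => ownerOf[cap.with] === ucan.iss);
  return attenuationsCovered(ucan) &&
    ucan.prf.every((proof) => validateChain(proof, nowSeconds, ownerOf));
}
```

A failing result for a tampered child (different resource, wrong issuer, or an ability outside the proof's namespace) is what a receiving node relies on to refuse the invocation.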

    Resources