macula_ucan_nif (macula v1.4.25)
UCAN (User Controlled Authorization Networks) token operations.
This module provides creation, verification, and manipulation of UCAN tokens for decentralized authorization in the Macula mesh. UCANs are self-contained capability tokens that support delegation.
Token Structure
UCAN tokens follow JWT format: header.payload.signature
Header:
- alg: "EdDSA" (Ed25519)
- typ: "JWT"
- ucv: "0.10.0" (UCAN version)

Payload:
- iss: Issuer DID (did:macula:io.macula.org)
- aud: Audience DID
- cap: Capabilities [{with, can}, ...]
- exp: Expiration (optional, unix timestamp)
- nbf: Not before (optional, unix timestamp)
- nnc: Nonce (optional, for uniqueness)
- fct: Facts (optional, metadata)
- prf: Proof chain (CIDs of parent tokens)
Summary
Functions
Compute the CID (Content ID) of a UCAN token. Used for proof chains.
Equivalent to create(Issuer, Audience, Capabilities, PrivateKey, #{}).
Create a new UCAN token with options.
Decode a UCAN token without verification. WARNING: This does NOT verify the signature!
Get the audience DID from a UCAN token.
Get capabilities from a UCAN token.
Get expiration timestamp from a UCAN token.
Get the issuer DID from a UCAN token.
Get proof chain from a UCAN token.
Check if a UCAN token is expired.
Check if the NIF is loaded.
Verify a UCAN token. Checks signature, expiration, and not-before. Returns the decoded payload on success.
Types
-type did() :: binary().
-type ucan_opts() :: #{exp => non_neg_integer(), nbf => non_neg_integer(), nnc => binary(), fct => map(), prf => [binary()]}.
Functions
Compute the CID (Content ID) of a UCAN token. Used for proof chains.
-spec create(Issuer :: did(), Audience :: did(), Capabilities :: [capability()], PrivateKey :: binary()) -> {ok, Token :: binary()} | {error, term()}.
Equivalent to create(Issuer, Audience, Capabilities, PrivateKey, #{}).
Create a new UCAN token.
-spec create(Issuer :: did(), Audience :: did(), Capabilities :: [capability()], PrivateKey :: binary(), Opts :: ucan_opts()) -> {ok, Token :: binary()} | {error, term()}.
Create a new UCAN token with options.
Options:
- exp: Expiration timestamp (unix seconds)
- nbf: Not before timestamp (unix seconds)
- nnc: Nonce (for uniqueness)
- fct: Facts map (metadata)
- prf: Proof chain (list of CIDs of parent tokens)
Decode a UCAN token without verification. WARNING: This does NOT verify the signature!
Get the audience DID from a UCAN token.
-spec get_capabilities(Token :: binary()) -> {ok, [capability()]} | {error, term()}.
Get capabilities from a UCAN token.
-spec get_expiration(Token :: binary()) -> {ok, non_neg_integer() | null} | {error, term()}.
Get expiration timestamp from a UCAN token.
Get the issuer DID from a UCAN token.
Get proof chain from a UCAN token.
Check if a UCAN token is expired.
-spec is_nif_loaded() -> boolean().
Check if the NIF is loaded.
Verify a UCAN token. Checks signature, expiration, and not-before. Returns the decoded payload on success.
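The Token Structure section and the warning on unverified decoding, illustrated as an added example (not code from macula): a `header.payload.signature` token is built and checked with OTP's `crypto` module, then its payload is swapped to show that it still decodes while the signature check fails. The module name `ucan_shape_demo`, the sample DIDs and capability strings, the OTP-generated key pair and the JWS-style signing input are assumptions, and OTP 26+ is assumed for url-safe base64.

```erlang
%% Added example, not part of macula. Keys come from OTP crypto and need not
%% match the key format macula_ucan_nif expects (assumption).
-module(ucan_shape_demo).
-export([run/0, sign_token/3, signature_ok/2, peek_payload/1]).

-define(B64, #{mode => urlsafe, padding => false}).

%% header.payload.signature; Ed25519 over the bytes "header.payload"
%% (the JWS convention, assumed here for a JWT-format token).
sign_token(HeaderJson, PayloadJson, Priv) ->
    H = base64:encode(HeaderJson, ?B64),
    P = base64:encode(PayloadJson, ?B64),
    SigningInput = <<H/binary, $., P/binary>>,
    Sig = crypto:sign(eddsa, none, SigningInput, [Priv, ed25519]),
    <<SigningInput/binary, $., (base64:encode(Sig, ?B64))/binary>>.

%% What an unverified decode sees: any well-formed payload segment decodes.
peek_payload(Token) ->
    case binary:split(Token, <<".">>, [global]) of
        [_H, P, _S] -> {ok, base64:decode(P, ?B64)};
        _ -> {error, malformed}
    end.

%% Signature check against the issuer's public key; false on malformed input.
signature_ok(Token, Pub) ->
    case binary:split(Token, <<".">>, [global]) of
        [H, P, S] ->
            try
                Sig = base64:decode(S, ?B64),
                crypto:verify(eddsa, none, <<H/binary, $., P/binary>>, Sig, [Pub, ed25519])
            catch _:_ -> false
            end;
        _ -> false
    end.

run() ->
    {Pub, Priv} = crypto:generate_key(eddsa, ed25519),
    Header = <<"{\"alg\":\"EdDSA\",\"typ\":\"JWT\",\"ucv\":\"0.10.0\"}">>,
    %% Constructed sample claims; DIDs and capability strings are placeholders.
    Narrow = <<"{\"iss\":\"did:macula:example.issuer\",\"aud\":\"did:macula:example.aud\",\"cap\":[{\"with\":\"res:a\",\"can\":\"read\"}]}">>,
    Wide = binary:replace(Narrow, <<"read">>, <<"write">>),
    Token = sign_token(Header, Narrow, Priv),
    [H, _P, S] = binary:split(Token, <<".">>, [global]),
    %% Payload the issuer never signed, carried with the original signature.
    Forged = <<H/binary, $., (base64:encode(Wide, ?B64))/binary, $., S/binary>>,
    {ok, Wide} = peek_payload(Forged),   % decodes cleanly, proves nothing
    true = signature_ok(Token, Pub),
    false = signature_ok(Forged, Pub),
    ok.
```

Claims read from a decode-only path are untrusted input until the signature, expiration and not-before checks have passed.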