Preview release. These docs are a work in progress. Pages are still being written, links may break, and structure may shift without notice. Treat everything here as a draft and report issues on GitHub.
Registry Notary answers configured claims about a person or entity by reading the minimum data from a source registry, without becoming a copy of that registry. Depending on the claim, it returns a claim result, renders a supported format, or issues a short-lived SD-JWT VC credential.
Pick your path below. New to Registry Notary? Start with the hosted walkthrough or a runnable local tutorial. If you are configuring or operating Notary, start with the architecture overview.
- See it live: watch Notary issue a privacy-preserving credential against a hosted lab, with zero install.
- Verify a claim with Registry Notary: add Notary to a local registry API project with registryctl. Its final section, Run Notary standalone for an API you operate, covers creating a standalone Notary project for a source API you operate.
- Architecture overview: what Registry Notary is, the request lifecycle, and how the layers relate.
- Capability matrix: which flows Notary supports today, by persona and system.
- Identity and record matching: how Notary resolves the target entity to a source record, the outcome model, and matching policy.
Integrate
For application and wallet developers calling the API or the SDKs.
- Client SDK guide: evaluate claims and issue credentials from Rust, Python, and Node.js.
- API reference: the route-to-client-method matrix and the stable problem-code registry.
- Wallet interop with OID4VCI: the OpenID4VCI wallet facade contract and compatibility checklist.
- SD-JWT VC conformance: the supported credential wire contract and the explicit non-support list.
- OpenCRVS DCI tutorial: issue local demo SD-JWT VCs from OpenCRVS birth-record evidence.
- Scenario patterns: reusable evaluation, federation, and issuance flows with sequence diagrams.
Operate
For operators deploying, configuring, and running a Registry Notary.
- Configuration reference: the config blocks for auth, evidence, sources, replay, status, self-attestation, OID4VCI, and federation.
- Model sources and claims: design source connectors, OpenFn sidecars, claim boundaries, disclosure, and batch reads.
- Signing key providers: SD-JWT VC signing-key configuration, rotation, and PKCS#11 setup.
- Self-attestation: citizen OIDC subject binding, token policy, allow-lists, and rollout.
- Federated evaluation: static-peer setup, environment variables, and the replay limitation.
- Credential lifecycle and status: short-lived credentials, optional live status, retention, and verifier caveats.
- Sidecar trust and secret handling: how the OpenFn sidecar verifies its configuration, how Notary pins the sidecar it trusts, how secrets are handled, and what that path does and does not protect against.
- Deployment hardening runbook: production-readiness checklist for network boundaries, secrets, Redis, audit, and rollback.
Build and maintain
For maintainers changing the code or reviewing design history.
- Workspace layout: the crates and bindings and what each owns.
- Command-line interface: the server binary and its subcommands.
- Design records: specifications and implementation traces, kept as design history.
- Security assurance: CI security gates, image publication and signing policy.