Preview release. These docs are a work in progress. Pages are still being written, links may break, and structure may shift without notice. Treat everything here as a draft and report issues on GitHub.
Registry Platform reference
Use this page to identify which shared crate owns a primitive and which repo owns the product behavior around it.
The authoritative crate APIs live in the upstream registry-platform workspace.
Crate inventory
| Crate | Shared surface | Current consumers |
|---|---|---|
| registry-platform-authcommon | Bearer parsing, API-key fingerprinting, static credential helpers | Relay, Notary |
| registry-platform-audit | Audit envelopes, async sinks, chain verification, redaction helpers, audit hash secret handling | Relay, Notary |
| registry-platform-crypto | Ed25519 JWK parsing/signing/verification, DID validation, JSON canonicalization | Relay, Notary, Platform OIDC and SD-JWT crates |
| registry-platform-httpsec | CORS validation, security headers, body limits, RFC 7807 helpers | Relay, Notary |
| registry-platform-httputil | Outbound HTTP clients, bounded reads, URL and fetch policy validation | Relay, Notary, Platform OIDC |
| registry-platform-oidc | OIDC discovery, JWKS fetch/cache, JWT verification | Relay, Notary |
| registry-platform-sdjwt | SD-JWT VC issuance, disclosure construction, holder-proof validation | Relay provenance helpers, Notary credential issuance |
| registry-platform-testing | Mock IdP, mock HTTP upstream, key fixtures, audit chain assertions | Notary tests, Platform cross-crate tests |
Consumer boundary
| Concern | Platform owns | Consumer owns |
|---|---|---|
| API-key auth | Fingerprint format, constant-time comparison helpers, Bearer parsing | Config shape, principal IDs, scopes, route enforcement |
| OIDC | Token verification, JWKS fetch/cache, standard claim validation | Accepted issuer/audience, scope mapping, allowed clients, auth mode selection |
| Audit | Envelope shape, chain state, sinks, verification, redaction helpers | Event schema, retention policy, sink configuration, operational monitoring |
| HTTP security | Middleware primitives and reusable problem responses | Which routes expose docs, CORS policy values, deployment proxy configuration |
| Outbound HTTP | URL policy, bounded reads, client construction | Which upstreams are trusted and what credentials are attached |
| SD-JWT VC | Issuance and holder-proof helper primitives | Credential profile config, claim selection, disclosure policy, issuing workflow |
| Crypto and DID | Shared Ed25519 JWK and DID helper behavior | Which DID methods and issuers are accepted by a product surface |
Consumption model
Registry applications should pin Platform by git tag or revision, then depend only on the crates they need. Local development in this workspace currently uses sibling path dependencies beside Relay and Notary.
The shared crates are private workspace crates, not a standalone hosted service. No Platform OpenAPI document exists because Platform does not own HTTP routes.