{
"id": "tech.lenooby09.kvcs.signingKey",
"defs": {
"main": {
"key": "any",
"type": "record",
"record": {
"type": "object",
"required": [
"localDid",
"jwk",
"jws",
"createdAt"
],
"properties": {
"jwk": {
"type": "unknown",
"description": "The localDid's verification method as a JWK (`kty`, `crv`, `x`, optionally `y` / `kid`). Public-only; never includes the private `d` coordinate."
},
"jws": {
"type": "string",
"maxLength": 8192,
"description": "Detached compact JWS by `localDid` over the canonical JSON `{atprotoDid, localDid, jwk}`, where `atprotoDid` is the repo this record lives under. 8192 chars covers Ed25519 / ES256 / ES256K compact-JWS sizes with a comfortable margin."
},
"localDid": {
"type": "string",
"maxLength": 2048,
"description": "The local kvcs signing DID being endorsed (did:key:... or did:jwk:...). Capped at 2048 chars to accommodate did:jwk values whose method-specific id embeds a base64url-encoded JWK."
},
"createdAt": {
"type": "string",
"format": "datetime",
"description": "ISO-8601 timestamp at which the endorsement was issued."
}
}
},
"description": "A bidirectional binding between this repo's atproto DID and a kvcs local signing key. Verifiers MUST check that `jws` is a valid compact JWS produced by `localDid` over the canonical JSON `{atprotoDid, localDid, jwk}`; records without a verifying inner JWS are ignored."
}
},
"$type": "com.atproto.lexicon.schema",
"lexicon": 1,
"description": "An atproto identity (did:plc / did:web) endorses a local kvcs patch-signing key (did:key / did:jwk) by hosting this record on its PDS. Existence of the record over an OAuth-authenticated write proves the atproto DID consented to the binding; the inner JWS proves the local key consented in turn."
}