# tech.lenooby09.kvcs.signingKey > Published by [lenooby09.tech](https://lexicon.garden/identity/did:plc:xocoka6dmx74ciqskczoh6ci) ✓ This is the authoritative definition for this NSID. ## Description An atproto identity (did:plc / did:web) endorses a local kvcs patch-signing key (did:key / did:jwk) by hosting this record on its PDS. Existence of the record over an OAuth-authenticated write proves the atproto DID consented to the binding; the inner JWS proves the local key consented in turn. ## Links - [View on Lexicon Garden](https://lexicon.garden/lexicon/did:plc:xocoka6dmx74ciqskczoh6ci/tech.lenooby09.kvcs.signingKey) - [Documentation](https://lexicon.garden/lexicon/did:plc:xocoka6dmx74ciqskczoh6ci/tech.lenooby09.kvcs.signingKey/docs) - [Examples](https://lexicon.garden/lexicon/did:plc:xocoka6dmx74ciqskczoh6ci/tech.lenooby09.kvcs.signingKey/examples) ## Definitions ### `tech.lenooby09.kvcs.signingKey` **Type**: `record` A bidirectional binding between this repo's atproto DID and a kvcs local signing key. Verifiers MUST check that `jws` is a valid compact JWS produced by `localDid` over the canonical JSON `{atprotoDid, localDid, jwk}`; records without a verifying inner JWS are ignored. **Key**: `any` | Property | Type | Required | Description | |----------|------|----------|-------------| | `jwk` | `unknown` | Yes | The localDid's verification method as a JWK (`kty`, `crv`, `x`, optionally `y` / `kid`). Public-only; never includes the private `d` coordinate. | | `jws` | `string` | Yes | Detached compact JWS by `localDid` over the canonical JSON `{atprotoDid, localDid, jwk}`, where `atprotoDid` is the repo this record lives under. 8192 chars covers Ed25519 / ES256 / ES256K compact-JWS sizes with a comfortable margin. | | `localDid` | `string` | Yes | The local kvcs signing DID being endorsed (did:key:... or did:jwk:...). Capped at 2048 chars to accommodate did:jwk values whose method-specific id embeds a base64url-encoded JWK. | | `createdAt` | `string` (datetime) | Yes | ISO-8601 timestamp at which the endorsement was issued. | ## Raw Schema ```json { "id": "tech.lenooby09.kvcs.signingKey", "defs": { "main": { "key": "any", "type": "record", "record": { "type": "object", "required": [ "localDid", "jwk", "jws", "createdAt" ], "properties": { "jwk": { "type": "unknown", "description": "The localDid's verification method as a JWK (`kty`, `crv`, `x`, optionally `y` / `kid`). Public-only; never includes the private `d` coordinate." }, "jws": { "type": "string", "maxLength": 8192, "description": "Detached compact JWS by `localDid` over the canonical JSON `{atprotoDid, localDid, jwk}`, where `atprotoDid` is the repo this record lives under. 8192 chars covers Ed25519 / ES256 / ES256K compact-JWS sizes with a comfortable margin." }, "localDid": { "type": "string", "maxLength": 2048, "description": "The local kvcs signing DID being endorsed (did:key:... or did:jwk:...). Capped at 2048 chars to accommodate did:jwk values whose method-specific id embeds a base64url-encoded JWK." }, "createdAt": { "type": "string", "format": "datetime", "description": "ISO-8601 timestamp at which the endorsement was issued." } } }, "description": "A bidirectional binding between this repo's atproto DID and a kvcs local signing key. Verifiers MUST check that `jws` is a valid compact JWS produced by `localDid` over the canonical JSON `{atprotoDid, localDid, jwk}`; records without a verifying inner JWS are ignored." } }, "$type": "com.atproto.lexicon.schema", "lexicon": 1, "description": "An atproto identity (did:plc / did:web) endorses a local kvcs patch-signing key (did:key / did:jwk) by hosting this record on its PDS. Existence of the record over an OAuth-authenticated write proves the atproto DID consented to the binding; the inner JWS proves the local key consented in turn." } ```