{
"id": "zone.stratos.actor.enrollment",
"defs": {
"main": {
"key": "any",
"type": "record",
"record": {
"type": "object",
"required": [
"service",
"signingKey",
"attestation",
"createdAt"
],
"properties": {
"service": {
"type": "string",
"format": "uri",
"description": "The Stratos service endpoint URL where this user's private data is stored."
},
"createdAt": {
"type": "string",
"format": "datetime",
"description": "Timestamp when the enrollment was created."
},
"boundaries": {
"type": "array",
"items": {
"ref": "zone.stratos.boundary.defs#Domain",
"type": "ref"
},
"maxLength": 50,
"description": "List of boundaries the user has access to on this Stratos service."
},
"signingKey": {
"type": "string",
"description": "The user's P-256 public key as a did:key string, generated by the Stratos service for user-level record signing."
},
"attestation": {
"ref": "#serviceAttestation",
"type": "ref",
"description": "Service attestation vouching for the user's enrollment, boundaries, and signing key."
}
}
},
"description": "A record indicating the user is enrolled in a Stratos service. Published to the user's PDS during OAuth enrollment for endpoint discovery by AppViews. Multiple enrollment records are supported — one per Stratos service."
},
"serviceAttestation": {
"type": "object",
"required": [
"sig",
"signingKey"
],
"properties": {
"sig": {
"type": "bytes",
"description": "Raw signature bytes computed over the DAG-CBOR encoded attestation payload, produced with the service key."
},
"signingKey": {
"type": "string",
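"description": "The Stratos service's public key as a did:key string, used to verify the attestation signature. Because this value is carried inside the record itself, a verifier should confirm it is the key of the service named in the enrollment's service field before trusting the attestation."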
}
},
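"description": "An attestation signed by the Stratos service key. The signed payload is the DAG-CBOR encoding of {boundaries, did, signingKey} with sorted keys; the signingKey inside the payload is the user's signing key that the attestation vouches for, not the service key carried in this object. Enrollment fields outside this payload (service, createdAt) are not covered by the signature."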
}
},
"$type": "com.atproto.lexicon.schema",
"lexicon": 1
}