Decentralized Identifier Resolution (DID Resolution) v0.3

Algorithms and guidelines for resolving DIDs and dereferencing DID URLs

W3C Editor's Draft 13 April 2026

Abstract

Decentralized identifier (DID) resolution is the process of obtaining the authoritative DID document and associated metadata, taking into account any query parameters that affect DID document selection. The resulting DID document contains information that enables cryptographically verifiable interactions with the DID controller related to the DID subject, including, e.g., cryptographic public keys. This specification covers the algorithms and guidelines to be used for DID resolution and dereferencing DID URLs, relying on the core DID specification Decentralized Identifiers (DIDs) v1.0 for DID and DID URL syntax and the DID document data format.

Status of This Document

This is a preview

Do not attempt to implement this version of the specification. Do not reference this version as authoritative in any way. Instead, see https://w3c.github.io/did-resolution/ for the Editor's draft.

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C standards and drafts index.

Comments regarding this document are welcome. Please file issues directly on GitHub, or send them to public-did-wg@w3.org (subscribe, archives).

Portions of the work on this specification have been funded by the United States Department of Homeland Security's Science and Technology Directorate under contracts HSHQDC-17-C-00019. The content of this specification does not necessarily reflect the position or the policy of the U.S. Government and no official endorsement should be inferred.

Work on this specification has also been supported by the Rebooting the Web of Trust community facilitated by Christopher Allen, Shannon Appelcline, Kiara Robles, Brian Weller, Betty Dhamers, Kaliya Young, Kim Hamilton Duffy, Manu Sporny, Drummond Reed, Joe Andrieu, and Heather Vescent.

This document was published by the Decentralized Identifier Working Group as an Editor's Draft.

Publication as an Editor's Draft does not imply endorsement by W3C and its Members.

This is a draft document and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to cite this document as other than a work in progress.

This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent that the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 18 August 2025 W3C Process Document.

DID Resolution is the first step in dereferencing a DID URL

Client software dereferences identifiers to retrieve the value of a reference and bring it into the current computational context. Dereferencing a DID URL is what a DID-enabled application does to bring the referent of that DID URL into the current context.

In programming languages like c and c++, dereferencing a pointer means accessing, interpreting, or applying the value pointed to by that pointer in the current computational context. On the Web, dereferencing a URL means retrieving a representation of a resource and returning it for interactions in the local context. For web pages, that means displaying the retrieved HTML in the browser, with an appropriate view. For asynchronous JavaScript, aka AJAX requests, it means bringing the result from an HTTP request into the current JavaScript context for processing, often to change the content of the page. Dereferencing a DID URL means retrieving the appropriate resource referred to by the DID URL and applying it in the current context.

Resolution acquires the authoritative metadata that enables resource retrieval. Resolving an HTTP URL means resolving the authority part (typically a host or domain name) to get the IP address to use for the HTTP request. Resolving a DID URL gets the DID document and associated metadata that defines the cryptographic material and service endpoints for securely interacting with the associated resource. The client dereferencing the DID URL uses the result returned from resolution to retrieve the actual resource and apply it to the current computational context, either by displaying the resulting resource or by extracting information from the DID document to perform some other function, such as evaluating a given proof against verification methods in the DID document.

DID URL resolution depends on method-specific interactions with the DID method's Verifiable Data Registry. Every DID method defines its own approach to retrieving DID state from a VDR. DID Resolvers provide a standard interface to abstract those VDR interactions away, enabling any DID-enabled application to rely on a consistent API, regardless of how the method interacts with a VDR.

DIDs can be used as identifiers for both subjects and issuers of Verifiable Credentials and can anchor any number of cryptographic verification relationships, such as assertion, authentication, capability invocation and delegation, and key agreement.

A discussion of Decentralized Identifier use cases can be found in the W3C's Use Cases and Requirements for Decentralized Identifiers.

This specification defines how DID URL enabled applications can dereference a DID URL into the current context, including how to resolve the DID URL to get the authoritative DID document used for retrieving the actual resource.

Note that while this specification defines base-level functionality for DID resolution, the actual steps required to communicate with a DID's verifiable data registry are defined by the applicable DID method specification and implemented by resolvers that support those methods.

This section is non-normative.

When using a DID URL to interact with a resource, first perform resolution, then apply that result to the relevant workflow.

By invoking a DID resolver using the standard resolve(didURL, resolutionOptions) interface (as defined in the DID Resolution section), one obtains the authoritative DID document and accompanying metadata.

With that DID document, clients can do any combination of zero or more of the following:

Further dereference the DID URL to retrieve a secondary resource. This is necessary when a DID URL contains a fragment or when a web server returns a redirect.
Return the DID document to another process.
Display the final dereferenced result to the current user, using the resource's media type.
If the final resource is a DID Document, interpret the DID document to evaluate verification methods or other properties.

The resolving client MAY choose any of these options depending on the context in which the DID URL is used.

For example, the following HTML snippet would cause the associated image to be shown in the browser displaying the HTML page containing it.

Example 1: A DID URL used to retrieve and display an image.

<img src="did:example:abc/image.png?service=pathService">

Alternatively, a verifier working with the following verifiable credential proof property would evaluate the proof using the #key-1 verification method from the DID document returned from passing the BASE DID URL did:example:abc to a resolver.

Example 2: A Data Integrity proof produced by did:example:abc#key-1

{
  "proof": {
  "type": "DataIntegrityProof",
  "cryptosuite": "eddsa-rdfc-2022",
  "created": "2021-11-13T18:19:39Z",
  "verificationMethod": "did:example:abc#key-1",
  "proofPurpose": "assertionMethod",
  "proofValue": "z58DAdFfa9SkqZMVPxAQp...jQCrfFPP2oumHKtz"
  }
}

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY, MUST, MUST NOT, NOT REQUIRED, OPTIONAL, RECOMMENDED, REQUIRED, and SHOULD in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

A conforming DID resolver is any algorithm realized as software and/or hardware that complies with the relevant normative statements in 7. DID Resolution.

A conforming network-based DID resolver is a conforming DID resolver that additionally complies with the normative statements in 13.1 HTTP(S) Binding.

A conforming DID URL client is any algorithm realized as software and/or hardware that complies with the relevant normative statements in 8. DID URL Dereferencing.

Note: Dereferencing is local

There is no network-based DID URL client as dereferencing is fundamentally a client-side function in which the software retrieves (or interacts with) a remote resource and applies it to the current context.

This section is non-normative.

This specification has three primary audiences: implementers of conformant DID methods; implementers of conformant DID resolvers; and implementers of systems and services that wish to resolve DIDs using DID resolvers. The intended audience includes, but is not limited to, software architects, data modelers, application developers, service developers, testers, operators, and user experience (UX) specialists. Other people involved in a broad range of standards efforts related to decentralized identity, verifiable credentials, and secure storage might also be interested in reading this specification.

This section is non-normative.

The DID resolution specification is intended to support a broad range of use cases by defining a standardized interface to resolve DIDs and dereference DID URLs independent of the DID method of any particular DID. These use cases include:

A decentralized address book: By using DIDs as identifiers for people and organizations within an address book, the controllers of those DIDs can independently update the contents of their DID documents. Through DID resolution, these DIDs can be resolved to obtain the current state of the DID document for any given contact, enabling persistent stable identifiers with updatable services and verification material necessary for continued verifiable interactions.
Verifying a Verifiable Credential: Verifiable Credentials are signed by an issuer and given to a holder. The holder can then create a Verifiable Presentation that is presented to a verifier. By using DIDs to identify issuers and holders within a credential, an issuer enables a verifier to use DID resolution to resolve the DID documents of the identified issuers and holders to obtain the verification material necessary to verify the signatures on the Verifiable Presentation.
Auditability: DID resolution can be used to obtain the historical state of a DID document either at a specific point in time or for a specific version. This can be used to audit the historical verifiable actions of a DID controller; for example, the issuance of a verifiable receipt or the signing of a contract.
DID URL based resource retrieval: A DID controller can add service endpoints to their DID document that point to resources they control; for example, a profile picture. If DID URLs are used to reference these resources, web applications can use DID resolution and DID URL dereferencing to retrieve the current version of the resource(s). The DID URL can be used as a persistent, dereferenceable identifier for these resources, while the DID controller can independently change the resource over time.

This section defines the terms used in this specification and throughout decentralized identifier infrastructure. A link to these terms is included whenever they appear in this specification.

binding

A concrete mechanism through which a client invokes a DID resolver. This could be a local binding such as a local command line tool or library API, or a remote binding such as the HTTP(S) binding. See Section 10.2 Resolver Architectures.

Base DID URL

A version of the input DID URL passed in the Resolve function call. This is the incoming DID URL stripped of any fragment part, as fragments are handled by the DID URL client and not sent to the Resolver.

DID resolution result

A data structure that represents the result of the DID resolution algorithm. May contain a DID document. See Section 11. DID Resolution Result.

resource

As defined by [RFC3986]: "...the term 'resource' is used in a general sense for whatever might be identified by a URI." Similarly, any resource might serve as a DID subject identified by a DID.

representation

As defined for HTTP by [RFC9110]: "information that is intended to reflect a past, current, or desired state of a given resource, in a format that can be readily communicated via the protocol. A representation consists of a set of representation metadata and a potentially unbounded stream of representation data." A DID document is a representation of information describing a DID subject. See Decentralized Identifiers (DIDs) v1.0.

local binding

A binding where the client invokes a DID resolver that runs on the same network host, e.g., via a local command line tool or library API. In this case, the DID resolver is sometimes also called a "local DID resolver". See Section 10.2 Resolver Architectures.

remote binding

A binding where the client invokes a DID resolver that runs on a different network host, e.g., via the HTTP(S) binding. In this case, the DID resolver is sometimes also called a "remote DID resolver". See Section 10.2 Resolver Architectures.

services

Means of communicating or interacting with the DID subject or associated entities via one or more DID service endpoints. Examples include discovery services, agent services, social networking services, file storage services, and verifiable credential repository services.

unverifiable resolution

A low confidence implementation of a DID method's "Resolve" operation between the DID resolver and the verifiable data registry, to obtain the DID document. There is no guarantee about the integrity and correctness of the result. See Section 10.1 Method Architectures.

verification method

A set of parameters that can be used together with a process to independently verify a proof. For example, a cryptographic public key can be used as a verification method with respect to a digital signature; in such usage, it verifies that the signer possessed the associated cryptographic private key.

"Verification" and "proof" in this definition are intended to apply broadly. For example, a cryptographic public key might be used during Diffie-Hellman key exchange to negotiate a shared symmetric key for encryption. This guarantees the integrity of the key agreement process. It is thus another type of verification method, even though descriptions of the process might not use the words "verification" or "proof."

verifiable resolution

A high confidence implementation of a DID method's "Resolve" operation between the DID resolver and the verifiable data registry, to obtain the DID document. There are guarantees about the integrity and correctness of the result to the extent possible under the applicable DID method. See Section 10.1 Method Architectures.

Universally Unique Identifier (UUID)

A type of globally unique identifier defined by [RFC4122]. UUIDs are similar to DIDs in that they do not require a centralized registration authority. UUIDs differ from DIDs in that they are not resolvable or cryptographically-verifiable.

Uniform Resource Identifier (URI)

The standard identifier format for all resources on the World Wide Web as defined by [RFC3986]. A DID is a type of URI scheme.

The DID URL syntax supports a simple format for parameters (see section Query in [DID-CORE]). Adding a DID parameter to a DID URL means that the parameter becomes part of the identifier for a resource.

Example 3: A DID URL with a 'versionTime' DID parameter

did:example:123?versionTime=2021-05-10T17:00:00Z

Example 4: A DID URL with a 'service' and a 'relativeRef' DID parameter

did:example:123?service=files&relativeRef=/resume.pdf

For each DID parameter that is present, its associated value MUST be a scalar value string serialized into ASCII according to section 3.1 of RFC3987.

Some DID parameters are completely independent of any specific DID method and function the same way for all DIDs. Other DID parameters are not supported by all DID methods. Where optional parameters are supported, they are expected to operate uniformly across the DID methods that do support them. The following table provides common DID parameters that function the same way across all DID methods. Support for all DID Parameters is OPTIONAL.

Parameter Name	Description
`service`	Identifies a service from the DID document by service ID.
`serviceType`	Identifies a set of one or more services from the DID document by service type.
`relativeRef`	A relative URL reference according to RFC3986 Section 4.2 that identifies a resource at a DID service endpoint, which is selected from a DID document by using the `service` parameter.
`versionId`	Identifies a specific version of a DID document to be resolved (the version ID could be sequential, or a UUID, or method-specific).
`versionTime`	Identifies a certain version timestamp of a DID document to be resolved. That is, the most recent version of the DID document that was valid for a DID before the specified `versionTime`. If present, the associated value MUST be represented in the datetime format as defined in 6.1 Datetime.

Implementers as well as DID method specification authors might use additional DID parameters that are not listed here. For maximum interoperability, it is RECOMMENDED that DID parameters use the DID Document Properties Extensions mechanism [DID-EXTENSIONS-PROPERTIES], to avoid collision with other uses of the same DID parameter with different semantics.

DID parameters might be used if there is a clear use case where the parameter needs to be part of a URL that references a resource with more precision than using the DID alone. It is expected that DID parameters are not used if the same functionality can be expressed by passing input metadata to a DID resolver.

Note: DID parameters and DID resolution

DID resolution can be influenced by passing 7.1 DID Resolution Options to a DID resolver that are not part of the DID URL. This is comparable to HTTP, where certain parameters could either be included in an HTTP URL, or alternatively passed as HTTP headers during the dereferencing process. The important distinction is that DID parameters that are part of the DID URL should be used to specify what resource is being identified, whereas input metadata that is not part of the DID URL should be used to control how that resource is resolved or dereferenced.

All datetime values in this specification MUST be an ASCII string which is a valid XML datetime value defined by the [VC-DATA-MODEL] in Verifiable Credentials Data Model v2.0. Additionally, timestamps used in DID Resolution MUST be adjusted to UTC without sub-second decimal precision. For example: 2020-12-20T19:17:47Z

The DID resolution function resolves a DID URL into the authoritative DID document by using the "Resolve" operation defined by the DID method identified in the DID itself. See Method Operations in the DID Core specification for more details.

All conforming DID resolvers implement the function below, which has the following abstract form:

resolve(didUrl, resolutionOptions) →
  « didResolutionMetadata, didDocument, didDocumentMetadata »

All conforming DID resolvers MUST implement the DID resolution function for at least one DID method and MUST be able to return a DID document.

Conforming DID resolver implementations do not alter the signature of this function in any way. DID resolver implementations might map the resolve function to a method-specific internal function to perform the actual DID resolution process. DID resolver implementations might implement and expose additional functions with different signatures in addition to the resolve function specified here.

The input variables of the resolve function are as follows:

didUrl

This is the DID URL to resolve. This input is REQUIRED and the value MUST be a conformant DID URL as defined in Decentralized Identifiers (DIDs) v1.0.

resolutionOptions

A metadata structure consisting of input options to the resolve function in addition to the did itself. This structure is further defined in 7.1 DID Resolution Options. This input is REQUIRED, but the structure MAY be empty.

This function returns multiple values, and no limitations are placed on how these values are returned together. The return values of resolve are didResolutionMetadata, didDocument, and didDocumentMetadata. These values are described below:

didResolutionMetadata: A metadata structure consisting of values relating to the results of the DID resolution process. This structure is REQUIRED, and in the case of an error in the resolution process, this MUST NOT be empty. This structure is further defined in 7.2 DID Resolution Metadata. If the resolution is unsuccessful, this structure MUST contain an error property describing the error. See Section 12. Errors.
didDocument: If the resolution is successful, this MUST be a DID document that is capable of being represented in one of the conformant representations of the Decentralized Identifiers (DIDs) v1.0 specification. The value of id in the resolved DID document MUST be string equal to the DID that was resolved. If the resolution is unsuccessful, this value MUST be empty.
didDocumentMetadata: If the resolution is successful, this MUST be a metadata structure. This structure contains metadata about the DID document contained in the didDocument property. If the resolution is unsuccessful, this output MUST be an empty metadata structure. This structure is further defined in 7.3 DID Document Metadata.

This is a metadata structure that contains input options for the DID Resolution process.

The possible properties within this structure and their possible values SHOULD be registered in the DID Resolution Extensions [DID-EXTENSIONS-RESOLUTION]. This specification defines the following common input options:

accept: The media type of the caller's preferred representation of the DID document. The value MUST be expressed according to the Accept header value as defined in HTTP Semantics, Section 12.5.1. The DID resolver implementation SHOULD use this value to determine the representation of the returned didDocument if such a representation is supported and available. This property is OPTIONAL.

expandRelativeUrls: A boolean flag which instructs a DID resolver to expand relative DID URLs in the DID document to absolute DID URLs conformant with DID URL Syntax.

versionId: See versionId for the definition.

versionTime: See versionTime for the definition.

This is a metadata structure that contains metadata about the DID Resolution process.

This metadata typically changes between invocations of the DID Resolution function as it represents data about the resolution process itself.

The source of this metadata is the DID resolver.

Examples of DID Resolution Metadata include:

Media type of the returned content (contentType).
Error object (error) (see Section 12. Errors).
Proofs generated by the DID resolver, e.g., to establish trusted resolution (proof).
Duration of the DID resolution process.
Caching information (see Section 15.2 Caching).
URLs, IP addresses, and/or other networking information about the verifiable data registry that was used during the DID resolution process.

contentType

The Media Type of the returned didDocument. This property is OPTIONAL. If present, the value of this property MUST be an ASCII string that is the Media Type of the conformant representations. In this case, the caller of the resolve function MUST use this value when determining how to parse and process the didDocument.

error

An error data structure is defined in [RFC9457]. The errors defined by this specification can be found in Section 12. Errors. Additional errors SHOULD be registered in the DID Resolution Extensions [DID-EXTENSIONS-RESOLUTION].

proof

Some DID resolvers and DID URL dereferencers use proofs when executing the DID Resolution or DID URL Dereferencing functions. See 10.2 Resolver Architectures for details.

DID resolution metadata MAY include a proof property. If present, the value MUST be a set where each item is a map that represents a proof. The use of this property and the types of proofs are DID method-independent.

This is a metadata structure that contains metadata about the DID Resolution process.

This metadata typically does not change between invocations of the DID Resolution function unless the DID document changes, as it represents data about the DID document.

The sources of this metadata are the DID controller and/or the DID method. DID document metadata attested to by the DID controller comes with no inherent guarantee of accuracy. Clients are advised to proceed with caution when relying on DID document metadata to inform business logic.

Examples of DID document metadata include:

Timestamps when the DID and its associated DID document were created or updated (e.g., created, updated, nextUpdate).
Versioning information about the DID document (e.g., versionId, nextVersionId).
Proofs added by the DID controller or generated by the DID method's verifiable data registry, which might be used to establish control authority or to enable verifiable resolution (e.g., proof).
Metadata about controllers, capabilities, delegations, etc.
Method-specific metadata, such as block number, index, transaction hash, number of confirmations, etc., of a record in the blockchain or other verifiable data registry.

The possible properties within this structure and their possible values SHOULD be registered in the DID Document Properties Extensions [DID-EXTENSIONS-PROPERTIES]. This specification defines the following common metadata properties.

created

DID document metadata SHOULD include a created property to indicate the timestamp of the Create operation. The value of the property MUST be represented in the datetime format as defined in 6.1 Datetime.

updated

DID document metadata SHOULD include an updated property to indicate the timestamp of the last Update operation for the document version which was resolved. The value of the property MUST be represented in the datetime format as defined in 6.1 Datetime. The updated property is omitted if an Update operation has never been performed on the DID document. If an updated property exists, it can be the same value as the created property when the difference between the two timestamps is less than one second.

deactivated

If a DID has been deactivated, DID document metadata MUST include this property with the boolean value true. If a DID has not been deactivated, this property is OPTIONAL, but if included, MUST have the boolean value false.

nextUpdate

DID document metadata MAY include a nextUpdate property if the resolved document version is not the latest version of the document. It indicates the timestamp of the next Update operation. The value of the property MUST be represented in the datetime format as defined in 6.1 Datetime.

versionId

DID document metadata SHOULD include a versionId property to indicate the version of the last Update operation for the document version which was resolved. The value of the property MUST be an ASCII string.

nextVersionId

DID document metadata MAY include a nextVersionId property if the resolved document version is not the latest version of the document. It indicates the version of the next Update operation. The value of the property MUST be an ASCII string.

equivalentId

A DID method can define different forms of a DID that are logically equivalent. An example is when a DID takes one form prior to registration in a verifiable data registry and another form after such registration. In this case, the DID method specification might need to express one or more DIDs that are logically equivalent to the resolved DID as a property of the DID document. This is the purpose of the equivalentId property.

DID document metadata MAY include an equivalentId property. If present, the value MUST be a set where each item is a string that conforms to the rules in Section Decentralized Identifiers (DIDs) v1.0. The relationship is a statement that each equivalentId value is logically equivalent to the id property value and thus refers to the same DID subject. Each equivalentId DID value MUST be produced by, and a form of, the same DID method as the id property value. (e.g., did:example:abc == did:example:ABC)

A conforming DID method specification MUST guarantee that each equivalentId value is logically equivalent to the id property value.

A requesting party is expected to retain the values from the id and equivalentId properties to ensure any subsequent interactions with any of the values they contain are correctly handled as logically equivalent (e.g., retain all variants in a database so an interaction with any one maps to the same underlying account).

Note: Stronger equivalence

equivalentId is a much stronger form of equivalence than alsoKnownAs because the equivalence MUST be guaranteed by the governing DID method. The use of equivalentId means that the same DID document describes both the equivalentId DID and the id property DID.

If a requesting party does not retain the values from the id and equivalentId properties and ensure any subsequent interactions with any of the values they contain are correctly handled as logically equivalent, there might be negative or unexpected issues that arise. Implementers are strongly advised to observe the directives related to this metadata property.

canonicalId

The canonicalId property is identical to the equivalentId property except: a) it is associated with a single value rather than a set, and b) the DID is defined to be the canonical ID for the DID subject within the scope of the containing DID document.

DID document metadata MAY include a canonicalId property. If present, the value MUST be a string that conforms to the rules in Section Decentralized Identifiers (DIDs) v1.0. The relationship is a statement that the canonicalId value is logically equivalent to the id property value and that the canonicalId value is defined by the DID method to be the canonical ID for the DID subject in the scope of the containing DID document. A canonicalId value MUST be produced by, and a form of, the same DID method as the id property value. (e.g., did:example:abc == did:example:ABC).

A conforming DID method specification MUST guarantee that the canonicalId value is logically equivalent to the id property value.

A requesting party is expected to use the canonicalId value as its primary ID value for the DID subject and treat all other equivalent values as secondary aliases (e.g., update corresponding primary references in their systems to reflect the new canonical ID directive).

Note: Canonical equivalence

canonicalId is the same statement of equivalence as equivalentId except it is constrained to a single value that is defined to be canonical for the DID subject in the scope of the DID document. Like equivalentId, the use of canonicalId means that the same DID document describes both the canonicalId DID and the id property DID.

If a DID URL client does not use the canonicalId value as its primary ID value for the DID subject and treat all other equivalent values as secondary aliases, there might be negative or unexpected issues that arise related to user experience. Implementers are strongly advised to observe the directives related to this metadata property.

proof

Many DID methods use proofs when executing method operations. See 10.1 Method Architectures for details.

DID document metadata MAY include a proof property. If present, the value MUST be a set where each item is a map that represents a proof. The use of this property and the types of proofs are DID method-specific.

A DID resolver implements the following DID resolution algorithm.

Validate that the input DID conforms to the did rule of the DID Syntax. If not, the DID resolver MUST return the following result:
1. didResolutionMetadata: error object with type set to https://www.w3.org/ns/did#INVALID_DID
2. didDocument: null
3. didDocumentMetadata: «[ ]»
Determine whether the DID method of the input DID is supported by the DID resolver that implements this algorithm. If not, the DID resolver MUST return the following result:
1. didResolutionMetadata: error object with type set to https://www.w3.org/ns/did#METHOD_NOT_SUPPORTED
2. didDocument: null
3. didDocumentMetadata: «[ ]»
Determine whether the input DID resolution options are supported by the DID resolver that implements this algorithm. If not, the DID resolver MUST return the following result:
1. didResolutionMetadata: error object with type set to https://www.w3.org/ns/did#FEATURE_NOT_SUPPORTED
2. didDocument: null
3. didDocumentMetadata: «[ ]»
Determine whether the input DID resolution options are valid. If not, the DID resolver MUST return the following result:
1. didResolutionMetadata: error object with type set to https://www.w3.org/ns/did#INVALID_OPTIONS
2. didDocument: null
3. didDocumentMetadata: «[ ]»
Obtain the DID document for the input DID by executing the Resolve operation, as defined by the input DID method:
1. If the input DID does not exist, return the following result:
  1. didResolutionMetadata: error object with type set to https://www.w3.org/ns/did#NOT_FOUND
  2. didDocument: null
  3. didDocumentMetadata: «[ ]»
2. If the input DID has been deactivated, return the following result:
  1. didResolutionMetadata: «[ ... ]»
  2. didDocument: null
  3. didDocumentMetadata: «[ "deactivated" → true, ... ]»
3. Otherwise, the result of the Resolve operation is called the output DID document. This result MUST be represented in a conformant representation.
If the input DID resolution options contain the expandRelativeUrls option with a value of true:
1. Iterate over all services, verification methods, verification relationships and any extension-defined properties in the output DID document.
2. For each item, if the item is an object and the value of the id property is a relative DID URL, or if a verification relationship is a relative DID URL:
  1. Resolve the relative DID URL to an absolute DID URL conformant with DID URL Syntax, according to the rules of section Relative DID URLs in Decentralized Identifiers (DIDs) v1.0.
3. Update the output DID document by replacing the relative DID URLs with the resolved absolute DID URLs.
Return the following result:
1. didResolutionMetadata: «[ ... ]»
2. didDocument: output DID document
3. didDocumentMetadata: «[ "contentType" → output DID document media type, ... ]»

If the DID resolver encounters any unexpected errors during the execution of the DID Resolution algorithm, it MUST return the following result:

didResolutionMetadata: error object with type set to https://www.w3.org/ns/did#INTERNAL_ERROR
didDocument: null
didDocumentMetadata: «[ ]»

A DID URL client dereferences a DID URL into a resource for subsequent processing and display. The process may vary depending on on the DID URL's components, including the DID method, method-specific identifier, path, query, and fragment, as well as the client context in which dereferencing occurs, and properties in (a) the DID document, (b) document metadata, and (c) resolution metadata.

This process depends on DID resolution of the DID URL and might involve multiple steps (e.g., when the DID URL being dereferenced includes a fragment). The following figure depicts the relationship described above.

Note

This next figure and its long description should be replaced, but I've already done that in a different PR that I expect will get merged first.

DIDs resolve to DID documents; DID URLs contains a DID; DID URLs dereferenced to DID document fragments or
external resources. — Figure 1 Overview of DID URL dereference See also: narrative description.

The top left part of the diagram contains a rectangle with black outline, labeled "DID".

The bottom left part of the diagram contains a rectangle with black outline, labeled "DID URL". This rectangle contains four smaller black-outlined rectangles, aligned in a horizontal row adjacent to each other. These smaller rectangles are labeled, in order, "DID", "path", "query", and "fragment.

The top right part of the diagram contains a rectangle with black outline, labeled "DID document". This rectangle contains three smaller black-outlined rectangles. These smaller rectangles are labeled "id", "(property X)", and "(property Y)", and are surrounded by multiple series of three dots (ellipses). A curved black arrow, labeled "DID document - relative fragment dereference", extends from the rectangle labeled "(property X)", and points to the rectangle labeled "(property Y)".

The bottom right part of the diagram contains an oval shape with black outline, labeled "Resource".

A black arrow, labeled "resolves to a DID document", extends from the rectangle in the top left part of the diagram, labeled "DID", and points to the rectangle in the top right part of diagram, labeled "DID document".

A black arrow, labeled "refers to", extends from the rectangle in the top right part of the diagram, labeled "DID document", and points to the oval shape in the bottom right part of diagram, labeled "Resource".

A black arrow, labeled "contains", extends from the small rectangle labeled "DID" inside the rectangle in the bottom left part of the diagram, labeled "DID URL", and points to the rectangle in the top left part of diagram, labeled "DID".

A black arrow, labeled "dereferences to a DID document", extends from the rectangle in the bottom left part of the diagram, labeled "DID URL", and points to the rectangle in the top right part of diagram, labeled "DID document".

A black arrow, labeled "dereferences to a resource", extends from the rectangle in the bottom left part of the diagram, labeled "DID URL", and points to the oval shape in the bottom right part of diagram, labeled "Resource".

The inputs to the dereference algorithm are as follows:

didUrl: A conformant DID URL as a single string. This is the DID URL to dereference. This input is REQUIRED.

This algorithm may or may not return one or more values and may affect program state, depending on the context of use. For example, dereferencing in the context of web browsing may support any number of common URL usage patterns:

update the value of a JavaScript property
display an image on a web page
load a JavaScript script file into the DOM of the web page
apply information in the DID document to verify an input verifiable credential and auto-fill form fields on a web page

In other contexts the DID URL client may use the DID URL in other ways.

A DID URL Client implements the following DID URL dereferencing algorithm, consisting of the following five steps:

Prepare to resolve the DID URL
Resolve the DID URL
Determine Retrieval Strategy
Retrieve the Resource
Use the Resource

Validate that the input DID URL conforms to the did-url rule of the DID URL Syntax. If not, the DID URL Client MUST return without further processing, indicating a failure due to an https://www.w3.org/ns/did#INVALID_DID_URL
Select a resolver that is capable of handling the DID's method. This could be a [remote resolver], which would use HTTPS for communications, or a [local resolver], which does not (likely a local resolver will be invoked using standard linked library or interprocess communication). Implementers MUST enable users to choose the resolvers they trust for specific DID methods.
Remove any fragment part of the DID URL to create a base DID URL, e.g., did:ex:abc#key-1 becomes did:ex:abc .
Prepare resolution options. See the resolve algorithm for options.

Call the resolve function on theExpand commentComment on line R1209Resolved selected resolver, passing the prepared resolution options and the Base DID URL, to obtain the authoritative DID document for the input DID URL.
Interpret the response to resolve to consider any errors or warnings. If appropriate, return without further processing and return an error. Otherwise, continue processing if the response provided enough information to do so.
Repeat as necessary until the final resolution result is returned. A resolver may require more input, or in some cases, the client can heuristically attempt alternate resolver options to find a more appropriate DID document, such as requesting a version of the DID document from a particular point in time.

Using the result from resolution, execute the following steps until a retrieval strategy is determined.

Service If service parameter is present as a DID Parameter, use the service selection algorithm to select the appropriate service object for retrieval. The retrieval strategy is determined by the type property of the selected service. If multiple service parameters are present in the DID URL, stop further processing and return an error.
Service Type If serviceType parameter is present as a DID Parameter, use the service-type selection algorithm to select the appropriate service object for retrieval. The retrieval strategy is determined by the type property of the selected service.
Property If the DID document contains any properties known to affect dereferencing, the retrieval strategy is determined by that property. For example, linkedResource property uses its own retrieval strategy as described at Linked Resource in the [DID-EXTENSIONS-PROPERTIES] specification. If the did document contains multiple properties that affect dereferencing, stop further processing and return an error.
Document Metadata If the DID document metadata contains any properties known to affect dereferencing, the retrieval strategy is determined by that property. For example, the linkedResourceMetadata property uses its own retrieval strategy as described in the DID Linked Resource specification. If the did document metadata contains multiple properties that affect dereferencing, stop further processing and return an error.
Method Specific If the DID method defines a method-specific dereferencing strategy, use the retrieval strategy specified by the DID method.
If no other strategy has been determined, set the retrieval strategy to Return DID Document and use the Return DID Document Dereferencing Algorithm

Execute the determined retrieval strategy using the associated retrieval algorithm to get the resource referred to by the DID URL.
In the simplest case, retrieval is a simple HTTPS GET on a Retrieval URL. However, some DID methods or properties may provide alternate means for retrieving a resource, e.g., from on-chain data or from out-of-band communications rather than from a web service.

Use the final resource. This may mean displaying the resource based on it media type; it may also include scrolling a view of that resource to display an element indicated by a fragment. It may also mean returning the entire DID document or a subset of it to a calling process. The DID URL client knows which of these options is appropriate based on the context in which the DID URL is being dereferenced.

When a DID URL contains a service parameter use the following algorithm to determine which service should be used for dereferencing the DID URL.

Example 5

did:example:1234?service=files&relativeRef=%2Fmyresume%2Fdoc%3Fversion%3Dlatest

Select the service if its id property matches the value of the service DID parameter. If the id property or the service DID parameter or both contain relative references, the corresponding absolute URIs MUST be resolved and used for determining the match, using the rules specified in RFC3986 Section 5: Reference Resolution and in section Relative DID URLs in Decentralized Identifiers (DIDs) v1.0.
If the input DID URL also contains the relativeRef parameter, evaluate the Relative Ref Dereferencing Algorithm as the retrieval stategy.

When a DID URL contains a serviceType parameter use the following algorithm to determine which service should beExpand commentComment on line R1370Resolved used for dereferencing the DID URL.

Example 6

did:example:1234?serviceType=pathService&relativeRef=%2Fmyresume%2Fdoc%3Fversion%3Dlatest

If the input DID URL contains the DID parameter serviceType: Select the service if its type property matches the value of the serviceType DID parameter.
If the input DID URL also contains the relativeRef parameter, evaluate the Relative Ref Dereferencing Algorithm as the retrieval stategy.

Note

We need to say what we do when there are multiple services with the same type: pick the first, error out, or evaluate each service according to context.

If the input DID URL contains the DID parameter relativeRef and a service of type "PathService" is selected from either the service selection algorithm or the service-type selection algorithm, set the retrieval strategy to RelativeRef and use the following retrieval algorithm.

For the selected DID service endpoint URL, execute the algorithm specified in RFC3986 Section 5.2 Relative Resolution and 5.3 Component Recomposition to create a retrieval URL as follows:
1. The base URI value is the selected DID service endpoint URL.
2. The relative reference is the value of the DID parameter relativeRef.
3. Pass the result of Relative Resolution to Component Recomposition and set the [retrieval URL] to the result of the latter.
Note

Resolving a DID service endpoint—particularly one that is itself a DID—might result in a resolution cycle, which is a set of steps that result in an infinite loop. For example, a DID service endpoint might indirectly point back through a sequence of resolutions to a previously dereferenced identifier. A DID resolver recursively resolving a DID service endpoint is advised to detect and handle such a cycle to prevent an infinite loop or resolution failure. For further guidance, see Section Resolution Cycles.

When no other dereferencing strategy applies, simply return the DID Document as the final resource.

Given the following input DID URL:

Example 7

did:example:123456789abcdefghi#keys-1

... and the following resolved DID document:

Example 8

{
  "@context":[
    "https://www.w3.org/ns/did/v1.1",
    "https://didcomm.org/messaging/contexts/v2",
    "https://identity.foundation/linked-vp/contexts/v1"
  ],
  "id": "did:example:123456789abcdefghi",
  "verificationMethod": [{
    "id": "did:example:123456789abcdefghi#keys-1",
    "type": "Multikey",
    "controller": "did:example:123456789abcdefghi",
    "publicKeyMultibase": "z6MkmM42vxfqZQsv4ehtTjFFxQ4sQKS2w6WR7emozFAn5cxu"
  }],
  "service": [{
    "id": "did:example:123456789abcdefghi#messages",
    "type": "DIDCommMessaging",
    "serviceEndpoint": "https://example.com/messages/8377464"
  }, {
    "id": "did:example:123456789abcdefghi#linkedvp",
    "type": "LinkedVerifiablePresentation",
    "serviceEndpoint": "https://example.com/verifiable-presentation.jsonld"
  }]
}

... then the result of the 8. DID URL Dereferencing algorithm is the evaluating the proof in the credential with the verification method #keys-1.

Given the following input DID URL:

Example 9

did:example:123456789abcdefghi?service=messages&relativeRef=%2Fsome%2Fpath%3Fquery#frag

... and the same resolved DID document as in the previous section.

... then the result of the 8. DID URL Dereferencing algorithm is the following selected DID service endpoint URL and applying that to the current context:

Example 10

https://example.com/messages/8377464/some/path?query#frag

Diagram showing how a DID URL can be dereferenced to a service endpoint URL — Figure 2 Dereferencing a DID URL to a service endpoint URL.

Input and output metadata is often involved during the DID Resolution. The structure used to communicate this metadata MUST be a map of properties. Each property name MUST be a string. Each property value, and each value within any complex data structure such as a map or list, MUST be a string, number, map, list, set, boolean, or null. The entire metadata structure MUST be serializable according to the JSON serialization rules in the [INFRA] specification. Implementations MAY serialize the metadata structure to other data formats.

Note

Numeric representations vary across platforms and serializations (for example, IEEE-754 floating-point vs. fixed-width integers vs. “bigint”/bignum types). The Infra standard does not yet provide comprehensive guidance for numbers. Implementers are advised to avoid metadata numbers that are likely to be represented differently on different platforms — notably the following:

non-integer values such as floating-point numbers or fractions
integers outside common fixed-width ranges, such as those larger than a 32-bit unsigned integer (maximum 2³² - 1 or 4,294,967,295)

Where such values are needed for interoperability, a good practice for property is definitions to use a canonical string serialization (for example, a string formatted as a floating-point number using a clearly defined precision and rounding strategy) and to document any expected range or format.

All implementations of functions that use metadata structures as either input or output are able to fully represent all data types described here in a deterministic fashion. As inputs and outputs using metadata structures are defined in terms of data types and not their serialization, the method for representation is internal to the implementation of the function and is out of scope of this specification.

The following example demonstrates a JSON-encoded metadata structure that might be used as DID resolution input metadata.

Example 11: JSON-encoded DID resolution input metadata example

{
"accept": "application/did"
}

This example corresponds to a metadata structure of the following format:

Example 12: DID resolution input metadata example

«[
"accept" → "application/did"
]»

The next example demonstrates a JSON-encoded metadata structure that might be used as DID resolution metadata if a DID was not found.

Example 13: JSON-encoded DID resolution metadata example

{
"error": "notFound"
}

This example corresponds to a metadata structure of the following format:

Example 14: DID resolution metadata example

«[
"error" → "notFound"
]»

The next example demonstrates a JSON-encoded metadata structure that might be used as DID document metadata to describe timestamps associated with the DID document.

Example 15: JSON-encoded DID document metadata example

{
"created": "2019-03-23T06:35:22Z",
"updated": "2023-08-10T13:40:06Z"
}

This example corresponds to a metadata structure of the following format:

Example 16: DID document metadata example

«[
"created" → "2019-03-23T06:35:22Z",
"updated" → "2023-08-10T13:40:06Z"
]»

The DID resolution algorithm involves executing the Resolve operation on a DID according to its DID method (see 7. DID Resolution).

Every DID method defines this method operation, i.e., how a DID resolver can obtain a DID document from a DID. The underlying data formats, protocols, technical infrastructures, and processes can vary considerably among DID methods.

Examples of DID method considerations include the following:

A DID method might use an immutable blockchain, distributed ledger, distributed file system, peer-to-peer network, or other decentralized infrastructure as (part of) its verifiable data registry.
A DID method might use DNS, HTTP, or web servers as (part of) its verifiable data registry.
A DID method might use any combination of the above technical infrastructures.
A DID method might store an actual DID document in plain-text form in a verifiable data registry and might simply retrieve that document during the "Resolve" operation.
A DID method might define its "Resolve" operation in a more complex way that could involve intermediate, partial, or temporary DID documents, and use multi-step processes that construct the DID document "on-the-fly".
A DID method might require interaction with remote servers or networks during execution of the "Resolve" operation.
A DID method might execute the "Resolve" operation in an entirely local way that does not require any interaction with remote servers or networks. For example, in the [DID-KEY] method, the DID itself wraps a public key, and the "Resolve" operation is simply a trivial, local transformation process.

Based on the above considerations combined with the nature of a DID method's "Resolve" operation, the interaction between a DID resolver and the verifiable data registry could be considered either a verifiable resolution or an unverifiable resolution:

Diagram showing a 'verifiable resolution' implementation of a DID method. — Figure 3 A verifiable resolution implementation of a DID method.

Diagram showing an 'unverifiable resolution' implementation of a DID method. — Figure 4 An unverifiable resolution implementation of a DID method.

A verifiable resolution maximizes confidence in the integrity and correctness of the result of the "Resolve" operation, to the extent possible under the applicable DID method. This can be accomplished in a number of ways, such as the following:

A verifiable resolution can be accomplished if access to the verifiable data registry is possible in a local, trusted network environment.
- For example, in blockchain-based DID methods, a verifiable resolution might be accomplished if a blockchain full node is deployed on a local server.
If access to the verifiable data registry happens via a remote server, a verifiable resolution might still be accomplished if the remote server is trusted, and if it can be accessed via a secure channel.
If access to the verifiable data registry happens via a remote server, a verifiable resolution might be accomplished if the DID resolver has some way of verifying the DID document and DID document metadata returned by the DID method.
- For example, in blockchain-based DID methods, even if direct access to a blockchain full node is not available, a verifiable resolution may still be possible by using a light client that processes metadata to verify the data.

An unverifiable resolution does not have such guarantees and is therefore less desirable, for example:

An unverifiable resolution takes place if access to the verifiable data registry happens via a remote, untrusted intermediary.
- For example, in the case of blockchain-based DID methods, a remote blockchain explorer API operated by an third party may be used to look up data from the blockchain.

Note: Implementation Details

Whether or not a verifiable resolution is possible depends not only on a DID method itself, but also on the way a DID resolver implements that DID method. DID methods MAY allow multiple ways of implementing their "Resolve" operation, and SHOULD offer guidance regarding at least one way to implement a verifiable resolution.

Note: Limitations of Verifiable Data Registries

The guarantees associated with a verifiable resolution are always limited by the architecture(s), protocol(s), cryptographic element(s), and other aspects of the DID method's underlying verifiable data registry. The forms of verifiable resolution implementation that are considered strongest are those that require no interaction with any remote network (for example, see [DID-KEY]), and those that minimize dependencies on specific network infrastructure, reducing the "root of trust" to proven entropy and cryptography (for example, see [KERI]).

To enable verifiable resolutions, many DID methods use digital signatures, state proofs, proofs of inclusion in Merkle trees, cryptographic event logs, or other types of proof. If a DID method uses such proofs, it MUST specify in its DID method specification how they are used for verification of the correctness of the result of a "Resolve" operation.

A DID method MAY also include such proofs in the DID document itself, or in a proof property of the DID document metadata. This can potentially enable a client to independently verify the results of a DID Resolution process, even if it does not trust the DID resolver.

Note that proofs originating from the DID method are DID method-specific and must be understood within the technology of the applicable DID method. A simple signature on a DID document or DID document metadata does not necessarily prove control of a DID, nor guarantee that the DID document is the correct one for the DID. These proofs help to verify the integrity and authenticity of the results of a DID Resolution process as far as the DID method itself is concerned. However, they do not guarantee that the binding between a client and the DID resolver is secure. See also 10.2 Resolver Architectures.

The algorithms for DID resolution is defined as a the abstract function resolving.

Those algorithms are implemented by DID resolvers, are are invoked by a DID URL client via a binding. Bindings define how the abstract functions are accessed using concrete programming or communication interfaces.

Examples of bindings include the following:

A DID resolver might be invoked within an application by calling a software library or SDK.
A DID resolver might be invoked as a command line tool.
A DID resolver might be invoked over an HTTP(S) API or other network protocol, e.g., see 13.1 HTTP(S) Binding.

Based on the above considerations combined with the nature of the binding, the interaction between a client and the DID resolver could be considered either a local binding or a remote binding:

Diagram showing a DID resolver with a 'local binding'. — Figure 5 A local binding for a DID resolver.

Diagram showing a DID resolver with a 'remote binding'. — Figure 6 A remote binding for a DID resolver.

Whenever possible, local bindings are preferred, as they minimize dependencies on third parties and intermediaries, reduce security risks, and maximize confidence in the integrity and correctness of the result of DID resolution.

In some cases, it might not be possible to use a local binding; for example, in constrained IoT (Internet of Things) environments, or when a DID method requires complex infrastructure, or when many different DID methods should be supported.

If a client uses a remote binding, the following considerations apply:

The remote binding SHOULD use a trusted instance of a DID resolver, ideally under the control of the client itself (e.g., self-hosted).
The remote binding SHOULD use a secure channel such as VPN and/or TLS with mutual authentication.
The client could query multiple DID resolvers over a remote binding and compare results.

A DID resolver MAY also include proofs in a proof property of the DID resolution metadata.

Note that proofs originating from a DID resolver are DID method-independent and can be universally applied by a DID resolver, across all DID methods. These proofs help to verify the integrity and authenticity of the results of a DID Resolution process as far as the DID resolver itself is concerned. However, they do not guarantee that the result from the "Resolve" operation of the applicable DID method is itself correct. See also 10.1 Method Architectures.

A DID resolver might support the DID resolution algorithm for multiple DID methods:

Diagram showing a DID resolver that supports multiple DID methods. — Figure 7 A DID resolver that supports multiple DID methods.

In this case, the above considerations in 10.1 Method Architectures about verifiable resolution and unverifiable resolution implementations apply to each supported DID method individually.

A DID resolver MAY invoke another DID resolver, which serves as a proxy that executes the DID resolution algorithm as defined in 7. DID Resolution.

The first DID resolver then acts as a client and chooses a suitable binding for invoking the second DID resolver. For example, a DID resolver may be invoked via a local binding (such as a command line tool), which in turn invokes another DID resolver via a remote binding (such as the HTTP(S) binding).

When using proxied resolution, a "downstream" resolver SHOULD preserve all DID resolution metadata and DID document metadata from an "upstream" resolver in a transparent manner, including any proofs that may be present. In this process, the "downstream" resolver MAY add its own DID resolution metadata, including any metadata about the proxied resolution process itself.

Diagram showing two DID resolvers, one invoked via 'local binding', the other invoked via 'remote binding'. — Figure 8 A client invokes a DID resolver via local binding, which invokes another DID resolver via remote binding, which in turn executes the resolution operation of the DID method.

Note: Comparison to DNS

This is similar to a "stub resolver" invoking a "recursive resolver" in DNS architecture, although the concepts are not entirely comparable (DNS Resolution uses a single concrete protocol, whereas DID resolution is an abstract function realized by different DID methods and different bindings).

Given the DID URL did:xyz:1234#keys-1, a DID resolver could be invoked via local binding for Dereferencing the Resource (i.e., the DID document), and the client could complete the DID URL dereferencing algorithm by Dereferencing the Fragment (i.e., a part of the DID document).

Diagram showing client-side dereferencing of a DID URL by a DID resolver and a client — Figure 9 Client-side dereferencing of a DID URL by a DID resolver and a client.

Given the DID URL did:xyz:1234?service=agent&relativeRef=%2Fsome%2Fpath%3Fquery#frag, a DID resolver could be invoked for Dereferencing the Resource (i.e., a DID service endpoint URL), and the client could complete the DID URL dereferencing algorithm by Dereferencing the Fragment (i.e., a DID service endpoint URL with a fragment).

Given the DID URL did:xyz:1234#keys-1, a DID resolver could be invoked via local binding, which invokes another DID resolver via remote binding for Dereferencing the Resource (i.e., the DID document), and the client could complete the DID URL dereferencing algorithm by Dereferencing the Fragment (i.e., a part of the DID document).

Diagram showing client-side dereferencing of a DID URL by two DID resolvers and a client — Figure 11 Client-side dereferencing (in combination with Proxied Resolution) of a DID URL by two DID resolvers and a client.

This section defines a JSON data structure that represents the result of the algorithm described in 7. DID Resolution. A DID resolution result contains the DID document as well as DID resolution metadata and DID document metadata.

The media type of this data structure is defined to be application/did-resolution.

Example 17: Example DID resolution result

{
  "didDocument": {
    "@context": "https://www.w3.org/ns/did/v1",
    "id": "did:example:123456789abcdefghi",
    "authentication": [{
      "id": "did:example:123456789abcdefghi#keys-1",
      "type": "Ed25519VerificationKey2018",
      "controller": "did:example:123456789abcdefghi",
      "publicKeyBase58": "H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV"
    }],
    "service": [{
      "id":"did:example:123456789abcdefghi#vcs",
      "type": "VerifiableCredentialService",
      "serviceEndpoint": "https://example.com/vc/"
    }]
  },
  "didResolutionMetadata": {
    "contentType": "application/did",
    "retrieved": "2024-06-01T19:73:24Z",
  },
  "didDocumentMetadata": {
    "created": "2019-03-23T06:35:22Z",
    "updated": "2023-08-10T13:40:06Z",
    "method": {
      "nymResponse": {
        "result": {
          "data": "{\"dest\":\"WRfXPg8dantKVubE3HX8pw\",\"identifier\":\"V4SGRU86Z58d6TV7PBUe6f\",\"role\":\"0\",\"seqNo\":11,\"txnTime\":1524055264,\"verkey\":\"H3C2AVvLMv6gmMNam3uVAjZpfkcJCwDwnZn6z3wXmqPV\"}",
          "type": "105",
          "txnTime": 1.524055264E9,
          "seqNo": 11.0,
          "reqId": 1.52725687080231475E18,
          "identifier": "HixkhyA4dXGz9yxmLQC4PU",
          "dest": "WRfXPg8dantKVubE3HX8pw"
        },
        "op": "REPLY"
      },
      "attrResponse": {
        "result": {
          "identifier": "HixkhyA4dXGz9yxmLQC4PU",
          "seqNo": 12.0,
          "raw": "endpoint",
          "dest": "WRfXPg8dantKVubE3HX8pw",
          "data": "{\"endpoint\":{\"xdi\":\"http://127.0.0.1:8080/xdi\"}}",
          "txnTime": 1.524055265E9,
          "type": "104",
          "reqId": 1.52725687092557056E18
        },
        "op": "REPLY"
      }
    }
  }
}

The algorithms described in this specification throw specific types of errors. Implementers might find it useful to convey these errors to other libraries or software systems. This section provides specific URLs and descriptions for the errors, such that an ecosystem implementing technologies described by this specification might interoperate more effectively when errors occur. Additionally, this specification uses some errors defined in Section 3.5 Processing Errors of the [CID] specification.

Implementers SHOULD use [RFC9457] to encode the error data structure. If [RFC9457] is used:

The type value of the error object MUST be a URL. Where the values listed in the section below do not define a URL, the values MUST be prepended with the URL https://www.w3.org/ns/did#.
The title value SHOULD provide a short but specific human-readable string for the error.
The detail value SHOULD provide a longer human-readable string for the error.

INVALID_DID: An invalid DID was detected during DID Resolution. See Section 7.4 DID Resolution Algorithm.
https://www.w3.org/ns/did#INVALID_DID
INVALID_DID_DOCUMENT: The DID document was malformed. See Section 7.4 DID Resolution Algorithm.
https://www.w3.org/ns/did#INVALID_DID_DOCUMENT
NOT_FOUND: The DID resolver was unable to find the DID document resulting from this resolution request. See Section 7.4 DID Resolution Algorithm.
https://www.w3.org/ns/did#NOT_FOUND
REPRESENTATION_NOT_SUPPORTED: The representation requested via the accept input metadata property is not supported by the DID method and/or DID resolver implementation. See Section 7.4 DID Resolution Algorithm.
https://www.w3.org/ns/did#REPRESENTATION_NOT_SUPPORTED
INVALID_DID_URL: An invalid DID URL was detected during DID URL dereferencing. See Section 8.1 DID URL Dereferencing Algorithm
https://www.w3.org/ns/did#INVALID_DID_URL
METHOD_NOT_SUPPORTED: The DID method of the DID is not supported by the DID resolver. See Section 7.4 DID Resolution Algorithm.
https://www.w3.org/ns/did#METHOD_NOT_SUPPORTED
INVALID_OPTIONS: One or more of the options provided for DID Resolution or DID URL dereferencing are invalid.
https://www.w3.org/ns/did#INVALID_OPTIONS
INTERNAL_ERROR: An unexpected error occured during DID Resolution or DID URL dereferencing.
https://www.w3.org/ns/did#INTERNAL_ERROR
FEATURE_NOT_SUPPORTED: The DID resolver does not support the requested feature. The value of the detail field SHOULD provide a longer description of the feature that is not supported by the resolver.
https://www.w3.org/ns/did#FEATURE_NOT_SUPPORTED

This section defines bindings for the abstract algorithms in sections 7. DID Resolution.

This section defines a DID resolver binding which exposes the DID resolution function (including all resolution options and metadata) via an HTTP(S) endpoint. See 10.2 Resolver Architectures.

The HTTP(S) binding requires a known HTTP(S) URL where a DID resolver can be invoked. This URL is called the DID resolver HTTP(S) endpoint.

This binding is generally considered a remote binding, but could also be a local binding if the HTTP(S) endpoint is run in a local environment, such as on localhost.

All conforming DID resolvers MUST implement the GET version of the HTTPS binding and MAY implement the POST version. All HTTPS bindings MUST use TLS. Use of DNS names in certificates is NOT REQUIRED; resolvers MAY use TLS certificates issued for IP addresses.

Using this binding, the DID resolution function (see 7. DID Resolution) function can be executed as follows:

Initialize a request HTTP(S) URL with the DID resolver HTTP(S) endpoint.
Example 18
```
https://resolver.example/1.0/identifiers/
```
For the DID resolution function:
1. Append the input DID to the request HTTP(S) URL.
  Example 19
```
https://resolver.example/1.0/identifiers/did:example:1234
```
2. Set the Accept HTTP request header to application/did-resolution to request a complete 11. DID Resolution Result, OR
3. set the Accept HTTP request header to the value of the accept resolution option to request only the didDocument value of the result.
For the HTTP(S) GET binding:
1. If any other resolution options other than accept are provided:
  1. The input DID URL MUST be URL-encoded (as specified in RFC3986 Section 2.1).
  2. Encode all resolution options except accept as query parameters in the request HTTP(S) URL.
2. Execute an HTTP GET request on the request HTTP(S) URL. This invokes the DID resolution or function at the remote DID resolver.
  Example 20
```
GET https://resolver.example/1.0/identifiers/did%3Aexample%3A1234?option1=value1&option2=value2 HTTP/1.1
  Accept: application/did-resolution
```
For the HTTP(S) POST binding:
1. If any resolution options other than accept are provided:
  1. Encode all resolution options except accept as a JSON structure in the HTTP request's POST body.
2. Execute an HTTP POST request on the request HTTP(S) URL. This invokes the DID resolution function at the remote DID resolver.
  Example 21
```
POST https://resolver.example/1.0/identifiers/did:example:1234 HTTP/1.1
  Accept: application/did-resolution

  {
      "option1": "value1",
      "option2": "value2"
  }
```

If the DID resolution function returns an error metadata property in the didResolutionMetadata, then the HTTP response status code MUST correspond to the type property of the error object, according to the following table:

error `type` URI	HTTP status code
`https://www.w3.org/ns/did#INVALID_DID`	`400`
`https://www.w3.org/ns/did#INVALID_DID_URL`	`400`
`https://www.w3.org/ns/did#INVALID_OPTIONS`	`400`
`https://www.w3.org/ns/did#NOT_FOUND`	`404`
`https://www.w3.org/ns/did#REPRESENTATION_NOT_SUPPORTED`	`406`
`https://www.w3.org/ns/did#INVALID_DID_DOCUMENT`	`500`
`https://www.w3.org/ns/did#METHOD_NOT_SUPPORTED`	`501`
`https://www.w3.org/ns/did#FEATURE_NOT_SUPPORTED`	`501`
`https://www.w3.org/ns/did#INTERNAL_ERROR`	`500`
(any other error URI)	`500`

If the DID resolution function returns a deactivated metadata property with the value true in the didDocumentMetadata or contentMetadata:
1. The HTTP response status code MUST be 410.
For the DID resolution function:
1. If the value of the Content-Type HTTP response header is application/did-resolution:
  1. The HTTP body MUST contain a DID resolution result (see 11. DID Resolution Result) that is the result of the DID resolution function.
2. If the function is successful and returns a didDocument:
  1. The HTTP response status code MUST be 200.
  2. The HTTP response MUST contain a Content-Type HTTP response header. Its value MUST be the value of the contentType metadata property in the didResolutionMetadata (see 7.2 DID Resolution Metadata).
  3. The HTTP response body MUST contain the didDocument that is the result of the DID resolution function, in the representation corresponding to the Content-Type HTTP response header.

Note

See here for an OpenAPI definition corresponding to the HTTP(S) binding.

Given the following DID resolver HTTP(S) endpoint:

https://resolver.example/1.0/identifiers/

And given the following input DID:

did:example:123

Then the request HTTP(S) URL is:

https://resolver.example/1.0/identifiers/did:example:123

The resolve() function can be invoked over the HTTP(S) binding as follows:

Example 22: Example request to a DID resolver via HTTP(S) binding

GET https://resolver.example/1.0/identifiers/did:example:123 HTTP/1.1
Accept: application/did-resolution

The response is as follows:

Example 23: Example response from a DID resolver via HTTP(S) binding

HTTP 200 OK
Content-Type: application/did-resolution

{
  "didDocument": {
    "@context": [ "https://www.w3.org/ns/did/v1.1" ],
    "id": "did:example:123",
    "verificationMethod": [{
      ...
    }],
    "service": [{
      ...
    }]
  },
  "didResolutionMetadata": {
    "contentType": "application/did"
  },
  "didDocumentMetadata": {
    ...
  }
}

The resolve() function can be invoked over the HTTP(S) binding as follows:

Example 24: Example request to a DID resolver via HTTP(S) binding

GET https://resolver.example/1.0/identifiers/did:example:123 HTTP/1.1
Accept: application/did

The response is as follows:

Example 25: Example response from a DID resolver via HTTP(S) binding

HTTP 200 OK
Content-Type: application/did

{
  "@context": [ "https://www.w3.org/ns/did/v1.1" ],
  "id": "did:example:123",
  "verificationMethod": [{
    ...
  }],
  "service": [{
    ...
  }]
}

The dereference() function can be invoked over the HTTP(S) binding as follows:

Example 26: Example request to a DID URL dereferencer via HTTP(S) binding

GET https://resolver.example/1.0/identifiers/did:example:123?versionId=2 HTTP/1.1
Accept: application/did-url-dereferencing

The response is as follows:

Example 27: Example response from a DID URL dereferencer via HTTP(S) binding

HTTP 200 OK
Content-Type: application/did-url-dereferencing

{
  "content": {
    "@context": [ "https://www.w3.org/ns/did/v1.1" ],
    "id": "did:example:123",
    "verificationMethod": [{
      ...
    }],
    "service": [{
      ...
    }]
  },
  "dereferencingMetadata": {
    "contentType": "application/did"
  },
  "contentMetadata": {
    ...
  }
}

The dereference() function can be invoked over the HTTP(S) binding as follows:

Example 28: Example request to a DID URL dereferencer via HTTP(S) binding

GET https://resolver.example/1.0/identifiers/did:example:123?versionId=2 HTTP/1.1
Accept: application/did

The response is as follows:

Example 29: Example response from a DID URL dereferencer via HTTP(S) binding

HTTP 200 OK
Content-Type: application/did

{
  "@context": [ "https://www.w3.org/ns/did/v1.1" ],
  "id": "did:example:123",
  "verificationMethod": [{
    ...
  }],
  "service": [{
    ...
  }]
}

This section contains a variety of security considerations that people using DID Resolution in production settings are advised to consider. Readers are urged to familiarize themselves with the general security advice provided in the Security Considerations section of the Decentralized Identifiers specification before reading this section.

DID resolution and DID URL dereferencing do not involve any authentication or authorization functionality. Similar to DNS resolution, anybody can perform the process, without requiring any credentials or non-public knowledge.

A DID resolver may maintain a generic cache of DID documents. It may also maintain caches specific to certain DID methods.

The noCache resolution option can be used to request a certain kind of caching behavior.

This resolution option is OPTIONAL.

Possible values of this property are:

"false" (default value): Caching of DID documents is allowed.
"true": Request that caching is disabled and a fresh DID document is retrieved from the verifiable data registry.

Caching behavior can be controlled by configuration of the DID resolver, by the noCache resolution option, or by contents of the DID document (e.g., a cacheMaxTtl field), or by a combination of these properties.

Resolvers that implement noCache might be more vulnerable to denial of service attacks, as malicious clients can bypass caching to force expensive network requests and resource consumption. Clients requesting resolution with noCache expect that some resolvers will reject resolution requests that bypass caching. Resolvers that deny resolution without caching MUST respond with a FEATURE_NOT_SUPPORTED error that makes it clear that bypassing the cache was not permitted so the client can attempt to resolve without using noCache.

If JSON-LD Context files are fetched from a remote location, an attacker could alter the context file (for example, by compromising the server or intercepting the request via a man-in-the-middle attack).

Therefore, any DID resolver which performs remote retrieval of JSON-LD Context URLs is strongly advised to use a registry of context files and corresponding hashes (or a functionally equivalent mechanism) to help ensure end-to-end security. Implementations are expected to throw errors if the cryptographic hash value for a resource does not match the expected hash value.

If a versionId or versionTime DID parameter is provided, the DID resolution algorithm returns a specific version of the DID document.

The DID parameters versionId and versionTime are mutually exclusive.

The use of the versionId DID parameter is specific to the DID method. Its possible values may include sequential numbers, random UUIDs, content hashes, etc..

DID document metadata MAY contain a versionId property that changes with each Update operation that is performed on a DID document.

Note

While most DID methods support the Update operation, there is no requirement for DID methods to keep all previous DID document versions, therefore not all DID methods support versioning.

DID methods that use a distributed system (such as a distributed ledger) as a VDR (verifiable data registry) need to manage the potential that network forks may occur. Therefore, the specification of a DID method that uses a distributed system as a VDR SHOULD specify a means by which the VDR they are using can be disambiguated from such forks.

When a DID resolver client dereferences identifiers and linked resources in a DID document — especially fields like verificationMethod, controller, or alsoKnownAs — it might encounter a resolution cycle. These can occur when a DID document references another DID (or URL) that eventually leads back to a previously dereferenced identifier, forming a loop. A DID resolver can also encounter such a situation when dereferencing a DID URL that references a DID service endpoint.

did:example:alice
      └── verificationMethod.controller → did:example:bob
        └── verificationMethod.controller → did:example:alice

DID resolvers and their clients that perform recursive dereferencing are expected to expect, detect, and handle such cycles.

Security and performance risks: If cycles are not detected and mitigated, recursive dereferencing could lead to:

Infinite loops or stack overflows in software.
Resource exhaustion (e.g., memory, network, or CPU).
Denial-of-service (DoS) vulnerabilities in clients or intermediaries.

Mitigation guidance: Components that recursively follow external DID document references are encouraged to track identifiers that have already been dereferenced and to detect when a cycle has occurred and take appropriate action. In addition, developers might wish to limit recursion depth or breadth to reduce the potential attack surface.

This section details the privacy considerations specific to DID Resolution. Readers are urged to familiarize themselves with the general privacy advice provided in the Privacy Considerations section of the Decentralized Identifiers specification before reading this section.

DID resolvers and DID URL dereferencers will be able to log requests to their services for resolution and dereferencing. Over time, these logs could be used to track and profile the clients making requests for these services. To mitigate this privacy risk, clients should make such requests to services they trust, for example, because of an existing business relationship or because the service is running on infrastructure they control. Clients can also take steps to obfuscate their requests to a service in order to limit the possibilities of correlation and profiling.

One of the most common mechanisms used to resolve an identifier to an address on the Internet is the global Domain Name System (DNS) described in [RFC1034]. The DNS and the processes and systems used to map a Domain Name to an Internet Protocol address is a common requirement for hosting a website.

The Decentralized Identifiers (DIDs) v1.0 specification introduced a new type of identifier that lacks any dependency on the global Domain Name System and introduced the concept of an identifier resolution process that does not require the centralization of any part of the architecture. This new architecture allows the decentralized creation and management of globally-resolvable identifiers that combat identifier rent-seeking and censorship. It enables individuals to fully own and control their identifiers instead of renting the identifiers from a third party.

Individuals that acquire DID URLs use them in their software much like they continue to use DNS-based URLs. The software uses a DID resolver interface (defined in this specification) to determine the location of the resources to be retrieved. The process of DID resolution, much like the process of DNS resolution, is opaque to the individual and happens within the software without needing any direct involvement of the individual.

The research related to DNS centralization and the corresponding invention of DIDs and DID resolution is documented by the Decentralized Identifiers (DIDs) v1.0 specification in the section related to the history of DIDs.

[CID]: Controlled Identifiers v1.0. Michael Jones; Manu Sporny. W3C. 15 May 2025. W3C Recommendation. URL: https://www.w3.org/TR/cid-1.0/
[DID-CORE]: Decentralized Identifiers (DIDs) v1.0. Manu Sporny; Amy Guy; Markus Sabadello; Drummond Reed. W3C. 19 July 2022. W3C Recommendation. URL: https://www.w3.org/TR/did-core/
[DID-EXTENSIONS-PROPERTIES]: DID Document Property Extensions. Manu Sporny; Markus Sabadello. W3C. 11 December 2025. W3C Working Group Note. URL: https://www.w3.org/TR/did-extensions-properties/
[INFRA]: Infra Standard. Anne van Kesteren; Domenic Denicola. WHATWG. Living Standard. URL: https://infra.spec.whatwg.org/
[local resolver]: Reference not found.
[remote resolver]: Reference not found.
[retrieval URL]: Reference not found.
[RFC2119]: Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC3986]: Uniform Resource Identifier (URI): Generic Syntax. T. Berners-Lee; R. Fielding; L. Masinter. IETF. January 2005. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc3986
[RFC3987]: Internationalized Resource Identifiers (IRIs). M. Duerst; M. Suignard. IETF. January 2005. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc3987
[RFC8174]: Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words. B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[RFC9110]: HTTP Semantics. R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed. IETF. June 2022. Internet Standard. URL: https://httpwg.org/specs/rfc9110.html
[RFC9457]: Problem Details for HTTP APIs. M. Nottingham; E. Wilde; S. Dalal. IETF. July 2023. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc9457
[VC-DATA-MODEL]: Verifiable Credentials Data Model v2.0. Ivan Herman; Michael Jones; Manu Sporny; Ted Thibodeau Jr; Gabe Cohen. W3C. 15 May 2025. W3C Recommendation. URL: https://www.w3.org/TR/vc-data-model-2.0/

[DID-EXTENSIONS-RESOLUTION]: DID Resolution Extensions. Manu Sporny; Markus Sabadello. W3C. 19 November 2024. W3C Working Group Note. URL: https://www.w3.org/TR/did-extensions-resolution/
[DID-KEY]: The did:key Method. Manu Sporny; Dmitri Zagidulin; Dave Longley. 26 March 2025. CG-DRAFT. URL: https://w3c-ccg.github.io/did-key-spec/
[KERI]: Key Event Receipt Infrastructure (KERI). Samuel M. Smith. July 2019. URL: https://arxiv.org/abs/1907.02143
[RFC1034]: Domain names - concepts and facilities. P. Mockapetris. IETF. November 1987. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc1034
[RFC4122]: A Universally Unique IDentifier (UUID) URN Namespace. P. Leach; M. Mealling; R. Salz. IETF. July 2005. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc4122

Decentralized Identifier Resolution (DID Resolution) v0.3

Algorithms and guidelines for resolving DIDs and dereferencing DID URLs

Abstract

Status of This Document

1. Introduction

1.1 Implementer Overview

2. Conformance

2.1 Conformance

3. Audience

4. Use Cases

5. Terminology

6. DID Parameters

6.1 Datetime

7. DID Resolution

7.1 DID Resolution Options

7.2 DID Resolution Metadata

7.3 DID Document Metadata

7.4 DID Resolution Algorithm

8. DID URL Dereferencing

8.1 DID URL Dereferencing Algorithm

8.1.1 Prepare to Resolve the DID URL

8.1.2 Resolve the DID URL

8.1.3 Determine Retrieval Strategy

8.1.4 Retrieve the resource

8.1.5 Use the resource

8.2 Service Selection Algorithm

8.3 Service Type Selection Algorithm

8.4 Relative Ref Dereferencing Algorithm

8.5 Return DID Document Dereferencing Algorithm

8.6 Examples

8.6.1 Example: Dereferencing to verification method

8.6.2 Example: Dereferencing to service endpoint URL

9. Metadata Structure

10. DID Resolution Architectures

10.1 Method Architectures

10.2 Resolver Architectures

10.2.1 Multiple Methods

10.2.2 Proxied Resolution

10.2.3 Examples

11. DID Resolution Result

11.1 Example

12. Errors

13. Bindings

13.1 HTTP(S) Binding

13.2 DID Resolution Examples

13.2.1 Example: Returning a DID Resolution Result

13.2.2 Example: Returning a DID Document

14. DID URL Dereferencing Examples

14.1 Example: Returning a DID URL Dereferencing Result

14.2 Example: Returning a resource

15. Security Considerations

15.1 Authentication/Authorization

15.2 Caching

15.3 JSON-LD Context Integrity

15.4 Versioning

15.5 VDR Network Forks

15.6 Resolution Cycles

16. Privacy Considerations

16.1 Profiling of DID Resolution and Dereferencing Requesters

A. Relationship to Other Technologies

B. DID Resolution Resources

C. References

C.1 Normative references

C.2 Informative references