LWS Protocol

W3C Editor's Draft 18

More details about this document
This version:
https://w3c.github.io/lws-protocol/
Latest published version:
https://www.w3.org/TR/@@/
Latest editor's draft:
https://w3c.github.io/lws-protocol/
History:
Commit history
Editors:
Pierre-Antoine Champin
ericP
Jesse Wright
Erich Bremer
Former editors:
Sarven Capadisli
Justin Bingham
Dmitri Zagidulin
Ruben Verborgh
Tim Berners-Lee
Kjetil Kjernsmo
Feedback:
GitHub w3c/lws-protocol ( pull requests , new issue , open issues )

Copyright © 2025 World Wide Web Consortium . W3C ® liability , trademark and permissive document license rules apply.

Abstract

[@@ from charter ]

The Linked Web Storage Protocol specification aims to provide applications with secure and permissioned access to externally stored data in an interoperable way.

The Linked Web Storage Protocol does/does not include protocol details for integration with identity layers and mechanisms; access management and data integrity; notifications about resource changes; and authorization mechanisms.

Status of This Document

This is a preview

Do not attempt to implement this version of the specification. Do not reference this version as authoritative in any way. Instead, see https://w3c.github.io/lws-protocol/ for the Editor's draft.

This section describes the status of this document at the time of its publication. A list of current W3C publications and the latest revision of this technical report can be found in the W3C standards and drafts index .

This is an unofficial proposal.

This document was published by the Linked Web Storage Working Group as an Editor's Draft.

Publication as an Editor's Draft does not imply endorsement by W3C and its Members.

This is a draft document and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to cite this document as other than a work in progress.

This document was produced by a group operating under the W3C Patent Policy . W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent that the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy .

This document is governed by the 18 August 2025 W3C Process Document .

For Editors

This section is non-normative.

List of TODO s and ideas in flux to enable editors to communicate asynchronously.

Resources

Tactics

1. Document Conventions

This section is non-normative.

2. Introduction

2.1 Resource Access

The LWS Protocol defines standard interactions by which a some party can make some resources available to some agents.

2.2 Security and Privacy

A resource manager may keep a served resource private, may make it publicly available to anyone, or may limited its visibility to a constrained set of requesting agents .

2.3 Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY , MUST , MUST NOT , RECOMMENDED , REQUIRED , and SHOULD in this document are to be interpreted as described in BCP 14 [ RFC2119 ] [ RFC8174 ] when, and only when, they appear in all capitals, as shown here.

A LWS REST Server is an HTTP server [ rfc9112 ] that complies with all of the relevant " MUST " statements in this specification. Specifically, the relevant normative " MUST " statements in Sections 999 REST Binding of this document MUST be respected.

A LWS REST Client is an HTTP client [ rfc9112 ] that complies with all of the relevant " MUST " statements in this specification. Specifically, the relevant normative " MUST " statements in Sections 999 REST Binding of this document MUST be respected.

3. Terminology

The terms "authorization server" and "client" are defined by the OAuth 2.0 Authorization Framework [ RFC6749 ].

The terms "end-user" and "issuer" are defined by OpenID Connect Core 1.0 [ OPENID-CONNECT-CORE ].

This specificaiton defines the following terms:

This specification defines operations on served resources , the resulting change of state, and a response indended to give the requesting agent requested infomation or inform them of the outcome of the operation . An operation is any of the following actions that can be performed on a served resource :

The folowing section will describe the semantics and responses of these operations but the following core responses apply to any operation:

4. Authentication

This section defines a mechanism for identifying agents and end users that interact with a linked web storage server. This specification does not mandate a particular format for end-user credentials, though it does describe how existing identity systems can be used in conjunction with the linked web storage authorization framework.

4.1 End-User Credential Data Model

The data model described in this section outlines the requirements for any concrete serialization of an end-user credential.

An end-user credential MUST include tamper evident claims about a subject, including:

4.2 End-User Credential Validation

Validation of an end-user credential requires a trust relationship between the verifier and issuer of the credential. This trust relationship MAY be established through an out-of-band mechanism. Any additional mechanisms for establishing trust between a verifier and an issuer are outlined in specific authentication suites.

An end-user credential MUST be signed. It is RECOMMENDED that the signature uses asymmetric cryptography.

4.3 End-User Credential Type Identifiers

Each authentication suite MUST be associated with a token type URI. An authentication suite SHOULD use a URI defined in the IANA "OAuth URI" registry.

5. Authorization

Linked Web Storage describes a mechanism for persisting and managing protected data on the Web. Authorization is the mechanism by which agents request and present access tokens in order to access this protected data.

5.1 Roles

The roles in LWS authorization are the same as those defined by OAuth 2.0 Section 1.1 [ RFC6749 ]: resource owner , resource server , client (called in this specification authorization client to avoid ambiguity), and authorization server . A storage server is a type of resource server that also conforms to the LWS storage specification.

5.2 Protocol Flow

This specification describes the interaction between a client and an authorization server as well as the interaction between a client and a conforming storage server.

The interaction between the authorization server and the storage server is out of scope of this specification. The authorization server may be the same server as the storage server or it may be a separate entity.

5.2.1 Authorization Server Discovery

All protected resources managed by a storage server require a valid access token, generated by a trusted authorization server. A client can discover the location of a trusted authorization server by making an unauthorized HTTP request to a protected resource.

A storage server generating a 401 (Unauthorized) response MUST send a WWW-Authenticate header field containing at least one conforming challenge. A conforming challenge will include the parameters described below:

  • as_uri REQUIRED — The value of this parameter is an absolute URI identifying the authorization server where a client can retrieve an access token. The value of this parameter will be the same as the iss claim of a valid access token.
  • realm REQUIRED — The value of this parameter is an absolute URI indicating the scope of protection. This value will be included in the audience ( aud ) claim of an access token. A client MUST verify that the URI of the originating request is logically contained within the realm presented in this response.

Other headers and parameters MAY be included.

An example 401 response is included below.

Example 1 
HTTP/2 401 Unauthorized
Link: ; rel="storageDescription"
WWW-Authenticate: Bearer as_uri="https://authorization.example",
                realm="https://storage.example/storage_1",
                error="invalid_token"

5.2.2 Authorization Server Metadata

An authorization server MUST provide a metadata resource to allow clients to discover endpoint locations and capabilities as described in [ RFC8414 ]. This metadata resource MUST be available at a URL with the path /.well-known/lws-configuration .

An authorization server SHOULD advertise the subject tokens that it supports by including a subject_token_types_supported entry in the server metadata document. This entry is a JSON array containing a list of valid subject_token_type values that can be supplied at the authorization server's token endpoint.

An example authorization server metadata resource is included below.

Example 2 
{
    "issuer": "https://authorization.example",
    "grant_types_supported": [
        "urn:ietf:params:oauth:grant-type:token-exchange"],
    "token_endpoint": "https://authorization.example/token",
    "jwks_uri": "https://authorization.example/jwks",
    "claims_supported": [
        "sub",
        "iss",
        "client_id",
        "aud"],
    "response_types_supported": [
        "token"],
    "subject_token_types_supported": [
        "urn:ietf:params:oauth:token-type:jwt",
        "urn:ietf:params:oauth:token-type:id-token"]

}

5.2.3 Token Exchange

An LWS authorization server is a conforming OAuth 2.0 authorization server, capable of issuing access tokens to a client for use with a storage server. In order to issue an access token, a client must first present a valid subject token, such as an end-user credential, to the authorization server via OAuth 2.0 Token Exchange [ RFC8693 ].

5.2.3.1 Request

The authorization server's token endpoint MUST support the urn:ietf:params:oauth:grant-type:token-exchange grant type, as described in OAuth 2.0 Token Exchange [ RFC8693 ].

When performing the token exchange grant type, the following additional requirements apply:

  • The resource parameter is REQUIRED . The value of this parameter MUST be an absolute URI and will be used to populate the aud (audience) claim in the resulting access token. The supplied value will be the same as the realm parameter response in a WWW-Authenticate challenge. The authorization server MUST reject any request in which the resource parameter identifies an unknown or untrusted storage.
  • The subject_token parameter is REQUIRED . The value of this parameter MUST include a valid subject token, such as an end-user credential.
  • Before returning an access token to the client, the authorization server MUST successfully validate all presented tokens.

Non-normative example of a token request (the subject_token parameter has been truncated).

Example 3 
POST /token HTTP/1.1
Host: authorization.example
Content-Type: application/x-www-form-urlencoded
grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange
&resource=https%3A%2F%2Fstorage.example%2Fstorage_1
&subject_token=eyJ0eXAiOiJhcytqd3QiLCJhbGciO...fiK51VwhsxJ-siBMR-YFiA
&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aid_token
5.2.3.2 Response

If the token request is valid and the client is authorized to make the request, the authorization server response MUST conform to Section 5.1 from the OAuth 2.0 Authorization Framework [ RFC6749 ]. The resulting access token MUST conform to the JSON Web Token Profile for OAuth 2.0 Access Tokens [ RFC9068 ].

In addition, the access token must meet the following requirements:

  • sub (subject) — REQUIRED . This claim MUST be an absolute URI identifying the agent performing the operation
  • iss (issuer) — REQUIRED . This claim MUST be the absolute URI of the authorization server
  • client_id (client id) — REQUIRED . This claim MUST be an absolute URI identifying the client.
  • aud (audience) — REQUIRED . This claim MUST include the absolute URI supplied by the client in the resource parameter. This value will be used to restrict the entities for which the access token is valid. This will be the same value as provided by a storage server in the realm parameter of a WWW-Authenticate challenge.
  • exp (expiration) — REQUIRED . Authorization servers SHOULD issue tokens with short lifetimes ( RECOMMENDED : 300 seconds or less) to limit exposure from token theft.
  • iat (issued at) — REQUIRED .
  • jti (JWT ID) — REQUIRED .

A non-normative example of a successful token response is included below.

Example 4 
HTTP/1.1 200 OK
Content-Type: application/json
{
    "access_token":"eyJ0eXAiOiJhcytqd3QiLCJhbGciOiJFUzI1NiIs...DeWt4QuZXso",
    "token_type":"Bearer",
    "expires_in":3600

}

All invalid or unauthorized requests MUST result in an error response as described in Section 5.2 in the OAuth 2.0 Authorization Framework [ RFC6749 ].

Example 5 
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
    "error":"invalid_request"

}
5.2.3.3 Example access token

This section is non-normative.

An example access token issued by an authorization server is included below.

Example 6 
{
  "kid": "ec51c6b2",
  "kty": "EC",
  "alg": "ES256",
  "crv": "P-256",
  "typ": "at+jwt"
}
.
{
  "sub": "https://id.example/agent",
  "iss": "https://authorization.example",
  "client_id": "https://app.example/id",
  "aud": "https://storage.example",
  "exp": 1735686300,
  "iat": 1735686000,
  "jti": "550e8400-e29b-41d4-a716-446655440000"
}
.
signature

5.2.4 Token Validation by a Storage Server

Once a client is in possession of an access token, it will present this token to a storage server. The storage server is responsible for verifying this token before performing any operation.

5.2.4.1 Presentation

A client MUST present an access token to a storage server using the Authorization header with an authentication scheme as defined in [ RFC6750 ].

Example 7 


Authorization

:

Bearer
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...
5.2.4.2 Validation

A storage server MUST validate an access token by performing the following checks, rejecting the request upon any failure:

  • JWT Signature Validation: Verify the JWT signature using the authorization server's public key retrieved from the jwks_uri specified in the authorization server metadata. Storage servers SHOULD cache these keys and MUST support key rotation.
  • Issuer Validation: Verify the iss claim matches the expected authorization server identifier.
  • Audience Validation: Verify the aud claim contains exactly one value and this value is an absolute URI identifying the storage server which logically contains the target resource.
  • Temporal Validation, subject to an allowable clock skew between systems.
    • Verify the current time is before the exp (expiration) claim.
    • Verify the current time is not before the nbf (not before) claim, if present.
    • Verify that the iat (issued at) claim is not in the future.

If validation fails, the storage server MUST return 401 Unauthorized with a WWW-Authenticate header containing an appropriate error parameter (e.g., invalid_token, invalid_request, or insufficient_scope).

If the token is otherwise valid but an authorization policy does not allow the requested operation, the storage server MUST reject the request.

6. Discovery

Define how requesting agents discover served resources and their capabilities.

7. Operations

7.1 create resource

Create resource

In addition to the core responses , a create operation may produce any of:

7.2 read resource

The read resource operation requests a resource representation . Draw from Solid Protocol - Reading Resources .

7.3 update resource

The update resource modifies the contents of a served resource . Draw from Solid Protocol - Reading Resources .

7.4 delete resource

Delete resource

8. Logical Resource Organization

Define the data model for logical resource organization within LWS, including how containers are structured, hierarchical relationships between resources, container semantics, containment rules, and the mechanisms for organizing and navigating collections of related resources. This should cover container creation, membership management, and the relationship between containers and the resources they contain.

9. REST Binding

This strawman mapping of the operations and responses defined above allows LWS REST Servers and LWS REST Clients to communicate over HTTP using REST conventions.

The following table maps LWS response to an HTTP status code and payload:

LWS response HTTP status code HTTP payload
success 200 resource representation
not permitted ...
unknown requester ...
unknown error ...
created 201

10. Resource Identification

Define how resources are identified and addressed within the LWS Protocol, including URI schemes, resource naming conventions, and resolution mechanisms. This section may be moved within another section; e.g. Resource Access

this left intentionally blank

11. Unstable Features

The features described in this section are being drafted to ground discussions and may be removed if there is:

this left intentionally blank

11.1 Profile Negotiation on Resources

Define mechanisms for content negotiation based on profiles, allowing clients to request specific representations or views of resources (e.g., JSON-LD contexts, different RDF serializations, or application-specific profiles).

this left intentionally blank

11.2 Notifications

Define notification mechanisms that allow clients to be informed of changes to resources, including subscription models, event formats, and delivery mechanisms.

this left intentionally blank

11.3 Inbox

Define inbox resources with specific semantics within LWS, including message posting, retrieval, and management capabilities for asynchronous communication patterns.

this left intentionally blank

12. Portability Considerations

Describe considerations for ensuring LWS implementations can work across different platforms, environments, and storage backends while maintaining interoperability - and provide affordances to enable change in storage providers

this left intentionally blank

13. Security Considerations

Formal security considerations section covering threat models, security requirements, and implementation guidance for secure LWS deployments.

13.1 Authentication Security

All communications related to requesting, retrieving and presenting end-user credentials between clients and servers must use TLS-protected connections.

End-user credentials are vulnerable to theft and replay. Tokens should have a reasonably short lifetime, such as 3600 seconds (1 hour).

Clients that persist end-user credentials must take great care to store these tokens securely. Tokens should never be stored unencrypted in a browser's localStorage, in URLs or in logs.

13.2 Authorization Security

The recommendations described in Best Current Practice for OAuth 2.0 Security [ RFC9700 ] apply to this specification.

13.2.1 Transport Security

An Authorization Server implementation MUST support TLS. When using TLS, the client MUST perform a TLS/SSL server certificate check, per RFC 6125 [ RFC6125 ]. Implementation security considerations can be found in "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)" [ BCP195 ].

13.2.2 Token Security

Bearer tokens are vulnerable to theft and replay. Required mitigations include:

  • Short Lifetimes: Tokens SHOULD have lifetimes of 300 seconds (5 minutes) or less
  • Audience Binding: Tokens MUST be bound to a specific storage server via the aud claim
  • Secure Storage: Clients MUST store tokens securely in memory when possible, never in localStorage, URLs, or logs

13.2.3 End-User Credential Protection

End-user credentials with unrestricted audiences MUST NOT be provided to untrusted authorization servers.

If an end-user credential issuer is unable to restrict the audience of a token, clients SHOULD use a mechanism such as OAuth 2.0 Token Exchange [ RFC8693 ] to create audience-restricted credentials before interacting with authorization servers.

14. Privacy Considerations

This section is non-normative.

Privacy implications of the LWS Protocol, including data minimization, user consent, and privacy-preserving implementation patterns.

14.1 Authentication Privacy

End-user credentials Credentials carry information about users. users and agents. While digital signatures can protect end-user credentials against tampering, it is possible for clients or other third parties to read the values inside an unencrypted credential.

As a result, credential issuers should are encouraged to create end-user credentials tokens that contain only the information necessary for authentication. Avoid including sensitive attributes unless required. Implementations should not log the full contents of an end-user credential. If logging is necessary, tokens should be truncated authentication or hashed. 14.2 Authorization Privacy Minimal Disclosure: Authorization servers should issue tokens containing only information necessary for authorization. Avoid authorization, and to avoid including sensitive subject attributes unless required.

Logging: Implementations should not log full token contents. If logging In general, it is an anti-pattern to write unencrypted credential data to a log. In cases where this is necessary, tokens should be truncated implementations can truncate or hashed. hash a credential to preserve the privacy of the credential subject.

When using pseudonymous identifiers in JWTs, a storage server may still be able to correlate requests from the same agent over time. To preserve user privacy in this case, a client applications should application can request a batch issuance of JWTs and where each JWT should be is used only one time against the storage server. This makes it harder for a storage server to use pseudonymous identifiers to correlate requests. time. This does not prevent the storage server from using other information such as similarities in JWT content or originating IP address to correlate requests. When using pseudonymous identifiers, the authorization server should will need to be careful not to issue the same pseudonymous identifier more than once.

15. IANA Considerations

This section is non-normative.

15.1 well-known URI Registry

This specification adds the following value to the "Well-Known URIs" registry [ IANA.well-known ] established by RFC 5785 [ RFC5785 ].

15.2 OAuth Authorization Server Metadata Registry

This specification adds the following value to the "OAuth Authorization Server Metadata" registry [ IANA.OAuth.Parameters ] established by [ RFC8414 ].

A. References

A.1 Normative references

[BCP195]
Reference not found.
[OPENID-CONNECT-CORE]
OpenID Connect Core 1.0 incorporating errata set 2 . N. Sakimura; J. Bradley; M. Jones; B. de Medeiros; C. Mortimore. OpenID Foundation. 15 December 2023. Final. URL: https://openid.net/specs/openid-connect-core-1_0.html
[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels . S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC6125]
Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS) . P. Saint-Andre; J. Hodges. IETF. March 2011. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6125
[RFC6749]
The OAuth 2.0 Authorization Framework . D. Hardt, Ed. IETF. October 2012. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6749
[RFC6750]
The OAuth 2.0 Authorization Framework: Bearer Token Usage . M. Jones; D. Hardt. IETF. October 2012. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc6750
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words . B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174
[RFC8414]
OAuth 2.0 Authorization Server Metadata . M. Jones; N. Sakimura; J. Bradley. IETF. June 2018. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc8414
[RFC8693]
OAuth 2.0 Token Exchange . M. Jones; A. Nadalin; B. Campbell, Ed.; J. Bradley; C. Mortimore. IETF. January 2020. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc8693
[RFC9068]
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens . V. Bertocci. IETF. October 2021. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc9068
[rfc9112]
HTTP/1.1 . R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed. IETF. June 2022. Internet Standard. URL: https://httpwg.org/specs/rfc9112.html
[RFC9700]
Best Current Practice for OAuth 2.0 Security . T. Lodderstedt; J. Bradley; A. Labunets; D. Fett. IETF. January 2025. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc9700

A.2 Informative references

[IANA.OAuth.Parameters]
Reference not found.
[IANA.well-known]
Reference not found.
[RFC5785]
Defining Well-Known Uniform Resource Identifiers (URIs) . M. Nottingham; E. Hammer-Lahav. IETF. April 2010. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc5785