Skip to main content

What identity looks like in code

Two layers — the oracle’s persistent identity, set once at boot via env vars; and per-user identity, validated on every request via UCAN headers.
The OracleConfig type lives in packages/oracle-runtime/src/plugin-api/types.ts — plugins read the resolved identity off ctx.identity (a OracleIdentity).

One-time oracle setup

1

Run the CLI to create the oracle's on-chain entity and Matrix account

This creates a blockchain entity (did:ixo:entity:...), registers linked resources, provisions a Matrix bot account, and writes both oracle.config.json and .env. Run once per deployment — subsequent deploys reuse the identity.
create-entity registers --api-url http://localhost:4000 by default, but the runtime’s own default PORT is 3000 (the example above pins the URL to :3000 to match). If you take the default URL instead, make your oracle reachable at it: either set PORT=4000 in .env, or change the registered URL later with qiforge-cli update-oracle-api-url.
See the CLI reference for every flag.
2

Provision the encryption key for per-room secrets

Sets up the P-256 keyAgreement on the oracle’s Matrix account room. Without this, the secrets read path returns nothing (acceptable degraded mode for routes that don’t need it).
3

Verify .env has every identity var

After CLI setup, .env contains the core identity vars validated by baseEnvSchema:
The runtime validates all of these at boot via baseEnvSchema; missing vars fail with a clear message.Two auth-tuning vars have safe defaults — set them only to override:
UCAN_AUTH_MAX_TTL_SECONDS bounds the replay window server-side regardless of the TTL the client declares; UCAN_REAUTH_PROMPT_THROTTLE_SECONDS keeps a de-authorized user from being nagged on every message.

What the runtime loads on boot

After Matrix init completes in the background, the runtime reads two further pieces of secret material from the oracle’s Matrix account room:
  1. UCAN signing mnemonic — used by UcanService to mint downstream-service invocations.
  2. P-256 encryption key — used by SecretsService to decrypt per-room secrets.
If a key is missing, boot logs a warning naming the CLI command to fix it. Auth-requiring routes return 401 until provisioned; non-authenticated routes (/, /health, /docs, any host or plugin authExcludedRoutes) stay reachable.

Per-request user auth

Two distinct concerns, two distinct artifacts — AuthHeaderMiddleware verifies both on every protected route:
  • Authentication (who is calling) = a user-signed UCAN invocation. Short-lived, replay-bounded, sent as Authorization: Bearer <invocation> + X-Auth-Type: ucan. This is the primary auth path.
  • Authorization (what the oracle may do downstream) = the user→oracle delegation, sent as x-ucan-delegation. Plugins read it to mint downstream-service invocations on the user’s behalf.
A bare x-ucan-delegation (no invocation) is still accepted as a migration fallback for clients that haven’t moved to invocation auth yet. New clients should send both: the invocation to authenticate, the delegation for downstream authorization.
When neither an invocation nor a delegation is present, the middleware returns 401 with:
A malformed or expired invocation returns 401 Invalid UCAN invocation. AuthHeaderMiddleware:
1

Validates the invocation (primary)

When X-Auth-Type: ucan + Authorization: Bearer … are present, validateUcanInvocation verifies the signature and audience (the oracle’s ORACLE_DID) and rejects any invocation whose lifetime exceeds UCAN_AUTH_MAX_TTL_SECONDS (default 900s). Results are cached by the token’s SHA-256 hash with TTL = the invocation’s own expiry, so reusing the same token until it expires (JWT-style) doesn’t re-hit Blocksync. The invocation’s signer becomes req.authData.did.
2

Falls back to the delegation (migration only)

When no invocation is sent, validateUcanDelegation authenticates the request from x-ucan-delegation instead. Delegation results cache with TTL = the delegation’s expiry (or a 3-minute fallback when it declares none).
3

Trusts the delegation downstream only when it's the caller's own

A delegation is public and shareable, so the middleware acts on it downstream only when its issuer DID equals the authenticated DID. When they differ, the delegation is ignored downstream — req.authData.ucanDelegation.raw is set to '', and plugins branch on raw.length === 0. This stops a client from pairing their own invocation with someone else’s delegation to make the oracle act on that person’s behalf.
4

Attaches RuntimeUserContext to the request

The next middleware (RuntimeContextBuilder) reads req.authData to build the rtCtx.user field handed to every tool handler — see the Runtime context reference.

Opt routes out of auth

Two mechanisms to expose public routes — host-level and plugin-level. Both merge onto the runtime’s built-in exclusion list: / (the JSON landing payload), /health, /docs, and /docs/(.*).
1

From the host — pass authExcludedRoutes to createOracleApp

Reference: apps/qiforge-example/src/main.ts.
2

From a plugin — implement getAuthExcludedRoutes

Reference: weather.plugin.ts.
Any other plugin or host route returns 401 without a UCAN header — exclusion is path-and-method specific.

Mint downstream UCAN invocations

When a plugin calls a downstream service on the user’s behalf, it does not reuse the user’s invocation — it mints a fresh one signed by the oracle’s SECP_MNEMONIC, derived from the user’s stored delegation. The minted invocation goes out to the downstream service the same way the user authenticates to this oracle: Authorization: Bearer <invocation> + X-Auth-Type: ucan.
The full UCAN helper surface on rtCtx.ucan: See packages/oracle-runtime/src/modules/ucan/ for the service implementation.

What plugins can and cannot do

  • Can: read rtCtx.user.did, rtCtx.user.matrixUserId, rtCtx.user.ucanDelegation, rtCtx.user.timezone.
  • Can: call rtCtx.secrets.getIndex() / getValues() to read per-room secrets.
  • Can: mint downstream invocations via rtCtx.ucan.mintInvocation.
  • Cannot: override the oracle’s identity per request.
  • Cannot: issue UCANs as anyone other than the oracle itself.

API endpoints

Which routes are auth-protected and which are public.

CLI reference

create-entity, setup-encryption-key, and the rest of identity setup.

Runtime context

The full rtCtx.user, rtCtx.ucan, rtCtx.secrets surface.

Environment variables

Every identity-related env var, declared and validated.