The W3 Revocations Check protocol provides a public API endpoint for checking if specific delegation CIDs have been revoked and retrieving cryptographic proof data for trustless verification. This protocol enables clients to verify the validity of UCAN delegations by checking their revocation status.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.
The revocations check protocol allows clients to verify whether UCAN delegations have been explicitly revoked. The protocol provides a simple HTTP GET endpoint that returns either cryptographic proof of revocation or indicates that no revocation exists for the queried delegation CID.
- Method:
GET - Path:
/{cid}(can be hosted at any path, the CID parameter is the key component) - Authentication: None required (public endpoint)
- CDN Cacheable: Yes (simple GET requests with 200/404 responses)
cid (required): Delegation CID to check for revocations. Must be a valid IPFS CID string.
- CID Format: Valid IPFS CID string (e.g.,
bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi) - Encoding: the CID SHOULD be encoded using multibase base32 (e.g.,
bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi)
Content-Type: application/vnd.ipld.car
Returns a CAR (Content Addressable aRchive) file containing:
- Revocation metadata in
revocations@0.0.1schema - Embedded UCAN proof blocks for trustless verification
- ETag header for caching optimization
The CAR file contains a root block with the following structure (shown in DAG-JSON for readability, but it is RECOMMENDED that the root block be encoded as DAG-CBOR for efficiency):
{
"revocations@0.0.1": {
"revocations": [
{
"delegation": { "/": "[delegationCID]" },
"cause": { "/": "[causeCID]" }
}
]
}
}Field Descriptions:
-
delegation: CID of the delegation that has been revoked -
cause: CID referencing aucan/revokeinvocation that caused this revocation. This must be a valid UCAN withcan: "ucan/revoke"capability, containing:with: DID of the principal that issued the UCAN being revoked (or some UCAN in its proof chain)nb.ucan: Link to the UCAN being revokednb.proof: Recommended list of UCAN links showing the path from revoked UCAN to the authority
See the W3 UCAN Revocation specification for complete details.
The CAR file includes the complete UCAN revocation proof referenced by causeCID, enabling clients to:
- Cryptographically verify the revocation signature
- Validate the revocation authority chain
- Perform trustless verification without server dependency
Content-Type: text/plain
No revocation record found
This indicates that this service does not know of a revocation for the provided delegation CID. Clients should check the delegation's proof chain to determine if it's invalid due to revoked dependencies by sending subsequent requests.
Content-Type: application/json
{
"error": "Bad request",
"message": "Invalid CID parameter"
}{
"error": "Bad request",
"message": "CID parameter is required"
}Content-Type: application/json
{
"error": "Internal server error",
"message": "Failed to query revocations"
}{
"error": "Internal server error",
"message": "An unexpected error occurred"
}The endpoint includes CORS headers for cross-origin requests:
Access-Control-Allow-Origin: *Access-Control-Allow-Methods: GETAccess-Control-Allow-Headers: Accept
# Check if a delegation is revoked
curl -X GET https://revocations.storacha.network/{cid}
# Save CAR file for offline verification (when response is 200)
curl -X GET https://revocations.storacha.network/{cid} \
-H "Accept: application/vnd.ipld.car" \
-o revocation-proof.car