Running an Identity Authority (IA)

While zapf.app operates the primary Identity Authority for the network, the protocol is federated. Anyone can run their own IA.

You might run a custom IA to support a niche Legacy Identity Provider (LIDP) specific to your community, or to offer a higher-privacy attestation service that doesn't rely on the official servers.

IA Server Requirements

To operate a compliant IA on the Zapf network, your infrastructure needs:

  1. A Nostr Keypair: A securely generated private key (nsec) that will act as your Server Identity. You will use this to sign all Kind 35522 Attestations and Kind 5521/5522 Custodial Receipts.
  2. A Public Nostr Relay: An accessible relay (e.g., wss://relay.yourdomain.com) where you will publish your attestations. This relay must have high uptime, as wallets will query it during the Deep Check verification phase.
  3. A Lightning Node: A Master Node capable of generating and settling invoices instantly. This node holds the escrow funds for the Fallback Address flow.
  4. A Database (Ledger): To accurately track the balances of unregistered identities (using the r tag flow) before they are swept to user wallets.
  5. A Web Server: To serve standard .well-known/lnurlp/ endpoints for LUD-16 resolution.

The Attestation Lifecycle

As an IA operator, you are responsible for the entire lifecycle of the identity connections you certify.

Signing

When a user authenticates with a LIDP via your service, you strictly normalize their identifier, generate the cryptographic ConnectionKey, and publish a Kind 35522 (IA Attestation) to your relay.

Dealing with Expiration

If your LIDP integration relies on OAuth, set the NIP-40 expiration tag on your Kind 35522 to match the expiry of the provider's access token. Once the token expires, the attestation becomes invalid automatically.

Active Revocation

If a user disconnects their identity from your dashboard, or if you detect abusive behavior, your IA must immediately publish a Kind 5 (Event Deletion) targeting the id of the original Kind 35522. When wallets perform a Deep Check on your relay, they will see the deletion and reject out-of-date attestations.
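The three lifecycle steps above (signing a Kind 35522, tagging it with a NIP-40 expiration, revoking it with a Kind 5) and the wallet-side Deep Check that consumes them, as an added Python example that is not part of this documentation or the zapf.app code. It assumes the attestation carries the ConnectionKey in its "d" tag and uses a constructed placeholder for the trusted IA pubkey; Schnorr signing and signature verification are left to a secp256k1 library and are not shown.

```python
import hashlib
import json
import time

TRUSTED_IA_PUBKEYS = {"a" * 64}  # constructed placeholder, not a real IA key

def event_id(pubkey, created_at, kind, tags, content):
    # NIP-01: id = sha256 over the JSON array [0, pubkey, created_at, kind, tags, content]
    # serialised without whitespace. The IA signs this id with its nsec (not shown).
    payload = json.dumps([0, pubkey, created_at, kind, tags, content],
                         separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

def build_event(pubkey, created_at, kind, tags, content=""):
    ev = {"pubkey": pubkey, "created_at": created_at, "kind": kind,
          "tags": tags, "content": content}
    ev["id"] = event_id(pubkey, created_at, kind, tags, content)
    return ev  # "sig" (BIP-340 over id) is added by the IA's signing library

def build_attestation(ia_pubkey, connection_key, created_at, expires_at):
    # Kind 35522 is addressable, so it needs a "d" tag; putting the ConnectionKey
    # there is an assumption. The NIP-40 "expiration" tracks the LIDP token expiry.
    tags = [["d", connection_key], ["expiration", str(expires_at)]]
    return build_event(ia_pubkey, created_at, 35522, tags)

def build_deletion(ia_pubkey, target, created_at):
    # NIP-09 Kind 5: the "e" tag names the attestation id being revoked, "k" its kind
    tags = [["e", target["id"]], ["k", str(target["kind"])]]
    return build_event(ia_pubkey, created_at, 5, tags)

def deep_check(att, relay_events, now=None, trusted=TRUSTED_IA_PUBKEYS):
    """Wallet-side verdict on an attestation fetched from the IA's relay:
    'ok', 'untrusted', 'tampered', 'expired' or 'revoked'."""
    now = int(time.time()) if now is None else now
    if att["pubkey"] not in trusted:
        return "untrusted"
    # Recompute the id so a relay cannot hand back altered tags under a valid id
    if att["id"] != event_id(att["pubkey"], att["created_at"], att["kind"],
                             att["tags"], att["content"]):
        return "tampered"
    for tag in att["tags"]:
        if tag[0] == "expiration" and now >= int(tag[1]):
            return "expired"
    for ev in relay_events:
        # Only a Kind 5 from the attesting IA itself revokes (NIP-09); ignore others
        if ev["kind"] == 5 and ev["pubkey"] == att["pubkey"] and \
                any(t[0] == "e" and t[1] == att["id"] for t in ev["tags"]):
            return "revoked"
    return "ok"
```

A real Deep Check also verifies the event's `sig` against the IA pubkey before anything else; the checks above are the protocol-level logic on top of that.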

Establishing Trust

Because Zapf is permissionless, simply running an IA does not mean the network will use it.

Wallets and client applications (like the zapf.app web client) maintain a list of Trusted IA Pubkeys. To get your IA recognized broadly across the ecosystem, you must build a reputation for securely verifying identities, protecting user data, and maintaining stable infrastructure.