Other Providers
As an open protocol, Zapf is designed to be extensible. Independent Identity Authorities (IAs) can implement any number of Legacy Identity Providers (LIDPs) to support niche communities or enterprise users.
Common targets include:
- GitHub (
github) - Google (
google) - LinkedIn (
linkedin) - Reddit (
reddit)
Standardization Rules
If an IA operator adds a new provider, they must adhere to the standard Zap Protocol conventions.
1. Unified Prefixing
The lidp name MUST be short, lowercased, and used as a prefix before the identifier to create the raw string.
Example: github:flzpace
2. Immutable Identifiers
The chosen identifier must be stable. For GitHub, the username is changeable, so an IA should use the numeric user ID (e.g., 12345) as the identifier to prevent account takeover vectors, even if the client UI resolves handles for display purposes.
3. Verification Mode
All providers must use one of the two supported verification flows:
- Bot Session: The IA's bot exchanges a challenge code with the user in a platform channel (Discord, Telegram). The resulting
npv1challenge token is posted in a public message. - Challenge Token: The user posts the
npv1challenge token in a publicly accessible profile field, post, or DNS record, then submits the URL (X, GitHub, TikTok, domain, etc.).
In both cases, auth_type in the evidence JSON is always "public_post". For platform-based providers where the user controls a public profile field (GitHub bio, LinkedIn About, Reddit bio), the Challenge Token flow is standard.
4. Evidence
The evidence tag in the resulting Kind 35522 Attestation must include evidence_url (the public post/profile URL), challenge (the npv1 token that appeared there), and pre_auth_code (the raw code used to generate the challenge). All three are required for cross-IA cryptographic verification.