Running an Identity Authority (IA)

Zapf is an open, federated protocol. While zapf.app operates a public Authority, anyone can spin up their own independent Identity Authority (IA).

You might run a custom IA to support a specific community platform, or to offer a high-privacy attestation service free from central oversight.

IA Server Requirements

To operate a compliant IA on the Zapf network, your infrastructure needs:

  1. A Nostr Keypair: A securely generated private key that will act as your Server Identity. You will use this to sign all Attestations and Zap Receipts.
  2. A Public Nostr Relay: An accessible relay (e.g., wss://relay.yourdomain.com) where you will publish your attestations. This relay must have high uptime, as wallets will query it during the Deep Check verification phase.
  3. A Lightning Node: A Master Node capable of generating and settling invoices instantly. This node holds the escrow funds for the Fallback Lightning Address flow.
  4. A Database (Ledger): To accurately track the balances of unregistered identities before they are swept to user wallets.
  5. A Web Server: To serve standard .well-known/lnurlp/ endpoints for LUD-16 resolution.

The Attestation Lifecycle

As an IA operator, you are responsible for the entire lifecycle of the identity connections you certify.

Signing

When a user authenticates with a LIDP via your service, you strictly normalize their identifier, generate the cryptographic ConnectionKey, and publish an Attestation to your relay.

Dealing with Expiration

If relying on OAuth, set the expiration timestamp on your Attestation to match the expiry of the underlying provider's access token. Once the token expires, the attestation automatically becomes invalid, so a lapsed provider session can never outlive its attestation.

Active Revocation

If a user disconnects their identity from your dashboard, or if you detect abusive behavior, your IA must immediately publish a deletion event targeting the original Attestation. When wallets perform a Deep Check on your relay, they will see the deletion and reject out-of-date attestations.

Establishing Trust

Because Zapf is permissionless, simply running an IA does not mean the network will use it.

Wallets and client applications (like the zapf.app web client) maintain a list of Trusted IA Pubkeys. To get your IA recognized broadly across the ecosystem, you must build a reputation for securely verifying identities, protecting user data, and maintaining stable infrastructure.
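The lifecycle above (expiration tied to the token expiry, active revocation via a deletion event) and the trusted-IA list from this section, modelled end to end as an added example that is not part of the Zapf project's code. It assumes the attestation is a standard Nostr event with a NIP-40 "expiration" tag and that revocation is a NIP-09 kind-5 deletion; the attestation kind, the ConnectionKey value and the IA pubkeys are placeholders, and Schnorr signing is left out so the block runs offline.

```python
import hashlib
import json

ATTESTATION_KIND = 30000  # placeholder: the real Zapf attestation kind is not given here
DELETION_KIND = 5         # NIP-09 deletion event kind

def event_id(pubkey, created_at, kind, tags, content):
    """NIP-01 event id: sha256 over the canonical serialization (signature omitted)."""
    payload = json.dumps([0, pubkey, created_at, kind, tags, content],
                         separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode()).hexdigest()

def make_event(pubkey, kind, tags, content, created_at):
    return {"id": event_id(pubkey, created_at, kind, tags, content),
            "pubkey": pubkey, "created_at": created_at, "kind": kind,
            "tags": tags, "content": content}

def build_attestation(ia_pubkey, connection_key, token_expires_at, now):
    """IA side: the NIP-40 expiration is set to the OAuth access-token expiry."""
    tags = [["d", connection_key], ["expiration", str(token_expires_at)]]
    return make_event(ia_pubkey, ATTESTATION_KIND, tags, "", now)

def build_deletion(ia_pubkey, attestation, now):
    """IA side: active revocation, a kind-5 event targeting the original attestation."""
    return make_event(ia_pubkey, DELETION_KIND, [["e", attestation["id"]]], "revoked", now)

def deep_check(attestation, relay_events, trusted_ias, now):
    """Wallet side: trusted issuer, untampered id, not expired, not deleted by its issuer."""
    if attestation["pubkey"] not in trusted_ias:
        return "untrusted_ia"
    expected = event_id(attestation["pubkey"], attestation["created_at"],
                        attestation["kind"], attestation["tags"], attestation["content"])
    if attestation["id"] != expected:
        return "bad_id"
    for tag in attestation["tags"]:
        if tag[0] == "expiration" and now >= int(tag[1]):
            return "expired"
    # Only a deletion signed by the attesting IA itself counts; anyone else's is ignored.
    for ev in relay_events:
        if (ev["kind"] == DELETION_KIND and ev["pubkey"] == attestation["pubkey"]
                and ["e", attestation["id"]] in ev["tags"]):
            return "revoked"
    return "valid"
```

The deletion check deliberately matches on the attesting pubkey, since a relay may carry kind-5 events from arbitrary keys and a wallet that honoured any of them could be tricked into dropping a valid attestation.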