The Vault is a Cloudflare Worker deployed at the root of theDocumentation Index
Fetch the complete documentation index at: https://docs.hyperauth.dev/llms.txt
Use this file to discover all available pages before exploring further.
did.run domain. It routes per-identifier requests to a Durable Object (the Vault DO, one instance per registration identifier) and handles stateless and global operations directly. All responses are JSON unless noted otherwise, and all endpoints are served with CORS headers.
Endpoint groups
Static / CDN
Serves the enclave WASM binary.
Stateless
Read-only operations that do not touch a Durable Object: contracts, bundler proxy, balance, status.
Global Lookups
Resolve credential IDs to DIDs and check alias availability via the global D1 database.
Registration
Per-identifier endpoints that route to a Durable Object: session creation, verification, DID registration.
Indexer
Proxy for the upstream indexer service with an allowlist.
Payments
Web Payment Handler API endpoints for the browser-native payment flow.
Conventions
- All responses use
application/jsonunless explicitly stated otherwise. - Errors return a non-2xx status and a body of the form
{ "error": "<code>" }unless otherwise noted. - CORS headers are returned on every response. Cross-origin embeds (widgets, payment handlers) are supported.
- IP-based rate limits are derived from the
CF-Connecting-IPheader. See Rate Limits for the full table.
Routing model
The worker uses three routing layers:| Layer | Backed by | Examples |
|---|---|---|
| Static asset | R2 (CDN_ASSETS) or ASSETS binding | GET /enclave.wasm, GET /pay/* |
| Stateless / global | Worker, with SESSION_DB (D1) for lookups | GET /api/contracts, GET /api/dids/lookup |
| Per-identifier | Vault Durable Object instance, keyed by registration identifier | POST /api/sessions, POST /api/verify/send |