Skip to main content
The Vault is a Cloudflare Worker deployed at the root of the did.run domain. It routes per-identifier requests to a Durable Object (the Vault DO, one instance per registration identifier) and handles stateless and global operations directly. All responses are JSON unless noted otherwise, and all endpoints are served with CORS headers.

Endpoint groups

Static / CDN

Serves the enclave WASM binary.

Stateless

Read-only operations that do not touch a Durable Object: contracts, bundler proxy, balance, status.

Global Lookups

Resolve credential IDs to DIDs and check alias availability via the global D1 database.

Registration

Per-identifier endpoints that route to a Durable Object: session creation, verification, DID registration.

Indexer

Proxy for the upstream indexer service with an allowlist.

Payments

Web Payment Handler API endpoints for the browser-native payment flow.

Conventions

  • All responses use application/json unless explicitly stated otherwise.
  • Errors return a non-2xx status and a body of the form { "error": "<code>" } unless otherwise noted.
  • CORS headers are returned on every response. Cross-origin embeds (widgets, payment handlers) are supported.
  • IP-based rate limits are derived from the CF-Connecting-IP header. See Rate Limits for the full table.

Routing model

The worker uses three routing layers: