decentrl.
Identity

DID Documents

The did:decentrl method embeds everything needed for communication directly in the identifier string — no registry lookups required.

Formal spec: DCTRL-0001 — The did:decentrl DID Method defines the full DID syntax, resolution algorithm, and security considerations.

The did:decentrl Method

A Decentralized Identifier (DID) is a globally unique identifier controlled through cryptographic key ownership rather than a platform-granted account. Alice controls her DID because she holds the private keys, not because a company manages her account.

Decentrl uses the did:decentrl method — a self-contained identifier that embeds all essential information directly in the string:

did:decentrl:{alias}:{signing_key}:{pre_key}:{mediator_did}
SegmentEncodingPurpose
aliasbase64Human-readable name
signing_keybase58btc multibaseEd25519 public key
pre_keybase58btc multibaseX25519 public key for bootstrapping contracts
mediator_didbase64The mediator's own DID

Because everything is embedded, applications can extract public keys and the mediator endpoint from the DID string alone. No network requests. No registry lookups. This makes did:decentrl ideal for rapid identity creation and immediate use.

Example

When Alice creates her identity with alias "alice" and registers with did:web:mediator.decentrl.io:

did:decentrl:YWxpY2U:z6MkpTzgH3Kj2w...:z6LSqR9vNp...:ZGlkOndlYjptZWRpYXRvci5kZWNlbnRybC5pbw

Anyone who receives this string can immediately:

  1. Extract Alice's public signing key (verify her signatures)
  2. Extract Alice's public pre-key (encrypt a contract request to her)
  3. Resolve her mediator endpoint (know where to deliver messages)

W3C DID Document

Resolving a did:decentrl identifier produces a standard W3C DID document:

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://w3id.org/security/suites/jws-2020/v1"
  ],
  "id": "did:decentrl:YWxpY2U:z6MkpT...:z6LSqR...:ZGlk...",
  "verificationMethod": [{
    "id": "did:decentrl:YWxpY2U:z6MkpT...:z6LSqR...:ZGlk...#signing",
    "type": "Ed25519VerificationKey2020",
    "publicKeyMultibase": "z6MkpT..."
  }],
  "keyAgreement": [{
    "id": "did:decentrl:YWxpY2U:z6MkpT...:z6LSqR...:ZGlk...#prekey",
    "type": "X25519KeyAgreementKey2020",
    "publicKeyMultibase": "z6LSqR..."
  }],
  "service": [{
    "id": "#mediator",
    "type": "DecentrlMediator",
    "serviceEndpoint": { "uri": "https://mediator.decentrl.io" }
  }]
}

The verificationMethod contains the Ed25519 signing key for signature verification. The keyAgreement contains the X25519 pre-key for initiating encrypted contracts. The service endpoint tells you where to send messages.

In Code

import { generateIdentityKeys } from '@decentrl/crypto'
import { createDecentrlDidFromKeys } from '@decentrl/identity'

const keys = await generateIdentityKeys()
const did = createDecentrlDidFromKeys(
  'alice',
  keys,
  'did:web:mediator.decentrl.io'
)
// → did:decentrl:YWxpY2U:z6MkpTzgH3Kj2w...:z6LSqR9vNp...:ZGlkOndlYjp...

Resolution requires resolving the mediator endpoint:

import { resolveDecentrlDid } from '@decentrl/identity'

const didDocument = await resolveDecentrlDid(did)
// → standard W3C DID document as shown above

Key Generation

Every Decentrl identity starts with three cryptographic keys — each with a distinct purpose and blast radius.

Network Architecture

The Decentrl network consists of two types of participants — clients and mediators — connected through communication contracts.

On this page

The did:decentrl MethodExampleW3C DID DocumentIn Code