init-issuer
Initialize the .well-known directory structure for an SIG issuer. This is the first step when setting up a new organization to publish SIG feeds.
Usage
ak init-issuer --domain <DOMAIN> --out-dir <PATH> [OPTIONS]
Flags
| Flag | Required | Default | Description |
|---|---|---|---|
| --domain <DOMAIN> | Yes | — | Domain for the did:web identifier. |
| --out-dir <PATH> | Yes | — | Output directory for .well-known files. |
| --kid <KID> | No | orgsign-1 | Key ID for the initial signing key. |
| --seed-hex <HEX> | No | Random | 32-byte hex seed for deterministic key generation. |
Created Files
Running init-issuer creates the following directory structure under the specified output directory:
.well-known/
  did.json          # DID document for the issuer
  jwks.json         # JSON Web Key Set with the initial signing key
  sig.json          # SIG metadata document
  sig/
    events.jsonl    # Event feed (initially empty)
- did.json — The DID document containing the issuer’s did:web identifier and verification methods.
- jwks.json — The JWKS containing the initial public signing key.
- sig.json — Metadata pointing consumers to the JWKS and event feed locations.
- sig/events.jsonl — The append-only event log, starting empty.
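A pre-publish check of the layout listed above, as an added example that is not part of the ak tool or of the original page. It assumes did.json carries the DID in the DID Core `id` member and that jwks.json is an RFC 7517 key set of RFC 8037 OKP keys; `check_issuer_dir`, `x_len`, `write_fixture` and `GOOD` are hypothetical names, and the sample tree is constructed.

```python
import base64
import json
import tempfile
from pathlib import Path

FILES = ["did.json", "jwks.json", "sig.json", "sig/events.jsonl"]  # from "Created Files"

def x_len(jwk):
    """Byte length of the base64url public value "x", or -1 if it does not decode."""
    x = str(jwk.get("x", ""))
    try:
        return len(base64.urlsafe_b64decode(x + "=" * (-len(x) % 4)))
    except ValueError:
        return -1

def check_issuer_dir(out_dir, domain, kid="orgsign-1"):
    """Return a list of problems under <out_dir>/.well-known; an empty list means OK."""
    root = Path(out_dir) / ".well-known"
    problems = [f"missing {f}" for f in FILES if not (root / f).is_file()]
    if problems:
        return problems
    did = json.loads((root / "did.json").read_text())  # assumption: DID Core "id" member
    if did.get("id") != f"did:web:{domain}":
        problems.append(f"did.json id is not did:web:{domain}")
    keys = json.loads((root / "jwks.json").read_text()).get("keys", [])  # assumption: RFC 7517
    # "d" is the private key member of an OKP JWK and must never be published.
    problems += [f"key {k.get('kid')} exposes private member d" for k in keys if "d" in k]
    key = next((k for k in keys if k.get("kid") == kid), None)
    if key is None:
        problems.append(f"no key with kid {kid}")
    elif (key.get("kty"), key.get("crv")) != ("OKP", "Ed25519") or x_len(key) != 32:
        problems.append(f"key {kid} is not a 32-byte Ed25519 public key")
    if (root / "sig" / "events.jsonl").stat().st_size:
        problems.append("sig/events.jsonl is not empty")  # a fresh feed starts empty
    return problems

def write_fixture(jwk):
    """Write a constructed sample tree for example.com (not real tool output)."""
    root = Path(tempfile.mkdtemp()) / ".well-known"
    (root / "sig").mkdir(parents=True)
    docs = {"did.json": {"id": "did:web:example.com"}, "jwks.json": {"keys": [jwk]}, "sig.json": {}}
    for name, doc in docs.items():
        (root / name).write_text(json.dumps(doc))
    (root / "sig" / "events.jsonl").write_text("")
    return root.parent

# Public key from RFC 8037 Appendix A.2, used only as a well-formed sample value.
GOOD = {"kty": "OKP", "crv": "Ed25519", "kid": "orgsign-1",
        "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}
```

Calling `check_issuer_dir(write_fixture(GOOD), "example.com")` returns an empty list; against real output, pass the `--out-dir` and `--domain` values given to init-issuer.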
Example
ak init-issuer \
--domain example.com \
--out-dir ./issuer-root \
--kid orgsign-1 \
--seed-hex 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
Output:
Initialized issuer for did:web:example.com
DID document: ./issuer-root/.well-known/did.json
JWKS: ./issuer-root/.well-known/jwks.json
SIG metadata: ./issuer-root/.well-known/sig.json
Event feed: ./issuer-root/.well-known/sig/events.jsonl
Notes
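- The --seed-hex flag is useful for reproducible builds and test fixtures. When omitted, a cryptographically random key is generated. Because the key is derived deterministically from the seed, the seed is equivalent to the private signing key: keep it secret, and do not reuse a published value such as the one in the example above for a real issuer.
- The generated key uses the Ed25519 algorithm (EdDSA with Ed25519 curve).
- The output directory will be created if it does not exist.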