#authz #jwt #pki #ucan


Implement UCAN-based authorization with conciseness and ease!

9 unstable releases (3 breaking)

Uses new Rust 2021

0.6.0-alpha.1 May 19, 2022
0.5.0-alpha.6 Apr 1, 2022
0.5.0-alpha.5 Mar 31, 2022
0.4.0-alpha.1 Mar 21, 2022
0.3.0-alpha.4 Mar 16, 2022

#357 in Cryptography

Download history 76/week @ 2022-05-30 31/week @ 2022-06-06 5/week @ 2022-06-13 5/week @ 2022-06-20 12/week @ 2022-06-27 2/week @ 2022-07-04 12/week @ 2022-07-11 21/week @ 2022-07-18 22/week @ 2022-07-25 29/week @ 2022-08-01 8/week @ 2022-08-08 5/week @ 2022-08-15 20/week @ 2022-08-22 3/week @ 2022-08-29 22/week @ 2022-09-05 6/week @ 2022-09-12

52 downloads per month
Used in ucan-key-support


1.5K SLoC

This is the core Rust UCAN implementation.

See https://docs.rs/ucan for documentation.


Implement UCAN-based authorization with conciseness and ease!

UCANs are an emerging pattern based on JSON Web Tokens (aka JWTs) that facilitate distributed and/or decentralized authorization flows in web applications. Visit https://ucan.xyz for an introduction to UCANs and ideas for how you can use them in your application.


This crate offers the [builder::UcanBuilder] abstraction to generate signed UCAN tokens.

To generate a signed token, you need to provide a [crypto::SigningKey] implementation. For more information on providing a signing key, see the [crypto] module documentation.

use ucan::{

async fn generate_token<'a, K: KeyMaterial>(issuer_key: &'a K, audience_did: &'a str) -> Result<String, anyhow::Error> {

The crate also offers a validating parser to interpret UCAN tokens and the capabilities they grant via their issuer and/or witnessing proofs: the [chain::ProofChain].

Most capabilities are closely tied to a specific application domain. See the [capability] module documentation to read more about defining your own domain-specific semantics.

use ucan::{
  chain::{ProofChain, CapabilityInfo},
  capability::{CapabilitySemantics, Scope, Action},
  crypto::did::{DidParser, KeyConstructorSlice}

const SUPPORTED_KEY_TYPES: &KeyConstructorSlice = &[
    // You must bring your own key support

async fn get_capabilities<'a, Semantics, S, A>(ucan_token: &'a str, semantics: &'a Semantics) -> Result<Vec<CapabilityInfo<S, A>>, anyhow::Error>
        Semantics: CapabilitySemantics<S, A>,
        S: Scope,
        A: Action
    let mut did_parser = DidParser::new(SUPPORTED_KEY_TYPES);

    Ok(ProofChain::try_from_token_string(ucan_token, &mut did_parser).await?

Note that you must bring your own key support in order to build a ProofChain, via a [crypto::did::DidParser]. This is so that the core library can remain agnostic of backing implementations for specific key types.


~147K SLoC