ZcapLd.Core 0.3.3

.NET 10.0 This package targets .NET 10.0. The package is compatible with this framework or higher. 
dotnet add package ZcapLd.Core --version 0.3.3
                    


                    

                
NuGet\Install-Package ZcapLd.Core -Version 0.3.3
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package. 
<PackageReference Include="ZcapLd.Core" Version="0.3.3" />
For projects that support PackageReference, copy this XML node into the project file to reference the package. 
<PackageVersion Include="ZcapLd.Core" Version="0.3.3" />
                    


                            Directory.Packages.props
                        

                    

                
<PackageReference Include="ZcapLd.Core" />
                    


                            Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package. 
paket add ZcapLd.Core --version 0.3.3
                    


                    

                
#r "nuget: ZcapLd.Core, 0.3.3"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package. 
#:package ZcapLd.Core@0.3.3
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package. 
#addin nuget:?package=ZcapLd.Core&version=0.3.3
                    


                            Install as a Cake Addin
                        

                    

                
#tool nuget:?package=ZcapLd.Core&version=0.3.3
                    


                            Install as a Cake Tool

ZcapLd.Core

ZcapLd.Core is a .NET implementation of the W3C ZCAP-LD model for capability-based authorization.

Install

dotnet add package ZcapLd.Core

What It Provides

  • Root capability creation (urn:zcap:root:*)
  • Delegated capability creation with attenuation
  • Invocation signing and verification
  • Delegation chain verification
  • Caveat support (expiration, usage count, and ValidWhileTrue remote revocation)
  • ValidWhileTrue caveat with pluggable IValidWhileTrueHandler for remote revocation checking
  • Revocation service abstractions with pluggable storage (IRevocationStore)
  • Pluggable crypto suites (Ed25519 and P-256 included, additional curves extensible)
  • Dynamic JSON-LD context URLs per crypto suite
  • Multibase signature encoding

Quick Example

using ZcapLd.Core.Cryptography;
using ZcapLd.Core.Models;
using ZcapLd.Core.Services;

// Wire up services — in production, replace InMemoryDidProvider with your
// IDidSigner (HSM/Key Vault) and IDidResolver implementations.
var didProvider = new InMemoryDidProvider(); // test helper: IDidSigner + IDidResolver
var signingService = new SigningService(didProvider, didProvider);
var capabilityService = new CapabilityService(signingService);
var caveatProcessor = new CaveatProcessor();
var verificationService = new VerificationService(didProvider, caveatProcessor);

var rootDid = "did:key:z6MkRoot";
var leafDid = "did:key:z6MkLeaf";

didProvider.GenerateAndRegisterKeyPair(rootDid);
didProvider.GenerateAndRegisterKeyPair(leafDid);

// Root capabilities only define root authority metadata.
var root = await capabilityService.CreateRootCapabilityAsync(
    rootDid,
    "https://api.example.com/documents",
    new[] { "read", "write" });

// Restrictions (actions, caveats, expiry) are enforced on delegated capabilities.
var delegated = await capabilityService.DelegateCapabilityAsync(
    root,
    leafDid,
    new[] { "read" },
    DateTime.UtcNow.AddDays(7),
    new Caveat[]
    {
        new ExpirationCaveat { Expires = DateTime.UtcNow.AddDays(3) }
    });

var invocation = new Invocation
{
    Capability = delegated.Id,
    CapabilityAction = "read",
    InvocationTarget = "https://api.example.com/documents/abc"
};

invocation.Proof = await signingService.SignInvocationAsync(invocation, leafDid);
var isValid = await verificationService.VerifyInvocationAsync(invocation, delegated);

ValidWhileTrue Caveat (Remote Revocation)

ValidWhileTrueCaveat enables remote revocation per the W3C ZCAP-LD spec. The delegator embeds a URI in the caveat; at verification time, the handler checks it. Core provides the IValidWhileTrueHandler interface — ZcapLd.AspNetCore provides the HTTP implementation.

// Delegate with a ValidWhileTrue caveat pointing to the controller's endpoint
var delegated = await capabilityService.DelegateCapabilityAsync(
    root, partnerDid, new[] { "read" },
    DateTime.UtcNow.AddDays(30),
    new Caveat[]
    {
        new ValidWhileTrueCaveat
        {
            Uri = "https://my-service/zcaps/revocations/urn%3Auuid%3A12345"
        }
    });

Without a handler configured, ValidWhileTrueCaveat always fails closed (denies access).

Revocation Backend Plug-In

ZcapLd.Core provides:

  • IRevocationStore for storage providers
  • IRevocationService for revocation workflow orchestration
  • IValidWhileTrueHandler for async remote revocation checks (ValidWhileTrue caveat)
  • InMemoryRevocationStore as the default implementation

Exposing Revocation Without ASP.NET

ZcapLd.Core is transport-agnostic. You can expose revocation through:

  • gRPC APIs
  • message consumers
  • worker services
  • CLI/admin operations

In all cases, call IRevocationService from your transport/application layer.

Persistence Strategies

Use IRevocationStore to plug in your persistence model:

  • In-memory (InMemoryRevocationStore) for local development
  • SQL/NoSQL-backed custom stores
  • Smart-contract/oracle-backed stores
  • Hybrid cache + durable stores

Notes

  • This package is designed for in-process usage.
  • No default IDidSigner ships in the core package — consumers must provide their own (HSM/KMS/Key Vault).
  • The ICryptoSuite abstraction supports pluggable algorithms; Ed25519 and P-256 are registered by default.
  • Data integrity processing currently uses deterministic JSON canonicalization rather than full RDF Dataset Canonicalization.

Documentation

Product Compatible and additional computed target framework versions.
.NET net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (1)

Showing the top 1 NuGet packages that depend on ZcapLd.Core:

Package Downloads
ZcapLd.AspNetCore

ASP.NET Core endpoint adapter for ZCAP-LD revocation workflows with pluggable revocation storage backends.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
0.3.3 123 3/4/2026
0.3.2 174 3/1/2026
0.3.1 92 3/1/2026
0.3.0 87 2/28/2026
0.2.1 157 2/26/2026
0.2.0 91 2/26/2026
0.1.1 100 2/24/2026
0.1.0 96 2/20/2026