ex_did

ex_did is a typed DID resolution library for Elixir.

What Standard Is This?

Decentralized Identifiers (DIDs) are self-describing identifiers like did:web:example.com or did:key:z.... A DID resolves to a DID document, which usually tells other systems which keys or service endpoints belong to that identifier.

ex_did implements the DID Core resolution and dereferencing boundary for Elixir, with first-class support for did:web, did:key, and did:jwk.

If you want the formal standards context, start with:

Why You Might Use It

Use ex_did when you need to:

resolve a DID into a DID document
dereference a DID URL like did:web:example.com#key-1
normalize verification methods into a stable, typed Elixir shape
support web-anchored or key-derived identities without hand-rolling DID logic

The library exposes a method-agnostic API for DID parsing, DID resolution, DID representation resolution, DID URL dereferencing, and a small number of method-specific helper functions that remove common string-building mistakes.

ex_did is intentionally DID-only. VC, VP, JWT, JWS, Data Integrity, and other SSI proof features belong in sibling libraries built on top of this DID foundation.

Strict mode is canonical per method:

did:key strict is Multikey-first for every supported multicodec
did:jwk strict is JWK-native for every supported JWK family
validation: :compat exists for legacy/interoperability quirks, not as a second equal output family

Status

Current support:

typed DID / DID URL parsing
typed result structs for resolve, representation, and dereference operations
method registry with first-class did:web, did:key, and did:jwk
strict validation by default with opt-in validation: :compat
deterministic local resolution for did:key and did:jwk
did:web URL mapping, fetching, validation, and dereferencing
verification method extraction across current and legacy shapes
maintainer-only parity corpora for both JavaScript resolvers and ssi-dids

Not implemented yet:

additional DID methods
more advanced HTTP caching policy for did:web
broader DID document normalization rules beyond the current strict/compat set
broader ssi disagreement handling beyond the currently documented fixtures

Installation

Add ex_did to your dependencies:

def deps do
  [
    {:ex_did, "~> 0.1.2"},
    {:jose, "~> 1.11"}
  ]
end

Usage

Normal ex_did usage does not require JavaScript, Rust, pnpm, Cargo, or network access. Those are maintainer-only dependencies for rebuilding upstream parity fixtures.

Parse a DID or DID URL:

{:ok, did_url} = ExDid.parse("did:web:example.com#key-1")
did_url.method
# => "web"

Resolve a DID:

result = ExDid.resolve("did:key:z6MkeXCES4onVW4up9Qgz1KRnZsKmGufcaZxF6Zpv2w5QwUK")

document = result.did_document
verification_method = hd(document["verificationMethod"])

Resolve a representation:

result = ExDid.resolve_representation("did:web:example.com", fetch_json: fn _url ->
  {:ok, %{"@context" => ["https://www.w3.org/ns/did/v1"], "id" => "did:web:example.com"}}
end)

Jason.decode!(result.content_stream)

Derefence a DID URL:

result = ExDid.dereference("did:web:example.com#key-1", fetch_json: fn _url ->
  {:ok,
   %{
     "id" => "did:web:example.com",
     "verificationMethod" => [
       %{"id" => "did:web:example.com#key-1", "controller" => "did:web:example.com"}
     ]
   }}
end)

result.content_stream["id"]

Use compatibility mode only when needed for known ecosystem quirks:

result =
  ExDid.resolve("did:jwk:...", validation: :compat)

Override the registry or representation per call:

registry = %{"web" => ExDid.Method.Web}

result =
  ExDid.resolve_representation("did:web:example.com",
    method_registry: registry,
    accept: "application/did+ld+json",
    fetch_json: fn _url ->
      {:ok, %{"@context" => ["https://www.w3.org/ns/did/v1"], "id" => "did:web:example.com"}}
    end
  )

Map a did:web DID to its document URL:

{:ok, url} = ExDid.resolve_url("did:web:example.com:user:alice")
# => "https://example.com/user/alice/did.json"

Build a canonical did:web value or canonical local verification method id:

{:ok, did} = ExDid.did_web("greenfield.gov")
{:ok, verification_method} =
  ExDid.verification_method_id("did:key:z6MkeXCES4onVW4up9Qgz1KRnZsKmGufcaZxF6Zpv2w5QwUK")

Supported Method Matrix

did:web

HTTPS document resolution
DID document dereferencing for fragments and explicit service parameter path/query handling

did:key

supported multicodec prefixes: Ed25519, X25519, secp256k1, P-256, P-384, P-521
fixture-covered examples: Ed25519, X25519, secp256k1, P-256, P-384
strict profile: Multikey / publicKeyMultibase
compat profile: legacy JS shapes for Ed25519/X25519 where fixture-backed

did:jwk

supported public key shapes: OKP, EC, RSA
fixture-covered examples: OKP, EC P-256, RSA
strict profile: JWK-native publicKeyJwk
compat profile: same output family, with leniency such as private-material stripping

Validation Modes

ex_did defaults to validation: :strict.

validation: :compat is opt-in and intentionally narrow. It currently only relaxes behaviors that are explicitly implemented and covered by fixtures and tests, such as normalizing a single service object into a list, preserving legacy JS did:key shapes where documented, and stripping private material from did:jwk inputs before building the public DID document.

Strict mode is the production default. Compat mode is an interoperability tool, not a second equal runtime profile.

`did:web` Transport Rules

did:web resolution accepts the following response media types:

strict: application/did+json, application/did+ld+json
compat: strict types plus application/json

If the response media type falls outside those rules, resolution returns invalidDidDocument.

did:web Rules

ex_did follows the standard did:web mapping:

did:web:example.com -> https://example.com/.well-known/did.json
did:web:example.com:user:alice -> https://example.com/user/alice/did.json
did:web:localhost%3A8443 -> https://localhost:8443/.well-known/did.json

URI-encoded DID path components are decoded before building the HTTPS URL.

Testing And Parity

The library is tested with:

vendored fixture documents under test/fixtures/
JavaScript resolver parity corpora under test/fixtures/upstream/
ssi-dids parity corpora under test/fixtures/upstream/ssi/
fixture provenance manifests for both local deterministic fixtures and upstream-recorded fixtures
property tests for DID parsing and deterministic local DID generation
strict / compat coverage for did:web, did:key, and did:jwk
dereferencing coverage for did:web, did:key, and did:jwk
injected fetch functions so did:web resolution remains deterministic
downstream validation against current apps/delegate DID usage

Refresh upstream parity fixtures with the maintainer-only recorder:

cd libs/ex_did/scripts/upstream_parity
pnpm install
pnpm run record:released
pnpm run record:main

Refresh ssi parity fixtures with the maintainer-only Rust recorder:

cd libs/ex_did/scripts/ssi_parity
cargo run -- released
cargo run -- main

The committed fixtures are the contract. End users and CI should not need to run either recorder.

Fixture Policy

The fixture policy is documented in FIXTURE_POLICY.md.

upstream/released is contractual and should back CI
upstream/main is advisory drift detection
upstream/ssi/released is contractual for overlapping DID-only ssi behavior
upstream/ssi/main is advisory ssi drift detection
scratch captures and debug output should not be committed
compat behavior must be backed by committed upstream fixture evidence

When the JavaScript and ssi ecosystems disagree, ex_did records the released divergence set in test/fixtures/divergences/released.json, enforces it in tests, and keeps strict mode aligned to the library’s method-specific canonical behavior rather than silently switching output shapes. See INTEROP_NOTES.md for the current decision log.

Open Source Notes

License: MIT
Changelog: CHANGELOG.md
Fixture policy: FIXTURE_POLICY.md
The current stable public facade is ExDid; method modules are implementation details even though they are user-overridable through the method registry.
Canonical package repository: github.com/bawolf/ex_did

Maintainer Workflow

ex_did is developed in the delegate monorepo. The public github.com/bawolf/ex_did repository is the mirrored OSS surface for issues, discussions, releases, and Hex publishing.

The monorepo copy is authoritative for:

code
tests and fixtures
docs
GitHub workflows
release tooling

Direct standalone-repo edits are temporary hotfixes only and must be backported to the monorepo immediately.

The intended workflow is:

make library changes in libs/ex_did
run scripts/release_preflight.sh
sync the package into a clean checkout of github.com/bawolf/ex_did
verify the mirrored required file set with scripts/verify_standalone_repo.sh
review and push from the standalone repo

A helper to sync all public package repos from the monorepo lives at /Users/bryantwolf/workspace/delegate/scripts/sync_public_libs.sh.

The mirrored standalone repository carries GitHub Actions workflows for:

CI on push and pull request
manual publish through workflow_dispatch

The publish workflow expects a HEX_API_KEY repository secret in the standalone ex_did repository. Once triggered, it publishes to Hex and then creates the matching Git tag and GitHub release automatically.

Releasing From GitHub

Releases are cut from the public github.com/bawolf/ex_did repository, not from the private monorepo checkout.

The shortest safe path is:

finish the change in libs/ex_did
run scripts/release_preflight.sh
sync and verify the standalone repo with scripts/sync_standalone_repo.sh and scripts/verify_standalone_repo.sh
push the mirrored release commit to main in github.com/bawolf/ex_did
in GitHub, go to Actions, choose Publish, and run it with the version from mix.exs

The GitHub workflow is responsible for:

rerunning the release gate
publishing to Hex
creating the matching git tag
creating the matching GitHub release

Run the local preflight with:

scripts/release_preflight.sh