{"id":44179827,"url":"https://github.com/nuts-foundation/nuts-node","last_synced_at":"2026-04-02T13:21:01.828Z","repository":{"id":36963691,"uuid":"329296775","full_name":"nuts-foundation/nuts-node","owner":"nuts-foundation","description":"The reference implementation of the Nuts specification. A decentralized identity network based on the w3c ssi concepts with practical functionality for the healthcare domain.","archived":false,"fork":false,"pushed_at":"2026-03-02T09:56:49.000Z","size":37284,"stargazers_count":27,"open_issues_count":126,"forks_count":22,"subscribers_count":5,"default_branch":"master","last_synced_at":"2026-03-02T13:37:12.517Z","etag":null,"topics":["decentralized-identifiers","did","pki","vc","verifiable-credentials"],"latest_commit_sha":null,"homepage":"https://nuts-foundation.gitbook.io","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nuts-foundation.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":"audit/audit.go","citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2021-01-13T12:11:12.000Z","updated_at":"2026-02-19T14:12:44.000Z","dependencies_parsed_at":"2024-04-19T07:33:13.566Z","dependency_job_id":"65c84858-3587-491e-8d1c-7bbf69fd2521","html_url":"https://github.com/nuts-foundation/nuts-node","commit_stats":null,"previous_names":[],"tags_count":158,"template":false,"template_full_name":null,"purl":"pkg:github/nuts-foundation/nuts-node","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuts-found
ation%2Fnuts-node","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuts-foundation%2Fnuts-node/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuts-foundation%2Fnuts-node/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuts-foundation%2Fnuts-node/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nuts-foundation","download_url":"https://codeload.github.com/nuts-foundation/nuts-node/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nuts-foundation%2Fnuts-node/sbom","scorecard":{"id":559374,"data":{"date":"2025-08-11","repo":{"name":"github.com/nuts-foundation/nuts-node","commit":"63992868a27a43e6976fe64be289b698c3ebb948"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":6.8,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are 
merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis-cron-schedule.yml:17","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis-cron-schedule.yml:18","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql-analysis.yml:31","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql-analysis.yml:30","Warn: no topLevel permission defined: .github/workflows/build-binaries.yaml:1","Warn: no topLevel permission defined: .github/workflows/build-images.yaml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis-cron-schedule.yml:1","Warn: no topLevel permission defined: .github/workflows/codeql-analysis.yml:1","Warn: no topLevel permission defined: .github/workflows/e2e-tests.yaml:1","Warn: no topLevel permission defined: .github/workflows/govulncheck-cron-schedule.yaml:1","Warn: no topLevel permission defined: .github/workflows/govulncheck.yaml:1","Warn: no topLevel permission defined: .github/workflows/helm-chart-release.yaml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the 
repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: COPYING:0","Info: FSF or OSI recognized license: GNU General Public License v3.0: COPYING:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v6.1.4 not signed: https://api.github.com/repos/nuts-foundation/nuts-node/releases/229016243","Warn: release 
artifact v6.1.4 does not have provenance: https://api.github.com/repos/nuts-foundation/nuts-node/releases/229016243"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-binaries.yaml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/build-binaries.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-binaries.yaml:38: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/build-binaries.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-images.yaml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/build-images.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-images.yaml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/build-images.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-images.yaml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/build-images.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-images.yaml:61: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/build-images.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-images.yaml:64: update your workflow using 
https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/build-images.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-images.yaml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/build-images.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-images.yaml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/build-images.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-images.yaml:88: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/build-images.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis-cron-schedule.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/codeql-analysis-cron-schedule.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis-cron-schedule.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/codeql-analysis-cron-schedule.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis-cron-schedule.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/codeql-analysis-cron-schedule.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis-cron-schedule.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/codeql-analysis-cron-schedule.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis-cron-schedule.yml:69: update your workflow using 
https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/codeql-analysis-cron-schedule.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:47: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:79: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/codeql-analysis.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-tests.yaml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/e2e-tests.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/e2e-tests.yaml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/e2e-tests.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-tests.yaml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/e2e-tests.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: 
.github/workflows/e2e-tests.yaml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/e2e-tests.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-tests.yaml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/e2e-tests.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-tests.yaml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/e2e-tests.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-tests.yaml:67: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/e2e-tests.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-tests.yaml:84: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/e2e-tests.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/e2e-tests.yaml:95: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/e2e-tests.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/govulncheck-cron-schedule.yaml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/govulncheck-cron-schedule.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/govulncheck-cron-schedule.yaml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/govulncheck-cron-schedule.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/govulncheck-cron-schedule.yaml:45: update your workflow using 
https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/govulncheck-cron-schedule.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/govulncheck.yaml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/govulncheck.yaml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/helm-chart-release.yaml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/helm-chart-release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/helm-chart-release.yaml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/helm-chart-release.yaml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/helm-chart-release.yaml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/nuts-foundation/nuts-node/helm-chart-release.yaml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:2","Warn: containerImage not pinned by hash: Dockerfile:24: pin your Docker image by updating alpine:3.22.1 to alpine:3.22.1@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Warn: containerImage not pinned by hash: development/dev-image/Dockerfile:1","Warn: containerImage not pinned by hash: development/dev-image/Dockerfile:2: pin your Docker image by updating debian:stable-slim to debian:stable-slim@sha256:8810492a2dd16b7f59239c1e0cc1e56c1a1a5957d11f639776bd6798e795608b","Warn: containerImage not pinned by hash: development/performance_analyzer/Dockerfile:1: pin your Docker image by updating nutsfoundation/nuts-node:master to nutsfoundation/nuts-node:master@sha256:bc3cd6dd027404e7f382f6d058ecd26eeb6126adcb1d99526b1977d168edd432","Warn: containerImage not pinned by hash: docs/Dockerfile:2: pin your Docker image by updating sphinxdoc/sphinx to 
sphinxdoc/sphinx@sha256:8d8bdb4649e6577f20ca9a84ef1e1d46911dc65678fe7908b2e2d3a39508e1c8","Warn: downloadThenRun not pinned by hash: development/dev-image/Dockerfile:7","Warn: pipCommand not pinned by hash: docs/Dockerfile:6","Info:   0 out of  17 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  19 third-party GitHubAction dependencies pinned","Info:   0 out of   6 containerImage dependencies pinned","Info:   0 out of   1 downloadThenRun dependencies pinned","Info:   0 out of   1 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build-images.yaml:20"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T13:13:08.421Z","repository_id":36963691,"created_at":"2025-08-20T13:13:08.421Z","updated_at":"2025-08-20T13:13:08.421Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30078307,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T08:01:56.766Z","status":"ssl_error","status_checked_at":"2026-03-04T08:00:42.919Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["decentralized-identifiers","did","pki","vc","verifiable-credentials"],"created_at":"2026-02-09T14:09:53.774Z","updated_at":"2026-03-04T10:04:51.199Z","avatar_url":"https://github.com/nuts-foundation.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"nuts-node\n#########\n\nOpen-source implementation of did:web, OpenID4VC, PEX, private key management and related logic.\nIt enables secure and trusted data exchange between organizations.\nIt contains all the necessary components for secure discovery and authorization.\n\nSee the `documentation \u003chttps://nuts-node.readthedocs.io/en/stable/\u003e`_ for how to set up, integrate and use the Nuts node.\n\n.. 
image:: https://circleci.com/gh/nuts-foundation/nuts-node.svg?style=svg\n    :target: https://circleci.com/gh/nuts-foundation/nuts-node\n    :alt: Build Status\n\n.. image:: https://readthedocs.org/projects/nuts-node/badge/?version=latest\n    :target: https://nuts-node.readthedocs.io/en/latest/?badge=latest\n    :alt: Documentation Status\n\n.. image:: https://api.codeclimate.com/v1/badges/69f77bd34f3ac253cae0/test_coverage\n    :target: https://codeclimate.com/github/nuts-foundation/nuts-node/test_coverage\n    :alt: Code coverage\n\n.. image:: https://api.codeclimate.com/v1/badges/69f77bd34f3ac253cae0/maintainability\n    :target: https://codeclimate.com/github/nuts-foundation/nuts-node/maintainability\n    :alt: Maintainability\n\n.. image:: https://github.com/nuts-foundation/nuts-node/actions/workflows/build-images.yaml/badge.svg\n    :target: https://github.com/nuts-foundation/nuts-node/actions/workflows/build-images.yaml\n    :alt: Build Docker images\n\n.. image:: https://img.shields.io/badge/-Nuts_Community-informational?labelColor=grey\u0026logo=slack\n    :target: https://join.slack.com/t/nuts-foundation/shared_invite/zt-19av5q5ur-5fNbZVIFGUw5vDKSy5mqCw\n    :alt: Nuts Community on Slack\n\nDevelopment\n^^^^^^^^^^^\n\n.. |gover| image:: https://img.shields.io/github/go-mod/go-version/nuts-foundation/nuts-node\n    :alt: GitHub go.mod Go version\n\n|gover| or higher is required.\n\nBuilding\n********\n\nJust use ``go build``.\n\nES256 Koblitz support\n=====================\n\nTo enable ES256K (Koblitz) support, you need to build with the ``jwx_es256k`` tag:\n\n.. code-block:: shell\n\n    go build -tags jwx_es256k\n\nRunning tests\n*************\n\nTests can be run by executing\n\n.. 
code-block:: shell\n\n    go test ./...\n\nCode Generation\n***************\n\nCode generation is used for generating mocks, OpenAPI client- and servers, and gRPC services.\nMake sure that ``GOPATH/bin`` is available on ``PATH`` and that the dependencies are installed\n\nInstall ``protoc``:\n\n  | MacOS: ``brew install protobuf``\n  | Linux: ``apt install -y protobuf-compiler``\n\nInstall Go tools:\n\n.. code-block:: shell\n\n  make install-tools\n\nGenerating code:\n\nTo regenerate all code run the ``run-generators`` target from the makefile or use one of the following for a specific group\n\n================ =======================\nGroup            Command\n================ =======================\nMocks            ``make gen-mocks``\nOpenApi          ``make gen-api``\nProtobuf + gRCP  ``make gen-protobuf``\nAll              ``make run-generators``\n================ =======================\n\nDocumentation\n=============\n\nThe documentation is automatically build on readthedocs based on the config in ``.readthedocs.yaml``.\nAll files to be included can be generated using:\n\n.. code-block:: shell\n\n    make cli-docs\n\nThis regenerates files from code, and the ``README.rst`` file which requires python package ``rst-include`` (``pip install rst-include``).\n\nIf needed, you can also build the documentation locally in ``/docs/_build`` using docker:\n\n.. code-block:: shell\n\n    docker build -t local/nuts-node-docs ./docs\n    docker run --rm -v ./docs:/docs local/nuts-node-docs\n\nConfiguration\n^^^^^^^^^^^^^\n\nThe Nuts node can be configured using a YAML configuration file, environment variables and commandline params.\n\nThe parameters follow the following convention:\n``$ nuts --parameter X`` is equal to ``$ NUTS_PARAMETER=X nuts`` is equal to ``parameter: X`` in a yaml file.\n\nOr for this piece of yaml\n\n.. 
code-block:: yaml\n\n    nested:\n        parameter: X\n\nis equal to ``$ nuts --nested.parameter X`` is equal to ``$ NUTS_NESTED_PARAMETER=X nuts``\n\nConfig parameters for engines are prepended by the ``engine.ConfigKey`` by default (configurable):\n\n.. code-block:: yaml\n\n    engine:\n        nested:\n            parameter: X\n\nis equal to ``$ nuts --engine.nested.parameter X`` is equal to ``$ NUTS_ENGINE_NESTED_PARAMETER=X nuts``\n\nWhile most options are a single value, some are represented as a list (indicated with the square brackets in the table below).\nTo provide multiple values through flags or environment variables you can separate them with a comma (``var1,var2``).\nIf you need to provide an actual value with a comma, you can escape it with a backslash (``\\,``) to avoid it having split into multiple values.\n\nOrdering\n********\n\nCommand line parameters have the highest priority, then environment variables, then parameters from the configfile and lastly defaults.\nThe location of the configfile is determined by the environment variable ``NUTS_CONFIGFILE`` or the commandline parameter ``--configfile``. If both are missing the default location ``./nuts.yaml`` is used. ::\n\n    CLI \u003e ENV \u003e Config File \u003e Defaults\n\nServer options\n**************\n\nThe following options can be configured on the server:\n\n.. marker-for-config-options\n\n.. 
table:: Server Options\n    :widths: 20 30 50\n    :class: options-table\n\n    ========================================      ===================================================================================================================================================================================================================================================================================================================================================================================================================================================================      ============================================================================================================================================================================================================================================================================================================================================\n    Key                                           Default                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Description\n    ========================================      ===================================================================================================================================================================================================================================================================================================================================================================================================================================================================      
============================================================================================================================================================================================================================================================================================================================================\n    configfile                                    ./config/nuts.yaml                                                                                                                                                                                                                                                                                                                                                                                                                                                       Nuts config file\n    cpuprofile                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             When set, a CPU profile is written to the given path. 
Ignored when strictmode is set.\n    datadir                                       ./data                                                                                                                                                                                                                                                                                                                                                                                                                                                                   Directory where the node stores its files.\n    didmethods                                    [web,nuts]                                                                                                                                                                                                                                                                                                                                                                                                                                                               Comma-separated list of enabled DID methods (without did: prefix). It also controls the order in which DIDs are returned by APIs, and which DID is used for signing if the verifying party does not impose restrictions on the DID method used.\n    internalratelimiter                           true                                                                                                                                                                                                                                                                                                                                                                                                                                                                     When set, expensive internal calls are rate-limited to protect the network. 
Always enabled in strict mode.\n    loggerformat                                  text                                                                                                                                                                                                                                                                                                                                                                                                                                                                     Log format (text, json)\n    strictmode                                    true                                                                                                                                                                                                                                                                                                                                                                                                                                                                     When set, insecure settings are forbidden.\n    url                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Public facing URL of the server (required). 
Must be HTTPS when strictmode is set.\n    verbosity                                     info                                                                                                                                                                                                                                                                                                                                                                                                                                                                     Log level (trace, debug, info, warn, error)\n    httpclient.timeout                            30s                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax.\n    **Auth**\n    auth.authorizationendpoint.enabled            false                                                                                                                                                                                                                                                                                                                                                                                                                                                                    enables the v2 API's OAuth2 Authorization Endpoint, used by OpenID4VP and OpenID4VCI. 
This flag might be removed in a future version (or its default become 'true') as the use cases and implementation of OpenID4VP and OpenID4VCI mature.\n    **Crypto**\n    crypto.storage                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         Storage to use, 'fs' for file system (for development purposes), 'vaultkv' for HashiCorp Vault KV store, 'azure-keyvault' for Azure Key Vault, 'external' for an external backend (deprecated).\n    crypto.azurekv.hsm                            false                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Whether to store the key in a hardware security module (HSM). If true, the Azure Key Vault must be configured for HSM usage. 
Default: false\n    crypto.azurekv.timeout                        10s                                                                                                                                                                                                                                                                                                                                                                                                                                                                      Timeout of client calls to Azure Key Vault, in Golang time.Duration string format (e.g. 10s).\n    crypto.azurekv.url                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     The URL of the Azure Key Vault.\n    crypto.azurekv.auth.type                      default                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Credential type to use when authenticating to the Azure Key Vault. 
Options: default, managed_identity (see https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/README.md for an explanation of the options).\n    crypto.vault.address                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   The Vault address. If set it overwrites the VAULT_ADDR env var.\n    crypto.vault.pathprefix                       kv                                                                                                                                                                                                                                                                                                                                                                                                                                                                       The Vault path prefix.\n    crypto.vault.timeout                          5s                                                                                                                                                                                                                                                                                                                                                                                                                                                                       Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 
1s).\n    crypto.vault.token                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     The Vault token. If set it overwrites the VAULT_TOKEN env var.\n    **Discovery**\n    discovery.client.refreshinterval              10m0s                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Interval at which the client synchronizes with the Discovery Server; refreshing Verifiable Presentations of local DIDs and loading changes, updating the local copy. It only will actually refresh registrations of local DIDs that about to expire (less than 1/4th of their lifetime left). Specified as Golang duration (e.g. 1m, 1h30m).\n    discovery.definitions.directory               ./config/discovery                                                                                                                                                                                                                                                                                                                                                                                                                                                       Directory to load Discovery Service Definitions from. 
If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start.\n    discovery.server.ids                          []                                                                                                                                                                                                                                                                                                                                                                                                                                                                       IDs of the Discovery Service for which to act as server. If an ID does not map to a loaded service definition, the node will fail to start.\n    **HTTP**\n    http.clientipheader                           X-Forwarded-For                                                                                                                                                                                                                                                                                                                                                                                                                                                          Case-sensitive HTTP Header that contains the client IP used for audit logs. For the X-Forwarded-For header only link-local, loopback, and private IPs are excluded. 
Switch to X-Real-IP or a custom header if you see your own proxy/infra in the logs.\n    http.log                                      metadata                                                                                                                                                                                                                                                                                                                                                                                                                                                                 What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). When debug vebosity is set the authorization headers are also logged when the request is fully logged.\n    http.cache.maxbytes                           10485760                                                                                                                                                                                                                                                                                                                                                                                                                                                                 HTTP client maximum size of the response cache in bytes. 
If 0, the HTTP client does not cache responses.\n    http.internal.address                         127.0.0.1:8081                                                                                                                                                                                                                                                                                                                                                                                                                                                           Address and port the server will be listening to for internal-facing endpoints.\n    http.internal.auth.audience                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            Expected audience for JWT tokens (default: hostname)\n    http.internal.auth.authorizedkeyspath                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Path to an authorized_keys file for trusted JWT signers\n    http.internal.auth.type                                                                                                                                                                                                                   
                                                                                                                                                                                                                                                                             Whether to enable authentication for /internal endpoints, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode.\n    http.public.address                           \\:8080                                                                                                                                                                                                                                                                                                                                                                                                                                                                    Address and port the server will be listening to for public-facing endpoints.\n    **JSONLD**\n    jsonld.contexts.localmapping                  [https://nuts.nl/credentials/2024=assets/contexts/nuts-2024.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson]      This setting allows mapping external URLs to local files for e.g. preventing external dependencies. 
These mappings have precedence over those in remoteallowlist.\n    jsonld.contexts.remoteallowlist               [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json,https://w3id.org/vc/status-list/2021/v1]                                                                                                                                                                                                                                                                                                   In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here.\n    **PKI**\n    pki.maxupdatefailhours                        4                                                                                                                                                                                                                                                                                                                                                                                                                                                                        Maximum number of hours that a denylist update can fail\n    pki.softfail                                  true                                                                                                                                                                                                                                                                                                                                                                                                                                                                     Do not reject certificates if their revocation status cannot be established when softfail is true\n    **Storage**\n    storage.session.memcached.address             []                                                                          
                                                                                                                                                                                                                                                                                                                                                                                             List of Memcached server addresses. These can be a simple 'host:port' or a Memcached connection URL with scheme, auth and other options.\n    storage.session.redis.address                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          Redis session database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options. If not set it, defaults to an in-memory database.\n    storage.session.redis.database                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         Redis session database name, which is used as prefix every key. 
Can be used to have multiple instances use the same Redis instance.\n    storage.session.redis.password                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         Redis session database password. If set, it overrides the username in the connection URL.\n    storage.session.redis.username                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         Redis session database username. If set, it overrides the username in the connection URL.\n    storage.session.redis.sentinel.master                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  Name of the Redis Sentinel master. 
Setting this property enables Redis Sentinel.\n    storage.session.redis.sentinel.nodes          []                                                                                                                                                                                                                                                                                                                                                                                                                                                                       Addresses of the Redis Sentinels to connect to initially. Setting this property enables Redis Sentinel.\n    storage.session.redis.sentinel.password                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Password for authenticating to Redis Sentinels.\n    storage.session.redis.sentinel.username                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Username for authenticating to Redis Sentinels.\n    storage.session.redis.tls.truststorefile                                                                                                                                                                                         
                                                                                                                                                                                                                                                                                      PEM file containing the trusted CA certificate(s) for authenticating remote Redis session servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address).\n    storage.sql.connection                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 Connection string for the SQL database. If not set it, defaults to a SQLite database stored inside the configured data directory. Note: using SQLite is not recommended in production environments. If using SQLite anyways, remember to enable foreign keys ('_foreign_keys=on') and the write-ahead-log ('_journal_mode=WAL').\n    **policy**\n    policy.directory                              ./config/policy                                                                                                                                                                                                                                                                                                                                                                                                                                                          Directory to read policy files from. 
Policy files are JSON files that contain a scope to PresentationDefinition mapping.\n    ========================================      ===================================================================================================================================================================================================================================================================================================================================================================================================================================================================      ============================================================================================================================================================================================================================================================================================================================================\n\nOptions specific for ``did:nuts``/gRPC\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\nThe following table contains additional (deprecated) options that are relevant for use cases that use ``did:nuts`` DIDs and/or the gRPC network.\nIf your use case does not use these features, you can ignore this table.\n\n.. 
table:: did:nuts/gRPC Server Options\n    :widths: 20 30 50\n    :class: options-table\n\n    ================================      ===========================      ======================================================================================================================================================================================\n    Key                                   Default                          Description\n    ================================      ===========================      ======================================================================================================================================================================================\n    tls.certfile                                                           PEM file containing the certificate for the gRPC server (also used as client certificate). Required in strict mode.\n    tls.certheader                                                         Name of the HTTP header that will contain the client certificate when TLS is offloaded for gRPC.\n    tls.certkeyfile                                                        PEM file containing the private key of the gRPC server certificate. Required in strict mode.\n    tls.offload                                                            Whether to enable TLS offloading for incoming gRPC connections. Enable by setting it to 'incoming'. If enabled 'tls.certheader' must be configured as well.\n    tls.truststorefile                    ./config/ssl/truststore.pem      PEM file containing the trusted CA certificates for authenticating remote gRPC servers. Required in strict mode.\n    **Auth**\n    auth.accesstokenlifespan              60                               defines how long (in seconds) an access token is valid. 
Uses default in strict mode.\n    auth.clockskew                        5000                             allowed JWT Clock skew in milliseconds\n    auth.contractvalidators               [irma,dummy,employeeid]          sets the different contract validators to use\n    auth.irma.autoupdateschemas           true                             set if you want automatically update the IRMA schemas every 60 minutes.\n    auth.irma.schememanager               pbdf                             IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'.\n    auth.irma.cors.origin                 []                               sets the allowed CORS origins for the IRMA server\n    **Events**\n    events.nats.hostname                  0.0.0.0                          Hostname for the NATS server\n    events.nats.port                      4222                             Port where the NATS server listens on\n    events.nats.storagedir                                                 Directory where file-backed streams are stored in the NATS server\n    events.nats.timeout                   30                               Timeout for NATS server operations\n    **GoldenHammer**\n    goldenhammer.enabled                  true                             Whether to enable automatically fixing DID documents with the required endpoints.\n    goldenhammer.interval                 10m0s                            The interval in which to check for DID documents to fix.\n    **Network**\n    network.bootstrapnodes                []                               List of bootstrap nodes ('\u003chost\u003e:\u003cport\u003e') which the node initially connect to.\n    network.connectiontimeout             5000                             Timeout before an outbound connection attempt times out (in milliseconds).\n    network.enablediscovery               true                             Whether to enable automatic connecting to other nodes.\n    network.grpcaddr         
             \\:5555                            Local address for gRPC to listen on. If empty the gRPC server won't be started and other nodes will not be able to connect to this node (outbound connections can still be made).\n    network.maxbackoff                    24h0m0s                          Maximum between outbound connections attempts to unresponsive nodes (in Golang duration format, e.g. '1h', '30m').\n    network.nodedid                                                        Specifies the DID of the party that operates this node. It is used to identify the node on the network. If the DID document does not exist of is deactivated, the node will not start.\n    network.protocols                     []                               Specifies the list of network protocols to enable on the server. They are specified by version (1, 2). If not set, all protocols are enabled.\n    network.v2.diagnosticsinterval        5000                             Interval (in milliseconds) that specifies how often the node should broadcast its diagnostic information to other nodes (specify 0 to disable).\n    network.v2.gossipinterval             5000                             Interval (in milliseconds) that specifies how often the node should gossip its new hashes to other nodes.\n    **Storage**\n    storage.bbolt.backup.directory                                         Target directory for BBolt database backups.\n    storage.bbolt.backup.interval         0s                               Interval, formatted as Golang duration (e.g. 10m, 1h) at which BBolt database backups will be performed.\n    storage.redis.address                                                  Redis database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options.\n    storage.redis.database                                                 Redis database name, which is used as prefix every key. 
Can be used to have multiple instances use the same Redis instance.\n    storage.redis.password                                                 Redis database password. If set, it overrides the username in the connection URL.\n    storage.redis.username                                                 Redis database username. If set, it overrides the username in the connection URL.\n    storage.redis.sentinel.master                                          Name of the Redis Sentinel master. Setting this property enables Redis Sentinel.\n    storage.redis.sentinel.nodes          []                               Addresses of the Redis Sentinels to connect to initially. Setting this property enables Redis Sentinel.\n    storage.redis.sentinel.password                                        Password for authenticating to Redis Sentinels.\n    storage.redis.sentinel.username                                        Username for authenticating to Redis Sentinels.\n    storage.redis.tls.truststorefile                                       PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. 
Can only be used when connecting over TLS (use 'rediss://' as scheme in address).\n    **VCR**\n    vcr.openid4vci.definitionsdir                                          Directory with the additional credential definitions the node could issue (experimental, may change without notice).\n    vcr.openid4vci.enabled                true                             Enable issuing and receiving credentials over OpenID4VCI.\n    vcr.openid4vci.timeout                30s                              Time-out for OpenID4VCI HTTP client operations.\n    ================================      ===========================      ==============================================================================================================================================================================================\n\nThis table is automatically generated using the configuration flags in the core and engines. When they're changed\nthe options table must be regenerated using the Makefile:\n\n.. code-block:: shell\n\n    $ make docs\n\nSecrets\n*******\n\nAll options ending with ``token`` or ``password`` are considered secrets and can only be set through environment variables or the config file.\n\nStrict mode\n***********\n\nSeveral of the server options above allow the node to be configured in a way that is unsafe for production environments, but are convenient for testing or development.\nThe node can be configured to run in strict mode (default) to prevent any insecure configurations.\nBelow is a summary of the impact ``strictmode=true`` has on the node and its configuration.\n\nSafe storage of any private key material and data requires some serious consideration.\nFor this reason the ``crypto.storage`` backend and the ``storage.sql.connection`` connection string must explicitly be set.\n\nPrivate transactions can only be exchanged over authenticated nodes.\nTherefore it requires TLS to be configured through ``tls.{certfile,certkeyfile,truststore}``.\nTo verify that authentication is 
correctly configured on your node, check the ``network.auth_config`` status on the ``/health`` endpoint.\nSee :ref:`Monitoring \u003cnuts-node-monitoring\u003e` for more details.\n\nThe incorporated `IRMA server \u003chttps://irma.app/docs/irma-server/#production-mode\u003e`_ is automatically changed to production mode.\nIn fact, running in strict mode is the only way to enable IRMA's production mode.\nIn addition, it requires ``auth.irma.schememanager=pbdf``.\n\nAs a general safety precaution ``auth.contractvalidators`` ignores the ``dummy`` option if configured,\nrequesting an access token from another node on ``/n2n/auth/v1/accesstoken`` does not return any error details,\n``auth.accesstokenlifespan`` is always 60 seconds,\njson-ld context can only be downloaded from trusted domains configured in ``jsonld.contexts.remoteallowlist``,\nand the ``internalratelimiter`` is always on.\n\nInteracting with remote Nuts nodes requires HTTPS: it will refuse to connect to plain HTTP endpoints when in strict mode.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnuts-foundation%2Fnuts-node","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnuts-foundation%2Fnuts-node","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnuts-foundation%2Fnuts-node/lists"}