Dave Longley

In our implementation, OAuth2 tokens have an audience of the particular issuer instance: e.g., `/issuers/zc612332f3`. The scopes are generalized to read/write actions on particular endpoints: `read:/` would allow reading on...

@OR13 -- Side note regarding the data model above: Did you consider putting `schema` in `meta` at the top-level and removing the need for `data` like this?: ```js { "id":...

@tplooker, > just so I am clear, you are proposing to create an encrypted index thats essentially a hash of the schema attribute in a document. Does this mean I...

See this http://pl.atyp.us/wordpress/index.php/2010/03/conflict-resolution/ about how just having the vector clock (without the rest of the update/patch information) may not be sufficient for many use cases. I'm not sure how much...

A rough outline of the issuing API: ### Create an issuer instance `/issuers` POST an issuer configuration to create an issuer instance: ``` { // used to detect update conflicts...

A rough outline of the verifying API: ### Create a verifier instance `/verifiers` POST a verifier configuration to create a verifier instance: ``` { // used to detect update conflicts...

The above APIs are expected to be fully compatible with both (concurrently or separately) zcaps and oauth2. The zcaps model involves setting a root controller via the configuration of each...

@OR13, added `GET` calls to get the instance configs. I just accidentally omitted those before.

We may want a separate set of endpoints for setting / getting oauth2 client credentials / access tokens for the instance to access keys / storage (similar to how contexts...

@tplooker, > To me this is too late, by then the end user has likely been through an auth journey, probably clicked yes to a bunch of T's & C's,...