A DID URL is a Uniform Resource Locator that extends a base Decentralized Identifier (DID) to point to a particular component within its associated DID document. It follows the syntax defined in the W3C DID specification, structured as did:method:identifier/path?query#fragment. The core DID (did:method:identifier) resolves to the entire document, while the optional path, query, and fragment components allow for precise referencing of embedded resources like cryptographic public keys, service endpoints, or specific JSON properties.
LABS
Glossary
DID URL
A DID URL is a Uniform Resource Identifier (URI) that extends a basic Decentralized Identifier (DID) with optional path, query, and fragment components to identify a specific resource within a DID document.
Chainscore © 2026
definition
DECENTRALIZED IDENTIFIER
What is a DID URL?
A DID URL is a web-like address that uniquely identifies a specific resource, such as a verification method or service endpoint, within a Decentralized Identifier (DID) document.
The primary function of a DID URL is to enable granular and verifiable references. For instance, in a Verifiable Credential, the proof section doesn't just state which DID created it; it uses a DID URL like did:example:123456789abcdefghi#key-1 to specify the exact public key (#key-1 fragment) within the issuer's DID document that should be used for signature verification. This eliminates ambiguity and ensures cryptographic proofs are bound to a specific key, even if the DID controller rotates or manages multiple keys.
Beyond key references, the path component can be used to address nested resources or services. A DID URL like did:web:example.com:user:alice/service/agent could point directly to a messaging endpoint described in the DID document. The query component allows for parameterized requests, such as requesting a document in a specific format. This structure makes DID URLs a powerful tool for decentralized interactions, enabling services, applications, and other DIDs to interact with precise, machine-readable addresses without relying on a central registry.
From an implementation perspective, developers must ensure their DID resolver can properly parse and dereference DID URLs. This involves first resolving the base DID to its document, then navigating the JSON structure using the URL's components. Proper handling is critical for security, as incorrectly resolving a DID URL could lead to using the wrong key for verification. The standardization of this syntax is a key enabler for interoperability across different DID methods and decentralized identity ecosystems.
etymology
DECENTRALIZED IDENTIFIER SYNTAX
Etymology & Origin
The DID URL is a core syntactical construct in decentralized identity, specifying how to locate and interact with a DID document. Its structure is a direct evolution of the familiar Uniform Resource Identifier (URI) standard, adapted for a trustless, self-sovereign web.
A DID URL (Decentralized Identifier URL) is a URI string that extends a base DID (Decentralized Identifier) with optional path, query, and fragment components to identify a specific resource within a DID document or enable a specific interaction with it. Its formal syntax is defined by the W3C Decentralized Identifiers (DIDs) v1.0 specification, which builds upon the foundational IETF RFC 3986 URI standard. This design ensures DID URLs are both machine-readable and interoperable with existing web infrastructure, while being resolvable to cryptographically verifiable data.
The term's origin lies in the need to reference not just the identity subject (the DID itself) but also specific verification methods (like public keys), service endpoints, or portions of the DID document's JSON structure. For example, the fragment component (the part after a #) is commonly used to point to a specific key: did:example:123456789abcdefghi#key-1. This allows for precise, granular referencing essential for verifiable credentials and selective disclosure, where you might need to prove control over one key without revealing others.
The adoption of the URI scheme was a deliberate architectural choice to leverage decades of web standards. It provides a well-understood mechanism for decomposition and resolution. The DID method (the segment after did:, like ethr or key) defines the specific rules for how the DID and its appended URL components are resolved to a DID document on its respective blockchain or decentralized network. This makes the DID URL a universal locator for decentralized resources, bridging the gap between classic web addresses and trust-minimized, cryptographic identity.
how-it-works
DECENTRALIZED IDENTIFIER MECHANICS
How a DID URL Works
A DID URL is a specific type of Uniform Resource Locator that points to a resource associated with a Decentralized Identifier (DID), enabling the retrieval of verifiable credentials, service endpoints, or specific keys.
A DID URL extends a core Decentralized Identifier (DID) by appending path components, query strings, or fragments, following the syntax defined in the W3C DID specification. The base DID (e.g., did:example:123456) uniquely identifies a subject on a verifiable data registry, while the appended components create a pointer to a specific resource within that DID's DID document. This mechanism allows for precise addressing, similar to how a traditional URL points to a specific page or file on a website, but within a decentralized identity system.
The structure of a DID URL is did:method:identifier/path?query#fragment. The path component typically references a service endpoint listed in the DID document, such as a messaging inbox or a credential repository. The query string can be used to request specific representations or parameters, and the fragment (#) uniquely identifies a specific key or section within the DID document itself, like did:example:123456#key-1. This granular addressing is crucial for cryptographic operations, where a verifier must reference the exact public key used for signing.
Resolving a DID URL is a two-step process handled by a DID resolver. First, the resolver fetches the DID document by processing the DID method (e.g., did:ethr:, did:web:) to query the corresponding blockchain or decentralized network. Once the DID document is retrieved, the resolver parses the appended URL components to locate the specific resource—whether it's a service endpoint URL, a public key description, or another linked resource. This resolution process enables trusted, machine-readable interactions without relying on a central directory.
Practical applications of DID URLs are extensive. They are used to dereference a specific verification key for checking a digital signature, to access a Verifiable Credential stored at a remote service endpoint, or to initiate a secure communication channel via a service listed in the DID document. For example, a DID URL like did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK#z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK directly identifies a public key for encryption, enabling secure, decentralized data exchange.
key-features
DID URL
Key Features & Components
A DID URL is a specific identifier that extends a Decentralized Identifier (DID) to point to a particular resource, service, or component within a DID document. It functions like a web URL but for decentralized identity systems.
01
Core Structure
A DID URL is composed of the base DID followed by a path, query, or fragment component, similar to a standard URI. The syntax is defined by the W3C DID specification. For example, did:example:123456789abcdefghi#key-1 uses a fragment to point to a specific public key within the DID document. This structure allows for precise addressing of resources without requiring a centralized server.
02
Path Component
The path component in a DID URL is used to navigate hierarchical resources or services associated with a DID. It is appended after the DID with a forward slash (/). For instance, did:example:123/path/to/service could point to a specific verifiable credential endpoint or a messaging service linked to that identity. This enables the DID to act as a root for a structured set of resources.
03
Query & Fragment
DID URLs use query (?) and fragment (#) components for specific lookups and references.
- Query: Used to request a specific representation or parameter, e.g.,
did:example:123?service=agent&relativeRef=/credentials. - Fragment: The most common component, it references a specific part within the DID document itself, such as a verification method (
#key-1) or a service endpoint (#service-1). The fragment is never sent over the network during resolution.
04
DID URL Resolution
DID Resolution is the process of taking a DID URL and returning the corresponding DID document or a specific resource within it. A DID resolver fetches the document from the underlying blockchain or decentralized network. If the URL contains a fragment, the resolver processes it locally to return the specific JSON object (like a public key) identified after the # symbol. This process is standardized to ensure interoperability.
05
Use Case: Service Endpoints
DID URLs are crucial for discovering and interacting with services linked to an identity. A DID document's service array often contains endpoints defined with DID URLs. For example, a DIDComm messaging endpoint might be listed as "serviceEndpoint": "did:example:alice#message-service". This allows applications to dynamically discover how to communicate with the identity's agent or other services in a decentralized way.
06
Relationship to DID Parameters
DID URLs are distinct from DID Parameters, which are modifiers placed before the path/query/fragment (e.g., did:example:123;version-id=5). Parameters provide instructions to the resolver (like requesting a specific version), while the URL components point to resources after resolution. Understanding this distinction is key for correctly parsing and resolving decentralized identifiers and their extended references.
examples
DECONSTRUCTING THE SYNTAX
DID URL Examples
A DID URL is a Uniform Resource Locator that extends a Decentralized Identifier (DID) with additional components to point to a specific resource, service, or parameter within a DID document. These examples illustrate its structure and common use cases.
01
Basic DID URL Structure
A DID URL is built by appending a path, query, or fragment to a base DID. The syntax follows the generic URI standard did:method:identifier/path?query#fragment.
Example: did:example:123456789abcdefghi/service/oidc
did:example:123456789abcdefghi: The core DID./service/oidc: A path component pointing to a specific service endpoint within the DID document.
02
Referencing a Public Key
A fragment (#) is commonly used to reference a specific key listed in the verificationMethod section of a DID document. This is essential for cryptographic operations.
Example: did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK#z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK
- The fragment after
#points to the specific public key material within the DID document, allowing a verifier to fetch and use it for signing or encryption.
03
Querying for a Specific Service
The query component (?) can be used to request a particular service type from a DID document that contains multiple services. It acts as a filter for service discovery.
Example: did:web:example.com:user:alice?service=LinkedDomains
- This DID URL queries the DID document located at
did:web:example.com:user:aliceand requests the service endpoint of typeLinkedDomains, which might return a URL likehttps://example.com/.well-known/did-configuration.json.
04
Pointing to a Credential Endpoint
A path can specify a route to a dynamic resource or API endpoint associated with the DID subject, such as a credential issuance or presentation interface.
Example: did:ethr:0xab32...c123/credentials/issue
- This URL could resolve to an endpoint where the entity controlling the Ethereum-based DID (
did:ethr) offers a service to issue Verifiable Credentials. The path/credentials/issueis defined in the DID document's service section.
05
DID URL with Parameters
Query parameters can convey specific instructions or versioning information when interacting with a DID or its services, enabling more precise requests.
Example: did:ion:example123?versionId=5&relativeRef=/service/1
versionId=5: Requests a specific historical version of the DID document from an ION network.relativeRef=/service/1: Further points to a service endpoint within that specific versioned document. This is defined in the W3C DID Core specification.
EXPLORE
06
Resource-Specific Fragment (Non-DID Document)
While typically used for the DID document, a fragment can also reference an external resource controlled by the DID subject, as defined by certain DID methods.
Example: did:web:vc.example.com#issuer-profile
- This could resolve to a specific JSON-LD context or a human-readable profile page for the issuer, not necessarily a key within the core DID document. The semantics are defined by the
did:webmethod specification.
IDENTIFIER COMPARISON
DID URL vs. DID vs. URI
A structural and functional comparison of the three related identifier types in decentralized identity systems.
| Feature | DID URL | DID | URI (General) |
|---|---|---|---|
Primary Purpose | References a specific resource within a DID document or invokes a service | Globally unique, persistent identifier for a subject (person, organization, thing) | Generic identifier for any resource (web page, file, service) |
Structure | DID + optional path, query, and fragment components (e.g., did:example:123456/path?query=1#fragment) | Method-specific identifier string prefixed by a DID method (e.g., did:example:123456) | Scheme-specific hierarchical sequence (e.g., https://, mailto:, urn:) |
Resolution Target | A specific key, service endpoint, or section within a DID Document | The entire DID Document containing public keys, service endpoints, and authentication methods | The resource defined by the specific URI scheme (web page, email address, etc.) |
Decentralized / Verifiable | |||
Inherently Persistent | |||
Standardization | W3C Decentralized Identifiers (DIDs) v1.0 | W3C Decentralized Identifiers (DIDs) v1.0 | IETF RFC 3986 (Uniform Resource Identifier) |
Example | did:ethr:0xab.../service/agent#key-1 | did:ethr:0xab1234cdef5678 |
resolution-process
DECENTRALIZED IDENTIFIER
The DID URL Resolution Process
DID URL resolution is the technical process of dereferencing a DID URL to retrieve the associated DID document and other resources, enabling secure interactions with decentralized identities.
A DID URL is a Uniform Resource Locator that extends a standard Decentralized Identifier (DID) with optional path, query, and fragment components, allowing one to address specific resources within a DID document or associated services. The resolution process, defined by the W3C DID Core specification, is the mechanism by which a DID resolver takes a DID URL as input and returns a DID document or a resource described therein. This is a foundational operation for all decentralized identity systems, enabling verifiable credentials, authentication, and secure service endpoints.
The resolution process typically involves several key steps. First, the resolver parses the DID URL to extract the DID method (e.g., did:ethr, did:web) and the method-specific identifier. It then interacts with the corresponding DID method's underlying system—which could be a blockchain, a distributed ledger, a peer-to-peer network, or a hosted file—to fetch the current DID document. If the URL contains a path or query, the resolver processes these components to locate a specific service endpoint, key, or other resource described in the document's service or verificationMethod sections.
A critical distinction is between DID Resolution and DID URL Dereferencing. Resolution strictly returns the DID document itself. Dereferencing goes further, interpreting the optional components of the DID URL to return the specific resource pointed to, such as a public key for verification (#key-1) or a service endpoint for messaging. The process must also handle DID document metadata, including versioning information, proof of integrity, and deactivation status, ensuring the resolver returns a complete DID resolution result that includes both the document and this metadata.
In practice, resolution can be performed by universal resolvers that support multiple DID methods or by method-specific resolvers. For example, resolving did:ethr:0xb9c5714089478a327f09197987f16f9e5d936e8a involves querying an Ethereum smart contract, while did:web:example.com:user:alice might fetch a JSON document from a well-known HTTPS endpoint. The security of the entire ecosystem depends on the integrity of this process, as the resolved document forms the root of trust for all subsequent cryptographic verifications and interactions with the identity holder.
ecosystem-usage
DID URL
Ecosystem Usage & Protocols
A DID URL is a Uniform Resource Locator that points to a specific Decentralized Identifier (DID) and can include optional path, query, and fragment components to reference a particular resource or service associated with that DID.
01
Core Structure & Syntax
A DID URL follows the generic URI syntax did:<method>:<method-specific-id>[/path][?query][#fragment]. The DID method (e.g., ethr, key, web) and method-specific identifier form the core DID. Optional components allow for precise resource addressing, such as a specific verification key or service endpoint within the DID document.
02
Primary Use: Resource Resolution
DID URLs are resolved to retrieve a specific part of a DID document. The fragment component (e.g., #key-1) points to a specific JSON object within the document, like a public key or service endpoint. This enables verifiers to directly reference the exact cryptographic material needed for a signature verification or to locate a service like a Verifiable Credential repository.
03
Protocol Integration (DIDComm, OIDC)
Decentralized protocols use DID URLs for secure routing and authentication. In DIDComm v2, DID URLs specify message endpoints. In OpenID Connect for Verifiable Credentials (OIDC4VC), they are used in the sub_jwk claim to identify the holder's key. This provides a standardized way for different systems to interact with a DID's resources.
04
Example: Referencing a Verification Key
A concrete example is did:ethr:0xab...def#controller. This URL resolves to the DID Document for the Ethereum address, then the fragment #controller identifies the specific public key entry authorized to make updates. This precise reference is crucial for creating and verifying Verifiable Presentations without ambiguity.
05
Contrast with Standard DID
A standard DID (e.g., did:key:z6Mk...) is an identifier for a subject. A DID URL extends this identifier to target a component within it. While a DID answers "who," a DID URL answers "what part" or "where." This distinction is fundamental for interoperability, allowing the same core identity to be used across multiple services and interactions.
security-considerations
DID URL
Security Considerations
A DID URL is a unique identifier string that locates a specific resource within a Decentralized Identifier (DID) document, such as a public key or service endpoint. Its security is paramount for maintaining the integrity and trust of decentralized identity systems.
01
URL Dereferencing & Endpoint Security
Resolving a DID URL to its target resource (e.g., a public key) requires dereferencing. Security depends on the integrity of the DID method's resolution process and the security of the endpoint hosting the DID document. Attackers may target resolution services or the endpoints listed in the document to serve malicious data.
- Man-in-the-Middle (MitM) attacks can intercept resolution requests.
- Compromised HTTP endpoints in service entries can deliver tampered keys.
- Use of HTTPS and integrity checks (like
integritymetadata in DID documents) is critical.
02
Canonicalization & Identifier Binding
A DID URL must be canonicalized (normalized to a standard form) before use to prevent equivalent URLs from being treated as different. Failure to canonicalize can lead to identifier binding attacks, where an entity is mistaken for another.
- Ensures the DID and its DID URL fragments (like
#key-1) are processed consistently across systems. - Prevents confusion from URL encoding differences or trailing slashes.
- This is a prerequisite for secure digital signature verification using keys referenced by URL.
03
Fragment Injection & Path Traversal
DID URLs can contain path and query components (e.g., /path?query=value). If the resolving software does not properly sanitize these, it could be vulnerable to injection attacks.
- Fragment injection could manipulate the internal pointer within a resolved document.
- Path traversal (
../) in path components could allow access to unauthorized parts of a filesystem or data store if the resolver is poorly implemented. - Resolvers must strictly validate and constrain input according to the DID method specification.
04
Key Revocation & Status Verification
A DID URL pointing to a public key or verification method must be checked for revocation status. The security of any transaction or signature depends on ensuring the key is currently valid.
- The referenced key's status is defined in the DID document, which must be fetched and validated in real-time.
- Relying parties must not cache document states beyond their TTL (Time-To-Live).
- Some DID methods use revocation registries or smart contracts; the URL resolution must integrate these checks.
05
DID Method-Specific Attack Vectors
Each DID method (e.g., did:ethr:, did:web:) has unique resolution mechanics that introduce specific risks.
did:web: Relies on traditional web security (TLS). Vulnerable to domain hijacking, expired certificates, and DNS attacks.did:ethr/did:ion: Security is tied to the underlying blockchain. Risks include 51% attacks, smart contract bugs in the registry, and transaction malleability.- The DID method specification dictates the threat model and required mitigations.
06
Privacy Leaks from Resolution
The act of resolving a DID URL can leak sensitive metadata. The resolution request itself may reveal who is requesting a particular identity, when, and from where, potentially compromising privacy.
- Correlation attacks are possible if resolvers log requests.
- Decentralized resolvers or peer-to-peer networks can help mitigate this.
- Techniques like obfuscation or using anonymous networks for resolution may be necessary for high-privacy use cases.
DID URL
Frequently Asked Questions (FAQ)
A DID URL is a specific type of Uniform Resource Locator that points to a Decentralized Identifier (DID) and its associated resources. These questions address its structure, purpose, and usage.
A DID URL is a Uniform Resource Locator that uniquely identifies a specific resource associated with a Decentralized Identifier (DID), such as a public key, service endpoint, or a specific version of the DID document. It works by appending a path, query, or fragment component to a base DID, creating a pointer that can be resolved to retrieve the specific resource. For example, the DID URL did:example:123456789abcdefghi#key-1 uses a fragment (#key-1) to reference a specific verification method within the DID document for did:example:123456789abcdefghi. This mechanism allows for precise addressing within decentralized identity systems.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall