@@ -197,8 +197,19 @@ Note: The RS is ultimately responsible for verifying and enforcing zCaps.
197197A way to revoke (make invalid) a given zcap, after it was issued.
198198
199199#### root zcap
200+ Using zCaps to make authorization-carrying HTTP requests is done in one of two
201+ modes: either using a [ root capability] ( #root-zcap ) , or using a delegated
202+ capability.
203+
204+ Root zcaps are used in cases where full "admin" access is appropriate.
205+ All other zcaps are delegated by the agent holding a root zcap. Delegation
206+ is expressed in the [ proof chain] ( #capability-chain-proof-chain ) section of a
207+ zcap.
208+
209+ See [ Creating a Root zCap] ( #creating-a-root-zcap )
200210
201211#### signer
212+ See [ Creating a did: key Signer Instance] ( https://github.com/digitalcredentials/wallet-attached-storage#creating-a-didkey-signer-instance )
202213
203214#### target, invocation target
204215
@@ -271,9 +282,8 @@ Example root zcap:
271282#### Delegating a zCap
272283
273284``` js
274- import { ZcapClient } from ' @digitalbazaar/ezcap' ;
275- import { Ed25519Signature2020 } from ' @digitalbazaar/ed25519-signature-2020' ;
276- import { ZcapClient } from ' @digitalbazaar/ezcap' ;
285+ import { Ed25519Signature2020 } from ' @digitalcredentials/ed25519-signature-2020' ;
286+ import { ZcapClient } from ' @digitalcredentials/ezcap' ;
277287
278288const zcapClient = new ZcapClient ({
279289 delegationSigner: capabilityDelegationKey .signer (),
@@ -370,6 +380,67 @@ Example zCap request:
370380
371381## Using zCaps with HTTP Requests
372382
383+ ### Code Examples
384+
385+ Although this guide goes into the details (below) of how to construct an HTTP
386+ request using zCaps for authorization, developers are likely to interact with
387+ zCaps using some sort of REST client with a wrapper that constructs the
388+ necessary headers.
389+
390+ Javascript example, using a [ root capability] ( #root-zcap ) to make requests.
391+ Note that to use a root zcap, the client needs to know just two things:
392+
393+ 1 . Which cryptographic key type to use (that's the ` Ed25519Signature2020 ` suite)
394+ 2 . A [ signer] ( #signer ) , which is an abstract handle to a signature function.
395+ Signers are either provisioned at config time (with a private key loaded from
396+ an environment secret), or, preferably, used via an HSM (Hardware Security
397+ Module).
398+
399+ ``` js
400+ import { Ed25519Signature2020 } from ' @digitalcredentials/ed25519-signature-2020'
401+ import { ZcapClient } from ' @digitalcredentials/ezcap'
402+
403+ const rootSigner = await loadOrConstructRootSigner ()
404+
405+ // Construct a client, pass it the ability to sign requests (via invocationSigner)
406+ const zcapClient = new ZcapClient ({
407+ SuiteClass: Ed25519Signature2020, invocationSigner: rootSigner
408+ })
409+
410+ // You can now perform authorization-carrying requests
411+ const url = ' https://example.com/api/protected-endpoint'
412+
413+ const response = await zcapClient .request ({
414+ url, method: ' GET' , action: ' GET'
415+ })
416+ console .log (response)
417+ ```
418+
419+ When using a [ delegated] ( #delegating-a-zcap ) zcap, you will need to also include
420+ it in each request. Example:
421+
422+ ``` js
423+ const capability = await loadDelegatedCapabilityFromConfig ()
424+ const invocationSigner = await loadSignerFromConfig ()
425+ const zcapClient = new ZcapClient ({
426+ SuiteClass: Ed25519Signature2020, invocationSigner
427+ })
428+
429+ // You can also include additional custom headers
430+ const response = await zcapClient .request ({
431+ url, capability, headers,
432+ method: ' POST' , action: ' POST' , json: { hello: " world" }
433+ })
434+ console .log (response)
435+ ```
436+
437+ ### Constructing an HTTP Request Algorithm Overview
438+
439+ Note: This section is mostly for the benefit of zCap library implementers.
440+ Developers wishing to use zCaps to make requests are encouraged to use existing
441+ libraries whenever possible, such as the ` @digitalcredentials/ezcap ` Javascript
442+ library.
443+
373444To create an authorized HTTP request by [ invoking] ( #invocation-capability-invocation )
374445a given zcap, follow this general algorithm:
375446
0 commit comments