Registry Notary

Registry Notary answers configured claims about a person or entity by reading the minimum data from a source registry, without becoming a copy of that registry. Depending on the claim, it returns a claim result, renders a supported format, or issues a short-lived SD-JWT VC credential.

Pick your path below. New to Registry Notary? Start with the hosted walkthrough or a runnable local tutorial. If you are configuring or operating Notary, start with the architecture overview.

For application and wallet developers calling the API or the SDKs.

  • Client SDK guide: evaluate claims and issue credentials from Rust, Python, and Node.js.
  • Call Notary from OpenFn: use the Registry Stack OpenFn Notary adaptor to branch a workflow on a minimized claim result or certified value claim.
  • API reference: the route-to-client-method matrix and the stable problem-code registry.
  • Wallet interop with OID4VCI: the OpenID4VCI wallet facade contract and compatibility checklist.
  • SD-JWT VC conformance: the supported credential wire contract and the explicit non-support list.
  • OpenCRVS tutorial: issue local demo SD-JWT VCs from OpenCRVS birth-record evidence.
  • OpenCRVS onboarding model: understand the registryctl-generated project boundary, evidence question, demo signing posture, and lightweight PDP model.
  • Scenario patterns: reusable evaluation, federation, and issuance flows with sequence diagrams.
  • GITB conformance suite design: target runtime scenarios and claim boundary for ITB/GITB interoperability evidence.

For operators deploying, configuring, and running a Registry Notary.

  • Configuration reference: the config blocks for auth, evidence, sources, replay, status, self-attestation, OID4VCI, and federation.
  • Model sources and claims: design source connectors, source adapter sidecars, claim boundaries, disclosure, and batch reads.
  • FHIR source adapter: project bounded FHIR R4 graphs into Notary-ready source facts without exposing raw FHIR Bundles.
  • Script (Rhai) source adapter: run a sandboxed, orchestration-only Rhai script for sources that need a little branching across a few governed reads.
  • Signing key providers: SD-JWT VC signing-key configuration, rotation, and PKCS#11 setup.
  • Self-attestation: citizen OIDC subject binding, token policy, allow-lists, and rollout.
  • Federated evaluation: static-peer setup, environment variables, and the replay limitation.
  • Credential lifecycle and status: short-lived credentials, optional live status, retention, and verifier caveats.
  • Sidecar trust and secret handling: how the source adapter sidecar verifies its configuration, how Notary pins the sidecar it trusts, how secrets are handled, and what that path does and does not protect against.
  • Deployment hardening runbook: production-readiness checklist for network boundaries, secrets, Redis, audit, and rollback.

For maintainers changing the code or reviewing design history.