The OMI spec is under heavy development, and every piece of it is subject to change. We are documenting the core primitives for sovereign application lifecycles. Join us in defining the v1.0 draft.

Provisioning the Trust Anchor (Auth)

An Auth Provider service serves as the swarm’s Trust Anchor, issuing cryptographically signed identity tokens that allow all functional services to verify users without needing to manage their own user databases. By anchoring its public key in the App Registry, it creates a unified security perimeter that stays under the developer’s control even if the underlying provider is swapped.

Objective

To select an Auth Provider and delegate it as the “User Authority” for the application.

Prerequisites

The Protocol Workflow

  1. Service Selection: The developer chooses an Auth Provider from the Service Registry.

  2. Provisioning Request: The developer sends a signed payload directly to the Auth Provider:

    provisional payload
    {
      "version": "1.0",
      "data": {
        "app_id": "org.omiappreg.alice_studio.business_app.7f8a9d",
        "timestamp": 1705412400,
        "nonce": "k9b2m1p0"
      },
      "signature": "e7f8g9h0i1j2k3l4m5n6..."
    }
  3. The “Identity Pulse” Check:

    • The Auth Provider parses the AppID to find the registry (omiappreg.org).
    • It queries omiappreg.org for the Master Public Key associated with alice_studio.
    • It uses that key to verify the provisioning request signature.
  4. Resource Generation: The Auth Provider provisions all needed resources and generates a dedicated Auth Key-Pair for signing user tokens (JWTs).

  5. The Return (Handshake Part 1): The Auth Provider returns its Public Auth Key and its Public Service Key to the developer.

  6. Authority Delegation (Handshake Part 2): The developer signs an “Auth Announcement” payload:

    provisional payload
    {
      "version": "1.0",
      "data": {
        "app_id": "org.omiappreg.alice_studio.business_app.7f8a9d",
        "auth_public_key": "AuthPublic_Key_XYZ...",
        "service_public_key": "ServicePublic_Key_XYZ...",
        "auth_provider_url": "https://auth.provider.com",
        "timestamp": 1705412500,
        "nonce": "x7v9n2q5"
      },
      "signature": "a1b2c3d4e5f6g7h8i9j0..."
    }
  7. Registry Update: This signed announcement is sent to the App Registry. The Registry stores “AuthPublic_Key_XYZ…” as the official “User Validator” for this app, and the “ServicePublic_Key_XYZ…” as the official “Service Validator” key for this app.
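The Auth Provider side of steps 2 and 3 (the “Identity Pulse” check), written in Go as an added example rather than code from the OMI spec: parse the AppID into registry host and developer handle, fetch the developer's Master Public Key through a pluggable lookup, verify the request signature, and refuse stale or replayed requests. Ed25519 as the Master Key algorithm, signing the canonical JSON of "data", the reverse-DNS reading of the AppID prefix, the 5-minute freshness window and the nonce cache are assumptions; the spec does not fix any of them.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"strings"
)

// The signed "data" object of the provisioning request (workflow step 2).
type ProvisioningData struct {
	AppID     string `json:"app_id"`
	Timestamp int64  `json:"timestamp"`
	Nonce     string `json:"nonce"`
}
// Assumption: the Master Key signs the canonical JSON of "data" (fixed field order).
func Canonical(d ProvisioningData) []byte { b, _ := json.Marshal(d); return b }

// ParseAppID reads "org.omiappreg.alice_studio.business_app.7f8a9d" as registry host "omiappreg.org" and developer "alice_studio".
func ParseAppID(appID string) (registry, developer string, err error) {
	p := strings.Split(appID, ".")
	if len(p) < 5 {
		return "", "", errors.New("malformed app_id")
	}
	return p[1] + "." + p[0], p[2], nil
}

// IdentityPulse is the Auth Provider's step-3 check. lookup stands in for the registry query for the
// developer's Master Public Key (Ed25519 assumed); seen is the provider's cache of accepted nonces.
func IdentityPulse(d ProvisioningData, sig []byte, lookup func(registry, developer string) (ed25519.PublicKey, error), now int64, seen map[string]bool) error {
	if skew := now - d.Timestamp; skew > 300 || skew < -300 {
		return errors.New("timestamp outside the 5-minute freshness window")
	}
	registry, developer, err := ParseAppID(d.AppID)
	if err != nil {
		return err
	}
	pub, err := lookup(registry, developer)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, Canonical(d), sig) {
		return errors.New("signature does not verify under the registry's Master Public Key")
	}
	if seen[d.AppID+":"+d.Nonce] {
		return errors.New("nonce already used: replayed request")
	}
	seen[d.AppID+":"+d.Nonce] = true
	return nil
}
```

In a real provider the nonce cache must be shared across instances and persisted for at least the freshness window, otherwise a captured request can be replayed against a different node.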