The OMI spec is under heavy development, and every piece of it is subject to change. We are documenting the core primitives for sovereign application lifecycles. Join us in defining the v1.0 draft.
Documentation
The OMI Provisioning Protocol
Provisioning Domain Services (The Swarm)

Provisioning Domain Services (The Swarm)

Objective: To attach functional services (CMS, CRM, Storage) to the app that automatically trust the Auth Provider and integrate with the Operational Backbone.

Prerequisites

The Protocol Workflow

  1. Service Selection: The developer selects a Domain Service (e.g., “cms-article”) from the Service Registry.

  2. Provisioning Request: The developer sends a signed payload to the Domain Service (article.cms.io):

{
  "version": "1.0",
  "data": {
    "app_id": "org.omiappreg.alice.business_app.7f8a9d",  
    "target_provider": "article.cms.io",
    "service_tier": "pro_cluster",
    "region": "eu-central-1",
    "storage_limit_gb": 50,
    "timestamp": 1705412600,
    "nonce": "z3x9v2n8"
  },
  "signature": "b9c8d7e6f5a4b3c2d1e0..."
}

  1. The Verification Lookup:

    • The Domain Service parses the app_id to locate the correct App Registry.
    • It requests the Master Public Key to verify the developer’s provisioning signature.
    • Security Check: If the signature is invalid or the nonce is reused, the request is rejected immediately.

  2. The Service Binding (Auto-Registration):

    • Upon successful verification, the Domain Service contacts the App Registry again to perform the Binding Handshake.

    • It submits a “Proof of Duty” payload containing:

      • The Developer’s original signature (Proof of Authority).
      • The Service’s own Public Key and Endpoint URL.
      {
  "version": "1.0",
  "developer_proof": {
    "payload": {
      "app_id": "org.omiappreg.alice.business_app.7f8a9d",
      "target_provider": "article.cms.io",
      "service_tier": "pro_cluster",
      "timestamp": 1705412600,
      "nonce": "z3x9v2n8"
    },
    "signature": "b9c8d7e6f5a4b3c2d1e0..."
  },
  "service_binding": {
    "service_id": "cms-article-instance-77",
    "service_type": "cms-article",
    "public_key": "PUB_KEY_SERVICE_ABC123...",
    "endpoint_url": "https://i77.article.cms.io/api/v1",
    "timestamp": 1705412605,
    "nonce": "k9m2p4r1"
  },
  "binding_signature": "f2e1d0c9b8a7f6e5d4..." 
}

    • Result: The App Registry updates the “Service DNS” record, officially listing this service under the AppID.

  3. Operational Discovery (Context Injection):

    • The App Registry responds to the binding request with the app’s Operational Context.
    • This payload contains the “Backbone Configuration” previously set by the developer, like:
      • Billing service - Where to send usage metrics.
      • Logging service - Where to send error logs.
      • Auth Public Key - The key needed to verify user tokens.
      • … other operational services

  4. Cache & Activate:

    • The Domain Service auto-configures itself using the Operational Context.
    • It caches the Auth Public Key locally for rapid validation.
Outcome: The Domain Service is now live and fully “wired” into the Swarm. It will automatically report billing data to the correct provider and accept user requests signed by the Auth Service without further manual configuration.
Provisioning the Trust Anchor (Auth)Service Decommissioning & Revocation