DeDi Node

A self-hostable, tamper-evident public registry backed by a Merkle transparency log (signed checkpoints + inclusion proofs), not a blockchain. It is a drop-in for the Beckn ONIX registry, and any node can independently witness another.

Beckn message validated against this registry

sequenceDiagram
    autonumber
    participant BAP as ONIX · BAP
    participant BPP as ONIX · BPP
    participant D as dedid
    BAP->>BPP: select (signed)
    BPP->>D: GET /lookup/bap.example.com/subscribers.beckn.one/{keyId}
    D-->>BPP: signing_public_key (+ inclusion proof)
    BPP->>BPP: verify signature ✓
    BPP-->>BAP: on_select (signed)
    BAP->>D: lookup BPP key → verify ACK ✓
    Note over D: bad/absent key → 401 reject

Decentralised trust: one node witnesses another

sequenceDiagram
    autonumber
    participant A as Node A · primary
    participant B as Node B · witness
    B->>A: GET /log/checkpoint (signed)
    B->>A: GET /log/proof/consistency?old&new
    B->>B: verify append-only (RFC 6962)
    B->>B: record verdict in own log
    Note over B: forged history → alarm

Test cases

#TestResult
1ONIX dediregistry client (v1.8.0) over the wire6/6 pass
2Beckn starter-kit select/init/confirm vs dedidACK + on_* callbacks
3Tampered key in dedid → adapter validation401 rejected
4Offline inclusion proof (browser, WebCrypto)verified
5Witness verifies primary is append-onlyrecorded
6Witness detects a forked historyalarm

Witnessed checkpoints are browsable in the Explorer under the _witness namespace.

API

All read endpoints, relative to this node. Everything is a plain GET; no auth.

EndpointReturns
/dedi/lookup/{namespace}/{registry}/{record}latest live version of a record
/dedi/lookup/{namespace}/{registry}registry metadata
/dedi/lookup/{namespace}namespace metadata
/dedi/query/{namespace}[/{registry}]filtered search over records
/dedi/versions/{namespace}[/{registry}[/{record}]]full version history
/dedi/log/checkpointsigned tree head (C2SP checkpoint)
/dedi/log/proof/consistency?old=&new=append-only proof between two tree sizes

Lookup modifiers: ?proof=inclusion attaches a Merkle inclusion proof and the signed checkpoint it verifies against; ?version_id= pins an exact version; ?as_on= resolves the record as of an RFC 3339 timestamp. Example against the public reference node (seeded with Beckn identities — on your own node, use your host and a record you seeded):

curl -s "https://dedi.proto.theflywheel.in/dedi/lookup/bpp.example.com/subscribers.beckn.one/76EU7ofwRCF1aobQkShARrf1PAUsNpHqWUJoynPu9w45YFKmzqaPmy?proof=inclusion"

Run your own node

dedid is self-hostable: one binary, one Postgres. Requires Docker and Go ≥ 1.25.

git clone https://github.com/theflywheel/DeDi-node.git && cd DeDi-node
make keygen                # writes keys/dedid.key, prints your public verifier key
docker compose up -d       # postgres + dedid on http://localhost:8080
curl -s localhost:8080/dedi/log/checkpoint   # your own signed tree head

Load records with go run ./cmd/dedid seed -file examples/beckn-seed.json (set DEDI_DB_URL=postgres://dedi:dedi@localhost:5433/dedi?sslmode=disable). Distribute your verifier key; anyone — including another dedid node acting as a witness — can then verify your log independently.

Protocol & references