Software:Well-known URI

From HandWiki
Short description: Uniform address for services on a website

A well-known URI is a Uniform Resource Identifier whose path begins with the prefix /.well-known/. Web servers implement them so that well-known services or information are available at consistent, well-known locations across servers.

Description

Well-known URIs are Uniform Resource Identifiers defined by the IETF in RFC 8615.[1] Their paths start with the prefix /.well-known/. The mechanism responds to a common need of web-based protocols: certain services or information must be available at URLs that are consistent across servers, regardless of the way URL paths are organized on a particular host. Web servers implement the URIs so that requests for well-known services or information can be made at the same well-known locations on every server.

The IETF has defined a simple way for web servers to hold metadata that any user agent (e.g., web browser) can request. The metadata is useful for various tasks, including directing a web user to use a mobile app instead of the website or indicating the different ways that the site can be secured. The well-known locations are used by web servers to share metadata with user agents; sometimes these are files and sometimes these are requests for information from the web server software itself. The way to declare the different metadata requests that can be provided is standardized by the IETF so that other developers know how to find and use this information.

Use

A well-known URI is a URI whose path begins with the characters /.well-known/ and whose scheme is "HTTP", "HTTPS", or another scheme that has explicitly been specified to use well-known URIs. As an example, if an application hosts the service "example", the corresponding well-known URIs on https://www.example.com/ would start with https://www.example.com/.well-known/example.[1]

Information shared by a web site as a well-known service is expected to meet a specific standard. Specifications that need to define a resource for such site-wide metadata can register their use with the Internet Assigned Numbers Authority (IANA) to avoid collisions and minimize impingement upon sites' URI space.
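The path rule above can be applied as a request classifier in front of a web server. The following is an added example, not code from RFC 8615 or from this page; the function names, the ALLOWED tuple and the sample URLs are assumptions chosen for illustration, with suffix names taken from the list on this page.

```python
import posixpath
from urllib.parse import unquote, urlsplit

PREFIX = "/.well-known/"

# Assumption: the suffixes this hypothetical site means to serve. A name also
# covers paths beneath it, such as per-token paths under "acme-challenge".
ALLOWED = ("security.txt", "acme-challenge", "change-password", "vercel/flags")


def well_known_suffix(url, schemes=("http", "https")):
    """Return the part after /.well-known/, or None if url is not a well-known URI."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in schemes or not parts.netloc:
        return None
    # An encoded slash is not equivalent to "/", so refuse it instead of guessing.
    if "%2f" in parts.path.lower():
        return None
    # Decode once and resolve dot segments so the check sees the path the
    # server would resolve, e.g. "/%2Ewell-known/x" or "/.well-known/../x".
    path = posixpath.normpath(unquote(parts.path))
    if not path.startswith(PREFIX):
        return None
    return path[len(PREFIX):]


def classify(url):
    """Label a request URL as 'allowed', 'unexpected' or 'not-well-known'."""
    suffix = well_known_suffix(url)
    if suffix is None:
        return "not-well-known"
    for name in ALLOWED:
        if suffix == name or suffix.startswith(name + "/"):
            return "allowed"
    return "unexpected"


# Constructed sample requests, not taken from real traffic.
SAMPLES = [
    "https://www.example.com/.well-known/security.txt",
    "https://www.example.com/.well-known/acme-challenge/TOKEN",
    "https://www.example.com/%2Ewell-known/security.txt",
    "https://www.example.com/.well-known/../admin",
    "https://www.example.com/app/.well-known/security.txt",
    "https://www.example.com/.well-known/openid-configuration",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):15} {sample}")
```

Requests labelled "unexpected" are well-known paths the site never declared, which makes them useful to log or block at a reverse proxy.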

List of well-known URIs

The list below describes known standards for .well-known services that a web server can implement.

| URI suffix | Description | Reference | Date of IANA registration |
|---|---|---|---|
| acme-challenge | Automated Certificate Management Environment (ACME) | [2] | 2019-03-01 |
| agent-card.json | Details for an A2A Server's Agent Card | [3] | |
| ai-plugin.json | Manifest for a ChatGPT plugin | [4] | |
| apple-app-site-association | An Apple service that enables secure data exchange between iOS and a website | [5] | |
| apple-developer-merchantid-domain-association | Apple Pay | [6] | |
| appspecific | Used by some applications to get information about the application (e.g. Chrome DevTools: appspecific/com.chrome.devtools.json) | [7] | |
| ashrae | BACnet – A data communication protocol for building automation and control networks | [8] | 2016-01-22 |
| assetlinks.json | AssetLinks protocol used to identify one or more digital assets (such as web sites or mobile apps) that are related to the hosting web site in some fashion | [9] | 2015-09-28 |
| atproto-did | Handle-to-DID resolution for AT Protocol | [10] | |
| autoconfig/mail | Mozilla Thunderbird mail autoconfiguration service | [11] | |
| browserid | Mozilla Persona | | |
| caldav | Calendaring Extensions to WebDAV (CalDAV) and vCard Extensions to WebDAV (CardDAV) | [12] | |
| carddav | Calendaring Extensions to WebDAV (CalDAV) and vCard Extensions to WebDAV (CardDAV) | [12] | |
| change-password | Helps password managers find the URL for changing client account passwords | [13] | |
| coap | CoAP (Constrained Application Protocol) over TCP, TLS, and WebSockets | [14] | 2017-12-22 |
| com.apple.remotemanagement | Apple-Account–based user enrollment for mobile device management | [15][16] | |
| com.chrome.devtools.json | Automatic Workspace Folders - Chromium DevTools Ecosystem Guide for Web development tools | | |
| core | Constrained RESTful Environments (CoRE) Link Format | [17] | |
| csvm | CSV metadata, Model for Tabular Data and Metadata on the Web | [18] | 2015-09-28 |
| dat | Links domain to Dat identifier, used by Beaker web browser[19] | [20] | |
| did.json | did:web Decentralized Identifiers (DIDs) for the Web | | |
| discord | Domain verification for Discord account connection | [21] | |
| dnt | Site-wide tracking status resource | [22] | 2015-08-19 |
| dnt-policy.txt | A privacy-friendly Do Not Track (DNT) Policy | [23] | 2015-08-19 |
| est | Enrollment over Secure Transport (EST) | [24] | 2013-08-16 |
| genid | Resource Description Framework (RDF) Skolem IRIs | [25] | 2012-11-15 |
| gpc.json | Global Privacy Control (GPC) | [26] | |
| hoba | HTTP Origin-Bound Authentication (HOBA) | [27] | 2015-01-20 |
| host-meta | Web Host Metadata | [28] | |
| host-meta.json | Web Host Metadata | [28] | |
| http-opportunistic | Opportunistic Security for HTTP/2 | [29] | 2017-03-20 |
| keybase.txt | Used by the Keybase project to identify a proof that one or more people whose public keys may be retrieved using the Keybase service have administrative control over the origin server from which it is retrieved | [30] | 2014-04-08 |
| keyparc | Used by the Bloombase Keyparc project to secure online digital assets using cryptography over web services | [31] | 2012-09-23 |
| matrix | Provides discovery for both client and server APIs to the Matrix federated protocol | [32] | |
| mercure | Discovery of Mercure hubs. Mercure is a protocol enabling the pushing of data updates to web browsers and other HTTP clients in a fast, reliable and battery-efficient way. | [33] | |
| mta-sts.txt | SMTP MTA Strict Transport Security Policy | [34] | 2018-06-21 |
| ni | Naming Things with Hashes | [35] | |
| nodeinfo | Metadata for federated social networking servers | [36] | |
| nostr.json | Discovery of Nostr public keys and related relays, according to NIP-05 | [37] | 2024-03-18 |
| oauth-authorization-server | OAuth Authorization Server Metadata | [38] | 2018-03-27 |
| openid-configuration | OpenID Connect | [39] | 2013-08-27 |
| openorg | Organisation Profile Document | [40] | 2015-05-29 |
| openpgpkey | OpenPGP Web Key Service | [41] | |
| org.flathub.VerifiedApps.txt | Verifies that an app is associated with given domain in Flathub | [42] | |
| passkey-endpoints | Formally advertises support for passkeys and provides direct links for enrollment and management for password managers to automatically create/upgrade. | [43] | |
| pki-validation | CA/Browser Forum's Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates | [44] | 2017-02-06 |
| posh | PKIX over Secure HTTP (POSH) | [45] | 2015-09-20 |
| privacy-sandbox-attestations.json | The Google Chrome Privacy Sandbox attestation file | [46] | |
| pubvendors.json | The IAB pubvendors.json tech spec, which provides a standard for publishers to publicly declare the vendors that they work with, and their respective data rights/configuration | [47] | 2020-09-07 |
| reload-config | REsource LOcation And Discovery (RELOAD) Base Protocol | [48] | |
| repute-template | A Reputation Query Protocol | | 2013-09-30 |
| resourcesync | ResourceSync Framework Specification | [49] | 2017-05-26 |
| security.txt | Standard to help organizations define the process for security researchers to disclose security vulnerabilities | [50] | 2018-08-20 |
| smart-configuration | SMART on FHIR configuration metadata, including OAuth authorization_endpoint and token_endpoint URLs | [51] | 2023-03-01 |
| statements.txt | Standard for collective contract signing | [52] | |
| stun-key | Session Traversal Utilities for NAT (STUN) Extension for Third-Party Authorization | [53] | 2015-06-12 |
| tdmrep.json | Domain-wide TDM (Text and Data Mining) reservation | [54] | |
| time | Time over HTTPS specification | [55] | 2015-12-09 |
| timezone | Time Zone Data Distribution Service | [56] | 2015-08-03 |
| traffic-advice | Prefetch control (proposal; implemented in Chrome Privacy Preserving Prefetch Proxy crawler) | [57] | |
| uma2-configuration | User-Managed Access (UMA) 2.0 grant for OAuth 2.0 authorization | [58] | 2017-06-20 |
| vercel/flags | Overridable Feature Flags for Vercel's Toolbar | [59] | |
| void | Describing Linked Datasets with the VoID Vocabulary | [60] | 2011-05-11 |
| wasm-pkg/registry.json | WebAssembly registry | [61] | |
| webauthn | WebAuthn Related Origins | [62] | |
| webfinger | WebFinger | [63] | 2013-03-15, 2013-09-06 |
| workflow | Workflow Development Kit Routes | [64] | |
| xrp-ledger.toml | XRP ledger node & account information | [65] | |

References

Footnotes

  1. Nottingham, Mark (May 6, 2019), Well-Known Uniform Resource Identifiers (URIs), IETF, doi:10.17487/RFC8615, RFC 8615, https://tools.ietf.org/html/rfc8615
  2. Barnes, Richard; Hoffman-Andrews, Jacob; McCarney, Daniel; Kasten, James (March 6, 2019), Automatic Certificate Management Environment (ACME), IETF, doi:10.17487/RFC8555, RFC 8555, https://tools.ietf.org/html/rfc8555 
  3. "Agent Discovery - A2A Protocol". https://a2a-protocol.org/latest/topics/agent-discovery/#discovery-strategies. 
  4. "Getting Started – OpenAI API". https://platform.openai.com/docs/plugins/getting-started. 
  5. "App Search Programming Guide: Support Universal Links". https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html. 
  6. "Apple Developer Documentation". https://developer.apple.com/reference/applepayjs/. 
  7. "Automatic Workspace Folders". https://chromium.googlesource.com/devtools/devtools-frontend/+/main/docs/ecosystem/automatic_workspace_folders.md. 
  8. "Proposed Addendum am to Standard 135-2012, BACnet – A Data Communication Protocol for Building Automation and Control Networks". http://www.bacnet.org/Addenda/Add-135-2012am-ppr3-draft-17_chair_approved.pdf. 
  9. "Getting Started | Google Digital Asset Links". https://developers.google.com/digital-asset-links/v1/getting-started. 
  10. "Handle | AT Protocol". https://atproto.com/specs/handle#https-well-known-method. 
  11. "Thunderbird:Autoconfiguration – MozillaWiki". https://wiki.mozilla.org/Thunderbird:Autoconfiguration. 
  12. Daboo, Cyrus (February 6, 2013), Locating Services for Calendaring Extensions to WebDAV (CalDAV) and vCard Extensions to WebDAV (CardDAV), IETF, doi:10.17487/RFC6764, RFC 6764, https://tools.ietf.org/html/rfc6764
  13. "A Well-Known URL for Changing Passwords". https://w3c.github.io/webappsec-change-password-url/. 
  14. Bormann, Carsten; Lemay, Simon; Tschofenig, Hannes; Hartke, Klaus; Silverajan, Bill; Raymor, Brian (February 6, 2018), CoAP (Constrained Application Protocol) over TCP, TLS, and WebSockets, IETF, doi:10.17487/RFC8323, RFC 8323, https://tools.ietf.org/html/rfc8323 
  15. "How users enroll their personal devices". https://support.apple.com/guide/deployment/user-enrollment-and-mdm-dep23db2037d/1/web/1.0#dep798f25ab7. 
  16. "Discover Authentication Servers". https://developer.apple.com/documentation/devicemanagement/discover_authentication_servers. 
  17. Shelby, Zach (August 6, 2012), Constrained RESTful Environments (CoRE) Link Format, IETF, doi:10.17487/RFC6690, RFC 6690, https://tools.ietf.org/html/rfc6690 
  18. "Model for Tabular Data and Metadata on the Web" (in en). 17 December 2015. https://www.w3.org/TR/tabular-data-model/Overview.html. 
  19. "Use a domain name with dat://" (in en). https://beakerbrowser.com/docs/guides/use-a-domain-name-with-dat#well-knowndat. 
  20. "DEP-0005: DNS – Dat Protocol". https://www.datprotocol.com/deps/0005-dns/#-well-known-dat. 
  21. "advaith (@advaith@mastodon.social)" (in en). 2023-07-17. https://mastodon.social/@advaith/110727524300667599. 
  22. "Tracking Preference Expression (DNT)". https://www.w3.org/TR/tracking-dnt/#status-resource. 
  23. "A privacy-friendly Do Not Track (DNT) Policy". April 24, 2014. https://www.eff.org/dnt-policy. 
  24. Pritikin, Max; Yee, Peter E.; Harkins, Dan (October 6, 2013), Enrollment over Secure Transport, IETF, doi:10.17487/RFC7030, RFC 7030, https://tools.ietf.org/html/rfc7030 
  25. "RDF 1.1 Concepts and Abstract Syntax". http://www.w3.org/TR/rdf11-concepts/Overview.html. 
  26. "Global Privacy Control (GPC)". https://privacycg.github.io/gpc-spec/. 
  27. Farrell, Stephen; Hoffman, Paul E.; Thomas, Michael (March 6, 2015), HTTP Origin-Bound Authentication (HOBA), IETF, sec. 6, doi:10.17487/RFC7486, RFC 7486, https://tools.ietf.org/html/rfc7486 
  28. Cook, Blaine; Hammer-Lahav, Eran (October 6, 2011), Hammer-Lahav, E, ed., Web Host Metadata, IETF, doi:10.17487/RFC6415, RFC 6415, https://tools.ietf.org/html/rfc6415
  29. Nottingham, Mark; Thomson, Martin (May 6, 2017), Opportunistic Security for HTTP/2, IETF, sec. 2.3, doi:10.17487/RFC8164, RFC 8164, https://tools.ietf.org/html/rfc8164 
  30. "The "keybase.txt" Well-Known Resource Identifier". https://keybase.io/__/keybase_well_known. 
  31. "Resource Identifier (RI) Scheme name: keyparc". https://www.iana.org/assignments/uri-schemes/prov/keyparc. 
  32. "Client-Server API". https://matrix.org/docs/spec/client_server/latest#well-known-uri. 
  33. "Mercure.rocks: Mercure: The Specification". https://mercure.rocks/spec#discovery. 
  34. Margolis, Daniel; Risher, Mark; Ramakrishnan, Binu; Brotman, Alex; Jones, Janet (September 6, 2018), SMTP MTA Strict Transport Security (MTA-STS), IETF, sec. 3.2, doi:10.17487/RFC8461, RFC 8461, https://tools.ietf.org/html/rfc8461 
  35. Farrell, Stephen; Kutscher, Dirk; Dannewitz, Christian; Ohlman, Börje; Keränen, Ari; Hallam-Baker, Phillip (April 6, 2013), Naming Things with Hashes, IETF, doi:10.17487/RFC6920, RFC 6920, https://tools.ietf.org/html/rfc6920 
  36. "NodeInfo". July 19, 2021. https://github.com/jhass/nodeinfo. 
  37. "NIP-05: Mapping Nostr keys to DNS-based internet identifiers". https://github.com/nostr-protocol/nips/blob/master/05.md. 
  38. Jones, Michael B.; Sakimura, Nat; Bradley, John (June 28, 2018), OAuth 2.0 Authorization Server Metadata, IETF, doi:10.17487/RFC8414, RFC 8414, https://tools.ietf.org/html/rfc8414 
  39. "Final: OpenID Connect Discovery 1.0 incorporating errata set 1". https://openid.net/specs/openid-connect-discovery-1_0.html. 
  40. "Organisation Profile Documents". http://opd.data.ac.uk/. 
  41. Koch, Werner, OpenPGP Web Key Directory, IETF, I-D draft-koch-openpgp-webkey-service-07, https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-07 
  42. "Verification | Flathub Documentation" (in en). https://docs.flathub.org/docs/for-app-authors/verification. 
  43. "A Well-Known URL for Passkey Endpoints". https://w3c.github.io/webappsec-passkey-endpoints/passkey-endpoints.html. 
  44. "Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates". https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.8.pdf. 
  45. Miller, Matthew A.; Saint-Andre, Peter (November 6, 2015), PKIX over Secure HTTP (POSH), IETF, doi:10.17487/RFC7711, RFC 7711, https://tools.ietf.org/html/rfc7711 
  46. "Enroll for the Privacy Sandbox" (in en). https://developers.google.com/privacy-sandbox/private-advertising/enrollment#upload_your_attestation_file. 
  47. "web". https://documentation.sourcepoint.com/cmp/consent-management-platform-cmp-overview/gdpr/iab-framework/create-pubvendors-json-file-with-sourcepoint-api. 
  48. Jennings, Cullen; Lowekamp, Bruce; Rescorla, Eric; Baset, Salman; Schulzrinne, Henning (January 6, 2014), Lowekamp, B, ed., REsource LOcation And Discovery (RELOAD) Base Protocol, IETF, doi:10.17487/RFC6940, RFC 6940, https://tools.ietf.org/html/rfc6940 
  49. "ANSI/NISO Z39.99-2017". http://www.openarchives.org/rs/resourcesync. 
  50. "security.txt". https://securitytxt.org/. 
  51. "SMART app launch". https://build.fhir.org/ig/HL7/smart-app-launch/. 
  52. "The "statements.txt" Well-Known Resource Identifier". https://stated.network/docs/stated_well_known.html. 
  53. Reddy.K, Tirumaleswar; Patil, Prashanth; R, Ram; Uberti, Justin (August 6, 2015), Session Traversal Utilities for NAT (STUN) Extension for Third-Party Authorization, IETF, doi:10.17487/RFC7635, RFC 7635, https://tools.ietf.org/html/rfc7635 
  54. "TDM Reservation Protocol (TDMRep) ; Final Community Group Report". Text and Data Mining Reservation Protocol Community Group. 2022. https://www.w3.org/2022/tdmrep/. 
  55. "20151129 Time over HTTPS specification — PHKs Bikeshed". http://phk.freebsd.dk/time/20151129. 
  56. Douglass, Michael; Daboo, Cyrus (March 6, 2016), Time Zone Data Distribution Service, IETF, doi:10.17487/RFC7808, RFC 7808, https://tools.ietf.org/html/rfc7808 
  57. "Traffic Advice A Collection of Interesting Ideas, 12 May 2022". https://buettner.github.io/private-prefetch-proxy/traffic-advice.html. 
  58. Maler, E.; Machulak, M.; Richer, J. (January 7, 2018). "User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization". https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html#as-config. 
  59. "Toolbar Flags Reference". https://vercel.com/docs/workflow-collaboration/feature-flags/supporting-feature-flags. 
  60. "Describing Linked Datasets with the VoID Vocabulary". http://www.w3.org/TR/void/Overview.html. 
  61. "Definition". https://github.com/bytecodealliance/registry/blob/ec28719bd9ef636628f36ec268d935b69c8face4/crates/api/src/lib.rs#L9. 
  62. Cappalli, Tim; Jones, Michael B.; Kumar, Akshay; Lundberg, Emil; Miller, Matthew; Balfanz, Dirk; Bharadwaj, Vijay; Birgisson, Arnar et al. (January 27, 2025). "Web Authentication: An API for accessing Public Key Credentials - Level 3". W3C. https://www.w3.org/TR/webauthn-3/#sctn-related-origins. 
  63. Jones, Paul; Salgueiro, Gonzalo; Jones, Michael; Smarr, Joseph (September 6, 2013), WebFinger, IETF, doi:10.17487/RFC7033, RFC 7033, https://tools.ietf.org/html/rfc7033 
  64. "Workflow Development Kit Reference". https://useworkflow.dev/docs/how-it-works/code-transform#comparison-table. 
  65. "xrp-ledger.toml File | XRPL.org". https://xrpl.org/xrp-ledger-toml.html.