Trustless Gateway Specification

status: reliable
Editors
Marcin Rataj GitHub
Henrique Dias GitHub
History
Commit History
Feedback
GitHub ipfs/specs (pull requests, new issue, open issues)

Trustless Gateway is a subset of [path-gateway] that allows light IPFS clients to retrieve data behind a CID and verify its integrity without delegating any trust to the gateway itself.

The minimal implementation means:

1. HTTP API

A subset of "HTTP API" of [path-gateway].

1.1 GET /ipfs/{cid}[/{path}][?{params}]

Downloads verifiable data for the specified immutable content path.

Optional path is permitted for requests that specify CAR format (application/vnd.ipld.car).

For RAW requests, only GET /ipfs/{cid}[?{params}] is supported.

1.2 HEAD /ipfs/{cid}[/{path}][?{params}]

Same as GET, but does not return any payload.

1.3 GET /ipns/{key}[?{params}]

Downloads data at specified IPNS Key. Verifiable [ipns-record] can be requested via ?format=ipns-record

1.4 HEAD /ipns/{key}[?{params}]

Same as GET, but does not return any payload.

2. HTTP Request

Same as in [path-gateway], but with limited number of supported response types.

2.1 Request Headers

2.1.1 Accept (request header)

This HTTP header is required when running in a strict, trustless mode.

Below response types MUST to be supported:

Below response types SHOULD to be supported:

Gateway SHOULD return HTTP 400 Bad Request when running in strict trustless mode (no deserialized responses) and Accept header is missing.

2.2 Request Query Parameters

2.2.1 dag-scope (request query parameter)

Optional, dag-scope=(block|entity|all) with default value all, only available for CAR requests.

Describes the shape of the DAG fetched the terminus of the specified path whose blocks are included in the returned CAR file after the blocks required to traverse path segments.

  • block - Only the root block at the end of the path is returned after blocks required to verify the specified path segments.

  • entity - For queries that traverse UnixFS data, entity roughly means return blocks needed to verify the terminating element of the requested content path. For UnixFS, all the blocks needed to read an entire UnixFS file, or enumerate a UnixFS directory. For all queries that reference non-UnixFS data, entity is equivalent to block

  • all - Transmit the entire contiguous DAG that begins at the end of the path query, after blocks required to verify path segments

When present, returned Etag must include unique prefix based on the passed scope type.

2.2.2 entity-bytes (request query parameter)

The optional entity-bytes=from:to parameter is available only for CAR requests.

It implies dag-scope=entity and serves as a trustless equivalent of an HTTP Range Request.

When the terminating entity at the end of the specified content path:

  • can be interpreted as a continuous array of bytes (such as a UnixFS file), a Gateway MUST return only the minimal set of blocks necessary to verify the specified byte range of that entity.

    • When dealing with a sharded UnixFS file (dag-pb, 0x70) and a non-zero from value, the UnixFS data and blocksizes determine the corresponding starting block for a given from offset.

  • cannot be interpreted as a continuous array of bytes (such as a DAG-CBOR/JSON map or UnixFS directory), the parameter MUST be ignored, and the request is equivalent to dag-scope=entity.

Allowed values for from and to follow a subset of section 14.1.2 from [rfc9110], where they are defined as offset integers that limit the returned blocks to only those necessary to satisfy the range [from,to]:

  • from value gives the byte-offset of the first byte in a range.
  • to value gives the byte-offset of the last byte in the range; that is, the byte positions specified are inclusive.

The following additional values are supported:

  • * can be substituted for end-of-file
    • entity-bytes=0:* is the entire file (a verifiable version of HTTP request for Range: 0-)
  • Negative numbers can be used for referring to bytes from the end of a file
    • entity-bytes=-1024:* is the last 1024 bytes of a file (verifiable version of HTTP request for Range: -1024)
    • It is also permissible (unlike with HTTP Range Requests) to ask for the range of 500 bytes from the beginning of the file to 1000 bytes from the end: entity-bytes=499:-1000

A Gateway MUST augment the returned Etag based on the passed entity-bytes.

A Gateway SHOULD return an HTTP 400 Bad Request error when the requested range cannot be parsed as valid offset positions.

In more nuanced error scenarios, a Gateway MUST return a valid CAR response that includes enough blocks for the client to understand why the requested entity-bytes was incorrect or why only a part of the requested byte range was returned:

  • If the requested entity-bytes resolves to a range that partially falls outside of the entity's byte range, the response MUST include the subset of blocks within the entity's bytes.

    • This allows clients to request valid ranges of the entity without needing to know its total size beforehand, and it does not require the Gateway to buffer the entire entity before returning the response.

  • If the requested entity-bytes resolves to a zero-length range or falls fully outside of the entity's bytes, the response is equivalent to dag-scope=block.

    • This allows client to produce a meaningful error (e.g, in case of UnixFS, leverage Data.blocksizes information present in the root dag-pb block).

  • In streaming scenarios, if a Gateway is capable of returning the root block but lacks prior knowledge of the final component of the requested content path being invalid or absent in the DAG, a Gateway SHOULD respond with HTTP 200.

    • This behavior is a consequence of HTTP streaming limitations: blocks are not buffered, by the time a related parent block is being parsed and returned to the client, the HTTP status code has already been sent to the client.

3. HTTP Response

Below MUST be implemented in addition to "HTTP Response" of [path-gateway].

3.1 Response Headers

3.1.1 Content-Type (response header)

MUST be returned and include additional format-specific parameters when possible.

If a CAR stream was requested, the response MUST include the parameter specifying CAR version. For example: Content-Type: application/vnd.ipld.car; version=1

3.1.2 Content-Disposition (response header)

MUST be returned and set to attachment to ensure requested bytes are not rendered by a web browser.

3.2 Response Payload

3.2.1 Block Response

An opaque bytes matching the requested block CID (application/vnd.ipld.raw).

The Body hash MUST match the Multihash from the requested CID.

3.2.2 CAR Response

A CAR stream for the requested application/vnd.ipld.car content type, path and optional dag-scope and entity-bytes URL parameters.

3.2.2.1 CAR version

Value returned in CarV1Header.version field MUST match the version parameter returned in Content-Type header.

3.2.2.2 CAR roots

The behavior associated with the CarV1Header.roots field is not currently specified.

Clients MAY ignore it.

As of 2023-06-20, the behavior of the roots CAR field remains an unresolved item within the CARv1 specification.

3.2.2.3 CAR determinism

The default CAR header and block order in a CAR response is not specified and is non-deterministic.

Clients MUST NOT assume that CAR responses are deterministic (byte-for-byte identical) across different gateways.

Clients MUST NOT assume that CAR includes CIDs and their blocks in the same order across different gateways.

In controlled environments, clients MAY choose to rely on undocumented CAR determinism, subject to the agreement of the following conditions between the client and the gateway:

  • CAR version
  • content of CarV1Header.roots field
  • order of blocks
  • status of duplicate blocks

In the future, there may be an introduction of a convention to indicate aspects of determinism in CAR responses. Please refer to IPIP-412 for potential developments in this area.

A. References

[ipns-record]
IPNS Record and Protocol. Vasco Santos; Steve Allen; Marcin Rataj; Henrique Dias; Gus Eggert. 2023-02-13. URL: https://specs.ipfs.tech/ipns/ipns-record/
[path-gateway]
Path Gateway Specification. Marcin Rataj; Adrian Lanzafame; Vasco Santos; Oli Evans; Henrique Dias. 2023-03-30. URL: https://specs.ipfs.tech/http-gateways/path-gateway/
[rfc2119]
Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[rfc9110]
HTTP Semantics. R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. IETF. June 2022. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc9110