Trustless Gateway is a subset of [path-gateway] that allows light IPFS clients to retrieve data behind a CID and verify its integrity without delegating any trust to the gateway itself.
The minimal implementation means:
/ipfs/{cid}
A subset of "HTTP API" of [path-gateway].
GET /ipfs/{cid}[/{path}][?{params}]
Downloads verifiable data for the specified immutable content path.
Optional path
is permitted for requests that specify CAR format (application/vnd.ipld.car
).
For RAW requests, only GET /ipfs/{cid}[?{params}]
is supported.
HEAD /ipfs/{cid}[/{path}][?{params}]
Same as GET, but does not return any payload.
GET /ipns/{key}[?{params}]
Downloads data at specified IPNS Key. Verifiable [ipns-record] can be requested via ?format=ipns-record
HEAD /ipns/{key}[?{params}]
Same as GET, but does not return any payload.
Same as in [path-gateway], but with limited number of supported response types.
Accept
(request header)This HTTP header is required when running in a strict, trustless mode.
Below response types MUST to be supported:
Below response types SHOULD to be supported:
0x0300
).Gateway SHOULD return HTTP 400 Bad Request when running in strict trustless
mode (no deserialized responses) and Accept
header is missing.
Optional, dag-scope=(block|entity|all)
with default value all
, only available for CAR requests.
Describes the shape of the DAG fetched the terminus of the specified path whose blocks are included in the returned CAR file after the blocks required to traverse path segments.
block
- Only the root block at the end of the path is returned after blocks
required to verify the specified path segments.
entity
- For queries that traverse UnixFS data, entity
roughly means return
blocks needed to verify the terminating element of the requested content path.
For UnixFS, all the blocks needed to read an entire UnixFS file, or enumerate a UnixFS directory.
For all queries that reference non-UnixFS data, entity
is equivalent to block
all
- Transmit the entire contiguous DAG that begins at the end of the path
query, after blocks required to verify path segments
When present, returned Etag
must include unique prefix based on the passed scope type.
The optional entity-bytes=from:to
parameter is available only for CAR
requests.
It implies dag-scope=entity
and serves as a trustless equivalent of an HTTP
Range Request.
When the terminating entity at the end of the specified content path:
can be interpreted as a continuous array of bytes (such as a UnixFS file), a Gateway MUST return only the minimal set of blocks necessary to verify the specified byte range of that entity.
dag-pb
, 0x70
) and a non-zero
from
value, the UnixFS data and blocksizes
determine the
corresponding starting block for a given from
offset.cannot be interpreted as a continuous array of bytes (such as a DAG-CBOR/JSON
map or UnixFS directory), the parameter MUST be ignored, and the request is
equivalent to dag-scope=entity
.
Allowed values for from
and to
follow a subset of section 14.1.2 from
[rfc9110], where they are defined as offset integers that limit the
returned blocks to only those necessary to satisfy the range [from,to]
:
from
value gives the byte-offset of the first byte in a range.to
value gives the byte-offset of the last byte in the range;
that is, the byte positions specified are inclusive.The following additional values are supported:
*
can be substituted for end-of-file
entity-bytes=0:*
is the entire file (a verifiable version of HTTP request for Range: 0-
)entity-bytes=-1024:*
is the last 1024 bytes of a file
(verifiable version of HTTP request for Range: -1024
)entity-bytes=499:-1000
A Gateway MUST augment the returned Etag
based on the passed entity-bytes
.
A Gateway SHOULD return an HTTP 400 Bad Request error when the requested range cannot be parsed as valid offset positions.
In more nuanced error scenarios, a Gateway MUST return a valid CAR response
that includes enough blocks for the client to understand why the requested
entity-bytes
was incorrect or why only a part of the requested byte range was
returned:
If the requested entity-bytes
resolves to a range that partially falls
outside of the entity's byte range, the response MUST include the subset of
blocks within the entity's bytes.
If the requested entity-bytes
resolves to a zero-length range or falls
fully outside of the entity's bytes, the response is equivalent to
dag-scope=block
.
Data.blocksizes
information present in the root dag-pb
block).In streaming scenarios, if a Gateway is capable of returning the root block but lacks prior knowledge of the final component of the requested content path being invalid or absent in the DAG, a Gateway SHOULD respond with HTTP 200.
Below MUST be implemented in addition to "HTTP Response" of [path-gateway].
Content-Type
(response header)MUST be returned and include additional format-specific parameters when possible.
If a CAR stream was requested, the response MUST include the parameter specifying CAR version.
For example: Content-Type: application/vnd.ipld.car; version=1
Content-Disposition
(response header)MUST be returned and set to attachment
to ensure requested bytes are not rendered by a web browser.
An opaque bytes matching the requested block CID (application/vnd.ipld.raw).
The Body hash MUST match the Multihash from the requested CID.
A CAR stream for the requested
application/vnd.ipld.car
content type, path and optional dag-scope
and entity-bytes
URL parameters.
Value returned in
CarV1Header.version
field MUST match the version
parameter returned in Content-Type
header.
The behavior associated with the
CarV1Header.roots
field
is not currently specified.
Clients MAY ignore it.
As of 2023-06-20, the behavior of the roots
CAR field remains an unresolved item within the CARv1 specification.
The default CAR header and block order in a CAR response is not specified and is non-deterministic.
Clients MUST NOT assume that CAR responses are deterministic (byte-for-byte identical) across different gateways.
Clients MUST NOT assume that CAR includes CIDs and their blocks in the same order across different gateways.
In controlled environments, clients MAY choose to rely on undocumented CAR determinism, subject to the agreement of the following conditions between the client and the gateway:
CarV1Header.roots
fieldIn the future, there may be an introduction of a convention to indicate aspects of determinism in CAR responses. Please refer to IPIP-412 for potential developments in this area.