Serving /.well-known/pacstac_<domain>.json

The /.well-known directory is defined by RFC 8615 as a place for site-wide metadata. PacStac uses it to host wallet proofs when DNS access is inconvenient. Because the file is fetched directly from your domain, it inherits HTTPS trust and avoids TTL delays.

Origins & history

• 2008: Google introduces host-meta under /.well-known/ for OAuth discovery.

• 2010–2018: ACME (Let’s Encrypt) and other specs reuse the pattern for certificate issuance, security.txt, and cross-origin policies.

• 2019: RFC 8615 formalizes /.well-known as a shared namespace. PacStac rides the same wave for lightweight HTTP proofs.

JSON contract

{
  "version": "1.0",
  "domain": "example.com",
  "pacstac_msg": "<base64-siwe-message>",
  "pacstac_verify": "<0x-signature>",
  "issued_at": "2025-10-21T00:00:00Z",
  "verified_by": "www.pacstac.com"
}

  • version — allows future schema expansion (keep at 1.0 today).
  • domain — must match the host portion of the URL (lowercase).
  • pacstac_msg — base64-encoded SIWE message.
  • pacstac_verify — EVM signature over the decoded SIWE message.
  • issued_at (optional) — ISO 8601 timestamp for operational auditing.
  • verified_by (optional) — metadata for auditing/ops.

Deployment tips

Static sites

If you publish via static hosting (Vercel, Netlify, S3), create a public/.well-known directory and commit pacstac_example.com.json to it. Many frameworks treat dot directories as special, so consult your routing docs.

Reverse proxies

When using Nginx/Apache, add explicit location rules before other rewrites so the JSON is served verbatim. Disable gzip and templating if your stack renders JSON through a view engine.

Verification checklist

  • Serve over HTTPS. Redirect HTTP to HTTPS if possible, but PacStac fetches both to maximise compatibility.
  • Set `Content-Type: application/json` and disable caching while testing. Once stable, a short `Cache-Control: max-age=300` is acceptable.
  • Ensure the JSON response is accessible without authentication, CAPTCHAs, or geo-blocks.
  • Monitor for 404s or CMS rewrites—some frameworks treat `.well-known` as reserved and require explicit pass-through rules.
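A local preflight for the JSON contract and the checklist above, as an added example (not PacStac's own verifier). The name `preflight`, its messages and the sample values are hypothetical, the 65-byte signature length is an assumption, and the signature itself is not verified here.

```python
import base64, binascii, json, re
from datetime import datetime
from urllib.parse import urlsplit

REQUIRED = ("version", "domain", "pacstac_msg", "pacstac_verify")

def preflight(url, headers, body):
    """Return problems found in one fetched proof response (empty list = clean)."""
    problems = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the host
    if parts.scheme != "https":
        problems.append("not served over HTTPS")
    if parts.path != f"/.well-known/pacstac_{host}.json":
        problems.append("path is not /.well-known/pacstac_<domain>.json")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append("Content-Type is not application/json")
    try:
        doc = json.loads(body)
    except ValueError:                   # HTML error page, template output, gzip bytes
        return problems + ["body is not JSON"]
    if not isinstance(doc, dict):
        return problems + ["top-level JSON value is not an object"]
    missing = [k for k in REQUIRED if not isinstance(doc.get(k), str)]
    if missing:
        return problems + [f"missing or non-string field: {k}" for k in missing]
    if doc["version"] != "1.0":
        problems.append("version is not 1.0")
    if doc["domain"] != host:
        problems.append("domain does not match the URL host in lowercase")
    try:
        base64.b64decode(doc["pacstac_msg"], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        problems.append("pacstac_msg is not base64-encoded text")
    if not re.fullmatch(r"0x[0-9a-fA-F]{130}", doc["pacstac_verify"]):  # assumed 65 bytes
        problems.append("pacstac_verify is not a 0x-prefixed 65-byte signature")
    if "issued_at" in doc:
        try:
            datetime.fromisoformat(str(doc["issued_at"]).replace("Z", "+00:00"))
        except ValueError:
            problems.append("issued_at is not an ISO 8601 timestamp")
    return problems

# Constructed sample response; the message and signature are placeholders, not real proofs.
URL = "https://example.com/.well-known/pacstac_example.com.json"
GOOD = json.dumps({"version": "1.0", "domain": "example.com", "pacstac_verify": "0x" + "ab" * 65,
                   "pacstac_msg": base64.b64encode(b"constructed SIWE text").decode()})
print(preflight(URL, {"Content-Type": "application/json"}, GOOD))
```

Feed it the URL, response headers and body captured from your own deployment; a CMS rewrite that returns an HTML page shows up as a Content-Type and body failure together.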

Combine with DNS

You can keep both the TXT record and the JSON file. PacStac treats either proof as valid. Running both gives you redundancy—if your CMS rewrites the JSON, DNS still carries the proof, and vice versa.

Next: learn how PacStac consumes the data in PacStac Verification.