You can think of UCAN as roughly an end-user controlled, offline-first, extensible, capabilities-based variant of OAuth that enables:

  • Users to directly authorise each other without a backend at all
  • Services to collaborate without pre-negotiation
  • Processes to be restricted to a narrow set of actions


More Formally

User-Controlled Authorization Network (UCAN) is a trustless, secure, local-first, user-originated authorization and revocation scheme. It provides public-key verifiable, delegable, expressive, openly extensible capabilities by extending the familiar JWT structure. UCANs achieve public verifiability with chained certificates and decentralized identifiers (DIDs). Verifiable chain compression is enabled via content addressing. Because it is encoded as a JWT, UCAN makes schemes like SPKI/SDSI more familiar and easier to adopt in web and native application contexts. UCAN allows for the creation and discharge of authority by any agent with a DID, including traditional systems and peer-to-peer architectures beyond traditional cloud computing.
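
The chained-delegation idea above can be made concrete with a small offline checker. This is an added example, not code from the UCAN project: it walks a delegation chain and rejects any token that claims more than its proofs convey. The field names (iss, aud, exp, att, prf) follow UCAN 0.x JWT payloads; the DIDs, resource URIs, ability names and the path-prefix attenuation rule are constructed for illustration, proofs are inlined rather than referenced by content address, and signature verification is assumed to have happened already.

```python
# Added illustration, not UCAN project code. Tokens are already-decoded payloads
# using the UCAN 0.x field names iss/aud/exp/att/prf; signatures are assumed verified.

def covers(parent, child):
    """Assumed semantics: same ability, and the child resource is the parent
    resource or a path beneath it."""
    base = parent["with"].rstrip("/")
    return parent["can"] == child["can"] and (
        child["with"] == base or child["with"].startswith(base + "/"))

def grants(token, cap, owner, now):
    """True if `token` conveys `cap` through an unbroken chain back to `owner`."""
    if token["exp"] <= now:
        return False                      # an expired link breaks the whole chain
    if not any(covers(a, cap) for a in token["att"]):
        return False                      # capability not claimed by this token
    if not token["prf"]:
        return token["iss"] == owner      # only the owner can originate authority
    # Delegation: a proof must be addressed to this issuer and grant `cap` itself,
    # so a token can never convey more than its proofs do (attenuation).
    return any(p["aud"] == token["iss"] and grants(p, cap, owner, now)
               for p in token["prf"])

def authorize(token, invoker, cap, owner, now):
    """Offline check a service runs when `invoker` presents `token`."""
    return token["aud"] == invoker and grants(token, cap, owner, now)

# Constructed sample chain: alice (owner) -> bob -> carol, narrowing at each hop.
ALICE, BOB, CAROL, MALLORY = (f"did:example:{n}" for n in ("alice", "bob", "carol", "mallory"))
PHOTOS = "storage://alice/photos"
root = {"iss": ALICE, "aud": BOB, "exp": 2000, "prf": [],
        "att": [{"with": PHOTOS, "can": "read"}, {"with": PHOTOS, "can": "write"}]}
to_carol = {"iss": BOB, "aud": CAROL, "exp": 1500, "prf": [root],
            "att": [{"with": PHOTOS + "/2024", "can": "read"}]}
# Carol claims more than she was given; the claim fails when traced to its proof.
escalated = {"iss": CAROL, "aud": MALLORY, "exp": 1500, "prf": [to_carol],
             "att": [{"with": PHOTOS, "can": "write"}]}

if __name__ == "__main__":
    read_2024 = {"with": PHOTOS + "/2024/a.jpg", "can": "read"}
    print(authorize(to_carol, CAROL, read_2024, ALICE, now=1000))
    print(authorize(escalated, MALLORY, {"with": PHOTOS + "/x", "can": "write"}, ALICE, now=1000))
```

No backend is consulted at any point: the verifier needs only the presented token, its embedded proofs, and knowledge of who owns the resource.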