You can think of UCAN as roughly an end-user controlled, offline-first, extensible, capabilities-based variant of OAuth that enables:
- Users to directly authorise each other without a backend at all
- Services to collaborate without pre-negotiation
- Processes to be restricted to performing only a narrow set of actions
About
More Formally
User-Controlled Authorization Network (UCAN) is a trustless, secure, local-first, user-originated authorization and revocation scheme. It provides public-key verifiable, delegable, expressive, openly extensible capabilities. The project started as a layer on top of the familiar JWT structure, but for numerous reasons we have switched to DAG-CBOR. UCANs achieve public verifiability with chained certificates and decentralized identifiers (DIDs). Verifiable chain compression is enabled via content addressing. UCAN improves the modernity, familiarity, and adoptability of schemes like SPKI/SDSI for web and native application contexts. UCAN allows for the creation and discharge of authority by any agent with a DID, including traditional systems and peer-to-peer architectures beyond traditional cloud computing.
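The sketch below is an added illustration of the chained-certificate idea, not code from the UCAN project and not the UCAN wire format. It assumes raw Ed25519 public keys in place of DIDs, a hypothetical `Token` struct in place of DAG-CBOR, and resource paths ending in `/` so that a string prefix means "subtree". It shows how a verifier can check a delegation chain offline with public keys alone and reject a link that widens the authority it received.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// Token is a simplified stand-in for a UCAN (assumption): raw keys, no DIDs, no DAG-CBOR.
type Token struct {
	Iss, Aud         ed25519.PublicKey
	Resource, Action string
	Sig              []byte
}

func (t Token) payload() []byte { return []byte(fmt.Sprintf("%x %x %q %q", t.Iss, t.Aud, t.Resource, t.Action)) }

// Delegate signs a capability from the holder of priv to audience aud.
func Delegate(priv ed25519.PrivateKey, aud ed25519.PublicKey, resource, action string) Token {
	t := Token{Iss: priv.Public().(ed25519.PublicKey), Aud: aud, Resource: resource, Action: action}
	t.Sig = ed25519.Sign(priv, t.payload())
	return t
}

// VerifyChain checks a root-first chain offline, using only public keys.
func VerifyChain(owner, invoker ed25519.PublicKey, chain []Token) error {
	prev := Token{Aud: owner} // the owner implicitly holds the resource
	for i, t := range chain {
		if len(t.Iss) != ed25519.PublicKeySize || !ed25519.Verify(t.Iss, t.payload(), t.Sig) {
			return fmt.Errorf("link %d: invalid signature", i)
		}
		if !t.Iss.Equal(prev.Aud) {
			return fmt.Errorf("link %d: issuer does not hold the capability", i)
		}
		if i > 0 && (t.Action != prev.Action || !strings.HasPrefix(t.Resource, prev.Resource)) {
			return fmt.Errorf("link %d: capability widens its parent", i)
		}
		prev = t
	}
	if len(chain) == 0 || !invoker.Equal(prev.Aud) {
		return fmt.Errorf("chain does not end at the invoker")
	}
	return nil
}

func main() {
	alicePub, alice, _ := ed25519.GenerateKey(nil)
	bobPub, _, _ := ed25519.GenerateKey(nil)
	fmt.Println(VerifyChain(alicePub, bobPub, []Token{Delegate(alice, bobPub, "files/alice/", "read")}))
}
```

No backend is consulted at any point: the verifier needs only the owner's public key and the chain presented by the invoker.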