Endorsement Token
This token represents an endorsement or recommendation issued by a user.
An endorsement can be used to recommend another user, vouch for their expertise, or endorse specific content or skills. The endorsement token can contain a content (c) field explaining the endorsement.
The token must contain an audience (aud) field which points to the identity or content being endorsed. For other constraints see the Action Tokens.
Content-Addressing
This token is content-addressed using SHA-256:
- The entire JWT token (header + payload + signature) is hashed
- Action ID format:
a1~{base64_hash} - See Content-Addressing & Merkle Trees for details
Parent Reference
The optional p (parent) field can reference specific content being endorsed:
- Contains the content’s action_id (
a1~...) - Allows endorsing specific posts, articles, or projects
- Creates verifiable link between endorsement and content
Database Key
The database key for an endorsement token is [iss, t, aud]
Purpose: This key ensures that a user can only have one active endorsement for a given target. The key components are:
iss: Issuer identity (who is endorsing)t: Token type (“ENDR”)aud: Audience (who/what is being endorsed)
Example:
- Alice endorses Bob → Stored with key
[alice.example.com, "ENDR", bob.example.com] - Alice updates the endorsement → New token with same key, previous one is marked deleted
- Only ONE endorsement from Alice to Bob at a time
Use Cases
User Endorsement
Endorsing another user’s profile or expertise:
{
"iss": "alice.example.com",
"aud": "bob.example.com",
"iat": 1738483200,
"k": "20240101",
"t": "ENDR",
"c": "Highly skilled developer with excellent problem-solving abilities. Great team player!"
}Content Endorsement
Endorsing specific content (post, article, project):
{
"iss": "alice.example.com",
"aud": "bob.example.com",
"iat": 1738483200,
"k": "20240101",
"t": "ENDR",
"p": "a1~xyz789...",
"c": "This post provides excellent insights into distributed systems."
}Fields
| Field | Required | Description |
|---|---|---|
| iss | ✓ | The identity issuing the endorsement |
| aud | ✓ | The identity or content being endorsed |
| iat | ✓ | Timestamp when endorsement was issued |
| k | ✓ | Key ID used to sign the token |
| t | ✓ | Token type (always “ENDR”) |
| c | Content explaining the endorsement (markdown) | |
| p | Parent token ID if endorsing specific content | |
| a | Attachments (credentials, certificates, etc.) |
Example
User @alice.example.com endorses @bob.example.com for their technical expertise:
| Field | Value |
|---|---|
| iss | alice.example.com |
| aud | bob.example.com |
| iat | 2024-04-13T00:01:10.000Z |
| k | 20240101 |
| t | ENDR |
| c | Bob is an exceptional Rust developer with deep expertise in distributed systems. I’ve worked with them on multiple projects and highly recommend their skills. |
Visibility and Federation
Endorsement tokens are typically broadcast actions, meaning they are:
- Sent to all followers of the issuer
- Visible to connections of the endorsee
- Can be displayed on the endorsee’s profile (with their permission)
The endorsee can choose whether to:
- Display endorsements publicly on their profile
- Accept or reject specific endorsements
- Control who can endorse them (anyone, connections only, etc.)
Permission Checks
When receiving an endorsement token:
- Verify signature: Ensure the token is signed by the claimed issuer
- Check relationship: Verify issuer and endorsee have appropriate relationship (connected, following, etc.)
- Validate audience: Ensure
audfield matches the local user or their content - Check consent: Respect endorsee’s preferences about who can endorse them
See Also
- Action Tokens - Overview of all action token types
- React Token - For simple reactions vs. detailed endorsements
- Follow Token - For following vs. endorsing
- [Access Control](/architecture/data-layer/access-control/access - Permission checking for endorsements