Skip to content

bind-standard/bind-directory

Repository files navigation

BIND Directory

Public key infrastructure and trust directory for the BIND Standard — the open data model for insurance interoperability.

Live: bindpki.org

What This Is

The BIND Directory is a git-based registry of insurance participants — brokers, carriers, MGAs, TPAs, reinsurers, and vendors — and their public keys. It serves as the trust anchor for the BIND ecosystem: when a participant signs a BIND Bundle, anyone can verify the signature against the directory's published JWKS.

Each participant maintains a folder under participants/ containing their manifest (organization metadata, regulatory credentials) and public keys. Git is the review and governance workflow — no database, no central authority.

Directory Structure

participants/
└── your-org/
    ├── manifest.json   # Organization metadata and regulatory credentials
    ├── jwks.json       # Public keys in JWKS format
    ├── logo.png        # Organization logo (PNG)
    └── logo.svg        # Organization logo (SVG)

Joining the Directory

The fastest way to join is the scaffold script:

pnpm run join-directory

This generates your participant folder with a key pair, pre-filled manifest, and prompts for regulatory credentials. See the full How to Join guide for details.

Verification

Before your PR is merged, email directory@bind-standard.org with your organization slug and regulatory credentials (license numbers, registry links). The BIND Standard Team verifies your organization's legitimacy — broker licenses, insurer registrations, bar admissions, etc.

Manifest

Each participant's manifest.json contains organization metadata and an embedded BIND Organization resource:

{
  "schemaVersion": "1.0",
  "slug": "your-org",
  "displayName": "Your Org",
  "description": "A brief description of your organization.",
  "joinedAt": "2026-02-16",
  "status": "pending",
  "organization": {
    "resourceType": "Organization",
    "name": "Your Organization Inc.",
    "status": "active",
    "type": {
      "coding": [{ "system": "https://bind.codes/OrganizationType", "code": "broker", "display": "Broker" }]
    },
    "address": [{ "use": "work", "city": "Montréal", "state": "QC", "country": "CA" }],
    "credentials": [
      {
        "type": "broker-license",
        "authority": "Autorité des marchés financiers",
        "identifier": "LIC-123456",
        "registryUrl": "https://lautorite.qc.ca/en/general-public/registers",
        "jurisdiction": "QC"
      }
    ]
  }
}

Organization Types

Code Description
insurer Insurance carrier
broker Insurance broker
mga Managing General Agent
tpa Third-Party Administrator
reinsurer Reinsurance company
expert Claims adjuster, appraiser, or expert
counsel Legal counsel
tech-provider Insurance technology provider
industry-body Industry association or standards body

JWKS

Public keys are published in standard JWKS format. EC (P-256), RSA, and OKP key types are supported. The kid is an RFC 7638 JWK Thumbprint (SHA-256, base64url).

Keys support optional temporal fields (Unix timestamps) for lifecycle management:

Field Description
iat Issued At — when the key was created
nbf Not Before — key is not valid before this time
exp Expires — key is not valid after this time

The validation pipeline warns on expired keys and not-yet-valid keys but does not reject them, since old keys may linger during rotation.

Once merged, keys are served at bindpki.org/<slug>/.well-known/jwks.json.

Key Management

Rotate, retire, or remove keys interactively:

pnpm run manage-keys

The script supports listing keys with status, generating a new key while setting a grace period on old keys, retiring individual keys, and removing expired keys. See the How to Join guide for the full workflow.

API

The directory is accessible as a JSON API at bindpki.org/api/v1/. All URLs in the responses are absolute.

Endpoint Description
GET /api/v1/participants/index.json Lightweight listing of all active participants (slug, name, type, ISS, URLs)
GET /api/v1/participants/{slug}.json Full participant detail (manifest, JWKS, absolute logo/profile URLs)
GET /{slug}/.well-known/jwks.json JWKS for a specific participant
GET /logos/{slug}.png Participant logo (PNG)
GET /logos/{slug}.svg Participant logo (SVG)

Example

# List all participants
curl https://bindpki.org/api/v1/participants/index.json

# Get a specific participant
curl https://bindpki.org/api/v1/participants/egr.json

# Fetch a participant's JWKS
curl https://bindpki.org/egr/.well-known/jwks.json

The API is statically generated at build time from the participants/ directory — no runtime dependencies.

Validation

The directory includes a comprehensive validation pipeline that checks structure, manifests, JWKS (including rejection of private key material), and logos:

pnpm run validate

Stack

  • VitePress for the directory site
  • Cloudflare Workers for hosting and JWKS serving
  • Biome for linting and formatting
  • TypeScript validation scripts for CI enforcement

Development

pnpm install
pnpm run validate   # run all validation checks
pnpm run dev        # local dev server for the directory site
pnpm run build      # production build
pnpm run typecheck  # TypeScript type checking
pnpm run check      # Biome lint + format check

Contributing

We welcome contributions from everyone. See CONTRIBUTING.md for details, or open a pull request directly.

For questions or ideas, reach out at contact@bind-standard.org.

License

The BIND Directory is released under the CC0 1.0 Universal license — dedicated to the public domain. You are free to use, modify, and build upon it without restriction.

About

No description, website, or topics provided.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors