Well-known URI explained

A well-known URI is a Uniform Resource Identifier whose URL path starts with the prefix /.well-known/. Web servers implement them so that well-known services or information are available at consistent, well-known locations across servers.

Description

Well-known URIs are Uniform Resource Identifiers defined by the IETF in RFC 8615.[1] Their URL paths start with the prefix /.well-known/. They respond to the common expectation that web-based protocols require certain services or information to be available at URLs that are consistent across servers, regardless of the way URL paths are organized on a particular host. Web servers implement them so that requests for well-known services or information can be made at consistent, well-known locations across servers.

The IETF has defined a simple way for web servers to hold metadata that any user agent (e.g., web browser) can request. The metadata is useful for various tasks, including directing a web user to use a mobile app instead of the website or indicating the different ways that the site can be secured. The well-known locations are used by web servers to share metadata with user agents; sometimes these are files and sometimes these are requests for information from the web server software itself. The way to declare the different metadata requests that can be provided is standardized by the IETF so that other developers know how to find and use this information.

Use

A well-known URI is a URI whose path begins with the characters /.well-known/ and whose scheme is "HTTP", "HTTPS", or another scheme that has explicitly been specified to use well-known URIs. As an example, if an application hosts the service "example", the corresponding well-known URIs on https://www.example.com/ would start with https://www.example.com/.well-known/example.

Information shared by a web site as a well-known service is expected to meet a specific standard. Specifications that need to define a resource for such site-wide metadata can register their use with the Internet Assigned Numbers Authority (IANA) to avoid collisions and minimize impingement upon sites' URI space.
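
The rule in this section, applied to request URLs as an added example (not code from RFC 8615 or from any server project): it decides whether a URL is a well-known URI and whether its suffix appears in the table on this page. The function name, status labels and sample URLs are constructed for illustration, and only the "HTTP" and "HTTPS" schemes are handled.

```python
from urllib.parse import urlsplit

PREFIX = "/.well-known/"
SCHEMES = {"http", "https"}  # assumption: schemes that opt in separately are out of scope

# Subset of the suffixes in this page's table; extend with the rest as needed.
LISTED = {
    "acme-challenge", "assetlinks.json", "autoconfig/mail", "change-password",
    "mta-sts.txt", "openid-configuration", "security.txt", "webfinger",
}

def classify(url):
    """Return (status, suffix); status is one of
    not-well-known, malformed, listed, unlisted."""
    parts = urlsplit(url)
    if parts.scheme not in SCHEMES or not parts.hostname:
        return ("not-well-known", None)
    # The prefix must open the path; /blog/.well-known/x does not count.
    if not parts.path.startswith(PREFIX) or parts.path == PREFIX:
        return ("not-well-known", None)
    segments = parts.path[len(PREFIX):].split("/")
    # Dot segments could resolve outside /.well-known/, so refuse them
    # (percent-encoded forms are not decoded in this example).
    if "." in segments or ".." in segments:
        return ("malformed", None)
    # Longest match first, so "autoconfig/mail" wins over a bare "autoconfig".
    for n in range(len(segments), 0, -1):
        candidate = "/".join(segments[:n])
        if candidate in LISTED:
            return ("listed", candidate)
    return ("unlisted", segments[0])

# Constructed sample URLs on the page's example host.
SAMPLES = [
    "https://www.example.com/.well-known/security.txt",
    "https://www.example.com/.well-known/acme-challenge/TOKEN",
    "https://www.example.com/.well-known/autoconfig/mail/config-v1.1.xml",
    "https://www.example.com/.well-known/example",
    "https://www.example.com/blog/.well-known/security.txt",
    "https://www.example.com/.well-known/../admin",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(classify(u), u)
```

An "unlisted" result is not an error by itself: it only means the suffix is not in the set loaded into LISTED.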

List of well-known URIs

The list below describes known standards for .well-known services that a web server can implement.

| URI suffix | Description | Reference | Date of IANA registration |
|---|---|---|---|
| acme-challenge | Automated Certificate Management Environment (ACME) | [2] | 2019-03-01 |
| ai-plugin.json | Manifest for a ChatGPT plugin. | [3] | |
| apple-app-site-association | An Apple service that enables secure data exchange between iOS and a website. | [4] | |
| apple-developer-merchantid-domain-association | Apple Pay | [5] | |
| ashrae | BACnet - A Data Communication Protocol for Building Automation and Control Networks | [6] | 2016-01-22 |
| assetlinks.json | AssetLinks protocol used to identify one or more digital assets (such as web sites or mobile apps) that are related to the hosting web site in some fashion. | [7] | 2015-09-28 |
| atproto-did | Handle-to-DID resolution for AT Protocol | [8] | |
| autoconfig/mail | Mozilla Thunderbird mail autoconfiguration service | [9] | |
| browserid | Mozilla Persona | | |
| caldav | Locating Services for Calendaring Extensions to WebDAV (CalDAV) and vCard Extensions to WebDAV (CardDAV) | [10] | |
| carddav | Locating Services for Calendaring Extensions to WebDAV (CalDAV) and vCard Extensions to WebDAV (CardDAV) | | |
| change-password | Helps password managers find the URL for the change password section. | [11] | |
| coap | CoAP (Constrained Application Protocol) over TCP, TLS, and WebSockets | [12] | 2017-12-22 |
| com.apple.remotemanagement | Apple account-based user enrollment for Mobile device management | [13] [14] | |
| core | Constrained RESTful Environments (CoRE) Link Format | [15] | |
| csvm | CSV metadata, Model for Tabular Data and Metadata on the Web | [16] | 2015-09-28 |
| dat | Links domain to Dat identifier, used by Beaker web browser. | [17] [18] | |
| did.json | did:web Decentralized Identifiers (DIDs) for the Web | | |
| discord | Domain verification for Discord account connection | [19] | |
| dnt | Site-wide tracking status resource | [20] | 2015-08-19 |
| dnt-policy.txt | A privacy-friendly Do Not Track (DNT) Policy | [21] | 2015-08-19 |
| est | Enrollment over Secure Transport (EST) | [22] | 2013-08-16 |
| genid | The Resource Description Framework (RDF) Skolem IRIs | [23] | 2012-11-15 |
| gpc | Global Privacy Control (GPC) | [24] | |
| hoba | HTTP Origin-Bound Authentication (HOBA) | [25] | 2015-01-20 |
| host-meta | Web Host Metadata | [26] | |
| host-meta.json | Web Host Metadata | | |
| http-opportunistic | Opportunistic Security for HTTP/2 | [27] | 2017-03-20 |
| keybase.txt | Used by the Keybase project to identify a proof that one or more people whose public keys may be retrieved using the Keybase service have administrative control over the origin server from which it is retrieved. | [28] | 2014-04-08 |
| matrix | Provides discovery for both client and server APIs to the Matrix federated protocol. | [29] | |
| mercure | Discovery of Mercure hubs. Mercure is a protocol enabling the pushing of data updates to web browsers and other HTTP clients in a fast, reliable and battery-efficient way. | [30] | |
| mta-sts.txt | SMTP MTA Strict Transport Security Policy | [31] | 2018-06-21 |
| ni | Naming Things with Hashes | [32] | |
| nodeinfo | Metadata for federated social networking servers | [33] | |
| oauth-authorization-server | OAuth Authorization Server Metadata | [34] | 2018-03-27 |
| openid-configuration | OpenID Connect | [35] | 2013-08-27 |
| openorg | Organisation Profile Document | [36] | 2015-05-29 |
| openpgpkey | OpenPGP Web Key Service | [37] | |
| pki-validation | CA/Browser Forum’s Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates | [38] | 2017-02-06 |
| posh | PKIX over Secure HTTP (POSH) | [39] | 2015-09-20 |
| pubvendors.json | The IAB pubvendors.json tech spec, which provides a standard for publishers to publicly declare the vendors that they work with, and their respective data rights/configuration. | [40] | 2020-09-07 |
| reload-config | REsource LOcation And Discovery (RELOAD) Base Protocol | [41] | |
| repute-template | A Reputation Query Protocol | [42] | 2013-09-30 |
| resourcesync | ResourceSync Framework Specification | [43] | 2017-05-26 |
| security.txt | Standard to help organizations define the process for security researchers to disclose security vulnerabilities | [44] | 2018-08-20 |
| statements.txt | Standard for collective contract signing | [45] | |
| stun-key | Session Traversal Utilities for NAT (STUN) Extension for Third-Party Authorization | [46] | 2015-06-12 |
| tdmrep.json | Domain-wide TDM (Text and Data Mining) reservation | [47] | |
| time | Time over HTTPS specification | [48] | 2015-12-09 |
| timezone | Time Zone Data Distribution Service | [49] | 2015-08-03 |
| uma2-configuration | User-Managed Access (UMA) 2.0 grant for OAuth 2.0 authorization | [50] | 2017-06-20 |
| void | Describing Linked Datasets with the VoID Vocabulary | [51] | 2011-05-11 |
| webfinger | WebFinger | [52] | 2013-03-15, 2013-09-06 |
| xrp-ledger.toml | XRP ledger node & account information. | [53] | |

Notes and References

  1. Mark Nottingham. Well-Known Uniform Resource Identifiers (URIs). RFC 8615. IETF. May 6, 2019.
  2. Richard Barnes, Jacob Hoffman-Andrews, Daniel McCarney, James Kasten. Automatic Certificate Management Environment (ACME). RFC 8555. IETF. March 6, 2019.
  3. Getting Started - OpenAI API. platform.openai.com. 2023-03-25. Archived 2023-03-25: https://web.archive.org/web/20230325012304/https://platform.openai.com/docs/plugins/getting-started
  4. App Search Programming Guide: Support Universal Links. developer.apple.com. 2016-08-13. Archived 2016-03-31: https://web.archive.org/web/20160331174014/https://developer.apple.com/library/ios/documentation/General/Conceptual/AppSearch/UniversalLinks.html
  5. Apple Developer Documentation. developer.apple.com. 2016-08-13. Archived 2016-09-20: https://web.archive.org/web/20160920015502/https://developer.apple.com/reference/applepayjs/
  6. Proposed Addendum am to Standard 135-2012, BACnet - A Data Communication Protocol for Building Automation and Control Networks. 2018-02-07. Archived 2018-05-08: https://web.archive.org/web/20180508115302/http://www.bacnet.org/Addenda/Add-135-2012am-ppr3-draft-17_chair_approved.pdf (original link dead)
  7. Getting Started | Google Digital Asset Links. Google Developers. 2016-08-13. Archived 2016-11-05: https://web.archive.org/web/20161105104633/https://developers.google.com/digital-asset-links/v1/getting-started
  8. Handle AT Protocol. 2024-02-16. atproto.com. Archived 2024-02-16: https://web.archive.org/web/20240216222153/https://atproto.com/specs/handle#https-well-known-method
  9. Thunderbird:Autoconfiguration - MozillaWiki. 2021-07-30. Archived 2021-07-30: https://web.archive.org/web/20210730134932/https://wiki.mozilla.org/Thunderbird:Autoconfiguration
  10. Cyrus Daboo. Locating Services for Calendaring Extensions to WebDAV (CalDAV) and vCard Extensions to WebDAV (CardDAV). RFC 6764. IETF. February 6, 2013.
  11. A Well-Known URL for Changing Passwords. February 6, 2022. w3c.github.io. Archived April 21, 2022: https://web.archive.org/web/20220421024307/https://w3c.github.io/webappsec-change-password-url/
  12. Carsten Bormann, Simon Lemay, Hannes Tschofenig, Klaus Hartke, Bill Silverajan, Brian Raymor. CoAP (Constrained Application Protocol) over TCP, TLS, and WebSockets. RFC 8323. IETF. February 6, 2018.
  13. How users enroll their personal devices. support.apple.com. 2022-04-23. Archived 2024-08-15: https://web.archive.org/web/20240815112226/https://support.apple.com/guide/deployment/user-enrollment-and-mdm-dep23db2037d/1/web/1.0#dep798f25ab7
  14. Discover Authentication Servers. developer.apple.com. 2022-04-23. Archived 2024-08-15: https://web.archive.org/web/20240815112223/https://developer.apple.com/documentation/devicemanagement/discover_authentication_servers
  15. Zach Shelby. Constrained RESTful Environments (CoRE) Link Format. RFC 6690. IETF. August 6, 2012.
  16. Model for Tabular Data and Metadata on the Web. 2021-10-06. www.w3.org. 17 December 2015. Archived 2024-08-15: https://web.archive.org/web/20240815112228/https://www.w3.org/TR/tabular-data-model/Overview.html
  17. Use a domain name with dat://. 2020-08-24. beakerbrowser.com. Archived 2020-01-14: https://web.archive.org/web/20200114212600/https://beakerbrowser.com/docs/guides/use-a-domain-name-with-dat#well-knowndat
  18. DEP-0005: DNS - Dat Protocol. www.datprotocol.com.
  19. advaith (@advaith@mastodon.social). 2023-07-17. Mastodon. 2023-08-29. Archived 2024-08-15: https://web.archive.org/web/20240815112246/https://mastodon.social/@advaith/110727524300667599
  20. Tracking Preference Expression (DNT). 2021-10-06. www.w3.org. Archived 2024-08-15: https://web.archive.org/web/20240815112232/https://www.w3.org/TR/tracking-dnt/#status-resource
  21. A privacy-friendly Do Not Track (DNT) Policy. April 24, 2014. Electronic Frontier Foundation. February 7, 2018. Archived May 11, 2021: https://web.archive.org/web/20210511053858/https://www.eff.org/dnt-policy
  22. Max Pritikin, Peter E. Yee, Dan Harkins. Enrollment over Secure Transport. RFC 7030. IETF. October 6, 2013.
  23. RDF 1.1 Concepts and Abstract Syntax. 2021-10-06. www.w3.org. Archived 2024-08-15: https://web.archive.org/web/20240815112228/https://www.w3.org/TR/rdf11-concepts/Overview.html
  24. Global Privacy Control (GPC). Global Privacy Control (GPC) - Proposal 22 March 2024. 2024-06-13. Archived 2024-06-13: https://web.archive.org/web/20240613073201/https://privacycg.github.io/gpc-spec/
  25. Stephen Farrell, Paul E. Hoffman, Michael Thomas. HTTP Origin-Bound Authentication (HOBA). RFC 7486, sec. 6, "Other Parts of the HOBA Process". IETF. March 6, 2015.
  26. Blaine Cook, Eran Hammer-Lahav. Web Host Metadata. RFC 6415. IETF. October 6, 2011.
  27. Mark Nottingham, Martin Thomson. Opportunistic Security for HTTP/2. RFC 8164, sec. 2.3, "The "http-opportunistic" Well-Known URI". IETF. May 6, 2017. doi:10.17487/RFC8164.
  28. The "keybase.txt" Well-Known Resource Identifier. keybase.io. 2018-02-07. Archived 2024-08-15: https://web.archive.org/web/20240815112302/https://keybase.io/docs/keybase_well_known
  29. Client-Server API. 2020-06-17. Archived 2024-08-15: https://web.archive.org/web/20240815112227/https://spec.matrix.org/latest/client-server-api/#well-known-uri
  30. Mercure.rocks: Mercure: The Specification. mercure.rocks. 2019-11-21. Archived 2020-09-24: https://web.archive.org/web/20200924144821/https://mercure.rocks/spec#discovery
  31. Daniel Margolis, Mark Risher, Binu Ramakrishnan, Alex Brotman, Janet Jones. SMTP MTA Strict Transport Security (MTA-STS). RFC 8461, sec. 3.2, "MTA-STS Policies". IETF. September 6, 2018.
  32. Stephen Farrell, Dirk Kutscher, Christian Dannewitz, Börje Ohlman, Ari Keränen, Phillip Hallam-Baker. Naming Things with Hashes. RFC 6920. IETF. April 6, 2013. doi:10.17487/RFC6920.
  33. NodeInfo. July 19, 2021. GitHub. February 7, 2019. Archived May 18, 2019: https://web.archive.org/web/20190518023853/https://github.com/jhass/nodeinfo
  34. Michael B. Jones, Nat Sakimura, John Bradley. OAuth 2.0 Authorization Server Metadata. RFC 8414. IETF. June 28, 2018. doi:10.17487/RFC8414.
  35. Final: OpenID Connect Discovery 1.0 incorporating errata set 1. openid.net. 2021-10-06. Archived 2021-10-28: https://web.archive.org/web/20211028023533/https://openid.net/specs/openid-connect-discovery-1_0.html
  36. Organisation Profile Documents. opd.data.ac.uk.
  37. Werner Koch. OpenPGP Web Key Directory. draft-koch-openpgp-webkey-service-07. IETF.
  38. Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates. 2018-02-07. Archived 2018-09-10: https://web.archive.org/web/20180910212525/https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.3.8.pdf
  39. Matthew A. Miller, Peter Saint-Andre. PKIX over Secure HTTP (POSH). RFC 7711. IETF. November 6, 2015. doi:10.17487/RFC7711.
  40. web.
  41. Cullen Jennings, Bruce Lowekamp, Eric Rescorla, Salman Baset, Henning Schulzrinne. REsource LOcation And Discovery (RELOAD) Base Protocol. RFC 6940. IETF. January 6, 2014. doi:10.17487/RFC6940.
  42. Nathaniel S. Borenstein, Murray Kucherawy. A Reputation Query Protocol. RFC 7072. IETF. November 6, 2013. doi:10.17487/RFC7072.
  43. ANSI/NISO Z39.99-2017.
  44. security.txt. security.txt.
  45. The "statements.txt" Well-Known Resource Identifier. stated.ai.
  46. Tirumaleswar Reddy.K, Prashanth Patil, Ram R, Justin Uberti. Session Traversal Utilities for NAT (STUN) Extension for Third-Party Authorization. RFC 7635. IETF. August 6, 2015. doi:10.17487/RFC7635.
  47. TDM Reservation Protocol (TDMRep); Final Community Group Report. 2022. Text and Data Mining Reservation Protocol Community Group. 2023-06-01.
  48. 20151129 Time over HTTPS specification — PHKs Bikeshed. phk.freebsd.dk. 2018-02-07. Archived 2019-05-31: https://web.archive.org/web/20190531225846/http://phk.freebsd.dk/time/20151129/
  49. Michael Douglass, Cyrus Daboo. Time Zone Data Distribution Service. RFC 7808. IETF. March 6, 2016.
  50. E. Maler, M. Machulak, J. Richer. User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization. January 7, 2018. docs.kantarainitiative.org.
  51. Describing Linked Datasets with the VoID Vocabulary. 2021-10-06. www.w3.org. Archived 2021-10-22: https://web.archive.org/web/20211022235648/https://www.w3.org/TR/void/Overview.html
  52. Paul Jones, Gonzalo Salgueiro, Michael Jones, Joseph Smarr. WebFinger. RFC 7033. IETF. September 6, 2013.
  53. xrp-ledger.toml File | XRPL.org. xrpl.org.