Unleashing the Power of UCANs: Delegation & Invocation in Storacha’s Hot Storage
To kick off the holiday season this week, we’d like to celebrate two of the cornerstones of our object-capability-powered hot storage system: UCAN Delegation and Invocation! You may have heard that Storacha’s storage APIs are built on UCANs, and you may already know that UCANs can be used to authorize your devices and your friends to upload data to your Storacha storage Spaces. You may not know that UCANs can be used in two powerful and interwoven ways to create your own complex authorization systems, and today we’ll give you the foundations you need to do just that.
Delegation Station
Imagine you’ve rented a car on a long train ride. It’s quite expensive to rent a whole car, so you sub-lease parts of your car to a few of your friends. To keep track of how much space each of your friends has rented, you write up a simple contract for each of them and sign it. This is the core of delegation — you grant other people some or all of a set of privileges (or “capabilities”) that you have been granted.
These contracts can get complicated, especially if you don’t have a high degree of trust with all of the people renting space in the car. You’ll probably end up writing each person’s name in the contract. Each of the people renting space from you might turn around and further sub-lease their space, which will mean more contracts, more names, more signatures.
UCAN Delegations support all of this — when you sign up for a Storacha account, we give you the ability to store data on our servers and you can re-delegate that ability to other users. Our delegations are signed and keyed to a specific identity, so they can be shared openly: only the user who holds the private key for the identity a delegation is addressed to can use it.
But what does it mean to “use” a delegation? What good are these delegations anyway? A bunch of paper saying that I am entitled to space on a train car is useless if I can’t actually get on the train car and occupy the space!
That’s where invocations come in.
Destination: Invocation
When you “invoke” a UCAN capability, you ask some service to take an action appropriate to that invocation. If someone has delegated you the capability to upload a file to their space on Storacha, invoking that capability means uploading the file. In your rented train car, someone can “invoke” the capability you granted them by coming into the car and claiming their space.
Invocation might mean something different to different service providers — when you delegate space on your car to your friends, you might also let them claim a souvenir afterwards by “invoking” their capability at the gift shop (though the employees at the gift shop may not be familiar with UCANs!). Where delegating a capability is primarily a theoretical exercise, invoking a capability usually gets something done.
The Storacha API is built around UCAN invocation — every “request” to our API is actually a UCAN invocation, which means you can create arbitrarily complicated delegation chains allowing your friends and users to store data in your Storacha spaces. We’re excited to show you more concrete examples of how this can work in the coming months — subscribe to this blog to make sure you don’t miss them!
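The delegation chain and the service-side check of an invocation described above, as an added example that is not Storacha's code and not the UCAN wire format. It is a simplified model under these assumptions: tokens are JSON signed with Ed25519 through Node's built-in crypto module, identities are base64 public keys standing in for DIDs, the space's own key is the root of authority, expiry and revocation are left out, and all function names, capability names and identities are constructed for illustration.

```javascript
// Simplified model of UCAN delegation and invocation (added example, not the UCAN wire format).
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');
// An identity is an Ed25519 key pair; its id is the base64 public key (stand-in for a DID).
function newIdentity() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  return { id: publicKey.export({ type: 'spki', format: 'der' }).toString('base64'), privateKey };
}

// Sign a token. Fields: aud (who may use it), can + with (the capability); iss is the signer.
function issue(issuer, fields) {
  const payload = JSON.stringify({ ...fields, iss: issuer.id });
  return { payload, sig: sign(null, Buffer.from(payload), issuer.privateKey).toString('base64') };
}

// Return the token's fields if the signature matches the key named in iss, else null.
function verified(token) {
  try {
    const fields = JSON.parse(token.payload);
    const key = createPublicKey({ key: Buffer.from(fields.iss, 'base64'), format: 'der', type: 'spki' });
    return verify(null, Buffer.from(token.payload), key, Buffer.from(token.sig, 'base64')) ? fields : null;
  } catch { return null; } // malformed token or key
}

// A grant covers a request on the same resource for the same ability or one under "prefix/*".
const covers = (grant, req) => grant.with === req.with &&
  (grant.can === req.can || (grant.can.endsWith('/*') && req.can.startsWith(grant.can.slice(0, -1))));

// Service-side check. proofs are ordered from the space's own delegation to the invoker's.
function authorize(invocation, proofs) {
  const inv = verified(invocation);
  if (!inv) return 'bad invocation signature';
  let holder = inv.with, grant = null; // the space key is the root of authority
  for (const proof of proofs) {
    const d = verified(proof);
    if (!d) return 'bad delegation signature';
    if (d.iss !== holder) return 'delegation not issued by current holder';
    if (grant && !covers(grant, d)) return 'delegation exceeds what its issuer held';
    holder = d.aud; grant = d;
  }
  if (inv.iss !== holder) return 'invoker is not the audience of the delegation';
  if (grant && !covers(grant, inv)) return 'invocation exceeds delegated capability';
  return 'ok';
}

// Constructed demo: space -> alice (upload/*) -> bob (upload/add); mallory only copied the proofs.
const [space, alice, bob, mallory] = Array.from({ length: 4 }, newIdentity);
const chain = [issue(space, { aud: alice.id, can: 'upload/*', with: space.id }),
  issue(alice, { aud: bob.id, can: 'upload/add', with: space.id })];
console.log([bob, mallory].map((who) => authorize(issue(who, { can: 'upload/add', with: space.id }), chain)));
```

In the demo, Bob's invocation is accepted and Mallory's is rejected even though she holds copies of both delegations, because she cannot sign as the audience they name.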