Before you start
- Confirm your target network and endpoint set in
/reference/networks-and-endpoints. - Confirm authentication requirements for each surface in
/reference/authentication-matrix. - Confirm controller authority for the domain DID.
What this guide does
You separate privacy responsibilities across protocol metadata and service storage, then verify that sensitive values are not exposed in public document fields.Privacy model boundary
- Protocol layer: public DID document structure and authorized metadata updates.
- Service layer: encrypted payload storage and controlled retrieval patterns.
Typical workflow
- Register key material and controller relationships at protocol layer.
- Encrypt sensitive settings before writing to service storage.
- Publish only references or proofs in public protocol metadata when required.
- Enforce recipient authorization on read.
Verify the result
Expected result:- domain metadata updates succeed with authorized signatures;
- sensitive values remain encrypted in service storage;
- unauthorized reads fail.
Next steps
- Domain settings:
/guides/dev/domain-settings - API authentication:
/api-reference/authentication - Product and SDK map:
/reference/product-and-sdk-map