Architecture
The Pilots Dataspace connector is built on Eclipse Dataspace Components (EDC) using the Decentralized Claims Protocol (DCP) for identity. Each connector is a self-contained stack of services.
Components
```
┌──────────────────────────────────────────────────────────────┐
│ Connector Stack (one per organization)                       │
│                                                              │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Control Plane (ports 19192–19194)                        │ │
│ │ - Management API (19193): your commands                  │ │
│ │ - DSP Protocol (19194): machine-to-machine               │ │
│ │ - Stores: assets, policies, contracts, transfer state    │ │
│ └──────────────────────────────────────────────────────────┘ │
│                                                              │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Data Plane (ports 38181–38185)                           │ │
│ │ - Control API (38182): receives instructions from CP     │ │
│ │ - Public API (38185): consumer fetches data here         │ │
│ │ - Pull: serves data with EDR token auth                  │ │
│ │ - Push: fetches from source, POSTs to destination        │ │
│ └──────────────────────────────────────────────────────────┘ │
│                                                              │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Identity Hub (ports 7090–7096)                           │ │
│ │ - DID management (7093): serves participant DID doc      │ │
│ │ - Credentials API (7091): VC presentation                │ │
│ │ - STS (7096): issues SI tokens for DSP auth              │ │
│ │ - Wallet: stores Verifiable Credentials                  │ │
│ └──────────────────────────────────────────────────────────┘ │
│                                                              │
│ ┌───────────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐     │
│ │ DID Server    │ │ Vault    │ │ Postgres │ │Dashboard │     │
│ │ nginx (9876)  │ │ (8200)   │ │ (15432)  │ │ (3000)   │     │
│ │ Issuer DID    │ │ Secrets  │ │ State    │ │ Web UI   │     │
│ └───────────────┘ └──────────┘ └──────────┘ └──────────┘     │
└──────────────────────────────────────────────────────────────┘
```
How the Components Interact
Control Plane
The brain of the connector. It handles:
- Management API (port 19193) — your interface for creating assets, policies, starting negotiations and transfers
- DSP Protocol (port 19194) — machine-to-machine communication with other connectors for catalog exchange, contract negotiation, and transfer coordination
- Contract enforcement — validates that every data transfer has a valid agreement
Data Plane
The data mover. It handles:
- Pull transfers — serves data through a public API (port 38185) that consumers access with an EDR (Endpoint Data Reference) token
- Push transfers — fetches data from the source and POSTs it to the consumer’s specified endpoint
- Token signing — signs and verifies EDR tokens using the keys in config/certs/
Identity Hub
The identity wallet. It handles:
- DID management — publishes the connector’s did:web DID document
- Credential storage — stores Verifiable Credentials (like MembershipCredential)
- Credential presentation — responds to credential requests from other connectors during DCP authentication
- STS (Secure Token Service) — issues Self-Issued (SI) tokens that the Control Plane uses for authenticated DSP requests
Supporting Services
| Service | Role |
|---|---|
| DID Server (nginx) | Serves the issuer DID document at port 9876. It carries the public key other connectors use to verify your Verifiable Credentials. |
| Vault (HashiCorp) | Stores secrets: Ed25519 private keys, STS client secrets. Runs in dev mode with the root token root-token. |
| PostgreSQL | Persistent storage for all runtimes. Tables are auto-created on startup. |
| Dashboard | Web UI for managing assets, policies, catalogs, negotiations, transfers, and trusted issuers. |
Two DIDs Per Connector
Each connector has two separate identities:
| DID | Key Type | Served By | Purpose |
|---|---|---|---|
| did:web:<host>%3A7093 | Ed25519 | Identity Hub | Participant identity — used for DSP protocol authentication |
| did:web:<host>%3A9876 | EC P-256 | nginx DID server | Issuer identity — used to sign Verifiable Credentials |
The participant DID identifies the connector in protocol interactions. Its key pair is auto-generated by the Identity Hub.
The issuer DID signs Membership Credentials. Its key pair is generated by generate-keys.sh. In standalone mode, each connector is its own issuer.
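How those two did:web identifiers become the URL of the DID document, as an added Go example that is not part of the connector's code: the %3A in the table is a percent-encoded port and is decoded only in the host segment, any further colon-separated segments become a path, and a bare host resolves to /.well-known/did.json. The function also rejects segments that would steer resolution to another host or path, since the DID is attacker-supplied input at the verifying side. The first two DIDs in main are the page's two port variants on localhost; the path-form DID is constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// DIDWebURL maps a did:web identifier to the HTTPS URL its DID document is
// fetched from, following the did:web method: the first segment is the host
// (a percent-encoded ":" carries the port, hence %3A7093 and %3A9876 in the
// table), further ":"-separated segments become path components, and a bare
// host resolves to /.well-known/did.json.
func DIDWebURL(did string) (string, error) {
	const prefix = "did:web:"
	if !strings.HasPrefix(did, prefix) {
		return "", fmt.Errorf("not a did:web identifier: %q", did)
	}
	parts := strings.Split(strings.TrimPrefix(did, prefix), ":")
	host, err := url.PathUnescape(parts[0]) // "localhost%3A7093" -> "localhost:7093"
	if err != nil || host == "" || strings.ContainsAny(host, "/?#") {
		// a decoded "/" here would let the DID point at a path on another host
		return "", fmt.Errorf("bad host in %q", did)
	}
	for _, p := range parts[1:] {
		if p == "" || p == "." || p == ".." || strings.ContainsAny(p, "/?#") {
			return "", fmt.Errorf("bad path segment in %q", did)
		}
	}
	if len(parts) == 1 {
		return "https://" + host + "/.well-known/did.json", nil
	}
	return "https://" + host + "/" + strings.Join(parts[1:], "/") + "/did.json", nil
}

func main() {
	// The first two are this page's participant and issuer DIDs on localhost;
	// the third is a constructed path-form DID.
	for _, did := range []string{"did:web:localhost%3A7093", "did:web:localhost%3A9876", "did:web:example.com:issuers:pilot"} {
		u, err := DIDWebURL(did)
		fmt.Println(did, "->", u, err)
	}
}
```

Resolving is only half of the check: after fetching, the verifier must also confirm that the document's id equals the DID it asked for, otherwise a server can answer for an identity it does not control.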
Three Sets of Keys
| Key Pair | Type | Location | Signs |
|---|---|---|---|
| Participant key | Ed25519 | Vault (auto-generated by Identity Hub) | SI tokens for DSP authentication |
| Issuer key | EC P-256 | deployment/assets/ | MembershipCredentials (Verifiable Credentials) |
| Data Plane token key | Configurable | config/certs/ | EDR tokens for pull data transfers |
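What the participant Ed25519 key in the table above is used for, as an added Go example that is not the Identity Hub's or Control Plane's code: SignSIToken stands in for the STS issuing a Self-Issued token with that key, and VerifySIToken is what a receiving connector does after resolving the presenter's DID document from port 7093: check the document belongs to the expected DID, pin the algorithm, take the public key only from the DID document (never from the token), verify the signature, then check iss, sub, aud and exp. The DIDs, key pair, kid and claims are constructed; the DID document shape (a JsonWebKey2020 verification method with a publicKeyJwk) is the conventional one, and the exact document the Identity Hub serves is not shown on this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// DID document model, only what the verifier needs (encoding/json matches the
// lowercase keys id/verificationMethod/publicKeyJwk/kty/crv/x case-insensitively).
type JWK struct{ Kty, Crv, X string }
type VerificationMethod struct {
	ID           string
	PublicKeyJwk JWK
}
type DIDDocument struct {
	ID                 string
	VerificationMethod []VerificationMethod
}

// Self-Issued token claims: iss and sub are both the presenting participant's DID.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// SignSIToken issues a compact JWS (EdDSA) over the claims, standing in for the STS;
// "kid" names the verification method in the signer's DID document.
func SignSIToken(priv ed25519.PrivateKey, kid string, c Claims) string {
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	payload, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// VerifySIToken checks a token against the DID document resolved for expectedDID,
// accepting it only if the document, key, signature and claims all line up.
func VerifySIToken(token string, doc DIDDocument, expectedDID, expectedAud string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if doc.ID != expectedDID || len(parts) != 3 {
		return c, errors.New("DID document id does not match expectedDID, or token is not a compact JWS")
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	// Pin the algorithm: the token must never get to choose a weaker one.
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return c, errors.New("bad JWS header or alg other than EdDSA")
	}
	var pub ed25519.PublicKey // taken from the DID document, never from the token
	for _, vm := range doc.VerificationMethod {
		raw, err := b64.DecodeString(vm.PublicKeyJwk.X)
		if vm.ID == hdr.Kid && vm.PublicKeyJwk.Kty == "OKP" && vm.PublicKeyJwk.Crv == "Ed25519" && err == nil && len(raw) == ed25519.PublicKeySize {
			pub = ed25519.PublicKey(raw)
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, fmt.Errorf("no usable Ed25519 key %q in DID document, or signature invalid", hdr.Kid)
	}
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return c, errors.New("bad JWS payload")
	}
	switch {
	case c.Iss != expectedDID || c.Sub != expectedDID:
		return c, errors.New("iss/sub do not name the presenting participant")
	case c.Aud != expectedAud:
		return c, errors.New("token is not addressed to this connector")
	case now.Unix() >= c.Exp:
		return c, errors.New("token expired")
	}
	return c, nil
}

// SampleDIDDocument builds a constructed document publishing pub under kid.
func SampleDIDDocument(did, kid string, pub ed25519.PublicKey) DIDDocument {
	return DIDDocument{ID: did, VerificationMethod: []VerificationMethod{{
		ID: kid, PublicKeyJwk: JWK{Kty: "OKP", Crv: "Ed25519", X: b64.EncodeToString(pub)},
	}}}
}

func main() {
	const consumer, provider = "did:web:consumer.example%3A7093", "did:web:provider.example%3A7093" // constructed
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	kid := consumer + "#key-1"
	token := SignSIToken(priv, kid, Claims{Iss: consumer, Sub: consumer, Aud: provider, Exp: time.Now().Add(5 * time.Minute).Unix()})
	_, err := VerifySIToken(token, SampleDIDDocument(consumer, kid, pub), consumer, provider, time.Now())
	fmt.Println("token accepted:", err == nil)
}
```

The order of checks matters less than the sources of truth: the expected DID comes from the protocol message being authenticated, the audience is this connector's own DID, and the key is whatever the resolved DID document publishes under the token's kid. A token whose kid points at a key that is not in the document, or that was signed with a key the participant never published, fails before any claim is trusted.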
Port Reference
| Port | Service | Description |
|---|---|---|
| 3000 | Dashboard | Web UI |
| 7090 | IdentityHub | Health check |
| 7091 | IdentityHub — Credentials API | VP/VC presentation |
| 7092 | IdentityHub — Identity API | Participant management |
| 7093 | IdentityHub — DID API | Participant DID document |
| 7096 | IdentityHub — STS | Token issuance |
| 8200 | Vault | Secret management |
| 9876 | DID Server (nginx) | Issuer DID document |
| 15432 | PostgreSQL | Database |
| 18181 | Control Plane | Health check |
| 19192 | Control Plane — Control API | Internal (DP registration) |
| 19193 | Control Plane — Management API | Your REST API |
| 19194 | Control Plane — DSP | Protocol endpoint |
| 38181 | Data Plane | Health check |
| 38182 | Data Plane — Control API | Internal (from CP) |
| 38185 | Data Plane — Public API | Consumer data fetch |
Custom Extensions
The project includes several custom EDC extensions:
| Extension | What it does |
|---|---|
| dataplane-public-endpoint | Public endpoint generator, EDR token proxy, and PEM key loading for the Data Plane |
| dcp-patch | Registers DCP infrastructure: JWS 2020 signature suite, trusted issuer registry, default scope mapping |
| superuser-seed | Seeds a super-user admin participant into IdentityHub at startup |
| did-example-resolver | Seeds a hardcoded key pair into the vault for DCP token signing (dev convenience) |
| trusted-issuer-registry | Dynamic trusted issuer management via REST API and dashboard |