UCANman is a powerful VS Code extension that helps developers debug and inspect UCAN (User Controlled Authorization Network) tokens. With an intuitive, Postman-inspired interface, UCANman makes it easy to decode, analyze, and understand UCAN authentication flows directly inside your development environment.
- ✅ JWT-encoded UCANs - Decode and inspect JWT-formatted UCAN tokens
- ✅ CAR File Support - Upload and decode `.car` files containing UCAN tokens
- ✅ Request Payload Parsing - Extract UCANs from HTTP request payloads
- ✅ Invocation Detection - Identify and display invocation structures
- ✅ Multiple Format Support - CAR, CBOR, JSON, base64, base64url, hex encoding
- ✅ Proof Chain Resolution - Automatically resolve and display proof chains
- ✅ CID Decoding - Decode and display Content Identifiers (CIDs)
- ✅ Authorization Headers - Extract UCANs from HTTP headers
- Open VS Code
- Go to Extensions (`Ctrl+Shift+X` or `Cmd+Shift+X`)
- Search for "UCANman"
- Click Install
- Open the Command Palette (`Ctrl+Shift+P` or `Cmd+Shift+P`)
- Type "UCAN Inspector" and press Enter
- The UCANman panel will open
UCANman V1 provides two powerful input methods to analyze UCAN tokens:
Best for: Analyzing UCAN tokens stored in CAR (Content Addressable aRchive) files
How to use:
- Click on the 📦 CAR File tab
- Click the upload area or drag & drop your `.car` file
- Click 🔍 Decode CAR File
- View the extracted UCANs with all their details
Supported:
- Standard `.car` files containing UCAN tokens
- Multiple UCANs within a single CAR file
- CID resolution and proof chain extraction
Best for: Debugging live API requests and network traffic
How to use:
- Click on the 📄 Request Payload tab
- Copy request data from your browser's DevTools:
  - Open DevTools (`F12` or `Cmd+Option+I`)
  - Go to the Network tab
  - Find your UCAN-related API request
  - Click on it and navigate to Payload or Request tab
  - Click "View source" or "Raw" to see the raw data
  - Copy the entire payload
- Paste the data into the text area
- Click 🔍 Decode Payload
- View extracted UCANs and invocations
Supported Formats:
- Base64-encoded CAR files - Direct CAR file data in base64
- Base64/Base64url-encoded CBOR - Compact binary format
- Hex-encoded CBOR - Hexadecimal representation
- JSON Payloads - Raw JSON containing UCAN structures
- Invocation Data - UCAN invocation requests with task details
Example Use Cases:
- Debugging web3.storage API calls
- Analyzing UCAN delegations in IPFS workflows
- Inspecting authorization tokens in decentralized apps
- Validating UCAN chains in service-to-service communication
When you decode a UCAN token, UCANman displays the following information in an organized, collapsible format:
- Format Type - Indicates the detected format (CAR, CBOR, JSON)
- Invocation Status - Shows if invocation data is present
Each UCAN token is displayed with these key fields:
| Field | Description |
|---|---|
| Issuer (iss) | DID of the entity that created the UCAN token |
| Audience (aud) | DID of the entity authorized to use the token |
| Capabilities (att) | List of authorized actions and resources |
| Expiration (exp) | Unix timestamp when the token expires |
| Not Before (nbf) | Unix timestamp when the token becomes valid |
| Proofs (prf) | Chain of parent UCANs proving authorization |
| Facts (fct) | Additional contextual data |
| Nonce (nnc) | Unique identifier to prevent replay attacks |
When present, invocations show:
- Task Name - The action being requested (e.g., `store/add`, `upload/list`)
- Capabilities - Specific permissions being used
- Parameters - Task-specific data (links, sizes, etc.)
- Associated UCAN - The authorization token for the invocation
1. Download a .car file from your IPFS/web3.storage workflow
2. Open UCANman via Command Palette
3. Switch to "📦 CAR File" tab
4. Upload the file
5. Click "Decode CAR File"
6. Expand individual UCAN cards to inspect details
1. Open your web application
2. Open Browser DevTools (F12)
3. Navigate to Network tab
4. Perform an action that uses UCAN authorization
5. Find the relevant request in the network log
6. Copy the request payload
7. Open UCANman and switch to "📄 Request Payload" tab
8. Paste the payload and click "Decode Payload"
9. Analyze the extracted UCANs and invocations
1. Decode a UCAN token using either method
2. Look for the "prf" (proofs) field
3. Each proof is a parent UCAN in the authorization chain
4. Verify the capabilities flow from parent to child
5. Check expiration times across the chain
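
The manual chain check in the steps above can be scripted once the payloads are decoded. The following is an added example, not UCANman's own code: it assumes each `prf` entry has already been resolved to its parent payload object, uses a simplified attenuation rule (same `with` resource, ability equal or covered by a `*` or `namespace/*` wildcard), and does not verify signatures. The function names and sample DIDs are hypothetical.

```javascript
// Added example: structural proof-chain check over already-decoded UCAN payloads.
// Assumes each entry of `prf` has been resolved to its parent payload object
// (iss, aud, att, exp, nbf). Signatures are NOT verified here.

// True when the parent's ability covers the child's: exact, "*", or "ns/*".
function abilityCovers(parentCan, childCan) {
  if (parentCan === "*" || parentCan === childCan) return true;
  return parentCan.endsWith("/*") && childCan.startsWith(parentCan.slice(0, -1));
}

// Simplified attenuation rule (assumption): same resource, covered ability.
function capabilityCovered(cap, parentAtt) {
  return parentAtt.some((p) => p.with === cap.with && abilityCovers(p.can, cap.can));
}

// Walks the chain depth-first and returns a list of human-readable findings.
function checkChain(ucan, now, path = "root") {
  const findings = [];
  if (ucan.exp != null && ucan.exp <= now) findings.push(`${path}: expired`);
  if (ucan.nbf != null && ucan.nbf > now) findings.push(`${path}: not yet valid`);
  (ucan.prf || []).forEach((parent, i) => {
    const p = `${path}.prf[${i}]`;
    if (parent.aud !== ucan.iss) findings.push(`${p}: aud does not match child iss`);
    if (parent.exp != null && (ucan.exp == null || ucan.exp > parent.exp))
      findings.push(`${p}: child outlives proof`);
    findings.push(...checkChain(parent, now, p));
  });
  // A UCAN without proofs is the root of authority; nothing to compare against.
  if ((ucan.prf || []).length > 0) {
    for (const cap of ucan.att || []) {
      if (!ucan.prf.some((parent) => capabilityCovered(cap, parent.att || [])))
        findings.push(`${path}: ${cap.can} on ${cap.with} not granted by any proof`);
    }
  }
  return findings;
}

// Constructed sample chain (DIDs are placeholders, not real keys).
const root = { iss: "did:example:alice", aud: "did:example:bob",
  att: [{ with: "did:example:alice", can: "store/*" }], exp: 2000, prf: [] };
const good = { iss: "did:example:bob", aud: "did:example:svc",
  att: [{ with: "did:example:alice", can: "store/add" }], exp: 1900, prf: [root] };
const bad = { iss: "did:example:bob", aud: "did:example:svc",
  att: [{ with: "did:example:alice", can: "upload/list" }], exp: 2500, prf: [root] };
```

Calling `checkChain(bad, 1000)` reports both the escalated capability and the child expiry that outlives its proof; an empty result means only that the structure is consistent, not that the tokens are authentic.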
- UCAN Signature Verification - Cryptographically verify issuer signatures
- Proof Chain Visualization - Interactive graph showing authorization flow
- UCAN Authorization Validation - Automatic policy and capability checking
- Export Capabilities - Save decoded UCANs as JSON
- Advanced DAG-CBOR Support - Enhanced support for complex CBOR structures
- Multi-file Analysis - Compare and analyze multiple UCANs side-by-side
- Base64 (standard)
- Base64url (URL-safe)
- Hexadecimal
- CBOR (Concise Binary Object Representation)
- JWT (JSON Web Token)
- CAR (Content Addressable aRchive)
- JSON
- CBOR
- DAG-CBOR
- Multibase
- CID (Content Identifier)
- UCAN Specification: https://github.com/ucan-wg/spec
- Architecture Documentation: See docs/ARCHITECTURE_DIAGRAM.md
Contributions are welcome! Please feel free to submit issues, pull requests and feature requests.
UCANman is built with support from the decentralized web community and leverages open-source libraries for CBOR, CID, and CAR file processing.
Made with ❤️ for the decentralized web