# zone.stratos.actor.enrollment > Published by [lexicon.northsky.app](https://lexicon.garden/identity/did:plc:6uxgo3ypovauub7nblwylqyv) ✓ This is the authoritative definition for this NSID. ## Links - [View on Lexicon Garden](https://lexicon.garden/lexicon/did:plc:6uxgo3ypovauub7nblwylqyv/zone.stratos.actor.enrollment) - [Documentation](https://lexicon.garden/lexicon/did:plc:6uxgo3ypovauub7nblwylqyv/zone.stratos.actor.enrollment/docs) - [Examples](https://lexicon.garden/lexicon/did:plc:6uxgo3ypovauub7nblwylqyv/zone.stratos.actor.enrollment/examples) ## Definitions ### `zone.stratos.actor.enrollment` **Type**: `record` A record indicating the user is enrolled in a Stratos service. Published to the user's PDS during OAuth enrollment for endpoint discovery by AppViews. Multiple enrollment records are supported — one per Stratos service. **Key**: `any` | Property | Type | Required | Description | |----------|------|----------|-------------| | `service` | `string` (uri) | Yes | The Stratos service endpoint URL where this user's private data is stored. | | `createdAt` | `string` (datetime) | Yes | Timestamp when the enrollment was created. | | `boundaries` | `array` | No | Service-qualified boundaries the user has access to on this Stratos service, each in '{serviceDid}/{domainName}' format. | | `signingKey` | `string` | Yes | The user's P-256 public key as a did:key string, generated by the Stratos service for user-level record signing. | | `attestation` | `ref` → `#serviceAttestation` | Yes | Service attestation vouching for the user's enrollment, boundaries, and signing key. | ### `zone.stratos.actor.enrollment#serviceAttestation` **Type**: `object` An attestation signed by the Stratos service key. The signed payload is DAG-CBOR encoded {boundaries, did, signingKey} with sorted keys. | Property | Type | Required | Description | |----------|------|----------|-------------| | `sig` | `bytes` | Yes | Raw signature bytes of the DAG-CBOR encoded attestation payload, signed by the service key. | | `signingKey` | `string` | Yes | The Stratos service's public key as a did:key string, used to verify the attestation signature. | ## Raw Schema ```json { "id": "zone.stratos.actor.enrollment", "defs": { "main": { "key": "any", "type": "record", "record": { "type": "object", "required": [ "service", "signingKey", "attestation", "createdAt" ], "properties": { "service": { "type": "string", "format": "uri", "description": "The Stratos service endpoint URL where this user's private data is stored." }, "createdAt": { "type": "string", "format": "datetime", "description": "Timestamp when the enrollment was created." }, "boundaries": { "type": "array", "items": { "ref": "zone.stratos.boundary.defs#Domain", "type": "ref" }, "maxLength": 50, "description": "Service-qualified boundaries the user has access to on this Stratos service, each in '{serviceDid}/{domainName}' format." }, "signingKey": { "type": "string", "description": "The user's P-256 public key as a did:key string, generated by the Stratos service for user-level record signing." }, "attestation": { "ref": "#serviceAttestation", "type": "ref", "description": "Service attestation vouching for the user's enrollment, boundaries, and signing key." } } }, "description": "A record indicating the user is enrolled in a Stratos service. Published to the user's PDS during OAuth enrollment for endpoint discovery by AppViews. Multiple enrollment records are supported — one per Stratos service." }, "serviceAttestation": { "type": "object", "required": [ "sig", "signingKey" ], "properties": { "sig": { "type": "bytes", "description": "Raw signature bytes of the DAG-CBOR encoded attestation payload, signed by the service key." }, "signingKey": { "type": "string", "description": "The Stratos service's public key as a did:key string, used to verify the attestation signature." } }, "description": "An attestation signed by the Stratos service key. The signed payload is DAG-CBOR encoded {boundaries, did, signingKey} with sorted keys." } }, "$type": "com.atproto.lexicon.schema", "lexicon": 1 } ```