Public key infrastructure and trust directory for the BIND Standard — the open data model for insurance interoperability.
Live: bindpki.org
The BIND Directory is a git-based registry of insurance participants — brokers, carriers, MGAs, TPAs, reinsurers, and vendors — and their public keys. It serves as the trust anchor for the BIND ecosystem: when a participant signs a BIND Bundle, anyone can verify the signature against the directory's published JWKS.
Each participant maintains a folder under participants/ containing their manifest (organization metadata, regulatory credentials) and public keys. Git is the review and governance workflow — no database, no central authority.
```
participants/
└── your-org/
    ├── manifest.json   # Organization metadata and regulatory credentials
    ├── jwks.json       # Public keys in JWKS format
    ├── logo.png        # Organization logo (PNG)
    └── logo.svg        # Organization logo (SVG)
```
The fastest way to join is the scaffold script:
```bash
pnpm run join-directory
```

This generates your participant folder with a key pair, pre-filled manifest, and prompts for regulatory credentials. See the full How to Join guide for details.
Before your PR is merged, email directory@bind-standard.org with your organization slug and regulatory credentials (license numbers, registry links). The BIND Standard Team verifies your organization's legitimacy — broker licenses, insurer registrations, bar admissions, etc.
Each participant's manifest.json contains organization metadata and an embedded BIND Organization resource:
```json
{
  "schemaVersion": "1.0",
  "slug": "your-org",
  "displayName": "Your Org",
  "description": "A brief description of your organization.",
  "joinedAt": "2026-02-16",
  "status": "pending",
  "organization": {
    "resourceType": "Organization",
    "name": "Your Organization Inc.",
    "status": "active",
    "type": {
      "coding": [{ "system": "https://bind.codes/OrganizationType", "code": "broker", "display": "Broker" }]
    },
    "address": [{ "use": "work", "city": "Montréal", "state": "QC", "country": "CA" }],
    "credentials": [
      {
        "type": "broker-license",
        "authority": "Autorité des marchés financiers",
        "identifier": "LIC-123456",
        "registryUrl": "https://lautorite.qc.ca/en/general-public/registers",
        "jurisdiction": "QC"
      }
    ]
  }
}
```

| Code | Description |
|---|---|
| `insurer` | Insurance carrier |
| `broker` | Insurance broker |
| `mga` | Managing General Agent |
| `tpa` | Third-Party Administrator |
| `reinsurer` | Reinsurance company |
| `expert` | Claims adjuster, appraiser, or expert |
| `counsel` | Legal counsel |
| `tech-provider` | Insurance technology provider |
| `industry-body` | Industry association or standards body |
Public keys are published in standard JWKS format. EC (P-256), RSA, and OKP key types are supported. The kid is an RFC 7638 JWK Thumbprint (SHA-256, base64url).
Keys support optional temporal fields (Unix timestamps) for lifecycle management:
| Field | Description |
|---|---|
| `iat` | Issued At — when the key was created |
| `nbf` | Not Before — key is not valid before this time |
| `exp` | Expires — key is not valid after this time |
The validation pipeline warns on expired keys and not-yet-valid keys but does not reject them, since old keys may linger during rotation.
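The `kid` rule and the lifecycle warnings described above can be checked as follows. This is an added example, not the project's own validation code; it computes the RFC 7638 thumbprint for the three supported key types and separates errors from warnings. The function names, the list of private members, and treating a `kid` mismatch as an error are assumptions made for illustration.

```typescript
import { createHash, generateKeyPairSync } from "node:crypto";

type Jwk = Record<string, unknown>;
type Report = { errors: string[]; warnings: string[] };

// RFC 7638 section 3.2 (RFC 8037 for OKP): required members, in lexicographic order.
const REQUIRED: Record<string, string[]> = {
  EC: ["crv", "kty", "x", "y"],
  OKP: ["crv", "kty", "x"],
  RSA: ["e", "kty", "n"],
};
// Assumed deny-list: members that only appear in private or symmetric JWKs.
const PRIVATE = ["d", "p", "q", "dp", "dq", "qi", "oth", "k"];

// SHA-256 over the canonical JSON of the required members, base64url without padding.
function jwkThumbprint(jwk: Jwk): string {
  const members = REQUIRED[String(jwk.kty)];
  if (!members) throw new Error(`unsupported kty: ${String(jwk.kty)}`);
  const canonical: Record<string, string> = {};
  for (const m of members) {
    const v = jwk[m];
    if (typeof v !== "string") throw new Error(`missing member: ${m}`);
    canonical[m] = v;
  }
  // JSON.stringify keeps insertion order and emits no whitespace.
  return createHash("sha256").update(JSON.stringify(canonical)).digest("base64url");
}

// Private key material and a wrong kid are errors; nbf/exp findings only warn.
function checkKey(jwk: Jwk, now: number): Report {
  const report: Report = { errors: [], warnings: [] };
  const leaked = PRIVATE.filter((m) => m in jwk);
  if (leaked.length > 0) report.errors.push(`private key material: ${leaked.join(",")}`);
  try {
    if (jwk.kid !== jwkThumbprint(jwk)) report.errors.push("kid is not the RFC 7638 thumbprint");
  } catch (e) {
    report.errors.push((e as Error).message);
  }
  if (typeof jwk.nbf === "number" && now < jwk.nbf) report.warnings.push("not yet valid");
  if (typeof jwk.exp === "number" && now > jwk.exp) report.warnings.push("expired");
  return report;
}

// Constructed sample: a freshly generated P-256 key shaped like a directory entry.
function sampleKey(now: number): Jwk {
  const pub = generateKeyPairSync("ec", { namedCurve: "P-256" }).publicKey.export({ format: "jwk" }) as Jwk;
  return { ...pub, kid: jwkThumbprint(pub), use: "sig", iat: now - 7200, exp: now - 3600 };
}
```

Because the thumbprint covers only the required members, adding `use`, `alg`, or the temporal fields to a key never changes its `kid`.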
Once merged, keys are served at bindpki.org/<slug>/.well-known/jwks.json.
Rotate, retire, or remove keys interactively:
```bash
pnpm run manage-keys
```

The script supports listing keys with status, generating a new key while setting a grace period on old keys, retiring individual keys, and removing expired keys. See the How to Join guide for the full workflow.
The directory is accessible as a JSON API at bindpki.org/api/v1/. All URLs in the responses are absolute.
| Endpoint | Description |
|---|---|
| `GET /api/v1/participants/index.json` | Lightweight listing of all active participants (slug, name, type, ISS, URLs) |
| `GET /api/v1/participants/{slug}.json` | Full participant detail (manifest, JWKS, absolute logo/profile URLs) |
| `GET /{slug}/.well-known/jwks.json` | JWKS for a specific participant |
| `GET /logos/{slug}.png` | Participant logo (PNG) |
| `GET /logos/{slug}.svg` | Participant logo (SVG) |
```bash
# List all participants
curl https://bindpki.org/api/v1/participants/index.json

# Get a specific participant
curl https://bindpki.org/api/v1/participants/egr.json

# Fetch a participant's JWKS
curl https://bindpki.org/egr/.well-known/jwks.json
```

The API is statically generated at build time from the participants/ directory — no runtime dependencies.
The directory includes a comprehensive validation pipeline that checks structure, manifests, JWKS (including rejection of private key material), and logos:
```bash
pnpm run validate
```

- VitePress for the directory site
- Cloudflare Workers for hosting and JWKS serving
- Biome for linting and formatting
- TypeScript validation scripts for CI enforcement
```bash
pnpm install
pnpm run validate    # run all validation checks
pnpm run dev         # local dev server for the directory site
pnpm run build       # production build
pnpm run typecheck   # TypeScript type checking
pnpm run check       # Biome lint + format check
```

We welcome contributions from everyone. See CONTRIBUTING.md for details, or open a pull request directly.
For questions or ideas, reach out at contact@bind-standard.org.
The BIND Directory is released under the CC0 1.0 Universal license — dedicated to the public domain. You are free to use, modify, and build upon it without restriction.