Look Beyond REST APIs with Secure and Private DIDComm Channels
REST APIs have been the backbone of web services for decades. As our digital landscape evolves with increasing privacy concerns, DIDComm Messaging Protocol emerges as a more secure, privacy-first alternative.
REST APIs have been the backbone of building web services for decades, powering everything from social media to e-commerce platforms. However, as our digital landscape evolves with increasing privacy concerns and cyber threats, REST APIs are showing their limitations. As we head towards decentralisation, with the Decentralised Identifier (DID) as one of the key building blocks being adopted into different open standards, a new communication paradigm is emerging — the DIDComm Messaging Protocol.
In this blog, we will explore the DIDComm Messaging Protocol, how it differs from REST APIs, and how we can leverage DIDComm as a more secure, privacy-first alternative for modern digital interactions.
What Is a REST API?
A REST API, or Representational State Transfer Application Programming Interface, is a widely used architecture for designing web applications and backend services that enable multiple systems to exchange data securely online. REST APIs use HTTP/S to send and receive data, usually in JSON format, and communicate through different endpoints published by the API server, for example:
- `POST /api/v1/authenticate` to authenticate to the web service.
- `POST /api/v1/products` to create a product.
- `GET /api/v1/products` to list all the products.
How REST APIs Work

- Client-Server Model — A client (e.g., a mobile app or web app) sends a request to a central server hosting the REST APIs.
- Endpoints — Published operations or capabilities by the API server that are reachable through a URL and use different HTTP methods like GET, POST, PUT, or DELETE.
- Authentication — REST APIs usually rely on OAuth 2.0 or API keys to authenticate the caller and authorise the request.
- Data Exchange — The API server processes the request sent through endpoints and returns a response in a JSON format, containing either the result of the operation or an error message.
Advantages of REST APIs
- Simple and well-established design principles.
- Supported by virtually every programming language and framework, which simplifies integration.
- Scalability and performance by leveraging the HTTP caching mechanism.
Limitations of REST APIs
- Centralised trust — all communication usually takes place on a central API server.
- Limited security model — encryption depends on HTTP/TLS; the payload is not end-to-end encrypted by default.
- Identity management — uses external solutions like OAuth and JWTs, which are not built into the protocol.
- Privacy issues — headers and endpoints can reveal metadata about the system. Integrations often involve sharing sensitive information across domains.
With increasing cyber threats and data privacy regulations like GDPR, these limitations highlight the need for a more robust solution.
What is DIDComm Messaging Protocol?
DIDComm, or Decentralised Identifier Communication, is a protocol designed for secure, private, and trusted communication between parties that control a Decentralised Identifier (DID). DIDComm integrates seamlessly with the Self-Sovereign Identity (SSI) ecosystem, serving as its communication layer, and is standardised by the Decentralised Identity Foundation (DIF) and the W3C community.
Core Concepts
- DIDs (Decentralised Identifiers): A globally unique identifier that enables secure interactions; the DID is the cornerstone of Self-Sovereign Identity (SSI).

- DID documents: A digital document containing public key information and service endpoints for the DID.

- DIDComm Messages: A JSON Web Message (JWM), a lightweight, secure, and verifiable format for structured communication using DID. DIDComm Messages can be composed into plaintext, signed, and encrypted formats.

How DIDComm Works
- Each participant owns a DID associated with a cryptographic key pair (private and public keys).
- They discover each other’s service endpoints by resolving the DID document.
- They exchange DIDComm messages through a mediator. The messages are:
  - Digitally signed with the sender’s private key.
  - Encrypted end-to-end with the recipient’s public key.
  - Portable across transport layers (e.g., HTTP/S, WebSocket, Bluetooth).
- The recipient fetches the DIDComm message from the mediator and:
  - Decrypts it with their private key.
  - Verifies the signature using the sender’s public key, confirming the sender’s identity.
Essentially, DIDComm provides a secure communication layer between identities, similar to how email or the Signal app works, but built for machine-to-machine communication.
Key Differences: DIDComm vs REST APIs
| Feature | REST API | DIDComm |
|---|---|---|
| Communication Model | Client-server, request-response over HTTP | Peer-to-peer, asynchronous and synchronous messaging |
| Security | Relies on TLS for transport security; OAuth or API keys for authN/authZ | End-to-end encryption and authentication built into the protocol using DIDs and cryptographic keys |
| Identity Model | Centralised identity (e.g., user accounts, tokens) | Decentralised identity using DIDs |
| Message Format | JSON/XML over HTTP | Encrypted JSON Web Messages |
| Statefulness | Stateless (each request is independent) | Can support stateful interactions via message threads |
| Interoperability | Widely supported across platforms | Designed for interoperability in decentralised ecosystems |
| Trust Model | Trust via central authorities (e.g. OAuth providers) | Peer-to-peer trust based on cryptographic verification of DIDs |
REST APIs are designed for data exchange over HTTP, while DIDComm is designed for secure interactions across decentralised ecosystems.
Using DIDComm as a Secure Alternative to REST API
DIDComm can be thought of as a secure messaging layer that replaces REST API requests and responses over HTTP with encrypted and authenticated DIDComm messages.
DIDComm provides security and privacy by default, which enables:
- End-to-End Encryption: Unlike REST APIs, which typically secure data only in transit via TLS, DIDComm encrypts messages at the application layer, ensuring confidentiality even across untrusted networks and intermediaries.
- Decentralised Trust: DIDComm uses DIDs and verifiable credentials, removing the need for centralised identity providers and reducing single points of failure.
- Protocol Flexibility: DIDComm supports rich interaction protocols (e.g., credential issuance, proof requests) that a REST API would require custom logic to implement securely.
- Transport Independence: The protocol abstracts away the transport layer, allowing secure message exchange regardless of the underlying medium.
- Built-in Authentication: Every DIDComm message is signed, ensuring authenticity and integrity without relying on external auth systems.
When to Use DIDComm over REST API
The DIDComm protocol isn’t designed to replace REST APIs entirely, but it is a better alternative in some use cases, such as:
- Digital identity systems for verifiable credential issuance and presentation.
- Privacy-critical data exchanges, such as healthcare or finance.
- Decentralised ecosystems for zero-trust environments.
Conclusion
DIDComm represents a paradigm shift from traditional, centralised server-based communication models to a decentralised, peer-to-peer trust framework. While REST APIs continue to serve as the backbone of modern web services, DIDComm introduces a more secure, private, and identity-aware method of exchanging information, eliminating the need for third-party intermediaries and enabling end-to-end encrypted interactions between systems and autonomous AI agents.
This shift allows systems to communicate based on verifiable digital identities, fostering trust and resilience in decentralised ecosystems.
How to Get Started with DIDComm
- Learn more about the DIDComm v2.1 protocol specifications.
- Explore Affinidi Messaging, an implementation of DIDComm v2.1 protocol.
- Deploy your own DIDComm Mediator and start integrating into your application.
Build with Affinidi
Start building trust infrastructure with our open-source tools and developer-friendly APIs.