# Harbor

# What is Harbor?

Harbor is an identity management system built on top of Polycentric. Harbor can be used to link identities across the web, make arbitrary claims, and manage endorsements of other users. It is conceptually similar to the PGP Web of Trust described by Phil Zimmerman in 1992:

As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.

Harbor profiles can be viewed on harbor.social, and managed with the Harbor iOS, and Android apps.

# Linking identities

Harbor identities may be linked to a set of accounts available across the internet. This is accomplished by creating a claim declaring ownership of some account, and then it being verified by other users. A bot infrastructure exists to automatically endorse claims of ownership if a user can demonstrate control of an account. A claim may be verified by just one bot, or many run by other parties. There are two types of challenges that are used to demonstrate control.

# Crawler Challenge

A user generates a token derived from their public key, and places it in a location under the control of their account such as the account description. The bot then uses a web scraper to examine the current account description, checks if the challenge token exists, and if so vouches for a claim. This method is used when sites do not implement extensive anti crawling measures.

# OAuth Challenge

A second challenge is using official OAuth based login provided by various sites. A bot offers the user the ability to "Log in with X platform", the user logs in, and the platform notifies the bot that login was successful. The bot is never granted access to the users password. This method is primarily used for locked down platforms that both provide OAuth support but have anti crawling measures.

# Platforms

Platform Domain Challenge method
Discord discord.com OAuth
Github github.com Crawler
Gitlab gitlab.com Crawler
Hacker News news.ycombinator.com Crawler
Instagram instagram.com OAuth
Kick kick.com Crawler
Minds minds.com Crawler
Nebula nebula.tv Crawler
Odyssee odysee.com Crawler
Patreon patreon.com Crawler
Rumble rumble.com Crawler
Spotify spotify.com OAuth
Spreadshop spreadshop.com Crawler
Substack substack.com Crawler
Twitch twitch.tv Crawler
Vimeo vimeo.com Crawler
Website example.com Crawler
X / Twitter x.com OAuth
Youtube youtube.com Crawler

# Operating a verifier

A docker image is available at gitlab.futo.org:5050/videostreaming/verifiers:latest. The container needs to expose the configured port and mount a volume to /usr/src/app/state for persistence. The following environment variables are used for configuration.

Variable Default
PORT 3000
X_CLIENT_ID undefined
X_API_KEY undefined
X_API_SECRET undefined

# Where is the code?