The "cpblty" scheme is used to identify capabilities.
There are two types of "cpblty" URIs. They are distinguished by the mechanism used to identify the authority responsible for resolving the capability.
The first type of capability URI uses IP address or DNS resolution to identify authority.
The second type of capability URI uses first path part of the URI to identify the authority responsible for resolving the capability, allowing for non-IP and non-DNS resolution mechanisms.
The scheme-specific syntax and semantics of capability URIs are as follows:
capability_URI = "cpblty:" "//" authority "/#" capability_token
/ "cpblty:" capability_authority [ "@" authority_scheme ] ":" capability_token
authority_scheme = ALPHA *( ALPHA / DIGIT / "-" / "_" )
capability_authority = base64url
capability_token = "CPBLTY" version "-" base64url
The semantics are such that the identified authority is the domain containing
the capability specified by the capability_token. For full specification of authority,
see RFC 3986, Section 3.2 - Authority.
Alternatively, the capability_authority, in combination with optional authority_scheme,
is the authority containing the capability specified by the capability_token.
The string CPBLTY is a well-known string to facilitate searches for leaked capabilities.
version is the numeric version of capability_token used. base64url is URL-safe base64
encoded bytes of the specified capability.
Capability URI using example.com registered DNS name to designate authority:
cpblty://example.com/#CPBLTY1-IbwNerN4Dw4BYlpYc4Az-pNBWen_WsdrTrpb-HmMiJOEHvCv1xHKBn2Q
Capability URI using DkDvHuU78RZGUeNs3Q-Wsw authority to be interpreted using a
custom my_dht resolution scheme:
cpblty:DkDvHuU78RZGUeNs3Q-Wsw@my_dht:CPBLTY1-IbwNerN4Dw4BYlpYc4Az-pNBWen_WsdrTrpb-HmMiJOEHvCv1xHKBn2Q
Capability URI using DkDvHuU78RZGUeNs3Q-Wsw authority with an implied resolution scheme:
cpblty:DkDvHuU78RZGUeNs3Q-Wsw:CPBLTY1-IbwNerN4Dw4BYlpYc4Az-pNBWen_WsdrTrpb-HmMiJOEHvCv1xHKBn2Q