Problem
Anyone can register any server URL on suimpp.dev — there's no verification that the registrant controls the server. This could lead to impersonation or squatting.
Solution
Implement ownership verification using x-discovery.ownershipProofs from the OpenAPI spec.
Options to explore
- DNS TXT record — registrant adds a TXT record to their domain proving control
- Well-known endpoint — server must respond at /.well-known/suimpp-verify with a challenge token
- Signed challenge — server signs a nonce with the recipient wallet key (proves on-chain identity)
Acceptance criteria
- verified badge displayed on server detail + listing pages
- … /discovery)
Context
Deferred from Phase 4 scope. Currently server.verified defaults to false — this field exists but is never set to true through any automated flow.
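A sketch of the well-known endpoint option, added here as an example and not taken from the suimpp code base: the registry issues a challenge token bound to the registrant and the server's origin, and later checks the body it fetched from /.well-known/suimpp-verify. The token format, the HMAC construction, the 15-minute lifetime and all function names are assumptions.

```javascript
const crypto = require("node:crypto");

const WELL_KNOWN_PATH = "/.well-known/suimpp-verify"; // path named in the issue
const TTL_MS = 15 * 60 * 1000; // assumed challenge lifetime

// Build the proof URL from the origin only, so a registrant cannot point the
// check at a path they control on a host they do not own.
function proofUrl(serverUrl) {
  const u = new URL(serverUrl);
  if (u.protocol !== "https:") throw new Error("https required");
  if (u.username || u.password) throw new Error("credentials in URL");
  return u.origin + WELL_KNOWN_PATH;
}

// MAC over (registrant, origin, expiry): a token issued to one registrant or
// for one host does not verify for another.
function mac(secret, registrant, origin, expires) {
  return crypto.createHmac("sha256", secret)
    .update(JSON.stringify([registrant, origin, expires]))
    .digest("hex");
}

// Token handed to the registrant, to be served at the well-known path.
function issueChallenge(secret, registrant, serverUrl, now = Date.now()) {
  const origin = new URL(proofUrl(serverUrl)).origin;
  const expires = now + TTL_MS;
  return `${expires}.${mac(secret, registrant, origin, expires)}`;
}

// `body` is the response text the registry fetched from proofUrl(serverUrl),
// with redirects disabled. Returns true only for a fresh, matching token.
function checkProof(secret, registrant, serverUrl, body, now = Date.now()) {
  const origin = new URL(proofUrl(serverUrl)).origin;
  const m = /^(\d{1,16})\.([0-9a-f]{64})$/.exec(String(body).trim());
  if (!m) return false;
  const expires = Number(m[1]);
  if (expires < now) return false; // stale challenge
  const expected = Buffer.from(mac(secret, registrant, origin, expires), "hex");
  return crypto.timingSafeEqual(expected, Buffer.from(m[2], "hex"));
}
```

server.verified would be set to true only after checkProof returns true. Re-running the check periodically covers a domain that later changes hands.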