# Address IPFS on the Web

This document is a guide to how to address IPFS content paths on the web.

# Dweb addressing in brief

  • In IPFS, addresses (for content) are path-like; they are components separated by slashes.
  • The first component is the protocol, which tells you how to interpret everything after it.
  • Content referenced by a hash might have named links. (For example, a Git commit has a link named parent, which is really just a pointer to the hash of another Git commit.) Everything after the CID in an IPFS address are those named links.
  • Since these addresses aren’t URLs, using them in a web browser requires reformatting them slightly:
    • Through an HTTP gateway, as http://<gateway host>/<IPFS address>
    • Through the gateway subdomain (more secure, harder to set up): http://<cid>.ipfs.<gateway host>/<path>, so the protocol and CID are subdomains.
    • Through custom URL protocols like ipfs://<CID>/<path>, ipns://<peer ID>/<path>, and dweb://<IPFS address>

# HTTP gateways

Gateways are provided strictly for convenience: in other words, they help tools that speak HTTP but do not speak distributed protocols such as IPFS. They are the first stage of the upgrade path for the web.

# Centralization

HTTP gateways have worked well since 2015, but they come with a significant set of limitations related both to the centralized nature of HTTP and some of HTTP's semantics. Location-based addressing of a gateway depends on both DNS and HTTPS/TLS, which relies on a trust in certificate authorities(opens new window) (CAs) and public key infrastructure(opens new window) (PKI). In the long term, these issues should be mitigated by use of opportunistic protocol upgrade schemes.

# Protocol upgrade

Tools and browser extensions should detect IPFS content paths and resolve them directly over IPFS protocol. They should use HTTP gateway only as a fallback when no native implementation is available in order to ensure a smooth, backward-compatible transition.

# Path gateway

In the most basic scheme, a URL path used for content addressing is effectively a resource name without a canonical location. The HTTP server provides the location part, which makes it possible for browsers to interpret an IPFS content path as relative to the current server and just work without a need for any conversion:

https://<gateway-host>.tld/ipfs/<cid>/path/to/resource
https://<gateway-host>.tld/ipns/<ipnsid_or_dnslink>/path/to/resource

WARNING

In this scheme, all pages share a single Origin , which means this type of gateway should be used only when site isolation does not matter (static content without cookies, local storage or Web APIs that require user permission).

When in doubt, use subdomain gateway instead (see below).

Examples:

https://ipfs.io/ipfs/bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq/wiki/Vincent_van_Gogh.html
https://ipfs.io/ipfs/QmT5NvUtoM5nWFfrQdVrFtvGfKFmG7AHE8P34isapyhCxX/wiki/Mars.html
https://ipfs.io/ipns/tr.wikipedia-on-ipfs.org/wiki/Anasayfa.html

# Subdomain gateway

When origin-based security(opens new window) is needed, CIDv1 in case-insensitive encoding such as Base32 or Base36 should be used in the subdomain:

https://<cidv1b32>.ipfs.<gateway-host>.tld/path/to/resource

Example:

https://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq.ipfs.dweb.link/wiki/
https://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq.ipfs.cf-ipfs.com/wiki/Vincent_van_Gogh.html
https://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq.ipfs.localhost:8080/wiki/

# Native support in go-ipfs 0.5+

go-ipfs(opens new window) provides native support for subdomain gateways on hostnames defined in the Gateway.PublicGateways(opens new window) configuration map.

Learn more about daemon configuration for hosting a public gateway:

Known issues

  • Some browsers and other user agents force lowercase for the authority part of URLs, breaking case-sensitive CIDs before the HTTP gateway has a chance to read them
  • DNS label length is limited to 63 characters (RFC 1034(opens new window) )

Due to these limitations, the use of short, case-insensitive CIDv1 in a subdomain context is advised.
Base32 is the safe default; the less-popular Base36 can be used for longer ED25519 libp2p keys.

See the next section to learn how to convert an existing CIDv0 to a DNS-safe representation.

# CID conversion for subdomains

If you have content identified by an older CIDv0, there are easy ways to safely represent it as CIDv1 for use in subdomains and other case-insensitive contexts.

# Automatic — leverage the gateway in go-ipfs

TL;DR: Using a subdomain gateway as a drop-in replacement for a path one removes the need for manual CID conversion.

Request for a content path sent to the gateway domain will return an HTTP 301 redirect to a correct subdomain version, taking care of any necessary encoding conversion if needed:

https://<gateway-host>.tld/ipfs/<cid> -> https://<cidv1>.ipfs.<gateway-host>.tld/

To illustrate, opening the CIDv0 resource at https://dweb.link/ipfs/QmT5NvUtoM5nWFfrQdVrFtvGfKFmG7AHE8P34isapyhCxX/wiki/Mars.html(opens new window)
returns a redirect to a CIDv1 representation at https://bafybeicgmdpvw4duutrmdxl4a7gc52sxyuk7nz5gby77afwdteh3jc5bqa.ipfs.dweb.link/wiki/Mars.html(opens new window) .

The gateway takes care of converting the CID to case-insensitive encoding.
The multihash in CIDv1 is the same as in the original CIDv0.

# Manual — use cid.ipfs.io or the command line

One can also do the conversion manually.
To convert a CID to Base32 (RFC4648(opens new window) , no padding) use cid.ipfs.io(opens new window) or the command line:

$ ipfs cid base32 QmbWqxBEKC3P8tqsKc98xmWNzrzDtRLMiMPL8wBuTGsMnR
bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi

PeerIDs can be represented as CID with libp2p-key multicodec(opens new window) .
Base36 is suggested as a safer default for longer keys:

$ ipfs key list -l --ipns-base base36
k51qzi5uqu5dh9ihj4p2v5sl3hxvv27ryx2w0xrsv6jmmqi91t9xp8p9kaipc2 self

$ ipfs cid format -v 1 -b base36 --codec libp2p-key QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN
k2k4r8jl0yz8qjgqbmc2cdu5hkqek5rj6flgnlkyywynci20j0iuyfuj

The gateway provided by the IPFS daemon understands the Host header present in HTTP requests, and will check if DNSLink exists for a specified domain name(opens new window) .
If DNSLink is present, the gateway will return content from a path resolved via DNS TXT record.
This type of gateway provides full origin isolation(opens new window) .

Example: https://docs.ipfs.io(opens new window) (this website)

TIP

For a more complete DNSLink guide, including tutorials, usage examples and FAQs, check out dnslink.io(opens new window) .

# Native URLs

Subdomain convention can be replaced with a native handler. The IPFS URL protocol scheme follows the same requirement of case-insensitive CIDv1 in Base32 as subdomains:

ipfs://{cidv1b32}/path/to/resource

An IPFS URL does not retain the original path, but instead requires a conversion step to/from URI representation:

ipfs://{immutable-root}/path/to/resourceA/ipfs/{immutable-root}/path/to/resourceA
ipns://{mutable-root}/path/to/resourceB/ipns/{mutable-root}/path/to/resourceB

The first element after the double slash is an opaque identifier representing the content root. It is interpreted as an authority component used for origin calculation, which provides necessary isolation between security contexts of different content trees.

Example:

ipfs://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq/wiki/Vincent_van_Gogh.html

TIP

Native URI require CID to be case-insensitive. Use of CIDv1 in Base32 is advised.

# Further resources

# Technical specification for implementers

The best and most up-to-date source of truth about IPFS addressing can be found in the IPFS in-web-browsers repo(opens new window) .

# Background on address scheme discussions

Discussions around IPFS addressing have been going on since @jbenet published the IPFS whitepaper(opens new window) , with a number of other approaches being proposed. This long-standing design discussion includes many lengthy GitHub issue threads, but a good summary can be found in this PR (opens new window) .

# IPFS Companion

IPFS Companion(opens new window) is a browser extension that simplifies access to IPFS resources.

It provides support for native URLs and will automatically redirect IPFS gateway requests to your local daemon so that you are not relying on, or trusting, remote gateways.

# Shared dweb namespace

This concept isn't yet built, but may be explored and experimented with in the future. The distributed web community is exploring the idea of a shared dweb namespace to remove the complexity of addressing IPFS and other content-addressed protocols. Currently investigated approaches include: