# DIGHUb (hub.dig.net)

> DIGHUb is the DIG Network app to browse, create and publish decentralized **stores**:
> encrypted, content-addressable WebAssembly capsules anchored on Chia mainnet. The hub is a
> GitHub-shaped **blind host** — it serves content by retrieval key and never holds your URNs or
> decryption keys; all decryption and verification happen client-side. Your Chia wallet is your
> account (any WalletConnect-compatible Chia wallet); every on-chain action is user-signed.

## Core concepts

- **Store**: your permanent, on-chain identity (a Chia CHIP-0035 DataLayer singleton). Its `storeId` = the singleton launcher id and never changes.
- **Capsule**: one immutable generation of a store — the pair `storeId:rootHash`. A store is a sequence of capsules (one per commit). The capsule is the unit of pricing, compilation, retrieval, caching, and provenance. Each capsule compiles to one fixed-size `.wasm` module so its length leaks nothing about content size.
- **URN / retrieval key**: a capsule (+ optional resource) is named by a URN `urn:dig:::[/]`; the only id sent to the read service is `retrieval_key = SHA256(URN)`.
- **chia://**: the user-facing scheme for opening verified DIG content (DIG Browser / extension).
- **$DIG**: the network token. Publishing a capsule costs a small, live USD-pegged `$DIG` amount (see /v1/pricing).

## Machine-readable (start here)

- OpenAPI 3.1 spec (control plane): https://hub.dig.net/v1/openapi.json
- Error taxonomy (catalogued codes): https://hub.dig.net/v1/errors
- Live USD-pegged pricing: https://hub.dig.net/v1/pricing
- Node / serving identity (+ build version): https://hub.dig.net/v1/node
- Health (+ build version): https://hub.dig.net/v1/healthz
- JWT verification keys (JWKS): https://hub.dig.net/v1/auth/jwks
- Per-store machine-readable view: https://hub.dig.net/v1/resolve/{handle}/{slug} and https://hub.dig.net/v1/stores/{storeId} (also linked per page via ``)

## API

The control plane is REST over HTTPS under `/v1` (versioned in the path). Every response carries an `X-Request-Id` correlation header (CORS-exposed). Errors are JSON `{ "error": "", "message": "" }` with `` drawn from the catalog at /v1/errors and the OpenAPI error responses.

Auth is a bearer EdDSA JWT (`Authorization: Bearer `) minted by `POST /v1/auth/verify` (web, wallet-signed) or the CLI device-pairing flow; CI exchanges a GitHub Actions OIDC token at `POST /v1/auth/ci/github-oidc`. Public read endpoints require no auth (`security: []` in the spec).

## The dig RPC (read path)

Content is read via the dig JSON-RPC 2.0 service (separate origin: https://rpc.dig.net) — `dig.getContent` / `dig.getCapsule` / `dig.getProof` / `dig.getProofStatus` / `dig.getManifest` / `dig.listCapsules`, streaming ciphertext + base64 Merkle inclusion proofs by `retrieval_key`. Clients verify served bytes against the on-chain root and decrypt in-browser. The canonical method + chunk-wire spec lives in the docs (below); the hub never decrypts.

## Docs

- Developer docs: https://docs.dig.net
- dig RPC methods: https://docs.dig.net/docs/rpc/methods
- Ecosystem error catalog: https://docs.dig.net/docs/support/error-codes
- digstore CLI reference: https://docs.dig.net/docs/digstore/cli/command-reference
- Deploy from GitHub Actions: https://docs.dig.net/docs/digstore/cli/deploy-from-github-actions

## Ecosystem

- Marketing / overview: https://dig.net
- Source: https://github.com/DIG-Network
- Community (Discord): https://discord.gg/dignetwork