AZ Tools

/.well-known/* URI Reference

RFC 8615 defines `/.well-known/` as the standard path for site metadata that needs a predictable location — discovery endpoints, security contacts, mobile app deep-link associations, ACME validation tokens, identity provider configurations. This reference lists the URIs registered with IANA (plus a few de facto industry standards), grouped by purpose: security, identity, mobile, web, mail, miscellaneous. Each entry links to the defining RFC or spec so you can read the exact requirements. Useful when setting up a new domain, debugging an OIDC discovery flow, or just trying to remember which path Apple's universal links go on.

/.well-known/security.txt
Security | RFC 9116

Standardized location for security disclosure contact info and policy. Required: Contact, Expires.

/.well-known/openid-configuration
Identity | OIDC Discovery

OpenID Connect provider configuration document — authorization/token/userinfo endpoints, supported scopes, JWKS URI.

/.well-known/oauth-authorization-server
Identity | RFC 8414

OAuth 2.0 Authorization Server Metadata. Like OIDC discovery but for plain OAuth 2.0 deployments.

/.well-known/oauth-protected-resource
Identity | RFC 9728

OAuth 2.0 Protected Resource Metadata — tells clients which authorization server protects this API.

/.well-known/jwks.json
Identity | JWK Set

JSON Web Key Set — public keys used to verify JWTs issued by this server.

/.well-known/webfinger
Identity | RFC 7033

Discover information about people or entities at a domain via account URIs (`acct:user@example.com`).

/.well-known/host-meta
Identity | RFC 6415

Site-wide metadata document, predecessor to WebFinger. XRD format.

/.well-known/nostr.json
Identity | NIP-05

NIP-05 verification — maps a name (`user@example.com`) to a Nostr public key.

/.well-known/change-password
Web | W3C draft

Standard URL browsers redirect to when users want to change their password (W3C draft).

/.well-known/apple-app-site-association
Mobile | Apple

Apple Universal Links + Handoff associations. JSON with `applinks` and `webcredentials` keys.

/.well-known/assetlinks.json
Mobile | Google

Android Digital Asset Links — verifies app-to-website ownership for App Links.

/.well-known/acme-challenge/<token>
Security | RFC 8555

ACME HTTP-01 challenge token — Let's Encrypt and other CAs use this to verify domain control.

/.well-known/mta-sts.txt
Mail | RFC 8461

Mail Transfer Agent Strict Transport Security policy for inbound email.

/.well-known/dnt-policy.txt
Security | EFF

EFF Do Not Track policy declaration — predates the deprecated DNT browser header.

/.well-known/traffic-advice
Web | Chrome

Tells private prefetch proxies (Chrome) the max throughput they should send.

/.well-known/ai.txt
Web | Industry

Industry-proposed convention for declaring AI training opt-out preferences.

/.well-known/llms.txt
Web | Industry

Proposed convention to give LLMs a curated, machine-friendly site overview.

/.well-known/privacy-policy
Web | Convention

Convention for a canonical privacy policy URL — not standardized but common.

/.well-known/dat
Misc | DAT

Dat peer-to-peer hyperdrive discovery.

/.well-known/did.json
Identity | DID Web

DID Web method — resolves `did:web:example.com` to a DID document.

/.well-known/matrix/server
Misc | Matrix

Matrix server-server federation discovery.

/.well-known/matrix/client
Misc | Matrix

Matrix client-server homeserver discovery.

/.well-known/ashrae135
Misc | BACnet

BACnet building automation device discovery.

/.well-known/caldav
Misc | RFC 6764

CalDAV calendar server discovery (RFC 6764).

/.well-known/carddav
Misc | RFC 6764

CardDAV contacts server discovery (RFC 6764).

/.well-known/est/cacerts
Security | RFC 7030

Enrollment over Secure Transport — CA certificate retrieval (RFC 7030).

/.well-known/gnap-as-rs
Identity | GNAP

Grant Negotiation and Authorization Protocol metadata.

/.well-known/included-in-set/<algorithm>
Security | RFC 9335

Set inclusion proofs for transparency logs (RFC 9335).

/.well-known/jmap
Mail | RFC 8620

JSON Meta Application Protocol mail discovery (RFC 8620).

/.well-known/openpgpkey/hu/<localpart>
Mail | WKD

OpenPGP Web Key Directory — discover PGP keys from email addresses.

/.well-known/payment-manifest.json
Web | W3C

W3C Payment Manifest — declares supported payment methods.

/.well-known/posh/<hostname>.json
Security | RFC 7711

PKIX over Secure HTTP — TLS certificate publication (RFC 7711).

/.well-known/reload-config
Misc | RFC 6940

REsource LOcation And Discovery configuration (RFC 6940).

/.well-known/sip
Misc | RFC 7095

SIP service discovery (RFC 7095).

/.well-known/sips
Misc | RFC 7095

SIPS service discovery (RFC 7095).

/.well-known/stun
Misc | RFC 7064

STUN server discovery (RFC 7064).

/.well-known/turn
Misc | RFC 7065

TURN server discovery (RFC 7065).

/.well-known/timezone
Misc | RFC 7808

iCalendar timezone service discovery (RFC 7808).

/.well-known/oauth-token-introspection
Identity | RFC 7662

OAuth 2.0 token introspection endpoint (RFC 7662).

Sourced from IANA Well-Known URI registry + de facto industry conventions.

How to use

  1. Filter by category to narrow down (Security for `security.txt`/ACME, Identity for OIDC/OAuth, Mobile for app deep links).
  2. Search by path, RFC number, or description text. Copy the path with one click.
  3. Click through to the RFC/spec to get exact content requirements — most have specific JSON schemas or text formats.

Frequently asked questions

Do I have to register a /.well-known/ URI with IANA?

Yes, if you're defining a new public protocol. The IANA Well-Known URI registry (https://www.iana.org/assignments/well-known-uris) tracks them to prevent collisions. For private/internal use within your own apps, you can use any subpath — but you risk conflicts if your URI later gets registered by someone else's protocol.

Should /.well-known/ paths be served over HTTPS only?

Mostly yes. `security.txt` requires HTTPS per RFC 9116. `apple-app-site-association` requires HTTPS (and used to require no redirects, though that was relaxed). OIDC discovery, OAuth metadata, and most identity-related endpoints require HTTPS. The few exceptions are legacy text files that predate ubiquitous TLS.