⚠
Archived Version
This is the archived RCAN Protocol Specification v1.0.0. It has been superseded by v1.1.0 (current). New implementations should target v1.1.0.
RCAN Protocol Specification
Version 1.0.0
Archived
Table of Contents
1. Robot URI (RURI)
Every robot has a globally unique RURI similar to a URL:
rcan://<registry>/<manufacturer>/<model>/<device-id>[:<port>][/<capability>]Examples
rcan://continuon.cloud/continuon/companion-v1/d3a4b5c6-7890-1234-5678-abcdef012345
rcan://continuon.cloud/continuon/companion-v1/d3a4b5c6/arm
rcan://local.rcan/discovered/192.168.1.42:8080
rcan://my-server.lan/acme/bot-x1/a1b2c3d4:9000/teleopComponents
| Component | Description | Required |
|---|---|---|
registry | Root registry domain (e.g., continuon.cloud, local.rcan) | Yes |
manufacturer | Manufacturer namespace | Yes |
model | Robot model identifier | Yes |
device-id | UUID or short-form (8 hex chars) | Yes |
port | Communication port (default: 8080) | No |
capability | Specific endpoint (e.g., /arm, /vision) | No |
Validation Regex
ruri-validation.regex
^rcan://([a-z0-9][a-z0-9.-]*[a-z0-9])/([a-z0-9][a-z0-9-]*[a-z0-9])/([a-z0-9][a-z0-9-]*[a-z0-9])/([0-9a-f]{8}(?:-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})?)(?::(\d{1,5}))?(/[a-z][a-z0-9/-]*)?$2. Role-Based Access Control
RCAN defines a five-level role hierarchy:
| Role | Level | Key Permissions |
|---|---|---|
| CREATOR | 5 | Full hardware/software control, OTA push, safety override |
| OWNER | 4 | Configuration, skill installation, user management |
| LEASEE | 3 | Time-bound operational control, cannot change ownership |
| USER | 2 | Operational control within allowed modes |
| GUEST | 1 | Limited interaction, chat, read-only status |
Rule: Higher roles inherit all permissions of lower roles.
3. Message Format
All RCAN messages use a common envelope:
message_envelope.proto
message RCANMessage {
string version = 1; // "1.0.0"
string message_id = 2; // UUID
string source_ruri = 3; // Sender RURI
string target_ruri = 4; // Recipient RURI (or "broadcast")
string auth_token = 5; // JWT session token
MessageType type = 6;
bytes payload = 7; // Type-specific payload
int64 timestamp_ms = 8;
int32 ttl_ms = 9; // Time-to-live (0 = no expiry)
Priority priority = 10;
enum MessageType {
DISCOVER = 1;
STATUS = 2;
COMMAND = 3;
STREAM = 4;
EVENT = 5;
HANDOFF = 6;
ACK = 7;
ERROR = 8;
}
enum Priority {
LOW = 1;
NORMAL = 2;
HIGH = 3;
SAFETY = 4; // Always processed first
}
}4. Discovery (mDNS)
For LAN discovery without cloud connectivity:
_rcan._tcp.local.TXT Records
ruri=rcan://continuon.cloud/continuon/companion-v1/d3a4b5c6
model=companion-v1
caps=arm,vision,chat,teleop
roles=owner,user,guest
version=1.0.0
name=Living Room Companion
status=idle5. Authentication
RCAN uses JWT tokens for session management:
session_token.jwt
{
"sub": "550e8400-e29b-41d4-a716-446655440000",
"iss": "continuon.cloud",
"aud": "rcan://continuon.cloud/continuon/companion-v1/*",
"role": "owner",
"scope": ["control", "config", "training"],
"fleet": ["d3a4b5c6", "a1b2c3d4"],
"exp": 1735689600,
"iat": 1735603200
}6. Safety Invariants
These are protocol requirements, not suggestions:
- Local safety always wins. No remote command can bypass on-device safety checks.
- Graceful degradation. Network loss triggers safe-stop, not undefined behavior.
- Audit trail. All commands logged with user, timestamp, and outcome.
- Rate limiting. Commands throttled per role (Guest: 10/min, User: 100/min, etc.).
- Timeout enforcement. Control sessions expire; explicit renewal required.
7. Federation
RCAN is federated like email, not centralized like a platform:
rcan://continuon.cloud/...— Managed servicercan://my-local-server.lan/...— Self-hostedrcan://robotics-co-op.org/...— Community run
The Right to Redirect: An Owner (Level 4) can always change the robot's upstream registry.
Local Supremacy: Even if the cloud registry deletes your ID, local discovery (
_rcan._tcp.local) always works.
Edit this page on GitHub
Last updated: 2/22/2026