Direct verification of Web Credentials
This guide will step through how to make a direct API call to verify a signed Web Credential. This request will trigger a set of standard checks to confirm the credential validity:
-
Issuer DID can be resolved, so that the referenced DID Document is available and valid and the public key is obtainable.
-
Proof is valid and the credential has not been tampered with.
-
JSON-LD context is valid for subject claims.
-
The Credential is not in a revoked status as per RevocationList2020.
These checks apply to any credential provided, so the Issuer DID check and the revocation status check are not dependent on any setup in your tenant (unless the credential you are verifying is from your tenant).
Prerequisites
-
Access to Sovrin APIs. If you’re experiencing any difficulties, contact us.
-
A signed Web Credential.
Request
Make a request of the following structure to verify a Web Credential:
POST https://api.sovrin.one/v2/credentials/web-semantic/verify
{
"payload": {
"type": [
"VerifiableCredential",
"EducationalOccupationalCredential",
"AlumniCredential"
],
//... rest of Web Credential
}
payload: Replace with the contents of thecredentialobject from the response obtained when creating a Web Credential. Make sure you only include the contents of thecredentialobject and not the entire response.
Response
{
"verified": true
}
verified: Indicates whether the verification status istrueorfalse.
For responses that show the verified status to be false, a further error body is returned with more details about the error:
-
The credential has been revoked.
-
The Issuer DID cannot be resolved.
-
The issuer public key is invalid.
-
The credential JSON-LD context is invalid.
-
The credential signature is invalid. Refer to Tamper proofing for more information.