How to verify a CWT credential
This guide will step through how to make a direct API call to verify a CWT or Semantic CWT credential. You can use it to verify a credential presented as either a PDF document, an image file or an encoded string.
Prerequisites
- A signed CWT or Semantic CWT credential encoded as a string. This
will be the
encodedelement of the credential issuance response.
or
- A signed CWT or Semantic CWT credential encoded as a QR code and represented as a PDF document or an image file: - File size can be 1MB or under. Larger files are rejected with a 413 error. - Only the first page of PDF documents is processed. - Image files must contain a QR code of sufficient quality and resolution. This depends on many factors such as the size of the QR relative to the image, and whether the image had been processed in any way. - For optimal performance, ensure that only a single QR code is present on the file.
Request
Make a request of the following structure to verify a CWT credential:
HTTP
POST /v2/credentials/compact/verifyYou can make a similar request to a different endpoint to verify a Compact Semantic Credential:
HTTP
POST /v2/credentials/compact-semantic/verifyIf you are verifying a credential presented as a PDF document or image file, specify the request
Content-Type to multipart/form-data and include the binary PDF or image file. The QR code in the
document/image will be read and its contents processed as the credential.
Request body
JSON
{
"payload": "CSC:/1/2KCE3IQEJB5DCMSLN5KWKZABE2QFQRVDAF4CIZDJMQ5HOZLCHIYDGOJUFUYTENJNGIZTOLJVGIWTCMJQFZXGO4TPNMXGS33ENZQW2ZLEJJXWQ3QH3BAFB3LISHKGQ2KBJ6Q35NXZFD6LGZ2YIAYHZAKCF7NKTIUZUTZQ3PWDBALAWVRG5XL2H4P4WFK25X3Y5X5RTN7NOZUST67KLCEFS3EPXQU5KM7VUGOPXJLQ6K5U676PMQNWRZCZ",
"trustedIssuers": ["did:web:example.com"],
"assertValidFrom": true,
"assertValidUntil": true,
"checkRevocation": true
}payload: Use theencodedelement from the response obtained when creating a CWT or Semantic CWT credential.trustedIssuers(optional): When you include issuers’ DIDs in this array, credentials will only be verified if theirissvalue matches one of these DIDs. You can include multiple trusted issuers, separated by commas.assertValidFrom: MATTR VII validates the credential’snbf(not before) field by default, so that credentials that have a future not before date will not be verified. When this field is set tofalse, credentials can be verified even when theirnbfdate is in the future.assertValidUntil: MATTR VII validates the credential’sexp(expiry) field by default, so that expired credentials will not be verified. When this field is set tofalse, credentials can be verified even when theirexpdate has passed.checkRevocation: MATTR VII checks the credential revocation status by default, so that revoked credentials will not be verified. When this field is set tofalse, credentials can be verified even if they had been revoked.
Response
JSON
{
"verified": true,
"decoded": {
"iss": "did:web:example.com",
"exp": 2516239922,
"nbf": 1516239022,
"status": {
"url": "/v2/credentials/compact/revocation-lists/c0bcfc20-1514-4899-a451-93bccf9a77a9",
"index": 604
},
"name": "Emma Jane Tasma",
"code": "HS.278",
"certificationName": "Working at Heights",
"certificationLevel": "Level 4",
"issuerName": "Advanced Safety Training",
"jti": "M2Cbq-3GRgu3aXR9YmMHcA"
}
}verified: Indicates whether the verification status istrueorfalse. When verified isfalse, a further error body is returned with more details about the error:- The credential is not issued by a trusted issuer.
- The issuer public key is invalid.
- The credential signature is invalid.
- The credential has expired (
expis in the past). - The credential has been revoked.
- The credential is not active (
nbfis in the future).
decoded: Includes the decoded payload.
Payloads that fail to decode will return standard HTTP status responses:
400:- Payload is not a string.
- Payload does not match a CWT credential format.
- Unable to validate or decode the payload.
415: Unsupported media type.413: Payload too large.