How to verify a CWT credential

This guide steps through making a direct API call to verify a CWT or Semantic CWT credential. You can use it to verify a credential presented as a PDF document, an image file or an encoded string.

Prerequisites

or

  • A signed CWT or Semantic CWT credential encoded as a QR code and represented as a PDF document or an image file:
    • File size can be 1MB or under. Larger files are rejected with a 413 error.
    • Only the first page of PDF documents is processed.
    • Image files must contain a QR code of sufficient quality and resolution. This depends on many factors, such as the size of the QR code relative to the image and whether the image has been processed in any way.
    • For optimal performance, ensure that only a single QR code is present in the file.

Request

Make a request of the following structure to verify a CWT credential:

HTTP
POST /v2/credentials/compact/verify

You can make a similar request to a different endpoint to verify a Compact Semantic Credential:

HTTP
POST /v2/credentials/compact-semantic/verify

If you are verifying a credential presented as a PDF document or image file, set the request Content-Type to multipart/form-data and include the binary PDF or image file. The QR code in the document or image is read and its contents are processed as the credential.

Request body

JSON
{
    "payload": "CSC:/1/2KCE3IQEJB5DCMSLN5KWKZABE2QFQRVDAF4CIZDJMQ5HOZLCHIYDGOJUFUYTENJNGIZTOLJVGIWTCMJQFZXGO4TPNMXGS33ENZQW2ZLEJJXWQ3QH3BAFB3LISHKGQ2KBJ6Q35NXZFD6LGZ2YIAYHZAKCF7NKTIUZUTZQ3PWDBALAWVRG5XL2H4P4WFK25X3Y5X5RTN7NOZUST67KLCEFS3EPXQU5KM7VUGOPXJLQ6K5U676PMQNWRZCZ",
    "trustedIssuers": ["did:web:example.com"],
    "assertValidFrom": true,
    "assertValidUntil": true,
    "checkRevocation": true
}
  • payload : Use the encoded element from the response obtained when creating a CWT or Semantic CWT credential.
  • trustedIssuers (optional): When you include issuers’ DIDs in this array, credentials will only be verified if their iss value matches one of these DIDs. You can include multiple trusted issuers, separated by commas.
  • assertValidFrom : MATTR VII validates the credential’s nbf (not before) field by default, so that credentials that have a future not before date will not be verified. When this field is set to false, credentials can be verified even when their nbf date is in the future.
  • assertValidUntil : MATTR VII validates the credential’s exp (expiry) field by default, so that expired credentials will not be verified. When this field is set to false, credentials can be verified even when their exp date has passed.
  • checkRevocation : MATTR VII checks the credential revocation status by default, so that revoked credentials will not be verified. When this field is set to false, credentials can be verified even if they have been revoked.

Response

JSON
{
    "verified": true,
    "decoded": {
        "iss": "did:web:example.com",
        "exp": 2516239922,
        "nbf": 1516239022,
        "status": {
            "url": "/v2/credentials/compact/revocation-lists/c0bcfc20-1514-4899-a451-93bccf9a77a9",
            "index": 604
        },
        "name": "Emma Jane Tasma",
        "code": "HS.278",
        "certificationName": "Working at Heights",
        "certificationLevel": "Level 4",
        "issuerName": "Advanced Safety Training",
        "jti": "M2Cbq-3GRgu3aXR9YmMHcA"
    }
}
  • verified : Indicates whether the verification status is true or false. When verified is false, a further error body is returned with more details about the error:
    • The credential is not issued by a trusted issuer.
    • The issuer public key is invalid.
    • The credential signature is invalid.
    • The credential has expired (exp is in the past).
    • The credential has been revoked.
    • The credential is not active (nbf is in the future).
  • decoded : Includes the decoded payload.

Payloads that fail to decode will return standard HTTP status responses:

  • 400 :
    • Payload is not a string.
    • Payload does not match a CWT credential format.
    • Unable to validate or decode the payload.
  • 415 : Unsupported media type.
  • 413 : Payload too large.
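
A client-side sketch of handling this request and response, added here as an example and not MATTR's own code: it builds the body with every check left on and accepts a credential only when verified is exactly true. The function names, the mandatory issuer allow-list, the local iss/nbf/exp re-check and the assumption that a successful call returns HTTP 200 are this example's, not the API's.

```python
import json
import time

# Status codes the page lists for payloads that fail to decode.
DECODE_ERRORS = {
    400: "payload rejected (not a string, wrong format, or undecodable)",
    413: "payload too large",
    415: "unsupported media type",
}

def build_verify_body(payload, trusted_issuers):
    """JSON body for POST /v2/credentials/compact/verify with every check on."""
    if not isinstance(payload, str) or not payload:
        raise ValueError("payload must be a non-empty encoded string")
    if not trusted_issuers:
        # trustedIssuers is optional in the API; requiring it is this example's policy.
        raise ValueError("refusing to verify without an issuer allow-list")
    return json.dumps({
        "payload": payload,
        "trustedIssuers": list(trusted_issuers),
        "assertValidFrom": True,
        "assertValidUntil": True,
        "checkRevocation": True,
    })

def accept_credential(status, body_text, trusted_issuers, now=None):
    """Return (accepted, reason); anything but a clean success is rejected."""
    if status in DECODE_ERRORS:
        return False, DECODE_ERRORS[status]
    if status != 200:  # assumption: success is reported as HTTP 200
        return False, f"unexpected HTTP status {status}"
    try:
        body = json.loads(body_text)
    except ValueError:
        return False, "response is not JSON"
    if not isinstance(body, dict) or body.get("verified") is not True:
        return False, "verified is not true"
    decoded = body.get("decoded")
    if not isinstance(decoded, dict):
        return False, "missing decoded payload"
    # Re-check locally what the request asked the service to enforce.
    if decoded.get("iss") not in trusted_issuers:
        return False, "issuer not in allow-list"
    now = time.time() if now is None else now
    nbf, exp = decoded.get("nbf"), decoded.get("exp")
    if isinstance(nbf, (int, float)) and now < nbf:
        return False, "credential not yet active"
    if isinstance(exp, (int, float)) and now >= exp:
        return False, "credential expired"
    return True, "ok"
```
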