Direct verification of Web Credentials
This guide will step through how to make a direct API call to verify a signed Web Credential. This request will trigger a set of standard checks to confirm the credential validity:
Standard checks performed on all verification requests:
Issuer DID can be used to resolve its did.json document.
Public key from issuer's did.json document validates the proof signature, confirming the credential has not been tampered with.
JSON-LD context is valid for credential claims.
Optional parameter checks:
The credential has not been revoked.
The credential has not expired.
These checks apply to any credential provided, so the Issuer DID check and the revocation status check are not dependent on any setup in your tenant (unless the credential you are verifying is from your tenant).
Prerequisites
Access to MATTR VII APIs. If you’re experiencing any difficulties, contact us.
A signed Web Credential.
Request
Make a request of the following structure to verify a Web Credential:
POST https://YOUR_TENANT_URL/v2/credentials/web-semantic/verify
{
  "payload": {
    "type": [
      "VerifiableCredential",
      "EducationalOccupationalCredential",
      "AlumniCredential"
    ],
    //... rest of Web Credential
  }
}
payload: Replace with the contents of the credential object from the response obtained when creating a Web Credential. Make sure you only include the contents of the credential object and not the entire response.
assertExpiry: When set to true and the credential has a set expiry date, verification will fail if the expiry date has passed.
checkRevocation: When set to true and the provided credential contains a revocation status list, verification will fail if the credential has been revoked.
Response
{
  "verified": true
}
verified: Indicates whether the verification status is true or false.
For responses that show the verified status to be false, a further error body is returned with more details about the error in a reason element:
The credential has been revoked.
The Issuer DID cannot be resolved.
The issuer public key is invalid.
The credential JSON-LD context is invalid.
The credential signature is invalid. Refer to Tamper proofing for more information.
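
The request and response handling described in this guide, as an added Python example that is not part of the original guide or MATTR's own code: it sends only the credential object as payload, turns on both optional checks, and treats anything other than a literal verified: true as a failed verification. Assumptions: assertExpiry and checkRevocation sit beside payload at the top level of the body, reason is a top-level element of the error body, the API accepts a bearer token, and the sample creation response is constructed.

```python
from __future__ import annotations
import json
import urllib.error
import urllib.request

TENANT_URL = "https://YOUR_TENANT_URL"  # placeholder used in the guide
VERIFY_PATH = "/v2/credentials/web-semantic/verify"

# Constructed sample of a creation response; only "credential" is sent on.
SAMPLE_CREATE_RESPONSE = {
    "id": "constructed-record-id",
    "credential": {"type": ["VerifiableCredential", "AlumniCredential"]},
}

def build_verify_request(create_response: dict) -> dict:
    """Build the verify body from a credential-creation response."""
    credential = create_response.get("credential")
    if not isinstance(credential, dict):
        raise ValueError("creation response has no 'credential' object")
    return {
        "payload": credential,      # the credential only, not the whole response
        "assertExpiry": True,       # fail if the expiry date has passed
        "checkRevocation": True,    # fail if the credential has been revoked
    }

def interpret(body: object) -> tuple[bool, str | None]:
    """Fail closed: accept only a JSON true in 'verified'."""
    if isinstance(body, dict) and body.get("verified") is True:
        return True, None
    # Assumption: "reason" is a top-level element of the error body.
    reason = body.get("reason") if isinstance(body, dict) else None
    return False, str(reason or "no reason returned")

def verify(create_response: dict, token: str) -> tuple[bool, str | None]:
    """POST to the verify endpoint; bearer-token auth is an assumption."""
    req = urllib.request.Request(
        TENANT_URL + VERIFY_PATH,
        data=json.dumps(build_verify_request(create_response)).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret(json.load(resp))
    except (urllib.error.URLError, ValueError) as exc:
        return False, f"request failed: {exc}"
```

Transport errors and unparseable responses are reported as a failed verification rather than raised, so a caller that only checks the boolean never accepts a credential by accident.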