Skip to content
NFH Fabric Support home
NFH Fabric Support home

Verifying credentials

Four ways to verify an OpenCred credential — all running the same engine — and the common result shape.

Anyone holding an OpenCred-issued credential has four supported ways to verify it. All four run the same @opencred/verification engine — pick the surface that matches your environment.

Path

Best for

Inputs accepted

Desktop app — Verify tab

Casual / one-off verification by humans

Pasted JSON · drag-dropped .json / .jsonld · QR image (PNG/JPG) · .pdf upload · live camera QR scan · pasted compact tokens (vc-jwt, sd-jwt-vc, bare PixelPass QR data)

Docker server — POST /v1/credentials/verify

Programmatic / server-to-server / CI/CD

JSON body for text formats (auto-detected) or raw PDF body with Content-Type: application/pdf

opencred verify CLI

One-shot verification from a shell, no HTTP server

File path or stdin; auto-detects JSON-LD, vc-jwt, sd-jwt-vc, PixelPass QR, or PDF. --json for scripts. Ships in the Docker image.

@opencred/verification library

Embedding verification in a Node.js app

Same formats, via verifyCredential and verifyPdf

The result shape

Every path returns the same shape:

  • a top-level valid: true | false

  • an enum code: VALID, REVOKED, EXPIRED, INVALID, UNRESOLVABLE, CONTEXT_MISSING

  • a per-check breakdown: signature, expiry, key resolution, x5c chain (where applicable), revocation, schema, context

What needs network access

Credential type

Offline?

did:key-issued

Verifies fully offline.

did:web-issued

Needs network to fetch the issuer's DID document.

DSC-backed (x5c chain)

Needs a CSCA trust store on disk. See Concepts → Trust chains.

PDF certificates

OpenCred packages credentials as printable PDFs with a scannable QR and a copy of the payload in the PDF's info dictionary. Any path works — drop the PDF into the Desktop Verify tab, POST it to /v1/credentials/verify, or pipe it into the CLI:

opencred verify --input - < credential.pdf

Older PDFs (issued before info-dict embedding shipped) surface a clear "scan the QR or extract the embedded JSON" message rather than a generic failure.

Examples

HTTP (JSON credential):

curl -X POST http://localhost:3100/v1/credentials/verify \ -H "Authorization: Bearer $OPENCRED_API_KEY" \ -H "Content-Type: application/json" \ --data @credential.json

HTTP (PDF):

curl -X POST http://localhost:3100/v1/credentials/verify \ -H "Authorization: Bearer $OPENCRED_API_KEY" \ -H "Content-Type: application/pdf" \ --data-binary @certificate.pdf

CLI (scripted):

opencred verify --input credential.json --json