Verifying credentials
Four ways to verify an OpenCred credential — all running the same engine — and the common result shape.
Anyone holding an OpenCred-issued credential has four supported ways to verify it. All four run the same @opencred/verification engine — pick the surface that matches your environment.
Path | Best for | Inputs accepted |
|---|---|---|
Desktop app — Verify tab | Casual / one-off verification by humans | Pasted JSON · drag-dropped .json / .jsonld · QR image (PNG/JPG) · .pdf upload · live camera QR scan · pasted compact tokens (vc-jwt, sd-jwt-vc, bare PixelPass QR data) |
Docker server — POST /v1/credentials/verify | Programmatic / server-to-server / CI/CD | JSON body for text formats (auto-detected) or raw PDF body with Content-Type: application/pdf |
opencred verify CLI | One-shot verification from a shell, no HTTP server | File path or stdin; auto-detects JSON-LD, vc-jwt, sd-jwt-vc, PixelPass QR, or PDF. --json for scripts. Ships in the Docker image. |
@opencred/verification library | Embedding verification in a Node.js app | Same formats, via verifyCredential and verifyPdf |
The result shape
Every path returns the same shape:
a top-level
valid: true | falsean enum
code:VALID,REVOKED,EXPIRED,INVALID,UNRESOLVABLE,CONTEXT_MISSINGa per-check breakdown: signature, expiry, key resolution,
x5cchain (where applicable), revocation, schema, context
What needs network access
Credential type | Offline? |
|---|---|
did:key-issued | Verifies fully offline. |
did:web-issued | Needs network to fetch the issuer's DID document. |
DSC-backed (x5c chain) | Needs a CSCA trust store on disk. See Concepts → Trust chains. |
PDF certificates
OpenCred packages credentials as printable PDFs with a scannable QR and a copy of the payload in the PDF's info dictionary. Any path works — drop the PDF into the Desktop Verify tab, POST it to /v1/credentials/verify, or pipe it into the CLI:
opencred verify --input - < credential.pdf
Older PDFs (issued before info-dict embedding shipped) surface a clear "scan the QR or extract the embedded JSON" message rather than a generic failure.
Examples
HTTP (JSON credential):
curl -X POST http://localhost:3100/v1/credentials/verify \ -H "Authorization: Bearer $OPENCRED_API_KEY" \ -H "Content-Type: application/json" \ --data @credential.json
HTTP (PDF):
curl -X POST http://localhost:3100/v1/credentials/verify \ -H "Authorization: Bearer $OPENCRED_API_KEY" \ -H "Content-Type: application/pdf" \ --data-binary @certificate.pdf
CLI (scripted):
opencred verify --input credential.json --json