Verification API
Document Rails features a unified credential and presentation verification API, which you can use to check cryptographic signatures, issuance/expiration dates, and other document properties.
sequenceDiagram
participant Wallet
participant Application
participant Document Rails
Note over Wallet, Application: Optional communication layer
Application-->>Document Rails: Credentials/presentations
Document Rails-->>Application: Verification status
The verification API supports the following documents:
| Name | Description | Kind | Input |
|---|---|---|---|
| W3C Verifiable Credential | A regular W3C V2 verifiable credential | w3c-vc | data field that accepts a W3C VC object |
| W3C Verifiable Presentation | A regular W3C V2 verifiable presentation | w3c-vp | data field that accepts a W3C VP object |
| MDoc presentation | A device-signed MDoc presentation | mdoc | data field that accepts a Base64 (standard, padded) string |
| SD-JWT | An SD-JWT credential without the key binding | sd-jwt | data field that accepts an SD-JWT string |
| KB-JWT | An SD-JWT credential with the key binding | kb-jwt | data field that accepts a KB-JWT string |
| C2PA | A resource with a C2PA data | c2pa | data field that accepts a Base64 (standard, padded) string |
Configuration flags
Document verification checks are configurable with the following flags:
| Name | Description | Default value |
|---|---|---|
check_signature | Whether to check the document signature | true |
check_trust_registry_list | Whether to check the document signer against provided trust registries | true |
check_canonical_form | Whether to check the document canonical form | true |
check_issuance_date | Whether to check the document issuance date | "required" |
check_expiration_date | Whether to check the document expiration date | "required" |
check_revocation_status | Whether to check the document revocation status | "optional" |
check_certificate_revocation_status | Whether to check the certificate revocation status | "optional" |
check_certificate_not_before | Whether to check the certificate NotBefore field | "optional" |
check_certificate_not_after | Whether to check the certificate NotAfter field | "optional" |
Certificate revocation status flag
check_certificate_revocation_status affects only X.509 certificates for supported credentials that utilize them as part of the verification process.
This flag does not affect separate credential status list checks, if a given credential kind supports them.
For example, when using MDoc credentials, enabling check_revocation_status but disabling check_certificate_revocation_status would still let Document Rails verify the status list hosted on the third-party SLP server, while ignoring X.509 certificate-specific revocation status.
Even with all flags disabled, Document Rails may still perform a basic document integrity check.
Some document kinds may not support some of these flags.
Disabling trust registry list matching
This functionality is supported only for W3C credentials at the moment.
Flag values
Certain flags support flexible configuration of checks depending on the presence of a given value within a credential.
| Value | Description |
|---|---|
"required" | Check is always performed |
"optional" | Check is performed if credential has relevant data |
"ignored" | Check is disabled |