Open Trust Infrastructure

Sign badges. Verify domains. Share proof.

Issue Signet credentials with domain-bound signatures and verify them through public endpoints. No lock-in, no platform-only trust claims, and no API key needed for verification.

  • Signet v2 and v3
  • W3C VC compatible
  • Ed25519 signatures
  • Public verifier APIs

What this proves

Domain identity, cryptographic integrity, and public verification in one open workflow.

Domain-bound signatures

Identity anchored to domains

Badges are signed with Ed25519 keys and checked against issuer domain metadata at well-known endpoints.

Public verification

No-key verification endpoints

Anyone can verify badges by URL or JSON through public APIs with SSRF protections for untrusted input.

Three trust states

Clear output, no inflation

DOMAIN_VERIFIED_SIGNATURE, DEMO_DOMAIN_VERIFIED_SIGNATURE, or UNVERIFIED. Assessment rigor remains issuer policy.

What this implementation contributes

Distinctive strengths versus hosted badge platforms.

Security

SSRF-hardened public verifier

Public verify routes block private/internal targets before any server-side fetch happens.

Trust policy

Anti-impersonation domain checks

Issuer verification is tied to /.well-known/openbadges-issuer.json, with rate limits and cooldowns.

Agent-native ops

API + CLI + MCP + llms.txt

Run the same trust flow manually or programmatically with markdown-first and MCP-compatible interfaces.

Issue in four API calls

From issuer setup to verifiable assertion URL in one pipeline. Or run the same flow via CLI.

1. Verify issuer domain

POST /public/api/issuers/verify

2. Create issuer + badge class

POST /api/issuer
POST /api/badge-class

3. Issue + sign

POST /api/credential-subject
POST /api/sign-badge

4. Verify publicly

GET /public/api/verify/badge/:badgeUrl(*)

Who this serves

Separate paths for issuance operations and verification operations, both on open rails.

For issuers

Issue from your own domain and keys

Generate issuer metadata, publish /.well-known/openbadges-issuer.json, verify domain control, and sign badges without platform lock-in.

For verifiers

Verify badges without private access

Paste badge URLs or JSON, inspect trust state and key fingerprint, and automate checks with public verifier endpoints.

Step 0: Prompt-to-badge activation

Use a short learning summary, generate a signed sample badge, and share a verify link. This is the fastest path for enthusiasts to test the system end-to-end.

Trust caveat

Verifier proves signer identity

Verification answers who signed the badge and whether the key is discoverable for that domain. It does not score educational quality or accreditation.

The Let's Encrypt direction for credentials

Free, interoperable trust rails for issuers and verifiers. Built by Firmament Works.

Read the vision