01
Verify issuer domain
POST /public/api/issuers/verify
API Reference
Public verification.
Authenticated issuance.
No-key routes under /public/api/* handle verification and trust discovery.
Authenticated routes under /api/* manage issuance and signing.
Issue and verify in four calls
Minimal sequence from domain readiness to public verification.
02
Create issuer + badge class
POST /api/issuer
POST /api/badge-class
03
Issue + sign
POST /api/credential-subject
POST /api/sign-badge
04
Verify publicly
GET /public/api/verify/badge/:badgeUrl(*)
Public — no key required
Verify and discover trust without authentication
Verify a signed sample
curl "https://badges.firmament.works/public/api/verify/badge/https%3A%2F%2Fbadges.firmament.works%2Fsamples%2Fdemo-openbadge-v3-signed.json"
Expected response fields
{
"trustState": "DEMO_DOMAIN_VERIFIED_SIGNATURE",
"issuerDomain": "example.com",
"validationLabel": "DEMO",
"keyFingerprint": "sha256:...",
"verificationReason": "Signature is valid. Issuer uses the reserved example.com demo domain.",
"issuerClaimedName": "EXAMPLE.com Demo Issuer"
}
Trust discovery
curl "https://badges.firmament.works/public/api/trust/issuer/badges.firmament.works" curl "https://badges.firmament.works/public/api/trust/events/badges.firmament.works" curl "https://badges.firmament.works/public/api/trust/issuers?status=verified"
Trust write (rate-limited, no key)
curl -X POST "https://badges.firmament.works/public/api/issuers/verify" \
-H "Content-Type: application/json" \
-d '{"domain":"example.org"}'
Authenticated — X-API-Key required
Issuance, signing, and admin operations
Auth header
X-API-Key: <API_KEY>
Authenticated endpoint map
GET /api/validate-issuer-domain POST /api/issuer POST /api/badge-class POST /api/credential-subject POST /api/sign-badge POST /api/cache-public-key GET /api/badge-files GET /api/metrics
Agent-native
Human and LLM workflows use the same contract. See llms.txt for machine-readable docs, or connect via the MCP server for tool-native operations.
Implementation-specific behavior
Distinct additions beyond baseline issuance and verification.
Security
SSRF-hardened verifier routes
Public verify endpoints block localhost and private-network fetch targets before any server-side retrieval occurs.
Trust policy
Domain ownership verification
Trust writes are tied to issuer metadata at /.well-known/openbadges-issuer.json with rate limits and cooldown controls.
Interfaces
API + CLI + MCP + llms.txt
Human and LLM workflows issue, verify, and inspect trust state through the same public contract with identical semantics.
Endpoint reference
All public routes. No authentication required.
Verification plane
-
GETFetch and verify a remote badge URL.
/public/api/verify/badge/:badgeUrl(*) -
GETValidate issuer profile and key discoverability.
/public/api/verify/issuer/:issuerUrl(*) -
POSTVerify an inline badge JSON object.
/public/api/verify/json
Trust plane
-
POSTRate-limited trust write by domain ownership proof.
/public/api/issuers/verify -
GETRead issuer trust state record.
/public/api/trust/issuer/:domain -
GETRead recent trust events for a domain.
/public/api/trust/events/:domain -
GETList trusted issuers by status filter.
/public/api/trust/issuers?status=verified