Build a verifier

You run the buyer or retailer side: ask the product's wallet to present its authenticity credential, then verify the proof — over the same VCALM exchange loop the wallet speaks.

You'll do exactly 3 things

Expose an interaction URL that advertises vcapi.
When the wallet POSTs to start, respond with a verifiablePresentationRequest describing the credential you need.
Receive the verifiablePresentation and verify its proof, challenge, and domain.

1. Request the credential

When the wallet POSTs an empty body to your exchange URL, respond with a QueryByExample asking for the credential type you need:

{
  "verifiablePresentationRequest": {
    "query": [{
      "type": "QueryByExample",
      "credentialQuery": [{
        "reason": "Please present this product's authenticity credential.",
        "example": {
          "@context": [
            "https://www.w3.org/ns/credentials/v2",
            "https://w3id.org/traceability/v1"
          ],
          "type": "ProductPassportCredential"
        },
        "trustedIssuer": [{
          "required": true,
          "issuer": "did:web:brand.example"
        }]
      }]
    }],
    "challenge": "3182bdea-63d9-11ea-b6de-3b7c1404d57f",
    "domain": "retailer.example"
  }
}

The challenge and domain are what you'll verify in the returned proof — they stop a captured presentation from being replayed. Use trustedIssuer to require the credential come from the real brand.

2. Receive the presentation

The wallet POSTs the signed presentation back to the same exchange URL:

{
  "verifiablePresentation": {
    "@context": ["https://www.w3.org/ns/credentials/v2"],
    "type": ["VerifiablePresentation"],
    "holder": "did:example:bag-456",
    "verifiableCredential": [{ "...": "the authenticity VC" }],
    "proof": {
      "challenge": "3182bdea-63d9-11ea-b6de-3b7c1404d57f",
      "domain": "retailer.example",
      "...": "holder signature"
    }
  }
}

3. Verify the proof

Before you trust the product is genuine, check all of the following:

The presentation proof is valid and the challenge / domain match what you sent.
The credential's proof is valid and the issuer is the brand you trust.
The credential is not revoked (e.g. reported stolen or recalled) — check its status.
The credential is unexpired and the type matches your request.

That's it

A conformant provenance verifier is this exchange: request, receive, verify. The cryptographic verification is your verifier instance's job — the coordinator just runs the exchange.

Prefer a library to raw HTTP?

Verifier-side helpers live in Digital Bazaar's Bedrock VC modules. A dogfooded standalone VCALM client is planned; until it ships, the HTTP flow above is the supported path.

Go deeper

← Back to roles