Documentation · everything needed to verify or issue

Docs

The whitepaper, step-by-step guides for verifying and issuing, and the API at a glance. Everything here describes what is live — nothing aspirational.

Quickstart Receipt format Badge embed Trust SKU Whitepaper How to verify How to issue API reference Troubleshooting Info & links

Quickstart curl → verify in 5 min

Verification needs no account. Paste a receipt or a CID and get the four-state result. (Endpoints are exact and live at api.dcslabs.ai.)

1. Verify a credential you already have

curl -s -X POST https://api.dcslabs.ai/v1/credentials/verify \
  -H "Content-Type: application/json" \
  -d '{"cid":"sha256:<your-cid>"}'

2. Or verify by full receipt + original document (checks the hash too)

curl -s -X POST https://api.dcslabs.ai/v1/credentials/verify \
  -H "Content-Type: application/json" \
  -d '{"receipt":{ ... }, "document":{ ... }}'

3. Issuers: get a free key, then issue

curl -s -X POST https://api.dcslabs.ai/v1/auth/signup -H "Content-Type: application/json" -d '{"email":"[email protected]"}'
curl -s -X POST https://api.dcslabs.ai/v1/credentials/issue \
  -H "Authorization: Bearer <key>" -H "Content-Type: application/json" \
  -d '{"subject":{ ... }}'

The verify response is a four-state result (verified / invalid / revoked-or-suspended / unknown). No format guessing — unsupported inputs are refused, never faked.

Receipt format R+2 · RFC 8785

A receipt is a small JSON object. The content ID (CID) is computed over the canonical unsigned form (RFC 8785 JCS + SHA-256), so the signature never affects the CID.

{
  "id": "<issuer-scoped id>",
  "cid": "sha256:<hash of the canonical unsigned form>",
  "issuer": "did:web:dcslabs.ai",
  "subject": { ... },           // your credential payload
  "status": { "listId": "...", "index": 42 },   // optional
  "signature": "<Ed25519 over the canonical bytes>"
}

Verification recomputes the CID from the unsigned form, checks the Ed25519 signature against the issuer's did:web key, then checks the status list and any Base anchor. Fields you don't recognise are tolerated (forward-compatible).

Badge embed badge.js

Drop a verifiable badge on any page. It links to the live verify view for the credential and reflects real status.

<script src="https://verify.dcslabs.ai/badge.js" defer></script>
<span class="dcs-badge" data-cid="sha256:<your-cid>"></span>

The badge resolves the CID against the public verify endpoint and shows verified / revoked / unknown — clicking through opens verify.html?cid=... so anyone can re-check independently.

Trust SKU integration issuer onboarding

The Trust SKU is the issuer offering: sign your credentials as receipts, manage their lifecycle, and let anyone verify without trusting you.

1. Entitlement: your tenant is provisioned an issuer ID and an API key (Bearer).
2. Issue: POST /v1/credentials/issue signs + stores, with an optional status slot and Base anchor.
3. Lifecycle: POST /v1/credentials/{cid}/revoke|suspend|reactivate — revocation permanent, suspension reversible.
4. Embed: put the badge (above) on certificates/portals so recipients verify in one click.
5. Registry: your issuer appears in the public registry with a reproducible trust score (open formula, no pay-to-rank).

Pricing and tiers are on the pricing page. Verification stays free and account-free for everyone.

Technical whitepaper v1.0 · PDF

The complete technical reference: the R+2 receipt format, RFC 8785 canonicalization, the CID rule, Ed25519 signing and key rotation, Bitstring status lists, Base mainnet anchoring, the four-state verification algorithm, inbound W3C VC / Open Badges verification, the trust registry and open scoring formula, the security model, and full usage guides.

↓ Download whitepaper (PDF) Open in browser

How to verify a credential

Free, no account, four ways — pick whichever fits.

1 · On the website

Open verify.html.
Paste the credential ID (sha256:…) or the full receipt JSON you were given.
Optional: paste the original document JSON to also prove the file matches.
Press Verify. You get one of four states — valid · expired · suspended/revoked · renewed — plus the three checks (signature, document hash, Base anchor) and the raw materials to re-check everything yourself.

2 · On your phone (app)

Open app.html — installable via "Add to Home Screen".
Tap ⌖ Scan QR and point the camera at a credential QR (works on Android and iPhone), or paste the CID.

3 · By API (one call, no key)

curl -s -X POST https://api.dcslabs.ai/v1/credentials/verify \
  -H 'Content-Type: application/json' \
  -d '{"cid":"sha256:..."}'

→ {"validity_status":"valid","signature_valid":true,
   "hash_match":null,"anchor_present":true,"latest_cid":null}

4 · Fully independently — no DCS servers at all

Take the receipt JSON; remove the signature field.
Canonicalize it with RFC 8785 (JCS) and hash with SHA-256 → must equal the receipt's cid.
Verify the Ed25519 signature against the receipt's pubkey with any crypto library.
Confirm the key belongs to the issuer at dcslabs.ai/.well-known/did.json.
Confirm the anchor on basescan.org — the transaction's input data is the CID.

The MIT reference verifier implements all of this: github.com/DCS-LabsAI/r2-standard. Steps 1–5 work even if every DCS server is offline — that is the design.

Verifying other formats

W3C Verifiable Credentials (eddsa-jcs-2022) and Open Badges 3.0 verify through POST /v1/verify/universal — keys resolved via did:key or did:web. Unsupported formats get an honest "not yet verifiable", never a fake valid.

How to issue credentials

From zero to your first signed, anchored credential in four steps.

Step 1 · Get a free API key

Self-serve at join.html — instant, shown once, store it safely.

Step 2 · Request your issuer ID

curl -s -X POST https://api.dcslabs.ai/v1/issuers/request \
  -H "Authorization: Bearer $KEY" -H 'Content-Type: application/json' \
  -d '{"issuer_id":"your-org","display_name":"Your Organisation",
       "contact_email":"[email protected]","profile":"r2-education"}'

Requests are reviewed (the public registry lists real, accountable organisations only). Once approved, your profile and trust score appear in the Explorer automatically.

Step 3 · Issue

curl -s -X POST https://api.dcslabs.ai/v1/credentials/issue \
  -H "Authorization: Bearer $KEY" -H 'Content-Type: application/json' \
  -d '{
    "issuer": "your-org",
    "credential_type": "certificate",
    "subject": { "subject_name": "Asha Verma",
                 "issuer_institution": "Your Organisation",
                 "credential_title": "Full-Stack Diploma",
                 "issued_date": "2026-06-04" },
    "status_enabled": true,
    "anchor": true
  }'

Returns the signed receipt. Give the holder the receipt JSON, or simply the link / QR:

https://verify.dcslabs.ai/verify.html?cid=sha256:...

Step 4 · Manage over time

POST /v1/credentials/{cid}/revoke       # permanent — cannot be undone
POST /v1/credentials/{cid}/suspend      # temporary
POST /v1/credentials/{cid}/reactivate   # clears suspension only

Sector profiles (r2-education, r2-gov, r2-health, r2-finance) enforce required claims at issue time — pass "profile" in the issue body. Education credentials are permanent by default, revocable on fraud.

API at a glance api.dcslabs.ai

Endpoint	Auth	What it does
`POST /v1/credentials/verify`	none	Verify by cid or receipt (+ optional document) → four-state result
`GET /v1/credentials/{id\|cid}`	none	Fetch a receipt (`?format=w3c` for the VC envelope)
`GET /v1/status/{listId}`	none	Public status bitstring · `/v1/status/cid/{cid}` for one credential
`POST /v1/verify/universal`	none	Any format → verify or honest refusal · `GET …/formats` for the matrix
`GET /v1/registry`	none	All issuers + reproducible trust scores · `/{issuer}` for one profile
`GET /v1/explorer/stats`	none	Real network counts
`POST /v1/portal/check`	none	Anti-clone advisory for a portal URL
`POST /v1/auth/signup`	none	{email} → free API key (rate-limited)
`POST /v1/credentials/issue`	Bearer	Sign + store + optional status slot and Base anchor
`POST /v1/credentials/{cid}/revoke\|suspend\|reactivate`	Bearer	Lifecycle management
`POST /v1/issuers/request`	Bearer	Request your own issuer ID

Troubleshooting

Symptom	Likely cause	Fix
Result is `unknown`	CID not found / never issued by a known issuer	Confirm the CID is exact; check the issuer is in `/v1/registry`
Result is `invalid` after editing the document	The document no longer hashes to the receipt CID	Verify against the original unmodified document JSON
Signature check fails	Issuer key rotated, or wrong did:web	Re-fetch the issuer key from `dcslabs.ai/.well-known/did.json`
Badge shows nothing	badge.js blocked or wrong `data-cid`	Check the script loads over HTTPS and the CID attribute is set
`401` on issue	Missing/expired Bearer key	Re-issue a key via `/v1/auth/signup` (verification never needs a key)
`429`	Rate limit on the free tier	Back off per the `Retry-After` header; upgrade for higher limits

Info & links

The standard: R+2 is open and MIT-licensed — spec, conformance vectors, and reference verifier at github.com/DCS-LabsAI/r2-standard.
Issuer identity: the DCS signing key is publicly bound to the domain at dcslabs.ai/.well-known/did.json (did:web).
Trust scores: open formula — reliability 30 · longevity 20 · volume 20 · audit 20 · federation 10. Every registry response includes the inputs so you can recompute the number yourself. No pay-to-rank.
Honesty rules: network counts are real or shown as absent; advisory signals (portal risk, AI, fraud) are never blended into the cryptographic verdict; unsupported formats are refused, never faked.
Status semantics: revocation is permanent by design; suspension is reversible; status lists are anonymous public bitstrings.
Legal: Terms of Service · Privacy Policy.
Anchoring: credentials can be anchored as a hash in Base mainnet calldata — check any anchor on basescan.org.