Mintall logoMintall

Integration Guide

Recommended integration guide for agents verifying product images with Mintall Certificate for Product (MC4P).

Practical guidance for implementing MC4P verification in an workflow. This section describes how agents discover certificates and apply minimal and full verification paths.

3.1 How to Verify a Product Image

Prerequisites (Inputs)

  • image_id: UUID for the certified image (Mintall asset identifier).
  • current_domain: The domain where the agent observed the product page or certificate usage (hostname only).

Verification Steps

  1. Obtain the MC4P Certificate (JSON-LD) Either by parsing JSON-LD embedded in the product page or by fetching the certificate from its canonical URL.
  2. Normalize the certificate (optional) If the certificate was discovered inline, the agent may fetch the canonical certificate to ensure a normalized, cacheable representation.
  3. Verify the JWT proof Validate the JWT signature using the cached JWKS.
  4. Verify domain authorization Confirm the observed domain matches an authorized domain in the certificate. If domainVerified is false, treat the result according to your policy.
  5. For full verification only Verify the C2PA manifest against the evaluated image bytes.

3.2 Minimal Verification Path

The minimal path establishes domain-level authorization and certificate consistency via JWT verification, without verifying image provenance.

Steps

  1. Obtain the MC4P Certificate (JSON-LD), either from embedded page data or via the certificate endpoint (minimal or full).
  2. Verify the JWT proof using cached JWKS.
  3. Confirm the observed domain is included in authorizedDomains. If domainVerified is false, treat the result according to your policy (for example downgrade trust, or require server-assisted verification).

Use When

  • Ranking, filtering, or allowlisting decisions are required.
  • Fast, low-latency verification is needed.
  • Full image provenance verification is not required.

3.3 Full Verification Path

The full path establishes cryptographic provenance and strict context binding.

Steps

  • Perform the minimal verification path.
  • Fetch or compute the image bytes being evaluated.
  • Verify the C2PA manifest against the image bytes.
  • Validate all bound context fields (e.g., productUrl, productId) where available.
  • Optionally confirm registry anchor references for audit or indexing purposes.

Notes

Registry anchor data is advisory and MUST be validated via the C2PA manifest. Registry fields surfaced in JWTs or JSON-LD MUST NOT be treated as authoritative.

3.4 What to Do on Failure

If any required check fails:

  • Treat the asset as unverified in the observed context.
  • Downgrade trust or exclude the asset from automated actions.
  • Record which check failed (JWT, domain authorization, or C2PA verification).
  • Avoid caching failures indefinitely; periodically re-check domain authorization and JWKS according to your retry policy.

Common Failure Modes

  • HTTP 402: Certificate paused due to plan or entitlement limits.
  • HTTP 404: No certificate exists for the image_id.
  • JWT verification fails: Treat as untrusted.
  • Domain mismatch: Observed domain not in authorizedDomains.
  • Domain not verified: Domain control not confirmed by Mintall.
  • C2PA verification fails: Image bytes do not match the signed manifest or trust chain is invalid.

3.5 Common Integration Mistakes

  • Verifying a certificate without verifying the domain context.
  • Treating server-assisted verification as a substitute for JWT verification.
  • Trusting viewer UIs instead of verifying against actual image bytes.
  • Not caching JWKS and refetching keys on every request.
  • Accepting certificates on subdomains not explicitly authorized.