The Mintall Verification API is a public surface for verifiers and agents to retrieve Mintall Certificate for Product (MC4P) and reproduce key verification checks in a deterministic way. It assumes the terminology and trust model defined in the Verification Specification.
The offering is intentionally small:
proof.jwt offline.The API MUST NOT be treated as an authoritative source of image integrity or provenance; registry and provenance claims MUST be validated against the C2PA manifest extracted from the evaluated image bytes.
The following inputs are required to perform deterministic verification checks as defined in this API and the Verification Specification.
image_id: UUID for the certified image (Mintall asset identifier).current_domain: The domain where the agent observed the product page / certificate usage (hostname only). (For server calls this is sent as domain.)Complete API specification for all verification endpoints. Each endpoint includes required request format, response schema, authentication, error codes, and use cases.
Fetch the MC4P Certificate without full audit metadata. This endpoint is commonly used to normalize or refresh certificates that were first discovered via embedded JSON-LD.
Certificate// No request body for GET
200 OK{"@context": "https://schema.org","@type": "DigitalDocument","imageId": "5b749adb-f198-428f-a7af-4323f9c16297","verification": {"authorizedDomains": ["merchant.example"],"domainVerified": true,"hasSignature": true}}
Lightweight inspection, prefetching, or ranking-time evaluation.
Agents, verifiers, search/ranking systems
The minimal response may omit fields needed for full audit/offline verification (for example `contentCredentials.asset.url` and `cryptographicProof`). Verifiers requiring byte-level C2PA verification or full audit MUST request `full=true`.
Fetch the complete JSON-LD certificate with JWT proof, C2PA references, and metadata.
Certificate// No request body for GET
200 OK{"@context": ["https://schema.org", "..."],"@type": "MediaObject","proof": {"type": "JwtProof2020","jwt": "eyJhbGciOiJSUzI1NiIsImtpZCI6..."},"contentCredentials": {"dateIssued": "2025-12-14T17:12:00Z","lastUpdated": "2025-12-14T17:12:00Z"}}
Retrieve the certificate for offline verification, caching, or passing to third-party verifiers.
Compliance tools, auditing systems, offline verification, registries
Fetch the JSON Web Key Set used to verify Mintall-signed JWTs embedded in certificates.
JWKS// No request body for GET
200 OK{"keys": [{"kty": "RSA","kid": "mintall-2025-01","use": "sig","alg": "RS256","n": "...","e": "AQAB"}]}
Pin a verifier to the right signing key before validating `proof.jwt`.
Agents, third-party verifiers, platforms
Verify that a certificate is valid for the domain where it was observed (domain authorization + basic integrity checks).
VerificationRequest{"domain": "merchant.example"}
200 OK{"verified": true,"imageId": "5b749adb-f198-428f-a7af-4323f9c16297","authorizedDomain": "merchant.example","currentDomain": "merchant.example","checks": {"domainMatches": true,"certificateConsistency": true},"warnings": [],"errors": []}
Fast, default check when an agent encounters a certificate on a page.
Agentic commerce ranking, allowlisting, automated purchasing
`certificateConsistency` indicates internal consistency of the certificate and server-side authorization checks. It does not represent C2PA image integrity verification.
Context verification ensures a certificate is valid for the specific domain and context where it was observed. The POST /api/v1/mc4p/{image_id}/verify endpoint supports multiple verification modes by including optional fields in the request body:
domain to check domain authorization (see section 2.2.4).verifyField: "productId" to validate product binding.verifyField and fieldValue for other bound fields.Verify that the certificate context matches the expected product identifier for the page.
VerificationRequest{"domain": "merchant.example","verifyField": "productId","fieldValue": "gid://shopify/Product/1234567890"}
200 OK{"verified": true,"imageId": "5b749adb-f198-428f-a7af-4323f9c16297","checks": {"domainMatches": true},"warnings": [],"errors": []}
Validate that a certificate is bound to the exact product an agent is evaluating.
Marketplaces, search/ranking systems, agent checkout flows
Verify a single bound field in the certificate context (e.g., productUrl, sku, or platform-specific identifiers).
VerificationRequest{"domain": "merchant.example","verifyField": "productUrl","fieldValue": "https://merchant.example/products/modern-lamp"}
200 OK{"verified": true,"imageId": "5b749adb-f198-428f-a7af-4323f9c16297","checks": {"domainMatches": true},"warnings": [],"errors": []}
Enforce strict context binding for replay protection.
Integrations that need deterministic field-level checks
The following error codes are canonical error codes used by the Verification API. Individual endpoints may return a subset.
400 Bad Request: Invalid payload or missing required fields.402 Payment Required: Certificate paused due to entitlement or plan limits.403 Forbidden: Domain not authorized for this certificate.404 Not Found: No certificate exists for the specified image_id.412 Precondition Failed: Domain verification required (when enforcement is enabled).422 Unprocessable Entity: Context mismatch or unsupported verification field.500 Internal Server Error: Temporary server failure.JWKS responses are cacheable and SHOULD be reused for offline JWT verification. Verifiers SHOULD cache MC4P Certificates when possible and treat them as immutable for the duration of their validity window.
Offline verification requires:
C2PA verification MUST be performed against the image bytes being evaluated.
Agents may implement different verification profiles depending on use case:
JWT Verification Requirements: