MC4P certificates are JSON-LD documents that include a signed JWT proof and references to C2PA content credentials embedded in an image. The verification model is designed to support future extensions while preserving baseline verification requirements. Verification involves cryptographic checks of the JWT and C2PA signatures, as well as context binding to ensure the certificate is used in an authorized domain and context.
GET /api/v1/mc4p/{image_id}/certificate?full=trueproof.jwt and (when full=true) contentCredentials.asset.url.POST /api/v1/mc4p/{image_id}/verifyGET /api/v1/.well-known/jwks.jsonproof.jwt.A Mintall Certificate for Product (MC4P), represented as a JSON-LD document
returned by GET /api/v1/mc4p/{image_id}/certificate. When full=true is
specified, the response includes additional fields required for full
cryptographic and audit verification.
Shorthand for MC4P Certificate when used elsewhere in this specification.
A JSON Web Token signed using JSON Web Signature (JWS), used to assert certificate claims and context binding.
proof.jwt.JSON Web Key Set used to verify the JWT signature (GET /api/v1/.well-known/jwks.json).
The Coalition for Content Provenance and Authenticity specification for embedding cryptographically verifiable content credentials in media assets.
An issuance-time identifier embedded in the asset’s C2PA manifest and optionally mirrored as a reference in MC4P JWT claims.
Fields in the certificate that bind it to a specific evaluation context,
including verification.authorizedDomains and other bound fields (e.g.,
productUrl, sku).
Evidence that the certificate is intended for a merchant domain and that domain control has been verified (public challenge verification: partial).
Trust is based on cryptographic verification of proofs (JWT + C2PA) and consistency checks against observed context (domain + bound fields).
The system is designed so third parties can reproduce core checks without private state.
No single field or flag is authoritative; verification depends on reproducing checks.
Domain authorization is a soft signal. It indicates control over a domain, but does not establish merchant identity or business legitimacy.
Some signals (for example registry anchoring) may influence trust scoring, but are not mandatory inputs for third-party verification.
Signed data is tamper-evident (JWT and/or C2PA). Byte-level verification
requires image bytes and (for convenience) fields returned when the
certificate is fetched with full=true (for example
contentCredentials.asset.url).
Verification is expected to fail when the certificate is replayed in an unauthorized context.
Certificates are intended to be valid only on authorized domains.
Fetch and parse certificate JSON-LD. Full cryptographic/audit verification
may require fetching the certificate with full=true (for example to obtain
contentCredentials.asset.url and cryptographicProof).
Verify C2PA manifest against image bytes (if present).
Validate context binding (domain + bound fields).
This endpoint may perform additional checks that are not yet publicly reproducible.
Agents can call POST /api/v1/mc4p/{image_id}/verify to validate authorization and compare JWT claims against server-computed checks.
Minimum checks require that the observed domain is within verification.authorizedDomains. The verification.domainVerified flag is a Mintall-recorded signal (currently not enforced by the public certificate endpoint). When verification.domainAuthorization is present, a verifier can validate domain control using DNS TXT or HTTP well-known data. If enforcement is enabled server-side, POST /api/v1/mc4p/{image_id}/verify returns 412 Precondition Failed when the authorized domain is not verified.
GET /api/v1/mc4p/{image_id}/certificate?full=trueimageId (must match {image_id})verification.canonicalUrl (treat as the canonical fetch location)verification.authorizedDomains (list of allowed hostnames)verification.domainVerified (Mintall-recorded verified flag)verification.domainAuthorization (if present)proof.jwt (if present)contentCredentials.hasC2PAcontentCredentials.asset.url (if present; requires full=true)registryAnchor.transactionHash / registryAnchor.explorerUrl (if present)Preconditions: proof.jwt exists; the agent can fetch JWKS.
GET /api/v1/.well-known/jwks.jsonkid selection from the JWT header and JWKS keys.imageId equals the certificate imageIdauthorizedDomains (if present) contains current_domaindomain (if present) is consistent with authorizedDomainsNote: the JWKS endpoint is designed to be cached by verifiers.
Minimum checks:
current_domain ∈ verification.authorizedDomains.verification.domainVerified == true (Mintall-recorded state).If verification.domainAuthorization is present, a verifier can additionally validate domain control using public web data (DNS TXT or HTTP well-known).
Verify C2PA provenance and integrity against the image bytes you are evaluating (c2patool / CAI SDK).
Notes: full cryptographic verification requires verifying against the actual image bytes. credentials.mintall.ai is a public viewer for humans; automated agents should verify using a C2PA verifier against image bytes instead.
If the certificate includes a registry anchor:
registryAnchor.transactionHash and registryAnchor.explorerUrl.This specification is expected to evolve as new verification signals are added (e.g., additional public registries, richer context binding, expanded error semantics). Backwards compatibility should be preserved where possible.