Validation & Verification
DPP Kit provides tools for validating and verifying credentials at multiple levels — from cryptographic signature checks to full UNTP schema conformance testing.
Verification vs Validation
| Term | What It Checks |
|---|---|
| Verification | Is the credential cryptographically valid? (signature, DID, status) |
| Validation | Does the credential conform to the expected UNTP and W3C schemas? |
Cryptographic Verification
Every time you view a credential in DPP Kit, it is automatically verified:
- Signature check — Is the cryptographic proof valid?
- DID resolution — Does the issuer's DID resolve to a valid DID Document with the expected public key?
- Status check — Is the credential still active (not revoked)?
Verification Results
| Badge | Meaning |
|---|---|
| Pass (green) | All checks passed — the credential is authentic and active |
| Fail (red) | One or more checks failed — investigate before trusting |
UNTP Tier 2 Validation
DPP Kit includes a built-in UNTP Tier 2 validation engine that checks credentials against both UNTP type-specific schemas and the W3C Verifiable Credentials Data Model v2 schema. This is the same validation logic used by the UNTP Playground.
Validation Steps
Each validation run performs up to 5 checks:
| Step | What It Checks |
|---|---|
| Proof Type Detection | Identifies whether the credential uses enveloping (JWT) or embedded proof |
| Cryptographic Verification | Verifies the signature via VCKit |
| VCDM v2 Context Check | Confirms the first @context entry is the W3C VCDM v2 URL |
| UNTP Schema Validation | Validates against the type-specific UNTP schema (e.g., DPP, DFR, DCC) |
| VCDM Schema Validation | Validates against the W3C Verifiable Credential Data Model schema |
Error Severities
| Severity | Meaning |
|---|---|
| Error | A required field is missing or has the wrong type — must be fixed |
| Warning | An additional property was found that isn't in the schema — the credential still passes |
additionalProperties warnings are informational. They flag fields that aren't defined in the UNTP schema but don't prevent the credential from passing validation.
Validate Page
The Validate tab in the Toolkit provides two ways to validate credentials:
Verify by URL
Fetch a credential from a URL, verify its signature, and validate against UNTP schemas.
- Go to Toolkit > Credentials > Validate
- Paste a credential URL or IDR link (e.g.,
https://idr.example.com/api/1.0.0/gs1/01/04823171200019) - Click Verify Credential
- Review the step-by-step results
This works with:
- Direct credential URLs — Links to a stored credential JSON file
- IDR links — GS1 Digital Link resolver URLs. DPP Kit automatically resolves the IDR linkset to find the credential.
For URL-based verification, cryptographic verification is treated as a hard requirement — if the signature fails, the credential fails.
Verify Credential File
Upload a signed credential file (e.g., the vc.json downloaded after issuance) to verify its signature and validate against UNTP schemas.
- Go to Toolkit > Credentials > Validate
- Drag and drop a
.jsonfile onto the upload area, or click to browse - Review the step-by-step results
DPP Kit handles EnvelopedVerifiableCredential (JWT-wrapped) format automatically — the JWT is decoded for schema validation while the original envelope is used for signature verification.
For file uploads, cryptographic verification is best-effort — it shows as a warning rather than an error if it fails. This is because your local VCKit instance may not be able to resolve DIDs from external issuers.
Copying Results for AI Assistance
When validation fails, a Copy button appears in the results header. Clicking it copies a structured summary of all errors to your clipboard, formatted for pasting into an AI assistant (e.g., Claude with UNTP schema context). The copied text includes the credential type, version, and every error with its JSON path and message.
Validation in the Credential Editor
The credential editor includes a Run Tier 2 Tests button that validates the current draft against UNTP schemas without needing to issue it first.
- Open a draft credential in the editor (Form or JSON tab)
- Click Run Tier 2 Tests in the action bar
- Results appear alongside the editor — on wide screens, they display side-by-side with the form; on smaller screens, they appear below
This lets you iterate on your credential content and check conformance as you go, before committing to issuance.
Run Tier 2 Tests early and often. It's much easier to fix schema errors in a draft than to discover them after issuance.
Pre-flight Validation in the Pipeline
When you issue a credential, the pipeline automatically runs UNTP Tier 2 validation as a pre-flight check (step 1). If the credential fails schema validation, the pipeline stops and the credential is set to error status with details about what went wrong. You can then edit the draft and re-attempt issuance.
| Checkpoint | When | What |
|---|---|---|
| Pre-flight | Before signing | UNTP Tier 2 schema validation (VCDM v2 context, UNTP schema, VCDM schema) |
| Post-issuance | After signing, before IDR registration | Planned — conformance check on the signed credential |
If post-issuance validation fails, the pipeline compensates by removing the credential from storage (it was uploaded but shouldn't be published).
Evidence Files
Credentials can include evidence files (PDFs, photos, documents) that support the claims being made. Each evidence file has a public/private toggle:
| Visibility | Behavior |
|---|---|
| Public | URL is embedded directly in the signed credential. Anyone with the credential can access the file. |
| Private | URL points to a landing page with organization contact information. The file itself requires authorization. |
The public/private decision must be made before issuance. Once the credential is signed, the embedded URLs are immutable.