> ## Documentation Index
> Fetch the complete documentation index at: https://docs.humanos.tech/llms.txt
> Use this file to discover all available pages before exploring further.

# Verify VP

> Evaluate a VP against runtime context. On allow, returns 201 with the signed receipt. On deny, returns 403 with the reason, evaluations, and receipt in the error body. If the mandate has no constraint schema, only signatures, verifier access, and validity are checked.

Supply the presentation exactly as returned by POST /credential/vp/:vcId — do not re-serialize or modify it. Pass it as either `presentation` (the signed VP object) or `presentationEncoded` (its base64 string); at least one is required — sending neither, a `presentationEncoded` that is not valid base64-encoded JSON, or a presentation that fails shape validation each return 400 — and if both are sent `presentationEncoded` wins. `presentationEncoded` is the recommended field: being an opaque string it is immune to JSON re-serialization / formatting changes (e.g. some HTTP clients reformatting date strings) that would otherwise break the signature.

Supply runtime action arguments in `executionParams` (an object; defaults to `{}`). They are validated against the action's declared executionParams shape and exposed to CEL rules as `executionParams.<field>`; a mismatch denies with reason execution_params_invalid.



## OpenAPI

````yaml /versions/2026-07-06.yaml post /credential/verify
openapi: 3.1.0
info:
  title: Humanos API
  description: Humanos API
  version: '1.0'
  contact: {}
servers: []
security: []
tags:
  - name: humanosApp
    description: ''
paths:
  /credential/verify:
    post:
      tags:
        - Credentials
      summary: Verify VP
      description: >-
        Evaluate a VP against runtime context. On allow, returns 201 with the
        signed receipt. On deny, returns 403 with the reason, evaluations, and
        receipt in the error body. If the mandate has no constraint schema, only
        signatures, verifier access, and validity are checked.


        Supply the presentation exactly as returned by POST /credential/vp/:vcId
        — do not re-serialize or modify it. Pass it as either `presentation`
        (the signed VP object) or `presentationEncoded` (its base64 string); at
        least one is required — sending neither, a `presentationEncoded` that is
        not valid base64-encoded JSON, or a presentation that fails shape
        validation each return 400 — and if both are sent `presentationEncoded`
        wins. `presentationEncoded` is the recommended field: being an opaque
        string it is immune to JSON re-serialization / formatting changes (e.g.
        some HTTP clients reformatting date strings) that would otherwise break
        the signature.


        Supply runtime action arguments in `executionParams` (an object;
        defaults to `{}`). They are validated against the action's declared
        executionParams shape and exposed to CEL rules as
        `executionParams.<field>`; a mismatch denies with reason
        execution_params_invalid.
      operationId: credentials_verify
      parameters:
        - $ref: '#/components/parameters/ApiVersion'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/VerifyPresentationDto'
      responses:
        '201':
          description: Verification allowed — decision + receipt.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VerifyAllowResponseEntity'
        '400':
          description: >-
            No presentation provided, `presentationEncoded` is not valid
            base64-encoded JSON, or the presentation failed shape validation.
          content:
            application/json:
              schema:
                type: object
                properties:
                  statusCode:
                    type: number
                    example: 400
                  message:
                    type: string
                    example: >-
                      Presentation missing: provide `presentation` or
                      `presentationEncoded`
                  error:
                    type: string
                    example: Bad Request
        '403':
          description: >-
            Verification denied — body includes `reason`, `evaluations`, and
            signed `receipt`.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/VerifyDenyResponseEntity'
        '404':
          description: >-
            No credential matches the id in the presentation
            verifiableCredential.
          content:
            application/json:
              schema:
                type: object
                properties:
                  statusCode:
                    type: number
                    example: 404
                  message:
                    type: string
                    example: Credential not found
                  error:
                    type: string
                    example: Not Found
components:
  parameters:
    ApiVersion:
      name: API-Version
      in: header
      required: false
      schema:
        type: string
        pattern: ^\d{4}-\d{2}-\d{2}$
        example: '2026-07-06'
      description: >-
        Pin request, response, and webhook shapes to a specific dated API
        version (YYYY-MM-DD). Omit to use the version pinned to your API key
        (set when the key is created; new keys default to the latest version).
        New integrations should target the latest version.
  schemas:
    VerifyPresentationDto:
      type: object
      properties:
        presentation:
          type: object
          description: >-
            Signed W3C Verifiable Presentation (@context, type, holder,
            verifiableCredential, proof), exactly as returned by POST
            /credential/vp/:vcId — do not re-serialize or modify it.

            Provide this or `presentationEncoded` (at least one is required;
            `presentationEncoded` overrides and is recommended, since a base64
            string avoids JSON formatting changes that can break the signature).
          example:
            '@context':
              - https://www.w3.org/ns/credentials/v2
              - https://via.humanos.dev/ns/v1
            type:
              - VerifiablePresentation
            holder: did:web:humanos.tech:org:550e8400-e29b-41d4-a716-446655440000
            verifiableCredential:
              '@context':
                - https://www.w3.org/ns/credentials/v2
                - https://via.humanos.dev/ns/v1
              id: urn:via:credential:550e8400-e29b-41d4-a716-446655440000
              type:
                - VerifiableCredential
                - VIAMandate
              issuer: did:web:humanos.tech
              validFrom: '2025-01-01T00:00:00Z'
              validUntil: null
              credentialSubject:
                id: did:web:humanos.tech:org:550e8400-e29b-41d4-a716-446655440000
                mandate:
                  grantor: >-
                    did:web:humanos.tech:user:7c9e6679-7425-40de-944b-e07fc1f90ae7
                  scope: humanos.credential.request
                  context:
                    authorizedDIDs:
                      - >-
                        did:web:humanos.tech:org:550e8400-e29b-41d4-a716-446655440000
                      - >-
                        did:web:humanos.tech:user:7c9e6679-7425-40de-944b-e07fc1f90ae7
              evidences:
                - id: urn:via:evidence:9b2e4f1a-3c7d-4e8a-bf12-2a6c5d8e0f34
                  digestSRI: sha256-abc123
                  location: >-
                    https://api.humanos.dev/credential/evidence/urn:via:evidence:9b2e4f1a-3c7d-4e8a-bf12-2a6c5d8e0f34
            proof:
              type: DataIntegrityProof
              cryptosuite: eddsa-jcs-2022
              created: '2026-05-02T10:15:30.000Z'
              verificationMethod: did:web:humanos.tech#key-1
              proofPurpose: authentication
              proofValue: z2pcVdSdoMTrkYP9rVdz...
        presentationEncoded:
          type: string
          description: >-
            Base64-encoded JSON of the signed Verifiable Presentation above.

            Pass it back to POST /credential/verify as `presentationEncoded`
            (recommended) to avoid signature failures caused by JSON
            re-serialization in some HTTP clients.
          example: >-
            eyJAY29udGV4dCI6WyJodHRwczovL3d3dy53My5vcmcvbnMvY3JlZGVudGlhbHMvdjIiXX0=
        executionParams:
          type: object
          description: >-
            Params the agent intends to supply when invoking the action.
            Validated against the action's declared `executionParams` shape and
            exposed to CEL rules as `executionParams.<field>`.
          example:
            amount: 100
            currency: USD
    VerifyAllowResponseEntity:
      type: object
      properties:
        decision:
          type: string
          enum:
            - allow
          example: allow
          description: Verification outcome — always "allow" on this 201 response.
        credentialId:
          type: string
          example: urn:via:credential:550e8400-e29b-41d4-a716-446655440000
          description: URN of the verified credential.
        evaluations:
          description: >-
            Per-rule evaluation results. Empty when the mandate has no action
            rules.
          type: array
          items:
            $ref: '#/components/schemas/VerifyEvaluationEntity'
        receipt:
          description: VERIFICATION_APPROVED receipt issued for this verification.
          allOf:
            - $ref: '#/components/schemas/ReceiptEntity'
      required:
        - decision
        - credentialId
        - evaluations
        - receipt
    VerifyDenyResponseEntity:
      type: object
      properties:
        statusCode:
          type: number
          example: 403
          description: HTTP status code; always 403 for a denial.
        message:
          type: string
          example: 'Verification denied: vp_signature_invalid'
        decision:
          type: string
          enum:
            - deny
          example: deny
          description: Verification outcome — always "deny" on this 403 response.
        reason:
          type: string
          example: vp_signature_invalid
          description: >-
            Machine-readable denial reason. Examples: vp_signer_unknown,
            vp_signature_invalid, credential_revoked, expired, not_yet_valid,
            verifier_not_authorized, vp_domain_mismatch, action_not_found,
            execution_params_invalid, rule_failed.
        credentialId:
          type: string
          example: urn:via:credential:550e8400-e29b-41d4-a716-446655440000
          description: URN of the credential that was evaluated.
        evaluations:
          description: >-
            Per-rule evaluation results. Empty for denials before action rules
            evaluation.
          type: array
          items:
            $ref: '#/components/schemas/VerifyEvaluationEntity'
        receipt:
          description: VERIFICATION_DENIED receipt issued for this verification.
          allOf:
            - $ref: '#/components/schemas/ReceiptEntity'
      required:
        - statusCode
        - message
        - decision
        - reason
        - credentialId
        - evaluations
        - receipt
    VerifyEvaluationEntity:
      type: object
      properties:
        rule:
          type: string
          example: amount-cap
          description: CEL rule name
        result:
          type: string
          enum:
            - pass
            - fail
            - error
          example: pass
          description: Per-rule outcome.
        reason:
          type: string
          example: Expression evaluated to false
          description: Failure or error explanation. Omitted on pass.
      required:
        - rule
        - result
    ReceiptEntity:
      type: object
      properties:
        id:
          type: string
          example: urn:via:receipt:c4bb2c9d-9b37-448b-8f1a-4ac5793945be
          description: Receipt URN
        timestamp:
          type: string
          example: '2026-05-02T10:15:30.000Z'
          description: Receipt issuance timestamp (ISO 8601)
      required:
        - id
        - timestamp

````