Skip to main content
These endpoints are designed to be public and cached. They give verifiers everything they need to verify passports and attestation records offline, without any authentication.

GET /v1/ca/public-key

Returns the company’s CA public key in three formats: PEM, JWK, and fingerprint. No authentication required. Cached for 1 hour. This is the only thing a verifier needs to verify any passport or OCSP response issued by this company.

Query parameters

Response 200

JWK fields:

Error responses

Example


GET /v1/ca/well-known

Returns an OIDC-style discovery document describing the company’s cryptographic configuration. No authentication required. Cached for 1 hour. This document is designed to be fetched once at verifier startup and cached. It includes the jwks_uri pointing to the public key endpoint, plus inline JWKS to avoid a second round-trip.

Query parameters

Response 200

passport_format fields:
Set VANE_BASE_URL to your public URL so the jwks_uri in the discovery document is correct when running behind a reverse proxy. If not set, the URL is inferred from the Host and X-Forwarded-Proto headers.

Example