Documentation Index
Fetch the complete documentation index at: https://docs.vane.build/llms.txt
Use this file to discover all available pages before exploring further.
GET /v1/ocsp/:jti
Returns the revocation status of a passport, identified by its jti. The response is signed with the company’s Ed25519 key, so verifiers can confirm the response is authentic. Requires authentication.
Responses are cached for 5 minutes (Cache-Control: public, max-age=300). Use this endpoint in verifiers that cannot hold the full revocation list but need stronger guarantees than offline-only verification.
Path parameters
| Parameter | Type | Description |
|---|
jti | string | The UUID from the passport’s jti claim. |
Response 200 — valid passport
| Field | Type | Description |
|---|
jti | string | The passport ID checked. |
companyId | string | The company that issued this passport. |
status | "valid" | The passport has not been revoked. |
checkedAt | string | ISO 8601 timestamp of this check. |
caPublicKey | string | Ed25519 SPKI PEM. Used to verify signature. |
signature | string | Ed25519 signature over the response data (base64url). |
Response 200 — revoked passport
| Field | Type | Description |
|---|
jti | string | The passport ID checked. |
companyId | string | The company that issued this passport. |
status | "revoked" | The passport has been revoked. |
checkedAt | string | ISO 8601 timestamp of this check. |
revokedAt | string | ISO 8601 timestamp when revocation occurred. |
reason | string | Present if a reason was recorded. |
caPublicKey | string | Ed25519 SPKI PEM. |
signature | string | Ed25519 signature over the response data (base64url). |
Verifying the OCSP response signature
The signature covers the response data object (excluding caPublicKey and signature themselves). To verify:
- Remove
caPublicKey and signature from the response object.
- Canonicalize the remaining object (sort keys recursively, then JSON-stringify).
- Compute SHA-256 of the canonical string.
- Verify the Ed25519 signature over that hash using the
caPublicKey.
Example
curl -s http://localhost:3000/v1/ocsp/550e8400-e29b-41d4-a716-446655440000 \
-H "Authorization: Bearer $API_KEY"
{
"jti": "550e8400-e29b-41d4-a716-446655440000",
"companyId": "acme",
"status": "valid",
"checkedAt": "2026-01-01T00:05:00.000Z",
"caPublicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
"signature": "vdv-nC4o..."
}
{
"jti": "550e8400-e29b-41d4-a716-446655440000",
"companyId": "acme",
"status": "revoked",
"checkedAt": "2026-01-01T02:00:00.000Z",
"revokedAt": "2026-01-01T01:00:00.000Z",
"reason": "agent compromised",
"caPublicKey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n",
"signature": "Xt8q1R7m..."
}
