✨Works out of the box guarantee. If you face any issue at all, hit us up on Telegram and we will write the integration for you.
logoReclaim Protocol Docs
Javascript SDK

Verifying the proof

Critical step to make sure user is not trying to defraud your app

Why do I need to verify, when the proof has already been generated?

The proof generation is a client side operation. On Success Callback is only responsible for notifying when the proof is generated successfully. All the proofs generated should be verified on your backend as a malicious user can bypass any check you add on the frontend.

Verifying proofs is a very simple light weight operation. You can think of it as verifying the digital signatures to make sure the data is tamper resistant.

Quickstart

Setup the callback endpoint

This should be the endpoint that will be called by your onSuccess callback.

This endpoint should be of type POST.

Decode the proof object

const proofs = JSON.parse(decodedBody);

Verify the proof

import { verifyProof } from '@reclaimprotocol/js-sdk';
 
...
const isValid = await verifyProof(proofs);

Extract the data

Context

If you set contextAddress and contextMessage when building the request, you can get them back :

const {contextAddress, contextMessage} = JSON.parse(proofs[i].context);

Extacted Parameters

The data that was extracted from the webpage that the user logged in into, depending on what data was configured to be extracted using the provider you had set when building the request.

const { extractedParameters } = JSON.parse(proofs[i].context);

Sample implementation

Example in Next.js

import { NextResponse } from 'next/server';
import { verifyProof } from '@reclaimprotocol/js-sdk';
 
export async function POST(request) {
  let providerId = 'example';

  try {
    // assuming that you set callback url with json set to true
    const proofs = JSON.parse(await request.text());
    const isValid = await verifyProof(proofs);
    if (!isValid) {
      return NextResponse.json({
        success: false,
        message: 'Proof verification failed'
      });
    }

    // As best practice, you MUST validate proofs as per expectations and business requirements.
    // This should happen on your backend.
    //
    // This must be done to make sure that
    // this is the proof you expected.
    //
    // As an example, validation can be done by checking request url, headers,
    // method, and all proven fields (aka extracted params), etc.
    const isProofValid = await YourBackendUsingReclaim.validateProof(proofs);

    if (!isProofValid) {
      // Do not use proof that failed your validation.
      return NextResponse.json({
        success: false,
        message: 'Proof validation failed'
      });
    }

    // save or use proof from your backend

    return NextResponse.json({
      success: true,
      message: 'Proof verification successful'
    });
  } catch (e) {
    return NextResponse.json({
      success: false,
      message: 'Proof verification failed'
    });
  }
}

Structure of proofs

{
 
        "identifier": "...",
 
        "claimData": {
 
          "provider": "...",
 
          "parameters": "...",
 
          "owner": "...",
 
          "timestampS": "...",
 
          "context": "{\n  \"contextAddress\": \"...\",\n  \"contextMessage\": \"...\",\n  \"extractedParameters\": {\n    \"pageTitle\": \"<pageTitle_value>\",\n    \"ianaLinkUrl\": \"<ianaLinkUrl_value>\"\n  },\n  \"providerHash\": \"...\"\n}",
 
          "identifier": "...",
 
          "epoch": "..."
 
        },
 
        "signatures": [
 
          "..."
 
        ],
 
        "witnesses": [
 
          {
 
            "id": "...",
 
            "url": "..."
 
          }
 
        ],
 
        "taskId": "'...' || null",
 
        "publicData": "{...} || null"
 
      }

Previous

Asking the user to generate the proof

Next

Getting Started

On this page