Skip to main content
The Trust Badge is a public artifact that turns a verification result into something a buyer can check from the verified company’s website. It’s a JWT — anyone with the token can confirm it came from Vouchmark and that the underlying record is still in good standing.

Anatomy of a badge

A Trust Badge token carries:
  • vendorId — the verified company’s Vouchmark ID
  • bandverified, partially_verified, or self_asserted
  • score — the score at issue time
  • issuedAt and expiresAt — badges are short-lived; refresh nightly
  • iss — always vouchmark.com
The token is signed with TRUST_BADGE_SECRET, a key dedicated to badges (never reused for user authentication).

Issuing a badge

A badge is issued automatically when a verified company hits a score threshold. You can also force a re-evaluation from the dashboard. Programmatically:
curl https://api.vouchmark.com/v1/trust-badge/my-badge?vendorId=cmp_aBcD... \
  -H "Authorization: Bearer $TOKEN"
Response
{
  "success": true,
  "data": {
    "vendorId": "cmp_aBcD...",
    "customerId": "usr_aBcD...",
    "status": "active",
    "score": 90,
    "badgeToken": "eyJhbGciOiJIUzI1NiIs...",
    "issuedAt": "2026-05-12T00:00:00Z",
    "revokedAt": null,
    "expiresAt": "2026-05-13T00:00:00Z"
  }
}
badgeToken is only populated while status is active; once a badge is revoked it is null.

Verifying a badge

Anyone — no auth — can verify a token:
curl "https://api.vouchmark.com/v1/trust-badge/verify?token=eyJhbGciOiJIUzI1NiIs..."
Response
{
  "success": true,
  "data": {
    "valid": true,
    "vendorId": "cmp_aBcD...",
    "customerId": "usr_aBcD...",
    "score": 90,
    "status": "active",
    "issuedAt": "2026-05-12T00:00:00Z",
    "expiresAt": "2026-05-13T00:00:00Z"
  }
}
The endpoint always returns 200; validity is expressed in data.valid. It validates the signature and checks the badge’s status in the database. A badge that has been revoked (after a sanction hit, say, or a failed re-verification) returns data.valid: false with a reason — even though the JWT signature is intact.

Embedding the badge

Drop this snippet on the verified company’s website:
<a
  href="https://vouchmark.com/verify?token=YOUR_TOKEN"
  rel="noopener"
  target="_blank"
>
  <img
    src="https://vouchmark.com/badge/YOUR_TOKEN.svg"
    alt="Vouchmark Verified"
    width="160"
    height="48"
  />
</a>
The image URL is itself a verification: the SVG endpoint re-checks the token on every render, so a revoked badge renders as “expired” automatically.
Don’t hardcode the SVG into the page. The badge endpoint is the source of truth — fetch it live so revocations propagate.

Revocation

Badges are revoked when:
  • Smart Sentinel detects a material change (e.g. CAC status flipped to INACTIVE, sanction hit, FIRS TIN deactivated).
  • The owner manually disables it from the dashboard.
  • The underlying score drops below the issuing threshold on a nightly re-score.
Once revoked, the JWT still parses but the verify endpoint returns valid: false.