Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.vouchmark.com/llms.txt

Use this file to discover all available pages before exploring further.

The Trust Badge is a public artifact that turns a verification result into something a buyer can check from the verified company’s website. It’s a JWT — anyone with the token can confirm it came from Vouchmark and that the underlying record is still in good standing.

Anatomy of a badge

A Trust Badge token carries:
  • vendorId — the verified company’s Vouchmark ID
  • bandverified, partially_verified, or self_asserted
  • score — the score at issue time
  • issuedAt and expiresAt — badges are short-lived; refresh nightly
  • iss — always vouchmark.com
The token is signed with TRUST_BADGE_SECRET, a key dedicated to badges (never reused for user authentication).

Issuing a badge

A badge is issued automatically when a verified company hits a score threshold. You can also force a re-evaluation from the dashboard. Programmatically: 
curl https://api.vouchmark.com/v1/trust-badge/my-badge?vendorId=cmp_aBcD... \
  -H "Authorization: Bearer $TOKEN"
Response
{
  "success": true,
  "badge": {
    "token": "eyJhbGciOiJIUzI1NiIs...",
    "band": "verified",
    "score": 90,
    "issuedAt": "2026-05-12T00:00:00Z",
    "expiresAt": "2026-05-13T00:00:00Z",
    "embedUrl": "https://vouchmark.com/badge/eyJhbGciOiJIUzI1NiIs..."
  }
}

Verifying a badge

Anyone — no auth — can verify a token: 
curl "https://api.vouchmark.com/v1/trust-badge/verify?token=eyJhbGciOiJIUzI1NiIs..."
Response
{
  "valid": true,
  "vendorId": "cmp_aBcD...",
  "band": "verified",
  "score": 90,
  "checkedAt": "2026-05-12T09:14:00Z"
}
The endpoint validates the signature and checks the badge’s status in the database. A badge that has been revoked (after a sanction hit, say, or a failed re-verification) will return valid: false even though the JWT signature is intact.

Embedding the badge

Drop this snippet on the verified company’s website: 
<a
  href="https://vouchmark.com/verify?token=YOUR_TOKEN"
  rel="noopener"
  target="_blank"
>
  <img
    src="https://vouchmark.com/badge/YOUR_TOKEN.svg"
    alt="Vouchmark Verified"
    width="160"
    height="48"
  />
</a>
The image URL is itself a verification: the SVG endpoint re-checks the token on every render, so a revoked badge renders as “expired” automatically.
Don’t hardcode the SVG into the page. The badge endpoint is the source of truth — fetch it live so revocations propagate.

Revocation

Badges are revoked when:
  • Smart Sentinel detects a material change (e.g. CAC status flipped to INACTIVE, sanction hit, FIRS TIN deactivated).
  • The owner manually disables it from the dashboard.
  • The underlying score drops below the issuing threshold on a nightly re-score.
Once revoked, the JWT still parses but the verify endpoint returns valid: false.