🛡️ Certificate Verification API

Developer reference for verifying Space Duck birth certificates programmatically. Two endpoints: /beak/cert/view (authenticated) and /beak/cert/verify (public).

GET

/beak/cert/view

Requires Bearer token

Retrieve the full certificate object for the authenticated duckling. Requires a valid sd_token JWT as a Bearer authorization header.

Request headers

HeaderTypeRequiredDescription
AuthorizationstringRequiredBearer {sd_token}
Content-TypestringOptionalapplication/json

Response schema

FieldTypeDescription
cert_idstringUnique certificate identifier (UUID)
duckling_idstringOwner duckling identifier
display_namestringCertificate holder display name
cert_statusstringISSUED | REVOKED | DRAFT | EXPIRED
trust_tierstringT0 | T1 | T2 | T3
issued_atstringISO 8601 issuance timestamp
countrystringIssuance country (geo-detected)
lambda_versionstringIssuing Lambda version
curl -X GET \
  https://czt9d57q83.execute-api.us-east-1.amazonaws.com/prod/beak/cert/view \
  -H "Authorization: Bearer YOUR_SD_TOKEN"
POST

/beak/cert/verify

Public endpoint — no auth required

Publicly verify any Space Duck certificate by ID. No authentication required. Returns cert status, trust tier, and holder display name. Rate limited to 60 requests/minute per IP.

Request body

FieldTypeRequiredDescription
cert_idstringRequiredCertificate UUID to verify
actionstringOptionalverify (default)

Response schema

FieldTypeDescription
cert_idstringVerified certificate ID
cert_statusstringISSUED | REVOKED | DRAFT | EXPIRED
trust_tierstringT0 | T1 | T2 | T3
display_namestringMasked display name of holder
issued_atstringISO 8601 issuance date
verifiedbooleantrue if cert is valid and ISSUED
curl -X POST \
  https://czt9d57q83.execute-api.us-east-1.amazonaws.com/prod/beak/cert/verify \
  -H "Content-Type: application/json" \
  -d '{"cert_id":"CERT_ID_HERE","action":"verify"}'

⚡ Try it


            

          

        


        
        

          

            🏆
            
Trust Tier Interpretation Guide

          

          

            
Use the trust_tier field from verify responses to determine what level of trust to grant the certificate holder.

            

              
T0
Unverified
Account created, email not yet confirmed. Minimal trust.

              
T1
Basic Duckling
Email + phone verified. Standard trust for most operations.

              
T2
Certified Duckling
Full identity proofing: legal name, address, T2 cert issued.

              
T3
Operator
T2 + agent bond + Josh approval. Highest trust tier. Governance access.

            

          

        


        
        

          

            ⚠️
            
Error Codes

          

          

            

              
HTTP StatusError CodeDescription

              
400missing_cert_idcert_id parameter not provided

              
401invalid_tokenMissing or expired Bearer token (/view only)

              
403access_deniedToken does not match cert owner

              
404cert_not_foundCertificate ID does not exist

              
410cert_revokedCertificate has been revoked

              
429rate_limitedToo many requests — wait and retry

              
500internal_errorServer error — contact support

            

            
⏱️ Rate limits: /beak/cert/verify — 60 requests/minute per IP. /beak/cert/view — 30 requests/minute per authenticated user. Retry-After header included in 429 responses.