Apply for an OpenAuthCert badge
Follow these steps to submit a badge request through a GitHub pull request. All review activity happens in the open so other vendors and deployers can learn from the process.
1. Prepare your badge JSON
Create a file under the repository path:
/registry/badge-registry/<vendor>/<application>/<version>.json
Each badge JSON must include:
- vendor – unique vendor identifier (lowercase, hyphenated preferred)
- application – product or deployment name
- version – release identifier you want certified
- badge_type – one of the values from the specification
- status – start with pending unless you already have approval
- issued_at – ISO8601 timestamp when the badge is proposed
- expires_at – ISO8601 timestamp when certification lapses (maintainers set this to 12 months after issue when signing)
- digital_signature – Base64 signature created after maintainers approve the payload
Optional but recommended fields:
- evidence_urls – publicly accessible documentation, release notes, or audits that support the claim
- checks – live endpoints the nightly compliance probe re-tests so your certification stays honest:
  - oidc_discovery – your …/.well-known/openid-configuration URL
  - saml_metadata – your SAML 2.0 metadata URL
  - ldap – host:port for an LDAP endpoint (TCP reachability)
  - docs – the public docs page proving the feature is free
- notes – context for reviewers
- revoked_at – only if the badge is revoked (required when status is revoked)
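A local pre-flight check for the fields and rules listed above, as an added example (it is not the project's validate-badges.yml workflow or its JSON schema). The function name, the sample values and the choice to treat timestamps without an offset as UTC are assumptions of this example.

```python
import json
from datetime import datetime, timezone
from pathlib import PurePosixPath

# Field names are the ones this page lists; the checks are this example's assumptions.
REQUIRED = ("vendor", "application", "version", "badge_type", "status",
            "issued_at", "expires_at", "digital_signature")

def check_badge(repo_path, text):
    """Return a list of problems for one badge file; an empty list means clean."""
    try:
        badge = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    if not isinstance(badge, dict):
        return ["top level must be a JSON object"]
    problems = [f"missing field: {key}" for key in REQUIRED if key not in badge]
    # Layout rule: /registry/badge-registry/<vendor>/<application>/<version>.json
    path = PurePosixPath(repo_path)
    if path.suffix != ".json" or path.parts[-5:-3] != ("registry", "badge-registry"):
        problems.append("file is not at registry/badge-registry/<vendor>/<application>/<version>.json")
    else:
        on_disk = zip(REQUIRED[:3], (path.parts[-3], path.parts[-2], path.stem))
        problems += [f"{key} does not match path segment {seg!r}"
                     for key, seg in on_disk if badge.get(key) != seg]
    times = {}
    for key in ("issued_at", "expires_at", "revoked_at"):
        if key in badge:
            try:  # fromisoformat() rejects a trailing "Z" before Python 3.11
                ts = datetime.fromisoformat(str(badge[key]).replace("Z", "+00:00"))
                times[key] = ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)
            except ValueError:
                problems.append(f"{key} is not an ISO 8601 timestamp")
    if times.keys() >= {"issued_at", "expires_at"} and times["expires_at"] <= times["issued_at"]:
        problems.append("expires_at must be later than issued_at")
    if badge.get("status") == "revoked" and "revoked_at" not in badge:
        problems.append("revoked_at is required when status is revoked")
    return problems

# Constructed sample; every value is a placeholder.
SAMPLE_PATH = "/registry/badge-registry/example-vendor/example-app/1.0.0.json"
SAMPLE = json.dumps({
    "vendor": "example-vendor", "application": "example-app", "version": "1.0.0",
    "badge_type": "<value-from-specification>", "status": "pending",
    "issued_at": "2025-01-15T00:00:00Z", "expires_at": "2026-01-15T00:00:00Z",
    "digital_signature": "<added-by-maintainers-after-approval>"})

if __name__ == "__main__":
    print(check_badge(SAMPLE_PATH, SAMPLE) or "no problems found")
```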
Keeping your certification
A badge is a point-in-time attestation, so it does not last forever:
- Renewal – certifications are valid for 12 months (expires_at). After that the badge shows as expired until you submit a renewal PR for re-validation.
- Continuous checks – a nightly probe re-tests the URLs in your checks block. If the certified feature disappears or moves behind a paywall for three consecutive days, the badge is automatically re-signed as revoked. See Governance.
- Embed a live badge – each registry entry offers a copy-paste status image (https://openauthcert.org/badges/<vendor>/<application>/<version>.svg). It reflects current status, so it flips to expired or revoked on its own — no stale "certified" graphics on your site.
2. Add supporting evidence
Include links to documentation, conformance reports, or test vectors in the evidence_urls array. Self-hosted PDFs or static captures can be added under /registry/evidence/<vendor>/<application>/<version>/ and linked from the badge JSON.
3. Open a pull request
- Fork the repository and create a branch.
- Add your badge JSON and any evidence assets.
- Run the repository checks locally if possible (see below).
- Submit a pull request describing the badge and evidence.
The validate-badges.yml workflow runs on every pull request. It validates JSON schema compliance and ensures file layout consistency.
4. Collaborate on review
- Respond quickly to review comments and provide clarifications.
- Update the badge JSON based on feedback—maintainers will re-run signing once approved.
- Keep evidence links working; stale links can delay approval.
5. Passing checks
Before the site deploys, the CI pipeline runs:
- validate-badges.yml
- The website registry build check (see Governance)
After these pass, maintainers sign the badge payload, merge the PR, and publish the updated static site.