Badge specification
The OpenAuthCert badge schema is versioned alongside the registry. The current schema (schema-v1.json) defines the structure every badge must follow.
Schema highlights
- Title: OpenAuthCert Badge
- Required fields: `vendor`, `application`, `version`, `badge_type`, `status`, `issued_at`, `expires_at`, `digital_signature`
- Badge types: `free-sso-idp`, `free-ldap-support`, `free-oidc-support`, `free-saml-support`, `multi-idp-ready`
- Status values: `certified`, `pending`, `revoked`, `denied`
You can review the full JSON Schema on GitHub: schema-v1.json.
Canonicalization
Badges are signed using a deterministic JSON serialization:
- Keys are sorted lexicographically at every depth.
- Objects exclude the `digital_signature` field before signing.
- Arrays retain their original order.
- Numbers and booleans use standard JSON encoding with no extra whitespace.
This canonical form is what the verify tool reconstructs before checking the signature.
Digital signatures
- The initiative publishes a global Ed25519 public key at `/public_key.pem`.
- Vendors sign badge payloads with the corresponding private key after review.
- The `digital_signature` field stores a Base64-encoded Ed25519 signature over the canonical payload.
- Revocations require a new signature after updating `status` and `revoked_at`.
For implementation details, see the `oac` CLI and the shared `@openauthcert/core` canonicalization.