Concepts
Callback and verification.
VibeID posts the signed result to your callback endpoint. Verify successful callbacks before creating a session or storing profile metadata.
Callback payload
| Field | Meaning |
|---|---|
| status | ok or error. |
| v | Protocol version. Current value is 1. |
| kind | signin for this flow. |
| requestId | The request id from the challenge. |
| signature | Base64 signature. Required when status is ok. |
| did | did:vibe:p256:<base64url-compressed-public-key>. Required when status is ok. |
| alg | P-256. |
| profile | Optional display metadata. Verify the signature before storing it. |
| error | Machine-readable error code when status is error. |
| message | Optional human-readable failure detail. |
```json
{
  "status": "ok",
  "v": "1",
  "kind": "signin",
  "requestId": "abc123",
  "signature": "<base64>",
  "did": "did:vibe:p256:<base64url-compressed-public-key>",
  "alg": "P-256",
  "profile": { "displayName": "Personal" }
}
```
Signature verification
- Require alg: "P-256".
- Decode did:vibe:p256:... as a compressed 33-byte P-256 public key.
- Verify SHA-256 ECDSA over the exact stored challenge string.
- Accept DER and IEEE P1363 ECDSA encodings during the pilot.
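The four rules above as a Node.js check, added here as an example and not VibeID's own code. It assumes the signature field is standard base64, the challenge was signed as UTF-8 bytes, and `stored` is a hypothetical server-side record of the issued challenge; the function names and reason strings are also illustrative.

```javascript
const crypto = require('node:crypto');

const DID_PREFIX = 'did:vibe:p256:';

// Decode did:vibe:p256:<base64url> into a KeyObject; throws on any malformed input.
function publicKeyFromDid(did) {
  if (typeof did !== 'string' || !did.startsWith(DID_PREFIX)) throw new Error('bad did');
  const point = Buffer.from(did.slice(DID_PREFIX.length), 'base64url');
  if (point.length !== 33 || (point[0] !== 0x02 && point[0] !== 0x03)) {
    throw new Error('not a compressed P-256 key');
  }
  // Decompress to 0x04||x||y (throws if the point is not on the curve), import as JWK.
  const raw = crypto.ECDH.convertKey(point, 'prime256v1');
  return crypto.createPublicKey({
    format: 'jwk',
    key: {
      kty: 'EC',
      crv: 'P-256',
      x: raw.subarray(1, 33).toString('base64url'),
      y: raw.subarray(33, 65).toString('base64url'),
    },
  });
}

// `stored` is a hypothetical server-side record: { requestId, challenge }.
function verifySigninCallback(payload, stored) {
  const fail = (reason) => ({ ok: false, reason });
  try {
    if (payload.status !== 'ok') return fail('status');
    if (String(payload.v) !== '1' || payload.kind !== 'signin') return fail('protocol');
    if (payload.requestId !== stored.requestId) return fail('requestId');
    if (payload.alg !== 'P-256') return fail('alg');
    if (typeof payload.signature !== 'string') return fail('signature');
    const key = publicKeyFromDid(payload.did);
    const sig = Buffer.from(payload.signature, 'base64');
    const data = Buffer.from(stored.challenge, 'utf8');
    // 64 bytes can be raw r||s (IEEE P1363); every other length must parse as DER.
    const encodings = sig.length === 64 ? ['ieee-p1363', 'der'] : ['der'];
    const valid = encodings.some((dsaEncoding) =>
      crypto.verify('sha256', data, { key, dsaEncoding }, sig));
    return valid ? { ok: true, did: payload.did } : fail('signature');
  } catch (err) {
    return fail('malformed');
  }
}
```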