API documentation

Verify certificates programmatically from your website, LMS, or internal tools.

The Certify.App API lets organizations look up certificates they have issued. Each request is authenticated with an API key and scoped to your organization — you can only verify certificates your team created.

Getting access

  1. API access must be enabled for your organization by a platform administrator.
  2. Organization admins can create API keys under Settings → API access.
  3. Copy your key when it is created. For security, the full key is only shown once.

Need API access enabled? Contact us.

Authentication

Send your API key on every request using either an Authorization bearer token or an X-API-Key header. Keys use the cert_live_ prefix.

Authorization: Bearer cert_live_<your_key>
X-API-Key: cert_live_<your_key>

Verify a certificate

Look up a certificate by its public ID (e.g. CERT-2026-001) or by the secure verification token from QR codes and email links (32-character hex string).

Endpoint

GET https://usecertify.app/api/v1/verify/{certificateId}

Path parameter

  • certificateId — public certificate ID or verification token. Certificate IDs are case-insensitive.

Example request

curl -s \
  -H "Authorization: Bearer cert_live_<your_key>" \
  "https://usecertify.app/api/v1/verify/CERT-2026-001"

Success response

200 OK — certificate found and belongs to your organization.

{
  "found": true,
  "certificate": {
    "certificateId": "CERT-2026-001",
    "recipientName": "Jane Doe",
    "courseName": "Digital Marketing",
    "organizationName": "Your Organization",
    "issueDate": "15 January 2026",
    "expiryDate": null,
    "status": "valid"
  }
}

The status field is one of valid, expired, or revoked. Dates are formatted for display (e.g. 15 January 2026).

Not found

404 Not Found — no matching certificate, or the certificate was issued by a different organization.

{ "found": false }

Error responses

  • 401 Unauthorized — missing, invalid, or revoked API key, or API access disabled for your organization.
  • 429 Too Many Requests — rate limit exceeded. Retry after the number of seconds in the Retry-After response header.
{ "error": "Invalid or missing API key" }
{ "error": "Rate limit exceeded" }

Rate limits

Each API key is limited to 60 requests per minute. Successful and failed lookups both count toward the limit.

CORS

Browser requests are supported. The API responds to OPTIONS preflight and allows GET from any origin with Authorization, X-API-Key, and Content-Type headers.

Verification logging

Successful lookups through the API are recorded in your organization's verification logs, the same as public web verifications.

JavaScript example

const response = await fetch(
  "https://usecertify.app/api/v1/verify/CERT-2026-001",
  {
    headers: {
      Authorization: "Bearer cert_live_<your_key>",
    },
  }
);

if (!response.ok) {
  throw new Error(`Verification failed (${response.status})`);
}

const data = await response.json();

if (data.found) {
  console.log(data.certificate.recipientName, data.certificate.status);
}