If you’re a merchant, service provider, or any system that receives Sumvin identity credentials — this guide is for you. You don’t need to call the Sumvin API to create users or PINTs. Instead, you receive and verify credentials that arrive as HTTP headers on incoming requests. You don’t store the identity. You check it at the door. Every credential is anchored to a — the cryptographic authorisation the user signed.

What You Receive

When a Sumvin user (or their AI agent) interacts with your service, the request includes identity credentials as HTTP headers. Depending on the verification tier, you receive either:
Standard tier (PINT JWT only):
x-sumvin-pint-token: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...
Enhanced tier (PINT JWT + PINT signature):
x-sumvin-pint-token: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...
X-Pint-Signature: 0x...
X-Pint-Payload: eyJ3YWxsZXQiOiIweEUyM2M5QTcwQkM3NDlFQmRkZDhj...
The x-sumvin-pint-token header carries the raw PINT JWT (no Bearer prefix). Reserve the Authorization: Bearer header for outbound calls you make to SIS using your SIS API key (for example, revocation checks or token exchange).

What You Need to Verify

At minimum, every verifier should:
  1. Validate the JWT signature against the SIS public keys ()
  2. Check the aud claim matches your registered identifier
  3. Check the exp claim to confirm the JWT hasn’t expired
  4. Optionally check revocation via the status endpoint
For enhanced-tier requests, you additionally verify the EIP-712 PINT signature — see Verifying PINT Signatures.
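Checks 1 to 3 for a standard-tier request, as an added example using only Node's built-in crypto module (not code from Sumvin). It assumes ES256, which is what the sample token header above decodes to, and that token headers and JWKS entries carry a `kid`; the key pair and token are generated locally in place of the SIS JWKS so it runs offline, and the optional revocation check is not shown.

```javascript
const crypto = require('node:crypto');

// Checks 1-3 from the list above. `jwks` is the parsed JWKS document,
// `audience` is your registered identifier, `now` is Unix time in seconds.
function verifyPint(headers, jwks, audience, now = Math.floor(Date.now() / 1000)) {
  const token = headers['x-sumvin-pint-token'];        // raw JWT, no Bearer prefix
  if (typeof token !== 'string') throw new Error('missing token');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm instead of trusting whatever the token declares.
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  // Assumption: keys are selected by `kid`, as is usual for JWKS.
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'EC' && k.crv === 'P-256');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({
    key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, format: 'jwk' });
  // JWS ES256 signatures are raw r||s (IEEE P1363), not DER.
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Only read claims after the signature has verified.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (![].concat(claims.aud ?? []).includes(audience)) throw new Error('aud mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed fixture (not a real SIS key or token): a locally generated
// P-256 key pair stands in for SIS so the example runs offline.
function makeFixture(claims) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key' }] };
  const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const signingInput = `${b64u({ alg: 'ES256', typ: 'JWT', kid: 'demo-key' })}.${b64u(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return { jwks, token: `${signingInput}.${sig.toString('base64url')}` };
}

const fixture = makeFixture({ sub: 'user-1', aud: 'merchant.example', exp: 2000000000 });
console.log(verifyPint({ 'x-sumvin-pint-token': fixture.token }, fixture.jwks,
  'merchant.example', 1900000000));
```

Node's `http` module lowercases incoming header names in `req.headers`, so the lowercase lookup key matches however the client cased the header.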

What You Need

| Requirement | How to Get It |
| --- | --- |
| Your registered audience identifier | Provided during partner onboarding |
| SIS JWKS endpoint URL | https://sis.sumvin.com/v0/sis/.well-known/jwks.json |
| A JWT verification library | Any standard JWT library (e.g., jose, PyJWT, jsonwebtoken) |
| SIS API key (optional) | Only needed if you want to call the revocation check endpoint. Contact your account manager. |

You do not need an API key to verify JWT signatures. The JWKS endpoint is publicly accessible. An API key is only required to call the revocation check endpoint.

Start verifying

The fastest path to a working verifier is the Verify a standard-tier PINT quickstart — five minutes from zero to a decoded, signature-verified JWT payload printed to stdout. Start there, then come back to the deeper reference pages below when you need to handle enhanced-tier requests or agent-signed PINTs.

Next Steps

The fastest path is the standard-tier quickstart — five minutes from zero to a decoded, signature-verified JWT. From there, verification tiers tells you when Standard is enough and when you need Enhanced, verify a JWT is the full step-by-step reference, and the header reference lists every identity-related HTTP header you’ll meet at the boundary. Everything else is detail — the shape of the credential, and the shape of your check against it.