If you’re a merchant, service provider, or any system that receives Sumvin identity credentials — this guide is for you. As a verifier, you don’t call the Sumvin API to create users or sign authorisations. Instead, you receive and verify credentials that arrive as HTTP headers on incoming requests. You don’t store the identity. You check it at the door. Every credential is anchored to a Stamped Mandate — the cryptographic authorisation the user signed.

A Stamped Mandate is delivered over the API as a PINT (header x-sumvin-pint-token). The product name and the wire artifact describe the same thing — read “Stamped Mandate” wherever you see a PINT in the headers and code below.

What You Receive

When a Sumvin user (or their AI agent) interacts with your service, the request includes identity credentials as HTTP headers. Depending on the verification tier, you receive either:
Standard tier (Stamped Mandate JWT only):
x-sumvin-pint-token: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...
Enhanced tier (Stamped Mandate JWT + signature):
x-sumvin-pint-token: eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9...
X-Pint-Signature: 0x...
X-Pint-Payload: eyJ3YWxsZXQiOiIweEUyM2M5QTcwQkM3NDlFQmRkZDhj...
The x-sumvin-pint-token header carries the raw JWT (no Bearer prefix). Reserve the Authorization: Bearer header for outbound calls you make to SIS using your SIS API key (for example, revocation checks or token exchange).

What You Need to Verify

At minimum, every verifier should:
  1. Validate the JWT signature against the SIS public keys (JWKS)
  2. Check the aud claim matches your registered identifier
  3. Check the exp claim to confirm the JWT hasn’t expired
  4. Optionally check revocation via the status endpoint
For enhanced-tier requests, you additionally verify the Stamped Mandate’s EIP-712 signature — see Verifying PINT Signatures.
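
The first three checks above, as an added example that is not Sumvin's code and uses only Node's built-in crypto module. It assumes the JWKS document has already been fetched from the SIS JWKS endpoint and parsed, and that tokens are signed with ES256 (the alg in the sample header on this page); the function names, the kid fallback and the sample claims are assumptions, and the optional revocation check is left out.

```javascript
// Added example, not Sumvin's code. Uses only Node's built-in crypto module.
const nodeCrypto = require('node:crypto');
const b64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// jwks: parsed JWKS document, fetched from the SIS JWKS endpoint and cached.
// expectedAud: your registered audience identifier. nowSec is injectable for tests.
function verifyPintToken(token, jwks, expectedAud, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [headerB64, payloadB64, sigB64] = parts;
  const header = b64urlJson(headerB64);

  // Pin the algorithm; never let the token pick it ("none", HS256 confusion).
  if (header.alg !== 'ES256') throw new Error('unexpected alg');

  // Step 1: signature. Assumption: select by kid when the header carries one,
  // otherwise try every P-256 key in the set.
  const candidates = jwks.keys.filter((k) =>
    k.kty === 'EC' && k.crv === 'P-256' && (!header.kid || k.kid === header.kid));
  const signed = Buffer.from(`${headerB64}.${payloadB64}`);
  const sig = Buffer.from(sigB64, 'base64url');
  const ok = candidates.some((jwk) => nodeCrypto.verify('sha256', signed,
    // JWS ES256 signatures are raw r||s, not DER
    { key: nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' }), dsaEncoding: 'ieee-p1363' },
    sig));
  if (!ok) throw new Error('bad signature');

  // Claims are read only after the signature has verified.
  const claims = b64urlJson(payloadB64);
  // Step 2: aud may be a string or an array of strings.
  const auds = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!expectedAud || !auds.includes(expectedAud)) throw new Error('wrong audience');
  // Step 3: a missing exp is treated as expired.
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// Constructed helper for local testing: signs a token with a throwaway key
// that stands in for SIS. Claim names other than aud/exp are made up.
function mintSampleToken(privateKey, kid, claims, alg = 'ES256') {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const input = `${enc({ alg, typ: 'JWT', kid })}.${enc(claims)}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}
```

In a request handler, pass the raw value of the x-sumvin-pint-token header as `token` and reject the request on any thrown error.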

What You Need

| Requirement | How to Get It |
| --- | --- |
| Your registered audience identifier | Provided during partner onboarding |
| SIS JWKS endpoint URL | https://sis.sumvin.com/v0/sis/.well-known/jwks.json |
| A JWT verification library | Any standard JWT library (e.g., jose, PyJWT, jsonwebtoken) |
| SIS API key (optional) | Only needed if you want to call the revocation check endpoint. Contact your account manager. |

You do not need an API key to verify JWT signatures. The JWKS endpoint is publicly accessible. An API key is only required to call the revocation check endpoint.

Start verifying

The fastest path to a working verifier is the Verify a standard-tier Stamped Mandate quickstart — five minutes from zero to a decoded, signature-verified JWT payload printed to stdout. Start there, then come back to the deeper reference pages below when you need to handle enhanced-tier requests or agent-signed mandates.

Next Steps

The fastest path is the standard-tier quickstart — five minutes from zero to a decoded, signature-verified JWT. From there, verification tiers tells you when Standard is enough and when you need Enhanced, verify a JWT is the full step-by-step reference, and the header reference lists every identity-related HTTP header you’ll meet at the boundary. Everything else is detail — the shape of the credential, and the shape of your check against it. These two tiers are the Sigil verification tiers — Standard and Enhanced.