The Certification Badge, Made Live
Today, a certification is a PDF and a row in a directory someone has to go look up. This platform turns it into a live object: one badge record at the issuer, projected onto every surface that matters — the holder's website, a verification page, and a cryptographically signed credential. Change the record once, and every surface changes with it. Revoke it, and the badge disappears from the holder's site.
Walk the demo — four personas, four pages
1 · The Certified Organization
Dana — operations lead at Meridian Defense Solutions (recipient)
Dana passed a CMMC assessment and wants the world to know — especially the primes running supplier diligence. She pasted one line of HTML into the company site. Done forever.
- Visit her site: the client demo page
- Notice: the badge isn't a saved image — it renders live from the issuer on every page load
- Click the badge — it links straight to its own verification page
2 · The Third-Party Verifier
A supplier-risk analyst at a prime contractor
Someone claims to be certified. The analyst doesn't call anyone, request a PDF, or trust a screenshot — she asks the issuer of record and gets a live answer.
- Look up any org or badge ID: the verification page
- Notice: a revoked badge shows REVOKED — truth, not a dead link
- For automated diligence, her systems fetch the signed credential instead (persona 4)
3 · The Accreditation Body
A program administrator at the issuer (Cyber AB)
The admin holds the one record every surface derives from. Suspension and revocation are not letters that get filed — they are switches that propagate.
- Open the admin console — sign in with Cloudflare Access, no token needed
- Issue by EIN + CAGE alone — the legal org name auto-resolves (local registry → SAM.gov by CAGE); set a validity window with the date pickers; suspend, reinstate, revoke on an enforced state machine, not free-form edits
- Every action is Cedar-authorized and lands in the audit log — including refusals
- Click Suspend (repeatable) or Revoke (terminal), then reload Dana's site: the badge is gone
4 · The Machine
Any system that needs proof without a phone call (integrator)
Everything above is also an API. A wallet, GRC platform, or procurement system verifies a badge without ever asking the issuer's permission — the cryptography answers.
GET /credentials/{id}— signed Open Badges 3.0 / W3C VC 2.0 credentialGET /.well-known/did.json— the issuer's public key (did:web)GET /status/list— signed Bitstring Status List: one bit per badgeGET /api/badges/{id}— plain JSON status for simple integrations
The five-minute walkthrough
- Open Dana's company site — see the badge advertising the certification.
- Click the badge → the verification page: live status, EIN/CAGE, level, dates, C3PAO of record.
- From the verify page, open the signed credential (JSON) — this is what machines consume.
- In the admin console, Suspend the badge (repeatable — revoke is terminal, so suspend/reinstate lets you run the demo again).
- Reload Dana's site: the badge has disappeared. Reload the verify page: SUSPENDED. Re-fetch the status list: the bit is set. One record changed; three surfaces told the truth. Reinstate to bring it back.
Admin access — sign in, or get a token
The admin console and every /api/admin/* endpoint accept two
kinds of principal — humans sign in, machines present a token. Nothing secret is stored in code or on disk:
| Humans — no token at all | Cloudflare Access now fronts
/admin: open it and Cloudflare sends a one-time PIN to your email
(@oodamatic.com / @aiwars.ai are allowed). The Worker
independently verifies the Access JWT, and your email becomes the audit actor. No shared
secret exists for humans anymore |
| Root token (break-glass only) | A root bearer still exists as a Cloudflare
Worker secret for two cases only: recovery if Access is ever misconfigured, and local
wrangler dev (where Access isn't in the request path). It is not a normal
access path — humans sign in, machines use named tokens |
| Cloudflare-native (production) | The running Worker reads the token from a
Cloudflare Worker secret. Provision or rotate it entirely inside Cloudflare:
wrangler secret put ADMIN_TOKEN, or dashboard → Workers & Pages →
cyberab-badge-demo → Settings → Variables and Secrets. Secrets are write-only by design —
nobody can read a token back out of Cloudflare, so the administrator who sets it is the one who
distributes it, and rotating it instantly revokes every copy in circulation |
| Named tokens + audit | The console and the API share the same bearer surface —
the console is just an API client. The root token can mint named API tokens
(POST /api/admin/tokens) for each person or system; only a hash is stored, and
every change is attributed in the audit log (GET /api/admin/audit):
who, what, which badge, when. Rotating or revoking a named token never disturbs the others |
Don't have the token? This is what authorized administrators see — token accepted, issuance form, and full lifecycle control per badge:
Every admin decision is policy-as-code (Cedar)
Authorization here is not if-statements — the Worker asks the
Cedar policy engine (AWS's open-source authorization language, running as WASM inside
the Worker) for a PERMIT/DENY on every admin action. Who can do what is a
policy file, not application code — reviewable, diffable, and provably enforced:
// Named API tokens (machines: CI, billing, assessment platforms) —
// day-to-day automation only. Deliberately NOT permitted:
// badge.revoke — terminal certification death is a human decision
// token.* — a machine must never mint or revoke credentials
permit (
principal is BadgeAdmin::Token,
action in [
BadgeAdmin::Action::"badge.issue",
BadgeAdmin::Action::"badge.suspend",
BadgeAdmin::Action::"badge.reinstate",
BadgeAdmin::Action::"audit.read"
],
resource
);
| root token | Access human | named API token | |
| issue / suspend / reinstate | ✓ | ✓ | ✓ |
| revoke (terminal) | ✓ | ✓ | ✗ denied by policy |
| mint / revoke tokens | ✓ | ✓ | ✗ denied by policy |
| read audit log | ✓ | ✓ | ✓ |
Denials are themselves audit events (authz.deny) —
the log shows not just what happened but what was refused. For an accreditation body this is the
trajectory that matters: the same engine can compile compliance controls (NIST/OSCAL → Cedar) so that
"who may touch a certification" is continuously, mathematically enforceable — not a paragraph in an SOP.
How APIs drive the whole lifecycle
Nothing here requires a human at a keyboard. Every lifecycle event is an API call, which means the badge can be wired directly into the systems where certification events actually happen:
| Assessment close-out | C3PAO or assessment platform calls POST /api/admin/badges with just EIN + CAGE (the legal org name auto-resolves via SAM.gov) — the badge (and everything downstream: registry proof, the holder's embed) exists the moment certification does |
| Non-payment / lapse | Billing system calls POST …/suspend — badge goes dark on the holder's site until …/reinstate |
| Adjudicated violation | Case-management system calls POST …/revoke — terminal, propagates everywhere within the cache TTL (5 minutes) |
| Supplier onboarding | Procurement/GRC systems pull GET /credentials/{id} once, then watch GET /status/list — continuous monitoring of an entire supplier base from one signed document |
| Independent audit | Anyone verifies offline: check the Ed25519 proof against the published did:web key. The issuer never knows the check happened |
Why this matters
For the accreditation body
- Your registry becomes the product. Every badge is a live projection of your database — all trust flows back to your platform, not to screenshots of it.
- Enforcement with teeth. Today, revoking a certification changes a database row nobody looks at. Here it visibly removes the mark from the violator's website — within minutes, automatically.
- First-mover whitespace. No accreditation body offers an organization-level verifiable badge. ANAB, A2LA, PCI SSC all stop at directories for orgs and Credly for individuals.
- Standards, not lock-in. W3C Verifiable Credentials 2.0 + Open Badges 3.0 + Bitstring Status List — the stack that superseded blockchain credentialing. No ledger, no vendor dependency, auditable by anyone.
- A new class of service. The status list turns one-time certification into continuous assurance — something primes and insurers will pay to consume.
For the certified organization
- One paste, true forever. A single HTML snippet; no files to update, no expired logos, no compliance-marketing maintenance.
- Proof competitors can't fake. A copied image fails verification; a screenshot isn't a signature. Your badge is backed by the issuer's cryptographic key.
- Shortens diligence. When a prime's supplier-risk system can verify you in one API call, you clear onboarding gates faster than the vendor sending PDFs.
- Portable credential. The signed OB 3.0 credential is yours — present it in supplier portals, wallets, or bid packages, verifiable anywhere, no issuer round-trip.
- Fairness cuts both ways. The same mechanism that removes a revoked competitor's badge is what makes yours worth displaying.
All surfaces
| Client demo site | a certified company advertising its badge (persona 1) |
| Verification lookup | third-party attestation of any badge (persona 2) |
| Admin console | issue · suspend · revoke · reinstate (persona 3) |
| Status list | signed W3C Bitstring Status List (persona 4) |
| Issuer DID | did:web document with the Ed25519 public key (persona 4) |
Under the hood: one Cloudflare Worker, one D1 row per badge, Ed25519
eddsa-jcs-2022 proofs, and an embed that returns HTTP 410 the moment a badge stops being true.