> ## Documentation Index
> Fetch the complete documentation index at: https://docs.veriflowapi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Certificates

# Verification Certificates

Every verification performed through VeriflowAPI generates a signed certificate. Certificates provide a tamper-proof audit trail that proves a verification was performed at a specific point in time using specific data sources.

## What is a verification certificate?

A verification certificate is a cryptographically signed record containing:

* The verification ID
* The provider details verified
* The data sources checked
* The result of the verification
* A precise timestamp
* A SHA256 hash signature

Certificates are useful for regulatory audits, compliance documentation, and legal defensibility. If you are ever asked to prove that you verified a provider's credentials before onboarding, a VeriflowAPI certificate provides that proof.

## Certificate fields

Every verification response includes two certificate-related fields:

| Field              | Description                                                                                           |
| ------------------ | ----------------------------------------------------------------------------------------------------- |
| `verification_id`  | Unique identifier for this verification. Use this to retrieve the full certificate.                   |
| `certificate_hash` | SHA256 hash of the signed certificate. Use this to verify the certificate has not been tampered with. |

## Retrieve a certificate

```
GET https://api.veriflowapi.com/v1/certificate/{verification_id}
```

### Response

```json theme={null}
{
  "verification_id": "vrf_a1b2c3d4e5",
  "issued_at": "2026-02-20T10:30:00Z",
  "provider": {
    "name": "Dr. Sarah Chen",
    "npi": "1234567890",
    "license_number": "ME149820",
    "state": "Florida"
  },
  "result": {
    "verified": true,
    "status": "active",
    "expiry_date": "2027-06-30",
    "disciplinary_flags": false,
    "oig_excluded": false
  },
  "sources_checked": ["NPPES", "OIG", "FL Department of Health"],
  "certificate_hash": "sha256_9f8e7d6c5b4a3b2c1d...",
  "signature": "vrf_sig_a1b2c3d4e5f6g7h8..."
}
```

## Download PDF certificate

```
GET https://api.veriflowapi.com/v1/certificate/{verification_id}/pdf
```

Returns a PDF version of the certificate suitable for storage in compliance documentation systems or sharing with auditors.

The PDF includes:

* VeriflowAPI letterhead
* All verification details
* QR code linking to the online verification record
* Digital signature

## Certificate retention

VeriflowAPI retains all verification certificates for a minimum of **7 years** from the date of issue, in line with standard healthcare compliance record retention requirements.

Certificates are available via API at any time during the retention period using the original `verification_id`.

## Verifying certificate integrity

You can verify that a certificate has not been tampered with by recomputing the SHA256 hash of the certificate body and comparing it to the `certificate_hash` field.

```python theme={null}
import hashlib
import json

def verify_certificate_integrity(certificate):
    # Extract the hash from the certificate
    expected_hash = certificate.pop('certificate_hash')
    
    # Compute hash of remaining certificate body
    body = json.dumps(certificate, sort_keys=True).encode()
    computed_hash = 'sha256_' + hashlib.sha256(body).hexdigest()
    
    return computed_hash == expected_hash
```
