WalletConnect’s Verify API is an easy-to-implement security feature that can enable your wallet to help users engage in a safer web3 experience. We have already covered the steps to verify a domain here. Implementing Verify API in your wallet can help your users to better determine the legitimacy of the website they are trying to interact with, using relevant cues and messages you choose to provide. In this guide, I’ll walk you through a step-by-step tutorial on how to integrate Verify API, which should give you a clear and straightforward understanding of how you can distinguish requests more effectively.
What is Verify API?
Verify API is a security-focused feature that allows wallets to notify end users when they may be connecting to a suspicious or malicious domain, helping to prevent phishing attacks across the industry. By combining WalletConnect’s domain registry with industry-leading security tools like Blowfish and BlockAid, Verify API enables wallets to support their users in detecting potentially harmful connections.
The Verify security system sorts session requests into four cases.
- Domain match: The domain linked to this request has been verified as this application's domain. This interface appears when the domain a user is attempting to connect to has been “verified” in our domain registry as the registered domain of the application. Furthermore, the domain has not been flagged as suspicious by either of the security tools we work with.
- Unverified: The domain sending the request cannot be verified. This interface appears when the domain a user is attempting to connect to has not been verified in our domain registry. In this case, the domain has not been flagged as suspicious by either of the security tools we work with.
- Mismatch: The application's domain doesn't match the sender of this request. This interface appears when the domain a user is attempting to connect to has been flagged as different from the one this application has verified in our domain registry. In this case, the domain has not been flagged as suspicious by either of the security tools we work with.
Along with these, verifyContext exposes an isScam field, which indicates whether a domain has been detected as a Threat.
- Threat: This domain is flagged as malicious and potentially harmful. This interface appears when the domain a user is attempting to connect to has been flagged as malicious on one or more of the security tools we work with.
This ensures that Verify API can better distinguish session requests based on their sender.
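A wallet-side sketch of the four cases above, added here as an example and not taken from WalletConnect's code. Only verifyContext and isScam are named on this page; the validation values (VALID, INVALID, UNKNOWN), the origin field, the proposer metadata.url path and the extraConfirm policy are assumptions made for illustration.

```javascript
// Added example, not WalletConnect's code. Only verifyContext and isScam are named
// on the page; validation, origin and metadata.url are assumed field names.
const STATES = {
  THREAT:     { label: "Threat",       severity: 3, extraConfirm: true  },
  MISMATCH:   { label: "Mismatch",     severity: 2, extraConfirm: true  },
  UNVERIFIED: { label: "Unverified",   severity: 1, extraConfirm: false },
  MATCH:      { label: "Domain match", severity: 0, extraConfirm: false },
};

// Hostname for display, or null if the value is missing or not a URL.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}

function classifyProposal(proposal) {
  const verified = proposal?.verifyContext?.verified;
  let state;
  if (verified?.isScam === true) state = STATES.THREAT; // wins over any validation result
  else if (verified?.validation === "VALID") state = STATES.MATCH;
  else if (verified?.validation === "INVALID") state = STATES.MISMATCH;
  else state = STATES.UNVERIFIED; // UNKNOWN, missing context, or unexpected value
  const originHost = hostOf(verified?.origin);
  const claimedHost = hostOf(proposal?.params?.proposer?.metadata?.url);
  return {
    ...state,
    // Prefer the origin reported in verifyContext; metadata.url is supplied by the dapp itself.
    displayHost: originHost ?? claimedHost,
    selfReportedOnly: originHost === null,
  };
}

// Constructed sample proposals (hosts are placeholders).
const meta = (url) => ({ proposer: { metadata: { url } } });
const samples = {
  match:      { params: meta("https://app.example"), verifyContext: { verified: { validation: "VALID", origin: "https://app.example" } } },
  mismatch:   { params: meta("https://app.example"), verifyContext: { verified: { validation: "INVALID", origin: "https://other.example" } } },
  unverified: { params: meta("https://new.example"), verifyContext: { verified: { validation: "UNKNOWN", origin: "https://new.example" } } },
  threat:     { params: meta("https://app.example"), verifyContext: { verified: { validation: "VALID", origin: "https://bad.example", isScam: true } } },
  noContext:  { params: meta("https://app.example") },
};

for (const [name, p] of Object.entries(samples)) {
  const r = classifyProposal(p);
  console.log(name, "->", r.label, r.displayHost, r.extraConfirm ? "(extra confirmation)" : "");
}
```

Checking isScam first means a flagged domain is shown as a Threat even when its registry validation passes, and a request with no verifyContext falls back to Unverified rather than being treated as a match.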