# SSAFY Verify

> SSAFY 구성원 본인인증을 외부 앱에 연동하기 위한 Verify API.

Canonical issuer: https://verify.myknow.xyz
Canonical API/docs base URL: https://verify.myknow.xyz

Use Verify API for every v1 integration. OIDC login is planned for v2 and is not part of the public v1 quickstart.
The recommended basic integration is a verification page plus a server token exchange route.
The Hosted SDK creates or receives state, waits for the popup callback message, validates origin and state, and only then resolves the callback Promise.
The canonical Hosted SDK URL is https://verify.myknow.xyz/sdk/ssafy-verify.js. No pre-public compatibility alias is supported.

Canonical quickstart:

- Quickstart: https://verify.myknow.xyz/docs/quickstart
- Quickstart Markdown: https://verify.myknow.xyz/docs/quickstart.md
- Platform quickstarts: https://verify.myknow.xyz/docs/platforms
- React: https://verify.myknow.xyz/docs/platforms/react
- Vue: https://verify.myknow.xyz/docs/platforms/vue
- Backend token exchange: https://verify.myknow.xyz/docs/platforms/backend
- Mobile official scope: https://verify.myknow.xyz/docs/platforms/mobile
- Swift iOS deep link notes: https://verify.myknow.xyz/docs/platforms/swift
- Kotlin Android deep link notes: https://verify.myknow.xyz/docs/platforms/kotlin
- Flutter deep link notes: https://verify.myknow.xyz/docs/platforms/flutter
- Full AI context: https://verify.myknow.xyz/llms-full.txt
- Verify API: https://verify.myknow.xyz/docs/verify-api
- Errors: https://verify.myknow.xyz/docs/errors

Important rules:
- Use https://verify.myknow.xyz as the only canonical issuer.
- Verify token exchange uses grant_type=verification_code.
- PKCE S256 and state are required.
- Use only https://verify.myknow.xyz/sdk/ssafy-verify.js for Hosted SDK loading.
- Hosted SDK verify({ waitForCallback: true }) resolves only after callback state matches the request state.
- Partner backend routes must schema-validate code, codeVerifier, redirectUri, and iss before calling /verify/token.
- verification_token validation must check iss, aud, exp, sub, client_id, verified, auth_time, amr, and acr.
- client secret is server-only and only for confidential clients.
- Embedded WebView authorization is Unsupported / Do not use.
- callback success contains code, state, iss.
- callback iss must match https://verify.myknow.xyz before backend exchange.
- /verify/token result.auth_time is an ISO string, while verification_token auth_time is JWT NumericDate seconds.
- ssafy.profile_image is separate from ssafy.name and returns picture only when approved and requested.
- SSAFY Verify original API errors use error.code and error.request_id; partner app examples convert them to errorCode and requestId for their own frontend.
- SSAFY Verify original public errors contain error.code and error.request_id; partner app responses may expose errorCode and requestId.
- ssafy.mattermost_id is optional and should be requested only for migration or mapping from an existing Mattermost-authenticated project.
- Mattermost raw user.id is the stable provider user id; username is a mutable display/login helper.
- Cohort is derived from Mattermost team context, not from the raw user object.
- OIDC login is planned for v2; do not use OAuth/OIDC endpoints for new public v1 integrations.