certscore

How CertScore Verifies Your Credentials: A Transparency Guide

A detailed look at how CertScore verifies professional credentials from Credly, Accredible, and EC-Council, and why verification status matters for trust.

By Rajat Ravinder Varuni

How CertScore Verifies Your Credentials

At CertScore, trust is everything. When you add a professional certification to your profile, we don’t just take your word for it. We verify it directly with the credential provider. This post explains exactly how that process works, what each verification status means, and why some credentials receive a higher trust level than others.

The Three Verification Tiers

Every credential on CertScore receives one of three verification statuses:

✅ Verified (Gold Standard)

What it means: We have cryptographic proof that the credential belongs to you.

How it works: The credential provider offers an API that lets us verify ownership through an email hash comparison. We hash your account email and compare it against the hash stored by the provider. If they match, the credential is mathematically proven to belong to you. No one else could produce that match.

Points: Full points awarded based on certification tier.

🟡 Self-Reported

What it means: We confirmed the credential exists and is valid, but cannot cryptographically prove it belongs to you.

How it works: We fetch the credential from the provider’s public verification page and check that the name matches your profile. While this confirms the credential is real, anyone can view a public verification page, so name matching alone isn’t enough to prove ownership.

Points: 0 points awarded. Self-reported credentials appear on your profile for visibility, but don’t count toward your CertScore until the provider offers a verification API.

❌ Rejected

What it means: We could not verify the credential, or the identity information didn’t match.

How it works: This happens when the name on the credential doesn’t match your CertScore profile, the credential URL is invalid, or the credential has been revoked.

Platform-by-Platform Breakdown

Credly (Acclaim): ✅ Verified

Credly is the gold standard for credential verification. Here’s why:

  1. You submit your Credly badge URL (e.g., credly.com/badges/abc123)
  2. We fetch the badge data from Credly’s public API, confirming the credential exists, is valid, and hasn’t expired
  3. We retrieve the OBI (Open Badges Infrastructure) assertion, which is the W3C standard badge data that includes a hashed email
  4. We hash your CertScore email using the same algorithm (SHA-256 with salt) and compare it to the hash in the badge assertion
  5. If the hashes match, the credential is cryptographically verified as yours

This process follows the Open Badges 2.0 specification, an industry standard for digital credential verification. The email hash comparison means that even if someone knows your badge URL, they cannot claim it on CertScore without access to the email address associated with the badge.

Result: verified status, full points awarded.

Accredible (credential.net): ✅ Verified or 🟡 Self-Reported

Accredible supports the OBI standard, but not all credentials include the email hash. Here’s the flow:

  1. You submit your Accredible credential URL (e.g., credential.net/abc123)
  2. We fetch the credential data from Accredible’s public API
  3. We look for an OBI badge assertion with an email hash
  4. If found: We perform the same SHA-256 hash comparison as Credly, and the result is verified
  5. If no hash exists: We can confirm the credential is real but cannot prove ownership, so the result is self_reported

The verification status depends on how the issuing organization configured their Accredible account. Many issuers enable full OBI compliance, but some don’t include the recipient email hash.

Result: verified (with email hash) or self_reported (without email hash).

EC-Council (ASPEN): 🟡 Self-Reported

EC-Council certifications (CEH, CCISO, CND, etc.) are among the most respected in cybersecurity. Unfortunately, EC-Council’s ASPEN verification system does not currently offer an API or email hash verification mechanism. Here’s what we do:

  1. You submit your ASPEN verification URL (e.g., aspen.eccouncil.org/VerifyBadge?type=certification&a=...)
  2. We fetch the public verification page and parse the credential details (certification name, cert number, issue date, expiry date)
  3. We check that the name on the credential matches your CertScore profile. If it doesn’t, the request is rejected to prevent someone from claiming another person’s certification
  4. If the name matches, the credential is imported as self_reported

Why not verified? EC-Council’s ASPEN system is a public, read-only webpage. It provides no authenticated API, no email hash endpoint, and no mechanism for a credential holder to programmatically prove ownership to a third-party platform. Anyone who knows a certification holder’s name could potentially view their public ASPEN page.

We have reached out to EC-Council requesting the addition of an email hash API or verification endpoint. Until such a mechanism exists, all EC-Council credentials on CertScore are marked as self-reported and award 0 points.

Result: Always self_reported, 0 points.

Why This Matters

The distinction between “verified” and “self-reported” exists to protect the integrity of the CertScore leaderboard and the value of your profile:

  • For employers: A verified credential means the person demonstrably holds the certification. No ambiguity.
  • For credential holders: Verified status gives your credentials more weight and earns points toward your CertScore ranking.
  • For the community: The leaderboard reflects genuine, verified expertise, not just claimed certifications.

What We’re Doing About It

We’re actively working with credential providers to expand verified status:

  • Credly: Full verification support ✅
  • Accredible: Full verification support (when issuers enable OBI email hashing) ✅
  • EC-Council: We’ve formally requested API access and OBI compliance. We’ll update this post when their ASPEN system supports programmatic verification.

If you’re an EC-Council certification holder, we understand this is frustrating. Your CEH, CCISO, or CND certification is just as valuable. The limitation is purely technical on EC-Council’s end. We encourage credential holders to contact EC-Council and request they adopt the Open Badges standard or provide a verification API.

Our Commitment to Transparency

CertScore is built by a 501(c)(3) nonprofit. We have no financial incentive to favor one credential provider over another. Our verification standards are based solely on what each provider’s technology allows us to prove.

Every verification request is logged, rate-limited (15 per hour per user), and monitored. Our edge functions are instrumented with error tracking, and our infrastructure is monitored 24/7 via our status page.

If you have questions about how your credential was verified, reach out to us at support@certscore.org.

Last updated: February 16, 2026

Back to Blog