This is an archived page. It's not actively maintained.

Remote Verification API

On November 30th, 2016, Mozilla shut down the services. and related domains will soon be taken offline.

For more information, see this guide to migrating your site away from Persona:


When a user tries to log into a website, their browser generates a data structure called an assertion, which is essentially a cryptographically signed email address. The browser sends this assertion to the website, which must verify that the assertion is valid before logging the user in.

Assertions can be verified locally, or with an API hosted at This page describes how to use the API.


HTTP POST request to


The assertion supplied by the user. Available as the first parameter passed to the onlogin function in
The protocol, domain name, and port of your site. For example, "".

Return values

The call returns a JSON structure containing a status element, which may be either "okay" or "failure". Depending on the value of status, the structure contains additional elements listed below.


The assertion is valid.

In this case the JSON structure contains the following additional elements:

"email" The address contained in the assertion, for the intended person being logged in.
"audience" The audience value contained in the assertion. Expected to be your own website URL.
"expires" The date the assertion expires, expressed as the primitive value of a Date object: that is, the number of milliseconds since midnight 01 January, 1970 UTC.
"issuer" The hostname of the identity provider that issued the assertion.


The assertion is invalid. In this case, the JSON structure contains one additional element:

"reason" A string explaining why verification failed.



This example uses a node.js server using express.js

var express = require("express"),
    app = express.createServer(),
    https = require("https"),
    querystring = require("querystring");
/* ... */

// The audience must match what your browser's address bar shows,
// including protocol, hostname, and port
var audience = "http://localhost:8888";"/authenticate", function(req, res) {
  var vreq = https.request({
    host: "",
    path: "/verify",
    method: "POST"
  }, function(vres) {
    var body = "";
    vres.on('data', function(chunk) { body+=chunk; } )
        .on('end', function() {
          try {
            var verifierResp = JSON.parse(body);
            var valid = verifierResp && verifierResp.status === "okay";
            var email = valid ? : null;
   = email;
            if (valid) {
              console.log("assertion verified successfully for email:", email);
            } else {
              console.log("failed to verify assertion:", verifierResp.reason);
              res.send(verifierResp.reason, 403);
          } catch(e) {
            console.log("non-JSON response from verifier");
            // bogus response from verifier!
            res.send("bogus response from verifier!", 403);


  vreq.setHeader('Content-Type', 'application/x-www-form-urlencoded');

  var data = querystring.stringify({
    assertion: req.body.assertion,
    audience: audience

  vreq.setHeader('Content-Length', data.length);

  console.log("verifying assertion!");

via Lloyd Hilaiel


$url = '';
$assert = filter_input(
//Use the $_POST superglobal array for PHP < 5.2 and write your own filter
$params = 'assertion=' . urlencode($assert) . '&audience=' .
$ch = curl_init();
$options = array(
    CURLOPT_URL => $url,
    CURLOPT_POST => 2,
    //CURLOPT_SSL_VERIFYPEER => true,   //This currently blocks connection to ''

curl_setopt_array($ch, $options);
$result = curl_exec($ch);
echo $result;

Via Christian Heilmann


protected void doPost(final HttpServletRequest req,
   final HttpServletResponse resp) throws ServletException,
   IOException {

   final String audience = req.getServerName();
   final String assertion = req.getParameter("assertion");
   final Verifier verifier = new Verifier();
   final BrowserIDResponse personaResponse = verifier.verify(assertion,audience);
   final Status status = personaResponse.getStatus();

   if (status == Status.OK) {
     /* Authentication with Persona was successful */
     String email = personaResponse.getEmail();"{} has sucessfully signed in", email);
     HttpSession session = req.getSession(true);
     session.setAttribute("email", email);

   } else {
     /* Authentication with Persona failed */"Sign in failed...");


Via Javier


Note: If you send the assertion and audience parameters as a JSON-object, they must not be URL-encoded. If they are sent as regular HTTP POST parameters, as in the example above, they must be URL-encoded.