An independent verifier — it signs claims, it doesn’t host the profile.
Trusted EIN Check hosts its own /.well-known/ucpon its own domain and publishes its signing keys there. It signs an attestation about a nonprofit’s EIN; the nonprofit carries that signed object in its profile but cannot forge it. Any reader verifies the signature against Trusted EIN Check’s published key — trust flows from the verifier’s domain, never the nonprofit’s.
Verifier discovery document: /v/trustedeincheck.com/.well-known/ucp
Review the claim & issue an attestation
The nonprofit asserts an EIN in its profile. Trusted EIN Check runs a KYB check, then signs an attestation with its own key vouching that the EIN belongs to this organization.
Seeded demo nonprofit: eastsideshelter.org (EIN 12-3456789).
The nonprofit accepts, then it's published
Once the nonprofit accepts the offer in their Verifications inbox, it appears in their /.well-known/ucp — but they cannot alter it. Fetch the live document and verify it independently.
This reads the nonprofit’s public profile, so it works any time — but it only finds the attestation once the nonprofit has accepted it.
A platform verifies the claim
Each check runs against live data. Crucially, the signature is verified against the key fetched from the verifier’sdomain — not the nonprofit’s.