Learn how to use WalletConnect Verify API to protect your users from phishing attacks. With Verify API, wallets can warn users or block malicious Web3 connections entirely. Meanwhile, Web3 apps can register and verify their domains so that supported wallets recognize them as trusted sites.
In this tutorial, you will learn how to:
- Add your trusted domain on Reown Dashboard.
- Configure Verify API (if you are a Web3 wallet) using WalletConnect to identify malicious sites.
This guide takes approximately 10 minutes to complete.
Let’s get started!
What is Verify API?
Verify API is a security-focused feature that allows wallets to notify end-users when they may be connecting to a suspicious or malicious domain, helping them to prevent their users from phishing attacks across the Web3 ecosystem.
Once a wallet knows whether an end-user is on uniswap.com or eviluniswap.com, it can help them to detect potentially harmful connections through Verify’s combined offering of WalletConnect domain registry.
Set Up your Domain on Dashboard
First, head over to Reown Dashboard. If you are a new user, please sign up if you haven’t already and create a new project for your Web3 app.
If you already have a project created for which you are trying to set this up, then please open your project on Reown Dashboard.
After you have selected/opened your project, click on “Domain” section and click on “+ Domain” to add and configure a new allowed domain. Within the input field, enter the complete URL of your Web3 app or domain as shown in the screenshot below.
Then, click on “Allowlist” to add the domain to your projectId’s allowlist. This will ensure that the domain of your Web3 app is on the allowlist to ensure that there no client-side warnings get thrown.
How to Verify your Domain as a Web3 App
WalletConnect’s Verify API no longer requires manual domain listing in the Cloud dashboard. Instead, it now automatically determines and checks your app’s domain when a wallet connects.
To be recognized as a trusted domain, two checks must pass:
- Domain Match: The wallet uses Verify API to compare the domain your app is running on against the app.metadata.url field. If they match, it’s considered valid.
- Scam Check: The domain is checked against WalletConnect’s Data Lake API, which flags known scam domains using upstream threat feeds and manual overrides.
If both checks pass, the wallet shows your app as trusted. If there’s a mismatch or scam flag, the wallet warns the user or blocks the connection.
How to Integrate Verify API as a Web3 Wallet
To integrate Verify API into your wallet, use the WalletKit SDK to perform domain verification when connecting to a Web3 app.
When a dApp connects, WalletKit provides a VerifyContext object containing:
- The domain the user is currently on
- The app.metadata.url provided by the app
- A verification status (VALID, INVALID, THREAT, UNKNOWN)
Your wallet can use this to:
- Check domain consistency between the app's actual domain and its claimed metadata.
- Perform a scam lookup using the Data Lake API to detect phishing or malicious domains.
- Warn users or block connections when the domain is flagged or doesn't match.
You don’t need to maintain any manual domain allowlists; all validation is handled via the SDK and WalletConnect APIs.
Navigate to the full integration docs 👉 here and select the framework or library that your Web3 wallet is built with to get the full integration guide.
Conclusion
And that’s it! You’ve now learned how to use WalletConnect Verify API to protect your users from phishing, whether you’re building a Web3 wallet or app.
By verifying your domain and integrating WalletConnect, you can add an extra layer of trust and security to your user experience.