Description
Matrix identity claim verification on keyoxide.org consistently fails with "The claim COULD NOT BE verified by the proof" despite the proof being correctly set up and the Matrix event being accessible.
Setup
- OpenPGP fingerprint:
0A993B268654DBBA52B7E8D3FCF653391E2C91FC - Keyoxide profile: https://keyoxide.org/0A993B268654DBBA52B7E8D3FCF653391E2C91FC
- Matrix user:
@jmrplens:matrix.jmrp.io - Keyoxide version: keyoxide-web/5.1.0+3f51dc5c8c
PGP notation (on all UIDs):
proof@ariadne.id=matrix:u/jmrplens:matrix.jmrp.io?org.keyoxide.r=dBfQZxCoGVmSTujfiv:matrix.org&org.keyoxide.e=tsThbgplkWUMLHnv_q4PgzfjqFkZ4QSMGI0vWwqwWb8
Matrix proof event posted in #doipver:matrix.org:
{
"sender": "@jmrplens:matrix.jmrp.io",
"content": {
"msgtype": "m.text",
"body": "openpgp4fpr:0A993B268654DBBA52B7E8D3FCF653391E2C91FC"
},
"event_id": "",
"type": "m.room.message"
}
What Keyoxide shows
@jmrplens:matrix.jmrp.io [Matrix]
Profile link: https://matrix.to/#/@jmrplens:matrix.jmrp.io
Claim verification has completed.
The claim COULD NOT BE verified by the proof.
Root cause analysis
After investigating the doipjs source code src/fetcher/matrix.js, the Matrix fetcher requires server-side credentials:
const url = `https://INSTANCE/_matrix/client/r0/rooms/ROOMID/event/EVENTID?access_token=TOKEN`
This means keyoxide.org must have a Matrix bot account that:
- Has a valid access token (
opts.claims.matrix.accessToken)
The event IS accessible — I verified it directly via the Matrix Client-Server API using an authenticated account that is a member of the room. The event exists, contains the correct fingerprint, and was sent by my Matrix identity.
The Keyoxide bot appears to have lost access — either the access token has expired/been revoked, or the bot is no longer a member of the #doipver:matrix.org room.
Evidence this is a known systemic issue
-
Issue #86 (Discord) — When implementing Discord verification, the developer explicitly states: "the Matrix approach does not work" as justification for using a different approach for Discord. This suggests developers are already aware Matrix verification is broken.
-
PR #26 (Decentralized Matrix verification) — Proposed switching from the centralized
#doipver:matrix.orgroom to a decentralized approach using room topics. This PR has been open since September 2022 and is stalled due to federation issues (room previews returnM_FORBIDDENacross instances). -
Issue #67 (Reddit) — Shows a similar pattern where an external service loses access and verification silently breaks for all users.
Impact
- All Matrix claim verifications on keyoxide.org are broken, not just mine
- Users follow the documentation, set everything up correctly, but verification always fails
- There is no error message indicating this is a server-side issue — users are left debugging their own (correct) setup
Suggested fixes
Short-term: Restore the Matrix bot access to #doipver:matrix.org on keyoxide.org (refresh the access token and/or rejoin the room).
Long-term (any of these):
- Merge/revive PR #26 decentralized approach (room topic-based verification instead of centralized room)
- Add a health check endpoint that monitors whether the Matrix bot can access the room
- Add a clear error message when the server-side Matrix fetcher fails (currently fails silently as "could not verify")
- Document the centralized room dependency so self-hosters know they must configure their own Matrix bot
Environment
- doipjs version: as used by keyoxide-web 5.1.0
- Matrix homeserver: matrix.jmrp.io (Synapse v1.147.1, federated with matrix.org)