Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Digitally verifiable certificates have emerged as a solution to help open up businesses and travel globally during the ongoing COVID-19 pandemic. There are four major COVID-19 certificate schemas popularly used in the world today:
ICAO-VDS
As the interoperability of these certificate schemas is critical to streamline the international travel process, DIVOC has added the ability to issue digital certificates in the EU-DCC and SmartHealthCard formats, in addition to the native DIVOC COVID-19 certificate format. This will enable citizens of a country, which is using a DIVOC certificate system, to export their native certificates in a format that is acceptable in the travel destination country.
Note: DIVOC will also add the capability to export the certificates in the ICAO-VDS format in 2022.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
DIVOC’s W3C-based digital certificate consists of three core components:
Credential metadata (schema version credential/certificate ID, etc).
Claim (vaccination event details).
Proof (issuer details, date of issue, time stamp, signature, etc).
The DIVOC digital certificate QR code includes the following data structure:
To illustrate the data structure of DIVOC certificate outputs, a sample certificate payload is outlined below:
| Basic components | Information sections | Description |
|---|---|---|
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Credential metadata
Certificate context
Sets the context, which establishes the special terms.
Certificate identifier
Specifies the identifier for the credential.
Credential type
Declares what data to expect in the credential.
2. Claim
Credential subject
Assertion about the subjects of the credentials.
Event block
When the credential was issued.
Issuer details
The entity that issued the credential.
3. Proof
Signature type
Digital proof that makes the credential tamper-evident. Cryptographic signature suite that was used to generate the signature.
Date of signature
When the signature was created.
Digital signature value
Identifier of the public key
That can verify the signature.
The verification component of the DIVOC certificate service checks for two things:
An issued certificate is valid (that is, the document is currently ‘live’ and is not a revoked document).
The document is authentic (that is, the document has not been tampered with).
DIVOC supports offline verification of the QR code-based digital certificates to support verification of certificates in connectivity restricted regions and make it more user-friendly.
The QR code can be verified by third-party authorised verifier applications to enable domestic and cross-border verification of DIVOC-issued certificates.
Use the following steps to verify a DIVOC certificate:
Scan to detect the QR code.
The verification component uses the QR code reader libraries to read the contents of the QR code embedded in the certificate.
Once the QR code is detected by the camera, it reads the binary data encoded in the QR code. (the binary data will be in zipped format).
The decompressed Json in the QR code is authenticated using a signing method mentioned in the proof section of the QR code content
After unzipping it, you will get a certificate.json file (certificate.json will have the signed, json-ld formatted VaccineCertificate).
Json-ld signature will be verified against the public key that is issued by the issuing authority.
On successful verification, the revoked API is called to check if a certificate has been revoked or not.
Once the signature and revocation are verified, the success screen is shown with beneficiary and vaccine details.
Since it is offline verification, the verifier will need to download the CRL within the verifier application. The verification service will also go through the CRL and check for the certificate's revoked status.
Please note: In addition to supporting verification by third-party verifiers, DIVOC also provides a verification portal. The portal works on a web browser as well as on a mobile phone browser, and it can be also used by verifying authorities to verify DIVOC-certificates in an “offline” capacity.
DIVOC provides a public portal that allows verifiers (including self-verification by beneficiaries) to verify certificates.
Next,
Scan the QR code.
On successful verification, certificate details will be shown on the screen.
On unsuccessful verification (unauthenticated/fraudulent certificates), the message will be shown as “Certificate Invalid.”
Using the DIVOC certificate generation service, a country can issue a QR code-based digitally verifiable certificate, which serves as proof of the health event, such as the COVID-19 vaccination. It involves an issuer (for example, a government department), a holder (for example, the citizen of a country), and a verifier (for example, security personnel at the airport).
All DIVOC issued digital certificates are based on the globally accepted W3C-Verifiable Credential Data Model 1.0.
DIVOC uses this data model for encoding the event data into the digital certificate’s QR code. DIVOC also uses a PKI mechanism to cryptographically sign all QR codes in the issued digital certificates.
Popular cryptographic signing algorithms (like RSA, EDDSA) are adopted in the DIVOC certificate QR signing process.
A. Holder: Someone who possesses one or more verifiable credentials as a proof of an event/identified use case and is responsible for generating presentations from them. In DIVOC’s vaccination use case, it is the vaccine recipient or beneficiary.
B. Issuer: Reefers to a legal entity that asserts claims about the holder or subject about a verifiable event or an identified use case by issuing a verifiable credential to a holder. Issuers may include central/state governments, authorities, corporations, etc. For instance, in the COVID 19 vaccine scenario, the issuer could be the issuing country or legal authorities.
C. Subject: An entity about which the verifiable claim is made by the issuer, for example, beneficiary or vaccine dose recipient.
D. Verifier: An entity who is responsible for verifying an issued credential. In the COVID-19 travel scenario, verifiers are the arrival country authorities that require a verifiable COVID-19 vaccine proof for allowing access to services and border entries.
E. Verifiable data registry: This refers to a role that a system may perform by mediating the creation and verification of identifiers, keys, and other relevant data, such as verifiable credential schemas, revocation registries, issuer public keys, and so on, which may be required to use verifiable credentials.
The purpose of this document is to provide information about the certificate generation service of DIVOC. It has the following sections:
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
This section describes the key features of DIVOC and how they work.
Countries can use the DIVOC's certificate module to issue digitally verifiable certificates to the entire population at speed and scale in a controlled manner post-vaccination.
This module is responsible for issuing a QR code-based digital certificate for any registered health event. It can be adapted to other areas too where there is a requirement for secure and tamper-proof documents, such as educational certificates.
The certificates can be issued in both digital and physical forms, which includes print, pdf, and other formats.
The module supports multilingual vaccination certificate templates.
Generates WHO-DDCC (World Health Organisation- Digital Documentation of COVID-19 Certificates) compliant digital vaccination certificates with a W3C (World Wide Web Consortium) JSON schema, for every resident after successful inoculation.
To aid travel into other countries, the certificate module supports on-demand services for travellers to export their vaccination certificates to other formats (e.g. EU-DCC, SmartHealthCard), used in the destination countries.
The module supports additional services, including certificate verification, certificate update/correction, and certificate revocation.
The public key of the adopter country can be published using DIVOC’s verification page that can be embedded into the country's vaccination program-specific website/portal.
This section covers the following:
Certificate generation process
Certify APIs
API structure
It involves the following steps:
Recording of a health event against a unique beneficiary, either in the source eHealth system (or in the DIVOC vaccination module, if used by a country, for their vaccination campaign). This results in the creation of the dataset for the specific event.
The event records all transactions associated with it (e.g. beneficiary demographics, vaccinator/facility details, certificate metadata, and timestamp, among others).
Marking the completion of the "event" in the system triggers a DIVOC certificate generation API (or “Certify” API), with the event data populated as per the defined API structure.
DIVOC’s certificate module receives the event data.
A digital certificate, encompassing both a QR code and a human readable document (e.g. PDF) is then issued, which holds the event data for the beneficiary, along with a unique certificate ID.
The QR code is signed with the issuing authority (e.g. national/provincial health agency) private key.
A summary of the health event is then used to populate the “human readable” part of the digital certificate.
The generated output has two parts:
It has a human-readable document (e.g. the PDF) and the machine-readable QR (the signed QR).
The digital certificate can be presented back to the source system in either of the ways (i.e. either just the signed QR as an image file, or the entire PDF output with the signed QR).
A sample DIVOC certificate output is further illustrated in the image below:
The DIVOC certificate generation service provides a “Certify” API for other eHealth systems, to generate digital certificates for specific events. Currently, DIVOC provides two certify APIs for a “COVID-19 vaccination certificate” and “COVID-19 test result certificate” respectively.
The API structure for the Certify API includes the following:
Recipient information: This section contains information about the beneficiary of the specific health event (e.g. COVID-19 vaccination or test event).
Vaccination event information: This includes details about the vaccination event such as name, batch, and vaccination date, as well as the vaccinator.
Issuer information: It contains information about the issuing authority.
Certificate information: It includes details such as certificate ID and expiry date, among others.
Meta: This part is used to populate related information about a previous event in the human-readable PDF twin of the digital certificate that can be used by the verifier for cross-reference. It contains additional information, which is not part of the current QR code (the QR code only contains information about the current event), such as the number of past doses taken. For example, If a QR code is generated for the final dose certificate, the QR code will contain all information about the final dose. If a country wants to show information about the previous dose, that can be populated from meta in the certificate PDF.
The purpose of this document is to outline the features of DIVOC's certificate distribution service.
DIVOC offers several ways in which countries can distribute certificates at scale.
The platform is designed to facilitate multiple certificate distribution methods, which includes:
- Printed paper certificate with QR code.
- Digital certificate distribution - download and share QR code via URL link, email attachments, smartphone with user authentication.
- By integrating with a country's vaccination portal, health wallets, PHR, consumer, or travel applications.
- Countries can also distribute certificates for a health event via DIVOC’s Citizen Portal.
After a health event such as vaccination, citizens can log in to the Citizen Portal with their registered mobile number, and they are given the option to securely download the certificate in PDF or other formats with added user authentication.
The DIVOC certificate distribution service provides a get API so that certificates can be downloaded or printed for specific events. For fetching the right certificate, the get service requires a “pre-enrollment code,” and the latest certificate is fetched.
The get certificate receives the preEnrollmentCode (beneficiary id) as input:
GET {domain}/certificate/api/certificatePDF/{beneficaryId}
Once it receives the input, it,
gets all certificates associated with preEnrollmentCode from the database.
gets the latest dose certificate by grouping the certificates by dose, and order them by their timestamps.
creates the QR code from signed certificate data.
using the above-generated QR code and certificate information, it creates a PDF.
Similarly, there are APIs in certificate-api service which can return the QR code as a png image, which follows the same step as above (till the third point):
GET /certificate/api/certificateQRCode/{beneficaryId}
We also have an API to check if a beneficiary has a certificate generated, which follows the same step as above (till the second point):
HEAD {domain}/certificate/api/certificatePDF/{beneficaryId}
Certificates can be scanned and verified on the following URL: and clicking on “Verify.”
All content on this page by is licensed under a .
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
| API type | API reference link |
|---|---|
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
If using DIVOC’s citizen portal, the home screen of the Citizen Portal has a “Download” button in the “Download your Vaccination Certificate” section. Citizens can click the button and they will be asked to log in using their registered mobile number to download the certificate. To understand how it works, you can check our demo section on .
All content on this page by is licensed under a .
“Certify” for vaccination events
“Certify” for test result events
This document refers to the revocation of a digital certificate issued to a person. DIVOC’s certificate revocation service will help stakeholders of a program to revoke digital certificates, according to the issuing authority’s predefined policy.
For example, during a COVID-19 vaccination campaign, the vaccination certificate issued to a person, as digitised proof of the event, can get revoked due to multiple reasons like:
errors in the information encoded in the digital certificate.
wilful tampering of the digital certificate (QR or PDF output) by external entities who have gained unauthorized access to the certificate data contents.
or if a specific batch of vaccines is found to be faulty, among others.
The purpose of this document is to provide an overview of the certificate revocation service offered by DIVOC. It describes the steps involved in the revocation process, as well as the maintenance of the revoked certificate list for verifiers.
DIVOC has enabled a “Revoke API” that can be used to revoke an issued certificate for manual revocation use cases.
The API uses a “beneficiary ID/pre-enrollment code” and either the “dose number(s)” or the “all doses” flag as input parameters to search and fetch the certificate(s) that need to be revoked from the certificate registry.
If the “dose number(s)” parameter is passed, it must be a sequential list of doses that includes the latest dose.
DIVOC stores the revoked certificate ID within a centrally-maintained “certificate revocation list (or CRL).”
DIVOC maintains a certificate revocation list to store certificate IDs of the revoked certificates. The revocation list can be hosted by an issuing authority (either inside or outside its central certificate registry) or can be periodically downloaded as a file and stored by a verifier application.
When a revoked certificate’s QR code is scanned using the DIVOC’s online verification service, the service searches the CRL for the certificate ID to check if the certificate is a valid or revoked certificate.
If the certificate ID is found in the CRL of the scanned QR code, the verification screen displays the certificate as revoked.
Each CRL has a serial number, time, and date on which the certificate was revoked.
It includes the date and time when the CRL was published, and when the next update to the CRL will be published.
A revocation is triggered when the revocation API is called by the source system (for example, a vaccination platform), on specific transactions (for example, the correction or update of a certificate).
As input parameters from the source system, the revoke API receives beneficiary ID/enrollment code and dose number(s) or the all doses flag.
The relevant certificate is fetched and DIVOC performs a “soft delete” of the certificate (also referred to as the “revocation” process).
The revoked certificate’s "certificate ID" is then moved to the certificate revocation list.
Certificate IDs of all revoked certificates are maintained in the CRL within the certificate registry. The revoked certificate IDs can be indexed in chronological order against the respective unique certificate ID, along with its revocation date and time.
The certificate revocation list will be regularly updated to support the verification flow by approved domestic and international verifiers.
If the certificate was revoked, the same information will be displayed to the third-party verifier application in real-time. On scanning, the verifier application will display the result as an “Invalid certificate.”
DIVOC’s certificate revocation list can be configured to support both offline and online verifications flows. For instance,
- On scanning a revoked certificate, a third-party verifier application can call the APIs (i.e. fetch APIs provided by DIVOC to the country’s issuing authority) to fetch the certificate revocation list to validate the “revoked” status of the digital certificate.
- The certificate revocation list can be downloaded by the third-party verifier application (in their local system) on a periodic basis.
The purpose of this document is to outline the features and workflow of DIVOC's “Update Certificate” service.
DIVOC provides an “update certificate” feature to help beneficiaries make changes in a certificate if any information was captured incorrectly during the beneficiary registration or vaccination process.
For this purpose, DIVOC provides an “Update Certificate API,” for a source system (e.g. a vaccination platform) to update the vaccination as well as beneficiary details in digital certificates issued by DIVOC.
There are multiple ways of using this service. The issuing authority can enable a self-service portal, or set up a call centre, or the source system can capture the update requests directly, which can then call the Update API to facilitate the updates/corrections to the specific certificates. The key requirement here is that the “Update Certificate API” is called by the source system(s) to update an issued certificate. Using this API, the source system can update a beneficiary’s latest as well as previously issued digital certificates.
As outlined earlier, DIVOC’s “Update Certificate” API is used by source systems to perform updates to already-issued certificates. You can refer to the update API specification link here.
An issued certificate’s QR code contains the two categories of information:
- Personal information, for example:
Beneficiary name
Gender
Date of Birth
- Event details, for example:
Vaccine type/prophylaxis
Vaccine name/brand
Manufacturer Vaccine batch
Vaccination date
Facility ID/name
Country of issuance
Issuer
Dose number
Total dose count
2. Any or all of the above fields can be corrected/updated by calling the Update Certificate API by a source system.
3. The Update Certificate API requires beneficiary ID/enrollment code and dose number as an input to fetch the right certificate that needs to be updated.
4. Once the certificate is fetched, the update API updates the information against the certificate ID as provided in the API payload input.
5. Once the certificate is updated, a new certificate is issued with a new certificate ID and updated information. The older certificate gets revoked by an automated revocation workflow using DIVOC’s “Revoke API.”
6. The revoked certificate is moved to the Certificate Revocation List (CRL). If the older revoked certificate is scanned by a verifier, the verification screen will show “certificate revoked.”
7. For update scenarios, DIVOC can also enable configuring a custom message for beneficiaries trying to verify the older corrected and revoked certificate as: “certificate revoked, please download the updated certificate from the portal.”
8. Updates/corrections can be made in the provisional and final certificate for any of the fields present in the QR code as per the issuing authority’s requirements and approved flow.
9. It is strongly recommended that an issuing authority should allow information correction/updates only after verifying the required proofs uploaded by the beneficiary.
When the “Certify API” is called by a vaccinating system, a unique QR code is generated for that specific event. This document specifies the data structure that can be used to generate a QR code-based digitally verifiable certificate for a registered health event.
The payload structure follows the JSON Web Token (JWT) digital signature and is defined in RFC 7519. The payload is transported in a DIVOC certificate. JWT includes the following:
Header
Payload
Signature algorithm
This contains the information about the certificate, which is based on the W3C verifiable credentials data model. The header also indicates the type of certificate being issued.
This is divided into several parts:
The first part contains the details of who is issuing the certificate along with the timestamp.
The second part contains the details of the beneficiary to whom the certificate has been issued.
The final part contains details on the event for which the certificate has been generated. The event part has details of the health event (such as vaccination) along with a timestamp, which includes information on the type of vaccine, dose details, and location of the vaccination.
DIVOC is capable of self-generating a public-private key pair. It also supports a signing configuration where the country has onboarded a CA (certificate authority) responsible for generating the keys. In the latter case, DIVOC will use the private key issued by the CA and sign the QR code.
The DIVOC certificate is flexible and multiple signing algorithms can be used.
Self-generated keys or the keys from a country’s PKI service provider can also be used. DIVOC currently uses two default signature algorithms:
1. PS256 - Using "crit" with "b64"
(https://w3c-ccg.github.io/security-vocab/#RsaSignature2018)
2. ES256
(https://w3c-ccg.github.io/security-vocab/#EcdsaSecp256k1Signature2019)
Click here to see the various versions of the algorithm.
The public key along with the method of signing will be provided to verifiers to authenticate certificates.
Based on the algorithm that is being used for certificate generation, the certificate can be verified by the verifier.
Click here to know more about what data set goes inside the QR code.
Conversion utility for generating EU-DCC compliant QR code
1. DIVOC’s EU-DCC adapter service: Technical details
2. EU’s technical specification for third-countries
DIVOC is an open-source platform that can be used to issue and verify certificates that are consistent with WHO’s minimum data set specifications. Digital certificates issued by DIVOC are based on the globally accepted W3C Verifiable Credential Data Model. Besides the native DIVOC COVID-19 certificate format, DIVOC has enabled an adapter that can convert a native W3C DIVOC issued certificate QR into an EU Digital COVID Certificate (DCC)-compliant QR code.
The EU has published technical and operational specifications for third countries to onboard the EU gateway and facilitate smooth travel for their citizens by enabling digital verification of citizens’ COVID-19 vaccine certificates issued by the home country.
The key design principles on which DIVOC has been built are 'interoperability' and 'coexistence.' The EU-DCC adapter has been developed to ensure interoperability and verifiability of the DIVOC’s natively issued certificates with EU verifier apps.
This utility was required to facilitate restriction-free travel for residents from DIVOC’s adopter countries by enabling conversion of a DIVOC-issued vaccine certificate to an EU-DCC QR code.
The utility is an on-demand service enabled by the DIVOC platform. The service can be triggered by using an “export as” function or calling an API for the EU adapter service. The service uses DIVOC’s “fetch service” to fetch an already issued, digitally signed DIVOC certificate post the holder authentication. Once the W3C JSON is fetched, the adapter takes inputs on holder details, vaccine event, and issuer information from the JSON and converts it into an EU-DCC QR code. The EU-DCC QR payload is then digitally signed using the ECDSA cryptographic signature algorithm. DIVOC facilitates the digital signing of the QR via a self-signing process, by using a DIVOC generated public-private key pair. Alternatively, it also supports signing the QR code using a public-private key pair issued by a country’s root certificate authority.
To generate a valid EU-DCC compliant COVID-19 certificate for travel into the EU member states, the authorised user (certificate holder) can first provide the enrollment code (of his/her COVID-19 certificate that was generated by the issuing authority) via the national system used by the country to download these certificates.
To ensure the privacy and security of the certificate holder, DIVOC authenticates the user via a “mobile OTP” or a “user-password” authentication method.
DIVOC’s certificate fetch service uses the enrollment code to fetch the correct certificate from the certificate registry.
DIVOC then uses the EU-DCC conversion utility to convert the original W3C JSON payload into an EU-DCC compliant payload.
The payload is structured and encoded as a CBOR with a COSE digital signature. This is commonly known as a “CBOR Web Token (CWT)” and is defined in RFC 8392. The payload is transported in a hcert claim.
This payload is encoded in a QR code and signed using the ECDSA signing method.
DIVOC also supports the generation of a PDF template, as defined by the adopter country. Hence, after a successful conversion process, an EU-DCC certificate document (encompassing both, the EU-DCC QR code as well as the PDF template) is generated.
The user can then download the EU-DCC certificate onto their mobile phone or export the same to an integrated digital wallet platform, authorised by the adopter country.
Click on the following URL to see the API details: https://egovernments.github.io/DIVOC/developer-docs/api/admin-api.html#../../main/interfaces/certificate-api.yaml
https://github.com/Path-Check/dcc-sdk.js SDK has been used to generate a CBOR/COSE-based verifiable QR credential from the EU certificate payload.
Click here to know more about the EU digital green certificate.
You can check the EU specifications for onboarding third-countries by clicking on the following link: https://ec.europa.eu/health/system/files/2021-07/covid-certificate_equivalence-decision_en_0.pdf.
Click here to see third country COVID-19 certificate equivalence decision checklist.
List of all EU specifications are given here.
To check the JSON specifications, click on the link mentioned below: https://ec.europa.eu/health/system/files/2021-06/covid-certificate_json_specification_en_0.pdf.
For QR code specifications, click on the following link: https://ec.europa.eu/health/system/files/2022-02/digital-covid-certificates_v3_en_0.pdf.
To know the value sets for EU Digital COVID Certificates, click here.
Guidelines on verifiable vaccination certificates - basic interoperability elements, can be accessed here.
The document will cover steps on how to add a new user.
Login to keycloak (demo URL: https://demo-divoc.egov.org.in/auth). Click on the administration console and enter the username and password. Next, click on the "sign in" button.
Go to the 'manage' section, and click on 'users.'
Click on "add user" to create a new user.
Enter your mobile number as the user name, and click on save.
Click on 'attributes' and add the required attribute (mobile_number) by clicking on the 'add' button. Next, click on 'save.'
Click on "role mappings" and select the type of role you want to add from the list of "client roles."
Select the role you want to add from the list of "available roles" and click on "add selected." Once you have completed this step, you will see the new user in the "assigned roles" section.
The document will cover steps on how to print certificates at a facility.
The facility/system administrator can print the certificates. The administrator can also create a user type (from the list of available roles) for a person who will print the certificates. Click to add a user type in DIVOC.
Once the user has been created, the person can log in to the portal using the following URL: . Enter the registered mobile number, and the OTP, and click on "login to portal."
Enter the phone number and the date of birth given during registration. Next, click on the search button.
You will see the name(s) displayed on the screen.
Click on 'print' to print the certificate. To save it on your desktop/laptop, click on 'save.'
Log out once you have printed the required certificate(s).
Conversion utility for issuing a Smart Health Card (SHC) compliant QR code
-
A Smart Health Card (SHC) is a globally popular HL7 FHIR (Fast Healthcare Interoperability Resources) and - based open standard for generating tamper-proof health credentials.
An SHC provides a framework that facilitates the generation, storing and verification of the SHC holder’s clinical information.
To enable people to access a digital record of their COVID-19 vaccine history, SHCs ascertaining an individual’s vaccination and test result status, have been rolled out in US-States (California, Colorado, Connecticut, Delaware, Hawaii, Illinois, New York, and 9 others), Canada, and Japan.
You can find the registry of verified Smart Health Card issuers for vaccinators and .
| Information an SHC can contain | Information an SHC cannot contain |
|---|
(Information courtesy )
Besides it’s native COVID-19 certificate schema, the DIVOC platform has also developed an adapter service to convert a native DIVOC W3C-JSON certificate into a Smart Health Card-compliant QR code.
This utility was required to facilitate restriction-free international travel for residents from DIVOC’s adopter countries by enabling conversion of a DIVOC issued vaccine certificate to an SHC-QR code.
The key design principles on which DIVOC has been built are “interoperability” and “coexistence.” The SHC adapter service has been developed to ensure interoperability and verifiability of the DIVOC’s natively issued certificates with the multiple verifier apps used in the SHC adopter countries.
DIVOC’s adapter issues a digital certificate, as per the SHC data model, and is presented as a signed-QR code. When a source system calls DIVOC’s SHC adapter API, the following steps are undertaken;
DIVOC first checks within the certificate registry (using the beneficiary enrolment code, passed from the source system) to see if a certificate is present for the given beneficiary.
It returns the generated QR code or the full-certificate PDF (including the signed-QR), based on type parameters.
The source system can then allow the download of the generated SHC-QR certificate onto a beneficiary’s mobile phone or allow the export to a beneficiary’s digital wallet platform.
You have likely seen a lot more QR codes over the last two years due to the pandemic. At many restaurants, for example, which are keen not to share physical menus, customers scan a QR code with their phone camera to open a website for the online menu.
Short for Quick Response, a QR code stores all kinds of information that can be scanned and accessed by a digital device such as your smartphone.
The machine-readable format can also be printed on a piece of paper.
While barcodes are one-dimensional, which means that information can be scanned only horizontally, QR codes are two-dimensional. Hence, information on a QR code can be read both horizontally and vertically, allowing it to store more data.
QR codes allow you to download applications, join WiFi networks without having to key in any password, scan coupons, and much more. They can be embedded on a company’s website to gather feedback, facilitate registrations, collect customer data, and order details. QR codes can be used on physical products as a way to provide more information.
QR codes are also used for document verification to check if a credential is genuine. This has gained popularity during the pandemic with some countries opting for QR code-based vaccination certificates to open up travel and business.
| Normal QR Code | Signed/Verifiable QR Code |
|---|
All content on this page by is licensed under a .
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
All content on this page by is licensed under a .
To understand how they work and where they can be used, click and .
If present within the certificate registry, it fetches the respective certificate and then converts the native DIVOC W3C certificate to a SHC-certificate () using a custom-built npm module.
This SHC-certificate payload is then signed and the resulting JWS is used to create a QR code (using the open-source library).
To know more on SHC specification, click .
You can check the SHC vaccination and testing implementation guide .
All content on this page by is licensed under a .
Legal name and date of birth | Phone number |
Clinical information | Address |
Tests: Date, manufacturer, and result | Government-issued identifier |
Vaccinations: type, date, and location | Any other health information |
A normal QR code contains information that can be read and understood by any QR code viewer. They typically carry a URL and a scan of such QR codes reroutes to a separate site. | A signed QR code encodes the verifiable data set or information within the QR itself, rather than on any website. |
In a normal QR code, information can be edited and altered, making the verification process untrustworthy and vulnerable to hacking. To address this issue, a signed or verifiable QR code is used, particularly in the case of sensitive information. Sensitive data could be your bank details, educational details, and medical information, among others. | The information is secure and cannot be altered or tampered with, nor can it be scanned and accessed by everyone. This is because the original data/information in the QR code is digitally signed. |
Example: In the case of COVID-19 vaccination certificates, for example, data identifying the vaccination event and the beneficiary is encoded within a QR code and then digitally signed, making it tamper-proof. Only a verifying authority with a secure key can validate this information accurately by matching it with the signing key of the QR code. |
This is a list of COVID-19 vaccines approved by the World Health Organisation (WHO) and used by DIVOC's adopter countries.
| Vaccine Name | Manufacturer Name (human readable) | Vaccine Code (ICD 11) (vaccine type/prophylaxis; normally in QR) | Vaccine Type/Prophylaxis (human readable description) |
|---|---|---|---|
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
This is a list of COVID-19 vaccines approved by the European Union (EU) and used by DIVOC's adopter countries.
| Vaccine Type/Prophylaxis (ICD 11) | EU Prophylaxis/Vaccine Type | Vaccine Name (varies for vaccinating system of countries) | EU Vaccine code (goes into the QR code) | Manufacturer Name (human readable) | Manufacturer Name (human readable) EU Manufacturer Code |
|---|---|---|---|---|---|
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
A vaccination certificate is a proof that a person has received the shot to protect them from an infectious disease such as COVID-19 or the flu. We have given below the type of information (mandatory and optional) that should be there in a QR code-based COVID-19 vaccination certificate, as specified by the World Health Organisation (WHO).
| Requirement status for proof of vaccination | DDCC label | DIVOC label | Description and definition | Data type/format | Examples |
|---|---|---|---|---|---|
All content on this page by eGov Foundation is licensed under a Creative Commons Attribution 4.0 International License.
Mandatory
Name
recipientName
The full name of the vaccinated person.
String
John Tom Brown
Mandatory
Date of birth
recipientDOB
The vaccinated person's date of birth (DOB) if known. If unknown, use the assigned DOB for administrative purposes.
Date
1998-01-05
Mandatory
Unique identifier (primary identifier of the beneficiary)
preEnrollmentCode
Unique identifier for the vaccinated person, according to the policies applicable in each country. There can be more than one unique identifier used to link records (example: national ID, health ID, immunisation information system ID, and medical record ID). All the certificate IDs will be linked to the beneficiary's preEnrollmentCode.
UUID
Optional
recipientIdentity
To be used only if there is a need to share/print an additional national ID. By default, it is set as 'null' in DIVOC's case. The above field covers this as well.
Alpha number
Driving license
Optional
Sex
recipientGender
Documentation of a specific instance of sex information for the vaccinated person.
Male/female/other
Optional
recipientMobileNumber
Numeric
18767778888
Mandatory
Vaccine type or prophylaxis
Need to incorporate in the payload.
Generic description of the vaccine or vaccine sub-type, such as COVID-19 mRNA vaccine, HPV vaccine.
Coding - ICD 11
Mandatory
Vaccine brand
vaccinationName
The brand or trade name used to refer to the vaccine received.
String
Pfizer
Optional
Vaccine manufacturer
vaccinationManufacturer
Name of the manufacturer of the vaccine received, such as Serum institute of India, or AstraZeneca. If the vaccine manufacturer is unknown, a market authorisation holder is needed.
String
ABC company
Optional
Vaccine market authorisation holder
Name of the market authorisation holder of the vaccine received. If the market authorisation holder is unknown, a vaccine manufacturer is required. This is needed only if the manufacturer is not listed in the WHO EUL (Emergency Use Listing Procedure) list.
String
Mandatory
Vaccine batch number
vaccinationBatch
Batch number or lot number of the vaccine.
String
4121Z104
Mandatory
Date of vaccination
vaccinationDate
Date on which the vaccine was administered.
Date
2021-11-30
Mandatory
Dose number
vaccinationDose
Vaccine dose number.
Quantity
1, 2
Mandatory
Total doses
vaccinationTotalDoses
Total expected doses as defined by a member state's care plan and immunisation programme policies.
Quantity
For Pfizer and BioNTech, the total expected doses are two.
Mandatory
Country of vaccination
facilityCountry
The country where a person was vaccinated.
Code
JAM = Jamaica
Optional
Administering centre
facilityName
The name or identifier of the vaccination facility responsible for administering the vaccination.
String
Falmouth Health Centre
Optional
Health worker identifier
vaccinatorName/ID
If the country does not have a national identifier, you can share the name of the vaccinator.
ID
National ID of the vaccinator
Optional
Disease or agent targeted
Available as a certificate header and not as a data element in the current certificate API payload.
Name of the disease vaccinated against (such as COVID-19). We recommend that you can have it as a data element within the payload.
Coding
Certificate header: COVID-19 Vaccination Certificate.
Optional
Due date of the next dose
Only implemented for India.
Date - YYYYMM/DD
Mandatory
Certificate issuer
Issuer (available in the output)
The authority or authorised organisation that issued the vaccination certificate.
String
Ministry of Health & Wellness, Jamaica
Mandatory
Health certificate identifier
Certificate ID (available in the output)
Unique identifier used to associate the vaccination status represented in a paper vaccination card.
ID
378855845
Optional
Certificate valid from
vaccinationEffectiveStart
Date on which the certificate became valid. No health or clinical inferences should be made from this date.
Date
2021-11-30
Optional
Certificate valid to
vaccinationEffectiveEnd
Last date on which the certificate is valid. No health or clinical inferences should be made from this date.
Date
2022-11-30
Optional
Certificate schema version
Only if schema versions are maintained.
Zycov-D
Cadila Healthcare
XM6AT1
COVID-19 vaccine, DNA-based
Covaxin
Bharat-Biotech
XM1NL1
COVID-19 vaccine, inactivated virus
Covishield
Serum Institute Of India
XM9QW8
COVID-19 vaccine, non-replicating viral vector
Sputnik V
Gamaleya-Research-Institute
XM9QW8
COVID-19 vaccine, non-replicating viral vector
Pfizer-BioNTech or Comirnaty
Biontech Manufacturing GmbH
XM0GQ8
COVID-19 vaccine, RNA-based
Janssen
Janssen-Cilag International
XM0CX4
COVID-19 vaccine, replicating viral vector
Moderna or Modema or Spikevax
Moderna Biotech Spain S.L.
XM0GQ8
COVID-19 vaccine, RNA-based
AstraZeneca or Vaxzevria
AstraZeneca AB
XM9QW8
COVID-19 vaccine, non-replicating viral vector
Sinovac or Coronavac
Sinovac-Biotech
XM1NL1
COVID-19 vaccine, inactivated virus
BBIBP- CorV or Sinopharm
China Sinopharm International Corp. - Beijing location
XM1NL1
COVID-19 vaccine, inactivated virus
Convidecia
CanSino Biologics
XM9QW8
COVID-19 vaccine, non-replicating viral vector
Corbevax
Biological E. Limited (BioE)
XM5JC5
COVID-19 vaccine, virus protein subunit
Novavax/Covovax NVX - CoV2373
Novavax
XM5JC5
COVID-19 vaccine, virus protein subunit
Gemcovac-19
Gennova Biopharmaceuticals Limited
XM0GQ8
COVID-19 Vaccine, Lyophilized mRNA vaccine
COVID-19 vaccine
J07BX03
Zycov-D vaccine
Not in the EU list
Cadila Healthcare
Not in the EU list
COVID-19 vaccine
J07BX03
Covaxin
Covaxin
Bharat-Biotech
Bharat-Biotech
COVID-19 vaccine
J07BX03
Covishield
Covishield
Serum Institute Of India
ORG-100001981
COVID-19 vaccine
J07BX03
Sputnik V
Sputnik V
Gamaleya-Research-Institute
Gamaleya-Research-Institute
COVID-19 vaccine
J07BX03
Pfizer-BioNTech or Comirnaty
EU/1/20/1528
Biontech Manufacturing GmbH
ORG-100030215
COVID-19 vaccine
J07BX03
Janssen
EU/1/20/1525
Janssen-Cilag International
ORG-100001417
COVID-19 vaccine
J07BX03
Moderna or Modema or Spikevax
EU/1/20/1507
Moderna Biotech Spain S.L.
ORG-100031184
COVID-19 vaccine
J07BX03
AstraZeneca or Vaxzevria
EU/1/21/1529
AstraZeneca AB
ORG-100001699
COVID-19 vaccine
J07BX03
Sinovac or Coronavac
CoronaVac
Sinovac-Biotech
Sinovac- Biontech
COVID-19 vaccine
J07BX03
BBIBP- CorV
BBIBP- CorV
China Sinopharm International Corp. - Beijing location
ORG-100020693
COVID-19 vaccine
J07BX03
Convidecia
Convidecia
CanSino Biologics
ORG-100013793
COVID-19 vaccine
J07BX03
Corbevax
Not in the EU list
Biological E. Limited (BioE)
Not in the EU list
COVID-19 vaccine
J07BX03
Novavax/Covovax NVX - CoV2373
NVX - CoV2373
Novavax
ORG-100032020
