Website: https://vax.codes/
This website allows event organizers and businesses to instantly verify that someone has received a Covid-19 test or vaccination by scanning a QR code issued by a locally trusted organization.
The goal of this project is to make it easy for event organizers and businesses to safely hold events by incorporating testing and vaccination verification into their admittance procedures.
-
An "issuer" creates a QR code for a tested or vaccinated person (can be emailed, printed, or texted)
-
The person shows that QR code to the event organizer or business.
-
The event organizer or business scans the code, using any QR scanner app or https://vax.codes/scan
-
Scanning the QR code will open a URL with the person's name and verification they have received a Covid-19 test or vaccine.
-
The event organizer makes sure the "issuer" is someone they trust and checks name on the verification against the person's ID.
Read more: https://vax.codes/how-it-works
See our github issues for the specific things we're working on.
- QR code scanner
- QR code issuing (in browser)
- Issuer admin
- Issuer explorer/searching
- Group admin
- Group explorer/searching
- Informational pages (how-it-works, about-us, etc.)
- Security overview page
- Multi-language support
- API docs
- Embedding scanner feature
- Embedding docs
- Local QR code issuing docs
- Self-hosting docs
- Other extra features (scanning uploaded pdfs, etc.)
The QR code only verifies someone with that name as having received a Covid-19 test or vaccine, so QR codes can be interchangeable between people with the same name.
The issuer may optionally include other information (such as birth date) when issuing the QR code, to increase uniqueness, but that is up to the issuer.
This limitation was deemed acceptable to ensure the protection of other confidential medical information.
Vax.Codes does not have a record of people who have received a Covid-19 test or vaccine.
Our website simply keeps a list of registered issuers and groups and verifies a QR code was issued by one of those organizations.
Names are stored directly in the QR codes themselves, and QR codes are generated by issuers and given to test/vaccine recipients directly. So we never see them.
Also, the verification process happens entirely "client-side" (i.e. in your browser after you've loaded the URL), so our servers never see QR codes, even during verification.
Finally, this project is entirely open source, so security professionals can confirm that our website does exactly what is described and never gets any QR codes or personal information.
In the QR code, names are cryptographically signed by the "issuer". So modifying the QR code to change the name will not work.
QR codes are "signed" by issuers that can confirm that a person has received a Covid-19 test or vaccine. Each organization has one or more "signing keys" that they can use to issue new QR codes.
Anyone can register to become an issuer, so event organizers and businesses that scan QR codes should have a list issuers they personally know and trust and not accept QR codes issued from anyone else.
Read more: https://vax.codes/docs/security
This project was created by volunteers at Open Austin, a brigade of Code for America. The website code and project documentation are all free and open source.
The contact information for registered issuers and groups are the property of the organizations themselves, so you must obtain written consent from issuers and group owners themselves to include them in a re-hosted version of our website.
This project follows Open Austin's Code of Conduct.
Original project idea issue: Project Idea #159