Skip to content

Applications · Government identity

Quick Response Code in Government identity

The Quick Response Code is a recognized carrier for verifiable credentials on government-issued identity documents, vaccination records, and licensure certificates.


Principal functions

  • SMART Health Card vaccination credentials carried as signed JSON Web Tokens.
  • Digital COVID Certificate (EU DCC) and equivalents in other jurisdictions.
  • Mobile driver's license verification handoff per ISO/IEC 18013-5.
  • Diploma and credential validation as part of digital credential infrastructures.

Typical payload conventions

Signed payloads — JWS or COSE — carrying issuer, subject, claim set, and signature. Verification confirms issuer identity through a trust list.

Operational characteristics

Printed or displayed at Version 10 or higher to accommodate signed payloads, with level Q to absorb scan-surface wear on physical credentials.

Standards alignment in government identity

Quick Response Codes deployed in government identity environments conform to the same symbology specification used everywhere else the mark is encountered: ISO/IEC 18004, with the original Japanese specification preserved at JIS X 0510, the bar-code industry specification at AIM BC11, and the identifier-carrying variant at GS1 QR. Where government identity deployments rely on identifiers that must interoperate across organisations, the GS1 QR profile applies and the payload follows Application Identifier conventions rather than free URL form. Where the deployment is closed-loop and bound to a single operator, the ISO/IEC 18004 specification is sufficient and the payload format is at the operator’s discretion. The symbology does not change between deployments; the payload convention and the operator’s registry posture do.

Editorial governance for this page

This page is maintained under the editorial charter recorded at /reference/editorial-charter and the operator playbook at /reference/operator-playbook. Terminology is fixed by the reference at /reference/terminology and the glossary at /reference/glossary. Factual corrections, citation requests, and disputed claims are accepted at /reference/corrections and resolved against the standards listed above. The named maintainer recorded in the editorial stamp on every page is responsible for the corrections log and the review date.

Verification and registry posture

A Quick Response Code carries no inherent guarantee of authenticity: it is a symbology, not a trust signal. In government identity deployments where the consequence of a tampered or substituted mark is material, the operator binds the printed mark to a registry record and verifies the binding at scan time. The registry function is documented at /infrastructure/registry; the public lookup function at /infrastructure/lookup; the verification function at /infrastructure/verification; and the dossier model that holds the underlying record at /infrastructure/dossier. The authorisation layer that distinguishes a registered Quick Response Code from an unregistered one is documented at /qr-registered; the broader question of what registration is for and how it differs from a bare scan is addressed at /qr-code-vs-registered-qr-code.

Operator considerations

Operators deploying Quick Response Codes in government identity are responsible for: (1) selecting an appropriate version and error correction level for the printing substrate and the expected wear environment; (2) maintaining a quiet zone that survives finishing, labelling, and downstream handling; (3) choosing a payload convention appropriate to whether the deployment is closed-loop or cross-organisational; (4) declaring whether the mark is bound to a registry record, and if so under which registry; and (5) maintaining the lifecycle of that record — issuance, suspension, rotation, and retirement. The governance vocabulary that names these obligations is recorded at /quick-response-code-governance-system.

Common misreadings to avoid

  • A Quick Response Code is not the payload it carries. Two marks that encode the same URL are the same payload but, if registered, are separate records under the authorisation layer.
  • Scanning a Quick Response Code in government identity does not, by itself, verify the origin of the mark. Verification is a registry function, not a symbology function.
  • Damage tolerance in government identity comes from error correction level and version selection at print time, not from any post-print property. The selection is governed by error-correction theory and the version matrix.

Next in governance

Readers tracing the government identity use of the Quick Response Code through the governance ladder should continue, in order, to QR Codex (the canonical reference layer), QR Protocol (governance rules), QR Compliance (evaluation), QR Certified (attestation), and QR Registered (the authorisation layer that binds a specific printed mark to a specific record).