Immunity Passport — Part 2: Specification

The anatomy of an ICVP

The International Certificate of Vaccination or Prophylaxis (ICVP) is an official document issued by the World Health Organization that serves as proof of immunization against certain diseases. It’s typically used as proof of immunization against yellow fever, which is mandatory in many countries. Occasionally it’s used for other diseases, such as polio. It’s the ideal starting point for designing a digital immunity passport.


A digital immunity passport needs a way to identify its subject. Without it, we wouldn’t know which person is certified to be immune to a disease. People would trade them, and they would lose their purpose.

A Passport, a standard ICAO Doc 9303 TD3 document.
An ICAO Doc 9303 TD3 Machine-Readable Zone.
A national ID card, a standard ICAO Doc 9303 TD1 document.
JSON representation of an ICAO Doc 9303 TD3 MRZ


A digital immunity passport needs to indicate the details of a person’s immunization status. Since we don’t yet have a vaccine, and we don’t know if and when we’ll have one, it needs to be flexible enough to account for alternative ways to assess immunity, such as positive antibody test results. The details of an intervention or test — such as the method, manufacturer, or lot number — should also be present to increase certainty. As we learn more about the disease, we might adjust what tests, methods, manufacturers, or even lot numbers we recognize as indicative of immunity.

JSON representation of an FHIR Immunization resource
SARS-CoV-2 IgG/IgM rapid immunoassay antibody test (via Time)
JSON representation of an FHIR Observation resource


A digital immunity passport needs credibility. Anyone can copy the JSON above and edit it to make it look like they’re immune to COVID-19. With paper documents, we use signatures and official stamps to make documents more difficult to fake and give them some credibility. What’s the digital equivalent? Digital signatures.

JSON Web Token with an HMAC-SHA256 digital signature (in blue)
W3C’s Verifiable Credentials roles and information flow (via Verifiable Credentials)
JSON representation of a Verifiable Credential



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store