The ADITUS G³ API enables ticketing providers to implement automated verification of digital COVID certificates in their online ticket store or during attendee registration. On-site, the API can be used for direct verification through a ticket reader. The API supports all EU-compliant 3G certificates (Vaccinated, Recovered, Tested), as used by EU member states plus Switzerland and Norway.
Participants can either upload their digital COVID certificate online during registration or scan it at the entrance control point at the venue. In both cases, the certificate is verified immediately.
For the validation of digital certificates, ADITUS offers a highly available interfacein the form of a RESTful API (HTTP 1.1), which can be used to integrate the validation of vaccination, recovery and test certificiates into online processes for participant registration and ticket sales, as well as into on-site admission control.
The API handles the validation of digital certificates for:
Online Verification
Attendee registration Ticket sales
On-Site Verification
Admission Control Access Control
Functionality
Supported COVID Certificate Types
Currently, the API is able to validate certificates that adhere to the EU standard, which is also supported by Switzerland and Norway. These certificates are referred to as Digital COVID Certificate (DCC) and can be provided via different media (including paper, PDF, app). The specification defines three certificate types:
- Vaccinated
- Recovered
- Tested
Verification of the Digital COVID Certificate
The verification of the digital COVID certificate covers the following elements:
Disease Code
Is this a COVID vaccination?
Name Matching
Do registration data and certificate data match?
- Step one: Matching of the complete first and last names based on the Levenshtein distance. Both the first and last names may have a maximum deviation of 10%. By default, the maximum permissible deviation is limited to three characters each; other values can be configured.
- Stage two: If the first comparison does not produce a positive result, the second stage may accept the omission of name components (e.g. middle name).
To do this, the first name and surname are split into their constituent parts. The shorter (= with fewer individual components) first name or surname must be contained completely (taking into account the Levenshtein distance) within the longer one.
Analogous to the first check, the deviation between the matching components of the first and last names must lie within the maximum Levenshtein distance.
The second check can be disabled.
Certificate Validity
Does the certificate contain a valid signature?
- check against the signature keys provided by the RKI gateway
- local caching of the signature keys for traffic reduction
What data is returned by the validation of the digital COVID certificate?
- status of the certificate’s validity
- beginning and end of the certificate’s validity
The following data is deliberately not returned because it is not relevant for the certificate check in the sense of data economy according to German data protection laws:
- certificate type (vaccinated/tested/recovered)
- vaccine type or other details about the vaccination
- place of vaccination
Calculation of the Validity Period
The determination of the validity period for a permit depends on the type of COVID certificate being reviewed.
Vaccination Certificates
Certificates of complete COVID vaccination will be assessed as valid for 18 months, 15 days after the last vaccination. Certificates outside this period are considered invalid. (Vaccination Certificate = certificate of complete vaccination or certificate of recovery + vaccination)
Certificates of Recovery
Digital certificates of recovery already contain information about the start and end of the certificate’s validity. This information is taken over 1:1 for the approval. (Recovery certificate = proof recovery without subsequent vaccination)
Test Certificates
The validity period of a digital test certificate with a negative result depends on the type of test. Rapid tests are valid for one day from the time of testing, PCR tests for two days.
Technical Specification
A highly available interface in the form of a RESTful API (HTTP 1.1) is provided for validation of the certificates listed above.
The API accepts the following attributes via a POST request:
- First Name (optional)
- Last name (optional)
- Content (payload) of the QR code or certificate
In the response, the caller receives the result, including the validity period of the certificate:
- certificate is valid (yes/no)
- If certificate is valid:
- valid from (date + time)
- valid until (date + time)
If the validation routines find a certificate to be not valid, the following reasons are returned:
- The certificate is not a COVID certificate.
- The first name and/or last name does not match with the certificate.
- The certificate has expired.
- The certificate signature could not be verified.
- The vaccination has not been completed.
- The test result is positive.
References
The ADITUS G³ Fast Lane has already been successfully used at major events such as IAA Mobility in Munich, Fachpack in Nuremberg, AMERICANA in Augsburg, HanseLife in Bremen as well as in the context of various B²B events with >10,000 participants and is being continuously optimized.
In all these events (B²B as well as B²C), the G³ Fast Lane was certified as offering excellent usability.
ADITUS Components are “White Label”
The modular structure of the ADITUS solution allows the use of additional ADITUS components as “white label” solutions.
For example, the ADITUS portfolio includes the “Speedy” access terminal, which, in combination with a turnstile or a column, enables live badge printing at the entrance. “Speedy” terminals are available for rent on an event-by-event basis and for purchase. In principle, the Speedy access terminal can be integrated into any type of ticket logic.
Notes
PCR and Antigen Test Results
Test results can only be processed in the form of an EU Digital COVID Certificate (DCC). Other digital test certificates, e.g. e-mail notifications with QR codes and/or test result URLs from test operators, can currently not be processed automatically.
The same limitation applies to QR codes from rapid test operators processed by the German Corona-Warn-App (CWA). These are only usable for the alert feature of the CWA in a contact tracing context (CWA v1).
The API supports all EU Digital COVID Certificates (DCC) displayed by the Corona-Warn-App under the “Certificates” menu item.
Service Levels and Assurance of Functionality
This product relies on numerous third-party systems. Both these systems and the regulatory requirements are currently still subject to weekly changes, enhancements and updates. We try to implement and keep up with all of these changes in a timely manner and inform our customers of any adjustments. However, please note that due to this high volatility, the complex structure and dependencies on other partners, we can neither guarantee a service level nor promise a binding feature set.