Skip to main content

GET /v1/ocsp/:jti

Returns the revocation status of a passport, identified by its jti. The response is signed with the company’s Ed25519 key, so verifiers can confirm the response is authentic. Requires authentication. Responses are cached for 5 minutes (Cache-Control: public, max-age=300). Use this endpoint in verifiers that cannot hold the full revocation list but need stronger guarantees than offline-only verification.

Path parameters

Response 200 — valid passport

Response 200 — revoked passport

Verifying the OCSP response signature

The signature covers the response data object (excluding caPublicKey and signature themselves). To verify:
  1. Remove caPublicKey and signature from the response object.
  2. Canonicalize the remaining object (sort keys recursively, then JSON-stringify).
  3. Compute SHA-256 of the canonical string.
  4. Verify the Ed25519 signature over that hash using the caPublicKey.

Example

Valid passport:
Revoked passport: