GET /v1/ocsp/:jti
Returns the revocation status of a passport, identified by its jti. The response is signed with the company’s Ed25519 key, so verifiers can confirm the response is authentic. Requires authentication.
Responses are cached for 5 minutes (Cache-Control: public, max-age=300). Use this endpoint in verifiers that cannot hold the full revocation list but need stronger guarantees than offline-only verification.
Path parameters
Response 200 — valid passport
Response 200 — revoked passport
Verifying the OCSP response signature
Thesignature covers the response data object (excluding caPublicKey and signature themselves). To verify:
- Remove
caPublicKeyandsignaturefrom the response object. - Canonicalize the remaining object (sort keys recursively, then JSON-stringify).
- Compute SHA-256 of the canonical string.
- Verify the Ed25519 signature over that hash using the
caPublicKey.