Signing a credential you can hand to a stranger
A confirmation code is going to be screenshotted, forwarded, and read aloud over the phone. You cannot keep it secret. What you can do is make it impossible to forge and trivial to verify.
Security Practice
When a traveler finishes a declaration, they walk away with a short confirmation: a code, sometimes a QR, sometimes a pass in a phone wallet. That artifact will be handled by people and systems you do not control. It will be photographed, texted to a relative, printed, and shown to an officer who has eight seconds to decide if it is real. Designing it well means accepting that you cannot keep it private, and shifting the entire problem from secrecy to authenticity.
A visual that can be copied will be copied. A counterfeiter can reproduce a logo, a color, a layout, down to the pixel. So the question is never how to make the credential hard to look at. It is how to make a fake one fail the moment someone checks.
Sign it, do not encrypt it
The credential is not a secret, so we do not try to hide its contents. We sign them. The server holds a private key and stamps each confirmation with a digital signature over the specific facts that matter. Anyone can read the credential; only the holder of the private key could have produced a signature that verifies. A forger can copy the visible parts all day and still cannot produce the one part that counts.
- The signature binds the specific record. It covers the code and the details, so a signature lifted from one credential cannot be pasted onto another.
- It carries an expiry. The signed message includes a time bound, and the verifier rejects anything past it using its own clock, so a captured credential cannot be replayed indefinitely. Keep the window as short as the journey allows; a signed credential cannot be recalled once it is in the wild.
- Verification is offline-capable and instant. An officer's device checks the signature against the public key and gets a yes or no, with no lookup of the traveler's private data required to prove the credential is genuine. The caveat: an offline check cannot see a revocation, so if a declaration can be cancelled before its expiry, that is a question for the online lookup that follows, not for the signature.
- The private key never leaves the server. In production it lives in a hardware security module, so even a full application compromise does not hand an attacker the key itself. It can still hand them a signing oracle for as long as they hold the box, which is why signing requests are rate-limited and logged, and why the log is read.
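The scheme the list describes, as an added, self-contained example that is not code from the page or from any real declaration system: an Ed25519 signature over a length-prefixed encoding of the code, an opaque record handle and an expiry, with a domain-separation prefix so the signing key cannot be turned against some other message format. The field names, the context string and the sample values are constructed for the example. The server runs `Issue` with the private key; the booth runs `Verify` with only the public key and its own clock.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Credential holds the public facts the signature covers. RecordID is an
// assumed opaque handle the booth uses to fetch the traveler's record on the
// server afterwards; no personal data is embedded in the token.
type Credential struct {
	Code     string
	RecordID string
	Expiry   time.Time
}

// Domain-separation prefix (an assumed name). A signature made over this
// format cannot be replayed as a signature over some other message type
// that happens to be signed with the same key.
const signingContext = "example-declaration-confirmation/v1"

var (
	ErrMalformed = errors.New("credential: malformed token")
	ErrSignature = errors.New("credential: signature does not verify")
	ErrExpired   = errors.New("credential: expired")
)

// encodeFields serialises the signed facts with explicit length prefixes, so
// bytes cannot be shifted from one field into another under the same signature.
func encodeFields(c Credential) ([]byte, error) {
	var b []byte
	for _, f := range []string{c.Code, c.RecordID} {
		if len(f) == 0 || len(f) > 255 {
			return nil, ErrMalformed
		}
		b = append(b, byte(len(f)))
		b = append(b, f...)
	}
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], uint64(c.Expiry.Unix()))
	return append(b, exp[:]...), nil
}

// decodeFields is the strict inverse: every length is bounds-checked and
// trailing bytes are rejected rather than ignored.
func decodeFields(b []byte) (Credential, error) {
	var c Credential
	next := func() (string, bool) {
		if len(b) < 1 {
			return "", false
		}
		n := int(b[0])
		if n == 0 || len(b) < 1+n {
			return "", false
		}
		s := string(b[1 : 1+n])
		b = b[1+n:]
		return s, true
	}
	var ok bool
	if c.Code, ok = next(); !ok {
		return c, ErrMalformed
	}
	if c.RecordID, ok = next(); !ok {
		return c, ErrMalformed
	}
	if len(b) != 8 {
		return c, ErrMalformed
	}
	c.Expiry = time.Unix(int64(binary.BigEndian.Uint64(b)), 0).UTC()
	return c, nil
}

// Issue runs on the server, the only holder of priv. The token is
// base64url(fields) "." base64url(signature); both halves are public.
func Issue(priv ed25519.PrivateKey, c Credential) (string, error) {
	fields, err := encodeFields(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, append([]byte(signingContext), fields...))
	enc := base64.RawURLEncoding
	return enc.EncodeToString(fields) + "." + enc.EncodeToString(sig), nil
}

// Verify runs on the officer's device with the public key and its own clock.
// It needs no network and learns nothing beyond the signed facts.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (Credential, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return Credential{}, ErrMalformed
	}
	enc := base64.RawURLEncoding
	fields, err := enc.DecodeString(parts[0])
	if err != nil {
		return Credential{}, ErrMalformed
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil || len(sig) != ed25519.SignatureSize {
		return Credential{}, ErrMalformed
	}
	// Signature first: no unsigned byte gets to influence a decision.
	if !ed25519.Verify(pub, append([]byte(signingContext), fields...), sig) {
		return Credential{}, ErrSignature
	}
	c, err := decodeFields(fields)
	if err != nil {
		return Credential{}, err
	}
	if !now.Before(c.Expiry) {
		return c, ErrExpired
	}
	return c, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 6, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	genuine := Credential{Code: "K7Q-3ZT", RecordID: "decl-0042", Expiry: now.Add(24 * time.Hour)}
	token, _ := Issue(priv, genuine)
	_, err = Verify(pub, token, now)
	fmt.Println("genuine copy:", err) // every copy of a real one verifies

	// A forger lifts the real signature and pastes it onto a different code.
	forged, _ := encodeFields(Credential{Code: "K7Q-3ZX", RecordID: "decl-0042", Expiry: genuine.Expiry})
	lifted := base64.RawURLEncoding.EncodeToString(forged) + "." + strings.SplitN(token, ".", 2)[1]
	_, err = Verify(pub, lifted, now)
	fmt.Println("lifted signature:", err)

	_, err = Verify(pub, token, now.Add(48*time.Hour))
	fmt.Println("replayed after expiry:", err)
}
```

Two design choices are worth noting. The signature is checked before the payload is parsed, so a malformed or hostile payload never reaches the parser unless the server signed it. And the encoding is fixed and length-prefixed rather than a free-form format such as JSON, so there is exactly one byte string for a given set of facts and nothing for a forger to re-serialise.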
What the officer actually sees
At the booth, the officer scans the code or the QR and the screen says one of two things: verified as authentic, or not. The authentic path then pulls the record over an authenticated, audited channel, never from the credential itself. The credential's only job is to prove its own origin. The traveler's data is fetched separately, on the server, behind the officer's own login. The thing the traveler carries in the open and the thing the officer reads in private are deliberately not the same thing.
Stop trying to keep the credential secret. Make it so that a forged one announces itself the instant anyone checks.
This inversion is the whole design. Secrecy is brittle: it fails the first time the artifact is shared, which is immediately. Authenticity is durable: it holds no matter how many copies exist, because every copy of a genuine credential verifies and every forgery does not. You can hand it to a stranger precisely because there was never anything to hide.