Skip to content
This repository has been archived by the owner on Jul 12, 2023. It is now read-only.

Verification component for COVID-19 Exposure Notifications.

License

Notifications You must be signed in to change notification settings

google/exposure-notifications-verification-server

Folders and files

NameName
Last commit message
Last commit date

Latest commit

c033566 · Jan 18, 2022
Dec 14, 2021
Jan 15, 2022
Jan 13, 2022
Jan 13, 2022
Jan 15, 2022
Jan 4, 2022
Jan 15, 2022
Sep 1, 2021
Jan 13, 2022
Nov 11, 2021
Aug 4, 2020
Feb 12, 2021
Aug 18, 2021
Jul 23, 2021
Mar 1, 2021
May 26, 2020
May 26, 2020
May 23, 2020
Oct 30, 2021
Jan 25, 2021
Aug 5, 2020
Jan 18, 2022
Jan 18, 2022

Repository files navigation

Exposure Notifications Verification Server

This is a reference implementation for an Exposure Notifications verification server, part of the broader Google Exposure Notifications system.

About the Server

This server follows the high level flow for a verification system:

  1. Authenticates and authorizes humans using Identity Platform.

  2. Provides a web interface for epidemiologists (epi) to enter test parameters (e.g. status + test date) to issue a verification code.

    • Short verification codes are typically 6-10 numeric digits and can be read over the phone to a patient. They expire quickly, usually in less than one hour.

    • Longer verification codes can be sent directly to the patient via SMS. These codes generally last longer, like 24 hours.

  3. Provides a JSON-over-HTTP API for exchanging the verification code for a verification token. This API is called by the patient's device.

    • Verification tokens are signed JWTs with a configurable validity period.
  4. Provides a JSON-over-HTTP API for exchanging the verification token for a verification certificate. This API call also requires an HMAC of the Temporary Exposure Key (TEK) data+metatata. This HMAC value is signed by the verification server to be later accepted by an exposure notifications server. This same TEK data used to generate the HMAC here, must be passed to the exposure notifications server, otherwise the request will be rejected.

    • Please see the documentation for the HMAC Calculation

    • The Verification Certificate is also a JWT

More resources