A HTML+JS app for scanning an Open Permit from a QR code and verifying that the scanned data is legitimate.
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Open Permits Item Prover

Copyright © 2018, Simon Worthington, Register Dynamics Limited.


This repository contains a HTML+JS app for scanning an Open Permit from a QR code and verifying that the scanned data is legitimate.

Registers are a way of expressing an authoritative list that you can trust. Registers are structured so that certain items can be given out whilst keeping the rest of the list private.

An Open Permit is an item from a Register packaged with all the information necessary to prove the item is genuine. This allows the item to be given out and used to prove things without needing to go back to the source to check that the information is correct. An example usage of this might be allowing machine-readable data included with a physical permit or license to be checked quickly with a smartphone, without any susceptibility to fraud.

Another example, demonstrated in this repository, is as a safety measure on an official's or tradeperson's identity card – when someone comes to the door, their card can be scanned to show that they are a current and legitimate agent of their employer. In neither case does anyone but the issuing authority need access to the full list, so it can be kept private.

See Simon's blog post for more information about Registers in the context of Open Permits, including how the technology and cryptography works.

Items from a demo register of "broadband engineers" have been extracted with metadata and an audit path allowing the root hash of the Register to be reconstructed. The extracts (in JSON form) have been encoded into QR codes in the examples/ directory.

When the app reads a QR code, it parses the JSON, hashes the item data, and uses the audit path to reconstruct the root hash of the Register. It then compares this against the known root hash and dispalys a verification result.

Note that the app doesn't need the full list of "broadband engineers" to check against – this list is not even in this repository.


To use the demonstration examples,

  1. Serve this folder with your webserver of choice and navigate to /index.html.
  2. Give permission for the app to use your camera and then show one of the QR codes from examples/. Note that the examples suffixed with FAKE are illegitimate and should not pass verification.
  3. When it scans successfully, the item will be displayed and verification status shown.

If you want to scan items from your own register, write the root hash into the rootHashes structure in index.html and encode the items you want to scan as free-text QR codes.

Note: Should you have any trouble in setting up and using this app, please feel free to contact Simon Worthington who is happy to receive even the slightest problems or most stupid questions.


The app loads sjcl, system-font-css and linearicons by Perxis from CDN locations. If used in an offline use-case these can be pre-downloaded. The app uses a pre-compiled version of jsqrcode generated by concatenating the individual script files in the correct order. Please consult the individual repositories for the licenses they use.


  1. QR codes are currently quite (physically) large; use a more compact item representation than JSON.
  2. Start using permanent browser storage to store history.
  3. Start using Service Workers to allow offline access.
  4. Provide a mechanism for root hashes to be downloaded and remembered.
  5. Support for iOS devices.
  6. I believe the scanner could be better at recognition – investigate this (e.g. convert ZXing to WebASM?).


Suggestions, extensions and patches are welcome via e-mail or Github.