Built to the standards
handling site data deserves.

Every wallet install generates an ES256 keypair on first run, registered against the holder's Cognito identity with a server-validated proof-of-possession. Issued credentials are cryptographically bound to that key via the cnf claim (RFC 7800). Biometric unlock gates the wallet; the private key never leaves the Secure Enclave / StrongBox. The holder's photo SHA-256 is bound into the signed credential, so an issuer cannot silently swap it later.

Credentials are signed inside AWS KMS — the issuer's private key never leaves the HSM. Output is a W3C Verifiable Credential as JWS-VC (ES256), with iss, sub, jti, iat, exp and the issuer-defined credentialSubject. Every KMS signing call is itself logged in KMS for non-repudiation.

For high-tier credentials, the holder signs a fresh server-issued nonce with their device key at present-time — a static screenshot of a QR code cannot replay. The credential surfaces as an Apple Wallet pass with PassKit signing layered on top of the UberVisor JWS. BLE proximity binding for the highest-tier credentials is on the Phase 3 roadmap.

Verifiers validate the JWS signature offline against a 24-hour issuer-key cache. A post-signature live-status check then asks the issuer whether the credential has been suspended or revoked since signing — closing the gap where a wallet pass added while ACTIVE later turns out to have been pulled. The public verifier URL printed on the card is status-only for anonymous scans — no holder photo, no name. The same URL Universal-Links into the wallet for authorised verifiers, who see full identity only after Cognito re-auth.

Every state transition — issue, suspend, restore, revoke, view — writes an immutable row keyed by actor, target, issuer, action, reason, reasonSource (preset list vs operator-typed), timestamp. Seven-year retention. Holders see their own activity in the wallet's in-app inbox; issuers see every event their organisation touched. Push notifications (APNs / FCM) on every state change — holders find out in seconds, not on next sign-in.

Credential data, audit events and holder photos stay in eu-west-2 only — no US transfers. Lawful-basis tracking per processing purpose; consent records versioned per notice text (Art. 7). Right to access (Art. 15) returns a signed JSON export. Right to erasure (Art. 17) clears non-audit data; audit rows survive under legitimate interest in credential integrity. Holder photos are S3 lifecycle-tagged for deletion when the credential reaches a terminal state.

TLS 1.3 everywhere with HSTS (2-year max-age, includeSubDomains). CSP, X-Frame-Options DENY and Referrer-Policy: no-referrer on the public verifier surface. No third-party trackers on the wallet or verifier surfaces. AppSync GraphQL is gated by Cognito JWT bearer — every authenticated query checks the caller's tenant and role server-side.

Every credential, template and BLE session-event envelope carries schemaVersion: 1. Future clients can introduce new fields without breaking older wallets — older clients log-and-ignore shapes they do not understand. Algorithm and key-id sit in the JWS header, so rotating from ES256 to a post-quantum algorithm later is a key-rotation plus an algorithm flag — no client rewrite.