Verify Pass
Submit a digital pass for server-side verification. The server verifies the pass, checks the challenge conditions, and records an immutable transaction.
Note: The server always records a transaction regardless of result. Invalid or expired passes return "fail".
POST /api/v1/verifications/pass
Submit pass data read from NFC or QR. The server verifies signature, expiry, and age threshold, then records a transaction. Both pass and fail outcomes return HTTP 200; HTTP error codes indicate request-level failures only.
Headers
| Name | Type | Required | Description |
|---|---|---|---|
| Authorization | string | Required | DPoP <access_token> (device) or Bearer <access_token> (service client) — requires transactions:write scope |
| DPoP | string | Optional | Required for device callers using DPoP tokens; omit for Bearer service-client calls |
| Content-Type | string | Required | application/json |
Request Body
| Name | Type | Required | Description |
|---|---|---|---|
| passData | string | Required | Base64-encoded 64-byte pass (legacy 64-char Latin-1 value also accepted) |
| requiredAge | number | Required | Minimum age threshold to verify (for example, 18) |
| posReference | string | Optional | Your own reference for this transaction (e.g. receipt or basket ID, max 20 characters). Returned on the transaction record for reconciliation |
| deviceId | string | Optional | Service-client callers only: attribute the transaction to an api-origin device (created via POST /api/v1/devices). Ignored for device (DPoP) callers — their own device is always used. Returns 404 if the device does not exist, 400 if it is not an active api-origin device |
Examples
cURL
```bash
curl -X POST https://abyrgverslun.is/api/v1/verifications/pass \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "passData": "<base64-or-latin1-pass>",
    "requiredAge": 18
  }'
```
JavaScript
```javascript
const response = await fetch('https://abyrgverslun.is/api/v1/verifications/pass', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer YOUR_ACCESS_TOKEN',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    passData: '<base64-or-latin1-pass>',
    requiredAge: 18,
  }),
});
const data = await response.json();
// data.result === 'pass' | 'fail'
// data.transactionId === 'j57b2mNkR4e9...'
```
Response
Verification passed:
```json
{
  "result": "pass",
  "transactionId": "j57b2mNkR4e9..."
}
```
Verification failed (invalid or expired pass, age check failed):
```json
{
  "result": "fail",
  "transactionId": "j57b2mNkR4e9..."
}
```
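Because a failed verification also returns HTTP 200, a client must decide on the `result` field and treat everything else as a denial. The following is an added example, not code from this API's documentation or vendor: it assumes Node.js 18+ (global `fetch`, `Buffer`) and a service-client Bearer token, and the helper names (`buildVerifyBody`, `decide`, `verifyPass`) and the `reason` strings are hypothetical.

```javascript
// Added example; helper names are hypothetical, not part of the API.
const ENDPOINT = 'https://abyrgverslun.is/api/v1/verifications/pass';
const PASS_LENGTH = 64;        // pass size in bytes (passData description)
const MAX_POS_REFERENCE = 20;  // posReference limit (request body table)

// Build the JSON body from the raw pass bytes read over NFC or QR.
function buildVerifyBody(passBytes, requiredAge, posReference) {
  if (!(passBytes instanceof Uint8Array) || passBytes.length !== PASS_LENGTH) {
    throw new RangeError(`pass must be exactly ${PASS_LENGTH} bytes`);
  }
  // Assumption: ages are whole years; the page only says "number".
  if (!Number.isInteger(requiredAge) || requiredAge < 0) {
    throw new RangeError('requiredAge must be a non-negative integer');
  }
  const body = { passData: Buffer.from(passBytes).toString('base64'), requiredAge };
  if (posReference !== undefined) {
    if (typeof posReference !== 'string' || posReference.length > MAX_POS_REFERENCE) {
      throw new RangeError(`posReference must be a string of at most ${MAX_POS_REFERENCE} characters`);
    }
    body.posReference = posReference;
  }
  return body;
}

// Only an explicit "pass" allows the sale. Checking response.ok alone is
// not enough, because a failed verification also arrives as HTTP 200.
function decide(status, data) {
  if (status !== 200) return { allow: false, reason: 'request-error', transactionId: null };
  const id = data && typeof data.transactionId === 'string' ? data.transactionId : null;
  if (!id || (data.result !== 'pass' && data.result !== 'fail')) {
    return { allow: false, reason: 'malformed-response', transactionId: id };
  }
  return { allow: data.result === 'pass', reason: data.result, transactionId: id };
}

// Service-client (Bearer) call; network or JSON errors fail closed.
async function verifyPass(accessToken, passBytes, requiredAge, posReference, fetchImpl = fetch) {
  const body = buildVerifyBody(passBytes, requiredAge, posReference);
  try {
    const response = await fetchImpl(ENDPOINT, {
      method: 'POST',
      headers: { Authorization: `Bearer ${accessToken}`, 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    });
    return decide(response.status, await response.json().catch(() => null));
  } catch {
    return { allow: false, reason: 'request-error', transactionId: null };
  }
}
```

Store the returned `transactionId` alongside your `posReference` so a denied sale can be reconciled against the server's transaction record.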