🧩 Insert token → 🌐 Verify (API) → 🛠️ AWS Lambda → 🔐 KMS Signature → 🗄️ DynamoDB Check → ✅ Result
How to use this page
- Insert token: paste the Base64URL token in the console (right/up) and click Insert token.
- Verify: click Verify Token. The app calls your API: /verify?t=....
- Read the result: the status shows as Active, Suspended, or Withdrawn with public certificate fields.
- (Optional) Download QR: generate a QR of the same URL to print or share.
What happens when you press “Verify”
🌐 API Gateway
Receives the HTTPS request at /verify?t=... (stage path included), keeps the t query string unchanged and forwards the event to Lambda via proxy integration. The final JSON produced by Lambda is returned to the client.
🛠️ AWS Lambda
Decodes the token → validates timestamp → verifies signature with KMS → loads the record for certId from DynamoDB → recomputes keccak256(canonicalString) and compares to certHash → returns status & public fields.
🔐 AWS KMS
Checks the token signature (RSASSA_PSS_SHA_256) with the signing key (e.g., alias/qrcc-sign).
🗄️ Amazon DynamoDB
Holds certificate records keyed by certId (fields: status, issuerLab, standard, officialLink, canonicalString).
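The Lambda steps above as a fail-closed verifier, added here as an example (not this project's code). Assumptions: the token is Base64URL-encoded JSON with fields certId, certHash (hex), ts and sig; the signature covers a JSON array of the first three; the freshness window and the choice of returned fields are illustrative; kms and table are a boto3 KMS client and DynamoDB Table, and verify_token, reject and b64url_decode are hypothetical names.

```python
import base64, hmac, json, time

def b64url_decode(s):
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode(s + "=" * (-len(s) % 4), altchars=b"-_", validate=True)

def reject(reason):
    return {"valid": False, "reason": reason}

def verify_token(t, kms, table, keccak256, key_id="alias/qrcc-sign",
                 now=None, max_age_s=86400, skew_s=60):
    # keccak256: caller-supplied bytes -> digest function. hashlib.sha3_256 is NOT
    # Keccak-256 (different padding), so it cannot stand in for it here.
    try:  # 1. Decode; the envelope fields certId/certHash/ts/sig are assumed.
        tok = json.loads(b64url_decode(t))
        cert_id, ts = str(tok["certId"]), int(tok["ts"])
        want = bytes.fromhex(tok["certHash"])
        sig = b64url_decode(tok["sig"])
    except (ValueError, KeyError, TypeError):
        return reject("malformed token")
    # 2. Timestamp: not from the future, not older than the assumed window.
    now = time.time() if now is None else now
    if ts > now + skew_s or now - ts > max_age_s:
        return reject("timestamp out of range")
    # 3. Signature over an unambiguous encoding of the signed fields (assumed).
    msg = json.dumps([cert_id, tok["certHash"], ts], separators=(",", ":")).encode()
    try:
        ok = kms.verify(KeyId=key_id, Message=msg, MessageType="RAW", Signature=sig,
                        SigningAlgorithm="RSASSA_PSS_SHA_256")["SignatureValid"]
    except Exception:  # boto3 raises KMSInvalidSignatureException; fail closed
        ok = False
    if ok is not True:
        return reject("bad signature")
    # 4. Only a signed, fresh token reaches the database lookup.
    item = table.get_item(Key={"certId": cert_id}).get("Item")
    if item is None:
        return reject("unknown certificate")
    # 5. Bind the stored record to the signed hash, compared in constant time.
    got = keccak256(item["canonicalString"].encode())
    if not hmac.compare_digest(got, want):
        return reject("hash mismatch")
    public = ("status", "issuerLab", "standard", "officialLink")  # assumed public set
    return {"valid": True, **{k: item[k] for k in public}}
```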