haxxnz / vaxxed-as-web

Raw QR code data visible via "View details"

zendamacf opened this issue · comments

Hi, not sure if this is a big deal or not, but the full QR payload is visible when you click "View Details" after scanning the QR code. There is potential for somebody to copy the payload and create their own QR with it.

I know you could just screenshot the QR, but it feels like it might be a little more obvious if somebody were to do that.

The CWT is signed with public-key crypto. Changing contents will make the signature invalid.
Ministry of Health holds the private key.

Sorry, I meant using the payload to copy the scanned QR code.

If you don't think it's an issue, feel free to close this 😄

@zendamacf I don't see any issue with re-encoding that raw payload into your own QR code. You can even create a vanity QR code with a cute logo in the middle which will scan as a NZ COVID Pass. As long as it pops up as a valid pass in a verifier app, it's all good.

On a completely unrelated note, please refrain from sharing valid NZ COVID Passes on social media, because not every venue will be checking IDs and we don't want to let people cheat the system by showing NZ COVID Passes which are not theirs (effectively committing identity theft).
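
The point of the thread, as an added example that is not part of the discussion or of the vaxxed-as-web code: a signature makes a changed payload fail verification, a byte-identical copy still verifies, and only the ID check ties a pass to the person showing it. The key pair, the claims and the JSON-plus-ECDSA token layout are constructed stand-ins for the real CWT, and `issuePass`, `verifyPass` and `matchesId` are hypothetical names.

```javascript
// Added illustration, not code from vaxxed-as-web. The key pair, claims and
// token layout (JSON + ECDSA P-256) are constructed stand-ins for the real CWT.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// Stand-in for the issuer key pair; only the issuer holds the private half.
const issuer = generateKeyPairSync("ec", { namedCurve: "P-256" });

// Issuer side: sign the claims, return "<claims>.<signature>" as the QR payload.
function issuePass(claims, privateKey) {
  const body = Buffer.from(JSON.stringify(claims), "utf8");
  const sig = sign("sha256", body, privateKey);
  return `${body.toString("base64url")}.${sig.toString("base64url")}`;
}

// Verifier side: return the signed claims, or null if the signature fails.
function verifyPass(payload, publicKey) {
  const parts = payload.split(".");
  if (parts.length !== 2) return null;
  const body = Buffer.from(parts[0], "base64url");
  const sig = Buffer.from(parts[1], "base64url");
  try {
    if (!verify("sha256", body, publicKey, sig)) return null;
    return JSON.parse(body.toString("utf8"));
  } catch {
    return null; // malformed signature or body
  }
}

// Holder binding is a separate step: compare the signed claims with a photo ID.
function matchesId(claims, id) {
  return claims !== null && claims.name === id.name && claims.dob === id.dob;
}

function demo() {
  const holder = { name: "Jane Doe", dob: "1990-01-01" }; // constructed
  const other = { name: "John Roe", dob: "1985-05-05" };  // constructed
  const original = issuePass(holder, issuer.privateKey);
  const copied = original.slice(); // same bytes, as if re-encoded into a new QR
  const otherBody = Buffer.from(JSON.stringify(other)).toString("base64url");
  const tampered = `${otherBody}.${original.split(".")[1]}`; // new claims, old signature
  return {
    copiedValid: verifyPass(copied, issuer.publicKey) !== null,
    tamperedValid: verifyPass(tampered, issuer.publicKey) !== null,
    copyMatchesHolderId: matchesId(verifyPass(copied, issuer.publicKey), holder),
    copyMatchesOtherId: matchesId(verifyPass(copied, issuer.publicKey), other),
  };
}
```

`demo()` reports the copy as valid and the tampered payload as invalid; the copy only fails at `matchesId` when the ID presented belongs to someone else.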