The Role of Vaccination Certification in Restoring Air Travel Confidence

The COVID-19 pandemic brought international travel to an unprecedented standstill. As borders began to reopen, airlines faced the enormous challenge of ensuring passenger safety while complying with a patchwork of national health regulations. Vaccination certification emerged as a linchpin of risk-managed travel, offering a verifiable way to confirm that passengers met entry requirements. However, the proliferation of paper certificates, mobile apps, and government portals created confusion and bottlenecks. To solve this, airlines and governments forged new partnerships to develop standardized, interoperable vaccination credentials that could restore traveler confidence and enable a smoother resumption of global mobility.

Early in the recovery, travelers encountered wildly different rules: some countries accepted only domestically issued certificates, others required negative PCR tests alongside vaccination proof, and still others refused certain vaccines not approved by their health authorities. This fragmentation undermined the very purpose of certification. Airlines, already under financial pressure, bore the burden of verifying compliance at check-in, often with manual checks prone to fraud and error. The need for a unified, digitized, and globally recognized system became a top priority for the aviation industry and public health authorities alike.

The Complexity of Global Health Credentials

Vaccination certificates are not new; the International Certificate of Vaccination or Prophylaxis (the “yellow card”) has been used for decades for diseases like yellow fever. But the scale and speed of COVID-19 certification requirements were unprecedented. By early 2021, dozens of countries had introduced their own digital or paper proof-of-vaccination schemes, each with distinct data formats, security features, and validity rules. Airlines had to manage these disparate systems while also respecting data protection laws like Europe’s GDPR. The result was a chaotic mix of manual checks, app downloads, and last-minute rejections at boarding gates.

Standardizing these credentials required alignment on technical specifications, data fields (e.g., name, date of birth, vaccine type, dates of doses), and authentication methods. The World Health Organization (WHO) provided guidance, but implementation fell to national governments and private-sector technology providers. Airlines, with their direct exposure to traveler friction, took a leading role in advocating for harmonization and in piloting digital solutions that could work across borders.

Key Collaborative Initiatives Shaping Standards

Several high-profile initiatives have emerged from the collaboration between airlines, governments, technology companies, and international bodies. Each aims to create a trusted ecosystem for vaccination verification, though their approaches vary in scope and governance.

IATA Travel Pass

The International Air Transport Association (IATA) launched its Travel Pass in early 2021 as a mobile app that allows travelers to receive, store, and share their COVID-19 test results and vaccination certificates in a secure, verifiable format. IATA worked with governments, laboratories, and airlines to define a common data structure and ensure the app could integrate with existing airline check-in systems. The Travel Pass uses a module architecture: a registry of health requirements, a lab app for issuing verified test/certificate results, and a passenger app that generates a QR code for check-in. Over 60 airlines participated in trials or operational deployments. Although IATA Travel Pass was eventually phased out in favor of broader initiatives, it demonstrated that industry-led standardization was technically feasible and operationally acceptable.

IATA continues to support the development of global standards through the IATA One ID initiative, which expands beyond health to include identity and travel document verification. The Travel Pass experience helped build the technical and governance frameworks now used in national digital certificate systems. (IATA One ID)

CommonPass and The Commons Project

CommonPass is a digital health pass developed by The Commons Project, a Swiss nonprofit, in partnership with the World Economic Forum. It allows travelers to create a verified account linking their lab results and vaccination records from approved health systems. CommonPass was designed from the start for cross-border interoperability, using a decentralized architecture that does not centralize personal data. Governments can trust the digital signature on each CommonPass QR code without needing to access the underlying medical records. Airlines including Cathay Pacific, United Airlines, and British Airways integrated CommonPass into their digital check-in flows. The CommonPass framework later influenced the WHO’s SMART Health Cards specification, which has become a global standard for verifiable health credentials.

The Commons Project also operated the CommonTrust Network, a set of governance rules for issuers and verifiers. This approach allowed small countries and health systems to participate without building their own infrastructure from scratch. (The Commons Project)

EU Digital COVID Certificate

Perhaps the most successful government-led effort is the European Union’s EU Digital COVID Certificate (EUDCC), launched in July 2021. It provided a standardized, QR-code-based certificate accepted by all 27 EU member states, plus Switzerland, Norway, Iceland, and many non-EU countries. The EUDCC covered vaccination, test results, and recovery. Airlines flying into or within the EU were required to accept the certificate, creating a powerful incentive for interoperability. The system relied on a gateway infrastructure that allowed each country’s certificate issuer to sign credentials with public-key cryptography, while verifiers used a central directory of trusted public keys. This model balanced national sovereignty with cross-border trust.

The EUDCC became the de facto standard for many international routes, and non-EU countries like the United Kingdom, Singapore, and Japan aligned their own certificates with the EU Technical Specifications. The World Health Organization later endorsed the EUDCC as a global model and established a WHO Global Digital Health Certification Network based on the same principles. (EU Digital COVID Certificate)

WHO and Global Health Trust Framework

Building on the momentum of the EUDCC, the WHO in 2023 launched a Global Digital Health Certification Network that allows countries to trust each other’s digital certificates without bilateral agreements. This network is grounded in the WHO’s International Health Regulations (IHR) and is designed to be applicable beyond COVID-19 to other health requirements. Airlines participate through industry bodies like IATA, which have aligned their data standards with the WHO framework. The network supports multiple certificate formats, including SMART Health Cards and the EUDCC, and provides a trust anchor for future public health emergencies. The WHO’s involvement adds a layer of public-health legitimacy that purely commercial solutions lacked.

Technological Foundations: Security and Interoperability

Underpinning all major certification initiatives are three key technological principles: digital signatures to prevent forgery, decentralized storage to protect privacy, and QR codes for offline verification at check-in. Most systems use a public-key infrastructure (PKI) where health authorities sign each certificate with their private key. Airlines and border control agencies use a directory of trusted public keys to verify the signature without needing to contact the issuing authority in real time. This approach works even in low-connectivity environments, such as airports with intermittent internet.

Data minimalism is another critical feature. The QR code on a vaccination certificate typically contains only the minimum information needed for verification: the traveler’s name, date of birth, vaccine details, and a digital signature. It does not include underlying medical records or government identifiers. The verifier’s device never stores the data longer than necessary, reducing the risk of data breaches. Some systems, such as the SMART Health Cards format, encode the data as a JSON Web Token (JWT) embedded in the QR code, making it self-contained and verifiable offline.

Blockchain has been proposed as a solution for immutability and decentralized trust, but most deployed systems have opted for simpler PKI models due to scalability and regulatory concerns. The IATA Travel Pass, for example, used a combination of PKI and the IATA Identity platform to bind a traveler’s identity to their health information, but it did not rely on a blockchain ledger.

Tackling Persistent Challenges

Despite the technical sophistication of these systems, several challenges continue to test the airline-government collaboration model.

Data Privacy and Security

Vaccination certificates contain sensitive health data. Airlines are not healthcare providers, and many jurisdictions strictly limit what health information carriers can collect or store. The EU’s GDPR, for example, requires explicit consent and purpose limitation. The decentralized verification model helps, but airlines must still process personal data at check-in. Breaches have occurred: in 2021, a credential check service used by multiple airlines suffered a data leak exposing travelers’ test results. The incident underscored the need for rigorous security audits and adherence to privacy-by-design principles.

Governments have helped by setting clear legal frameworks. The EU’s Digital COVID Certificate Regulation explicitly defined what data could be processed and by whom, and it prohibited airlines from storing the certificate after the journey. Similar regulations are needed in other regions to prevent mission creep—where health credentials might be used for non-health purposes like employment screening.

Global Interoperability and Equity

While the EUDCC set a high bar, many low- and middle-income countries lacked the digital infrastructure to issue compliant certificates. As a result, travelers from those countries faced barriers, sometimes being turned away at borders or forced to pay for expensive tests. The WHO and the World Bank have invested in digital health infrastructure projects, but progress is uneven. The International Civil Aviation Organization (ICAO) has also worked on a Digital Travel Credential that could embed health data, but this is still in the pilot phase.

Equity also extends to vaccine acceptance. Some countries only recognize vaccines that have received domestic emergency use authorization, leaving travelers with WHO-approved but not locally authorized vaccines unable to enter. Airlines cannot unilaterally override national health regulations, but they have advocated for Mutual Recognition Agreements (MRAs) between governments. The G7 and G20 have issued statements supporting such MRAs, but implementation remains slow.

Acceptance of Different Vaccines and Booster Schedules

Validation rules are a moving target. As boosters became recommended, certificate systems had to accommodate multiple dose entries and expiry dates. Airlines had to update their verification logic frequently, often on short notice. The IATA Travel Pass solution used a cloud-based rules engine that could be updated centrally, but airlines using in-house systems struggled. Governments have not always communicated changes clearly to carriers, leading to confusion at check-in counters.

Another complexity is the rise of hybrid immunity: travelers infected after vaccination have different certificates than those who are fully vaccinated. Some systems treated recovery certificates as equivalent to vaccination, but others did not. The lack of a universal definition of “fully vaccinated” remains a headache.

Government-Airline Partnerships in Action

Real-world examples show how these collaborations have played out. In Singapore, the Singapore Airlines teamed up with the Singapore government’s HealthHub and the Vaccine-verified Travel Framework to pre-validate vaccination certificates before travel. Passengers uploaded their certificates to the airline’s mobile app, where they were checked against the national registry. This allowed for a contactless check-in process and reduced wait times.

In the United Arab Emirates, Emirates Airlines worked with the Dubai Health Authority to integrate the Alhosn national COVID-19 app into its check-in system. Passengers could generate a shared QR code that the airline could scan at the airport, eliminating the need for printed certificates. Emirates also participated in the IATA Travel Pass pilots and later transitioned to the WHO-accredited digital certificate framework.

The United States took a less centralized approach, relying on the CDC’s SMART Health Cards specification rather than a national app. Airlines like United and American Airlines built their own verification workflows, accepting SMART Health Cards from states and pharmacy chains. The lack of a federal mandate meant that airlines had to handle multiple formats, but the SMART Health Cards standard—based on the same JWT/Qr code structure used by the EUDCC—ensured a degree of interoperability. The U.S. Department of Homeland Security also issued guidance for inbound travelers, aligning with the WHO Smart Health Cards framework.

In Africa, Ethiopian Airlines and RwandAir worked with the African CDC and the African Union’s Trusted Travel initiative to pilot digital certificate verification for intra-African travel. The project aimed to create a pan-African health credential that would reduce reliance on paper certificates and speed up border crossing at major hubs like Addis Ababa and Kigali. Funding from the World Bank helped build the digital infrastructure, and the lessons are now being applied to the WHO Global Network.

The Future of Digital Health Credentials Beyond COVID-19

The COVID-19 pandemic accelerated the digitization of health certificates, but the infrastructure being built is not limited to one disease. The WHO Global Digital Health Certification Network is designed to be extendable to other International Health Regulations-notifiable diseases, such as yellow fever, polio, and meningitis. Airlines see this as an opportunity to create a universal travel health wallet where travelers can store all their required immunizations and test results in one verifiable format.

IATA’s One ID initiative aims to combine identity verification, health credentials, and travel documents into a single digital token that a passenger can present at every touchpoint of the journey—check-in, bag drop, security, boarding. This would eliminate multiple document checks and reduce processing time. Several airports, including Singapore Changi and Amsterdam Schiphol, have begun live trials of One ID with select airlines.

Governments are also exploring the use of digital credentials for non-travel purposes, such as access to large events, workplace entry, or school attendance. The line between travel health passes and general digital identity is blurring. Privacy advocates warn that this could lead to a two-tier system where only the digitally equipped can freely move. Airlines and governments will need to ensure that off-ramps exist for those who cannot or will not use digital certificates—as the EUDCC did by allowing paper with QR codes.

Conclusion

The collaboration between airlines and governments on vaccination certification standards represents a remarkable achievement in public-private cooperation under extreme time pressure. What began as a scramble to react to border closures has matured into a globally interoperable framework that uses digital signatures, QR codes, and decentralized trust architectures to verify health status without compromising privacy. The EUDCC, IATA Travel Pass, CommonPass, and WHO network have each contributed technical and governance models that are now converging toward a single global standard.

However, the system is not yet complete. Equity gaps persist, vaccine recognition is still fragmented, and the long-term governance of health data remains contested. Travelers, airlines, and governments all have a stake in seeing this infrastructure maintained and improved—not just for COVID-19, but for the next health crisis that inevitably will test global mobility again. The partnerships forged during the pandemic have proven that aviation and public health can work hand in hand when trust, transparency, and shared standards are the foundation.