Check a credential’s status

The Status List Service hosts all status lists publicly. Each list is a signed JSON web token (JWT). You can verify the JWT’s signature by accessing the Status List Service’s JSON web key set (JWKS) hosted at https://crs.account.gov.uk/.well-known/jwks.json (production) or https://crs.integration.account.gov.uk/.well-known/jwks.json (integration).

There are two formats that the Status List Service supports: Bitstring status lists and Token status lists.

You can use the status list uri in the credential to check a credential’s status.

Each status at a specific index in the status list uses 2 bits. Each status index may contain one of the following bit combinations:

00 (VALID). Represents a valid credential
01 (INVALID). Represents a credential that has been permanently revoked (marked as invalid)
10 (NOT USED). Currently not used
11 (NOT USED). Currently not used

Bitstring status list

Status lists where the URI path begins with /b/ are Bitstring status lists that follow the W3C Bitstring Status List specification.

For consistency between the two different lists that the status list service publishes, the Status List Service uses the more complex implementation of Bitstring status lists.

Technical details

Endpoint URI

The URI path for the Bitstring status list endpoint is /b/{statusListIdentifier}. It is presented as a GET request, where:

b represents the type of status list: BitstringStatusList
statusListIdentifier represents an ID for a specific status list

Bitstring status list request example

Below is an example of the /b/{statusListIdentifier} request:

GET /b/A671FED3E9AD HTTP/1.1
Host: crs.account.gov.uk
Accept: application/json

Request Response

The JWT response header will contain the following:

{
  "alg": "ES256",
  "kid": "12",
  "typ": "vc+jwt"
}

Parameter	Description
`alg`	`alg` stands for ‘algorithm’. This value will be returned as `ES256`. This is the algorithm used to encode the JWT.
`kid`	`kid` stands for ‘key ID’. This key ID represents a key in the Status List Service’s JWKS which can be used to verify the JSON web signature (JWS).
`typ`	`typ` stands for ‘type’. This is the type of the status list. It is `vc+jwt` for Bitstring status lists.

Payload

The JWT response payload for a Bitstring status list will contain the following:

{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://www.w3.org/ns/credentials/examples/v2"
  ],
  "id": "https://crs.account.gov.uk/b/A671FED3E9AD",
  "type": [
    "VerifiableCredential",
    "BitstringStatusListCredential"
  ],
  "issuer": "https://crs.account.gov.uk/",
  "validFrom": "2025-10-01T14:00:00Z",
  "validUntil": "2025-10-08T14:00:00Z",
  "credentialSubject": {
    "id": "https://crs.account.gov.uk/b/A671FED3E9AD#list",
    "type": "BitstringStatusList",
    "statusSize": 2,
    "statusPurpose": "message",
    "statusMessage": [
      {
        "status": "0x0",
        "message": "VALID"
      },
      {
        "status": "0x1",
        "message": "INVALID"
      }
    ],
    "encodedList": "uH4sIAAAAAAAAA3MUBABJTAvCAgAAAA",
    "ttl": "3600"
  }
}

Parameter	Description
`id`	A unique URL that represents this status list.
`type`	The type of credential.
`issuer`	The URL of this status list credential’s issuer.
`validFrom`	The earliest point in time at which the status list is valid.
`validUntil`	The latest point in time at which the status list is valid.
`credentialSubject`	The status list subject about which the claims below are made.
`credentialSubject.id`	A unique URI that represents this status list.
`credentialSubject.type`	The type of credential. This will be `BitstringStatusList`.
`credentialSubject.statusSize`	The size of the status list in bits.
`credentialSubject.statusPurpose`	The purpose of the status list, as described in statusMessage.
`credentialSubject.statusMessages`	This is an array of objects, which each contain a status and a message.
`credentialSubject.statusMessages.status`	This represents the status value in the status list. It is a hexadecimal string, and will be `"0x0"` or `"1x1"`.
`credentialSubject.statusMessages.message`	The status message representing the status value. This will be `"VALID"` or `"INVALID"`.
`credentialSubject.encodedList`	This is a multibase-encoded base64url (with no padding) representation of the GZIP-compressed bitstring values for the associated range of verifiable credential status values.

Token status list

Status lists where the URI path begins with /t/ are Token status lists that follow the IETF Token Status List specification.

Technical details

Endpoint URI

The URI path for the Token status list endpoint is /t/{statusListIdentifier}. It is presented as a GET request, where:

t represents the type of status list: TokenStatusList
statusListIdentifier represents an ID for a specific status list

Token Status List Request Example

Below is an example of the /t/{statusListIdentifier} request:

GET /t/A671FED3E9AD HTTP/1.1
Host: crs.account.gov.uk
Accept: application/statuslist+jwt

Request Response

Header

The JWT response header will contain the following:

{
  "alg": "ES256",
  "kid": "12",
  "typ": "statuslist+jwt"
}

Parameter	Description
`alg`	`alg` stands for ‘algorithm’. This value will be returned as `ES256`. This is the algorithm used to encode the JWT.
`kid`	`kid` stands for ‘key ID’. This key ID represents a key in the Status List Service’s JWKS which can be used to verify the JSON web signature (JWS).
`typ`	`typ` stands for ‘type’. This is the type of the status list. This will be `statuslist+jwt` for a Token status list.

Payload

The JWT response payload for a Token status list will contain the following:

{
  "exp": 2291720170,
  "iat": 1686920170,
  "iss": "https://crs.account.gov.uk",
  "status_list": {
    "bits": 2,
    "lst": "eNpzdAEAAMgAhg"
  },
  "sub": "https://crs.account.gov.uk/b/A671FED3E9AD",
  "ttl": 43200
}

Parameter	Description
`exp`	`exp` stands for ‘expiry’. This is the expiry of the subject credential.
`iat`	`iat` stands for ‘issued at’. This is the timestamp the subject credential was originally issued at.
`iss`	`iss` stands for ‘issuer’. This is the URL of the credential issuer service operated by the organisation sharing the credential.
`status_list.bits`	The number of bits that represent a status.
`status_list.lst`	`lst` stands for ‘list’. This is an encoded version of this status list.
`sub`	`sub` stands for ‘subject’. This is the URI of the status list that was in the original HTTP request.
`ttl`	`ttl` stands for ‘time-to-live’. This is the lifetime of the cached version of this status list. Status lists are updated at regular and set intervals.

JSON Web Key Set (JWKS)

The JWKS endpoint exposes the Status List Service’s public cryptographic keys in JSON Web Key Set (JWKS) format. You can use a public key to verify the signature of a status list. This verification lets you make sure that the status list was published by the Status List Service and it has not been tampered with.

Technical details

Endpoint location

The JWKS is publicly accessible at the standardised location /.well-known/jwks.json on the Status List Service domain.

Response format

The endpoint must return a 200 OK HTTP status code and a valid JSON response that follows the JWKS specification defined in RFC 7517. Each key within the JWKS is represented as a JSON Web Key (JWK) object. The JWKS usually contains only one key, but it can contain two keys during a key rotation overlap period.

The JWK for an elliptic curve public key based on the P-256 curve must include the following parameters:

Parameter	Definition
`kty`	The family of cryptographic algorithms used with the key. This must be `EC`.
`kid`	A unique identifier for a specific key within the set. This value will be referenced in the status list JWT header to show which key must be used for verification. This parameter is important for associating the correct public key with the status list being verified.
`crv`	The cryptographic curve used with the key. This must be `P-256`.
`x`	The “x” coordinate for the elliptic curve point.
`y`	The “y” coordinate for the elliptic curve point.
`alg`	The cryptographic algorithm used with the key. This must be `ES256`.
`use`	The intended use of the key. This must be `sig` to indicate the key can be used to verify the signature.

JWKS example

Below is an example of a JWKS containing one elliptic curve public key based on the P-256 curve:

{
  "keys": [
    {
      "kty": "EC",
      "use": "sig",
      "crv": "P-256",
      "kid": "5dcbee863b5d7cc30c9ba1f7393dacc6c16610782e4b6a191f94a7e8b1e1510f",
      "x": "6jCKX_QRrmTeEJi-uiwcYqu8BgMgl70g2pdAst24MPE",
      "y": "icPzjbSk6apD_SNvQt8NWOPlPeGG4KYU55GfnARryoY",
      "alg": "ES256"
    }
  ]
}

This page was last reviewed on 22 October 2025. It needs to be reviewed again on 22 April 2026 .