Is it possible to Read a COVID Certificate with Power Apps?

After the summer, there was discussion in Finland about a COVID passport and its necessity. To a low-code professional, the proposed project schedule seemed to be way too long.

Of course, it’s unfair to compare a national project to a project within an organization, which Power Platform projects typically are. In addition, the project becomes even more complicated because sensitive personal health information is being processed. Still, I want to experiment how the Power Platform could be used to implement a COVID passport solution.

Let’s see how it goes.

The idea of ​​the solution is simple. Every Finnish citizen can download an EU COVID certificate from omakanta-service. There are three types of certificates available:

  • Certificate of COVID vaccination
  • Certificate of COVID test result
  • Certificate of COVID disease

Below are pictures of the first two.

In our implementation, any of these three certificates will serve as the COVID passport. The certificate can be kept with you in paper format, downloaded as a document/image to your phone or added to Apple Wallet at

The certificates have a QR code that contains the information on the certificate.

All you need is a mobile application that reads this QR code. Based on the content, the user is told whether the person’s certificate is valid (there must be at least x days from the infection, at least n days from the second vaccination and max y days from a negative test result).

Reading a QR code with Power Apps

Currently, Power Apps has an excellent barcode reader that can also read QR codes.

Let’s quickly make a Power App that initially only shows the contents of a read QR code (BarcodeScanner1.Value)

And try to read my own COVID certificate with it.

Reading the barcode is so fast that it’s hard to even take a picture of it…

To our surprise, the end result is something completely different from a readable JSON.

And this is the reason why I always prefer to start doing things as early as possible. That is making a Proof of Concept alongside defining requirements.

I have been involved in projects that first only define for weeks. And when work finally begins, after 30 minutes some sort of dead end is already found. And the definitions have to be partly revised.

Too many assumptions, too few experiments.

After a bit of research, it becomes clear to us that the content of the QR code is base45 encoded. Once unpacked, it contains a compressed (zlib) text. This in turn is encoded with CBOR, which uses a digital signature (COSE). More familiarly known as CBOR Web Token (CWT).

What to do now?

Power Apps runs out of tricks at this point. But that doesn’t mean you have to give up. The following options come to mind:

Power Automate Desktop (PAD)

Base 45 coding can be done on various sites (e.g. What if there is somewhere equivalent site for each of the steps (zlib and CBOR)? After reading the QR code, our Power Apps would launch an RPA process implemented on a PAD that would decode the code into a readable format using various online services.

No. No. No. And once again No.

Using PAD here is far too slow. The QR code scanner should probably wait minutes for results. In addition, the use of PAD would require separate licenses, and we cannot assume that barbershops, restaurants, theaters, movie theaters, etc. would all acquire additional licenses for our solution.

Next idea.

Azure Functions

There are ready-made codes for decoding the QR code of EU COVID certificates, implemented at least with Javascript and Python. It is possible to create Azure Functions, which Power Apps would call. Azure Functions would decode the encoded text and return it readable format to Power Apps.

Sounds better. In this option, the Power Apps users must have a Power Apps per user license (new price $5/month/user), as calling Azure Functions is a premium feature.

Or it could be possible to build Power Apps inside Dataverse for Teams. In this case, the application is always opened from inside Teams. And using it does not require new licenses from the end user. But… In this case, Azure Functions must then be called through Azure API Management. And such should be created for every barber, restaurant, etc…

Tough choices.

Custom connector that contains code

Currently, you can add your own c # code to run on your custom connectors. However, the available libraries are quite limited, so I don’t think this is a realistic option.

And even if it was, using your own connectors is a premium feature. This means that all end users should have at least a Power Apps per App license. Again.

Implementation of Power Apps Component Framework (PCF) control

One possible solution is to implement a PCF control with TypeScript that handles the decoding. The control could be placed directly in the Power Apps, in which case everything would be done on the user’s device. Fast and cost-effective. No license requirements.

However, these are not familiar to me, so there is no certainty that it will succeed. Let’s skip.

Finishing the application

The application we first imagined to be simple suddenly became complicated. This time, we’re ignoring the whole QR decoding. However, if I were to do it I would try the Azure Functions option first.

Let’s imagine that we managed to decode the contents of the QR code. It is in JSON format (description can be found here).

The contents of the QR code on my own COVID vaccination certificate look like this.

  "v": [
      "ci": "URN:XXXXX",
      "co": "FI",
      "dn": 2,
      "dt": "2021-08-15",
      "is": "KELA/FPA",
      "ma": "ORG-100030215",
      "mp": "EU/1/20/1528",
      "sd": 2,
      "tg": "840539006",
      "vp": "1119349007"
  "dob": "19XX-XX-XX",
  "nam": {
    "fn": "Pertilä",
    "gn": "Timo",
    "fnt": "PERTILAE",
    "gnt": "TIMO"
  "ver": "1.3.0"

Power Apps itself cannot read content in JSON format. However, we can

  • Return a JSON response with schemas to Power Apps using Flow’s http response. This is again a Premium feature, which means licenses are required.
  • Return each field of the JSON message as its own value to Power Apps. This is possible, because each piece of information appears only once in the response

Based on the return values, Power Apps tells you if the read COVID certificate is valid (enough time has passed since vaccinations, the test is recent enough, etc.). Other necessary information could also be displayed to help ensure that the certificate belongs to the presenter.


This time everything did not go as planned. But in the real life it rarely does. The key is to identify problems (both technical and process-related) as quickly as possible. There is often a solution to them. The earlier the problems are identified, the more time is left to resolve them.

When we evaluated the different solution options, we found that there are very different approaches. Each had its own weaknesses and strengths. Choices can lead to fundamental changes in the solution itself. For example, a shift to using Dataverse for Teams.

In our example, end-user licenses were also a variable. We sought a solution that worked with Microsoft 365 licenses. In this case, the solution quickly becomes a complicated mess. A single decision may result in all users being required to have a Power Apps per App license. Or worse, a situation where licenses are not technically needed, even though the license terms still require them to be acquired (so-called multiplexing).

And yes. There are already free solutions for reading EU COVID certificates. Like

You don’t always have to do everything on the Power Platform.

Show me more apps running on Power Platform!

Are you interested in seeing examples of the kinds of apps we’ve built for our customers & ourselves by using Power Apps, Power Automate and Power BI? Check out the Forward Forever App Gallery for ideas and inspiration on what your organization could also achieve with low-code apps.

Leave a Reply