Product architecture
How the passport engine works
Hospitality Passport is the identity, compliance and payments layer that sits above external training providers. This page shows the core flows — from module completion at a training provider, through the certificate ingest webhook, to the operator verifying a worker on their shift.
System overview
Four surfaces, one passport record.
Candidate app
Mobile-first passport, QR, renewals
Operator console
Multi-site verification & billing
Training provider
Publishes modules & certificates
Admin console
Support, override, reconciliation
Passport core
Identity, entitlements, expiry engine
Ledger (Postgres)
Immutable event store + audit
Edge API
tRPC + webhooks + Stripe
TSG webhook
module.completed → cert.issued
Stripe billing
Passport & operator subscriptions
Notification bus
Email · SMS · push · digest
Verifier
QR + signed JWT · 250ms P95
Certificate ingest flow
From module completion at TSG to a verified passport.
- 1Candidate completes module on TSGExternal LMS
- 2TSG posts signed webhookPOST /hooks/tsg
- 3Passport core verifies signatureHMAC + replay guard
- 4Certificate + expiry written to ledgerPostgres · immutable
- 5Passport & operators notifiedPush + digest
Expiry & renewal rules
Deterministic engine, per-module metadata driven.
- Renewal windowT–30 days before expiry
- Grace period7 days post expiry (read-only passport)
- EscalationOperator notified at T–14, T–7, T–0
- Auto-bookIf module has provider capacity & candidate opt-in
- Reciprocal recognitionEU Level-2 equivalents auto-mapped
Verification path
Operator scans a passport QR — what happens next.
- 1Operator app scans QR (offline capable, signed JWT)
- 2Signature validated against rotating public key set
- 3Cached passport read (edge KV, sub-100ms) → live check if stale
- 4Result rendered with modules, expiries, employer chain
- 5Verification event streamed to audit log & operator BI
99.98%
Rolling 90-day uptime
<180ms
Verify P95 (edge)
12
Provider integrations planned
ISO 27001
In audit — Q3 2026