Extract the Machine Readable Zone string from the document via OCR or barcode scan and parse the three-line MRZ for document number, date of birth, date of expiry, and check digits
Verify each check digit in the MRZ using the ICAO 9303 check digit algorithm (weighted modulo 10) to confirm the MRZ was read correctly
Establish Basic Access Control or PACE with the passport chip using keys derived from the MRZ data to authenticate to the chip
Read data group 1 (DG1) for the MRZ data stored on chip and compare it against the optically read MRZ to detect alterations
Read data group 2 (DG2) for the facial image stored on chip and optionally perform a face match against a live selfie
Verify the Document Security Object (SOD) passive authentication signature using the issuing country certificate chain to confirm chip data integrity
Known gotchas
PACE replaces BAC on newer e-passports and requires knowing which PACE parameter set the chip supports before initiating; chips that support only BAC will reject PACE commands
Passive authentication requires access to the issuing country's Document Signer Certificate, which must be obtained from ICAO PKD or country-specific channels and kept up to date
Active authentication and Chip Authentication are optional features not present on all e-passports; do not assume their presence when planning your verification logic
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp