---
title: The EU age verification app is open source, here is how it will work
description: The EU age verification app reads your passport on-device, never uploads it, and hands out single-use age passes. How it works, and why open source matters.
author: Darie Nani (Editor-in-Chief)
date: 2026-04-15T20:32:11.544Z
updated: 2026-05-01T14:10:37.120Z
canonical: https://www.sovereignmagazine.com/article/eu-age-verification-app-open-source
image: https://cdn.nanimediahouse.com/eu-age-app.webp
categories: EU Focus
content_type: News
region: Europe
publication: Sovereign Magazine
about:
  - type: Organization
    name: European Commission
---

Ursula von der Leyen announced on 15 April 2026 that the European Commission's age verification app is "technically ready". She also said it would be "completely anonymous". That is a big claim. The reason anyone can check whether it is true is that the app's code is sitting on GitHub, free for anyone to read, and has been for months.

Most of the public conversation has been about VPNs and whether teenagers will dodge the check. That is a separate argument. The more interesting question is what the app on the phone is actually doing, because that is what the privacy promise rests on.

## How the EU age verification app reads your passport

The first time someone sets up the [EU age verification app](https://github.com/eu-digital-identity-wallet/av-app-android-wallet-ui), they are asked to hold a passport or national ID card up to the phone. The phone reads the document itself, either by tapping the chip inside it or by scanning it with the camera. The phone pulls out the birthdate. That is all. The document is not sent anywhere. Nobody in Brussels ends up with a copy. No company does either.

### See More

- [The EU Age Verification App Was Always Meant to Be Broken Into](https://www.sovereignmagazine.com/article/eu-age-verification-app-open-source-defence)

The phone then asks a government-approved issuer for a set of digital age passes. The issuer does not see the passport. It does not see the name, the photo, the number or the birthdate. All it sees is a signal from the phone confirming that the app is the real app and the phone is a real phone. On the strength of that, the issuer hands over the passes. The passes sit in locked storage on the phone.

## The app hands out a batch of single-use age passes

Each pass works like a ticket from a strip. When a website asks "are you old enough", the app tears off one ticket and hands it over. The website gets back a yes or a no. It does not get the birthdate, it does not get the passport, it does not get anything it can match against the next site the user visits. Once used, the ticket is gone.

The user gets roughly thirty of these at a time. When the strip runs out, or after three months at most, the user holds their passport up to the phone again and gets a fresh strip. That is the only repeat step in normal use. No logins, no uploads, no accounts.

The reason for tearing each ticket up after use is the whole point. If every site received the same reusable code, those codes could be joined up to follow a person around the internet. Handing out thirty fresh tickets and binning each one after it is used takes that possibility off the table.

## Why the EU age verification app is open source

The Commission has published the Android app, the wallet code it is built on, and the full technical specification, including the cryptography. Researchers can read it. Journalists can read it. Anyone who wants to argue with any of the claims above can read it and argue from the actual source.

Member states can also take the code and make their own version. [Denmark, France, Greece, Italy and Spain](https://ageverification.dev/) are first in line, either folding it into their [national digital identity wallets](https://www.sovereignmagazine.com/article/tiktok-to-introduce-eu-age-verification-system) or shipping their own version on the app stores. Countries outside the EU can pick up the same code and do the same.

There is one rule they cannot break. They can translate it, rebrand it, change the colours and the onboarding screens. They are not allowed to change the part that keeps the user private. A member state cannot quietly rip out the anonymity layer and still ship the app under the Commission's name.

That is a different posture from how [age checks have worked in the UK and the US](https://www.sovereignmagazine.com/article/why-age-verification-is-now-a-reputational-issue-for-every-online-business), where private companies hold scans of driving licences and passports on their own servers and ask the public to trust that they will be careful. The proof of care there is a marketing page. The proof of care here is a Git repository anyone can audit.

## What the EU age verification app hides and what it does not

The issuer does not know which websites the user visits. The websites do not know who the user is. They only get a yes or a no.

The parts worth being honest about are at the edges. The setup step relies on the phone's locked storage working the way its maker says it works, and that is something the user has to take on faith. A government or a third-party that maintains its own version of the app is only as private as its maintainer, which is exactly why the rule against touching the privacy layer matters. And none of this stops a website from tracking a visitor through the rest of their browser session by more ordinary means, which is a different fight for a different regulation.

None of that makes "completely anonymous" a lie. It makes it a claim about a specific part of the stack, one that is now open for anyone to verify rather than take on trust.

The VPN conversation will keep running. The bigger question is whether the UK, the US and everyone else now building age checks copy this approach, or keep paying private companies to hold passports in a datacentre somewhere and promise to be careful.

## FAQ

**Q: Does the EU age verification app store your passport?**
No. The app reads the passport locally on the phone, either through the NFC chip or the camera, and extracts only the birthdate. The document itself is never uploaded to the issuer or to any website, and is not kept in app storage once the age credential has been generated.

**Q: Which countries are using the EU age verification app?**
Denmark, France, Greece, Italy and Spain are the first member states piloting the solution. Each will either integrate it into their national digital identity wallet or publish a customised version on the app stores under the EU Digital Identity Wallet framework.

**Q: How does zero-knowledge proof work for age verification?**
A zero-knowledge proof lets the app prove a mathematical statement, such as "this credential says the user is over eighteen", without revealing the underlying data the statement is based on. The website receives a valid or invalid result. It does not receive the birthdate, the name or the credential itself.

**Q: Do you have to verify your age every time you visit a website?**
No. After the initial document read, the app holds a batch of around thirty single-use credentials. Each site visit uses one credential, which is then deleted to prevent tracking across services. Users re-read their document to get a fresh batch when the current one runs out, or every three months at most.
