Do I need an Apple Developer account to receive a pass?

No — only the issuer needs a Pass Type Identifier and signing certificate. CardCard handles all of that on the issuer side. Recipients just tap Add to Wallet from the public page.

Can the pass update after the recipient has installed it?

Yes. Wallet checks the issuing endpoint for changes; CardCard pushes a refresh whenever the underlying card edits. The serial number stays the same, but the visible fields on the front and back update on the next Wallet open.

Can the issuer see who installed the pass?

No. Wallet keeps the install local to the device. CardCard never sees who taps Add to Wallet — only that the pass file was downloaded by some browser. Privacy is on the recipient's side, not the issuer's.

Guide

What is an Apple Wallet pass?

A pkpass is a signed bundle Apple Wallet trusts. Here is what travels inside one and how a CardCard issues it.

Definition

An Apple Wallet pass is a small zipped bundle of JSON, images, and a manifest, signed by an Apple-issued certificate. Wallet trusts the bundle on the strength of that signature alone. The file extension is .pkpass and the format predates Wallet's name change from Passbook in 2015.

How it works

Wallet downloads the pkpass over HTTPS. It verifies the signature against Apple's WWDR root certificate, then stores the pass locally on the device. When the issuer changes the underlying record, the pass refreshes silently from a known endpoint the next time Wallet opens it. The user does not have to re-add anything for the change to land on the phone.

A worked example

Anna issues a CardCard. She opens the public page on her iPhone and taps Add to Wallet. Wallet fetches the .pkpass, checks the Apple signature, and renders the front fields — name, tagline, theme. The detail fields she marked Wallet-only sit on the back of the pass, one tap behind the card itself, exactly the way the public page hides them.

When it matters

Conferences, in-person meetings, and any moment a phone is closer than a paper card. The pass keeps a phone tap from going through a website round trip. Wallet shows the card at the lock screen when the holder reaches a venue or pins it as a favourite — much faster than typing a URL into Safari.

When it does not

If the recipient is on Android the pass does nothing — Wallet is iOS-and-Watch only. CardCard still serves a public web page and a vCard download for those cases, so the introduction is not lost. The Wallet pass is a bonus, not the only surface CardCard ships.

Questions

Do I need an Apple Developer account to receive a pass?: No — only the issuer needs a Pass Type Identifier and signing certificate. CardCard handles all of that on the issuer side. Recipients just tap Add to Wallet from the public page.
Can the pass update after the recipient has installed it?: Yes. Wallet checks the issuing endpoint for changes; CardCard pushes a refresh whenever the underlying card edits. The serial number stays the same, but the visible fields on the front and back update on the next Wallet open.
Can the issuer see who installed the pass?: No. Wallet keeps the install local to the device. CardCard never sees who taps Add to Wallet — only that the pass file was downloaded by some browser. Privacy is on the recipient's side, not the issuer's.

Reviewed 2026-05-08 by the CardCard atelier.