Blockchain-based vaccination records on Stellar: soulbound, verifiable, tamper-proof.

VacciChain lets governments and healthcare providers issue vaccination records as non-transferable NFTs (soulbound tokens) on the Stellar network via Soroban smart contracts. Patients hold records in their Stellar wallets. Schools, employers, and border agencies verify status on-chain: no central database, no forgery.

- Issuer-gated minting: only authorized healthcare providers can issue vaccination NFTs
- Soulbound tokens: all transfer attempts are reverted at the contract level
- On-chain verification: any third party can verify a wallet's vaccination status publicly
- SEP-10 authentication: Stellar Web Auth for secure, replay-protected sessions
- Analytics service: vaccination rates, issuer activity, and anomaly detection
- Fully dockerized: one command to spin up the entire stack

```
vacci-chain/
├── contracts/                      # Rust: Soroban smart contracts
│   ├── src/
│   │   ├── lib.rs                  # Contract entrypoint
│   │   ├── mint.rs                 # Issue vaccination NFT
│   │   ├── verify.rs               # On-chain verification logic
│   │   ├── storage.rs              # Key-value storage schemas
│   │   └── events.rs               # Contract event definitions
│   ├── Cargo.toml
│   └── Makefile                    # build, test, deploy targets
│
├── backend/                        # Node.js: Express REST API
│   ├── src/
│   │   ├── routes/
│   │   │   ├── auth.js             # SEP-10 challenge + verify
│   │   │   ├── vaccination.js      # Issue and fetch records
│   │   │   └── verify.js           # Public verification endpoint
│   │   ├── middleware/
│   │   │   ├── auth.js             # JWT guard middleware
│   │   │   └── issuer.js           # Authorized issuer check
│   │   ├── stellar/
│   │   │   ├── sep10.js            # Challenge generation + signature verify
│   │   │   └── soroban.js          # Contract invocation helpers
│   │   └── app.js
│   ├── package.json
│   └── Dockerfile
│
├── frontend/                       # React: patient & issuer UI
│   ├── src/
│   │   ├── pages/
│   │   │   ├── Landing.jsx
│   │   │   ├── PatientDashboard.jsx
│   │   │   ├── IssuerDashboard.jsx
│   │   │   └── VerifyPage.jsx
│   │   ├── hooks/
│   │   │   ├── useFreighter.js     # Wallet connect + SEP-10 flow
│   │   │   └── useVaccination.js
│   │   └── components/
│   │       ├── NFTCard.jsx
│   │       └── VerificationBadge.jsx
│   ├── package.json
│   └── Dockerfile
│
├── python-service/                 # Python: FastAPI analytics
│   ├── main.py
│   ├── routes/
│   │   ├── analytics.py            # Vaccination rates, issuer stats
│   │   └── batch.py                # Bulk verification scripts
│   ├── requirements.txt
│   └── Dockerfile
│
└── docker-compose.yml
```

| Layer | Technology |
|---|---|
| Smart Contracts | Rust · Soroban SDK |
| Backend | Node.js · Express.js · Stellar SDK |
| Frontend | React · Freighter API |
| Analytics | Python · FastAPI |
| Auth | SEP-10 · JWT |
| Infrastructure | Docker · Docker Compose |
| Network | Stellar Testnet → Mainnet |

The Soroban contract (`contracts/`) enforces all core rules. No backend can override it.

| Function | Access | Description |
|---|---|---|
| `mint_vaccination(patient, vaccine, date, issuer)` | Issuer only | Issues a soulbound vaccination NFT |
| `transfer(...)` | Blocked | Always reverts; tokens are non-transferable |
| `verify_vaccination(wallet)` | Public | Returns vaccination status + metadata list |
| `add_issuer(address)` | Admin only | Authorizes a new healthcare provider |
| `revoke_issuer(address)` | Admin only | Removes issuer authorization |

```
patient_address → Vec<token_id>
token_id        → VaccinationRecord { vaccine_name, date, issuer, timestamp }
issuer_address  → bool (authorized)
```

- Issuer allowlist checked on every mint
- Duplicate record detection before minting
- All inputs validated at contract boundary
- Replay protection via SEP-10 nonces
- No reentrancy patterns: single-entry invocation model
- Safe arithmetic throughout
- All critical actions emit on-chain events
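
The contract rules listed above (allowlist check on every mint, duplicate detection, always-reverting transfer, admin-only issuer management), modelled in plain Rust as an added example; it is not the project's contract and does not use the Soroban SDK. `Registry`, the `Error` variants, the duplicate rule (same patient, vaccine and date) and the pre-authenticated `caller`/`issuer` strings are assumptions; the `timestamp` field and event emission are left out.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq)]
pub enum Error { NotAdmin, NotIssuer, Duplicate, Soulbound }
#[derive(Clone, Debug, PartialEq)]
pub struct Record { pub vaccine: String, pub date: String, pub issuer: String }
/// In-memory stand-in for contract storage (hypothetical; not the Soroban SDK).
/// `caller` and `issuer` are assumed to be authenticated by the host already.
#[derive(Default)]
pub struct Registry {
    admin: String,
    issuers: HashSet<String>,              // issuer_address -> authorized
    by_patient: HashMap<String, Vec<u64>>, // patient_address -> Vec<token_id>
    records: HashMap<u64, Record>,         // token_id -> VaccinationRecord
}
impl Registry {
    pub fn new(admin: &str) -> Self { Registry { admin: admin.into(), ..Default::default() } }
    pub fn add_issuer(&mut self, caller: &str, addr: &str) -> Result<bool, Error> {
        if caller != self.admin { return Err(Error::NotAdmin); }
        Ok(self.issuers.insert(addr.into()))
    }
    pub fn revoke_issuer(&mut self, caller: &str, addr: &str) -> Result<bool, Error> {
        if caller != self.admin { return Err(Error::NotAdmin); }
        Ok(self.issuers.remove(addr))
    }
    pub fn mint_vaccination(&mut self, patient: &str, vaccine: &str, date: &str,
                            issuer: &str) -> Result<u64, Error> {
        // The allowlist is read on every mint, so revocation applies at once.
        if !self.issuers.contains(issuer) { return Err(Error::NotIssuer); }
        let records = &self.records;
        let ids = self.by_patient.entry(patient.into()).or_default();
        // Assumed duplicate rule: same patient, vaccine and date.
        if ids.iter().any(|id| records[id].vaccine == vaccine && records[id].date == date) {
            return Err(Error::Duplicate);
        }
        let token_id = self.records.len() as u64 + 1;
        ids.push(token_id);
        let rec = Record { vaccine: vaccine.into(), date: date.into(), issuer: issuer.into() };
        self.records.insert(token_id, rec);
        Ok(token_id)
    }
    pub fn transfer(&self, _from: &str, _to: &str, _id: u64) -> Result<(), Error> {
        Err(Error::Soulbound) // soulbound: every transfer attempt is rejected
    }
    pub fn verify_vaccination(&self, wallet: &str) -> (bool, Vec<Record>) {
        let recs: Vec<Record> = self.by_patient.get(wallet).into_iter().flatten()
            .map(|id| self.records[id].clone()).collect();
        (!recs.is_empty(), recs)
    }
}
```
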

Base URL: http://localhost:4000

| Method | Endpoint | Description |
|---|---|---|
| POST | `/auth/sep10` | Generate SEP-10 challenge transaction |
| POST | `/auth/verify` | Verify signed challenge, issue JWT |

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | `/vaccination/issue` | Issuer JWT | Mint NFT via Soroban contract |
| GET | `/vaccination/:wallet` | JWT | Fetch all records for a wallet |

| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | `/verify/:wallet` | None | Public vaccination status check |

- Landing: Project overview and connect wallet CTA
- Patient Dashboard: View all vaccination NFTs held in connected wallet, with vaccine name, date, and issuer details
- Issuer Dashboard: Authorized issuers can fill and submit the vaccination form; mints directly to patient wallet via contract
- Verification Page: Enter any Stellar wallet address and get an instant on-chain verification result with badge

Base URL: http://localhost:8001

| Endpoint | Description |
|---|---|
| `GET /analytics/rates` | Vaccination rates by vaccine type and region |
| `GET /analytics/issuers` | Issuer activity: volume, frequency, last active |
| `POST /batch/verify` | Bulk verify a list of wallet addresses |
| `GET /analytics/anomalies` | Flag unusual minting patterns |

```
Client (Freighter)              Backend                       Stellar Network
      │                            │                                 │
      │── POST /auth/sep10 ───────►│                                 │
      │                            │── build challenge tx ──────────►│
      │◄── challenge tx ───────────│                                 │
      │                            │                                 │
      │── sign with wallet ────────┤                                 │
      │                            │                                 │
      │── POST /auth/verify ──────►│                                 │
      │   { signed_tx }            │── verify signature ────────────►│
      │                            │◄── valid ───────────────────────│
      │◄── JWT ────────────────────│                                 │
```

```bash
# Start all services
docker compose up --build

# Services and ports
# frontend       → http://localhost:3000
# backend        → http://localhost:4000
# python-service → http://localhost:8001
```

`docker-compose.yml` wires all services on an internal `vaccichain` network. Only frontend, backend, and analytics ports are exposed to the host.

- Rust + `wasm32-unknown-unknown` target
- Soroban CLI
- Node.js 18+
- Python 3.11+
- Docker + Docker Compose
- Freighter Wallet browser extension

```bash
git clone https://github.com/your-org/vacci-chain.git
cd vacci-chain
cp .env.example .env
# Fill in your Stellar keys and contract IDs
```

```bash
cd contracts
make build    # compile to WASM
make deploy   # deploy to testnet, outputs CONTRACT_ID
make test     # run contract unit tests
```

```bash
docker compose up --build
```

```bash
# Backend
cd backend && npm install && npm run dev

# Frontend
cd frontend && npm install && npm run dev

# Python service
cd python-service && pip install -r requirements.txt && uvicorn main:app --port 8001
```

```
# Stellar / Soroban
STELLAR_NETWORK=testnet
HORIZON_URL=https://horizon-testnet.stellar.org
SOROBAN_RPC_URL=https://soroban-testnet.stellar.org
STELLAR_NETWORK_PASSPHRASE=Test SDF Network ; September 2015

# Contract
VACCINATIONS_CONTRACT_ID=

# Backend
ADMIN_SECRET_KEY=
SEP10_SERVER_KEY=
JWT_SECRET=
PORT=4000

# Python service
ANALYTICS_PORT=8001
```

```bash
# Smart contract tests
cd contracts && cargo test

# Backend tests
cd backend && npm test

# Python service tests
cd python-service && pytest
```

- Soulbound enforcement is at the contract level: no UI or backend can bypass it
- Issuer authorization is on-chain: adding/removing issuers requires an admin-signed contract call
- SEP-10 challenges expire after 5 minutes and are single-use
- JWTs are short-lived (1 hour) and scoped by role (`patient` | `issuer`)
- All contract events are emitted and indexable for audit trails
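
The session rules in the notes above (single-use SEP-10 challenges that expire after 5 minutes, 1-hour JWTs scoped by role), modelled in Rust as an added example; it is not the backend's code, which is Node.js. `Challenges`, `Claims`, `Reject` and `authorize` are hypothetical names, signature verification and nonce generation are assumed to happen elsewhere, and consuming the nonce on a failed redeem is this example's choice.

```rust
use std::collections::HashMap;

pub const CHALLENGE_TTL_SECS: u64 = 5 * 60; // challenges expire after 5 minutes
pub const JWT_TTL_SECS: u64 = 60 * 60;      // JWTs live for 1 hour

#[derive(Debug, PartialEq)]
pub enum Reject { UnknownOrUsed, Expired, WrongAccount, WrongRole, TokenExpired }
#[derive(Debug, PartialEq)]
pub struct Claims { pub sub: String, pub role: String, pub exp: u64 }

/// Pending challenges: nonce -> (account, issued_at). Hypothetical model.
#[derive(Default)]
pub struct Challenges { pending: HashMap<String, (String, u64)> }

impl Challenges {
    /// `nonce` is assumed to come from a CSPRNG; `now` is Unix time in seconds.
    pub fn issue(&mut self, nonce: &str, account: &str, now: u64) {
        self.pending.retain(|_, v| now < v.1 + CHALLENGE_TTL_SECS); // drop stale entries
        self.pending.insert(nonce.into(), (account.into(), now));
    }
    /// Call only after the challenge signature has been verified. The nonce is
    /// removed before any other check, so every outcome consumes it.
    pub fn redeem(&mut self, nonce: &str, account: &str, role: &str, now: u64)
                  -> Result<Claims, Reject> {
        let (owner, issued_at) = self.pending.remove(nonce).ok_or(Reject::UnknownOrUsed)?;
        if now >= issued_at + CHALLENGE_TTL_SECS { return Err(Reject::Expired); }
        if owner != account { return Err(Reject::WrongAccount); }
        Ok(Claims { sub: owner, role: role.into(), exp: now + JWT_TTL_SECS })
    }
}

/// Route guard: the token must be unexpired and carry the role the route needs.
pub fn authorize(claims: &Claims, required_role: &str, now: u64) -> Result<(), Reject> {
    if now >= claims.exp { return Err(Reject::TokenExpired); }
    if claims.role != required_role { return Err(Reject::WrongRole); }
    Ok(())
}

fn main() {
    let mut c = Challenges::default();
    c.issue("nonce-1", "GPATIENT", 1_000); // constructed sample values
    println!("{:?}", c.redeem("nonce-1", "GPATIENT", "patient", 1_010));
    println!("{:?}", c.redeem("nonce-1", "GPATIENT", "patient", 1_011)); // replay is refused
}
```
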

MIT © VacciChain Contributors