What this demonstrator shows
This is a technology demonstrator for supply-chain transparency in textile manufacturing. It implements the UN Transparency Protocol (UNTP): an open standard for publishing verifiable, machine-readable information about products, the facilities that make them, and the events in their life. The page below explains the building blocks — digital product passports, decentralised identities, verifiable credentials, the identity resolver, and the cryptography that ties them together — and how they fit together when you scan a single product.
How it works — from a scan to a verified passport
A product carries an identifier
A physical item — say, a roll of fabric — carries a data carrier such as a QR code or barcode. Encoded in it is an identifier: a globally unique reference to the product. Scanning it (or typing it in) is where every lookup begins.
An identifier can point at a whole product class (every roll of this fabric type), a batch or lot, or a single serialised item. The same scan can therefore mean "this kind of product" or "this exact object", and the demonstrator keeps track of which level you are looking at.
The identifier is sent to a resolver
An identifier on its own is just a string — it does not say where the information about that product lives. An Identity Resolver answers exactly that question. The demonstrator hands the scanned identifier to a resolver conformant with the UNTP resolver specification, which looks up what is known about it and where to find it.
The granularity you scan and the granularity you receive are decoupled. A serialised-item identifier might return item-specific data to one viewer, but only batch-level or class-level data to another — and those different slices may be hosted in entirely different places (the manufacturer's own store, an industry register, a certifier's system). One identifier, many possible answers.
The resolver returns a linkset
The resolver does not hand back the product information directly. Instead it returns
a linkset: a structured list of typed links. Each link says what it
points to — its link type, e.g. dpp for a product passport or
dcc for a conformity credential — its format, language, and the
anchor describing what the link is about (the item, or its product class).
This indirection is deliberate: it lets many parties publish links about the same product without any of them owning a central database. The actual documents live wherever their publishers host them; the linkset is just the index.
Following a link fetches a verifiable credential
Following a link retrieves a Verifiable Credential (VC) — a tamper-evident digital document in which one party makes a set of claims (this fabric is 70% organic cotton; this facility passed an audit; this batch was shipped on this date). VCs are a W3C standard, designed to be checked by anyone, anywhere, without phoning home to the issuer.
Each credential is digitally signed by its issuer using public-key cryptography (this demonstrator uses Ed25519 signatures, carried in a signed JWT). The signature is computed over the credential's contents, so any later change — even a single digit — invalidates it. Anyone can verify the signature using the issuer's published public key, confirming both that the document is unaltered and that it genuinely came from that issuer. Links may also carry a content hash, letting the viewer confirm the fetched document is exactly the one the resolver pointed to.
The signature is traced back to a decentralised identity
To check a signature you need the issuer's public key — and you need confidence the
key really belongs to them. That is the role of a Decentralised Identifier
(DID): an identity that no central authority issues or controls. In this
demonstrator issuers are identified by did:web, which resolves to a
document published on the issuer's own domain listing their public keys.
So verification is self-contained: the credential names its issuer's DID, the DID yields the public key, and the key confirms the signature. No central registry of issuers is required — trust rests on cryptography and on the issuer's control of their own domain.
The result is rendered — as a passport, and more
The flagship credential a consumer or regulator scans for is the Digital Product Passport (DPP): the product-level record of what something is, what it is made of, and how it performs against sustainability and safety criteria. But a DPP rarely stands alone — it links out to other UNTP credentials: conformity credentials (DCC) backing its claims, facility records (DFR) for where it was made, and traceability events (DTE) recording what happened to it.
The same identifier can resolve to different views depending on who is asking. This demonstrator illustrates roles such as public, customer, regulator, and recycler — a regulator might see emissions and chemical-safety data a casual viewer does not. These particular roles are just examples used here; the mechanism supports any role set a deployment chooses to define.
A product's story does not end at manufacture. New links can be added to an identifier after its passport was first issued — a repair, a change of ownership, a recycling event — so the record accretes over time. The viewer can assemble these into a chronological timeline, including events added long after the original credential.
Glossary
An open UN/CEFACT standard defining a small family of interoperable credentials and a resolver pattern for publishing trustworthy supply-chain information. This demonstrator targets version 0.7.0.
The product-level UNTP credential: identity, composition, classification, and sustainability or safety performance. The document a consumer or regulator typically scans for, and the hub that links to supporting credentials.
An attestation, usually from a third-party assessor, that a product or process meets a standard or regulation — the evidence a DPP's claims point to.
A record of something that happened to a product — made, moved, or modified — at a point in time. Chains of events build a product's traceable history.
A credential describing a facility — a mill, a smelter, a factory — including its location and operating attributes. Products and events reference facilities by their identifiers.
A W3C-standard digital document containing signed claims made by an issuer. Tamper-evident and independently checkable — the common envelope all UNTP credential types use.
A globally unique identity that no central authority issues or controls. Resolves to
a document listing public keys. This demonstrator uses did:web, anchored
to the issuer's own domain.
A cryptographic seal (Ed25519 here) computed over a credential's contents with the issuer's private key. It proves the document is unaltered and authentically theirs, and is verified with the matching public key from their DID.
A service that turns a product or facility identifier into a linkset of places to find information about it. The entry point that connects a physical scan to digital records, possibly held by many parties.
The structured response from a resolver: a list of typed links, each with a link type, format, language, and an anchor saying what it describes. An index of documents, not the documents themselves.
Whether an identifier refers to a product class, a batch/lot, or a single serialised item. Independent of the granularity of data actually returned, which can depend on the requester's role.
A view of a credential tailored to the requester's role (e.g. public, customer, regulator, recycler). Some claims are visible only to some roles. The roles shown here are illustrative examples.
Information added to an identifier after the original credential was issued — repairs, transfers, recycling — letting a product's record grow over its lifetime rather than being fixed at manufacture.
Ready to try it? Scan a product's QR or barcode, or enter an identifier manually.
Go to scanner