Verify a product as a secondary buyer
What you'll learn
Walk through the verify-dpp app to confirm that a Digital Product Passport is genuine — directly from the blockchain, with no sign-in. Useful for second-hand buyers, auditors, customs inspectors, or anyone who wants an independent check.
- Time: ~5 min
- Difficulty: Beginner — no code
- You'll need: A product with a Keyban QR code or a passport URL
How it goes, end to end
Step 1: Open
Scan the QR or open the link — no sign-in.
Step 2: Timeline
Read the list of on-chain certifications.
Step 3: Inspect
Drill into attributes, decrypt or compare if needed.
Step 4: Verdict
Genuine, partial match, or red flag — decide.
What you actually see in the app
- Land on the app
Scan a QR or open the link — verify-dpp opens in your browser.
- Blockchain lookup
The app fetches certification events from Starknet and IPFS.
- See the timeline
Each certification shows date, certifier, signature status.
- Read the verdict
A green check confirms authenticity; warnings flag what to investigate.
Step 1 — Open the link
The same verification flow applies to any product category. Pick the one closest to what you have in hand and open the corresponding link — the rest of this tutorial walks through what you'll see.
- Textile
- Cashmere scarf — verify the chain of custody, GOTS certification and material origin.
- Electronics
- Bluetooth headphones — inspect repairability score, recycled content and battery compliance.
- Cosmetics
- Face moisturizer — check ingredient origin, ISO 22716 GMP and Cosmetics Reg 1223/2009 conformity.
The productId parameter tells the app which passport to look up. As soon as the page loads, the app starts fetching events from the blockchain — you do not need to click anything.
If you only have a serial number or a partial URL, you can paste it into the search field instead.
Step 2 — Read the certification timeline
The screenshots below use a wine bottle as the running example, but the fields, badges and verdicts work the same on any of the three demo passports above (or on your own product).
Once the lookup completes, the app shows every certification ever issued for this product, in order:
| Certification | Block | Certifier | Signature |
|---|---|---|---|
| #1 — May 1, 2026 | 12345 | Wine Experts LLC | Valid |
| #2 — May 15, 2026 | 12450 | Wine Experts LLC | Valid |
Two entries here means the brand re-certified the product two weeks after the first issuance — a normal pattern when product information is corrected or enriched.
What if something looks off?
| Signal | Meaning | What to do |
|---|---|---|
| Invalid signature | The certified data was tampered with after signing | Stop. The product cannot be trusted. Report to the brand. |
| Revoked, certified after | The key was compromised at certification time | Stop. Contact the brand. |
| Revoked, certified before | Old certification, still cryptographically valid | Treat as valid; cross-check the certifier info in step 4. |
| Unknown certifier | Not registered on-chain | Verify the certifier's identity directly with the brand before trusting. |
When no certifications are found
If the app shows "No certifications found for this product", the blockchain has no event for this product ID. Possible reasons:
- The QR code or product ID is wrong → try scanning again
- The product is on a different network → try `?chain=sepolia` if you suspect a testnet deployment
- The product was never certified by this brand → ask the seller for an alternative proof of authenticity
A missing DPP for a product that should have one is a strong red flag — treat it like a missing serial number on a luxury watch.
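The signal table and the no-certifications case above can be written as one decision routine. This is an added example, not code from verify-dpp: the record fields, the action names, the severity order and the revocation date in the sample are all assumptions made for illustration.

```javascript
// Added example. Record shape is hypothetical, not the verify-dpp data model:
// certifier.status is "active" | "revoked" | "unknown"; timestamps are ISO 8601.

// Classify one certification using the rows of the signal table.
function classifyCertification(cert) {
  if (!cert.signatureValid) return { signal: "Invalid signature", action: "stop" };
  const { status, revokedAt } = cert.certifier;
  if (status === "revoked") {
    // Assumption: a missing or unparsable revocation date, or a certification
    // made at the exact revocation instant, counts as "certified after".
    const before = Date.parse(cert.certifiedAt) < Date.parse(revokedAt);
    return before
      ? { signal: "Revoked, certified before", action: "cross-check" }
      : { signal: "Revoked, certified after", action: "stop" };
  }
  // Fail closed: any status other than "active" is handled as an unknown certifier.
  if (status !== "active") return { signal: "Unknown certifier", action: "verify-with-brand" };
  return { signal: "Valid", action: "ok" };
}

// Assumed ordering of the table's "What to do" column, mildest to strictest.
const SEVERITY = ["ok", "cross-check", "verify-with-brand", "stop"];

// Evaluate a whole timeline in block order; the strictest action wins.
function evaluateTimeline(certs) {
  if (certs.length === 0) return { action: "missing", entries: [] }; // "No certifications found"
  const entries = [...certs]
    .sort((a, b) => a.block - b.block)
    .map((c) => ({ block: c.block, ...classifyCertification(c) }));
  const action = entries.reduce(
    (worst, e) => (SEVERITY.indexOf(e.action) > SEVERITY.indexOf(worst) ? e.action : worst),
    "ok"
  );
  return { action, entries };
}

// Constructed sample: the two certifications from the timeline table, with a
// made-up revocation date that falls between them.
const revokedCertifier = { name: "Wine Experts LLC", status: "revoked", revokedAt: "2026-05-10T00:00:00Z" };
const sampleTimeline = [
  { block: 12450, certifiedAt: "2026-05-15T00:00:00Z", signatureValid: true, certifier: revokedCertifier },
  { block: 12345, certifiedAt: "2026-05-01T00:00:00Z", signatureValid: true, certifier: revokedCertifier },
];
console.log(evaluateTimeline(sampleTimeline));
```

With the constructed revocation date, the first certification is still usable after a cross-check while the second one makes the overall result a stop.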
Step 3 — Inspect the certified attributes
Tap a certification to expand it. You see every field the brand chose to certify:
| Attribute | Value | Verified? |
|---|---|---|
| productName | Wine Bottle 2020 | |
| vintage | 2020 | |
| alcohol | 14% | |
| origin | Burgundy, France | |
| vineyard | Domaine de la Romanée-Conti | |
Each green check means the value passed signature verification — the brand's private key was used to sign exactly this value, and the signature checks out.
Optional: compare against a document you have
If the seller gave you a spec sheet, an invoice, or a receipt, you can paste it (JSON or plain text) into the Compare claim field. The app will show you which fields match and which differ:
| Field | Certified | Your document | Status |
|---|---|---|---|
| vintage | 2020 | 2020 | Match |
| alcohol | 14% | 13.5% | Mismatch |
| vineyard | Domaine ABC | Domaine ABC | Match |
A mismatch here does not mean the passport is fake — the certified value is still cryptographically signed. It means the document you were given says something different. Common causes: an outdated spec, a typo, or a seller passing along the wrong claim.
Optional: decrypt sensitive fields
Some brands encrypt fields they do not want public — serial numbers, batch IDs, IBAN. You will see an Encrypted badge instead of the value:
- Tap the field → an "Enter encryption key" prompt appears
- Paste the key (usually printed on a card inside the box, or sent by SMS)
- The app decrypts and displays the plaintext
Step 4 — Read the certifier info
Below each certification, verify-dpp shows the certifier's metadata, fetched live from the on-chain registry:
- Certifier: Wine Experts LLC
- Status: Active (trusted)
- Registered on: May 1, 2026
If the status is Active, the certifier is currently trusted. If it is Revoked, the certifier's key has been retired — older certifications signed before the revocation date may still be valid, but anything signed after the revocation should not be trusted.
Step 5 — Reach a verdict
You have everything you need to decide. Three possible outcomes:
- All verified: Trust the product
  - All signatures pass
  - Certifier is active and trusted
  - Optional comparison and decryption succeeded
  - The product is genuine and has not been tampered with.
- Partial verification: Investigate before trusting
  - Signatures still pass
  - Some attributes do not match your document
  - Some encrypted fields could not be decrypted
  - The on-chain proof is fine; investigate the document or the missing keys before drawing conclusions.
- Verification failed: Do not trust
  - A signature does not verify
  - Certifier is revoked or unknown
  - Attribute history shows tampering
  - The product may be counterfeit or compromised. Do not use it; contact the brand.
Next steps
- You're the first owner of the product? → If you also got a magic link, head to the dpp app to claim the passport into your wallet.
- Found a counterfeit? → Screenshot the verdict screen and report to the brand or your local consumer-protection authority.
- Want to embed verification in your own app? → See the WAAS React SDK and the verify-dpp source.
Key concepts referenced here
- W3C Verifiable Credential — the signed passport carrying the certified attributes
- Content hash — a cryptographic fingerprint stored on-chain to detect tampering
- Certifier registry — the on-chain directory of trusted signing keys
- IPFS — decentralised storage where the signed passport lives
Deep dive: DPP Certification and Trust Chain.