Verification & Trust

A Digital Product Passport is only as valuable as it is trustworthy. Pasera makes every passport independently verifiable — anyone can confirm a DPP was issued by Pasera and has not been altered, without trusting Pasera’s servers.

Signed passports (Verifiable Credentials)

Every published DPP is a W3C Verifiable Credential. When a brand publishes a passport, Pasera signs it with an Ed25519 key under the decentralized identifier did:web:pasera.app. The signature is embedded in the passport’s JSON-LD as a Data Integrity proof.

This means:

  • Authenticity — the passport provably comes from Pasera’s signing key.
  • Integrity — if a single field is altered, the signature no longer verifies.
  • Independence — verification uses only the public key; it does not require calling Pasera.

The public key (DID document)

Pasera’s public signing key is published as a DID document at:

https://pasera.app/.well-known/did.json

Any standards-compliant verifier can resolve did:web:pasera.app to this document and check passport signatures.

Verifying a passport

Each consumer passport page links to a Verify endpoint. Programmatically:

GET https://api.pasera.app/dpp/{gtin}/{serial}/verify

Returns:

{
  "verified": true,
  "signed": true,
  "issuer": { "id": "did:web:pasera.app", "name": "Pasera" },
  "id": "https://p.pasera.app/dpp/..."
}

To verify manually: take the stored credential, remove the proof block, canonicalize the remaining JSON (RFC 8785 / JCS), base64url-decode the proof.proofValue (dropping its leading u), and check the Ed25519 signature against the public key in the DID document.
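
The manual steps above, written out as an added Node.js example; it is not Pasera's code. It assumes the signature covers the JCS bytes directly, as the steps read, and that the Ed25519 public key has already been loaded from the DID document (the page does not state how the key is encoded there). The function names, key pair and credential are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// RFC 8785 (JCS): keys sorted by UTF-16 code units, no whitespace.
// JSON.stringify already emits the string and number forms JCS requires.
function canonicalize(value) {
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  const members = Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]));
  return '{' + members.join(',') + '}';
}

// proofValue is 'u' + base64url; an Ed25519 signature is always 64 bytes.
function decodeProofValue(proofValue) {
  if (typeof proofValue !== 'string' || proofValue[0] !== 'u') return null;
  const sig = Buffer.from(proofValue.slice(1), 'base64url');
  return sig.length === 64 ? sig : null;
}

// publicKey: a Node KeyObject for the key published in the DID document
// (assumption: the caller has already loaded it; its encoding is not on the page).
function verifyPassport(credential, publicKey) {
  const { proof, ...unsigned } = credential; // remove the proof block
  const sig = decodeProofValue(proof && proof.proofValue);
  if (!sig) return false;
  const bytes = Buffer.from(canonicalize(unsigned), 'utf8');
  return crypto.verify(null, bytes, publicKey, sig);
}

// Constructed demo: throwaway key pair and made-up credential, signed the same
// way so there is something to verify. Not Pasera's key or passport data.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const subject = { gtin: '00000000000000', serial: 'EXAMPLE-1' };
  const issuer = { id: 'did:web:pasera.app', name: 'Pasera' };
  const unsigned = { type: ['VerifiableCredential'], issuer, credentialSubject: subject };
  const sig = crypto.sign(null, Buffer.from(canonicalize(unsigned), 'utf8'), privateKey);
  const proof = { proofValue: 'u' + sig.toString('base64url') };
  const signed = { ...unsigned, proof };
  // Same data with keys in a different order: canonicalization makes it verify.
  const reordered = { proof, credentialSubject: { serial: 'EXAMPLE-1', gtin: '00000000000000' },
    issuer, type: unsigned.type };
  const tampered = { ...signed, credentialSubject: { ...subject, serial: 'EXAMPLE-2' } };
  const noPrefix = { ...unsigned, proof: { proofValue: proof.proofValue.slice(1) } };
  return { valid: verifyPassport(signed, publicKey), reordered: verifyPassport(reordered, publicKey),
    tampered: verifyPassport(tampered, publicKey), noPrefix: verifyPassport(noPrefix, publicKey) };
}
console.log(demo());
```

A verifier that compares the raw stored bytes instead of the canonical form would reject the reordered credential, which is why the canonicalization step comes before the signature check.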

Certificate verification

Sustainability and compliance certificates (GOTS, OEKO-TEX, GRS, ISO 14001, …) carry a verified status. A certificate is only marked verified after Pasera reviews it — at which point Pasera records a signed attestation credential (also under did:web:pasera.app) stating that the certificate was checked, by whom, and when. Unverified certificates are shown without the verified mark, so the badge always reflects a real review.

Why this matters

The EU DPP framework is built on verifiable, machine-readable data. As the verified-data network grows across brands, factories, and tiers, cryptographic signing is what lets downstream parties — customers, customs, auditors, marketplaces — trust passport data without trusting any single intermediary.