SupplyTrust is a decentralized supply chain data management tool for supply chain entities, such as manufacturers, retailers, or consumers. Through SupplyTrust, supply chains become traceable, trackable, and trustworthy.
The current test version of SupplyTrust can be found here. In order to receive and present the Verifiable Credentials (VCs) issued by SupplyTrust, grant.io's Data Wallet is recommended.
- Set up:
  - run `npm install` in terminal while being in root folder to download packages for backend (Note: NodeJS v20.8.1 was used for implementing SupplyTrust.)
  - run `cd frontend` and run `npm install` again to download packages for frontend
  - go back to root folder by running `cd ..` in terminal
  - add `.env` file in the root folder and add the following env variables:
    - `ISSUER_DID=did:key:aSq9DsNNvGhYxYyqA9wd2eduEAZ5AXWgJTbTG9Z6LxMLKbAityif1p6YXTrinwVe928dtvFn89RFLfxRTjzmB1uZ7BT2S7dL3vXFUsMxXr89FpD6AXQYPmAyBqvk`

    Note: This did:key was automatically generated by running the script inside `generatePubPrivKey.js`. This did:key corresponds to the public and private key stored in the publicly accessible `certs` folder in the `backend` folder.
  - add `.env` file in folder `backend` and add the following env variables:
    - `CHEQD_CREDENTIAL_SERVICE_TOKEN` (get it here)
    - `PINATA_API_JWT` (get it following this guide)
    - `PINATA_API_GATEWAY` (get it following this guide)
    - `BASE_URL="http://localhost:3001"`
  - add `.env` file in folder `frontend` and add the following env variables:
    - `DANGEROUSLY_DISABLE_HOST_CHECK=true`
- Start running SupplyTrust web app on localhost:
  - run `npm start` in terminal while in root folder (this command automatically starts the backend and frontend)

    Note: Ensure that `package.json` in folder `frontend` contains `proxy=http://localhost:3001` as JSON attribute.
- Test SupplyTrust's tracing and tracking by entering `did:cheqd:testnet:ecc1d9b3-cd24-4abc-9440-a27f77a38643` in tracing and tracking form
How to use SupplyTrust can be seen in this demo video.
- Documenting Supply Chain: SupplyTrust enables its users to document supply chain items and the events in the item's lifecycle, such as production, shipping, receiving, or manufacturing. The supply chain documentation functionality is demonstrated from minute 1:36 onwards in this video.
- Private documentation: SupplyTrust gives its users the option to store a supply chain item's events in the private IPFS environment powered by Pinata. This feature strengthens privacy, which is desired by users who do not want to publicly reveal their supply chain data, possibly containing business secrets.
- Tracing and tracking: SupplyTrust provides a simple-to-use interface for tracing and tracking supply chain items based on their DID. The tracking and tracing functionality is demonstrated until minute 1:35 in this video.
- Managing documents: SupplyTrust enables its users to manage their documents through a simple user interface, giving users an ideal overview of their documents and, in the case of private documents, to whom they have granted access through VC issuance. (Note: this functionality is only showcased and not implemented in the current version of SupplyTrust)
The idea for SupplyTrust emerged from a pressing need for accountability across supply chains. Currently, many supply chain entities can operate without transparency, allowing room for potential violations of environmental standards, human rights, and legal regulations. SupplyTrust aims to offer a solution that distinguishes responsible entities from those that are less compliant, encouraging ethical practices by providing a trustworthy platform for tracking and tracing supply chain activities. This transparency puts pressure on less responsible actors to disclose their practices or risk losing credibility with consumers.
Furthermore, consumers often lack insight into the origin and handling of the products they purchase, making it difficult to align purchases with personal ethics, dietary restrictions, or environmental concerns. SupplyTrust bridges this gap, empowering consumers with verifiable information about product histories.
For regulators, auditing and enforcing compliance across complex supply chains remains a significant challenge. By adopting SupplyTrust, regulators gain a powerful tool to verify that entities adhere to established standards in health, environmental protection, and human rights. Through this system, SupplyTrust can play a vital role in fostering more transparent, accountable, and ethical global supply chains.
- DIDs: SupplyTrust uses Decentralized Identifiers (DIDs) to uniquely identify supply chain items, where each version of a DID Document reflects a specific event in that item's lifecycle, such as production, shipping, receiving, or manufacturing. By leveraging the did:cheqd method, SupplyTrust stores these document versions on-chain and sequentially linked, enabling full traceability and transparency for any item identified by its DID. Additionally, DIDs serve to identify users within SupplyTrust, which are supply chain entities (e.g. manufacturers, distributors, retailers etc.).
- Pinata: SupplyTrust uses Pinata to efficiently interact with its off-chain storage: IPFS, essential for addressing the DID Document size limitations with did:cheqd. Pinata ensures high data availability and permanence, enhancing SupplyTrust's reliability and performance. Furthermore, Pinata’s private IPFS environment, accessible through the File API, provides SupplyTrust users with a secure option for storing sensitive information. This private IPFS environment is critical, as supply chain entities often require confidentiality for their proprietary data, making Pinata an essential element in fostering transparency and traceability while respecting user privacy and business secrets.
- VCs: SupplyTrust utilizes Verifiable Credentials (VCs) to verify ownership of supply chain entities over their private IPFS files. Moreover, these Ownership VCs also enable their holders to access their private IPFS files and to issue VCs granting others access permission.
- Used Technologies and Tools:
  - did:cheqd as DID method for integrating DIDs
  - cheqd Studio for simplified creation and management of DIDs of type did:cheqd
  - OpenID for Verifiable Credential Issuance (OID4VCI) as protocol for issuing VCs to supply chain entities to attest their ownership of their recorded supply chain events
  - OpenID for Verifiable Presentations (OID4VP) as protocol for verifying VCs that grant access to private IPFS files stored in the private IPFS powered by Pinata
  - InterPlanetary File System (IPFS) for off-chain storage to bypass limited DID Document size in cheqd
  - Pinata for integrating IPFS while offering supply chain entities the option to store their possibly business-relevant supply chain event metadata files in IPFS via Web3 API or in the private IPFS environment powered by Pinata via its File API
  - ReactJS for creating the frontend of SupplyTrust
  - NodeJS and ExpressJS for creating the backend of SupplyTrust
  - Heroku for deploying production version of SupplyTrust
  - grant.io's Data Wallet for testing OID4VC based issuance and verification in production
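
Tracing over sequentially linked DID Document versions, as described in the DIDs item above, can be sketched as follows. This is an added example, not SupplyTrust's own code: the records, the `versionId`/`previousVersionId` field names and the `traceItem` function are assumptions made for illustration.

```javascript
// Added example, not SupplyTrust code. Records and field names are constructed.
// Version records of one item's DID Document, in the arbitrary order a
// resolver might return them. Each version documents one lifecycle event.
const versions = [
  { versionId: 'c3', previousVersionId: 'b2', event: 'receiving', controller: 'did:example:retailer' },
  { versionId: 'a1', previousVersionId: null, event: 'production', controller: 'did:example:manufacturer' },
  { versionId: 'b2', previousVersionId: 'a1', event: 'shipping', controller: 'did:example:carrier' },
];

// Rebuild the item's timeline by following the links, and refuse to report a
// history whose chain is forked, has no start, loops, or has a gap.
function traceItem(records) {
  const bySuccessorOf = new Map(); // previousVersionId -> record that follows it
  for (const r of records) {
    const prev = r.previousVersionId ?? null;
    if (bySuccessorOf.has(prev)) return { ok: false, error: 'fork' };
    bySuccessorOf.set(prev, r);
  }
  if (!bySuccessorOf.has(null)) return { ok: false, error: 'no-initial-version' };

  const timeline = [];
  const seen = new Set();
  for (let cur = bySuccessorOf.get(null); cur; cur = bySuccessorOf.get(cur.versionId)) {
    if (seen.has(cur.versionId)) return { ok: false, error: 'cycle' };
    seen.add(cur.versionId);
    timeline.push({ event: cur.event, controller: cur.controller });
  }
  // Records that were never reached are not linked to the initial version.
  if (timeline.length !== records.length) return { ok: false, error: 'gap' };
  return { ok: true, timeline };
}

console.log(traceItem(versions));
```

A trace that fails any of these checks should be shown as incomplete rather than as the item's history, since a missing or duplicated link means an event may have been dropped or replaced.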
How can private IPFS supply chain event metadata files be kept secure yet accessible to authorized verifiers?
To enable secure but accessible private supply chain event metadata files, SupplyTrust provides a few methods for verifier access:
- Private IPFS Access Credentials: Verifiers can receive specific access credentials, allowing them to view designated private files. These credentials are VCs that are valid only for specified supply chain event metadata files. Only the file’s author, who is verifiable through SupplyTrust's Private IPFS Ownership Credentials, can issue these access credentials. To further ensure that the issuer of the Private IPFS Access Credentials is indeed the author of the relevant private files, SupplyTrust can verify the controller of the DID Document version that references the specific private file containing the supply chain event metadata.
- Ownership-Based Access: Another way to gain access to private event metadata files is through ownership of the supply chain item itself. SupplyTrust links each supply chain item to a unique DID, controlled by the item's current owner. By verifying the ownership of the item's DID, SupplyTrust can grant the current owner access to the entire history of private event metadata files associated with the item.
These mechanisms ensure that sensitive data remains protected while providing authorized verifiers with seamless access to relevant supply chain information.
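
The two access paths above can be combined into one deny-by-default decision, sketched here as an added example that is not SupplyTrust's own code. All DIDs, file identifiers, field names and the `decideAccess` function are constructed. It assumes VC signatures and proof of DID control were verified beforehand, that the controller of the latest DID Document version is the current owner, and that a credential is bound to its holder.

```javascript
// Added example, not SupplyTrust code. DIDs, CIDs and field names are constructed.
// Assumes VC signatures and proof of DID control were verified upstream, so
// `presenter` is a DID the caller has already proven control of.

// Constructed DID Document version history of one item: each version records
// its controller and the event metadata file it references.
const itemHistory = [
  { versionId: 'v1', controller: 'did:example:manufacturer', fileCid: 'cid-production', isPrivate: true },
  { versionId: 'v2', controller: 'did:example:carrier', fileCid: 'cid-shipping', isPrivate: true },
  { versionId: 'v3', controller: 'did:example:retailer', fileCid: 'cid-receiving', isPrivate: false },
];

function decideAccess(history, fileCid, presenter, accessCredential) {
  const version = history.find((v) => v.fileCid === fileCid);
  if (!version) return { allow: false, reason: 'unknown-file' };
  if (!version.isPrivate) return { allow: true, reason: 'public-file' };

  // Ownership-based access: the controller of the latest version is treated
  // as the item's current owner (assumption) and may read the whole history.
  const currentOwner = history[history.length - 1].controller;
  if (presenter === currentOwner) return { allow: true, reason: 'current-owner' };

  // Credential-based access: every check must pass, otherwise deny.
  const vc = accessCredential;
  if (!vc) return { allow: false, reason: 'no-credential' };
  if (vc.subject !== presenter) return { allow: false, reason: 'holder-mismatch' };
  if (!Array.isArray(vc.files) || !vc.files.includes(fileCid)) {
    return { allow: false, reason: 'file-not-in-scope' };
  }
  // The issuer must be the file's author: the controller of the DID Document
  // version that references this file, not merely any known user.
  if (vc.issuer !== version.controller) return { allow: false, reason: 'issuer-not-author' };
  return { allow: true, reason: 'access-credential' };
}

// Constructed access credential: the manufacturer grants an auditor one file.
const auditorVc = {
  issuer: 'did:example:manufacturer',
  subject: 'did:example:auditor',
  files: ['cid-production'],
};

console.log(decideAccess(itemHistory, 'cid-production', 'did:example:auditor', auditorVc));
console.log(decideAccess(itemHistory, 'cid-shipping', 'did:example:auditor', auditorVc));
```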
- Explore alternative DID methods: To reduce dependency on did:cheqd, we plan to explore other DID methods, particularly did:ipfs. Adopting an alternative method could potentially lower costs and improve performance, addressing two key areas necessary for SupplyTrust's practical adoption, which currently hinge on did:cheqd.
- Switch to client secret mode for DID creation: Transitioning from an internal secret mode to a client secret mode by using the Universal Registrar API for cheqd instead of cheqd Studio will eliminate the last centralization point within SupplyTrust, helping it achieve full decentralization as a supply chain data management tool.
- Standardize IPFS data for each supply chain event: We aim to establish data standards for supply chain events - such as production, shipping, receiving, and manufacturing - with the help of industry experts. Each standard would be represented as a verifiable credential, adding verification capabilities to each event’s data. These credentials would be stored as Linked Verifiable Presentations within the DID Document for each item, ensuring transparent and reliable records that align with standards of W3C and DIF.
- Create an identity registrar for official access: To restrict SupplyTrust access to verified supply chain entities only, we plan to implement an identity registrar. This will involve developing a login interface and authentication process, advancing SupplyTrust beyond its current test version toward secure, entity-restricted access.
- See tasks in file `TODO`