title: DPP settings description: Configure your Digital Product Passport: branding, GS1 integration, domain verification, and data export.
DPP settings
The Digital Product Passport (DPP) settings page is at Settings > Digital Product Passport. It has five tabs: General, Products, Branding, GS1 Digital Link, and Domain & Export.
General
Enable DPP turns on the public DPP feature for your organisation. When enabled,
every published product version gets a public page at
https://dpp.craevidence.com/{org-slug}/{product-slug}/{version}.
Auto-publish controls when changes reach the public page:
| Mode | Behaviour |
|---|---|
| On (default) | Any SBOM upload, VEX publish, vulnerability status change, or CRA status change immediately updates the public DPP page. |
| Off | Changes are queued for manual review. Use the Review queue link to approve or reject each update before it goes live. Useful when your team needs a sign-off before customer-facing content changes. |
Products
Select which products have their DPP pages publicly visible. Products not selected here are excluded even if DPP is globally enabled.
This lets you stage a rollout: enable DPP globally, then expose only the products whose documentation is ready.
Branding
Customise how your DPP pages appear to customers and regulators.
| Field | Notes |
|---|---|
| Logo URL | Direct URL to your company logo (PNG or SVG). Displayed in the DPP page header. Must be publicly accessible. |
| Primary colour | Hex colour used for headings and accents. Defaults to the CRA Evidence brand colour. |
| Display mode | Full shows all CRA compliance detail (components, vulnerabilities, assessment status). Minimal shows a summary only, suitable for consumer-facing products where full technical detail is not appropriate. |
| Show vulnerability details | When off, the vulnerability section is hidden from the DPP page. On by default. |
| Show component count | When off, the component count is hidden. On by default. |
GS1 Digital Link
To use this feature, your organisation must hold valid GTINs. GTINs are issued exclusively by GS1 member organisations. Membership fees are based on annual turnover and vary by country. Contact your local GS1 organisation to apply. Leave both fields blank if you are not using GS1-registered products.
GS1 Digital Links are structured URIs that encode a product's GTIN and batch/lot number into a globally resolvable URL, used in supply chain compliance.
| Field | Notes |
|---|---|
| GS1 resolver domain | Resolver hostname (for example id.gs1.org). id.gs1.org only works if your GTINs are registered in the GS1 Global Registry Platform. Most organisations use a commercial resolver service (for example a GS1 member resolver) or self-host the open-source GS1 Resolver Community Edition. Enter the hostname only (no https://, no trailing slash). Leave blank to default to id.gs1.org. |
| GS1 company prefix | Your GS1-issued company prefix (4 to 12 digits). Required for GS1 URI generation. Contact GS1 to obtain one if you do not have one. Leave blank if you are not using GS1 barcodes. |
When both fields are configured, each version's DPP short URL generates a GS1 Digital
Link URI of the form https://{resolver}/01/{gtin}/10/{version}, where the GTIN is
always expressed as a 14-digit string per GS1 Digital Link Standard v1.4+. The GS1
Digital Link URI is displayed as text on the Digital Passport tab. The QR code encodes
the canonical DPP page URL, not the GS1 URI.
Domain & Export
Custom domain
By default DPP pages are served at dpp.craevidence.com. If you want them served
from your own domain (for example dpp.yourcompany.com) so that QR codes on physical
product packaging are permanently independent of CRA Evidence infrastructure, follow
these steps:
Step 1. Enter your domain
Enter the hostname only (for example dpp.yourcompany.com), with no https:// and no trailing slash.
Save. A verification token is generated and shown.
Step 2. Add a CNAME record
In your DNS provider, create a CNAME pointing your domain to the CRA Evidence CloudFront endpoint:
dpp.yourcompany.com CNAME d1m8pwwmqljs8i.cloudfront.net
Note: this CNAME target is the same for all customers. Do not use
dpp.craevidence.com. TLS will not terminate correctly without the CloudFront SaaS Manager endpoint above.
Step 3. Add a TXT record to prove ownership
Create a DNS TXT record to confirm you control the domain:
_dpp-verify.dpp.yourcompany.com TXT {your-verification-token}
The verification token is shown in the settings UI after saving your domain.
Step 4. Click Verify
The settings UI polls every 30 seconds and shows a status badge once your TXT record is visible. When the badge turns green, click Verify domain. CRA Evidence checks the TXT record and, on success, calls AWS to provision a TLS certificate for your domain.
Certificate provisioning takes approximately 45 to 60 minutes after verification. During this window the custom domain returns an SSL error. This is expected. QR codes continue to use
dpp.craevidence.comuntil provisioning completes. Once the certificate is live, all new QR codes encode your custom domain automatically.
Changing your domain resets verification. Existing QR codes already printed with the old domain continue to work. Only new QR codes are updated.
Data export
Download a ZIP archive of all your published DPP pages for data portability or self-hosting. The archive contains:
{org-slug}/{product-slug}/{version}/index.html DPP page
{org-slug}/{product-slug}/{version}/index.json JSON-LD structured data
{org-slug}/{product-slug}/{version}/qr.png QR code (PNG)
{org-slug}/{product-slug}/{version}/qr.svg QR code (SVG)
{org-slug}/{product-slug}/{version}/passport.pdf PDF passport
short-codes.json Short URL → canonical path map
README.txt Self-hosting instructions
The archive is generated on demand from live S3 files. Rate limit: 5 downloads per hour per IP address.
Help us improve. What was missing or unclear?