DPP settings

The Digital Product Passport (DPP) settings page is at Settings > Digital Product Passport. It has four tabs: General, Branding, GS1 Digital Link, and Products & Distribution. Domain configuration and product visibility both live inside the Products & Distribution tab. Data export is provided through the API (/api/v1/dpp/export), not as a separate tab.


General

Enable DPP turns on the public DPP feature for your organisation. When enabled, every published product version gets a public page at https://dpp.craevidence.com/{org-slug}/{product-slug}/{version}.

Auto-publish controls when changes reach the public page:

Mode | Behaviour
On (default) | Any SBOM upload, VEX publish, vulnerability status change, or CRA status change immediately updates the public DPP page.
Off | Changes are queued for manual review. Use the Review queue link to approve or reject each update before it goes live. Useful when your team needs a sign-off before customer-facing content changes.

Branding

Customise how your DPP pages appear to customers and regulators.

Field | Notes
Logo URL | Direct URL to your company logo (PNG or SVG). Displayed in the DPP page header. Must be publicly accessible.
Primary colour | Hex colour used for headings and accents. Defaults to the CRA Evidence brand colour.
Display mode | Full shows all CRA compliance detail (components, vulnerabilities, assessment status). Minimal shows a summary only, suitable for consumer-facing products where full technical detail is not appropriate.
Show vulnerability details | When off, the vulnerability section is hidden from the DPP page. On by default.
Show component count | When off, the component count is hidden. On by default.

GS1 Digital Link

To use this feature, your organisation must hold valid GTINs. GTINs are issued exclusively by GS1 member organisations. Membership fees are based on annual turnover and vary by country. Contact your local GS1 organisation to apply. Leave both fields blank if you are not using GS1-registered products.

GS1 Digital Links are structured URIs that encode a product's GTIN and batch/lot number into a globally resolvable URL, used in supply chain compliance.

Field | Notes
GS1 resolver domain | Resolver hostname (for example id.gs1.org). id.gs1.org only works if your GTINs are registered in the GS1 Global Registry Platform. Most organisations use a commercial resolver service (for example a GS1 member resolver) or self-host the open-source GS1 Resolver Community Edition. Enter the hostname only (no https://, no trailing slash). Leave blank to default to id.gs1.org.
GS1 company prefix | Your GS1-issued company prefix (4 to 12 digits). Required for GS1 URI generation. Contact GS1 to obtain one if you do not have one. Leave blank if you are not using GS1 barcodes.

When both fields are configured, each version's DPP short URL generates a GS1 Digital Link URI of the form https://{resolver}/dpp/01/{gtin}/10/{version}, where the GTIN is always expressed as a 14-digit string per GS1 Digital Link Standard v1.4+. The GS1 Digital Link URI is displayed as text on the Digital Passport tab. When GS1 is configured, the QR code encodes this GS1 Digital Link URI; otherwise it encodes the DPP short URL.
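
The field rules and URI form above can be checked before a QR code goes to print. The following is an added example, not CRA Evidence code: the function names are hypothetical, the GTIN is a constructed sample value, and percent-encoding the version segment is an assumption about how unusual version strings should be handled.

```python
import re
from urllib.parse import quote

# Bare hostname only: no scheme, no path, no trailing slash.
HOST_RE = re.compile(r"(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

def gtin14(gtin):
    """Validate a GTIN-8/12/13/14 check digit and return it zero-padded to 14 digits."""
    if not re.fullmatch(r"\d{8}|\d{12,14}", gtin):
        raise ValueError("GTIN must be 8, 12, 13 or 14 digits")
    padded = gtin.zfill(14)
    # Weights alternate 3, 1 starting from the digit just left of the check digit.
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(padded[:-1])))
    if (10 - total % 10) % 10 != int(padded[-1]):
        raise ValueError("GTIN check digit mismatch")
    return padded

def digital_link(resolver, company_prefix, gtin, version):
    """Build https://{resolver}/dpp/01/{gtin}/10/{version}, or None if GS1 is not configured."""
    if not company_prefix:
        return None  # blank prefix: GS1 unused, the QR code keeps the DPP short URL
    if not re.fullmatch(r"\d{4,12}", company_prefix):
        raise ValueError("company prefix must be 4 to 12 digits")
    host = (resolver or "id.gs1.org").lower()  # blank resolver defaults to id.gs1.org
    if not HOST_RE.fullmatch(host):
        raise ValueError("resolver must be a bare hostname (no https://, no slash)")
    # Assumption: the version segment is percent-encoded so it cannot add path segments.
    return f"https://{host}/dpp/01/{gtin14(gtin)}/10/{quote(version, safe='')}"

if __name__ == "__main__":
    # Constructed sample values.
    print(digital_link("", "4006381", "4006381333931", "1.2.0"))
```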


Products & Distribution

This tab controls which products are publicly visible and which domains serve your DPP pages.

Product visibility

Select which products have their DPP pages publicly visible. Products not selected here are excluded even if DPP is globally enabled.

This lets you stage a rollout: enable DPP globally, then expose only the products whose documentation is ready.

Domain Pool

You can register multiple custom domains in a Domain Pool and assign products to them, so different product lines can be served from different hostnames. By default DPP pages are served at dpp.craevidence.com. If you want them served from your own domain (for example dpp.yourcompany.com) so that QR codes on physical product packaging are permanently independent of CRA Evidence infrastructure, follow these steps:

Step 1. Enter your domain

Enter the hostname only (for example dpp.yourcompany.com), with no https:// and no trailing slash. Save. A verification token is generated and shown.

Step 2. Add a CNAME record

In your DNS provider, create a CNAME pointing your domain to the CNAME target shown for your domain in the DPP settings UI:

dpp.yourcompany.com  CNAME  {cname-target-shown-in-dpp-settings}

Note: use the exact CNAME target value displayed next to your domain in the DPP settings UI. Do not use dpp.craevidence.com. TLS will not terminate correctly without the CloudFront SaaS Manager endpoint shown in the UI.

Step 3. Add a TXT record to prove ownership

Create a DNS TXT record to confirm you control the domain:

_dpp-verify.dpp.yourcompany.com  TXT  {your-verification-token}

The verification token is shown in the settings UI after saving your domain.

Step 4. Click Verify

The settings UI polls every 30 seconds and shows a status badge once your TXT record is visible. When the badge turns green, click Verify domain. CRA Evidence checks the TXT record and, on success, calls AWS to provision a TLS certificate for your domain.

Both records are required. The CNAME (Step 2) and the TXT record (Step 3) must both be in place before verification passes. The TXT record proves ownership and the CNAME routes traffic to the CloudFront SaaS Manager endpoint.

Certificate provisioning takes approximately 45 to 60 minutes after verification. During this window the custom domain returns an SSL error. This is expected. QR codes continue to use dpp.craevidence.com until provisioning completes. Once the certificate is live, all new QR codes encode your custom domain automatically.

Changing your domain resets verification. Existing QR codes already printed with the old domain continue to work. Only new QR codes are updated.
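
Before clicking Verify, both records from Steps 2 and 3 can be checked from your own machine. The following is an added example, not part of the CRA Evidence product: the function names are hypothetical, the CNAME target and token in the sample data are constructed placeholders, and the default lookup assumes the dig utility is installed.

```python
import subprocess

PLATFORM_DEFAULT = "dpp.craevidence.com"  # the page says not to use this as the CNAME target

def dig(name, rtype):
    """Default lookup via `dig +short NAME TYPE`; needs dig on PATH and network access."""
    out = subprocess.run(["dig", "+short", name, rtype], capture_output=True,
                         text=True, timeout=10, check=False).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]

def norm(host):
    """Compare hostnames without case or the trailing dot that dig prints."""
    return host.strip().rstrip(".").lower()

def preflight(domain, cname_target, token, lookup=dig):
    """Return a list of problems; an empty list means both records look correct."""
    problems = []
    cnames = [norm(c) for c in lookup(domain, "CNAME")]
    if not cnames:
        problems.append(f"{domain}: no CNAME record")
    elif PLATFORM_DEFAULT in cnames:
        problems.append(f"{domain}: CNAME points at {PLATFORM_DEFAULT}, not the target from the UI")
    elif norm(cname_target) not in cnames:
        problems.append(f"{domain}: CNAME is {cnames[0]}, expected {norm(cname_target)}")
    txt_name = f"_dpp-verify.{domain}"
    txts = [t.strip().strip('"') for t in lookup(txt_name, "TXT")]  # dig quotes TXT data
    if not txts:
        problems.append(f"{txt_name}: no TXT record")
    elif token not in txts:
        problems.append(f"{txt_name}: TXT value does not match the verification token")
    return problems

# Constructed sample data: placeholder target and token, not real values.
SAMPLE = {
    ("dpp.yourcompany.com", "CNAME"): ["d111111abcdef8.example.net."],
    ("_dpp-verify.dpp.yourcompany.com", "TXT"): ['"constructed-token-123"'],
}

def sample_lookup(name, rtype):
    return SAMPLE.get((name, rtype), [])

if __name__ == "__main__":
    print(preflight("dpp.yourcompany.com", "d111111abcdef8.example.net",
                    "constructed-token-123", lookup=sample_lookup))
```

Calling preflight without the lookup argument queries live DNS through dig.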

Data export (API)

Data export is an API feature rather than a settings tab. Call /api/v1/dpp/export to download a ZIP archive of all your published DPP pages for data portability or self-hosting. The archive contains:

{org-slug}/{product-slug}/{version}/index.html    DPP page
{org-slug}/{product-slug}/{version}/index.json    JSON-LD structured data
{org-slug}/{product-slug}/{version}/qr.png        QR code (PNG)
{org-slug}/{product-slug}/{version}/qr.svg        QR code (SVG)
{org-slug}/{product-slug}/{version}/passport.pdf  PDF passport
short-codes.json                                  Short URL to canonical path map
README.txt                                        Self-hosting instructions

The archive is generated on demand from live S3 files. Rate limit: 5 downloads per hour per IP address.
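
Before unpacking an export onto a self-hosting web root, the archive can be checked against the layout listed above. The following is an added example, not CRA Evidence code: the function names are hypothetical, the allowed slug character set is an assumption, and the sample archive is constructed.

```python
import io
import re
import zipfile

PER_VERSION = {"index.html", "index.json", "qr.png", "qr.svg", "passport.pdf"}
TOP_LEVEL = {"short-codes.json", "README.txt"}
# Assumption: slugs and versions use letters, digits, dot, underscore and hyphen.
# Requiring an alphanumeric first character rejects "." and ".." path segments.
SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")

def audit_export(zf):
    """Return (unexpected entry names, {version directory: missing files})."""
    unexpected, seen = [], {}
    for info in zf.infolist():
        if info.is_dir() or info.filename in TOP_LEVEL:
            continue
        parts = info.filename.split("/")
        if (len(parts) == 4 and parts[3] in PER_VERSION
                and all(SEGMENT.fullmatch(p) for p in parts[:3])):
            seen.setdefault("/".join(parts[:3]), set()).add(parts[3])
        else:
            unexpected.append(info.filename)  # outside {org}/{product}/{version}/{file}
    missing = {d: sorted(PER_VERSION - files)
               for d, files in seen.items() if PER_VERSION - files}
    return unexpected, missing

def constructed_archive():
    """Constructed sample: one complete version, one incomplete, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for f in sorted(PER_VERSION):
            z.writestr(f"acme/widget/1.0.0/{f}", b"x")
        z.writestr("acme/widget/1.1.0/index.html", b"x")
        z.writestr("acme/widget/../index.html", b"x")
        for f in sorted(TOP_LEVEL):
            z.writestr(f, b"{}")
    buf.seek(0)
    return zipfile.ZipFile(buf)

if __name__ == "__main__":
    print(audit_export(constructed_archive()))
```

Extract only when the first list is empty; the second result shows which version directories would serve incomplete pages.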

Last updated June 04, 2026