A time machine for DPPs

Imagine holding a product in your hand and scanning the QR code on it. Instead of a PDF, a small app opens. You see the product as it is now: what it is made of, where it comes from, what to watch out for. A swipe leafs back through time - every version ever published can be viewed.

That is exactly what you can try out now: the demo shows a complete product passport with sample data.

This is Transpareo Time Machine, our open-source consumer app for any Digital Product Passport. The code is published under GPL v3 on GitHub.

We build it because the EU Digital Product Passport regulation was written for consumers - for the person holding the product in their hand. Most providers turn it into a compliance form that nobody scans twice. We turn it into an app that the consumer actually opens.

What the app does

Four touchpoints from the point of view of the person holding the product. No login, no app installation.

  1. Scan
     Scan the QR code with your smartphone camera. The app opens in the browser.

  2. View the current state
     The product appears as it is now - components, materials, origin, care, recycling.

  3. Leaf through history
     A swipe leafs back through time. Every earlier version is shown with its date and the reason for the change.

  4. Share
     Every version has its own link, so you can share a specific version with friends or authorities.

Why build it at all

The EU Digital Product Passport regulation is the biggest shift towards product transparency in decades. Read the underlying texts carefully and it is - explicitly - written for consumers. The authorities, the recyclers, the repair shops come along too; but the primary recipient is the person holding the product in their hand.

The numbers make the case clear. By the end of the decade, an average European private individual will be able to scan dozens to hundreds of product passports per year. Across 200 million households that adds up to billions of consumer interactions a year. By comparison, the world of authorities and recyclers is numerically tiny.

If the regulation is to reach the consumer, then the consumer side has to be well built - fast, beautiful, coherent. Otherwise it misses its purpose. We have decided to build this consumer side open-source, so that it does not depend on any single provider.

Verified in the browser, not on our server

At the top of every product passport a badge appears: Verified by Transpareo. It shows the result of a check that does not take place on our server, but in the visitor’s browser - from the loaded bytes and the manufacturer’s public keys.

Two mutually independent parties sign every DPP version: the manufacturer and Transpareo. Both signatures must be verifiable for the badge to turn green. With Bring Your Own Key (BYOK) the manufacturer runs their own signing endpoint - Transpareo never holds the private key and only adds the independent counter-signature. This produces an issuer signature that Transpareo itself cannot create. A compromised server cannot forge the tick, because the check happens at the visitor’s end.

Anyone who wants the detail clicks on the badge. Behind it you see the signature chain, the hashes and the chained version history. Anyone who just wants the information simply ignores this and reads on in the product passport.

The same check is also available as a standalone page: on DPP verification you paste in the manifest URL of any product passport and see the full check result - without opening the passport itself.

We release the code

Transpareo Time Machine is published under GPL v3 on GitHub. Clone, fork, self-host - all permitted. Published modifications must in turn be under GPL v3, so that every further development serves the community.

Three ways to embed the bundle:

  • Via a script tag: one <script> and one <transpareo-time-machine src="…"> in the page, done - no build step.
  • Via npm: npm install transpareo-time-machine in your own app.
  • Self-host: build the bundle, your own infrastructure, zero third-party dependencies at runtime.

Anyone who needs only the signature check without the full product view imports the sister element <dpp-verifier> - ideal for auditor tools. See it live on DPP verification.

Who puts the app to good use

The app is built for consumers first. But it works for everyone who wants to view or verify product data independently.

  • End consumers scan, view, leaf through, share. No login, no trackers.
  • Market surveillance and authorities see the product passport in software whose source code is publicly auditable.
  • Repair shops and recyclers see the material composition and disassembly notes right on the product.
  • Brands and fork operators adapt the bundle to their own brand - CSS tokens, their own components, self-hosting.

What happens when Transpareo is no longer around

The EU requires that a registered product passport remains available for at least ten years - even after the manufacturer’s insolvency or liquidation. A SaaS provider rarely lasts that long. We therefore build the platform from the outset so that the product passports remain usable independently of us:

  • Every signed DPP version sits in publicly readable storage. The bytes plus the published public keys are enough for later verification.
  • Once the product passports are registered with the EU register, a second, write-protected store additionally mirrors every DPP version and the event log for ten years. Nobody - not even us - can alter these mirror copies after the fact.
  • After a cancellation, the short product passport URLs remain reachable via a redirect on the Transpareo platform.
  • Transpareo Time Machine runs unchanged against archived holdings too. The bundle does not call back to us at runtime; it needs only the bytes and the keys.

If the Transpareo platform vanished tomorrow, the DPP versions and the open-source renderer would remain.

For the technically curious

Here is what happens under the hood. Anyone who does not need to know this in detail can skip this section - the app works either way.

  • GS1 Digital Link (ISO/IEC 18975): the product passport URL carries the product identification in a standardised form - resolver-neutral, interchangeable between providers.
  • JSON Canonicalization Scheme (RFC 8785): a deterministic serialisation. This keeps the hash reproducible regardless of field order or whitespace - anyone can recompute it themselves.
  • W3C Data Integrity Proofs (eddsa-jcs-sha256): an Ed25519 signature over the canonicalised form (JCS).
  • /.well-known/dpp-keys/ (RFC 8615): the issuers’ public keys sit at a standardised path - no call to Transpareo needed, every verifier finds them itself.
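
The dual-signature check described under "Verified in the browser" and the JCS, Ed25519 and key-discovery items in the list above can be sketched as follows. This is an added example, not Transpareo's code: the manifest layout (`proofs`, `issuer`, `signature`), the issuer names and the choice to sign the JCS bytes directly are assumptions, and Node's built-in `crypto` module stands in for the browser.

```javascript
// Added example, not the project's code. Manifest layout and field names are assumed.
const crypto = require('node:crypto');

// RFC 8785 (JCS) for values that came from JSON.parse: object keys sorted by
// UTF-16 code units, no whitespace, primitives serialised as JSON.stringify does.
function canonicalize(value) {
  if (typeof value === 'number' && !Number.isFinite(value)) {
    throw new TypeError('NaN and Infinity have no JCS form');
  }
  if (value === null || typeof value !== 'object') return JSON.stringify(value);
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  return '{' + Object.keys(value).sort()
    .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
}

// The bytes both parties sign: the passport version minus its proofs (assumed).
function signedBytes(version) {
  const { proofs, ...body } = version;
  return Buffer.from(canonicalize(body), 'utf8');
}

// keys maps issuer name -> Ed25519 public key, as a verifier would load them
// from each issuer's /.well-known/dpp-keys/ path. Every required issuer must verify.
function verifyVersion(version, keys, required = ['manufacturer', 'transpareo']) {
  const data = signedBytes(version);
  const results = {};
  for (const issuer of required) {
    const proof = (version.proofs || []).find((p) => p.issuer === issuer);
    results[issuer] = Boolean(proof && keys[issuer] &&
      crypto.verify(null, data, keys[issuer], Buffer.from(proof.signature, 'base64')));
  }
  const sha256 = crypto.createHash('sha256').update(data).digest('hex');
  return { sha256, results, verified: required.every((i) => results[i]) };
}

// Constructed sample: throwaway key pairs and a made-up passport version.
function makeSample() {
  const pairs = { manufacturer: crypto.generateKeyPairSync('ed25519'),
                  transpareo: crypto.generateKeyPairSync('ed25519') };
  const body = { gtin: '00000000000000', version: 3, materials: ['cotton', 'elastane'] };
  const sign = (key) => crypto.sign(null, signedBytes(body), key).toString('base64');
  const proofs = Object.keys(pairs)
    .map((issuer) => ({ issuer, signature: sign(pairs[issuer].privateKey) }));
  const keys = Object.fromEntries(Object.keys(pairs).map((i) => [i, pairs[i].publicKey]));
  return { version: { ...body, proofs }, keys, pairs };
}

const sample = makeSample();
console.log(verifyVersion(sample.version, sample.keys));
```

The result is only as independent as its inputs: the keys passed in have to come from each issuer's own `/.well-known/dpp-keys/` origin, not from the server that delivered the passport bytes.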

Everything is documented in the README on GitHub - including the frontend architecture (its own reactive core, zero external frameworks) and the build guide for self-hosting.

View the code on GitHub

The full source, all releases and the issue discussion can be found in the public repository.