SupplyTrust

What is SupplyTrust?

SupplyTrust is a decentralized supply chain data management tool for supply chain entities, such as manufacturers, retailers, or consumers. Through SupplyTrust supply chains become tracable, trackable, and trustworthy. The current test version of SupplyTrust is online available here.

What inspired us to create SupplyTrust?

The idea for SupplyTrust emerged from a pressing need for accountability across supply chains. Currently, many supply chain entities can operate without transparency, allowing room for potential violations of environmental standards, human rights, and legal regulations. SupplyTrust aims to offer a solution that distinguishes responsible entities from those that are less compliant, encouraging ethical practices by providing a trustworthy platform for tracking and tracing supply chain activities. This transparency puts pressure on less responsible actors to disclose their practices or risk losing credibility with consumers.

Furthermore, consumers often lack insight into the origin and handling of the products they purchase, making it difficult to align purchases with personal ethics, dietary restrictions, or environmental concerns. SupplyTrust bridges this gap, empowering consumers with verifiable information about product histories.

For regulators, auditing and enforcing compliance across complex supply chains remains a significant challenge. By adopting SupplyTrust, regulators gain a powerful tool to verify that entities adhere to established standards in health, environmental protection, and human rights. Through this system, SupplyTrust can play a vital role in fostering more transparent, accountable, and ethical global supply chains.

How we built SupplyTrust?

DIDs: SupplyTrust uses Decentralized Identifiers (DIDs) to uniquely identify supply chain items, where each version of a DID Document reflects a specific event in that item's lifecycle, such as production, shipping, receiving, or manufacturing. By leveraging the did:cheqd method, SupplyTrust stores these document versions on-chain and sequentially linked, enabling full traceability and transparency for any item identified by its DID. Additionally, DIDs serve to identify users within SupplyTrust, which are supply chain entities (e.g. manufacturers, distributors, retailers etc.).
Pinata: SupplyTrust uses Pinata to efficiently interact with its off-chain storage: IPFS, essential for addressing the DID Document size limitations with did:cheqd. Pinata ensures high data availability and permanence, enhancing SupplyTrust's reliability and performance. Furthermore, Pinata’s private IPFS environment, accessible through the File API, provides SupplyTrust users with a secure option for storing sensitive information. This private IPFS environment is critical, as supply chain entities often require confidentiality for their proprietary data, making Pinata an essential element in fostering transparency and traceability while respecting user privacy and business secrets.
VCs: SupplyTrust utilizes Verifiable Credentials (VCs) to verify ownership of supply chain entities over their private IPFS files, contributing to Pinata’s hackathon challenge, "Verifiable File Storage." Moreover, these Ownership VCs also enable their holders to access their private IPFS files and to issue VCs granting others access permission. This VC-based access system contributes to Pinata's challenge, "Identity-Based Access Controls for Private Files".
Used Technologies and Tools:
- did:cheqd as DID method for integrating DIDs
- cheqd Studio for simplified creation and management of DID of type did:cheqd
- OpendID for Verifiable Credential Issuance (OID4VCI) as protocol for issuing VCs to supply chain entities to attest their ownership of their recorded supply chain events
- OpendID for Verifiable Presentation (OID4VP) as protocol for verifying VCs that grant access to private IPFS powered by Pinata
- InterPlanetary File System (IPFS) for off-chain storage to bypass limited DID Document size with did:cheqd
- Pinata for integrating IPFS while offering supply chain entities the option to store their supply chain data in IPFS via´Web3 API or in the private IPFS environment powered by Pinata via its File API
- ReactJS for creating the frontend of SupplyTrust
- NodeJS and ExpressJS for creating the backend of SupplyTrust
- Heroku for deploying production version of SupplyTrust
- grant.io's Data Wallet for testing OID4VC based issuance and verification in production

What we learned creating SupplyTrust

Creating SupplyTrust deepened our understanding of DIDs and VCs, especially as we explored the potential and limitations of the did:cheqd ecosystem in detail. Working extensively with did:cheqd gave us insights into how DIDs can enhance transparency and accountability in supply chains. Additionally, building websockets was a valuable experience, allowing SupplyTrust to handle real-time data flow efficiently. Implementing OpenID protocols to issue and verify VCs was a significant challenge, but it strengthened our grasp of how VCs can be used for secure, decentralized identity verification, highlighting both their capabilities and current limitations in practical applications.

What challenges did we face during creation of SupplyTrust?

implementing OID4VP and OID4VPI from scratch following the official documentation published by OpenID
testing SupplyTrust in production with grant.io's Data Wallet

What's next for SupplyTrust?

The ultimate objective is to transition SupplyTrust from its current Minimum Viable Product stage to a fully developed first-release version. To accomplish this, we need to:

Explore alternative DID methods: To reduce dependency on did:cheqd, we plan to explore other DID methods, particularly did:ipfs. Adopting an alternative method could potentially lower costs and improve performance, addressing two key areas necessary for SupplyTrust’s practical adoption, which currently hinge on did:cheqd.
Switch to client secret mode for DID creation: Transitioning from an internal secret mode to a client secret mode by using the Universal Registrar API for cheqd instead of cheqd Studio will eliminate the last centralization point within SupplyTrust, helping it achieve full decentralization as a supply chain data management tool.
Standardize IPFS data for each supply chain event: We aim to establish data standards for supply chain events - such as production, shipping, receiving, and manufacturing - with the help of industry experts. In addition, each standard would be represented as a verifiable credential, adding verification capabilities to each event’s data. These credentials would be stored as Linked Verifiable Presentations within the DID Document for each item, ensuring transparent and reliable records that allign with standards of W3C and DIF.
Create an identity registrar for official access: To restrict SupplyTrust access to verified supply chain entities only, we plan to implement an identity registrar. This will involve developing a login interface and authentication process, advancing SupplyTrust beyond its current test version toward secure, entity-restricted access.