Digital Product Passport Example: What a Real DPP Contains and How It Works

This page shows an anonymised example of a real Digital Product Passport record from the Africa DPP Registry. Every field is explained, the SHA-256 forensic hash is demonstrated, and the QR code verification flow is shown step by step. This is what EU customs systems, brand compliance teams, and recyclers see when they scan a product.

Anonymised DPP Record — Textile Example

VERIFIED

SHA-256 FORENSIC HASH

a3f8c2d1e9b47f2a8c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b

Public URL: https://digitalproductpassports.co.za/v/a3f8c2d1e9b47f2a

Unique DPP Identifier

ESPR Art. 9(1)(a)

DPP-ZA-2026-a3f8c2d1e9b47f2a

Issuing Entity

ESPR Art. 9(1)(b)

Gqeberha Textiles (Pty) Ltd

CIPC Registration

Identity Anchor

2018/234567/07

Country of Origin

ESPR Annex III §2(c)

South Africa

Product Name

ESPR Art. 9(1)(c)

100% Organic Cotton Jersey T-Shirt

GTIN

GS1 Digital Link

6009876543210

Batch Number

ESPR Art. 9(1)(d)

GTX-2026-Q1-0042

Fibre Composition

ESPR Annex III §4(a)

100% Organic Cotton (GOTS certified)

Recycled Content

ESPR Annex III §4(b)

0% (virgin organic fibre)

Country of Manufacture

ESPR Annex III §2(c)

South Africa (ZA)

Chemical Substances

ESPR Annex III §5

No REACH substances of concern detected

Carbon Footprint

ESPR Annex III §6

3.2 kg CO₂e per unit (cradle-to-gate)

Certifications

ESPR Annex III §7

GOTS Certificate No. ZA-GOTS-2025-0891 (exp. 2027-03-31)

Repairability

ESPR Art. 7(2)(d)

High — single-material construction, no mixed fibres

End-of-Life Instructions

ESPR Annex III §8

100% recyclable via textile collection stream. No disassembly required.

Minted At (UTC)

Registry Timestamp

2026-04-15T14:23:11Z

How the SHA-256 Hash Makes a DPP Tamper-Proof

The SHA-256 hash is the forensic backbone of every DPP on the Africa DPP Registry. It is generated entirely in the user's browser — the source document never leaves the client machine. The browser reads the compliance document, runs the SHA-256 algorithm on the raw bytes, and produces a 64-character hexadecimal string. That string is what gets submitted to the registry.

The critical property of SHA-256 is determinism: the same document always produces the same hash. If a manufacturer uploads the same PDF twice, they get the same hash. If anyone alters a single character in the document — changing "60% cotton" to "60% polyester" — the hash changes completely. This makes post-minting tampering immediately detectable.

The registry stores the hash, the metadata, and the minting timestamp. It does not store the document. This is the "Privacy-First Forensic Shield" architecture: the registry can prove that a document existed and has not been altered, without ever holding the document itself. This is compliant with POPIA (South Africa's Protection of Personal Information Act) and GDPR.

How the QR Code Verification Flow Works

QR Code on Product

A QR code is printed on the garment's hang tag, care label, or packaging. It encodes the URL: digitalproductpassports.co.za/v/[hash].

Scan Resolves to DPP Record

Any device — EU customs scanner, brand compliance app, consumer smartphone — scans the QR code and loads the DPP's public page. The page renders the structured data in human-readable format.

Machine Reads JSON-LD

EU customs systems and AI verification tools read the JSON-LD structured data embedded in the page's <head>. The data is fully machine-readable without any API call or special integration.

Hash Verified Against Registry

The system extracts the hash from the URL and queries the registry to confirm: (a) the hash exists, (b) the issuing entity is verified, (c) the minting timestamp is valid, and (d) no revocation has been issued.

Compliance Status Returned

The registry returns a VERIFIED or PENDING status in under 50 milliseconds. VERIFIED means all four gates passed. PENDING means one or more fields are awaiting confirmation.

Frequently Asked Questions

What does a Digital Product Passport actually look like?

A Digital Product Passport is a structured JSON-LD data object hosted at a permanent URL. It contains fields for product identity (GTIN, batch number), manufacturer details, material composition, environmental footprint, certifications, and end-of-life instructions. It is accessed via a QR code or NFC tag on the product. The URL format used by the Africa DPP Registry is digitalproductpassports.co.za/v/[SHA-256-hash].

What is the SHA-256 hash in a DPP?

The SHA-256 hash is a 64-character cryptographic fingerprint of the DPP metadata. It is generated client-side from the compliance data before any information is sent to the registry. If any field in the DPP is altered after minting, the hash changes, making tampering immediately detectable. The hash is the DPP's forensic identity — it is what makes the registry a trust anchor rather than just a database.

Can I see a real Digital Product Passport example?

Yes. This page shows an anonymised example of a real DPP record from the Africa DPP Registry for a South African textile manufacturer. The example includes all 12 mandatory data fields, the SHA-256 hash, the public verification URL, and the QR code format. The actual document that generated the DPP was processed in memory and never stored — only the hash and metadata are held by the registry.

How do EU customs systems read a DPP?

EU customs systems read DPPs by scanning the QR code on the product, which resolves to the DPP's public URL. The system then fetches the JSON-LD structured data at that URL and validates it against the EU DPP Registry (which goes live 19 July 2026). The registry confirms the hash, the issuing entity's identity, and the compliance status. This process takes under 50 milliseconds and requires no manual data entry.

Mint Your Own DPP in Under 15 Minutes

Register your business, upload your compliance documents, and receive a forensic hash and QR code. Your DPP will look exactly like the example above — with your data.

Related Resources

DPP Requirements: Complete Data Field Guide DPP for Textiles: Requirements and Timeline DPP Implementation: Step-by-Step Guide DPP Timeline: Every Deadline 2024–2030 SHA-256 Hashing: The Forensic Methodology Verify a DPP Hash — Live Lookup

Explore the Full DPP Regulatory Framework

Every page in this knowledge cluster is cross-referenced to the EU ESPR Regulation (EU) 2024/1781. Navigate the complete framework below.

DPP Knowledge Articles

Sector Compliance Hubs

Regulatory References