Getting started

Quickstart

Five minutes from zero to a signed, scannable passport — with a single cURL command. We'll provision an API key, authenticate against the sandbox, issue a battery passport, and verify the signature. No package install, no language client.

Every snippet below is plain cURL against the REST API. If your stack uses an HTTP client (Axios, requests, Guzzle, OkHttp, Insomnia, Postman, …), translate the headers and JSON body verbatim — the wire format is identical.

Get an API key

Sign in to the dashboard and open the API Keys page. Generate a sandbox key — free, rate-limited, isolated from production data — and export it in your shell:

TerminalShell
# Generate one in the dashboard's API Keys page,
# then export it so the rest of the snippets below pick it up.
export DPP_API_KEY="sk_test_..."
  • Sandbox keys start with sk_test_; production keys start with sk_live_. They are not interchangeable.
  • Never hard-code keys in your source tree. Store them in environment variables or a secrets manager (1Password, Doppler, AWS Secrets Manager).
  • If a key leaks, rotate it from the dashboard immediately — the old key is invalidated within a minute.

Authenticate

DPP Automate uses bearer-token authentication. Your cURL commands and HTTP clients should send Authorization: Bearer $DPP_API_KEY on every request. Hit the health endpoint first to confirm your key works:

cURL
curl https://api.dppautomate.com/v1/health \
  -H "Authorization: Bearer $DPP_API_KEY"

A successful response looks like this:

JSON
{
  "status": "ok",
  "tenantId": "ten_01HQ6Y3Z9KX7AAR0DM4FP8VWE2",
  "environment": "sandbox",
  "rateLimitRemaining": 9987
}

A 401 means your key is missing, malformed, or has been rotated. A 403 means the key is valid but lacks the scope for that endpoint.

Issue a passport

POST to /v1/passports with the regulation, GTIN, manufacturer, materials, and carbon payload. Here we issue a Battery Passport under EU 2023/1542:

cURL
curl https://api.dppautomate.com/v1/passports \
  -X POST \
  -H "Authorization: Bearer $DPP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "category": "battery",
    "regulation": "EU 2023/1542",
    "gtin": "07612345678901",
    "manufacturer": "Lumiform Cells GmbH",
    "placedOnMarket": "2026-09-01",
    "product": {
      "sku": "BAT-18650-A",
      "name": "18650 Lithium Cell",
      "serialNumber": "LF-2026-00042"
    },
    "materials": [
      { "name": "Lithium",  "mass_g": 2.1, "origin": "AU" },
      { "name": "Cobalt",   "mass_g": 1.4, "origin": "CD" },
      { "name": "Graphite", "mass_g": 4.6, "origin": "CN" }
    ],
    "carbon": { "kgCO2e": 8.7, "scope": "cradle_to_gate" }
  }'

The response includes three URLs you'll persist on your side:

JSON
{
  "id": "psp_01HQ7K9ZJX8N4MRB5VS0YQ2F3T",
  "status": "issued",
  "category": "battery",
  "regulation": "EU 2023/1542",
  "qrUrl":     "https://dpp.automate/p/psp_01HQ7K9ZJX",
  "publicUrl": "https://dpp.automate/passport/psp_01HQ7K9ZJX",
  "apiUrl":    "https://api.dppautomate.com/v1/passports/psp_01HQ7K9ZJX",
  "createdAt": "2026-09-01T10:14:22Z"
}
  • qrUrl — the short URL encoded into the QR code on the physical product.
  • publicUrl — the consumer-facing landing page; what shoppers see when they scan.
  • apiUrl — the machine-readable JSON-LD endpoint that notified bodies and other DPP platforms can fetch directly.

Verify the QR

Every passport is signed with an Ed25519 keypair tied to your organisation. Two-step verification: first retrieve the passport back to confirm it's indexed and in issued state, then call the /v1/passports/:id/verify endpoint to confirm the signature is intact.

cURL
curl https://api.dppautomate.com/v1/passports/psp_01HQ7K9ZJX8N4MRB5VS0YQ2F3T \
  -H "Authorization: Bearer $DPP_API_KEY"
cURL
curl https://api.dppautomate.com/v1/passports/psp_01HQ7K9ZJX8N4MRB5VS0YQ2F3T/verify \
  -H "Authorization: Bearer $DPP_API_KEY"

The verify endpoint returns the signature result:

JSON
{
  "id": "psp_01HQ7K9ZJX8N4MRB5VS0YQ2F3T",
  "signature": { "algorithm": "ed25519", "valid": true },
  "verifiedAt": "2026-09-01T10:14:23Z",
  "issuer": {
    "tenantId": "ten_01HQ6Y3Z9KX7AAR0DM4FP8VWE2",
    "publicKeyId": "key_01HQ5...AB"
  }
}

The same endpoint is what consumer apps and notified-body toolchains call when they scan the QR — verification is a first-class public API, not a hidden cryptographic primitive.

Next steps

You've issued and verified a single passport. The natural next moves:

  • Connect your ERP/PIM to POST passports automatically when a new SKU lands.
  • Invite your tier-1 suppliers to upload signed declarations so the material origins on the passport are verified, not asserted.
  • Set up an Audit room ahead of your first ESPR inspection so notified bodies get a time-bounded, scoped view rather than a raw data dump.