Download OpenAPI specification:
Implementation guidance for the UNTP Identity Resolver (IDR) specification. This API implements the Discover-Resolve-Verify workflow defined by the UNTP IDR specification, enabling supply chain actors to resolve product and facility identifiers to linked digital credentials such as Digital Product Passports (DPPs), Digital Conformity Credentials (DCCs), Digital Facility Records (DFRs), and Digital Traceability Events (DTEs).
The API is organized into three functional layers:
This API addresses UNTP IDR normative requirements IDR-01 through IDR-14. Key requirements include: IDR-01 (identifier scheme registration), IDR-02 (link registration), IDR-06/07/08 (resolution with link type, language, and context negotiation), IDR-09 (qualifier-based logical grouping), IDR-10 (secure targets with encryption and access roles), and IDR-14 (resolver description discovery).
Public, anonymous resolution of identifiers to linksets or redirect targets. Implements IDR-06 (link type filtering), IDR-07 (linkset response), and IDR-08 (language and context negotiation). Resolution paths conform to the ISO/IEC 18975 structured-path URI syntax: /{namespace}/{identifierKeyType}/{identifierKey}/{qualifiers}.
Core UNTP identity resolution endpoint. Resolves an identifier to its registered link targets using the ISO/IEC 18975 structured-path URI syntax.
Resolution behaviour depends on the linkType parameter:
The path structure follows ISO 18975: /{namespace}/{identifierKeyType}/{identifierKey}/{qualifiers} where the namespace identifies the scheme, the identifierKeyType identifies the class of identifier, and optional qualifiers provide sub-identification (e.g. batch/lot, serial number).
This endpoint is public and does not require authentication.
| namespace required | string Example: example-identifier-scheme Identifies the identifier scheme (e.g. "gs1" for GS1 identifiers, "nlis" for Australian livestock). Maps to the scheme's registered configuration. Must match a namespace previously registered via the /identifiers endpoint. |
| identifierKeyType required | string Example: 01 The application identifier shortcode or AI code that determines the primary identifier class (e.g. "01" for GTIN, "gln" for GLN, "giai" for Global Individual Asset Identifier). Must be a registered shortcode or AI within the specified namespace. |
| identifierKey required | string Example: 12345678901234 The actual identifier value (e.g. GTIN digits "09359502000010", GLN "4000001000005"). Must match the regex pattern registered for this identifier type in the scheme configuration. |
| secondaryIdentifiersPath required | string Example: 10/12345678901234567890 Qualifier path for sub-identification (e.g. "10/LOT123" for batch/lot, "21/SER456" for serial number). May be empty for resolution without qualifiers. Implements IDR-09 logical grouping, allowing different link targets for different batches or serial numbers of the same product. Multiple qualifiers can be chained (e.g. "10/LOT123/21/SER456"). |
| linkType | string Example: linkType=all Filter by link relation type. Use UNTP-defined types (e.g. "untp:dpp" for Digital Product Passport, "untp:dcc" for Digital Conformity Credential, "untp:dfr" for Digital Facility Record, "untp:dte" for Digital Traceability Event) or scheme-specific types (e.g. "gs1:certificationInfo"). Set to "all" to return the full RFC 9264 linkset containing all registered link variants. Implements IDR-07. |
| accessRole | string Example: accessRole=customer Variant-based disclosure filtering per IDR-10 (secure targets). Filters resolution results to only include link variants whose accessRole array includes the specified role. Standard UNTP roles: anonymous (default, public access), customer (supply chain partner), regulator (government authority), recycler (end-of-life processor), auditor (conformity assessment body), owner (identifier registrant). |
| decryptionKey | string Example: decryptionKey=a3f2b8c1d5e6f7a8b9c0d1e2f3a4b5c6 Shared secret for decrypting encrypted content at the target URL. When the matched link variant has fwqs (forward query string) enabled, this key is appended as a query parameter to the target URL on redirect. Supports encrypted credential retrieval per IDR-10 secure targets. Silently ignored when fwqs is disabled for the matched link or when resolution returns a linkset rather than a redirect. |
{- "errors": [
- {
- "field": "identificationKeyType",
- "message": "Identification key type 'invalid_key_type' is not registered with the namespace 'example-identifier-scheme'"
}
]
}Returns the Resolver Description File per ISO/IEC 18975 section 7 and IETF RFC 8615 (well-known URIs). Declares the resolver's supported identifier namespaces, capabilities, and conformance level. Clients SHOULD check this endpoint before assuming a domain hosts an IDR service. Implements IDR-14 (resolver discovery). This endpoint is public and does not require authentication.
Returns the resolver's supported link type vocabulary. When show=linktypes, lists all registered link types with their definitions, titles, and namespace prefixes. The prefix parameter filters by vocabulary namespace — for example, "untp" returns only UNTP-defined link types (dpp, dcc, dfr, dte, idr), while "gs1" returns GS1-defined types (certificationInfo, hasRetailers, etc.). This endpoint is public and does not require authentication.
| show | string Example: show=linktypes Set to "linktypes" to retrieve the full link type vocabulary. When omitted, returns a summary of available vocabulary categories. |
| prefix | string Example: prefix=gs1 Filter link types by vocabulary namespace prefix (e.g. "untp" for UNTP-defined types, "gs1" for GS1 types). Only applies when show=linktypes. When omitted, all link types across all namespaces are returned. |
Returns the detailed definition of a specific link type, including its namespace, title, description, and any associated metadata. Use this to look up the semantics of a link type encountered in a linkset response. This endpoint is public and does not require authentication.
| linktype required | string The link type identifier to look up (e.g. "gs1:certificationInfo", "untp:dpp"). Must match a link type registered in the resolver's vocabulary. |
Authenticated API for registering link resolver entries that associate an identifier with one or more typed link targets (the responses array). Each entry represents one identified item with multiple link variants differentiated by link type, language, MIME type, context, and access role. Implements IDR-02 (one carrier, many links), IDR-09 (qualifier path grouping), and IDR-10 (secure targets).
Registers a link resolver entry associating an identifier with one or more typed link targets. Each entry in the responses array represents a link variant — a combination of link type, language, MIME type, geographic context, and access role — per UNTP IDR-06. This implements the core IDR-02 requirement: one identified item (carrier) linked to many digital credentials and documents.
Upsert semantics: if a resolver entry already exists for the same namespace + identificationKeyType + identificationKey + qualifierPath combination, new responses are added and existing responses with matching linkType + mimeType + context are updated. hreflang is metadata on the variant (not part of the matching key) — a single variant can serve multiple languages.
| namespace required | string Must reference a previously registered identifier scheme (see POST /identifiers). The namespace identifies which scheme this identifier belongs to (e.g. "gs1", "nlis"). |
| identificationKeyType required | string Must be a registered shortcode within the specified namespace (e.g. "gtin" for GS1 GTIN, "nlisid" for NLIS). Determines which application identifier type this entry is for. |
| identificationKey required | string The specific identifier value being registered (e.g. "09359502000010" for a GTIN). Must match the regex pattern configured for the identificationKeyType in the namespace's scheme definition. |
| description required | string Human-readable description of the identified item (e.g. "Recycled Copper Cathode — 99.99% purity"). Included in linkset responses to help consumers understand what the identifier refers to. |
| itemDescription | string Deprecated Deprecated: Use "description" instead. If both are provided, "description" takes precedence. |
| qualifierPath required | string Path segment for qualifiers providing sub-identification (e.g. "/10/LOT123" for a specific batch, "/21/SER456" for a serial number). Use "/" for the base identifier without qualifiers. Implements IDR-09 logical grouping — different qualifier paths on the same identifier can have different link targets. |
| active required | boolean Whether this resolver entry is live. When false, the identifier returns 404 on resolution even if link variants exist. Useful for pre-registering links before they should be publicly discoverable. |
required | Array of objects (Response) Array of link targets (variants). Each entry represents one link variant per IDR-06 — a unique combination of link type, language, MIME type, geographic context, and access role. For a typical UNTP product, this might include a DPP credential (JSON), a conformity certificate (PDF), and a human-readable product page (HTML), each potentially in multiple languages. |
{- "namespace": "example-identifier-scheme",
- "identificationKeyType": "gtin",
- "identificationKey": "12345678901234",
- "description": "Product description",
- "itemDescription": "Product description",
- "qualifierPath": "/10/12345678901234567890",
- "active": true,
- "responses": [
- {
- "defaultLinkType": true,
- "defaultMimeType": true,
- "defaultContext": true,
- "fwqs": false,
- "active": true,
- "linkType": "example-identifier-scheme:certificationInfo",
- "rel": [
- "edit"
], - "hreflang": [
- "en"
], - "context": "au",
- "title": "Certification Information",
- "mimeType": "application/json",
- "encryptionMethod": "none",
- "accessRole": [
- "untp:accessRole#Anonymous"
], - "public": true,
- "method": "POST"
}
]
}{- "message": "Link resolver registered successfully"
}CRUD operations on individual links within a registered resolver entry. Use these endpoints to update target URLs, rotate credentials, change access roles, toggle active status, or soft/hard delete individual link variants without affecting other links on the same identifier.
Retrieves all active links registered for a specific identifier, optionally filtered by linkType, mimeType, or language. Returns the full link variant details including target URLs, access roles, and encryption metadata. This is a management endpoint for inspecting registered links — for public resolution, use the /{namespace}/{identifierKeyType}/{identifierKey} path instead.
| namespace required | string Example: namespace=example-identifier-scheme The namespace of the identifier scheme (e.g. "gs1", "nlis"). Must match a registered identifier scheme. |
| identificationKeyType required | string Example: identificationKeyType=gtin The application identifier shortcode (e.g. "gtin", "nlisid"). Must be a registered shortcode within the specified namespace. |
| identificationKey required | string Example: identificationKey=12345678901234 The actual identifier value (e.g. GTIN digits "09359502000010"). Must match the regex pattern registered for this identifier type. |
| qualifierPath | string Default: "/" Example: qualifierPath=/10/12345678901234567890 Optional qualifier path segment for sub-identification (e.g. "/10/LOT123" for batch). Use "/" for the base identifier without qualifiers. Implements IDR-09 logical grouping. |
| linkType | string Example: linkType=example-identifier-scheme:certificationInfo Filter results by link type. Use UNTP link relations (e.g. "untp:dpp", "untp:dcc") or scheme-specific types (e.g. "gs1:certificationInfo"). |
| mimeType | string Example: mimeType=application/json Filter results by MIME type of the target resource (e.g. "application/json", "application/vc+ld+json", "application/pdf"). |
| hreflang | string(^\w{2}$)|(^\w{2}-\w{2}$) Example: hreflang=en Filter results by BCP 47 language tag (e.g. "en", "de", "ja"). Returns only link variants whose hreflang array contains the specified tag. |
{- "errors": [
- {
- "field": "identificationKeyType",
- "message": "Identification key type 'invalid_key_type' is not registered with the namespace 'example-identifier-scheme'"
}
]
}Retrieves the full details of a single link variant by its server-generated identifier. Returns all properties including target URL, link type, access roles, encryption metadata, and active status.
| linkId required | string Example: a1b2c3d4-e5f6-7890-abcd-ef1234567890 The server-generated unique identifier for the link variant (UUID format). |
Updates properties of a single link variant. All fields are optional (partial update semantics) — only the fields included in the request body are modified. Useful for rotating target URLs, changing access roles, toggling active status, or updating encryption methods without recreating the entire resolver entry.
| linkId required | string Example: a1b2c3d4-e5f6-7890-abcd-ef1234567890 The server-generated unique identifier for the link variant to update (UUID format). |
| targetUrl | string The URL that resolution redirects to or includes in the linkset. Update this to rotate credential hosting URLs or point to a new version of the target resource. |
| linkType | string IANA or scheme-specific link relation type (e.g. "untp:dpp", "gs1:certificationInfo"). Changing the link type changes how this variant is classified in resolution and linkset responses. |
| rel | Array of strings Additional IANA or extension link relation types that qualify this link beyond its primary linkType. Replaces the existing rel array (does not merge). "predecessor-version" is reserved — see Response schema. |
| title | string Human-readable title for this link variant. |
| mimeType | string\w+/[-+.\w]+ Media type of the target resource — any well-formed MIME type per RFC 6838 is accepted (e.g. "application/vc+ld+json", "application/json", "application/pdf", "application/linkset+json"). |
| hreflang | Array of strings[ items(^\w{2}$)|(^\w{2}-\w{2}$) ] BCP 47 language tags supported by the resource at the target URL — content negotiation is handled at the target. |
| context | string Geographic or situational context code (e.g. "au", "eu", "us"). |
| active | boolean Whether this link variant is live and included in resolution responses. Set to false to deactivate without deleting. |
| fwqs | boolean Forward Query String. When true, query parameters from the resolution request are appended to the targetUrl on redirect. |
| defaultLinkType | boolean When true, this variant is the default for its link type dimension. |
| defaultContext | boolean When true, this variant is the default for its context dimension. |
| defaultMimeType | boolean When true, this variant is the default for its MIME type dimension. |
| encryptionMethod | string Enum: "none" "AES-128" "AES-256" Encryption algorithm applied to the target resource. "none" for unencrypted, "AES-128" or "AES-256" for encrypted credentials requiring a decryptionKey. |
| accessRole | Array of strings Items Enum: "untp:accessRole#Anonymous" "untp:accessRole#Customer" "untp:accessRole#Regulator" "untp:accessRole#Recycler" "untp:accessRole#Auditor" "untp:accessRole#Owner" UNTP access roles permitted to retrieve this link variant. Updates the full role list (replaces, does not merge). |
| public | boolean Whether the link itself is safe to share publicly. Distinct from accessRole — see Response schema for full semantics. |
| method | string HTTP method for accessing the target. "GET" for retrieval, "POST" for creating new linked resources. |
{- "linkType": "example-identifier-scheme:certificationInfo",
- "rel": [
- "edit"
], - "title": "Certification Information",
- "mimeType": "application/json",
- "hreflang": [
- "en"
], - "context": "au",
- "active": true,
- "fwqs": true,
- "defaultLinkType": true,
- "defaultContext": true,
- "defaultMimeType": true,
- "encryptionMethod": "none",
- "accessRole": [
- "untp:accessRole#Anonymous"
], - "public": true,
- "method": "POST"
}{- "message": "Link updated successfully"
}Removes a link variant. By default, performs a soft delete: the link is deactivated (active=false) and excluded from resolution responses, but retained in storage for audit trail purposes. When hard=true, the link is permanently removed from the database. Soft-deleted links can be reactivated by updating their active status via PUT.
| linkId required | string Example: a1b2c3d4-e5f6-7890-abcd-ef1234567890 The server-generated unique identifier for the link variant to delete (UUID format). |
| hard | boolean Set to true for permanent deletion. When false or omitted, the link is soft-deleted (deactivated but retained for audit). |
{- "message": "Link deleted successfully"
}Manage permitted identifier schemes (namespaces and their application identifiers). An identifier scheme must be registered before any link registration can reference it. Each scheme defines a namespace, a set of application identifiers (primary keys, qualifiers, data attributes) with regex validation patterns, and their relationships. Implements IDR-01 (scheme registration), IDR-03 (identifier validation), and IDR-04 (scheme configuration).
Registers or updates an identifier scheme configuration. Defines the namespace, application identifiers (primary keys, qualifiers, data attributes), their regex validation patterns, and relationships. An identifier scheme MUST be registered before any link registration can occur for that namespace. If the namespace already exists, the configuration is replaced (upsert semantics).
| namespace required | string Unique name for the identifier scheme (e.g. "gs1", "nlis", "integrity-systems"). Must match the scheme's registration in the UNTP IDR register. This value appears as the first path segment in resolution URLs. |
| namespaceURI | string Optional URI providing an authoritative reference for the identifier scheme (e.g. the scheme owner's domain or specification URL). Informational — used for documentation and provenance, not for resolution. |
| namespaceProfile | string Optional profile identifier for scheme-specific resolver configuration. Allows a single namespace to support multiple resolution profiles (e.g. different validation rules or link type vocabularies for different use cases). |
required | Array of objects (ApplicationIdentifier) The set of identifier types supported within this scheme. Must include at least one primary identifier (type "I"). Qualifiers and data attributes are optional. |
{- "namespace": "example-identifier-scheme",
- "namespaceURI": "",
- "namespaceProfile": "",
- "applicationIdentifiers": [
- {
- "title": "Global Trade Item Number (GTIN)",
- "label": "GTIN",
- "shortcode": "gtin",
- "ai": "01",
- "type": "I",
- "qualifiers": [
- "10"
], - "regex": "(\\d{12,14}|\\d{8})"
}, - {
- "title": "Batch or lot number",
- "label": "BATCH/LOT",
- "shortcode": "lot",
- "ai": "10",
- "type": "Q",
- "regex": "([\\x21-\\x22\\x25-\\x2F\\x30-\\x39\\x41-\\x5A\\x5F\\x61-\\x7A]{0,20})"
}
]
}{- "message": "Application identifier upserted successfully"
}Permanently removes an identifier scheme and all its application identifier configurations. Existing link resolver entries that reference this namespace will no longer resolve.
| namespace required | string Example: namespace=example-identifier-scheme The namespace of the identifier scheme to delete (e.g. "gs1", "nlis"). Must match an existing registered scheme. |
{- "message": "Application identifier deleted successfully"
}Retrieves the configuration for one or all registered identifier schemes. When a namespace is specified, returns that scheme's configuration. When omitted, returns all registered schemes. Useful for inspecting which identifier types and validation patterns are currently configured.
| namespace | string Example: namespace=example-identifier-scheme The namespace of the identifier scheme to retrieve (e.g. "gs1", "nlis"). If not provided, all registered identifier schemes are returned. |
{- "namespace": "example-identifier-scheme",
- "applicationIdentifiers": [
- {
- "title": "Global Trade Item Number (GTIN)",
- "label": "GTIN",
- "shortcode": "gtin",
- "ai": "01",
- "type": "I",
- "qualifiers": [
- "10"
], - "regex": "(\\d{12,14}|\\d{8})"
}, - {
- "title": "Batch or Lot Number",
- "label": "BATCH/LOT",
- "shortcode": "lot",
- "ai": "10",
- "type": "Q",
- "regex": "([\\x21-\\x22\\x25-\\x2F\\x30-\\x39\\x41-\\x5A\\x5F\\x61-\\x7A]{0,20})"
}
]
}