Reproduce & verify
You shouldn't have to trust the server that served this page. Every score, every rank, every snapshot is independently verifiable against a published signing key, a content-addressed archive on IPFS, and machine-readable JSON APIs. Here is the three-way receipt.
1. The JSON surface
Same numbers as the HTML, in a shape you can curl.
Full leaderboard
curl -sS https://supplierspy.com/api/leaderboard | jq '.items[0]'
Returns every supplier with its final score, rank, weights, and the data_version those numbers were computed against.
One supplier's full record
curl -sS https://supplierspy.com/api/supplier/yakkyo | jq '.score, .rank, .dimensions'
Swap yakkyo for any supplier slug from the leaderboard. The response carries the full per-dimension breakdown, the signals that fed each dimension, and every source URL.
Markdown mirror (for LLMs & agents)
curl -sS https://supplierspy.com/supplier/yakkyo.md
Every HTML page has a .md twin that ingests cleanly. The full dump lives at /llms-full.txt and carries a per-supplier SHA-256 revision hash so you can detect which sections moved since your last ingest.
2. The signed snapshot
ECDSA P-256 JWS. Same key we publish on /.well-known/jwks.json.
Fetch the latest snapshot
curl -sLS https://supplierspy.com/snapshots/latest.json -o snap.json
The snapshot is the canonical JSON payload (leaderboard + scores + revision + data_version) that the HTML pages were rendered from.
Fetch the detached signature
curl -sLS https://supplierspy.com/snapshots/latest.json.sig -o snap.sig.json
A detached ECDSA-P256 signature (JSON envelope: { alg, kid, signature }) over the canonicalized snap.json bytes, signed with the key whose fingerprint is published in /.well-known/trust.txt.
Fetch the public key
curl -sS https://supplierspy.com/.well-known/jwks.json -o jwks.json
Single key, kid supplierspy-2026, ES256, P-256. Fingerprint matches Signing-Key-Fingerprint in trust.txt.
Verify the detached signature
# Node 20+, Web Crypto (no dependencies)
node --input-type=module -e "
import { readFileSync } from 'node:fs';
const { keys } = JSON.parse(readFileSync('jwks.json','utf8'));
const sigEnv = JSON.parse(readFileSync('snap.sig.json','utf8'));
const payload = readFileSync('snap.json');
const sig = Uint8Array.from(atob(sigEnv.signature.replace(/-/g,'+').replace(/_/g,'/')), (c)=>c.charCodeAt(0));
const key = await crypto.subtle.importKey('jwk', keys[0], { name:'ECDSA', namedCurve:'P-256' }, false, ['verify']);
const ok = await crypto.subtle.verify({ name:'ECDSA', hash:'SHA-256' }, key, sig, payload);
console.log(ok ? 'OK' : 'FAIL');
"
A green verification proves two things: the snapshot bytes were not tampered with in transit, and they were signed by whoever controls the private half of the key published at /.well-known/jwks.json.
3. The content address (IPFS)
Same bytes → same CID → same dataset, anywhere.
Grab the CID from the snapshot itself
jq .cid snap.json
The CID is embedded inside the signed snapshot you fetched in step 2. It is a CIDv1 with raw codec over the canonical snapshot bytes (multihash: sha2-256, base32 lowercase, no padding). Because it lives inside the signed payload, the signature covers it — a tampered CID would fail verification.
Fetch from any IPFS gateway
curl -sS https://ipfs.io/ipfs/<cid> -o from-ipfs.json
diff snap.json from-ipfs.json # must be empty
If the bytes from IPFS differ from what the server served, the site served you a different file than it signed. File a correction at /corrections with both hashes.
Recompute the CID yourself
npx multiformats-cid raw sha2-256 snap.json # → matches latest.meta.json
Deterministic. No server trust required — the CID is a function of the bytes.
The contract
For a given data_version, the signed snapshot, the JSON API, and the HTML pages must all carry the same scores and ranks. If they don't, that's a verifiable bug — email hello@supplierspy.com with the mismatch and we'll file a public correction at /corrections.
External review counts (Trustpilot stars, Shopify App Store counts) refresh on a 6-hour cron. A score tied to today's data_version is reproducible against today's signed snapshot. To reconstruct a historical score against the methodology version that produced it, fetch the historical snapshot by revision at /snapshots/<data_version>.json.
Methodology pinned at /methodology/v1.0 · key published at /.well-known/jwks.json · fingerprint at /.well-known/trust.txt.