Verify without trusting us

Reproduce & verify

You shouldn't have to trust the server that served this page. Every score, every rank, every snapshot is independently verifiable against a published signing key, a content-addressed archive on IPFS, and machine-readable JSON APIs. Here is the three-way receipt.

1. The JSON surface

Same numbers as the HTML, in a shape you can curl.

A

Full leaderboard

curl -sS https://supplierspy.com/api/leaderboard | jq '.items[0]'

Returns every supplier with its final score, rank, weights, and the data_version those numbers were computed against.

B

One supplier's full record

curl -sS https://supplierspy.com/api/supplier/yakkyo | jq '.score, .rank, .dimensions'

Swap yakkyo for any supplier slug from the leaderboard. The response carries the full per-dimension breakdown, the signals that fed each dimension, and every source URL.

C

Markdown mirror (for LLMs & agents)

curl -sS https://supplierspy.com/supplier/yakkyo.md

Every HTML page has a .md twin that ingests cleanly. The full dump lives at /llms-full.txt and carries a per-supplier SHA-256 revision hash so you can detect which sections moved since your last ingest.

2. The signed snapshot

ECDSA P-256 JWS. Same key we publish on /.well-known/jwks.json.

1

Fetch the latest snapshot

curl -sLS https://supplierspy.com/snapshots/latest.json -o snap.json

The snapshot is the canonical JSON payload (leaderboard + scores + revision + data_version) that the HTML pages were rendered from.

2

Fetch the detached signature

curl -sLS https://supplierspy.com/snapshots/latest.json.sig -o snap.sig.json

A detached ECDSA-P256 signature (JSON envelope: { alg, kid, signature }) over the canonicalized snap.json bytes, signed with the key whose fingerprint is published in /.well-known/trust.txt.

3

Fetch the public key

curl -sS https://supplierspy.com/.well-known/jwks.json -o jwks.json

Single key, kid supplierspy-2026, ES256, P-256. Fingerprint matches Signing-Key-Fingerprint in trust.txt.

4

Verify the detached signature

# Node 20+, Web Crypto (no dependencies)
node --input-type=module -e "
  import { readFileSync } from 'node:fs';
  const { keys } = JSON.parse(readFileSync('jwks.json','utf8'));
  const sigEnv  = JSON.parse(readFileSync('snap.sig.json','utf8'));
  const payload = readFileSync('snap.json');
  const sig     = Uint8Array.from(atob(sigEnv.signature.replace(/-/g,'+').replace(/_/g,'/')), (c)=>c.charCodeAt(0));
  const key     = await crypto.subtle.importKey('jwk', keys[0], { name:'ECDSA', namedCurve:'P-256' }, false, ['verify']);
  const ok      = await crypto.subtle.verify({ name:'ECDSA', hash:'SHA-256' }, key, sig, payload);
  console.log(ok ? 'OK' : 'FAIL');
"

A green verification proves two things: the snapshot bytes were not tampered with in transit, and they were signed by whoever controls the private half of the key published at /.well-known/jwks.json.

3. The content address (IPFS)

Same bytes → same CID → same dataset, anywhere.

1

Grab the CID from the snapshot itself

jq .cid snap.json

The CID is embedded inside the signed snapshot you fetched in step 2. It is a CIDv1 with raw codec over the canonical snapshot bytes (multihash: sha2-256, base32 lowercase, no padding). Because it lives inside the signed payload, the signature covers it — a tampered CID would fail verification.

2

Fetch from any IPFS gateway

curl -sS https://ipfs.io/ipfs/<cid> -o from-ipfs.json
diff snap.json from-ipfs.json  # must be empty

If the bytes from IPFS differ from what the server served, the site served you a different file than it signed. File a correction at /corrections with both hashes.

3

Recompute the CID yourself

npx multiformats-cid raw sha2-256 snap.json  # → matches latest.meta.json

Deterministic. No server trust required — the CID is a function of the bytes.

The contract

For a given data_version, the signed snapshot, the JSON API, and the HTML pages must all carry the same scores and ranks. If they don't, that's a verifiable bug — email hello@supplierspy.com with the mismatch and we'll file a public correction at /corrections.

External review counts (Trustpilot stars, Shopify App Store counts) refresh on a 6-hour cron. A score tied to today's data_version is reproducible against today's signed snapshot. To reconstruct a historical score against the methodology version that produced it, fetch the historical snapshot by revision at /snapshots/<data_version>.json.

Methodology pinned at /methodology/v1.0 · key published at /.well-known/jwks.json · fingerprint at /.well-known/trust.txt.