Reproduce & verify
You shouldn't have to trust the server that served this page. Every score, every rank, every snapshot is independently verifiable against a published signing key, a content-addressed archive on IPFS, and machine-readable JSON APIs. Here is the three-way receipt.
1. The JSON surface
Same numbers as the HTML, in a shape you can curl.
Full leaderboard
curl -sS https://supplierspy.com/api/leaderboard | jq '.items[0]'
Returns every supplier with its final score, rank, weights, and the data_version those numbers were computed against.
One supplier's full record
curl -sS https://supplierspy.com/api/supplier/yakkyo | jq '.score, .rank, .dimensions'
Swap yakkyo for any supplier slug from the leaderboard. The response carries the full per-dimension breakdown, the signals that fed each dimension, and every source URL.
Markdown mirror (for LLMs & agents)
curl -sS https://supplierspy.com/supplier/yakkyo.md
Every HTML page has a .md twin that ingests cleanly. The full dump lives at /llms-full.txt and carries a per-supplier SHA-256 revision hash so you can detect which sections moved since your last ingest.
2. The signed snapshot
ECDSA P-256 JWS. Same key we publish on /.well-known/jwks.json.
Fetch the latest snapshot
curl -sS https://supplierspy.com/snapshots/latest.json -o snap.json
The snapshot is the canonical JSON payload (leaderboard + scores + revision + data_version) that the HTML pages were rendered from.
Fetch the detached signature
curl -sS https://supplierspy.com/snapshots/latest.jws -o snap.jws
A compact JWS over the SHA-256 of snap.json, signed with the key whose fingerprint is published in /.well-known/trust.txt.
Fetch the public key
curl -sS https://supplierspy.com/.well-known/jwks.json -o jwks.json
Single key, kid supplierspy-2026, ES256, P-256. Fingerprint matches Signing-Key-Fingerprint in trust.txt.
Verify with any JOSE library
# Node 20+, using 'jose'
npm i jose
node --input-type=module -e "
import { importJWK, compactVerify } from 'jose';
import { readFileSync } from 'node:fs';
// Single published key (kid supplierspy-2026); import it as an ES256 verification key.
const { keys } = JSON.parse(readFileSync('jwks.json','utf8'));
const key = await importJWK(keys[0], 'ES256');
const jws = readFileSync('snap.jws','utf8').trim();
// Accept only ES256, whatever alg the JWS header claims; throws if the signature is invalid.
const { payload } = await compactVerify(jws, key, { algorithms: ['ES256'] });
console.log('OK:', JSON.parse(new TextDecoder().decode(payload)));
"
A green verification proves two things, provided the signed payload matches the SHA-256 of the snap.json you downloaded: the snapshot bytes were not tampered with in transit, and they were signed by whoever controls the private half of the key published at /.well-known/jwks.json.
3. The content address (IPFS)
Same bytes → same CID → same dataset, anywhere.
Grab the CID from the snapshot metadata
curl -sS https://supplierspy.com/snapshots/latest.meta.json | jq .cid
The CID is a CIDv1 with raw codec over the canonical snapshot bytes (multihash: sha2-256, base32 lowercase, no padding).
Fetch from any IPFS gateway
curl -sS https://ipfs.io/ipfs/<cid> -o from-ipfs.json
diff snap.json from-ipfs.json # must be empty
If the bytes from IPFS differ from what the server served, the site served you a different file than it signed. File a correction at /corrections with both hashes.
Recompute the CID yourself
npx multiformats-cid raw sha2-256 snap.json # → matches latest.meta.json
Deterministic. No server trust required — the CID is a function of the bytes.
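The CID format described above can be recomputed with nothing but a SHA-256 implementation. The following is an added example, not SupplierSpy's own code: it builds the CIDv1 (raw codec, sha2-256, base32 lowercase, no padding) from a file's bytes and checks a published CID against them, rejecting CIDs of another kind (CIDv0, or a non-raw codec) whose digest is not a plain hash of the file. The function names and the 'hello world' sample are constructed for illustration.

```javascript
// Added example: recompute and check a CIDv1 (raw codec, sha2-256, base32) without IPFS tooling.
// Loads node:crypto whether this file runs as CommonJS or as an ES module.
const { createHash } =
  typeof require === 'function' ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567'; // RFC 4648 base32, lowercase
// Multiformats header: CID version 1, raw codec 0x55, sha2-256 code 0x12, digest length 32.
const HEADER = Buffer.from([0x01, 0x55, 0x12, 0x20]);

function base32Encode(bytes) {
  const bits = [...bytes].map((b) => b.toString(2).padStart(8, '0')).join('');
  // Split into 5-bit groups; the last group is zero-padded on the right, no '=' padding.
  return bits.match(/.{1,5}/g).map((g) => ALPHABET[parseInt(g.padEnd(5, '0'), 2)]).join('');
}

function base32Decode(text) {
  let bits = '';
  for (const ch of text) {
    const v = ALPHABET.indexOf(ch);
    if (v < 0) throw new Error('not lowercase base32: ' + ch);
    bits += v.toString(2).padStart(5, '0');
  }
  // Drop the trailing partial byte left over from the encoder's zero padding.
  const whole = bits.slice(0, bits.length - (bits.length % 8));
  return Buffer.from((whole.match(/.{8}/g) || []).map((g) => parseInt(g, 2)));
}

function cidV1Raw(bytes) {
  const digest = createHash('sha256').update(bytes).digest();
  return 'b' + base32Encode(Buffer.concat([HEADER, digest])); // 'b' = multibase prefix for base32
}

// Returns 'match', or the reason the published CID cannot vouch for these bytes.
function checkCid(cid, bytes) {
  if (!cid.startsWith('b')) return 'not-base32-multibase';
  let raw;
  try { raw = base32Decode(cid.slice(1)); } catch { return 'bad-encoding'; }
  if (raw.length !== 36 || !raw.subarray(0, 4).equals(HEADER)) return 'not-cidv1-raw-sha256';
  const digest = createHash('sha256').update(bytes).digest();
  return raw.subarray(4).equals(digest) ? 'match' : 'digest-mismatch';
}

// Constructed sample input; for the real check pass the bytes of snap.json and the published CID.
const sample = Buffer.from('hello world');
console.log(cidV1Raw(sample), checkCid(cidV1Raw(sample), sample));
```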
The contract
For a given data_version, the signed snapshot, the JSON API, and the HTML pages must all carry the same scores and ranks. If they don't, that's a verifiable bug — email hello@supplierspy.com with the mismatch and we'll file a public correction at /corrections.
External review counts (Trustpilot stars, Shopify App Store counts) refresh on a 6-hour cron. A score tied to today's data_version is reproducible against today's signed snapshot. To reconstruct a historical score against the methodology version that produced it, fetch the historical snapshot by revision at /snapshots/<data_version>.json.
Methodology pinned at /methodology/v1.0 · key published at /.well-known/jwks.json · fingerprint at /.well-known/trust.txt.