How-to 5 July 2026 · 8 min read

QR code certificates on Shopify: from cert card to GS1 Digital Link

A hosted certificate has two halves: a page on your domain that carries the record, and a QR code that gets the buyer there. This post is about the second half, the printed square that ties a physical piece to its URL. Where to put it, what it should encode, how to print it so it actually scans, and how the same pattern scales up to the EU Digital Product Passport's GS1 Digital Link QR.

Quick answer: The certificate QR code should encode a full HTTPS URL on your own domain containing a cryptographically random verification token, never a sequential ID. Print it on a DL cert card (210×99 mm) that ships with the piece, repeat the link on the product page and in your shipping email, and test scans with real phones before a drop. The EU Digital Product Passport uses the same architecture at regulatory scale: a QR code (GS1 Digital Link) resolving to a structured JSON-LD record. If your cert QR already works this way, the DPP is a syntax upgrade, not a rebuild.

Every certificate system, from a paper hangtag to the EU's federated registry, has to answer one question: how does the person holding the object reach the record about it? In 2026 the answer is almost always a QR code. This post covers the practical decisions behind that little square for a Shopify store selling numbered pieces, using the setup from our complete guide to provenance certificates as the baseline.

Scan-and-verify vs look-and-trust

A traditional certificate of authenticity works by looking impressive: heavy stock, a foil seal, a signature. The buyer looks and decides to trust. But everything one printer produced, another printer can reproduce, and a counterfeiter's card only has to survive a glance.

A QR-backed certificate flips the model. The printed card is an artifact, a beautiful thing to keep in the box, but it is not the proof. The proof is the URL the QR resolves to: a tamper-evident page on the merchant's own domain, at your-store.com/apps/provenance/..., showing the edition number, the piece, and the verification state right now. Scan-and-verify, not look-and-trust.

The card carries the pointer, the server carries the facts. Lose the card and the record still exists; photocopy it and the copy points at the same single source of truth. For how this fits into a broader defence against fakes, see the anti-counterfeit playbook for Shopify brands.

What the QR code must encode

One thing: a full HTTPS URL to the hosted certificate, containing a cryptographically random token.

The token is the part most DIY implementations get wrong. If your certificates live at /cert/1, /cert/2, /cert/3, anyone with a browser can enumerate every certificate you have ever issued by changing the number, harvest the details, and print convincing fakes with valid-looking data. This is the enumeration attack, and sequential IDs walk straight into it.

Random tokens close the door. Editioned's verification tokens are 10+ characters drawn from a space of 2.8 trillion+ combinations, so knowing one certificate URL tells an attacker nothing about any other. The cert integrity section on the homepage walks through the maths.
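
The rules in this section can be checked before a payload ever reaches the printer. This added example (not Editioned's code) mints a token from the OS CSPRNG and lists the reasons a candidate QR payload breaks those rules; the alphabet, the 12-character default, the `/cert/` path and the `your-store.example` host are assumptions made for illustration.

```python
import math
import secrets
from urllib.parse import urlsplit

# Assumed alphabet: lowercase letters and digits without 0/o and 1/l/i.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
MIN_TOKEN_LEN = 10  # the page's "10+ characters"


def new_token(length: int = 12) -> str:
    """Draw every character from the OS CSPRNG, never from a counter."""
    while True:
        token = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not token.isdigit():  # redraw the rare all-digit result
            return token


def token_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random token, in bits."""
    return length * math.log2(alphabet_size)


def check_qr_payload(payload: str, own_host: str) -> list[str]:
    """Return the reasons a string should not be printed as a certificate QR."""
    problems = []
    url = urlsplit(payload)
    if url.scheme != "https":
        problems.append("not a full HTTPS URL")
    if (url.hostname or "") != own_host.lower():
        problems.append("host is not the merchant's own domain")
    token = url.path.rstrip("/").rsplit("/", 1)[-1]
    if token.isdigit():
        problems.append("numeric ID: enumerable by changing the number")
    elif len(token) < MIN_TOKEN_LEN:
        problems.append("token shorter than 10 characters")
    return problems


# Constructed payloads: one that passes, one sequential ID.
GOOD = f"https://your-store.example/cert/{new_token()}"
BAD = "https://your-store.example/cert/42"
```

Run `check_qr_payload` over every URL in a print batch and hold the batch if any list comes back non-empty.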

Two more rules for what goes in the square:

Where to put the QR code

At jewellery scale, the piece itself is the one place the QR does not go. A ring band or a pendant bail has no room for a reliably scannable code, and the marks that belong on the metal, the hallmark and the maker's mark, already do the physical identification work. The QR lives on everything around the piece:

The back of the Light cert card, DL size on standard 210×99 mm cardstock: QR code, masked verification token, edition number.

The layers are redundant on purpose: as long as one carrier survives, the buyer can reach the record. About 30-50% of buyers scan within the first week, and many more come back months later at resale or gifting time, so the carriers that persist matter more than the ones that convert on day one.

Print a cert card with the QR built in

Editioned generates a DL-size cert PDF per edition: QR code, masked token, edition number on the back. Install free, 30-day Pro trial, no card.


A QR code that does not scan is worse than no QR code, because the failed scan reads as a failed verification. Four basics keep a jewellery-scale card reliable:

Then the step that actually catches problems: test scans from real phones before a drop. Scan the printed proof, not the PDF on screen, with at least one iPhone and one Android, in the light a buyer will actually use. Repeat for each print batch; stock and ink changes quietly kill scannability.

The pattern this post describes, a printed QR resolving to a hosted structured record, is not just a boutique trick. It is the architecture the EU chose for the Digital Product Passport.

GS1 Digital Link is a GS1 standard that packs the identifiers already used in barcodes, most commonly a GTIN, into an ordinary web URL. One QR code then serves both audiences: a buyer's phone opens it as a normal link, while supply-chain systems parse the identifiers out of the URL path. Add a serial segment and the same URL identifies an individual item rather than a SKU, the certificate use case exactly: one URL per piece.
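
The machine side of that paragraph, as an added example rather than GS1 or Editioned code: it pulls the GTIN and the optional serial out of a GTIN-keyed Digital Link path and rejects a GTIN whose check digit is wrong. The `id.example` host and the serial are constructed, only the GTIN key and its three qualifiers are handled, and requiring `https` is this example's choice.

```python
from urllib.parse import unquote, urlsplit

# GS1 Application Identifiers handled here: 01 = GTIN, then the key qualifiers
# 22 = consumer product variant, 10 = batch/lot, 21 = serial number.
QUALIFIERS = {"22": "cpv", "10": "lot", "21": "serial"}


def gtin_check_digit_ok(gtin: str) -> bool:
    """GS1 mod-10: weights 3,1,3,... starting left of the check digit."""
    if not (gtin.isascii() and gtin.isdigit()) or len(gtin) not in (8, 12, 13, 14):
        return False
    body, check = gtin[:-1], int(gtin[-1])
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(body)))
    return (10 - total % 10) % 10 == check


def parse_digital_link(url: str) -> dict:
    """Extract the GTIN and qualifiers from a GTIN-keyed Digital Link URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("expected an https URL")
    segs = [unquote(s) for s in parts.path.split("/") if s]
    if "01" not in segs:
        raise ValueError("no GTIN (AI 01) in path")
    segs = segs[segs.index("01"):]  # anything before it is a path prefix
    if len(segs) % 2:
        raise ValueError("AI without a value")
    pairs = list(zip(segs[0::2], segs[1::2]))
    gtin = pairs[0][1]
    if not gtin_check_digit_ok(gtin):
        raise ValueError("bad GTIN length or check digit")
    out = {"host": parts.hostname, "gtin": gtin.zfill(14)}
    for ai, value in pairs[1:]:
        if ai not in QUALIFIERS:
            raise ValueError(f"unsupported AI {ai}")
        out[QUALIFIERS[ai]] = value
    # A serial makes the URL identify one piece rather than a SKU.
    out["level"] = "item" if "serial" in out else "product"
    return out


# Constructed sample: a GTIN with a valid check digit plus a made-up serial.
SAMPLE = "https://id.example/01/09506000134352/21/A1B2C3"
```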

The Ecodesign for Sustainable Products Regulation (ESPR 2024/1781) built the DPP on this stack: a federated registry, JSON-LD records, and a QR data carrier using GS1 Digital Link. Not a blockchain, a decision we unpack in why the EU rejected blockchain for the DPP. The rollout is sector by sector: ESPR reaches full application on 19 July 2026 alongside the EU Central DPP Registry, batteries become mandatory on 18 February 2027 under Regulation 2023/1542, textiles follow around late 2028, and the CEN/CENELEC EN 1821x standards that pin down the technical details publish around late 2026. The full schedule is in our EU DPP timeline.

For a certificate-issuing merchant, the scaling path is already laid: a hosted certificate QR and a DPP QR differ in URL syntax and schema vocabulary, not in architecture. Editioned's certificate data is open JSON-LD with a CIRPASS-aligned export, portable out at any time, so when a sector you sell into comes under the mandate, the move is a namespace change rather than a re-platform. The field-level detail lives in DPP JSON-LD fields and schema validators.

QR carrier options, compared

Pulling the placement options and the DPP carrier into one view:

| Carrier | Where it lives | Strengths | Watch out |
| --- | --- | --- | --- |
| DL cert card | Ships in the box with the piece (210×99 mm cardstock) | Tangible artifact, kept with the piece, scanned by resale authenticators at intake | Can be lost or separated from the piece; print quality is on you |
| Packaging insert | Box lid, wrap band, or tissue seal | Catches the buyer at unboxing, when scan intent peaks | Usually discarded with the packaging |
| Product-page link block | On the storefront product page | Public, persistent, no printing; part of the product record second owners find | Buyer has to navigate to the page; it is a link, not a scan |
| Shipping email link | The buyer's inbox, sent by your own email tool | Arrives before the piece, searchable years later, your sender and your voice | Needs the metafield wiring once; Editioned never sends email for you |
| GS1 Digital Link QR | On product or packaging, per the EU DPP rules | One code for humans and machines; the EU regulatory path | Mandatory only by sector, starting with batteries in Feb 2027 |

The honest summary: ship the card, wire the email, embed the page block, and treat the GS1 Digital Link QR as the standard your setup grows into rather than a separate project.

One QR per piece, $0 per certificate

Flat monthly subscription at every tier, no per-certificate fees. 30-day Pro trial on install, no card required, auto-downgrades to Free after the trial.


Frequently asked questions

Should the QR code go on the jewellery piece itself or the packaging?

At jewellery scale the QR belongs on the cert card and the packaging, not the piece. A ring band or pendant bail has no room for a reliably scannable code, and the marks that belong on the metal (hallmark, maker's mark) already do the physical identification work. Ship the DL cert card in the box, then repeat the link on the product page and in the shipping email.

What should a certificate QR code encode?

A full HTTPS URL to the hosted certificate, containing a cryptographically random verification token. Editioned tokens are 10+ characters with 2.8 trillion+ combinations, so knowing one URL tells an attacker nothing about any other. Never encode a sequential ID, and avoid third-party redirect QR services that put another company between the buyer and the certificate.

Do buyers actually scan certificate QR codes?

About 30-50% of buyers scan within the first week, based on view-tracking data from Editioned-using stores. Many more scan months later, when the piece is resold or gifted. The value is that the buyer can verify at any time, not that every buyer scans on day one.

Is a GS1 Digital Link QR required for the EU DPP today?

Not for most categories. ESPR (2024/1781) reaches full application on 19 July 2026 alongside the EU Central DPP Registry, batteries become mandatory on 18 February 2027 under Regulation 2023/1542, and textiles follow around late 2028. Jewellery is not in the first mandated waves. The architecture, a QR resolving to a structured record, is the same one a hosted certificate already uses.

What happens to the QR code if the certificate is revoked?

The printed QR never changes; the URL behind it does. On a return or refund the edition revokes and the token rotates, so the old URL stops resolving. If the product is deleted, the certificate URL returns HTTP 410 Gone with a “Certificate no longer valid” page. Anyone scanning the old card sees a provably invalid certificate, not a stale valid one. Details in the certificate lifecycle post.
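
The lifecycle in that answer, modelled as an added example that is not Editioned's implementation: rotation drops the old token's mapping, and deletion leaves a tombstone so the URL can answer 410 rather than look unknown. The class and method names are hypothetical, and two behaviours are assumptions: a rotated-out token answers 404, and the rotated token shows the edition as revoked.

```python
import secrets
from dataclasses import dataclass
from http import HTTPStatus


@dataclass
class Edition:
    number: str
    token: str
    revoked: bool = False


class CertRegistry:
    """In-memory stand-in for the certificate store (hypothetical names)."""

    def __init__(self) -> None:
        self._live: dict[str, Edition] = {}  # current token -> edition
        self._gone: set[str] = set()         # tokens of deleted products

    def issue(self, number: str) -> Edition:
        edition = Edition(number, secrets.token_urlsafe(9))
        self._live[edition.token] = edition
        return edition

    def revoke(self, edition: Edition) -> str:
        """Return or refund: mark revoked and rotate, so the printed URL dies."""
        del self._live[edition.token]
        edition.revoked = True
        edition.token = secrets.token_urlsafe(9)
        self._live[edition.token] = edition
        return edition.token

    def delete_product(self, edition: Edition) -> None:
        """Product deleted: keep a tombstone so the URL answers 410."""
        del self._live[edition.token]
        self._gone.add(edition.token)

    def resolve(self, token: str) -> tuple[HTTPStatus, str]:
        if token in self._gone:
            return HTTPStatus.GONE, "Certificate no longer valid"
        edition = self._live.get(token)
        if edition is None:
            # Assumption: rotated-out and never-issued tokens look identical.
            return HTTPStatus.NOT_FOUND, "Unknown certificate"
        state = "revoked" if edition.revoked else "valid"
        return HTTPStatus.OK, f"Edition {edition.number}: {state}"
```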
