Most Shopify merchants who sell numbered editions, limited drops, or anything that can be counterfeited eventually need a certificate. Jewellery makers, art print sellers, sneaker collab issuers, small-batch spirit distillers, ceramic studios: every category has the same problem. How does the buyer prove that what they bought is real, in three years, on a resale platform, in a different country?
This guide is the long answer. It covers the definitions, the four implementation approaches and their trade-offs, what the EU regulation actually says, and a concrete five-minute setup for a hosted certificate using Editioned (the app we built for our own Guild 79 atelier and now ship to other Shopify stores).
What is a provenance certificate?
A provenance certificate is a verifiable record that ties a physical object to its origin story. For a Shopify merchant, the typical fields are:
- Edition number (e.g. “Edition I of III”): establishes scarcity and individual identity
- Studio or maker: who created it, often with a city or atelier name
- Origin / site: where it was made, sometimes with geographic coordinates
- Material composition: gold karat, fabric blend, paper grade, clay type
- Verification token: a unique cryptographic string that proves the certificate URL hasn't been forged
- Issue date and (optionally) buyer trail: when it was sold, who has scanned it
The certificate itself takes one of four forms: paper hangtag, blockchain NFT, hosted web page, or hybrid. Most 2026 implementations are hosted web pages reached by a QR code or short URL printed on the product, packaging, or insert.
If you want the deeper definition, our certificate of authenticity on Shopify post walks through the wallet-free COA workflow in more detail.
Why provenance matters in 2026
Three things changed between 2022 and 2026 that made provenance certificates table stakes rather than a nice-to-have:
- EU regulation pulled the goalposts. The Ecodesign for Sustainable Products Regulation (ESPR 2024/1781) mandates a Digital Product Passport for every product sold into the EU across multiple sectors, rolling out from 2027 to 2030. See our EU DPP timeline post for the per-sector dates.
- Resale platforms started authenticating. StockX, Vestiaire, The RealReal, and dozens of niche platforms now actively scan certificates before accepting consignments. A piece without a verifiable cert is increasingly worth less on the secondary market, sometimes unsellable on premium platforms.
- Counterfeit production scaled. AI-assisted dupes, 3D-printed components, and high-quality fakes shipped via dropshipping have collapsed the cost of producing convincing replicas. Anti-counterfeit defense is no longer about hologram stickers; it's about verifiable digital records. See our broader anti-counterfeit playbook for Shopify brands.
The brands who skip this in 2026 lose three things at once: resale support, EU sales access, and the trust premium that buyers increasingly demand at the high end.
The four approaches, compared
Every provenance certificate implementation is some combination of four primitives. Picking the right one for your brand depends on what you sell, where, and to whom.
| Approach | What it is | Best for | Watch out for |
|---|---|---|---|
| Paper hangtag | Printed cert with serial number, sometimes a hologram or watermark | Small editions, gift-shop sales | Forgery, loss, no online verification |
| Hosted web certificate | URL + QR code per piece, page on merchant's domain, token-verified | Most Shopify merchants in 2026 | Lifecycle: what happens when a product is deleted? |
| NFT / blockchain | Token minted on a blockchain, wallet required to claim | Transferable digital twins, royalty enforcement | Wallet onboarding, per-mint fees, token volatility |
| EU DPP (federated registry) | JSON-LD record published per product, resolvable via GS1 Digital Link QR | Brands selling into EU, regulatory compliance | Currently only mandatory for batteries; rolling out by sector |
For why the EU chose a federated registry over a blockchain, see our deep-dive: Why the EU rejected blockchain for the Digital Product Passport.
What makes a good provenance certificate
Independent of which approach you pick, five properties separate a robust certificate from a vanity badge:
1. Non-enumerable identifier
If your certificate URL is /cert/1, /cert/2, /cert/3, an attacker can iterate through every certificate on your site by changing the number. A good tool uses cryptographically random tokens (10+ characters, 2.8 trillion+ combinations) so that knowing one certificate URL tells the attacker nothing about the next one. See our cert integrity section for the math.
2. Revocation that actually invalidates
When a product is returned, transferred, or removed, the certificate should provably become invalid. Editioned does this two ways: revoked editions rotate to a new token (the old URL stops resolving), and deleted products return HTTP 410 Gone, a standard status code meaning “this resource is permanently gone, not just temporarily missing.”
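The first two properties together, as an added sketch (not Editioned's code): tokens come from the OS CSPRNG, a return rotates the token, and a deleted product's tokens answer 410 instead of falling through to another record. The alphabet, the 16-character length, the `CertStore` class and the 404 for rotated-out tokens are assumptions made for this example.

```python
import math
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed 36-symbol alphabet
TOKEN_LEN = 16  # assumed length; 8 such characters give 36**8, about 2.8 trillion values

def new_token(length=TOKEN_LEN):
    """Draw every character from the OS CSPRNG, never from a counter or random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length=TOKEN_LEN):
    """Bits an attacker must guess for a token of this length (about 41 for 8 characters)."""
    return length * math.log2(len(ALPHABET))

class CertStore:
    """In-memory stand-in for the certificate table (hypothetical schema)."""

    def __init__(self):
        self.active = {}   # token -> (product_id, edition_no)
        self.gone = set()  # tokens whose product was deleted

    def issue(self, product_id, edition_no):
        token = new_token()
        self.active[token] = (product_id, edition_no)
        return token

    def revoke(self, token):
        """Return or refund: the old token stops resolving and the edition gets a new one."""
        edition = self.active.pop(token)
        return self.issue(*edition)

    def delete_product(self, product_id):
        """Tombstone each token so its URL answers 410 and can never match another product."""
        for token, (pid, _) in list(self.active.items()):
            if pid == product_id:
                del self.active[token]
                self.gone.add(token)

    def resolve(self, token):
        """Return (HTTP status, edition or None) for a scanned certificate URL."""
        if token in self.active:
            return 200, self.active[token]
        if token in self.gone:
            return 410, None
        return 404, None  # rotated-out and never-issued tokens are indistinguishable
```

Because every wrong guess returns the same 404, throttling repeated 404s per client is the natural companion control, and it matters most when tokens sit near the short end of the range.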
3. No per-certificate fees
If your provenance tool charges $0.25-0.75 per certificate, you're penalised every time you sell. A Studio merchant generating 100,000 certs a year would pay $25,000-75,000 just for the privilege of issuing them. The cleaner pricing model is a flat monthly subscription with unlimited certs, which is Editioned's structure at every tier.
4. Brand-controlled hosting
The certificate URL should live on your domain (or a sub-path of it), not on a third-party SaaS domain. If the tool you picked goes out of business, your buyers' certificates shouldn't turn into broken links. With Editioned, the certificate lives at your-store.com/apps/provenance/... and, even if Editioned disappeared, the data structure is open JSON-LD that you could re-host anywhere.
5. Export to standard formats
The certificate data should be exportable as JSON-LD aligned with established schemas (Schema.org, GS1, CIRPASS). This is what makes the certificate portable across resale platforms, customs authorities, and the EU DPP registry. For the technical fields involved, see our DPP JSON-LD fields and schema validators walkthrough.
How the EU Digital Product Passport changes everything
The Ecodesign for Sustainable Products Regulation (ESPR 2024/1781) mandates a Digital Product Passport for every product sold into the EU. The rollout schedule is sector-by-sector:
| Date | What becomes mandatory |
|---|---|
| 19 Jul 2026 | ESPR full application; EU Central DPP Registry goes live |
| 18 Feb 2027 | Batteries (EV + industrial >2 kWh + LMT) under Regulation 2023/1542 |
| ~2027-2028 | Electronics, ICT (laptops, phones, peripherals) |
| ~Late 2028 | Textiles + apparel (delegated act adopted Q2 2027) |
| 2028-2030 | Iron, steel, aluminium, furniture, construction products |
The practical implication: any Shopify merchant selling into the EU in a covered sector needs to publish a DPP record per product by these dates. The good news is that the schema is open, the technical primitives are simple (JSON-LD + QR), and tools that export CIRPASS-aligned records today (like Editioned) require no work on the merchant's end when the official CEN/CENELEC EN 1821x standards publish in late 2026: the tool swaps the schema namespace and continues working.
If you sell jewellery, art, prints, ceramics, or general fashion outside the regulated sectors, you're not required to publish a DPP. But customers and resale platforms will increasingly expect a DPP-shaped record because the EU pattern is becoming the de-facto global standard.
Choosing the right tool for your product type
The right setup varies meaningfully by category. Pick the one closest to what you sell:
Setup walkthrough, five minutes
Setting up a hosted provenance certificate on Shopify with Editioned takes about five minutes from install to first cert. Here's the path in motion:
- Install Editioned from the Shopify App Store (apps.shopify.com/editioned). The install handshake takes ~30 seconds. Every new install starts with 30 days of full Pro features unlocked, no card required.
- Pick a product to certify. Open it in the Editioned admin → Edition Total: set a number (e.g. 3 for a three-piece run). Editions are generated immediately with unique tokens.
- Add provenance details. Studio name, origin, year, materials. Pick a Category (Jewellery, Art, Spirits, Fashion, Ceramics, General); this enables category-specific fields.
- Pick a cert style. Pro unlocks the Light style (cream & gold). Studio unlocks all three (Light · Dark · Minimal). See the style options.
- Download the cert PDF. It is DL card size and prints on standard 210×99 mm cardstock. It includes the QR code, masked verification token, and edition number on the back, and ships with the product.
When an order is placed, the next available edition auto-assigns to the buyer. When returned or refunded, the edition revokes and the token rotates. The buyer's scanned QR resolves to a tamper-evident page on your storefront.
Set up your first cert in 5 minutes
30-day Pro trial on install, no card required. Auto-downgrades to Free after the trial unless you upgrade.
Common implementation mistakes to avoid
Using sequential certificate IDs
The most common mistake we see in DIY implementations: certificates at /cert/1, /cert/2, etc. Anyone with a browser can iterate through every certificate you've ever issued. Use cryptographically random tokens with enough entropy that guessing one tells the attacker nothing about the next.
Not handling deletion or returns
If a buyer returns a product and you re-sell that edition, the original cert URL should stop validating the new buyer. Or if you delete a product entirely, the cert URL should not silently fall through to a different product with the same handle. This is the lifecycle problem; HTTP 410 + token rotation are the standard answers.
Hosting certificates on a third-party SaaS domain
If your certificate URLs look like https://provenance-saas.io/cert/abc123 instead of https://your-store.com/..., you're effectively renting your buyers' verifiable history. The day the SaaS shuts down, the certs go with it. Insist on URLs that live on your domain.
Treating the printed certificate as the source of truth
Paper certificates degrade, get lost, or get separated from the product. The printed cert should be a beautiful artifact, but the source of truth is the verifiable URL it points to. Scan-and-verify, not look-and-trust.
Per-certificate fees that scale with success
A per-mint fee structure punishes growth. If you go from selling 100 pieces a year to 10,000, your provenance bill grows 100x, for no additional value. Flat-subscription tools mean your unit economics improve as you scale.
What about NFTs and blockchain?
Blockchain-based provenance still has a real use case: transferable digital twins where you want the certificate itself to change hands when the physical product is resold, with on-chain royalty payments back to the original artist. For pure fine art, high-end auction-house pieces, and some collectibles, this can be valuable.
For 99% of Shopify merchants (jewellery, fashion, prints, ceramics, spirits, accessories), the cost (wallet onboarding for every buyer, per-mint fees, gas volatility, ecosystem dependency) is dramatically higher than the benefit. The buyer who just wants to know “is my pendant real” doesn't want to install MetaMask. The EU agreed: their DPP architecture is explicitly federated, not blockchain-based. See our deep dive for the full reasoning.
Frequently asked questions
Do I need this if my products aren't luxury?
Increasingly yes, especially if you sell anything that can be counterfeited or that has a secondary market. Even mid-tier streetwear and craft goods benefit from a verifiable trail: buyers screenshot the cert, share it in resell channels, and use it as proof of legitimacy.
Will my buyer actually scan the QR code?
About 30-50% of buyers scan within the first week, based on view-tracking data from Editioned-using stores. Many more scan months later when they go to resell or gift the piece. The cert isn't valuable because every buyer scans; it's valuable because the buyer can.
What if my Shopify theme is custom?
Editioned's theme blocks work on any Shopify Online Store 2.0 theme: Dawn, Sense, Studio, and custom themes built on the Liquid 2.0 architecture. The blocks read metafields directly with no JavaScript runtime, so they don't break theme updates or page-speed scores.
How do I make my certificate visible to resale platforms?
Two ways: (1) include the cert URL on the cert PDF and in your packaging insert, so the resale-platform authenticator scans it on intake; (2) embed the cert page link block on your product page so the certificate URL is part of the public-facing product record. Most authenticators check for both.
Can I migrate from another provenance tool to Editioned?
Yes, but each migration is a manual job; there isn't (yet) a universal import format. Editioned's data structure is plain JSON-LD, so you can also export out at any time if you ever need to migrate elsewhere. Lock-in is an anti-pattern for provenance tools; insist on data portability.
Sources
- EU Ecodesign for Sustainable Products Regulation (ESPR 2024/1781), eur-lex.europa.eu/eli/reg/2024/1781
- EU Battery Regulation 2023/1542 (DPP for batteries from Feb 2027), eur-lex.europa.eu/eli/reg/2023/1542
- CIRPASS-2 Core Ontology (April 2025 proposal), cirpass2.eu
- GS1 Digital Link standard, gs1.org/digital-link
- Schema.org Product specification, schema.org/Product