Decentralized Identity (DID)
Every company on FenixTrace receives a decentralized identifier (DID) anchored on-chain through the trace_shack::did_registry Move module on IOTA Rebased. The DID certifies the company's authenticity, is publicly verifiable in the scanner and forms the cryptographic foundation for transparent product traceability in the supply chain.
What is a DID?
A DID (Decentralized Identifier) is a unique digital identifier that does not depend on a central authority. Unlike a username or email, a DID is created and controlled directly by its owner through cryptography. In the context of FenixTrace, the DID represents a company's verifiable digital identity in the supply chain.
FenixTrace uses an approach inspired by the W3C DID Core standard, implemented through a custom Move module on IOTA Rebased (trace_shack::did_registry). Each DID corresponds to a shared on-chain DidRecord object holding owner, company name, document hash and status. DID registration happens during plan checkout or later via self-registration from the company dashboard.
The main advantage of a decentralized identity is that no single entity can modify or revoke it without the wallet owner's consent (except in governance cases, where the Super Admin has limited powers on the off-chain DID status). This ensures that a company's identity in the supply chain is authentic, on-chain verifiable, and censorship-resistant.
DID Technical Structure
| Field | Value | Description |
|---|---|---|
| Method | did:iota | DID method specific to the IOTA network |
| Network | IOTA Rebased (Move L1) | IOTA Rebased network with Move execution |
| Format | did:iota:<network>:<object_id> | The suffix is the object id of the on-chain shared DidRecord |
| Module | trace_shack::did_registry | Move module that creates and updates the DidRecord |
| Standard | Inspired by W3C DID Core 1.0 | Full integration with IOTA Identity Framework on the roadmap |
| Storage | Shared DidRecord object | Each DID lives as an on-chain shared object, inspectable via RPC or Explorer |
| Verification | Wallet signature + DidRegistered event | Notarization is triggered by the wallet owner and emits a verifiable Move event |
DID Example
The DID consists of four parts: the "did" prefix, the "iota" method, the IOTA Rebased network ("testnet" or "mainnet"), and the object id of the shared DidRecord created on-chain by the did_registry module. You can paste the object id into the IOTA Explorer to see the full record.
Identity Lifecycle
The DID identity onboarding process on FenixTrace follows a 6-phase flow, from plan selection to full operation. Each phase involves verifiable on-chain interactions.
Plan Selection
The company visits the Pricing page and selects one of the available plans (Base, Professional, Enterprise). Each plan includes a different number of registrable products, manageable delegates, and subscription duration. Payment occurs in IOTA tokens via smart contract.
On-Chain Transaction Signing
The user signs the subscription transaction with their IOTA wallet. The trace_shack::master_factory Move module verifies the payment, adds the company to the internal registry and sets the subscription expiry. From this moment the address is recognized as a registered company and can move on to DID registration.
On-Chain DID Registration
With a second wallet signature the frontend invokes did_registry::register, passing company name, document hash and document CID. The module creates a shared DidRecord object, stores owner, status (active) and timestamp, and emits a DidRegistered event with the object id. The final DID is did:iota:<network>:<object_id>, resolvable via RPC and visible on Explorer.
DID Notarization
A third wallet signature calls notarization::record with entity_type = did, entity_reference = "<wallet>|<company>" and a content hash. The module emits a NotarizationRecorded event that serves as a public receipt of the onboarding flow, indexable by any on-chain observer.
DID ↔ Company Linking
The backend reads the object id from the DidRegistered event and associates it with the company in the local registry. From that moment the public scanner, /api/companies and /api/public/companies return identityDid = did:iota:<network>:<object_id> that resolves on Explorer.
Full Operation
The company can now register products (every add_product emits a ProductAdded event and can be notarized via notarization::record), manage delegates and appear in the public scanner with the active identity badge.
Identity Statuses
A company's DID identity can be in one of the following three states. The status is visible both in the admin dashboard and the public scanner, ensuring total transparency.
Active
Identity is verified and fully operational. The company can register products, receive delegations, and its products are visible in the public scanner with the "Verified Partner" badge. The smart contract confirms the on-chain DID matches the company's wallet address.
Full dashboard access • Products visible in scanner • Green "DID active" chip • Can manage delegates
Suspended
Identity is temporarily suspended by the administrator. The company can still access the dashboard in read-only mode but cannot register new products or manage delegates. Already registered products remain visible in the scanner but with a suspension notice. This action is reversible: a Super Admin can reactivate the identity at any time.
Dashboard read-only • No new registrations • Yellow "DID suspended" chip • Products visible with notice
Revoked
Identity has been permanently revoked. This is an irreversible action performed only in severe cases (fraud, terms of service violation, illegal activity). The company loses dashboard access and its products are marked as "Identity Revoked" in the scanner. To operate again on the platform, a new DID registration with a new wallet is required.
No dashboard access • Products marked "DID revoked" • Red chip in scanner • Requires new registration
Administrative Actions (Governance)
Platform-side DID status governance is reserved for the Super Admin (the wallet that deployed the Move package). Admin endpoints require a cryptographically verified wallet signature: every status change is logged as an anomaly record and stored in the audit log. The on-chain shared DidRecord remains owned by the company wallet — the owner keeps cryptographic control over their identifier.
Identity Reactivation
A Super Admin can reactivate a previously suspended identity. The action restores all company functionalities: full dashboard access, ability to register new products, delegate management. The scanner badge returns to "DID Active" (green). Reactivation is immediate and does not require re-notarization.
Identity Suspension
A Super Admin can temporarily suspend an identity for compliance reasons, investigation of reports, or at the company's own request. During suspension, the company retains read access to the dashboard but cannot perform write operations (new products, delegates). Existing products remain in the scanner with a notice.
Identity Revocation
Irreversible action reserved for severe cases. The Super Admin permanently revokes a company's DID identity. The wallet address is blocked, the DID is marked as "revoked" on-chain, and all company products are marked with a warning badge in the scanner. The company can no longer access the platform with the same wallet.
Public Scanner Visibility
FenixTrace's public scanner is the main access point for identity verification. Every registered company is visible with the following identity information:
"Verified Partner" Chip
Indicates the company has an active, on-chain verified DID
DID status chip
Shows the current status (DID active / suspended / revoked) with the matching color
"On-chain proofs" card
Owner, contract, full DID and DID transaction digests — each with a copy button and an Explorer link
DidRecord object id
The DID suffix is the shared DidRecord object id; clicking it opens the on-chain object
Registration date
Derived from the company creation event or the plan notarization
DID transactions
Digests of the did_registry::register and notarization::record transactions, opened on Explorer
All this information is accessible without authentication, ensuring maximum transparency. The scanner's public APIs also allow programmatic access to this data.
Frequently Asked Questions
The DID is cryptographically linked to your wallet. If you lose wallet access, you can no longer manage your identity on FenixTrace. You will need to contact support for the recovery procedure, which may require creating a new DID with a new wallet and migrating existing products.
Yes. The DID in the form did:iota:<network>:<object_id> is exposed both in the public scanner and via /api/public/companies, and the shared DidRecord is readable by anyone via IOTA Explorer or an RPC client. The status (active/suspended/revoked) tracks the on-chain DidRecord and is reflected in the chip shown on the company page.
DID registration is included in the subscription cost. There are no additional costs for DID creation. The only additional cost is IOTA network gas fees for notarization transactions, which are extremely low (fractions of a cent).
Technically the did_registry module does not block multiple DidRecord creations from the same wallet, but the platform resolves the most recent DidRegistered event per wallet, so a second register would override the company DID resolution. If you need multiple identities (e.g., for different branches), use separate wallets and a dedicated plan for each. You can still manage multiple companies as a delegate through the delegation system.
When the subscription expires the on-chain shared DidRecord stays where it is — nobody can delete it — but dashboard functionalities become limited. Already registered products remain visible in the scanner together with their on-chain proofs. To restore full functionalities just renew the subscription from the Pricing page.
Verify Identities
Visit the public scanner to verify the DID status of any company registered on FenixTrace. You can also use the public APIs to integrate verification into your system.