A cloud-native, multi-tenant platform built on a Hub & Spoke model. Eight verticals across two product families (Asset Provenance + Living Identity) plus a B2B sample-auth API — all sharing one NTAG 424 + Polygon engine.
Core Model
Users land at the Command Center, then navigate into isolated verticals. Five asset products, three identity products, and one B2B API — each with its own dashboard, data, and public surfaces.
/app/wine
/app/luxury
/app/warehouse
/app/supplychain
/app/barrels
/app/pet
/auto
/opcls
/api/v1/sample-auth
Data Flow
Every asset event follows a deterministic pipeline — captured, processed, stored, anchored, and broadcast.
Technology
Eight layers working together — from the browser, through cryptographic verification, to the blockchain.
React 18
CRA + Craco, Tailwind CSS, Shadcn/UI
PWA
Service Worker, offline-first, IndexedDB
White-label runtime
Subdomain auto-detection → single-vertical lock at module load
Sentry
Real-time error monitoring & crash reporting
Multi-Tenancy
Every organization operates in its own silo. Data never bleeds between tenants or verticals.
Each client gets a unique organization_id. All queries are scoped to the org. No cross-tenant data access.
Assets are tagged with a vertical field. Queries pass ?vertical=wine — enforced in both frontend and API.
Each licensed client can configure their own logo, colour scheme, domain, and theme. Managed via the Super Admin onboarding wizard.
// Asset Document
{
  "id": "uuid",
  "organization_id": "org_uuid",
  "vertical": "wine | luxury | warehouse | supplychain | barrels | pets | auto | opcls",
  "category": "string",
  "name": "string",
  "created_at": "ISO datetime"
}

// API Query Pattern
GET /api/assets?vertical=wine
GET /api/assets?vertical=barrels
GET /api/zones?vertical=barrels
GET /api/assets/export/valuation?vertical=barrels

// Enforcement
query = {
  "organization_id": user.org_id,
  "vertical": request.vertical
}
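The enforcement pattern above, as an added Python example (not ScanToProve's own code): the tenant scope comes only from the authenticated user, while the client-supplied vertical is validated before it reaches the query. AuthUser, licensed_verticals, ScopeError, find and the sample assets are hypothetical names and constructed data.

```python
from dataclasses import dataclass

# Vertical names as listed in the asset document on this page.
VERTICALS = frozenset({"wine", "luxury", "warehouse", "supplychain",
                       "barrels", "pets", "auto", "opcls"})
# Keys a client must never be able to set through the query string.
SERVER_ONLY_KEYS = frozenset({"organization_id", "org_id"})


class ScopeError(ValueError):
    """Raised when a request tries to step outside its tenant or vertical."""


@dataclass(frozen=True)
class AuthUser:
    # Hypothetical session object: both fields come from the verified token.
    org_id: str
    licensed_verticals: frozenset


def scoped_query(user, params, asset_id=None):
    """Build the storage filter; organization_id never comes from params."""
    if params.keys() & SERVER_ONLY_KEYS:
        raise ScopeError("tenant scope cannot be supplied by the client")
    vertical = params.get("vertical")
    # Non-string values (lists, operator objects) are rejected outright.
    if not isinstance(vertical, str) or vertical not in VERTICALS:
        raise ScopeError("unknown or missing vertical")
    if vertical not in user.licensed_verticals:
        raise ScopeError("vertical not licensed for this organization")
    query = {"organization_id": user.org_id, "vertical": vertical}
    if asset_id is not None:
        # Lookups by id keep the scope, so an id belonging to another
        # tenant matches nothing instead of returning a document.
        query["id"] = asset_id
    return query


# Constructed sample data: one wine asset in each of two organizations.
SAMPLE_ASSETS = [
    {"id": "a1", "organization_id": "org_a", "vertical": "wine"},
    {"id": "a2", "organization_id": "org_b", "vertical": "wine"},
]


def find(assets, query):
    """In-memory stand-in for the database, used only for this demo."""
    return [a for a in assets if all(a.get(k) == v for k, v in query.items())]
```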
Security
Token-based auth with session management. Role-based access control per user.
Organization-level data isolation. Each tenant sees only their assets.
Assets tagged by vertical. Cross-contamination impossible at query level.
Per-domain build trims unused vertical code paths. Customer never sees another tenant's product.
Bot captcha on auth + public pet endpoints. Stops scrapers and credential-stuffing.
TLS in transit. BYOK R2 credentials encrypted at rest (Fernet AES-128).
AES-128 cryptographic verification on every tap, rolling counter clone detection, physical tag-tamper loop → immutable Polygon event.
Every scan, transfer, and edit logged immutably. Polygon-anchored — full compliance-ready history.
Integrations
Open APIs, webhooks, and hardware-agnostic scanning. ScanToProve fits into your existing stack.
JWT-authenticated endpoints with interactive Swagger docs. Assets, provenance, scans, analytics.
x-api-key endpoints at `/api/v1/sample-auth/*` for DNA labs — activation → result chain, Polygon-anchored.
Federated chip lookup across 40+ pet registries. Open standard (Apache 2.0), no PII at the gateway.
Real-time event delivery to Slack, Discord, Teams, Zapier, or custom endpoints. HMAC-SHA256.
Resend-powered (`alerts@scantoprove.com`) — lost-pet alerts, claims, geo-fence breaches.
USB HID, Bluetooth LE, Web NFC, REST API readers. Works with Zebra, Impinj, Chainway, and more.
Browser → R2 multipart (5 MB parts, 3 retries). No middleware, no transcode-then-upload.
Subdomain auto-detection locks a deployment to one vertical. One build, many products.