Developer Resources
Everything you need to implement the DSPIP shipping protocol: test vectors for all privacy modes,
SDKs, live infrastructure, and implementation guidelines.
Test Vectors
⚠️ Test Keys Only
The private key below is PUBLIC and MUST NOT be used for any production purpose.
It is provided solely for verifying implementation correctness.
Standard Key Pair (secp256k1)
Private Key (hex)
e8f32e723decf4051aefac8e2c93c9c5b214313817cdb01a1494b917c8436b35
Public Key Compressed (hex)
0339a36013301597daef41fbe593a02cc513d0b55527ec2df1050e2e8ff49c85c2
Public Key Base64 (for DNS)
AzmjYBMwFZfa70H75ZOgLMUT0LVVJ+wt8QUOLo/0nIXC
Split-Key Label (Ed25519)
For physical anti-cloning labels with scratch-off zones.
Label Serial
LABEL-2025-ABC123
Zone A Private Key (hex) - Sender Reveal
9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60
Zone B Public Key (hex) - Receiver Reveal
d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a
Standard Mode Payload
Traditional shipping with full recipient information visible.
{
  "type": "SHIP",
  "issuer": {
    "organization": "ACME Logistics",
    "address": {
      "city": "Omaha",
      "state": "NE",
      "country": "US"
    }
  },
  "subject": {
    "name": "Bob Jones",
    "address": {
      "street1": "456 Main Street",
      "city": "Lincoln",
      "state": "NE",
      "postalCode": "68501",
      "country": "US"
    }
  },
  "itemId": "TRACK-2025-000123",
  "timestamp": 1703548800000,
  "typeData": {
    "privacyMode": "standard",
    "parcelId": "TRACK-2025-000123",
    "carrier": "ACME",
    "service": "Ground"
  }
}
Encrypted Mode Payload
Privacy-preserving with encrypted recipient. Only the last mile provider can decrypt.
{
  "type": "SHIP",
  "issuer": {
    "organization": "ACME Logistics",
    "address": {"country": "US"}
  },
  "subject": {
    "lastMileProvider": "omaha-main._dspip.usps.gov"
  },
  "itemId": "TRACK-2025-000124",
  "timestamp": 1703548800000,
  "typeData": {
    "privacyMode": "encrypted",
    "parcelId": "TRACK-2025-000124",
    "lastMileProvider": "omaha-main._dspip.usps.gov",
    "encryptedRecipient": "QTFCMkMzRDRFNUY2Li4u"
  }
}
Split-Key Mode Payload
Maximum security with physical anti-cloning labels. Signed with Ed25519 key from Zone A.
{
  "type": "SHIP",
  "issuer": {
    "organization": "ACME Logistics"
  },
  "subject": {
    "lastMileProvider": "omaha-main._dspip.usps.gov"
  },
  "itemId": "TRACK-2025-000125",
  "timestamp": 1703548800000,
  "typeData": {
    "privacyMode": "split-key",
    "parcelId": "TRACK-2025-000125",
    "lastMileProvider": "omaha-main._dspip.usps.gov",
    "encryptedRecipient": "encrypted_data",
    "authenticationProfile": "PHYSICAL-SPLIT-KEY",
    "publicKeyLocation": "Zone B - Reveal at delivery",
    "labelSerial": "LABEL-2025-ABC123"
  }
}
DNS TXT Records
Shipping warehouse key (with lifecycle fields):
warehouse._dspip.example.com. IN TXT "v=DSPIP1; k=ec; c=secp256k1;
p=AzmjYBMwFZfa70H75ZOgLMUT0LVVJ+wt8QUOLo/0nIXC; types=SHIP;
t=1703548800; exp=1735084800; exp-v=1766620800; s=active; seq=1"
Last mile provider key (with coverage and address):
omaha-main._dspip.usps.gov. IN TXT "v=DSPIP1; k=ec; c=secp256k1;
p=AzmjYBMwFZfa70H75ZOgLMUT0LVVJ+wt8QUOLo/0nIXC; types=SHIP;
auth=government; address=86HJW222+22; coverage=68101,68102,68103,68104,68105"
Key revocation record:
_revoked-key._dspip.example.com. IN TXT "v=DSPIP1; type=key-revocation;
selector=warehouse; revoked=1703548900; reason=compromised; replacement=warehouse-v2"
QR Data Format
Serialized with pipe delimiters. Must have exactly 6 or 7 fields:
DSPIP|<version>|<type>|<keyLocator>|<encodedPayload>|<signature>[|<privateMessage>]
Example complete QR data (standard shipping):
DSPIP|1.0|SHIP|warehouse._dspip.example.com|eyJ0eXBlIjoiU0hJUCJ9...|304502203a8b4c9d2e1f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f022100f9e8d7c6b5a4938271605f4e3d2c1b0a9988776655443322110fedcba987654
Revocation List Example
For tracking lost/stolen packages (auto-prunes after 180 days):
{
  "version": "1.0",
  "issuer": "warehouse._dspip.example.com",
  "updated": 1703548800,
  "revoked": [
    {
      "itemId": "TRACK-2025-000123",
      "revoked": 1703548900,
      "reason": "lost"
    }
  ],
  "signature": "base64_signature"
}
Live Test Infrastructure
The DSPIP project maintains live endpoints for implementation testing.
These can be queried to verify your implementation against known-good data.
Live DNS Record
test._dspip.dspip.io. IN TXT "v=DSPIP1; k=ec; c=secp256k1;
p=AzmjYBMwFZfa70H75ZOgLMUT0LVVJ+wt8QUOLo/0nIXC"
You can query this record using: dig TXT test._dspip.dspip.io
⚠️ Not for Production
These test endpoints are provided for convenience but are not part of the normative
specification. They may change or become unavailable. Implementations MUST NOT
depend on these endpoints for production use.
Implementation Checklist
Use this checklist to verify your DSPIP shipping implementation is complete:
Parsing & Validation
- Parse QR data with exactly 6 or 7 pipe-delimited fields
- Validate protocol equals "DSPIP", version compatible (1.0)
- Validate type equals "SHIP"
- Base64 decode and parse JSON payload
- Check privacyMode field (standard, encrypted, split-key)
DNS & Key Verification
- Query DNS TXT record at keyLocator (skip for split-key mode)
- Parse semicolon-delimited tags from DNS record
- Validate v=DSPIP1, k=ec, c=secp256k1
- Verify types includes "SHIP"
- Base64 decode public key (33 bytes compressed)
- Check key lifecycle: s status, exp (signing), exp-v (verification)
- Verify rsig if present (protects against DNS cache manipulation)
- Query _revoked-key._dspip.<domain> for key revocation status
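The tag parsing, key decoding and lifecycle checks from this list, applied to the warehouse record from the DNS TXT Records section. This is an added example, not code from the DSPIP project; the function names and the lifecycle semantics spelled out in the docstring are assumptions, and rsig and the revocation lookup are not covered.

```python
import base64

# TXT value of the warehouse record above, joined into one string.
WAREHOUSE_TXT = (
    "v=DSPIP1; k=ec; c=secp256k1; "
    "p=AzmjYBMwFZfa70H75ZOgLMUT0LVVJ+wt8QUOLo/0nIXC; types=SHIP; "
    "t=1703548800; exp=1735084800; exp-v=1766620800; s=active; seq=1")

def parse_tags(txt):
    """Split a TXT value into a tag dict; malformed or duplicate tags are errors."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        name, sep, value = part.partition("=")
        if not sep or not name.strip() or name.strip() in tags:
            raise ValueError(f"malformed or duplicate tag: {part!r}")
        tags[name.strip()] = value.strip()
    return tags

def check_key_record(txt, signed_at, now):
    """Return reasons to reject the key (empty list = usable). Times are Unix seconds.

    Assumptions, not stated on the page: exp bounds when a signature may have
    been made, exp-v bounds when it may still be verified, a missing lifecycle
    tag imposes no limit, and any s value other than "active" is rejected.
    """
    tags = parse_tags(txt)
    problems = []
    for name, want in (("v", "DSPIP1"), ("k", "ec"), ("c", "secp256k1")):
        if tags.get(name) != want:
            problems.append(f"{name} must be {want}")
    if "SHIP" not in [t.strip() for t in tags.get("types", "").split(",")]:
        problems.append("types does not include SHIP")
    try:
        key = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        key = b""
    if len(key) != 33 or key[0] not in (2, 3):  # compressed point prefix 02/03
        problems.append("p is not a 33-byte compressed point")
    if tags.get("s", "active") != "active":
        problems.append("key status is not active")
    if "exp" in tags and signed_at > int(tags["exp"]):
        problems.append("signed after signing expiry (exp)")
    if "exp-v" in tags and now > int(tags["exp-v"]):
        problems.append("verification window (exp-v) has closed")
    return problems
```

The payload timestamp in the test vectors is in milliseconds (1703548800000) while the DNS tags are in seconds, so divide by 1000 before passing it as signed_at.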
Signature Verification
- Reconstruct signable: protocol|version|type|keyLocator|encodedPayload
- SHA-256 hash the signable content
- Hex decode the signature
- For split-key: Request Zone B reveal, use Ed25519
- For standard/encrypted: Verify ECDSA with secp256k1
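The Parsing & Validation steps and the first three Signature Verification steps as one function, stopping at the digest and signature bytes that a secp256k1 or Ed25519 library would then check. This is an added example, not code from the DSPIP project; the function names, the UTF-8 encoding of the signable and the standard base64 alphabet are assumptions, and the sample QR string is constructed with placeholder signature bytes.

```python
import base64
import hashlib
import json

SUPPORTED_VERSIONS = {"1.0"}
PRIVACY_MODES = {"standard", "encrypted", "split-key"}

def parse_qr(data):
    """Validate DSPIP QR data and return what signature verification needs."""
    fields = data.split("|")
    if len(fields) not in (6, 7):
        raise ValueError(f"expected 6 or 7 fields, got {len(fields)}")
    protocol, version, msg_type, key_locator, encoded_payload, sig_hex = fields[:6]
    if protocol != "DSPIP" or version not in SUPPORTED_VERSIONS:
        raise ValueError("unsupported protocol or version")
    if msg_type != "SHIP":
        raise ValueError("type is not SHIP")
    try:
        # Assumption: standard base64 alphabet, as in the DNS p= tag.
        payload = json.loads(base64.b64decode(encoded_payload, validate=True))
        signature = bytes.fromhex(sig_hex)
    except ValueError as exc:
        raise ValueError(f"undecodable payload or signature: {exc}") from None
    type_data = payload.get("typeData") if isinstance(payload, dict) else None
    mode = type_data.get("privacyMode") if isinstance(type_data, dict) else None
    if not isinstance(mode, str) or mode not in PRIVACY_MODES:
        raise ValueError("missing or unknown privacyMode")
    # Hash the first five fields exactly as received (assumption: UTF-8 bytes).
    # Never re-serialise the JSON, and note that the optional seventh field is
    # outside the signable, so privateMessage is unauthenticated data.
    signable = "|".join(fields[:5])
    return {
        "payload": payload, "mode": mode, "key_locator": key_locator,
        "digest": hashlib.sha256(signable.encode("utf-8")).digest(),
        "signature": signature,
        "needs_dns_key": mode != "split-key",  # checklist: skip DNS for split-key
        "private_message": fields[6] if len(fields) == 7 else None,
    }

def build_sample(mode="standard", locator="warehouse._dspip.example.com"):
    """Constructed sample: trimmed payload and placeholder (invalid) signature bytes."""
    payload = {"type": "SHIP", "itemId": "TRACK-2025-000123",
               "typeData": {"privacyMode": mode}}
    encoded = base64.b64encode(json.dumps(payload).encode()).decode()
    return "|".join(["DSPIP", "1.0", "SHIP", locator, encoded, "3045" + "00" * 8])
```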
Privacy Mode Handling
- For encrypted mode: Decrypt with ECIES if last mile provider
- For split-key mode: Verify physical label authenticity
- Query revocation list and check if itemId is revoked
- Implement delivery confirmation protocol if required