MatchPass
MatchPass
The open-source portable identity, reputation, and event-chain component that any IFR-aligned compliance stack can embed. Fan-held Signet identity, append-only credential chain, community-owned.
We are a component, not a stack. We do one thing well and embed inside anyone else's.
Independent Football Regulator staff, club safety officers, supporter trusts, the Football Supporters' Association, the Football Safety Officers Association, the Sports Grounds Safety Authority, compliance-stack vendors evaluating components, journalists, and anyone else researching how football's new licensing regime will be discharged in practice at club level.
This is not a vendor pitch for a full-stack compliance product. MatchPass does not aspire to cover every aspect of IFR licensing. MatchPass covers one aspect — fan and steward identity on an open, portable, append-only chain — and does it under durable published principles (see what we will never do). Other parts of the compliance stack (financial reporting, fit-and-proper, administrative dashboards, safety-operations software) are left to vendors and partners better placed to provide them.
The Independent Football Regulator begins statutory work on 5 May 2026. 116 clubs across the Premier League, Championship, League One, League Two, and National League require provisional licences before the 2027/28 season. Non-compliance penalties include unlimited fines, licence suspension, and closure.
The pattern is clear: fewer people are being arrested, but the ones who are are doing more severe things more often. Hate crime (420 matches), thrown missiles (363), and pyrotechnics (319) lead the incident categories. The existing enforcement infrastructure has not kept pace, and lower-league clubs lack the budget for closed commercial safety platforms built for Premier League economics.
MatchPass is one end of a two-part identity system:
A ban at one club is visible at every club on the network. A clean record travels too. Fan data lives on the fan's device and on a public relay network the fan controls.
The strategic consequence is deliberate. Clubs adopt MatchPass to run safer matchdays. Fans gain a Signet identity they can carry beyond matchday — age verification at the bar, login at the supporter-trust portal, verified-fan proof in any consultation, reputation at any venue that wants to recognise it. MatchPass is, in effect, a bottom-up distribution channel that puts portable cryptographic identity in mainstream UK hands via the familiar matchday doorway. Closed biometric schemes cannot produce this outcome, because their templates are useless outside the scheme.
Full-stack IFR compliance vendors will emerge. Some will be better resourced than us. Some will bundle licensing-application tooling, financial reporting, administrative dashboards, and fan management into a single invoice. That is a legitimate product shape for a club that wants to hand the compliance problem to one vendor.
MatchPass is not that product. MatchPass is the identity and reputation layer that any such stack can embed, the same way countless products embed payment, mapping, or authentication components rather than building them from scratch. If you are building an IFR-aligned compliance stack for football clubs, MatchPass is a licence-ready component. If you are a club evaluating compliance stacks, ask your vendor whether they embed MatchPass — because the fan-held portable identity is the piece no closed stack can replicate.
MatchPass also works standalone for clubs that want to self-host the gate verification layer directly. Component-first does not mean stack-only.
The credential chain is append-only. Once an event, card, or sanction is published, it cannot be retroactively edited or removed. A club cannot rewrite its own history. This is culturally aligned with Hillsborough Law's duty of candour and is the single strongest reason a safety regulator should prefer an open chain over a closed club-controlled system. It is also the first of our durable commitments; the full list is published.
IFR's licence framework is not yet published. Three areas where MatchPass provides component-level capability a stack can embed:
Every matchday emits a structured chain of scans, events, cards, reviews, and sanctions. MatchPass exposes these as cryptographically signed, auditable exports that a compliance stack can fold into a licence-application package. The stack composes the full submission; MatchPass provides the part of the evidence that covers matchday identity, incident lifecycle, and sanction history.
MatchPass identifies verified fans cryptographically without revealing their personal data. This is the primitive the IFR fan-engagement standard needs: a way to know someone is a bona fide fan of a specific club without handing over name, address, or contact details. Fan-engagement platforms, heritage-voting systems, and independent reporting channels can authenticate against MatchPass credentials and build whatever interface suits their audience. We do not build the consultation UI or the reporting dashboard ourselves — we provide the credential spec so the rest of the ecosystem can build them correctly.
Stewards are hard to recruit and retain — the FSOA has described the worst recruitment crisis in five years, with pay averages at £12.27 per hour nationally and stewards able to earn more at a supermarket. MatchPass supports portable steward reputation: competencies, years of service, cross-club endorsements, and incidents handled can be cryptographically recorded and carried between clubs. A steward who works two seasons at one club arrives at another with verifiable reputation. Workforce-management platforms can embed this as the credentialling layer under their rota, pay, and training tools.
Things MatchPass deliberately does not build: administrative compliance dashboards, financial reporting tools, fit-and-proper checks, real-time safety-operations telemetry, closed biometric identification, centralised fan CRMs. Those belong in the compliance stack that embeds MatchPass, or in adjacent vendor products.
staff_manager role with per-entry expiry) for matchday temp and agency stewards.MatchPass is community-owned. There is no gatekeeping vendor. Clubs do not pay to participate. The protocols are open (built on Nostr). The code is public. Design decisions are recorded openly in the project's decision log. Any club can self-host; any regulator, supporter body, or partner stack vendor can inspect, audit, and extend the implementation.
Because "community-owned" is only as strong as what you refuse to do, we have published a list of commitments at matchpass.club/never — concrete, specific things MatchPass will never do, including never capturing biometric templates, never centralising fan data, never retroactively editing published records, never charging fans, never reselling fan data, and never integrating with closed schemes that break portability. The list is protective: it makes the privacy-first, community-ownership posture an enforceable public artifact rather than an implicit value.
Two tracks:
Integration partners (compliance-stack vendors, workforce-management vendors, fan-engagement platforms, supporter-trust tech providers). If you are building a product that covers aspects of IFR licensing we deliberately don't, we would like to discuss embedding MatchPass as the identity and reputation layer. Your stack ships with an open portable fan identity; your competitors cannot provide that. Terms must preserve the published principles; no exclusive partnerships.
Clubs, safety officers, supporter trusts, and regulators (IFR, SGSA, FSOA, FSA). If you want MatchPass operating standalone — as a self-hosted matchday gate and credential chain — we can demonstrate what is currently shipping and walk through how the component is designed to interoperate with whatever wider compliance tooling you use. Conversations, not contracts.
Contact: via the public project on GitHub at renegaid-org/matchpass-app, or via the club directory at matchpass.club. An introductory email via GitHub issues or via a club already on the directory will reach the project lead.