MatchPass
MatchPass
Ten durable public commitments that bound what MatchPass is. Published so partners, regulators, and fans can hold us to them.
Community ownership is only as strong as what you refuse to do.
MatchPass is an open-source matchday identity, reputation, and event-chain component. It is community-owned, privacy-first, and designed to sit inside compliance stacks as an embeddable layer — not to become a gate-kept commercial bundle.
Principles stated loosely are principles that get negotiated away under pressure. The commitments below are stated concretely so breaking them would be an obvious, public violation. They apply to the MatchPass project, its maintainers, its reference implementations, and any partnership we enter into. Partners who want MatchPass embedded in their stack accept these commitments as part of the integration.
If MatchPass is ever on a path to break one of these, expect that decision to be argued through in public, in the project's ADR log, before it happens.
No face prints. No fingerprints. No iris scans. No gait analysis. No voice prints. Fan identity is held on the fan's own device, verified cryptographically against a photo that fans control and can rotate.
Why: biometric data is the category where consent is most often theoretical and harm is most often permanent. The only way to never leak it is to never hold it.
No central database of fan names, addresses, contact details, or incident histories. Fan data lives on the fan's device and on a public relay network the fan controls. The gate server is stateless; when it shuts down, nothing of the fan remains on it.
Why: centralised fan databases become the target of breaches, subpoenas, and feature creep. Not holding the data is the only reliable protection.
Events, cards, sanctions, reviews, and roster changes are append-only. A correction is a new event that references the earlier one, not a rewrite of the earlier one. The chain is the history; the history cannot be silently revised.
Why: Hillsborough Law's duty of candour says officials must tell the truth about what went wrong. A club cannot rewrite its own history, and neither can we.
The gate server, credential chain protocol, steward and admin PWA, verification library, and every component a club depends on to operate remain open source under a permissive licence. No dual-licence traps. No "source available" sleight-of-hand.
Why: clubs depend on the software continuing to exist under terms they control. Closed-source ingredients can be withdrawn; open-source ingredients cannot.
The fan-facing identity (Signet) is free forever. The matchday QR code is free forever. Nothing a fan needs to walk through a turnstile with a MatchPass-using club ever costs money.
Why: paying to exist as a fan is the line. Football's community depends on the people who cannot and should not have to pay an identity tax to attend.
Clubs may pay partners and operators for hosting, support, training, integration, and adjacent services. Clubs will never pay MatchPass itself for the ability to verify fans at the gate. The core is permanently free-to-clubs.
Why: safety is not a premium feature, and lower-league clubs must not be priced out of the network they most need.
No advertising business. No analytics resale. No demographic products sold to sponsors, leagues, or brands. No partnerships that monetise who fans are or what they do. MatchPass revenue, where it exists, comes from value delivered to clubs and partners — never from selling the community it serves.
Why: community ownership is meaningless if the community is the product.
Card issuance, sanction decisions, review outcomes, and roster changes are visible on the public chain. No opaque server-side scoring. No secret sauce that decides whether a fan is admitted. No algorithms the fan cannot inspect.
Why: a system that judges people must be inspectable by the people it judges. That is the minimum bar for legitimacy.
Fans may choose to attach verified attestations (age, address, eligibility) via Signet when a specific context calls for them. Holding a MatchPass identity is never conditional on a passport, driving licence, national ID, or any state-issued credential match.
Why: community ownership, not government dependency. Football identity must not become an ID-card-by-the-back-door.
If a potential partner requires fans to give up their chain reputation, hand credentials to a central authority, accept a non-portable identity, or surrender keys to a vendor, we do not integrate. Portability across clubs, across contexts, and across time is the core of the thesis.
Why: a closed scheme that wraps MatchPass inside itself would defeat the reason MatchPass exists. The component is only valuable if it remains open at every edge.