Launching Drops by Legitimate

Legitimate is an open ecosystem of physical NFTs, unique physical products featuring unforgettable digital experiences.

Drops by Legitimate is the first of many steps Legitimate is taking in creating an ecosystem and marketplace around physical NFTs. The inspiration came from our work with creators and brands seeking a digital identity for their physical goods, whether to prevent counterfeit, benefit from the NFT ecosystem, or create digital experiences around their physical goods. One of our biggest brand partners is FAITH CONNEXION and we have learned a lot about the fashion space through our collaboration with them.



Our first foray into creating and selling physical NFTs was our collaboration with FAITH CONNEXION during Art Basel Miami 2021. We helped them mint their physical NFTs and set up a website to auction off their pieces, both in US Dollars with credit card and on-chain with ETH. We even created a one-off NFT ATM where event attendees could obtain NFTs minted specifically for the event. We learned that launching a successful physical NFT collection requires much more than just an NFC chip on a product and a minted NFT.

It requires:

  • an audience that has been onboarded to web3, crypto, and NFTs
  • a marketplace to sell and exchange the digital and the physical goods together

In order to support the growing number of creators and brands that want to create physical NFTs and fulfill our vision of creating a physical NFT ecosystem, we have grown our team significantly since the end of 2021. We added some amazing storytellers to help market physical NFTs and onboard people into crypto and web3. We also hired a few more engineers and product people to build out a curated marketplace for physical NFTs so the entire process can be streamlined with technology.

Beyond a Prototype

Drops by Legitimate for FAITH CONNEXION

The initial site we created specifically for FAITH CONNEXION was very limited. It only needed to sell a handful of physical NFTs to a small audience at Art Basel. Creating a platform that serves many artists and creators is entirely different. We had to make some decisions and tradeoffs so we could build a new site from the ground up to launch Drops to a wider audience.

Ship early, ship often. Done is better than perfect.

Dropping support for fiat currency

Allowing off-chain transactions goes against the ethos and premise of web3 and a proper fiat on-ramp is more complex than our engineering team can handle at the moment. Our initial use of Stripe for off-chain credit card payments introduced complex arbitrage opportunities that were hard to mitigate in a volatile crypto market. Fiat on-ramps such as Moonpay are often rejected by credit card issuing banks and impose strict limits on buying so they are not perfect solutions either.

This was not a decision we took lightly because we know many of the bidders on our platform will be web3 beginners. Instead, we will shift our efforts to onboarding beginners onto web3 and we will do our best to guide them to buy ETH through exchanges and make on-chain bids so they can participate in our future auctions.

Zora Auction House

We’re leveraging Zora, its Auction House, and its indexer because we see the power and potential in their ecosystem of SDKs and developer tools for NFTs. Replicating what they have is not only time consuming and expensive, but potentially insecure and unreliable if not done properly, especially when transactions involve cryptocurrency.

We hope to one day launch an auction contract more tailored to transactions involving physical NFTs, but until then, we will be relying on Zora.

Locked NFT v2

Royalties are high on the list of why many artists want to create physical NFTs. The first iteration of the Locked NFT restricted transfers to specific auction contracts to discourage peer-to-peer off-chain sales and prevent the use of on-chain contracts that circumvent royalties. We realized this constraint was limiting, time consuming to enforce, and ultimately encouraged a scenario where the physical goods may be resold separately from the NFTs because of the on-chain restrictions. Instead, we should be incentivizing the use of on-chain marketplaces that respect royalties and encouraging both the physical and the digital to be sold together.

We have removed the transfer restrictions on our new Locked NFT v2 contract in favor of a locking mechanism that displays a reduced set of metadata in the locked state after each transfer. To unlock, tap the NFC tag on the item and a website pops up that will display the NFT and guide the user through the unlock process. On the page linked by the NFC tag, we restrict the unlock process to wallets that hold the digital NFT, to discourage separating the digital NFT from the physical item and NFC tag. Legitimate will manually unlock any physical NFT placed in an auction or sale contract that respects royalties so it displays the proper metadata during the sale process. We will also unlock the NFT during the sale process on our Drops by Legitimate platform.

In a future version, we hope to maintain a whitelist of secure and royalty compliant auction and sale contracts that do not auto lock the NFT when transferred to them for a potential sale. We will also explore ways to extend the security functionality on-chain and only allow unlocks by the NFT owners who have a token generated by the NFC tags.

NFC Tags

Our NFC chips currently come in 2 different versions, a sticker and a cloth tag. Both are from a German manufacturer of IoT goods used by many of your favorite brands and come with a host of security features. We utilize those features to ensure that when tapping the NFC tag, the viewer of the website actually has access to the physical item and that the item is original.

Legitimate tag sewn onto a t-shirt

The tag has a small bit of memory that stores how many times it has been tapped and read from, and it can detect tampering via the chip’s multiple antennae. It also has a write-only memory slot that stores a secret key inserted during Legitimate’s encoding process.

With this data, the NFC chip generates an AES-CMAC: a single-use token embedded in the URL passed back to the device scanning the tag, along with the tap count and whether the tag has been tampered with. Much like two-factor authentication codes, this token cannot be used more than once, and we validate it on our servers. This ensures that the NFC chip cannot be duplicated and that there is a 1:1 mapping between the NFT and the physical item.

The URL generated by our NFC chip looks something like this:

The uid refers to the NFC chip’s unique identification, the ctr counts how many times the chip has been tapped and read from, and the cmac is the single-use token generated from the secret key and the ctr.

In the future, we can activate the tamper detection mechanism to prevent tags from being removed from an item and placed on a replica. The technical implementation is rather straightforward, but we want to ensure that creators and NFT holders are heard when making any final decisions about how a tampered tag should be handled.

Drops by Legitimate

Marriage between Web2 and Web3

Like many web3 companies today, we try to utilize as much web3 infrastructure as possible while falling back on web2 when there are no comparable alternatives in the web3 space. This list of vendors and partners will always be evolving but we hope this provides transparency into our technology stack.

  • Our servers are hosted on Heroku
  • The NFT metadata is hosted on our servers — We learned that in the lifecycle of the sale of a physical NFT, there is a need to add or edit the metadata, including the item name and description, at any time during the sale process. While uploading them to IPFS is not a big technical change, it goes against the workflow of many of our artists and creators. (In the event that we need to shut down or migrate our servers, we will upload the existing metadata to IPFS and update the base URL on the NFT contract so the NFT metadata will be available indefinitely.)
  • We store some transactional data on our servers — We need your email so we can contact you for shipping information and provide post-sale support. We also store some data about the auctions so we can properly render the items in the auction page before that data is made available from Zora’s indexer.
  • We use Cloudinary for image optimization and content delivery — As an e-commerce platform, the potential loading times for IPFS images of 30 seconds to a minute are simply not acceptable, even when accessing through gateways. Cloudinary lets us cache images from IPFS on their servers and then resize or optimize them to fit your device screen.
  • The Drops site runs on Next.js and React
  • Our backend systems use a combination of Node.js, PostgreSQL, and Ruby on Rails
  • Pinata for pinning NFT images on IPFS
  • Infura for reading and writing to the blockchain

What’s next?

Drops by Legitimate is just the beginning. We want to enable more creators and brands, big and small, to have access to the same Marketplace we created for our partners with Drops. We want to enable more ways of selling and transacting physical NFTs more securely. We want to make more physical NFTs available to a wider audience.

Stay tuned and check out our current Drops at!
