npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

0cert-middleware

v1.0.0

Published

Drop-in Express middleware for 0Cert identity-based encryption. Zero certificates. Zero renewals.

Readme

0cert-middleware

Drop-in Express middleware for 0Cert — identity-based encryption for Node.js.
Zero certificates. Zero renewals. Zero CAs.


Install

npm install 0cert-middleware

Usage

const express   = require('express')
const zerocert  = require('0cert-middleware')

const app = express()

app.use(zerocert({
  identity:    'mysite.com',               // your domain
  fullPrivKey: process.env.IBC_PRIV_KEY,   // from 0 Browser app or KGC API
  userSecret:  process.env.IBC_USER_SECRET, // generated during key setup
  kgc:         'https://kgc.0cert.io'      // public KGC (or your own)
}))

app.get('/', (req, res) => {
  res.send('Hello! This site is 0Cert protected.')
})

app.listen(3000)

That's it. Your site now:

  • Serves /.well-known/0cert — verified by 0 Browser automatically
  • Adds X-0Cert-* headers to all responses
  • Shows 0Cert Verified badge to 0 Browser users

Get your keys

Option 1 — 0 Browser app (easiest)

  1. Download 0 Browser on iOS
  2. Go to My Sites tab → tap +
  3. Enter your domain
  4. Copy the keys shown

Option 2 — KGC API directly

# 1. Generate user secret
curl -X POST https://kgc.0cert.io/user/generate-secret

# 2. Issue partial key for your domain
curl -X POST https://kgc.0cert.io/issue-partial-key \
  -H "Content-Type: application/json" \
  -d '{"identity": "mysite.com"}'

# 3. Combine keys
curl -X POST https://kgc.0cert.io/user/combine-keys \
  -H "Content-Type: application/json" \
  -d '{
    "identity": "mysite.com",
    "partialKey": "...",
    "userSecret": "..."
  }'

Store the keys as environment variables:

IBC_PRIV_KEY=your_full_priv_key
IBC_USER_SECRET=your_user_secret

Add DNS TXT record

In your domain registrar, add:

TXT  @  ibc-kgc=https://kgc.0cert.io

This tells 0 Browser which KGC to use for your domain.


Options

zerocert({
  // Required
  identity:    'mysite.com',
  fullPrivKey: '...',
  userSecret:  '...',

  // Optional
  kgc:              'https://kgc.0cert.io', // KGC server URL
  verifyPath:       '/.well-known/0cert',   // verification endpoint path
  verifyOnStartup:  true,                   // verify with KGC on startup
  debug:            false,                  // verbose logging
})

Verification endpoint

The middleware automatically serves /.well-known/0cert:

{
  "ok": true,
  "version": "1.0.0",
  "identity": "mysite.com",
  "kgc": "https://kgc.0cert.io",
  "status": "verified",
  "keyId": "...",
  "algorithm": "CL-PKC-ECDH-v2"
}

0 Browser calls this endpoint when visiting your site to show the verified badge.


Response headers

Added to every response:

X-0Cert-Identity:  mysite.com
X-0Cert-KGC:       https://kgc.0cert.io
X-0Cert-Status:    verified
X-0Cert-Version:   1.0.0
X-0Cert-Algorithm: CL-PKC-ECDH-v2

Decrypt messages (optional)

If you receive encrypted messages via the 0Cert protocol:

const zerocert = require('0cert-middleware')

const config = {
  identity:    'mysite.com',
  fullPrivKey: process.env.IBC_PRIV_KEY,
  userSecret:  process.env.IBC_USER_SECRET,
}

// Decrypt an envelope received from a 0Cert client
const plaintext = zerocert.decrypt(config, envelope)
console.log(plaintext) // → original message

Enterprise / private KGC

Point to your own KGC server:

app.use(zerocert({
  identity:    'mysite.com',
  fullPrivKey: process.env.IBC_PRIV_KEY,
  userSecret:  process.env.IBC_USER_SECRET,
  kgc:         'https://kgc.yourcompany.com', // private KGC
}))

See github.com/0cert/kgc-server to self-host.


How it works

Traditional SSL:
  CA signs certificate → browsers trust ~150 CAs → encrypted connection
  Problem: any CA can fake any certificate

0Cert (CL-PKC):
  KGC issues partial key → you generate user secret → combined = full key
  Encryption uses ECDH P-256 against your public key
  Even the KGC cannot decrypt your traffic

Read more at 0cert.io


License

MIT — 0cert.io