npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@algovoi/rfc9421-verifier

v0.2.1

Published

AlgoVoi RFC 9421 HTTP Message Signatures + RFC 9530 Content-Digest reference verifier

Downloads

508

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

algovoialgovoi

Keywords

rfc9421rfc9530http-signaturesed25519agentic-paymentscompliance

Readme

algovoi-rfc9421-verifier

PyPI npm Apache 2.0 IETF I-D

AlgoVoi-authored reference verifier for RFC 9421 (HTTP Message Signatures) plus RFC 9530 (Digest Fields for HTTP). Python and TypeScript, byte-for-byte parity, Apache 2.0.

Use cases:

  • Verify an incoming RFC 9421-signed HTTP request against a known public key.
  • Re-validate a captured request after it traverses a TLS-re-terminating proxy chain (the property pinned in the rfc9421_proxy_chain_v0 conformance fixture).
  • Build conformance test harnesses anchored to the RFC 8032 Section 7.1 deterministic Ed25519 reference keypair.

Packages

| Language | Package | Install | |---|---|---| | Python | algovoi-rfc9421-verifier | pip install algovoi-rfc9421-verifier | | TypeScript | @algovoi/rfc9421-verifier | npm install @algovoi/rfc9421-verifier |

Both packages are byte-deterministic on identical inputs and tested against the same RFC 8032 Section 7.1 Test 1 reference fixture.

Quick start

Python

from algovoi_rfc9421_verifier import verify_request

result = verify_request(
    method="GET",
    authority="api.algovoi.co.uk",
    path="/compliance/attestation",
    headers={
        "content-digest": "sha-256=:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=:",
        "signature-input": (
            'sig=("@method" "@authority" "@path" "content-digest" "created");'
            'created=1778955520;keyid="did:web:api.algovoi.co.uk";alg="ed25519"'
        ),
        "signature": (
            "sig=:Xj1peMjEYi75R/QQFYpU9q/gHwQKYwgt1etjAX1qc0zugTMJoJ86Uhy/jTZ175b3"
            "zFhp0j8cLjmDJvGmySDBAQ==:"
        ),
    },
    body=b"",
    public_key="d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
)
assert result.valid

TypeScript

import { verifyRequest } from "@algovoi/rfc9421-verifier";

const result = await verifyRequest({
  method: "GET",
  authority: "api.algovoi.co.uk",
  path: "/compliance/attestation",
  headers: {
    "content-digest": "sha-256=:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=:",
    "signature-input":
      'sig=("@method" "@authority" "@path" "content-digest" "created");created=1778955520;keyid="did:web:api.algovoi.co.uk";alg="ed25519"',
    signature:
      "sig=:Xj1peMjEYi75R/QQFYpU9q/gHwQKYwgt1etjAX1qc0zugTMJoJ86Uhy/jTZ175b3zFhp0j8cLjmDJvGmySDBAQ==:",
  },
  body: new Uint8Array(),
  publicKey:
    "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
});
if (result.valid) console.log("verified");

API surface (v0.1.0)

| Function | Purpose | |---|---| | verify_request / verifyRequest | High-level: parse all headers, build signing base, verify Content-Digest, verify Ed25519 signature, return a VerifyResult with per-step success flags. | | verify_signature / verifySignature | Lower-level: caller supplies the signing base; library verifies Ed25519 only. | | verify_content_digest / verifyContentDigest | Validate RFC 9530 Content-Digest header against a body. SHA-256 and SHA-512 supported. | | build_signing_base / buildSigningBase | Construct the RFC 9421 §2.5 signing base from covered components + values. | | parse_signature_input / parseSignatureInput | Parse a Signature-Input header. Accepts the strict labelled form and the unlabelled real-world form. | | parse_signature_value / parseSignatureValue | Parse a Signature header. | | compute_content_digest / computeContentDigest | Compute a Content-Digest header value for a body. |

Scope (v0.1.0)

  • Algorithms: Ed25519 only. ECDSA-P256 and RSA-PSS are roadmap.
  • Derived components: @method, @authority, @path, @target-uri, @scheme, @status, plus created and expires parameters. @request-target, @query, @query-param are roadmap.
  • Header forms: strict labelled <label>=(...) and unlabelled (...);created=... real-world forms both accepted.
  • Content-Digest: SHA-256 (mandatory per RFC 9530) and SHA-512. Other algorithms in the IANA registry are roadmap.

The v0.1.0 surface is sufficient to verify any AlgoVoi production compliance receipt and the rfc9421_proxy_chain_v0 conformance fixture. Multi-algorithm + multi-label support arrives in v0.2.0.

Conformance fixture

The reference fixture for the verifier is at chopmob-cloud/algovoi-jcs-conformance-vectors/vectors/rfc9421_proxy_chain_v0/. It uses the RFC 8032 Section 7.1 Test 1 deterministic Ed25519 keypair and includes a tcpdump wire-capture record (E2E_PROOF.md) demonstrating that the RFC 9421 headers survive a 3-hop TLS-re-terminating proxy chain (Cloudflare edge → nginx → FastAPI) byte-identical.

Companion IETF Internet-Draft

This library is part of the AlgoVoi substrate that anchors draft-hopley-x402-compliance-receipt-00 (Independent Submission, Informational; posted 2026-05-23). The receipt-format audit-chain property in the I-D assumes signed receipts can be transported and re-verified independently of the originating gateway — exactly the property this verifier checks.

Related AlgoVoi substrate packages

| Package | Purpose | |---|---| | algovoi-substrate / @algovoi/substrate | JCS RFC 8785 canonicalisation, action_ref, transactional lifecycle, compliance receipt builder | | algovoi-audit-verifier / @algovoi/audit-verifier | Selective-disclosure audit bundle verifier; consumes substrate output | | algovoi-rfc9421-verifier / @algovoi/rfc9421-verifier | This package. RFC 9421/9530 HTTP signature verifier |

Relationship to the canonicalisation discipline

This package verifies HTTP message signatures per RFC 9421 + RFC 9530 -- a different canonicalisation surface from the AlgoVoi JCS RFC 8785 receipt-body discipline at docs.algovoi.co.uk/canonicalisation-substrate. HTTP signature verification (this package) and receipt-content verification (@algovoi/audit-verifier + the receipt-format packages) are complementary surfaces: this verifier confirms wire-level message integrity; the AlgoVoi JCS substrate confirms receipt-body canonical integrity. Both are AlgoVoi-authored under sole authorship.

Parties anchoring to the AlgoVoi canonicalisation discipline are recorded in the Substrate Adopters Registry; the registry's canon_version pin criterion applies to receipt-body artefacts, not to HTTP signatures as such.

Licence

Apache 2.0. See LICENSE.

Author

AlgoVoi (Christopher Hopley, GitHub chopmob-cloud).