npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@atlasent/verify

v0.1.0

Published

Offline verifier for AtlaSent Proof bundles. Recomputes the audit chain, re-checks Ed25519 signatures, and re-hashes payloads against bound proofs — without touching the API.

Readme

@atlasent/verify

Offline verifier for AtlaSent Proof bundles. It recomputes every audit hash, re-walks the hash-linked chain, and re-checks every Ed25519 signature — with zero network calls and zero database access. A passing verification here is identical to the check the API runs, so it's suitable as a third-party / auditor-side integrity gate.

Install

npm i -g @atlasent/verify   # or: npx @atlasent/verify ...

CLI

# Verify a bundle exported from GET /v1/proofs/export.
# Signatures are checked against the bundle's embedded key registry.
atlasent-verify bundle.json

# Pin trust to a key you obtained out-of-band (e.g. the AtlaSent trust
# center). The bundle's own key claim is then ignored — this is the
# assurance that matters for an audit.
atlasent-verify bundle.json --pubkey @atlasent-audit-key.pem

Exit code is 0 when every proof verifies, 1 otherwise — and 2 for usage/IO errors. The summary line reports the key source (out-of-band pinned key vs bundle-embedded registry).

--pubkey formats

The flag (or the ATLASENT_PUBLIC_KEY_PEM / ATLASENT_AUDIT_PUBLIC_KEY env var) accepts the key as:

  • PEM (-----BEGIN PUBLIC KEY-----, SPKI),
  • base64 / base64url of the SPKI DER, or
  • base64 / base64url of the raw 32-byte Ed25519 key.

Prefix the value with @ to read it from a file. Passing --pubkey without a value is an error — the verifier fails closed rather than silently falling back to the bundle's key.

Library

import { verifyBundle, importPublicKey } from "@atlasent/verify";

const pinnedKey = await importPublicKey(pem); // or raw/SPKI base64
const result = await verifyBundle(bundle, { pinnedKey });

result.status;      // "valid" | "invalid"
result.key_source;  // "pinned" | "bundle"
result.results;     // per-proof checks + failure_reasons

License

Apache-2.0