npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@foxbook/sdk-claim

v0.2.1

Published

Verifiable agent identity for Agent2Agent (A2A) and MCP. TypeScript reference SDK for the Foxbook claim flow + verification. Six functions: claimStart / claimVerifyGist / claimRevoke / verify / foxbookVerify / verifyAgentCard.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

cloakmastercloakmaster

Keywords

a2aagent2agentmcpagent-identitytransparency-logrfc-9162merkle-treeed25519verifiableagent-card

Readme

@foxbook/sdk-claim

Verifiable agent identity for A2A and MCP. The reference TypeScript SDK for the Foxbook claim flow + verification: claim a handle, verify the claim landed in the public transparency log, and check another agent's card before dispatching work.

Install

pnpm add @foxbook/sdk-claim
# or: npm install @foxbook/sdk-claim
# or: yarn add @foxbook/sdk-claim

Use

import { verifyAgentCard } from "@foxbook/sdk-claim";

const result = await verifyAgentCard(otherAgent.card, {
  asset_type: "github_handle",
  requireFreshSTH: 3600, // optional: reject STHs older than 1h
});

if (result.status !== "verified") {
  // block, log, fall through to your risk policy
  return;
}
// Verified. Safe to call.

verifyAgentCard returns one of four discriminated outcomes:

| Outcome | Meaning | Mapping | |---|---|---| | verified | Card's handle is in the transparency log AND inclusion proof reconstructs cleanly | allowed | | unverified | Handle not in the log OR proof failed | blocked (or retry, see reason_code) | | handle-mismatch | Card claims a different DID than the log attests for the handle | blocked | | stale-proof | STH older than requireFreshSTH threshold | warning (caller decides) |

The verified branch carries verified_signing_key_hex — the agent's currently active Ed25519 signing key — so an enforcement gateway can verify the AgentCard's JWS signature in one call rather than two.

The unverified branch carries an optional structured reason_code (handle-not-claimed / inclusion-proof-failed / key-not-yet-logged / card-malformed) so callers can branch on retry-vs-block without parsing the free-form reason string. key-not-yet-logged is reserved for the rotation transition window — when an AgentCard's signing-key-registration leaf has been written but isn't yet in the latest STH; callers should retry shortly rather than permanent-block.

No numeric trust score, no reputation field — verification is kept separate from reputation by design.

API surface

| Function | What it does | |---|---| | claimStart(input) | POST /api/v1/claim/start — mint did + verification code | | claimVerifyGist(input) | POST /api/v1/claim/verify-gist — transition to tier 1 via GitHub Gist | | claimRevoke(input) | POST /api/v1/claim/revoke — recovery-key signed revocation | | verify(input) | RFC 9162 inclusion-proof primitive against the transparency Worker | | foxbookVerify(input) | Handle → {tier, revoked, did, leafIndex} (or not-claimed) | | verifyAgentCard(card, options) | Runtime-safety gate; chains foxbookVerify + handle-mismatch + verify + freshness |

All functions accept per-call apiBase / worker_base overrides; the defaults point at the canonical reference deployment:

  • DEFAULT_API_BASE = "https://api.foxbook.dev"
  • DEFAULT_WORKER_BASE = "https://transparency.foxbook.dev"

What this is

Foxbook is a verifiable identity primitive for agents. A receiving agent reading an A2A AgentCard has no cryptographic basis for trusting the handle field on its own. Foxbook fixes that with an Ed25519 + RFC-9162-shaped public Merkle transparency log: claim your handle, the claim lands as a leaf in the log, and any other agent can verify the binding before dispatching work to you.

This SDK is the TypeScript surface anyone calls to:

  1. Claim a handle (claimStart → publish verification code → claimVerifyGist).
  2. Revoke a claim (claimRevoke with a recovery-key-signed JWS).
  3. Verify another agent's card before calling them (verifyAgentCard).

Live verification you can run right now

The transparency log is live and unauthenticated. Walk the proof yourself:

curl -s https://transparency.foxbook.dev/root | jq
curl -s https://transparency.foxbook.dev/inclusion/0 | jq

The signed tree head returned by /root matches what verifyAgentCard reconstructs internally.

Compose with Foxbook

If you're building an evidence-layer, verdict-layer, or other identity-anchored system that wants to cite Foxbook-verified identity, see:

Foxbook is in stable / maintenance mode; composition is welcome.

Design rationale

The SDK was first proposed as the upstream reference for the A2A spec's identity layer. See the design context, four-discriminated-outcomes rationale, and CTEF v0.3.1 byte-match interop validation:

License

Apache 2.0. The protocol contract is open; anyone can run a parallel deployment, the spec is the standard, not the host.