npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@liveauth-labs/sdk

v0.2.4

Published

LiveAuth browser SDK (PoW + Lightning human verification)

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

dulzuradevdulzuradev

Keywords

captchaproof-of-worklightningbitcoinbot-protectionauthverification

Readme

LiveAuth JS SDK

Human verification through economics, not heuristics.

npm version License: MIT

What is LiveAuth?

LiveAuth verifies humans economically instead of heuristically.

Instead of CAPTCHAs or tracking, LiveAuth asks the browser to perform a short cryptographic proof. If that fails or is skipped, it falls back to a small Bitcoin Lightning payment.

  • No cookies
  • No fingerprinting
  • No behavioral profiling

How It Works

When a user triggers verification:

  1. Browser attempts Proof-of-Work (PoW)
    Takes ~200–800ms for a real device. Bots pay CPU/battery cost.

  2. If PoW fails → Lightning fallback
    Small payment (e.g. 21 sats). Real economic cost to bots.

  3. LiveAuth returns a short-lived JWT
    Verifiable on your backend. No user identity required.

Most humans never see the Lightning step.

Installation

npm install @liveauth-labs/sdk

Quick Start

import { LiveAuth } from '@liveauth-labs/sdk';

const liveauth = new LiveAuth({
  publicKey: 'la_pk_XXXXXXXX'
});

const result = await liveauth.verify();

if (result.method === 'pow') {
  // PoW succeeded - send token to your backend
  console.log('Verified via PoW:', result.token);
} else {
  // Lightning fallback - show invoice to user
  console.log('Pay invoice:', result.lightning.invoice);
  
  // Poll for payment confirmation
  const token = await liveauth.pollLightning(result.lightning.sessionId);
  console.log('Verified via Lightning:', token);
}

API Reference

new LiveAuth(config)

| Option | Type | Required | Description | |--------|------|----------|-------------| | publicKey | string | ✓ | Your LiveAuth public key | | baseUrl | string | | API base URL (default: https://api.liveauth.app) |

verify(options?)

Attempts verification, starting with PoW and falling back to Lightning if needed.

| Option | Type | Default | Description | |--------|------|---------|-------------| | forceLightning | boolean | false | Skip PoW, go straight to Lightning | | onProgress | function | | Callback: (hashesPerSec, iterations) => void | | powTimeoutMs | number | 30000 | Max time for PoW before fallback | | maxPowIterations | number | 50000000 | Max iterations before fallback |

Returns: Promise<LiveAuthResult>

// PoW success
{
  method: 'pow',
  token: 'eyJhbGciOi...',
  solveMs: 412,
  difficultyBits: 18
}

// Lightning fallback
{
  method: 'lightning',
  lightning: {
    sessionId: 'sess_xxx',
    invoice: 'lnbc...',
    amountSats: 21,
    expiresAtUnix: 1234567890,
    mode: 'LIVE'
  },
  diagnostics: {
    reason: 'pow_unsupported'
  }
}

pollLightning(sessionId, options?)

Polls for Lightning payment confirmation.

| Option | Type | Default | Description | |--------|------|---------|-------------| | timeoutMs | number | 300000 | Max wait time (5 min) | | intervalMs | number | 2000 | Poll interval | | signal | AbortSignal | | Cancellation signal |

Returns: Promise<string> - The verification token

Error Handling

import { 
  LiveAuth,
  LiveAuthTimeoutError,
  LiveAuthCancelledError,
  LiveAuthNetworkError,
  LiveAuthPowTimeoutError
} from '@liveauth-labs/sdk';

try {
  const result = await liveauth.verify();
} catch (err) {
  if (err instanceof LiveAuthNetworkError) {
    console.error('Network issue:', err.message);
  } else if (err instanceof LiveAuthPowTimeoutError) {
    console.error('PoW took too long');
  }
}

Progress Feedback

Show users what's happening during PoW:

const result = await liveauth.verify({
  onProgress: (hashesPerSec, iterations) => {
    console.log(`${(iterations / 1000).toFixed(0)}k hashes @ ${hashesPerSec}/sec`);
  }
});

Backend Verification

Send the JWT to your backend and verify it using your LiveAuth secret key.

Example (Node.js)

import jwt from 'jsonwebtoken';

app.post('/api/verify-liveauth', (req, res) => {
  const { token } = req.body;
  
  try {
    // Verify JWT signature with your LiveAuth secret key
    const decoded = jwt.verify(token, process.env.LIVEAUTH_SECRET_KEY);
    
    // Check expiration (JWT library handles this, but you can also check manually)
    if (decoded.exp && decoded.exp < Date.now() / 1000) {
      return res.status(401).json({ error: 'Token expired' });
    }
    
    // Extract claims
    const { projectId, projectPublicKey, authType, sub } = decoded;
    
    // Verify it matches your project
    if (projectPublicKey !== process.env.LIVEAUTH_PUBLIC_KEY) {
      return res.status(401).json({ error: 'Invalid project' });
    }
    
    // Success - user is verified
    res.json({ 
      verified: true, 
      authType, // 'pow' or 'lightning'
      userId: sub 
    });
    
  } catch (err) {
    res.status(401).json({ error: 'Invalid token' });
  }
});

Token Claims

The JWT contains:

  • sub - Unique user identifier (format: pow:{projectId}:{challengeHex} or lightning:{invoiceId})
  • projectId - Your project's UUID
  • projectPublicKey - Your public API key
  • authType - Verification method: pow or lightning
  • exp - Expiration timestamp (default: 10 minutes from issuance)
  • iat - Issued at timestamp

Security Notes:

  • Always verify the JWT signature using your secret key
  • Check the projectPublicKey claim matches your expected key
  • Respect the exp (expiration) claim
  • The sub claim is ephemeral - don't use it as a permanent user ID unless you're tracking sessions

Debug Mode

Add ?liveauth_debug=1 to your URL to see:

  • Verification method used
  • PoW difficulty and solve time
  • Lightning fallback triggers

Why LiveAuth?

| Traditional CAPTCHA | LiveAuth | |--------------------|----------| | Tracks behavior | No tracking | | ML heuristics | Cryptography | | CAPTCHA farms | Real economic cost | | Bad UX | Invisible to most humans |

License

MIT