@powforge/ratelimit

v0.2.0

Proof-of-work rate limiting middleware for Express/Fastify. No API keys, no third-party services. Clients prove computational work to access your API.

Proof-of-work rate limiting for Express APIs. No API keys, no accounts, no third-party services.

Clients solve a SHA-256 puzzle to prove computational work before accessing your API. Solved proofs grant time-limited tokens for subsequent requests.

Install

```bash
npm install @powforge/ratelimit
```

Quick Start

```js
const express = require('express');
const { powRateLimit } = require('@powforge/ratelimit');

const app = express();

// Protect your API with PoW rate limiting
app.use('/api', powRateLimit({ difficulty: 14 }));

app.get('/api/data', (req, res) => {
  res.json({ message: 'You proved computational work to get here' });
});

app.listen(3000);
```

How It Works

  1. Client requests /api/data without proof
  2. Server responds 429 with a SHA-256 challenge
  3. Client finds nonce where SHA256(salt + nonce) has N leading zero bits
  4. Client retries with X-PoW-Proof: salt:nonce:signature header
  5. Server verifies and issues X-PoW-Token for subsequent requests (5 min TTL)
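The server side of steps 2 to 4 can be sketched as follows. This is an added example, not the package's own code: the challenge layout (expiry embedded in the salt, HMAC over `salt|difficulty`) and the names `SECRET`, `sign`, `issueChallenge`, `verifyProof`, `solve` and `leadingZeroBits` are assumptions made for illustration.

```javascript
// Added illustration: the challenge layout below is an assumption, not the package's wire format.
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32);   // hypothetical per-process HMAC key
const CHALLENGE_TTL_MS = 120 * 1000;     // matches the challengeTTL default of 120 s

// Bind the salt AND the difficulty, so a signature cannot be reused at a lower difficulty.
function sign(salt, difficulty) {
  return crypto.createHmac('sha256', SECRET).update(`${salt}|${difficulty}`).digest('hex');
}

// Count leading zero bits of a digest Buffer.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// The expiry timestamp lives inside the signed salt, so no per-challenge state is stored.
function issueChallenge(difficulty, now = Date.now()) {
  const salt = `${now + CHALLENGE_TTL_MS}.${crypto.randomBytes(16).toString('hex')}`;
  return { salt, difficulty, signature: sign(salt, difficulty) };
}

// proof is the "salt:nonce:signature" value of the X-PoW-Proof header.
function verifyProof(proof, difficulty, now = Date.now()) {
  const parts = String(proof).split(':');
  if (parts.length !== 3) return false;
  const [salt, nonce, signature] = parts;
  if (!/^\d+$/.test(nonce) || !/^[0-9a-f]{64}$/.test(signature)) return false;
  const expected = Buffer.from(sign(salt, difficulty), 'hex');
  // Authenticate first (constant-time), then trust the expiry parsed from the salt.
  if (!crypto.timingSafeEqual(Buffer.from(signature, 'hex'), expected)) return false;
  if (Number(salt.split('.')[0]) < now) return false;
  const digest = crypto.createHash('sha256').update(salt + nonce).digest();
  return leadingZeroBits(digest) >= difficulty;
}

// Reference solver performing the same search as a client.
function solve({ salt, difficulty }) {
  for (let nonce = 0; ; nonce++) {
    const digest = crypto.createHash('sha256').update(salt + nonce).digest();
    if (leadingZeroBits(digest) >= difficulty) return nonce;
  }
}
```

Verification costs the server one HMAC and one SHA-256 per proof, while the client pays about 2^difficulty hashes on average.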

Client Integration

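```js
async function fetchWithPoW(url) {
  let res = await fetch(url);

  // 429 means the server wants proof of work and has sent a challenge
  if (res.status === 429) {
    const { challenge } = await res.json();
    const nonce = await solveChallenge(challenge);
    const proof = `${challenge.salt}:${nonce}:${challenge.signature}`;
    res = await fetch(url, {
      headers: { 'X-PoW-Proof': proof }
    });
  }

  return res;
}

// Hex-encoded SHA-256 via Web Crypto.
// Assumption: the server hashes the UTF-8 bytes of the string salt + nonce.
async function sha256(text) {
  const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(text));
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0')).join('');
}

async function solveChallenge({ salt, difficulty }) {
  for (let nonce = 0; ; nonce++) {
    const hash = await sha256(salt + nonce);
    // Compare the first 32 bits of the hash against the target (valid for difficulty <= 32)
    const bits = parseInt(hash.substring(0, 8), 16);
    if (bits < Math.pow(2, 32 - difficulty)) return nonce;
  }
}
```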

Options

| Option | Default | Description |
|--------|---------|-------------|
| difficulty | 14 | Leading zero bits (14 = ~16k hashes, <1s) |
| tokenTTL | 300 | Token validity in seconds |
| challengeTTL | 120 | Challenge validity in seconds |
| secret | auto | HMAC signing secret |
| skipIf | null | (req) => boolean to bypass PoW |

Difficulty Guide

| Difficulty | Expected Hashes | Browser Time | Use Case |
|-----------|----------------|-------------|----------|
| 10 | 1,024 | ~25ms | Light protection |
| 14 | 16,384 | ~350ms | Standard API protection |
| 18 | 262,144 | ~12s | High-value endpoints |
| 20 | 1,048,576 | ~23s | Rate-limit heavy consumers |

Data from empirical experiments on AMD EPYC 7443P. Browser times ~5x slower than server.

Why PoW Instead of API Keys?

  • No accounts needed: Clients prove work, not identity
  • No rate limit state: Server is stateless (tokens are self-contained HMACs)
  • Bot deterrence: Automated scrapers must spend real CPU time per request
  • Privacy-first: No tracking, no IP logging, no third-party calls
  • Softwar thesis: Access costs energy, not credentials

Part of the PowForge Project

Built as part of the Softwar thesis research, testing proof-of-work as a universal access control mechanism.

License

MIT