@zoza/verify

Sign your outbound SMS, email, and WhatsApp so recipients can prove the sender. One line of code, no phone-number verification hurdles, no SMS tax, no SIM-swap risk.

Install

npm install @zoza/verify

Quick start

import { VerifyClient } from '@zoza/verify';

const verify = new VerifyClient({ apiKey: process.env.ZOZA_VERIFY_KEY! });

const signed = await verify.sign({
  channel: 'sms',
  content: 'Your ICICI OTP is 482194. Do not share.',
});

// Send signed.full_message via your SMS gateway:
//   "Your ICICI OTP is 482194. Do not share. [zoza:bid=icici&sig=...&mid=...&ch=sms]"
// Recipient opens zoza.world/verify, pastes the message, gets a green check.

Why

Every bank, exchange, and healthcare app sends OTPs and transactional SMS. Recipients have no way to tell a real message from a phishing copy, and SIM swaps let attackers intercept legitimate traffic. Zoza Verify adds an Ed25519 signature — produced server-side using your registered business key — so recipients can cryptographically verify the sender with one tap.

API

new VerifyClient({ apiKey, apiUrl?, fetch? })

| Option | Type | Notes | |---|---|---| | apiKey | string (required) | Issued at zoza.world/developers/verify. Format vfy_<base64>. | | apiUrl | string | Default https://verify-api.zoza.world. Override for self-host. | | fetch | typeof fetch | For Node <18 or custom request signers. |

verify.sign({ channel, content })

Returns { message_id, channel, signature, compact, signed_at, full_message }.

verify.signBatch({ channel, messages })

Signs up to 1000 messages in one call.

verify.verify({ business_id, channel, content, message_id, signature })

Public endpoint (no API key needed). Returns { valid, business_name?, reason? }.

verify.getRegistry()

Fetches the signed public registry of verified businesses.

Tests

npm install
npm test

Offline mocked tests for speed + determinism. Live round-trip lives in examples/live-api.mjs and requires a real vfy_* key.

License

MIT © Zoza