npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

aeo-record

v0.3.0

Published

Check a domain's AEO record (v=AEO1) — /.well-known/aeo.json first, then the _aeo DNS TXT record via DNS-over-HTTPS — and independently verify its Ed25519 sig= against the catalog's published facts. The open checker for the AEO record standard (aeorecord.

Readme

aeo-record

Check a domain's AEO record (v=AEO1) — the DNS-layer standard for AI answer-engine verification, the way SPF/DKIM/DMARC work for email — and independently verify its Ed25519 signature against the catalog's published facts. Spec: aeorecord.org.

Zero dependencies. Node ≥18 (uses global fetch; signature verification uses WebCrypto Ed25519 with a node:crypto fallback). Checks /.well-known/aeo.json first (works with any crawler today), then the authoritative _aeo.<domain> DNS TXT record via DNS-over-HTTPS — so it also works in browsers, edge runtimes, and hosts where port-53 DNS is blocked.

CLI

npx aeo-record groundedaeo.com

Prints the record plus a signature block. Exit code 0 if a record is found, 1 if not.

Library

import { checkAeo, verifyAeo } from 'aeo-record'

// Discovery only
const record = await checkAeo('groundedaeo.com')
// { found: true, source: 'well-known' | 'dns', tier: 'listed', catalog: '…', sig: '…', ... }

// Discovery + independent signature verification
const verified = await verifyAeo('groundedaeo.com')
// { ...record, signature: { present: true, checked: true, valid: true, key_id: 'grd-2026-07' } }

The record format

_aeo.yourdomain.com  TXT  "v=AEO1; id=grd_abc123; catalog=https://groundedaeo.com/c/yourdomain.com; tier=listed; ts=20260703; sig=BASE64URL_ED25519_SIGNATURE"

| Tag | Required | Meaning | |-----|----------|---------| | v=AEO1 | yes | Record version | | id= | verified tiers | Issued token proving the domain authorized its catalog entry | | catalog= | yes | Stable URL of the verified catalog record (none for self-declared) | | tier= | yes | self_declared / listed / verified / grounded | | ts= | yes | Date of last verification (YYYYMMDD) — freshness signal | | sig= | paid tiers | base64url Ed25519 signature of the catalog record (see below) |

Signature verification

sig= cryptographically binds the record to the catalog content, so anyone can confirm the facts haven't been tampered with — without trusting the catalog API (tampered facts change the hash and the signature fails). Issued for all paid tiers (listed/verified/grounded); self-declared records are honestly unsigned.

message    = "AEO1|" + domain + "|" + tier + "|" + ts + "|" + facts_hash
facts_hash = sha256 hex of JSON.stringify(published facts as {fact_type, key, value}
             objects, sorted by fact_type, then key, then value — codepoint order)
sig        = base64url Ed25519 signature of the UTF-8 message

Everything is discovered from the record's own catalog= origin (issuer-neutral):

  • published facts: {origin}/api/companies/{domain}.facts[]
  • verification keys: {origin}/.well-known/aeo-public-key.json.keys[] (public_key = base64url raw 32-byte Ed25519 key)

Key status (spec v0.2): keys marked active or retired are used for verification — retired is normal rotation, so records signed before a rotation keep verifying. Keys marked revoked are skipped entirely (compromised key; even old signatures made with it are untrusted). A key with no status is treated as active. The isUsableKey(key) helper is exported if you iterate keys yourself.

verifyAeo() does all of this for you. Semantics of the result:

  • valid: true — the record matches the catalog's current published facts.
  • valid: falsestale or tampered: either the facts changed since the record was issued (the domain owner should re-issue the record) or the content doesn't match what was signed. Fetch the current record from the catalog to tell which.
  • checked: false — a signature is present but couldn't be verified (catalog or keys unreachable); the reason says why.

Low-level building blocks are exported too: parseAeoTxt, canonicalFactsHash, verifyRecordSignature, isUsableKey.

Generate a free self-declared record at groundedaeo.com/free-record — no account needed. Verified, signed, continuously-refreshed records: groundedaeo.com.

License

MIT © Meadow Mountain AI LLC