attestix

v0.4.1

TypeScript SDK for Attestix - Attestation Infrastructure for AI Agents. REST client plus offline, cross-engine verification of Ed25519 W3C VCs and UCAN delegation chains issued by Attestix 0.4.0. Conforms to the shared verifier conformance vectors (spec/v

attestix

TypeScript SDK and offline verifier for Attestix - Attestation Infrastructure for AI Agents.

This is the JavaScript/TypeScript engine in the Attestix family. Version 0.4.0 is aligned with the Attestix 0.4.0 release line: the same name, the same version, and the same conformance suite across every ecosystem (Python on PyPI, this package on npm, and the Go / Rust / Java / R verifier ports). A credential or delegation issued by Attestix 0.4.0 (in any engine) verifies here, byte-for-byte, offline.

Provides typed client methods for identity management, verifiable credentials, compliance tracking, reputation scoring, provenance recording, delegation chains, DID operations, and blockchain anchoring.

Installation

npm install attestix

Heads-up on the package name (transition state). The unscoped attestix name on npm is claimed but not yet published: the unscoped publish is pending a registry token. Until that lands, the published artifact is the scoped, stale @vibetensor/attestix@0.2.0:

npm install @vibetensor/attestix   # currently published (0.2.0)

Once the unscoped attestix package is published, @vibetensor/attestix will be deprecated with a pointer to the unscoped name. Prefer attestix in new code.

Quick Start

import { AttestixClient } from 'attestix';

const client = new AttestixClient({
  baseUrl: 'https://api.attestix.io',
  apiKey: 'your-api-key',
});

// Create an agent identity
const identity = await client.createIdentity({
  name: 'My AI Agent',
  type: 'autonomous',
  capabilities: ['text-generation', 'code-review'],
});

console.log(identity.agent_id);

// Issue a credential
const credential = await client.issueCredential({
  issuer: identity.agent_id,
  subject: identity.agent_id,
  type: 'SafetyAudit',
  claims: { passed: true, score: 95 },
});

// Verify it
const result = await client.verifyCredential(credential.credential_id);
console.log(result.valid); // true

Offline verification (cross-engine interop)

Since v0.2.0 the package can verify Attestix Ed25519-signed W3C Verifiable Credentials / Presentations and UCAN-style delegation chains entirely offline (no API call), in Node or the browser. The canonical-JSON rules, did:key codec, and signed-field sets are byte-compatible with the Python Attestix engine, so a credential or delegation issued by the Python server verifies in JS/TS and vice-versa. This is the cross-engine interop path tracked in attestix#7; the exact wire format and canonicalization rules are documented in SPEC.md.

It adds one small, audited dependency (@noble/curves) for Ed25519 and no network access.

Cross-language conformance

The verifier is held to the shared conformance vectors maintained in the foundation repo at spec/verify/v1 (canonical-form rules in README.md, verifier surface in CONFORMANCE.md). These are the same vectors every port (Go, Rust, Java, R, JS) must reproduce byte-for-byte. This package runs them in CI (tests/conformance.test.ts) against the vectors.json for attestix 0.4.0, so the npm engine stays on the exact same suite as the others.

Verify a credential

import { verifyCredential } from 'attestix';

// `vc` is the raw VC JSON (e.g. from issueCredential, a file, or a QR payload)
const result = verifyCredential(vc);

if (result.valid) {
  console.log('Issuer:', result.issuer);   // did:key:z...
  console.log('Subject:', result.subject);
} else {
  console.log('Invalid:', result.reason);   // e.g. "Invalid signature"
}

// Per-check detail:
// result.checks = { structure_valid, signature_valid, not_expired, not_revoked }

verifyCredential recomputes the canonical bytes over the signed fields (everything except the mutable proof and credentialStatus), then verifies the Ed25519Signature2020 proof against the issuer's did:key. Revocation can only be confirmed against the embedded credentialStatus; live revocation is a server-side lookup, so not_revoked reflects only what is present in the document offline.
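The signed-field rule above, as an added example that is not the SDK's own code: it signs a constructed credential with a throwaway Ed25519 key via Node's crypto module and shows that an edit to credentialStatus leaves the proof valid while an edit to a claim breaks it. The canonical form (sorted keys, no whitespace), the base64 proofValue, the placeholder did:key and the credentialStatus shape are assumptions made for illustration; the real byte rules are the ones in the project's SPEC.md.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

type Json = null | boolean | number | string | Json[] | { [k: string]: Json };
type Doc = { [k: string]: Json };

// ASSUMPTION: simplified canonical form (sorted keys, no whitespace). The SDK's
// real byte rules live in its SPEC.md and are not reproduced here.
function canonicalJson(v: Json): string {
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  if (Array.isArray(v)) return '[' + v.map((x) => canonicalJson(x)).join(',') + ']';
  const obj: Doc = v;
  const body = Object.keys(obj).sort().map((k) => JSON.stringify(k) + ':' + canonicalJson(obj[k] as Json));
  return '{' + body.join(',') + '}';
}

// Signed-field set from the README: everything except proof and credentialStatus.
function signedBytes(vc: Doc): Buffer {
  const signed: Doc = { ...vc };
  delete signed['proof'];
  delete signed['credentialStatus'];
  return Buffer.from(canonicalJson(signed), 'utf8');
}

// Constructed issuer: the base64 proofValue is a stand-in for the real proof encoding.
function issue(vc: Doc, privateKey: KeyObject): Doc {
  const sig = sign(null, signedBytes(vc), privateKey); // Ed25519 takes a null digest
  return { ...vc, proof: { type: 'Ed25519Signature2020', proofValue: sig.toString('base64') } };
}

function verifyOffline(vc: Doc, publicKey: KeyObject): boolean {
  const proof = vc['proof'];
  if (proof === null || typeof proof !== 'object' || Array.isArray(proof)) return false;
  const value = proof['proofValue'];
  if (typeof value !== 'string') return false;
  return verify(null, signedBytes(vc), publicKey, Buffer.from(value, 'base64'));
}

function demo(): { original: boolean; statusEdited: boolean; claimEdited: boolean } {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const vc = issue({
    issuer: 'did:key:zCONSTRUCTED', // placeholder, not a real did:key
    credentialSubject: { passed: true, score: 95 },
    credentialStatus: { id: 'constructed-status-1' }, // constructed status shape
  }, privateKey);
  return {
    original: verifyOffline(vc, publicKey),
    statusEdited: verifyOffline({ ...vc, credentialStatus: { id: 'constructed-status-2' } }, publicKey),
    claimEdited: verifyOffline({ ...vc, credentialSubject: { passed: true, score: 100 } }, publicKey),
  };
}
```

Because credentialStatus sits outside the signed bytes, the proof says nothing about whether the embedded status is the one the issuer wrote, which is why the offline not_revoked check reflects only what is present in the document.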

Verify a delegation chain

import { verifyDelegationChain } from 'attestix';

// Pass the leaf JWT (its `prf` parent chain is walked automatically),
// or an explicit array of tokens ordered leaf..root.
const result = verifyDelegationChain(leafToken);

if (result.valid) {
  console.log('Effective capabilities:', result.capabilities);
  console.log('Chain length:', result.links.length);
}

verifyDelegationChain verifies every link's EdDSA JWS signature against its issuer did:key, walks the full prf proof chain, detects cycles, enforces expiry/nbf, and re-checks capability attenuation (each child's att must be a subset of its parent's att) so a forged chain that escalates scope is rejected.
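The chain-walking checks listed above (cycle detection, expiry/nbf and capability attenuation), as an added example that is not the SDK's implementation: it assumes each link's signature has already been verified and its payload decoded, models att as plain strings, and uses a hypothetical token id to look up each prf parent. All sample links are constructed.

```typescript
interface Link { id: string; att: string[]; exp: number; nbf?: number; prf?: string }
type ChainResult =
  | { valid: true; capabilities: string[]; links: number }
  | { valid: false; reason: string };

// ASSUMPTION: every link's signature was already verified and its payload decoded;
// `store` maps a token id to that payload, and `att` is simplified to plain strings.
function checkChain(leafId: string, store: Map<string, Link>, now: number): ChainResult {
  const seen = new Set<string>();
  let child: Link | undefined;
  let id: string | undefined = leafId;
  while (id !== undefined) {
    if (seen.has(id)) return { valid: false, reason: 'cycle in prf chain' };
    seen.add(id);
    const link: Link | undefined = store.get(id);
    if (link === undefined) return { valid: false, reason: `unknown proof ${id}` };
    if (now >= link.exp) return { valid: false, reason: `${id} expired` };
    if (link.nbf !== undefined && now < link.nbf) return { valid: false, reason: `${id} not yet valid` };
    if (child !== undefined) {
      // Attenuation: the child may only hold capabilities its direct parent holds.
      const parentAtt: string[] = link.att;
      const extra = child.att.filter((cap) => parentAtt.indexOf(cap) === -1);
      if (extra.length > 0) return { valid: false, reason: `${child.id} escalates: ${extra.join(',')}` };
    }
    child = link;
    id = link.prf;
  }
  const leaf = store.get(leafId) as Link; // present: the loop above resolved it first
  return { valid: true, capabilities: leaf.att, links: seen.size };
}

// Constructed sample payloads (times are seconds since the epoch).
const NOW = 1700000000;
const SAMPLE = new Map<string, Link>([
  ['root', { id: 'root', att: ['read', 'write'], exp: NOW + 3600 }],
  ['mid', { id: 'mid', att: ['read'], exp: NOW + 600, prf: 'root' }],
  ['leaf', { id: 'leaf', att: ['read'], exp: NOW + 60, prf: 'mid' }],
  ['forged', { id: 'forged', att: ['read', 'write'], exp: NOW + 60, prf: 'mid' }],
  ['loopA', { id: 'loopA', att: ['read'], exp: NOW + 60, prf: 'loopB' }],
  ['loopB', { id: 'loopB', att: ['read'], exp: NOW + 60, prf: 'loopA' }],
]);
```

The forged link is rejected even though the root holds write, because attenuation is checked against the direct parent (mid), which holds only read.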

Lower-level primitives

The canonicalizer, did:key codec, and raw Ed25519 verify are also exported:

import {
  canonicalize,        // JSON value -> canonical UTF-8 bytes (Python-compatible)
  didKeyToPublicKey,   // did:key:z... -> 32-byte Ed25519 public key
  publicKeyToDidKey,   // 32-byte Ed25519 public key -> did:key:z...
  verifyEd25519,       // (signature, message, publicKey) -> boolean
  verifyPresentation,  // verify a Verifiable Presentation + its embedded VCs
} from 'attestix';

API Reference

Identity

| Method | Description |
|--------|-------------|
| createIdentity(params) | Register a new agent identity |
| getIdentity(agentId) | Retrieve an identity by agent ID |
| listIdentities(params?) | List identities with optional filters |
| verifyIdentity(agentId) | Verify an identity's validity |
| translateIdentity(agentId, format) | Translate identity to another format |
| revokeIdentity(agentId, reason?) | Revoke an identity |
| purgeAgentData(agentId) | Delete all data for an agent |

Credentials

| Method | Description |
|--------|-------------|
| issueCredential(params) | Issue a new verifiable credential |
| getCredential(credentialId) | Retrieve a credential |
| listCredentials(params?) | List credentials with filters |
| verifyCredential(credentialId) | Verify a credential |
| verifyExternalCredential(credential) | Verify an externally-issued credential |
| revokeCredential(credentialId, reason?) | Revoke a credential |
| createPresentation(params) | Create a verifiable presentation |

Compliance

| Method | Description |
|--------|-------------|
| createComplianceProfile(params) | Create a compliance profile |
| getComplianceProfile(profileId) | Get a compliance profile |
| listComplianceProfiles() | List all compliance profiles |
| getComplianceStatus(profileId) | Get compliance status |
| recordAssessment(params) | Record a compliance assessment |
| generateDeclaration(params) | Generate a declaration of conformity |

Reputation

| Method | Description |
|--------|-------------|
| recordInteraction(params) | Record an agent interaction |
| getReputation(agentId) | Get reputation score for an agent |
| queryReputation(params?) | Query reputation scores with filters |

Provenance

| Method | Description |
|--------|-------------|
| recordTrainingData(params) | Record training data provenance |
| recordModelLineage(params) | Record model lineage |
| logAction(params) | Log an auditable action |
| getProvenance(agentId) | Get provenance entries for an agent |
| getAuditTrail(params?) | Query the audit trail |

Delegation

| Method | Description |
|--------|-------------|
| createDelegation(params) | Create a delegation chain |
| listDelegations(params?) | List delegations |
| verifyDelegation(token) | Verify a delegation token |
| revokeDelegation(delegationId) | Revoke a delegation |

DID

| Method | Description |
|--------|-------------|
| createDidKey() | Create a did:key document |
| createDidWeb(domain) | Create a did:web document |
| resolveDid(did) | Resolve a DID to its document |

Blockchain Anchoring

| Method | Description |
|--------|-------------|
| anchorIdentity(agentId) | Anchor an identity on-chain |
| anchorCredential(credentialId) | Anchor a credential on-chain |
| anchorAuditBatch(entryIds?) | Anchor a batch of audit entries |
| verifyAnchor(anchorId) | Verify an on-chain anchor |
| getAnchorStatus(anchorId) | Get anchor status |
| estimateAnchorCost() | Estimate anchoring cost |

Offline Verification

| Function | Description |
|--------|-------------|
| verifyCredential(vc, options?) | Verify a W3C VC's Ed25519 proof, structure, and expiry offline |
| verifyPresentation(vp, options?) | Verify a VP's holder proof and every embedded credential offline |
| verifyDelegationChain(token \| tokens, options?) | Verify a UCAN/JWT delegation chain (signatures, attenuation, expiry, cycles) |
| canonicalize(value) | Canonical UTF-8 bytes matching the Python engine's JCS form |
| didKeyToPublicKey(did) / publicKeyToDidKey(bytes) | did:key (Ed25519) decode / encode |
| verifyEd25519(sig, msg, pubKey) | Raw Ed25519 signature verification |

Error Handling

The SDK throws typed errors based on HTTP status codes:

import {
  AttestixAuthError,
  AttestixNotFoundError,
  AttestixValidationError,
  AttestixRateLimitError,
} from 'attestix';

try {
  await client.getIdentity('nonexistent');
} catch (error) {
  if (error instanceof AttestixNotFoundError) {
    console.log('Agent not found');
  } else if (error instanceof AttestixAuthError) {
    console.log('Invalid API key');
  } else if (error instanceof AttestixRateLimitError) {
    console.log(`Rate limited, retry after ${error.retryAfter}s`);
  }
}

Configuration

const client = new AttestixClient({
  baseUrl: 'https://api.attestix.io',  // Required: API server URL
  apiKey: 'your-api-key',               // Required: API key
  timeout: 30000,                        // Optional: request timeout in ms (default: 30000)
});

The SDK automatically retries on 429 (rate limit) and 503 (service unavailable) responses with exponential backoff.

License

Apache-2.0
