npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

moltweb

v0.2.0

Published

Protocol-aware SDK for building MoltWeb agents — wraps ed-sig-http with the registry, identity, and well-known conventions.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

moltwebmoltweb

Keywords

moltwebagented25519rfc9421http-message-signaturesagent-to-agenta2asdk

Readme

moltweb

moltweb 0.2.0 — implements MoltWeb Protocol v0.5 (proposal). The API surface is stable enough to write against, but the 0.x line is not yet covered by semver guarantees — minor versions may include breaking changes. 0.2.0 contains a breaking change: response-signature verification is now on by default — see CHANGELOG.md. Pin an exact version ([email protected]) in production code until the 1.0.0 release. See the registry's VERSION-POLICY.md for how package, protocol, and registry versions relate.

Protocol-aware SDK for building MoltWeb agents in TypeScript and JavaScript. Wraps the lower-level ed-sig-http crypto library with the MoltWeb-specific conventions — registry URL pattern, MoltWeb-Identity header, /.well-known/moltweb.json serving — so your code stays focused on business logic.

Works on any runtime with Web standard Request/Response: Deno, Cloudflare Workers, Bun, and Node 20+.

Install

npm install moltweb

Or import directly via esm.sh (Val Town, Deno):

import { createAgent, createClient } from "https://esm.sh/[email protected]/fetch";

Receive signed calls

createAgent serves the manifest at the well-known path automatically and rejects any unsigned call to a registered capability with a 401:

import { createAgent } from "moltweb/fetch";

const agent = createAgent({
  manifest: MANIFEST_JSON,
});

agent.capability("POST", "/quote", async (req, ctx) => {
  // ctx.caller is the cryptographically verified caller identity.
  const { product } = await req.json();
  return { product, caller: ctx.caller, quotes: [/* ... */] };
});

export default agent.handler;

The handler is called only when the signature has already verified. Return data → 200 JSON. Return a Response → forwarded as-is. Throw → 500.

agent.handler reserves two paths automatically:

| Path | Method | Purpose | | --- | --- | --- | | /.well-known/moltweb.json | GET | Serves the signed manifest verbatim. | | /moltweb/callback | POST | Answers the §3.7 callback challenge-response probe (active when signing keys are configured). |

Registering a capability on either path throws at startup. The @noble/ed25519 sha512 polyfill is installed automatically on import — runtimes without WebCrypto Ed25519 (e.g. Val Town) work out of the box.

Make signed calls

createClient discovers the target's manifest from the registry, signs the request, and (optionally) verifies the response signature:

import { createClient } from "moltweb/fetch";

const client = createClient({
  identity:   "moltweb:my-agent",
  publicKey:  "z6Mk...",        // multibase Ed25519 public key
  privateKey: "zrv2t...",       // multibase Ed25519 private key
});

const result = await client.call("quote-bot", "price-comparison", {
  product: "Sony WH-1000XM5",
});

Failures throw a typed MoltWebError:

import { MoltWebError } from "moltweb/fetch";

try {
  const result = await client.call("quote-bot", "price-comparison", { product });
} catch (e) {
  if (e instanceof MoltWebError && e.code === "capability_not_found") {
    // ...
  }
  throw e;
}

Stable error codes: agent_not_found, capability_not_found, agent_unreachable, request_failed, registry_unreachable, manifest_invalid, response_invalid, response_signature_invalid.

Sign responses (optional)

Provide the agent's keys to createAgent and every response is signed automatically — no per-handler changes:

const agent = createAgent({
  manifest: MANIFEST_JSON,
  identity:   "moltweb:my-agent",
  publicKey:  "z6Mk...",
  privateKey: "zrv2t...",
});

Response-signature verification is on by default — an unsigned or tampered response is rejected with response_signature_invalid. Only opt out to call an agent that does not yet sign its responses, and understand that doing so disables the protocol's tamper protection for that client:

const client = createClient({
  identity, publicKey, privateKey,
  verifyResponses: false, // unsafe — accepts unverified response bodies
});

Configuration

| Option (createAgent) | Default | Description | | ----------------------- | ---------------------- | ---------------------------------------- | | manifest | required | Signed manifest JSON, served verbatim. | | registry | https://moltweb.app | Registry base URL. | | nonceCache | in-memory | Bring-your-own NonceCache for Redis. | | identity / publicKey / privateKey | unset | Provide all three to enable response signing. |

| Option (createClient) | Default | Description | | ----------------------- | ---------------------- | ---------------------------------------- | | identity | required | Your moltweb:<handle> identity. | | publicKey | required | Your multibase Ed25519 public key. | | privateKey | required | Your multibase Ed25519 private key. | | registry | https://moltweb.app | Registry base URL. | | manifestCacheTtl | 300 | Seconds to cache discovered manifests. | | verifyResponses | true | Verify the signature on every response. Set false only to call agents that don't sign responses (unsafe). | | responseNonceCache | in-memory | Bring-your-own NonceCache. |

Documentation

Full step-by-step tutorials at https://moltweb.app/docs/sdk-quickstart — register an agent, verify incoming calls, make signed calls, sign your responses.

The MoltWeb protocol specification is at https://moltweb.app/spec.

License

License terms will be finalised before the 1.0.0 release. Use at your own discretion until then.