npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

scopeblind

v1.3.0

Published

Machine access control middleware with signed decision receipts. Configurable identity disclosure — Private, Scoped, or Named. Ed25519-signed, independently verifiable.

Downloads

67

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

tomjwxftomjwxf

Keywords

bot-protectioncaptcha-alternativeapi-securityvoprfdevice-verificationfree-trial-abuserate-limitingabuse-preventioncryptographic-proofsexpress-middlewarejwt-verificationai-agent-compatiblezero-piicloudflare-workersdbsctpm-attestationdevice-bound-session-credentialsdpopproof-of-possessionai-agent-protectionmcp-rate-limiter

Readme

ScopeBlind

Signed receipts for machine decisions. You choose what identity goes in.

  • Signed decision receipts — Ed25519-signed, independently verifiable, exportable
  • Three disclosure modes — Private (unlinkable), Scoped (pseudonymous), Named (attributed)
  • No PII stored — cryptographic proofs, not fingerprinting
  • ~20ms latency — runs at the edge on Cloudflare
  • AI agent compatible — works with browsers, AI agents, and MCP servers

For MCP servers: Use protect-mcp instead — trust-tier gating, credential vault, signed receipts, per-tool policies. npx protect-mcp -- node your-server.js

When to Use ScopeBlind

Use ScopeBlind if your project needs:

  • Signed evidence of machine access decisions (who was allowed, denied, challenged)
  • Configurable identity disclosure (from fully private to fully named)
  • Agent-compatible access control without CAPTCHAs
  • Protection for API endpoints, MCP tool servers, or AI agent-facing services
  • Audit-ready exports with independently verifiable signatures

Quick Start

npm install scopeblind

1. Get a slug

curl -X POST https://api.scopeblind.com/provision \
  -H "Content-Type: application/json" \
  -d '{"target_url": "https://yourapp.com/api/signup", "email": "[email protected]"}'

Or programmatically:

import { provision } from 'scopeblind';

const tenant = await provision({
  targetUrl: 'https://yourapp.com/api/signup',
  email: '[email protected]',
});

console.log(tenant.slug);       // 'a1b2c3d4e5f6'
console.log(tenant.scriptTag);  // '<script async src="https://api.scopeblind.com/sb/a1b2c3d4e5f6.js"></script>'
console.log(tenant.dashboardUrl); // 'https://scopeblind.com/t/a1b2c3d4e5f6'

Save the mgmtToken — it's shown only once.

2. Add the client script

Add this to your HTML <head>:

<script async src="https://api.scopeblind.com/sb/{slug}.js"></script>

The script runs silently — no UI, no popup, no CAPTCHA.

3. Add the middleware

import express from 'express';
import { scopeblind } from 'scopeblind';

const app = express();

// Block unverified devices on signup
app.post('/api/signup', scopeblind(), (req, res) => {
  // req.scopeblind.verified === true
  // req.scopeblind.deviceId === unique non-PII device hash
  res.json({ ok: true });
});

// Flag but allow (for monitoring before enforcement)
app.post('/api/action', scopeblind({ onFail: 'flag' }), (req, res) => {
  if (!req.scopeblind.verified) {
    console.log('Unverified device detected');
  }
  res.json({ ok: true });
});

API

scopeblind(options?)

Express middleware for device verification.

| Option | Type | Default | Description | |--------|------|---------|-------------| | onFail | 'block' \| 'flag' \| 'allow' | 'block' | What to do when verification fails | | cookieName | string | 'sb_pass' | Cookie name for the JWT | | headerName | string | 'x-scopeblind-token' | Header name fallback | | jwksUrl | string | ScopeBlind production | Custom JWKS endpoint | | errorBody | object | { error: 'device_not_verified' } | Custom 403 response body |

After verification, req.scopeblind contains:

{
  verified: boolean;       // Whether the device proof is valid
  deviceId: string | null; // Unique non-PII device hash
  payload: JWTPayload;     // Full JWT claims
}

verify(token, options?)

Standalone JWT verification (non-Express):

import { verify } from 'scopeblind';

const result = await verify(tokenString);
if (result.verified) {
  console.log('Device:', result.deviceId);
}

provision(options)

Create a new tenant programmatically:

import { provision } from 'scopeblind';

const tenant = await provision({
  targetUrl: 'https://yourapp.com/api/signup',
  email: '[email protected]',
});

Next.js

// app/api/signup/route.ts
import { verify } from 'scopeblind';
import { cookies } from 'next/headers';

export async function POST(request: Request) {
  const cookieStore = await cookies();
  const token = cookieStore.get('sb_pass')?.value;

  if (!token) {
    return Response.json({ error: 'device_not_verified' }, { status: 403 });
  }

  const result = await verify(token);
  if (!result.verified) {
    return Response.json({ error: 'invalid_proof' }, { status: 403 });
  }

  // result.deviceId = unique device hash (not PII)
  // ... handle the signup
}

How It Works

  1. Client completes a privacy-preserving proof (RFC 9497) — invisible to the user
  2. ScopeBlind's edge verifier issues a signed JWT and decision receipt
  3. Your backend verifies the JWT using this package — every decision is independently verifiable
  4. Enforcement decisions produce signed receipts with configurable identity disclosure

Dashboard

After deploying, visit https://scopeblind.com/t/{slug} to see:

  • Unique visitors vs. repeat abusers
  • Abuse rate percentage
  • Estimated wasted compute costs
  • One-click enforcement toggle

ScopeBlind starts in observe mode (observe only). Enable enforcement when ready.

Links

Related

  • protect-mcp — If you're securing an MCP tool server (not a web API), use protect-mcp instead. Wraps any stdio MCP server with per-tool policies, rate limiting, and structured decision logs. Zero dependencies, no account required.
  • scopeblind-agent — DPoP-based cryptographic identity for AI agents and CLIs.

License

MIT