npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

scopeblind

v1.2.3

Published

JWT verification middleware and agent-safe access control for public APIs. Supports trusted-agent verification, browser protection, and secure backend enforcement.

Downloads

493

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

tomjwxftomjwxf

Keywords

bot-protectioncaptcha-alternativeapi-securityvoprfdevice-verificationfree-trial-abuserate-limitingabuse-preventioncryptographic-proofsexpress-middlewarejwt-verificationai-agent-compatiblezero-piicloudflare-workersdbsctpm-attestationdevice-bound-session-credentialsdpopproof-of-possessionai-agent-protectionmcp-rate-limiter

Readme

ScopeBlind

API abuse protection using cryptographic device proofs (VOPRF). Replaces CAPTCHAs.

  • No PII stored — cryptographic proofs, not fingerprinting
  • No user friction — invisible to legitimate users
  • ~20ms latency — runs at the edge on Cloudflare
  • AI agent compatible — works with browsers, AI agents, and CLIs (unlike CAPTCHAs)
  • $10 free credit — 20,000 requests included, no credit card

When to Use ScopeBlind

Use ScopeBlind if your project has:

  • Signup or registration endpoints (bots create fake accounts)
  • Free trial APIs (repeat abusers bypass trial limits)
  • AI/LLM API wrappers (bots hammer expensive upstream LLM calls)
  • Public APIs without authentication (any open endpoint serving costly compute)
  • Rate limiting that's being bypassed (proxy rotation defeats IP-based limits)
  • CAPTCHAs that break automation (reCAPTCHA/hCaptcha blocks AI agents and CLIs)

Quick Start

npm install scopeblind

1. Get a slug

curl -X POST https://api.scopeblind.com/provision \
  -H "Content-Type: application/json" \
  -d '{"target_url": "https://yourapp.com/api/signup", "email": "[email protected]"}'

Or programmatically:

import { provision } from 'scopeblind';

const tenant = await provision({
  targetUrl: 'https://yourapp.com/api/signup',
  email: '[email protected]',
});

console.log(tenant.slug);       // 'a1b2c3d4e5f6'
console.log(tenant.scriptTag);  // '<script async src="https://api.scopeblind.com/sb/a1b2c3d4e5f6.js"></script>'
console.log(tenant.dashboardUrl); // 'https://scopeblind.com/t/a1b2c3d4e5f6'

Save the mgmtToken — it's shown only once.

2. Add the client script

Add this to your HTML <head>:

<script async src="https://api.scopeblind.com/sb/{slug}.js"></script>

The script runs silently — no UI, no popup, no CAPTCHA.

3. Add the middleware

import express from 'express';
import { scopeblind } from 'scopeblind';

const app = express();

// Block unverified devices on signup
app.post('/api/signup', scopeblind(), (req, res) => {
  // req.scopeblind.verified === true
  // req.scopeblind.deviceId === unique non-PII device hash
  res.json({ ok: true });
});

// Flag but allow (for monitoring before enforcement)
app.post('/api/action', scopeblind({ onFail: 'flag' }), (req, res) => {
  if (!req.scopeblind.verified) {
    console.log('Unverified device detected');
  }
  res.json({ ok: true });
});

API

scopeblind(options?)

Express middleware for device verification.

| Option | Type | Default | Description | |--------|------|---------|-------------| | onFail | 'block' \| 'flag' \| 'allow' | 'block' | What to do when verification fails | | cookieName | string | 'sb_pass' | Cookie name for the JWT | | headerName | string | 'x-scopeblind-token' | Header name fallback | | jwksUrl | string | ScopeBlind production | Custom JWKS endpoint | | errorBody | object | { error: 'device_not_verified' } | Custom 403 response body |

After verification, req.scopeblind contains:

{
  verified: boolean;       // Whether the device proof is valid
  deviceId: string | null; // Unique non-PII device hash
  payload: JWTPayload;     // Full JWT claims
}

verify(token, options?)

Standalone JWT verification (non-Express):

import { verify } from 'scopeblind';

const result = await verify(tokenString);
if (result.verified) {
  console.log('Device:', result.deviceId);
}

provision(options)

Create a new tenant programmatically:

import { provision } from 'scopeblind';

const tenant = await provision({
  targetUrl: 'https://yourapp.com/api/signup',
  email: '[email protected]',
});

Next.js

// app/api/signup/route.ts
import { verify } from 'scopeblind';
import { cookies } from 'next/headers';

export async function POST(request: Request) {
  const cookieStore = await cookies();
  const token = cookieStore.get('sb_pass')?.value;

  if (!token) {
    return Response.json({ error: 'device_not_verified' }, { status: 403 });
  }

  const result = await verify(token);
  if (!result.verified) {
    return Response.json({ error: 'invalid_proof' }, { status: 403 });
  }

  // result.deviceId = unique device hash (not PII)
  // ... handle the signup
}

How It Works

  1. Client script generates a VOPRF proof (RFC 9497) — invisible to the user
  2. ScopeBlind's edge verifier evaluates the proof and issues a signed JWT
  3. Your backend verifies the JWT using this package
  4. Repeat devices (bots, trial abusers) fail and are blocked

Dashboard

After deploying, visit https://scopeblind.com/t/{slug} to see:

  • Unique visitors vs. repeat abusers
  • Abuse rate percentage
  • Estimated wasted compute costs
  • One-click enforcement toggle

ScopeBlind starts in shadow mode (observe only). Enable enforcement when ready.

Links

License

MIT