npm.io • @postcept/receipt 1.1.0 • Published 7h ago
Licence: MIT • Version: 1.1.0 • Deps: 1 • Size: 34 kB • Vulns: 0 • Weekly: 0

@postcept/receipt

Reference implementation for verifying Postcept Receipts and VCR-audit badges. It runs anywhere JavaScript runs (browser, Node, Deno, edge), and verifying a receipt needs nothing from Postcept except the published public key. You don't have to trust an API to trust the result.

The format and signing scheme are written up in SPEC.md. This is the canonical JS implementation of that spec. The Postcept API signs with a Python implementation that produces byte-identical signing bodies, so a receipt signed there verifies here without any translation step.

Install

npm i @postcept/receipt

Usage

import { verifyReceipt, verifyBadge, type Receipt } from "@postcept/receipt";

// Fetch the public key once and pin it (or pin the key id the receipt names).
// Fetching it fresh on every verification would make the API the thing you trust.
const res = await fetch("https://api.postcept.com/v1/signing-key");
if (!res.ok) throw new Error(`signing-key fetch failed: ${res.status}`);
const { public_key } = await res.json();

const ok = await verifyReceipt(receipt as Receipt, public_key);
// true when the receipt is authentic and unmodified, false otherwise.

verifyReceipt and verifyBadge are pure functions. On a bad signature or malformed input they return false instead of throwing, so they're safe to call on untrusted data.

Exports

Export: Purpose
verifyReceipt: Verify a receipt's Ed25519 signature against a public key.
verifyBadge: Verify a VCR-audit badge.
verifyReceiptInLog: Verify a receipt's transparency-log inclusion and signed tree head.
verifyInclusion / verifySignedTreeHead: Verify a Merkle inclusion proof or an STH on its own.
verifyConsistency: Verify the log only appended between two signed tree heads.
receiptSigningBody: The exact body the signature covers, for anyone re-implementing this.
badgeSigningBody: The badge signing body.
canonicalize: Deterministic JSON encoding (sorted keys, ASCII-escaped).
@postcept/receipt/schema: JSON Schema for the receipt object.

Why a separate package

One source of truth for the verification logic. Postcept's own site and audit tool import this same package, and so can you. The "you don't have to trust us" claim only holds if the reference implementation is open and stands on its own.

License

MIT.
