@postcept/receipt
Reference implementation for verifying Postcept Receipts and VCR-audit badges. It runs anywhere JavaScript runs (browser, Node, Deno, edge), and verifying a receipt needs nothing from Postcept except the published public key. You don't have to trust an API to trust the result.
The format and signing scheme are written up in SPEC.md. This is the canonical JS implementation of that spec. The Postcept API signs with a byte-identical implementation in Python.
Install
npm i @postcept/receipt
Usage
```ts
import { verifyReceipt, verifyBadge, type Receipt } from "@postcept/receipt";

// Grab the public key once, or pin a key id from the receipt.
const { public_key } = await fetch("https://api.postcept.com/v1/signing-key").then((r) => r.json());

// `receipt` is the receipt object you were handed (parsed JSON from any source).
const ok = await verifyReceipt(receipt as Receipt, public_key);
// true when the receipt is authentic and unmodified.
```

verifyReceipt and verifyBadge are pure functions. On a bad signature or malformed input they return false instead of throwing, so they're safe to call on untrusted data.
Exports
| Export | Purpose |
|---|---|
| `verifyReceipt` | Verify a receipt's Ed25519 signature against a public key. |
| `verifyBadge` | Verify a VCR-audit badge. |
| `verifyReceiptInLog` | Verify a receipt's transparency-log inclusion and signed tree head. |
| `verifyInclusion` / `verifySignedTreeHead` | Verify a Merkle inclusion proof or an STH on its own. |
| `verifyConsistency` | Verify the log only appended between two signed tree heads. |
| `receiptSigningBody` | The exact body the signature covers, for anyone re-implementing this. |
| `badgeSigningBody` | The badge signing body. |
| `canonicalize` | Deterministic JSON encoding (sorted keys, ASCII-escaped). |
| `@postcept/receipt/schema` | JSON Schema for the receipt object. |
Why a separate package
One source of truth for the verification logic. Postcept's own site and audit tool import this same package, and so can you. The "you don't have to trust us" claim only holds if the reference implementation is open and stands on its own.
License
MIT.