/source/ · Node 20+ · Browser ESM · Apache-2.0

reference-typescript

v1.0.0

Node 20+ and browser ESM build of the SignedReceipts producer and verifier. SubtleCrypto-backed in browsers, node:crypto on the server, zero runtime dependencies.

ratified March 2026commit 8af4c92d31 files · 184 KB

About this artefact

@signedreceipts/core is the reference TypeScript package. It exposes a tiny producer API and a strict verifier that share a single canonicalisation pipeline. On Node 20+ the package uses node:crypto; on modern browsers it uses SubtleCrypto. The package is ESM-only, ships TypeScript declarations directly, and has zero runtime dependencies. Release artefacts are published to npm with provenance attestations.

A separate @signedreceipts/cli wrapper exposes the same verifier through a small command-line shim, but the canonical CLI is the Rust binary in verifier-cli — the TS shim exists to make local development inside JavaScript projects friction-free. The build is deterministic: the published tarball matches the on-disk tree byte-for-byte, with a top-level signature over MANIFEST.sha256.

Manifest

Tar.gz tarball download is published at the spec ratification cadence. Below is the current public manifest (SHA-256 fingerprints, file count, ratification commit).
PathSizeSHA-256
package.json0.9 KB7b68d7e2d4074bbc892f9ab312f3f88d8a6a132e3778d5be690aa6e387b87072
src/index.ts3.2 KB15ecb98e1133d913784e847c5f6b503c55a19d8ffd22f68e720352934b9dd74a
src/canonical.ts4.8 KB078cc5e8b25ae96df26f379e4565949dd20fe032e975f513637ca3523a76470a
src/verify.ts7.1 KBb83cb2fc4cb1d5753eae408eef096ac4c6573bc78db74bba12370f9bc4a7b78e
src/jwks.ts2.6 KBec2719a88bfb945c3df2ce1739ef09ce94153c45f8730a8ee21a1fc72362451c
31 files · 184 KB · ratification commit 8af4c92d · signed by working-group key wg-2026-03

Quick start

shell
pnpm add @signedreceipts/core
# or: npm i @signedreceipts/core
# or: yarn add @signedreceipts/core
verify.ts
import { Verifier } from "@signedreceipts/core";

const verifier = await Verifier.fromJwksUrl(
  "https://api.cloakapi.io/.well-known/jwks.json",
);
const result = await verifier.verify(receiptJson);
if (!result.ok) throw new Error(result.reason);

Issues / questions

Bug reports, patches, and security advisories all go to the working-group inbox.

open-source@cloakapi.io

Back to /source/ · related: spec · conformance · implementations