Pre-audit reference work — deliverables are self-attested and independently verifiable; third-party audit in procurement. No certification implied.
§ Developers · Open-source SDK

Verify post-quantum signatures in your own stack.

@trelyan/verify-pqc is an MIT, dependency-light toolkit to verify post-quantum signatures — Falcon-1024, ML-DSA-87 (FIPS-204), and SLH-DSA (FIPS-205) — in Node and the browser, plus a free cryptographic bill-of-materials (CBOM) badge, a GitHub Action, and a TLS posture scan. Free and open, forever. Commercial support and a hosted API are there when you need a contract behind it.

Everything you need to start — at no cost.

npm install @trelyan/verify-pqc · const { verifyOnChain } = require('@trelyan/verify-pqc')

Don't want to run it yourself?

A managed endpoint for verification, signed evidence, and CBOM scans — an API key instead of infrastructure. Currently in early access; tell us your use case and we'll set you up.

A contract behind it, when you ship.

Community
$0 · MIT
  • The full SDK + badge + Action + scan + verifier
  • Community issue tracker
  • Best-effort, no SLA
Priority Support
$7,500 / yr
  • Annual support subscription — distinct from the one-time Evidence Pack Express diagnostic
  • Priority email support (response-time target)
  • Integration, key-handling & trust-model guidance
  • Early access to new modules + breaking-change notice
  • Named contact · SBOM attestation on request
Enterprise
from ~$15,000 / year
  • Everything in Priority Support
  • Private / pre-release modules under a separate non-MIT license
  • Best-effort prioritized fixes (no SLA) + roadmap input
  • Architecture / integration review (not a security audit)
MIT open source · reference implementation · unaudited

The SDK is open source under the MIT License and is provided "as is", without warranty. It is an unaudited reference implementation; an independent cryptographic and side-channel audit is on our roadmap. Commercial support sells priority and services around the toolkit — it does not turn it into a certified product and adds no warranty of cryptographic correctness. Private or pre-release modules are earlier-stage — they carry the same unaudited status as the public code (not more mature or audited), and are licensed separately (not MIT). The CBOM badge is a preview signal, not an assurance or a certification. Nothing here is an offer of any security, token, or financial instrument.