Verify post-quantum signatures in your own stack.
@trelyan/verify-pqc is an MIT, dependency-light toolkit to verify post-quantum signatures — Falcon-1024, ML-DSA-87 (FIPS-204), and SLH-DSA (FIPS-205) — in Node and the browser, plus a free cryptographic bill-of-materials (CBOM) badge, a GitHub Action, and a TLS posture scan. Free and open, forever. Commercial support and a hosted API are there when you need a contract behind it.
Everything you need to start — at no cost.
- The SDK —
npm install @trelyan/verify-pqc. Verify on-chain Falcon-1024 inscriptions and dual-PQC (ML-DSA-87 ∧ SLH-DSA) transparency proofs against pinned keys. - CBOM A–F badge + GitHub Action — scan a repo for quantum-vulnerable cryptography and get a gradeable badge in CI.
- TLS posture scan — check whether an endpoint negotiates a post-quantum key exchange.
- Public verifier — paste a proof, verify it in the browser, no install.
Don't want to run it yourself?
A managed endpoint for verification, signed evidence, and CBOM scans — an API key instead of infrastructure. Currently in early access; tell us your use case and we'll set you up.
A contract behind it, when you ship.
- The full SDK + badge + Action + scan + verifier
- Community issue tracker
- Best-effort, no SLA
- Annual support subscription — distinct from the one-time Evidence Pack Express diagnostic
- Priority email support (response-time target)
- Integration, key-handling & trust-model guidance
- Early access to new modules + breaking-change notice
- Named contact · SBOM attestation on request
- Everything in Priority Support
- Private / pre-release modules under a separate non-MIT license
- Best-effort prioritized fixes (no SLA) + roadmap input
- Architecture / integration review (not a security audit)
The SDK is open source under the MIT License and is provided "as is", without warranty. It is an unaudited reference implementation; an independent cryptographic and side-channel audit is on our roadmap. Commercial support sells priority and services around the toolkit — it does not turn it into a certified product and adds no warranty of cryptographic correctness. Private or pre-release modules are earlier-stage — they carry the same unaudited status as the public code (not more mature or audited), and are licensed separately (not MIT). The CBOM badge is a preview signal, not an assurance or a certification. Nothing here is an offer of any security, token, or financial instrument.