What shipped, when.

Cloudflare Pages Function at /api/status probes 4 surfaces every 15s from the edge: full mint→verify pipeline (not just a /health endpoint that could be green while verify is broken), demo issuer mint, snapshot store, MCP server. Returns roll-up status: operational / degraded / down. /status page renders component cards with live latency, 7-day verdict ribbon (green / yellow / red per day based on allow share), incident log. Cache: 15s edge + 60s SWR.

Drop a live verdict badge on any page. Two APIs from one 2.7 KB gzipped script: web component `<agentpki-verify token size theme>` for frameworks, data-attribute `<div data-agentpki-verify="…">` for plain HTML. Shadow DOM (no global CSS leak), MutationObserver auto-rescan for SPAs, three sizes × light/dark/auto themes, four verdict states (verified / revoked / unverified / error). Pinned-version URL + SRI hash for vendor compliance. Showcase + copy-paste at /widget.

Dedicated full-page interactive playground. Three panels: Token (paste / mint clean / mint with revoked kid / tamper sig|payload|footer / copy / share-as-URL), Decoded (live local-only JSON syntax highlight), Verify (real POST to /v1/verify with verdict banner + raw response). Shareable token URLs via ?token= param so devs can paste broken tokens for support. ~250 lines of JS, no framework.

New toolbar above Swagger UI: "Try in Postman" (opens Postman web with our collection JSON pre-loaded) · "Try in Insomnia" (insomnia:// scheme to import our OpenAPI yaml) · "openapi.yaml" + "postman.json" downloads · "Copy OpenAPI URL" button. Plus a paste-ready "First call · 30 seconds, no signup" code block at the top so curl-first developers don't have to scroll for a working example.

Three URLs: /v1/sdk.js (4.9 KB dev source, commented + readable) · /v1/sdk.min.js (3.6 KB raw, 1.6 KB gzipped, latest production) · /v1/sdk-v0.1.0.min.js (version-pinned, immutable, max-age=1y). All three carry SRI sha256-fwS61oHOxj4oU5SvLOovLwht+QcNkn+p4u6kb4VKKp8= via X-AgentPKI-SDK-SRI response header. Vendor-friendly: pin once, never refetch.

Verifier now increments KV-backed counters on every /v1/verify call (non-blocking via ctx.waitUntil — zero latency added). Public JSON endpoint at /v1/stats exposes total, total_by_verdict, total_by_reason, and last_7_days breakdown. Privacy: no token, jti, issuer, or sub stored — only verdict counts. /stats marketing page now shows live counter tiles and a 7-day stacked bar chart.

Hover any v4.public token in any file → decoded claims inline (iss, sub, iat, exp with ⏰/⚠ tags, tier, scope, jti, kid, sig). CodeLens above every token for one-click Verify or Decode. Diagnostics flag expired or near-expiry tokens. Four palette commands including "Mint demo passport" (auto-copies to clipboard). Hover and decode are local-only; verify and mint only call out when explicitly invoked.

Reverse-chronological archive of every public release. Color-coded category stripes (protocol / sdk / dev-tool / page / extension / infra). Linked from every page via the footer. The homepage "Just shipped" panel covers the most recent week; this page is the durable archive of everything before.

Live status page: runs the 3-scenario trust contract (allow / tampered / revoked) against the production verifier on page load, shows the demo issuer's CRL live, lists 16 GitHub repos + 15 production surfaces + spec version + heuristic phishing list count. If the trust contract ever regresses, the status dot turns red and shouts "INVESTIGATE."

5-line YAML to drop AgentPKI verification into any CI workflow. Asserts allow / deny / specific failure_reason against the live verifier. Composite action — runs on ubuntu, macos, and self-hosted runners with no Node, Docker, or jq required. Self-tests itself daily against the live demo issuer.

7 folders, 9 requests covering Mint → Verify → Abuse → Snapshots → Heuristic → Directory → Bootstrap Claim. Mint request auto-populates {{sample_token}} via test script so the Verify request chains zero-setup. Imports cleanly into Postman or Insomnia.

Glowing emerald-bordered panel on the homepage between the 4 main layer cards and the Layer 05+ teaser. 8 cards (CLI, MCP, Scopes, OpenAPI, Browser SDK, GitHub Action, Postman, VS Code, plus a "Try them together" CTA). Animated pulse dot + shimmer border. Pill counter ("8 NEW") visible from across the page.

npm i -g agentpki. Subcommands: mint, verify, decode, tamper, check, crl, init, help. Pipe-friendly: every command writes the canonical result to stdout. `agentpki mint | agentpki verify -` and `agentpki mint | agentpki tamper - | agentpki verify -` work. Exit codes 0/1/2 make it CI-shaped.

5 Model Context Protocol tools so Claude Desktop / Cursor / any MCP-aware client can verify, mint, decode, look up kid status, and check any URL's AgentPKI-Token header — all from chat. Cloudflare Workers. JSON-RPC 2.0 over HTTP.

Pre-built scope packages so issuers, agents, and verifiers all speak the same language. Categories: commerce, scheduling, news, medical, financial. Helpers: union(), satisfies(), parse(). Published to npm under @agentpki/scopes.

Full machine-readable spec at /openapi.yaml covering every public endpoint (verifier, demo issuer, claim API, snapshot store, abuse pipeline, heuristic check, directory). /api-docs renders Swagger UI from it. Import to Postman, Insomnia, or any OpenAPI tool.

5 KB drop-in script tag for any webpage. agentpki.verify(token), agentpki.decode(token), agentpki.mintDemo(), agentpki.tamper(), agentpki.checkUrl(). No build step. CORS open. Cache-Control: max-age=3600.

Real Node project with @agentpki/sdk pre-wired. Three npm scripts (demo:allow / demo:tamper / demo:revoked) that exercise the full trust contract end-to-end with honest exit codes — doubles as a CI regression check. Includes .devcontainer/devcontainer.json so Codespaces and StackBlitz both work out of the box. Bonus demo:agent shows the 5-line signed-Anthropic drop-in.

curl -fsSL https://agentpki.dev/bootstrap | sh (or iwr https://agentpki.dev/bootstrap.ps1 | iex on Windows). Prompts for email, derives a deterministic subdomain via /api/v1/bootstrap-claim, runs three scenarios (allow / tampered / revoked) against the live verifier, prints all three verdicts with real failure_reason codes plus a 24h shareable permalink. Six real HTTP calls in ~1 sec.

Interactive accordion of 4 paths (browser, cloud IDE, terminal, existing agent) — only one path open at a time, strong open-state styling. Tamper Lab and Revoked-Key Lab let the user pick what to corrupt or which kid to sign with, in 3 stages each. CI-style runner that streams all 3 trust-contract verdicts from the browser. All real HTTP, no animations.

Adds: CRL (/.well-known/agentpki-crl.json), abuse aggregation (POST /v1/abuse), replay cache (5-min jti window), KV-backed directory cache (<5ms cache hits). Spec markdown indexed at /spec/v0.1 and /spec/v0.2 for diff visibility.

Paste any PASETO token, see a structured verdict card. Heuristic checks against 5,000+ phishing domains (PhishStats + OpenPhish + URLhaus, daily refresh GitHub Actions cron). Shareable result permalinks at /check/result/<id> with 24h TTL. /widget.js embed for third-party sites. Scam-reporting flow with optional consented screenshot.

Watches outbound HTTPS for AgentPKI-Token response headers as you browse. Inline-verifies via verify.agentpki.dev. Popup shows trusted-issuer ✓ or reputation warning. Activity log. One-click abuse-report modal. Settings UI for trust-tier preferences. Built across a 7-day cycle. Submitted to Chrome Web Store (in review).

Next.js + Postgres + magic-link auth via Resend. Bring a domain → verify via DNS TXT → generate Ed25519 signing keys (one-time reveal) → mint production passports. Full self-serve flow, including delete-issuer.

Production-grade Cloudflare Worker template. Real-issuer with full wrangler.toml coverage and static-directory Path B fallback. We are our own first issuer.

Exports signPassport, verifyPassport, AgentPKI client (drop-in fetch wrapper that attaches PASETO + RFC 9421 Content-Digest + Signature). 21/21 tests passing. Initial 0.1.0-alpha.1, then 0.2.0-alpha.1 with v0.2 features.

Byte-compatible wire format with the TypeScript SDK. 21/21 tests passing.

Cloudflare Worker. Sub-50ms p99 globally. KV-backed issuer-pubkey cache. Durable Object replay detection. CRL revocation checking.

RFC-style document at /spec/v0.1. PASETO v4 + Ed25519. Apache 2.0.