Post-quantum deploy verifier
Paste a URL that exposes a kxco-post-quantum attestation endpoint (typically /api/attestation or /api/.well-known/kxco-pq-attestation). We run the signature math in your browser using kxco-verify. Nothing is sent to a KXCO server.
Site doesn't allow cross-origin fetch? Paste the JSON instead.
If the attestation endpoint doesn't serve Access-Control-Allow-Origin: *, your browser will block the fetch. Run curl <url> in a terminal, paste the JSON body here, and we'll verify it the same way.
What "verified" means here
- It means: the signature mathematically checks out against the public key the site itself declared, AND that public key currently matches the one served at the site's well-known endpoint.
- It does not mean: KXCO has vetted this site, its content, its operator, or anything else about it. A signature only proves the publisher possesses the private key — nothing about who that publisher is or whether you should trust them.
- Three possible results: VALID (signature checks out, kid matches live), ROTATED (signature is valid but the live key has changed since the attestation — usually mid-rotation), INVALID (signature does not check out).
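The three outcomes above can be reproduced with a small Node.js sketch. This is an added example, not kxco-verify's code or API: Ed25519 stands in for the post-quantum signature scheme, and the attestation fields (payload, publicKey, signature) and the SHA-256 key id are assumptions made for illustration.

```javascript
// Added example, not kxco-verify's own code. Ed25519 stands in for the
// post-quantum scheme; the payload/publicKey/signature fields are hypothetical.
const crypto = require("node:crypto");

// Assumed key id: SHA-256 over the DER-encoded public key.
function kidOf(publicKeyB64) {
  return crypto.createHash("sha256").update(Buffer.from(publicKeyB64, "base64")).digest("hex");
}

// Publisher side: sign a payload and declare the public key that signed it.
function makeAttestation(keyPair, payload) {
  const publicKey = keyPair.publicKey.export({ type: "spki", format: "der" }).toString("base64");
  const signature = crypto.sign(null, Buffer.from(payload), keyPair.privateKey).toString("base64");
  return { payload, publicKey, signature };
}

// Verifier side: check the signature against the declared key, then compare
// that key's id with the one currently served at the well-known endpoint.
function classify(attestation, liveKid) {
  let ok = false;
  try {
    const key = crypto.createPublicKey({
      key: Buffer.from(attestation.publicKey, "base64"), format: "der", type: "spki",
    });
    ok = crypto.verify(null, Buffer.from(attestation.payload), key,
      Buffer.from(attestation.signature, "base64"));
  } catch {
    ok = false; // malformed key or signature is treated as INVALID
  }
  if (!ok) return "INVALID";
  return kidOf(attestation.publicKey) === liveKid ? "VALID" : "ROTATED";
}

// Constructed sample data covering the three outcomes.
function demo() {
  const current = crypto.generateKeyPairSync("ed25519");
  const next = crypto.generateKeyPairSync("ed25519");
  const att = makeAttestation(current, JSON.stringify({ origin: "https://example.test" }));
  const nextKid = kidOf(makeAttestation(next, "rotation").publicKey);
  const tampered = { ...att, payload: att.payload.replace("example.test", "other.test") };
  return {
    valid: classify(att, kidOf(att.publicKey)),
    rotated: classify(att, nextKid),
    tampered: classify(tampered, kidOf(att.publicKey)),
    badKey: classify({ ...att, publicKey: "AAAA" }, kidOf(att.publicKey)),
  };
}

console.log(demo());
```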