About
verify.kxco.ai is an independent verifier for post-quantum signed deploy attestations produced by sites using kxco-post-quantum.
How it works
- You paste a URL that exposes a JSON attestation manifest.
- Your browser fetches the manifest directly from that site (no KXCO proxy).
- The kxco-verify library — loaded in this tab — runs the ML-DSA-65 (NIST FIPS 204) signature math against the public key the manifest declared.
- Your browser fetches the site's /.well-known/...-pq-pubkey endpoint to confirm the declared key is still the live one.
- You see one of three results: VALID, ROTATED, or INVALID.
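The decision step at the end of the list above, as an added example (not kxco-verify's own code). It assumes both responses are already decoded to raw bytes, that `verifySignature` comes from whichever ML-DSA-65 library is in use, and that ROTATED means "signature verifies, but the declared key is not the live one". All names are hypothetical; the byte sizes are the ML-DSA-65 values from FIPS 204.

```javascript
// Added example, not kxco-verify code. Sizes are the ML-DSA-65 values from NIST FIPS 204.
const MLDSA65_PUBLIC_KEY_BYTES = 1952;
const MLDSA65_SIGNATURE_BYTES = 3309;

// Compare raw key bytes, so the result does not depend on text encoding or padding.
function sameBytes(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

// Hypothetical inputs: bytes decoded from the manifest (message, signature,
// declaredKey) and from the site's pubkey endpoint (liveKey, or null if that
// fetch failed). verifySignature(publicKey, message, signature) -> boolean.
function classifyAttestation({ message, signature, declaredKey, liveKey }, verifySignature) {
  // Reject malformed inputs before any signature math runs.
  if (!(declaredKey instanceof Uint8Array) || declaredKey.length !== MLDSA65_PUBLIC_KEY_BYTES) {
    return { result: "INVALID", reason: "declared key is not ML-DSA-65 sized" };
  }
  if (!(signature instanceof Uint8Array) || signature.length !== MLDSA65_SIGNATURE_BYTES) {
    return { result: "INVALID", reason: "signature is not ML-DSA-65 sized" };
  }
  let ok = false;
  try {
    ok = verifySignature(declaredKey, message, signature) === true;
  } catch (_) {
    ok = false; // a throwing verifier is treated as a failed verification
  }
  if (!ok) return { result: "INVALID", reason: "signature does not verify under the declared key" };

  // The signature is good; VALID additionally requires the declared key to be live.
  if (liveKey instanceof Uint8Array && sameBytes(declaredKey, liveKey)) {
    return { result: "VALID", reason: "signature verifies and the declared key is live" };
  }
  // Assumption: a different or unconfirmed live key is reported as ROTATED, never VALID.
  return { result: "ROTATED", reason: "signature verifies but the declared key is not the live key" };
}
```

Even the VALID branch only establishes possession of the private key for the declared public key; nothing in it identifies the signer.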
Trust model — read this carefully
- "Verified" is a math claim, not an endorsement. A green card means the site possesses the private key that corresponds to the public key it published. It does not mean KXCO has vetted the site, its operator, its contents, or its trustworthiness.
- There is no KXCO-controlled registry of approved sites. Anyone can run kxco-post-quantum, generate a keypair in 30 seconds, and publish a self-signed attestation. The verifier confirms that the signature is internally consistent; it confirms nothing about who the signer is.
- KXCO operates this verifier but does not perform any of the cryptography on a KXCO server. All verification runs inside your browser tab. You can read the source of kxco-verify on GitHub, run it yourself locally with npm install kxco-verify, or implement an alternative verifier from the wire format spec, and get the same result.
- The verifier itself is open source under Apache 2.0. The library and this web app's source are independent of the (MIT-licensed) signer. The two never share code, so the verifier cannot be tricked into trusting an unverified key by any change to the signer.
What's coming
- A domain ↔ key registry (Phase 2) that lets sites declare an authoritative kid via a discoverable record. The verifier will warn loudly when a key was used outside that record.
- A transparency log of every attestation seen by the verifier, anchored to a public chain, so a fraudulent self-signing can't be backdated.
- A browser extension that surfaces the verification result in the URL bar of any kxco-signed site without having to paste anything.