Deploy the Hive certificate verifier to your own Cloudflare account in 5 minutes. Ed25519 + ML-DSA-65 hybrid verification — completely independent of hivemorph.onrender.com on the hot path.
The verifier runs in your Cloudflare account — not on hivemorph.onrender.com. JWKS public keys are cached at each Cloudflare POP with a 5-minute TTL via Workers KV. The hot verification path makes zero outbound requests.
Cold JWKS fetches (once per 5 min per POP) hit hivemorph in the background via ctx.waitUntil, so the response to your caller is never blocked.
The verifier ships as a Cloudflare Worker. You need a Cloudflare account (free tier works) and Node.js 18+.
Request access at [email protected] — you'll receive a private GitHub link within 24 hours.
git clone git@github.com:hiveciv/hive-edge-verifier.git
cd hive-edge-verifier
npm install
The verifier uses Cloudflare KV to cache the JWKS public keys at each edge POP.
npx wrangler kv:namespace create JWKS_CACHE
Copy the output id and paste it into wrangler.toml under [[kv_namespaces]].
npx wrangler login
npx wrangler deploy
Your verifier is live at https://hive-edge-verifier.<account>.workers.dev
# Health check
curl https://hive-edge-verifier.<account>.workers.dev/v1/health

# Verify a Hive cert
curl -X POST https://hive-edge-verifier.<account>.workers.dev/v1/verify \
  -H "Content-Type: application/json" \
  -d '{
    "cert": {
      "cert_id": "04364b3e08d54264b06443693ddf504b",
      "agent_did": "did:hive:agent:edge-verifier-001",
      "controller_did": "did:hive:controller:thehiveryiq",
      "ed25519_signature": "fJD7UEYzekkAGCXIMFfhu5Umw...",
      "mldsa65_signature": "RFNBLVNUVUIt...",
      ...
    }
  }'
All libraries run without Node.js APIs and are compatible with the pure Workers runtime. Ed25519 needs no WASM blobs because it uses native WebCrypto. ML-DSA-65 runs as pure JS with @noble/post-quantum.
BASE=https://hive-edge-verifier.<account>.workers.dev

# Health — returns { ok, version, edge_pop, ts, runtime }
curl "$BASE/v1/health"

# JWKS — Ed25519 + ML-DSA-65 public keys (5-min cached)
curl "$BASE/v1/verify/jwks"

# Verifier metadata
curl "$BASE/.well-known/hive-verifier"

# Verify a cert (hybrid mode, both sigs checked)
curl -X POST "$BASE/v1/verify" \
  -H "Content-Type: application/json" \
  -d '{"cert": {...}, "mode": "hybrid"}'

# Ed25519 only (skip ML-DSA-65)
curl -X POST "$BASE/v1/verify" \
  -H "Content-Type: application/json" \
  -d '{"cert": {...}, "mode": "ed25519_only"}'
Verifier is 100% independent from hivemorph.onrender.com on the hot path. JWKS cached at the Workers edge.
Ed25519 (WebCrypto native) + ML-DSA-65 (@noble/post-quantum). Both must pass in hybrid mode.
RFC 8949 deterministic CBOR encoding of cert body before signature verification — matches the did:hive spec signing domain.
Workers KV caches JWKS per POP with 5-min TTL. Background refresh via ctx.waitUntil — no blocking on cache miss.
Cert body accepted as JSON object or CBOR base64 string. Content-type auto-detected from request headers.
Full CORS support, /.well-known/hive-verifier metadata endpoint, and /v1/verify/jwks for key discovery.
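The deterministic CBOR step listed above matters because a signature covers bytes, not JSON: two senders that order the same fields differently must still produce identical input to the verifier. The sketch below is an added example, not code from the hive-edge-verifier repo; it applies the RFC 8949 section 4.2.1 rules (shortest-form heads, map keys sorted by their encoded bytes) to a constructed cert body. The names head, cmpBytes, encode and toHex and the sample fields are hypothetical, and which fields make up the signed body is defined by the did:hive spec, which this page does not reproduce.

```javascript
// Added example: minimal RFC 8949 section 4.2.1 deterministic CBOR encoder.
// Handles integers, text, bytes, arrays, maps, booleans, null; floats are rejected.
const utf8 = new TextEncoder();

// Major type plus argument, always in the shortest (preferred) form.
function head(major, n) {
  const m = major << 5;
  if (n < 24) return [m | n];
  if (n < 0x100) return [m | 24, n];
  if (n < 0x10000) return [m | 25, n >> 8, n & 0xff];
  if (n < 0x100000000) return [m | 26, n >>> 24, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff];
  const out = [m | 27];
  for (let i = 7; i >= 0; i--) out.push(Number((BigInt(n) >> BigInt(8 * i)) & 0xffn));
  return out;
}

// Bytewise lexicographic comparison of two encoded keys.
function cmpBytes(a, b) {
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return a.length - b.length;
}

function encode(v) {
  if (v === false) return [0xf4];
  if (v === true) return [0xf5];
  if (v === null) return [0xf6];
  if (typeof v === "number") {
    if (!Number.isSafeInteger(v)) throw new TypeError("non-integer numbers not supported here");
    return v >= 0 ? head(0, v) : head(1, -1 - v);
  }
  if (typeof v === "string") { const b = utf8.encode(v); return [...head(3, b.length), ...b]; }
  if (v instanceof Uint8Array) return [...head(2, v.length), ...v];
  if (Array.isArray(v)) return [...head(4, v.length), ...v.flatMap((x) => encode(x))];
  if (typeof v === "object" && Object.getPrototypeOf(v) === Object.prototype) {
    // Sort map entries by the encoded bytes of their keys, not by JS string order.
    const pairs = Object.entries(v).map(([k, x]) => [encode(k), encode(x)]);
    pairs.sort((p, q) => cmpBytes(p[0], q[0]));
    return [...head(5, pairs.length), ...pairs.flatMap(([k, x]) => [...k, ...x])];
  }
  throw new TypeError("unsupported type: " + typeof v);
}

const toHex = (bytes) => bytes.map((x) => x.toString(16).padStart(2, "0")).join("");
// Constructed sample bodies: identical fields, different key order.
const sampleA = { cert_id: "abc", agent_did: "did:hive:agent:example", seq: 500 };
const sampleB = { seq: 500, agent_did: "did:hive:agent:example", cert_id: "abc" };
console.log(toHex(encode(sampleA)) === toHex(encode(sampleB)));
```

Rejecting unsupported values instead of guessing an encoding keeps the verifier from checking a signature over bytes the signer never produced.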
hivemorph will publish the FIPS 204 ML-DSA-65 public key in its JWKS endpoint. The verifier auto-upgrades from stub-mode to full lattice verification — no code change required.
When /v1/purity/cert/issue ships, the verifier will support a unified 24-axis entropy bundle spanning Wave-Lattice (6-axis MAPET) + Loess (18-axis environmental anchor). POST /v1/verify will accept type: "bundle".
Verify the kem_ct field in receipt_envelope using FIPS 203 key encapsulation.
Real-time revocation status query against the did:hive registry at verification time, with configurable caching TTL.
Distributed rate limiting for bulk verification workloads using Cloudflare Durable Objects — per-DID and per-IP quotas.
The repo is available to security partners and enterprises on request. Contact [email protected] with subject line Edge Verifier Access — we'll send you the private GitHub link within 24 hours.