1. Pick an endpoint to verify
or paste your own signed response URL2. Verification result
pending-
·
Fetch — pull the signed response and the public keys.
-
·
SHA-256 integrity — recompute
sha256(body)and confirm it equals thex-epoch-dkap-resp-hashheader. -
·
Ed25519 classical signature — verify
x-epoch-classical-sigover the 32-byte seal using the published Ed25519 public key (RFC 8032). -
·
ML-DSA-65 post-quantum signature — verify
x-epoch-pqc-sigover the same seal using the published 1952-byte ML-DSA-65 public key (NIST FIPS 204, finalized 13 Aug 2024). -
·
Provenance anchor — check that
x-epoch-dkap-rasandx-epoch-dkap-genesismatch the published RAS root and genesis seal.
3. Envelope inspector
raw headers4. Response body
JSON—
How this works
Every response from q-routed.com/q/* ships a co-signature in
HTTP headers: an Ed25519 signature (the classical algorithm everyone
trusts today) and an ML-DSA-65 signature (the lattice-based algorithm
NIST finalized for the post-quantum era). Both sign the same 32-byte
commitment — the “seal” — that anchors the response into
EpochCore’s D-KaP chain.
This page does the verification entirely in your browser. The crypto comes from @noble/ed25519 and @noble/post-quantum — both audited, dependency-free, pure-JavaScript implementations, vendored locally (served from this origin, never a third-party CDN). Open the dev console: every network request, hash, and signature check is visible.
Why this matters. A skeptic doesn’t have to trust EpochCore that its responses are post-quantum-signed. They run this page, pick any endpoint, and watch the signatures verify against the public keys pinned into this page—not keys handed over by the vendor at request time. The whole audit takes one second. There is no harder claim to falsify.
The same protocol is implemented as a Python CLI for offline audit
(epochcore_verifier.py, in the accompanying buyer package).
This web verifier and the Python CLI agree byte-for-byte.