VerifyKit SDK
VerifyKit is a modular PDF signature verification SDK for JavaScript and TypeScript. It is powered by a Rust/WASM core engine that performs all cryptographic operations with zero external dependencies, delivering 3.7x faster verification than equivalent JavaScript implementations.
The SDK ships as a set of npm packages that work independently or together. Use the headless core for server-side verification, the React library for a full-featured viewer, or the vanilla package for a zero-build drop-in solution.
Key Features
-
8-point verification model -- every signature is checked across eight dimensions: document integrity, signature validity, certificate chain trust, certificate expiry, timestamp verification, revocation status, algorithm strength, and extended key usage (EKU). Each check produces an independent status, giving you full visibility into why a signature passed or failed.
-
Rust/WASM core -- all cryptographic operations (hash computation, RSA/ECDSA verification, ASN.1 parsing, certificate chain building) run inside a compiled WebAssembly module. No OpenSSL, no external crypto libraries, no native add-ons to install. The WASM binary is base64-embedded (v0.3.1+), so it works in Vite, webpack, Next.js, Node.js, Deno, and Bun with zero bundler configuration.
-
PAdES compliant -- supports PAdES B-B (basic), B-T (with trusted timestamp), B-LT (with long-term validation data), and B-LTA (with archival timestamps) conformance levels as defined by ETSI EN 319 142.
-
Plugin architecture -- the React viewer ships with 24 composable plugins covering toolbar actions, sidebar panels, page navigation, search, thumbnails, zoom controls, print, download, and more. Enable only what you need.
-
React + Vanilla JS -- use the full React component library with hooks, context providers, and composable plugins, or drop in a single
<script>tag with the vanilla UMD bundle for zero-build integration. -
Browser + Node.js -- run signature verification client-side in the browser for immediate user feedback, or headless on the server for batch processing and CI pipelines.
-
Theming -- light, dark, and system-auto modes with 100+ CSS custom properties. Every color, spacing value, and border radius can be overridden without touching JavaScript.
-
Accessibility -- built-in UI font scale control with four presets (compact, default, large, extra-large). Scales all viewer text, toolbar buttons, and panel elements. User preferences persist to localStorage automatically.
-
TypeScript first -- complete type definitions ship with every package. All public APIs, hook return types, plugin interfaces, and verification result structures are fully typed.
Packages
All packages follow lockstep versioning.
| Package | Description | Runtime |
|---|---|---|
@trexolab/verifykit-core | Rust/WASM signature verification engine | Browser + Node.js |
@trexolab/verifykit-react | React PDF viewer with plugin-based architecture | Browser (React 19+) |
@trexolab/verifykit-vanilla | Zero-build CDN/UMD drop-in viewer | Browser |
@trexolab/verifykit-plugin-revocation | Online CRL/OCSP revocation checking (proxy mode for browser, direct mode for Node.js) | Browser + Node.js |
How Packages Relate
@trexolab/verifykit-plugin-revocation ──> @trexolab/verifykit-core
@trexolab/verifykit-react ──────────────> @trexolab/verifykit-core
@trexolab/verifykit-vanilla ────────────> @trexolab/verifykit-react ──> @trexolab/verifykit-core
Core (@trexolab/verifykit-core) is the headless verification engine. It loads a compiled Rust/WASM binary, parses PDF signature fields, and runs the full 8-point verification pipeline. All other packages depend on it.
React (@trexolab/verifykit-react) wraps core with a complete PDF viewing UI built on React 19. It provides a context-based provider, hooks for verification state, and a plugin system for composing viewer features.
Vanilla (@trexolab/verifykit-vanilla) wraps the React package into a single UMD script that can be loaded via <script> tag. No build tools, no framework knowledge required -- just include the script and call VerifyKit.create().
Plugin-revocation (@trexolab/verifykit-plugin-revocation) extends core with online certificate revocation checking via CRL and OCSP. Without this plugin, the core engine only reads revocation data embedded in the PDF itself.
The core engine also supports AIA (Authority Information Access) certificate chain resolution -- when a PDF does not embed the full certificate chain, the engine can automatically fetch missing intermediate certificates from AIA URLs to complete the chain. This is enabled by default.
Trust Store
The core engine ships with 119 embedded root CA certificates from the Adobe Approved Trust List (AATL). This means signature verification works out of the box for documents signed with certificates issued by Adobe-trusted CAs.
For enterprise deployments, you can merge your own root certificates into the built-in store or replace it entirely. See the Core API Reference for trustStore configuration details.
Browser and Runtime Support
| Environment | Minimum Version |
|---|---|
| Chrome | 109+ |
| Firefox | 115+ |
| Safari | 16.4+ |
| Edge | 109+ |
| Node.js | 20.19.0+ |
All environments must support ES2022+, structuredClone, and WebAssembly. The React package requires React 19 or later.
Choose Your Path
Building a React application?
Install @trexolab/verifykit-react. It includes core as a dependency and provides a complete viewer with toolbar, sidebar, signature panel, and verification status indicators. One provider component, one hook, and you have a working PDF viewer with signature verification. Note: the workerUrl option is required in VerifyKitProvider config -- use https://unpkg.com/pdfjs-dist@5.5.207/legacy/build/pdf.worker.min.mjs or self-host the worker file.
Need server-side or CLI verification?
Install @trexolab/verifykit-core. The headless engine runs in Node.js with no DOM dependencies. Load a PDF, call verify(), and get structured results with status codes for each signature and each verification check.
Want a viewer on any web page without a build step?
Use @trexolab/verifykit-vanilla via CDN. Add a stylesheet link and a script tag to your HTML, call VerifyKit.create() with a workerUrl, and you have a fully functional viewer with signature verification. No npm, no bundler, no framework required.
Need online revocation checking?
Add @trexolab/verifykit-plugin-revocation alongside any of the above. It performs live CRL downloads and OCSP requests to verify that signer certificates have not been revoked.
Next Steps
- Installation -- registry configuration and package installation
- Quick Start -- working examples in under 5 minutes
- Core Concepts -- the 8-point verification model explained
- Core API Reference -- complete type and function reference
- Revocation Checking -- online CRL/OCSP revocation checking
- Examples -- practical, copy-paste-ready code recipes
- Architecture -- internals, plugin system, and build pipeline
- Customization -- theming, CSS variables, toolbar configuration
- Deployment -- production checklist, CSP, CDN, and environment notes
- Troubleshooting -- common issues and solutions
- Migration -- upgrade paths between SDK versions
- Glossary -- key terms and acronyms