Secure API ENgineering Toolkit

Usage no npm install needed!

<script type="module">
  import sapient from '';



Travis CI npm version

Sapient secures your Node.js applications' server-to-server HTTP(S) traffic even in the wake of a TLS security breakdown (compromised certificate authority, etc.).

Sapient allows you to quickly and easily add application-layer cryptography to your API requests and responses.

Features at a Glance

  • Secure APIs:
    • Shared-key encryption
      • XChaCha20-Poly1305
    • Shared-key authentication
      • HMAC-SHA512-256
    • Anonymous public-key encryption
      • X25519 + BLAKE2b + XChaCha20-Poly1305
    • Public-key digital signatures
      • Ed25519
  • Digital signatures and authentication are backwards-compatible with unsigned JSON API clients and servers
    • The signaure and authentication tag will go into HTTP headers, rather than the request/response body.

Installing Sapient

npm install --save sapient


Sapient uses Sodium-Plus internally. The default Sodium-Plus backend is cross-platform, but you can obtain greater performance by installing sodium-native too.

npm install --save sodium-native

This isn't strictly necessary, and sodium-native doesn't work in browsers, but if you're not targeting browsers, you can get a significant performance boost.

Basic Usage

See the request-promise documentation.

To use Sapient, you'll simply need to preprocess your options objects.

const rp = require('request-promise-native');
const {Sapient, SigningSecretKey} = require('sapient');

(async function () {
    let sk = await SigningSecretKey.generate();
    let request = {
        'method': 'POST',
        'uri': '',
        'form': {
            'important': 'some value that needs integrity',
            'test': 12345,
            'now': '2019-07-31T09:00:00+00:00'
    let response = await rp(await Sapient.signFormRequest(request, sk));
    try {
        await Sapient.verifySignedResponse(response, sk.getPublicKey());
    } catch (e) {

Real World Example

This code will fetch data from the PHP Chronicle, verify the signature, return an object representing the JSON data that we authenticated.

const rp = require('request-promise-native');
const {Sapient, SigningPublicKey} = require('sapient');

(async function () {
    let publicKey = SigningPublicKey.fromString(
    let request = {
        'method': 'GET',
        'uri': '',
        'resolveWithFullResponse': true
    let response = await rp(request);
    console.log(await Sapient.decodeSignedJsonResponse(response, publicKey));

This should result in the following (except with differing timestamps):

{ version: '1.1.x',
  datetime: '2019-07-31T03:37:48-04:00',
  status: 'OK',
   [ { contents: '{\n    "repository": "paragonie\\/certainty",\n    "sha256": "cb2eca3fbfa232c9e3874e3852d43b33589f27face98eef10242a853d83a437a",\n    "signature": "d368533011b7e9eb09d1cc3a78faef70adcd1188aaee7a47698e0783339275b9b506a982c98dee119969c599581275f76733e0c2f96380405faed1d8678a0302",\n    "time": "2019-05-15T16:26:42-04:00"\n}',
       prevhash: '1RrlFkZRs6Srb9W2cNh-cGAzk5bkd9sVEes6ZShJ-ZA=',
       currhash: '8wL2OsihjC2ihOfyjqs2YwvZbry11veuWucqjhz4f6Y=',
       summaryhash: 'WQG3tH3CiLHg_upN0ABhKiYWOGwH3n9l4pM04bXwG54=',
       created: '2019-05-15T16:26:45-04:00',
       publickey: 'mPLfrUEV_qnwlsNUhbO_ILBulKysO3rPYYWqWAYCA0I=',
       signature: 'W8OKNuUa8Bma0TpKWmYXxFdyvyuPaq87hvcD6VIwQgfxFowSPM5L_6q7p4FGcXDQtxP41qKHf-ANEfgxOqztAw==' } ] } 

Things that Use Sapient