AUTHENTICATED POST-DEPLOYMENT CONTROL
Runtime protection for npm packages. Encrypt your source code with server-side key management. The key never exists in the bundle.
Copy the prompt below and paste it to Claude, ChatGPT, or Cursor to integrate REGISTRY automatically.
Get API key
Encrypt dist folder
npm publish
Auto-decrypts
Authenticate with the CLI. Browser opens automatically.
# Run the protect command
npx sekyuriti-protect ./dist
# If not logged in, browser opens automatically
# Complete login in browser → CLI receives tokenRun the CLI command
npx sekyuriti-protect ./dist
Browser opens to login page
sekyuriti.build/auth/cli?token=...
Sign in with your account
Google, GitHub, or email
CLI receives authentication
Token stored locally, protection continues
Optional. CLI handles authentication automatically.
Encrypt your dist folder. Source is transformed with SYKRYPT v6.
# Basic protection
npx sekyuriti-protect ./dist
# With explicit package ID
npx sekyuriti-protect ./dist --package-id abc123
# With output directory
npx sekyuriti-protect ./dist --out ./protected-distEach .js file is encrypted with SYKRYPT v6
6 transformation layers + AES-256-GCM
A manifest is generated with file metadata
Hashes, sizes, entry points
A loader.js is created that handles runtime decryption
Calls /verify endpoint, decrypts in memory
Key is stored server-side
Never in the bundle
Update package.json and publish normally. Zero friction.
{
"name": "@your-org/protected-package",
"version": "1.0.0",
"main": "dist/index.js",
"exports": {
".": {
"types": "./dist/index.d.ts",
"import": "./dist/index.mjs",
"require": "./dist/index.js"
},
"./loader": {
"types": "./dist/loader.d.ts",
"import": "./dist/loader.mjs",
"require": "./dist/loader.js"
}
},
"files": [
"dist"
]
}# Publish as normal
npm publish
# Or with scope
npm publish --access publicThey npm install and require() normally. The loader handles everything transparently.
The /verify endpoint is public. End users never need credentials.
Multi-layer protection at every stage.
The decryption key never exists in the published package. When require() is called, the loader contacts the /verify endpoint to retrieve the key. This happens in memory only.
Decrypted code runs in an isolated Node.js VM context. Dangerous globals are blocked.
The loader validates that the global fetch is native and unmodified. Hooked or polyfilled fetch implementations are rejected to prevent request interception.
CLI commands and verification endpoint.
Encrypt a dist folder for npm distribution.
sekyuriti-protect <dist-path> [options]
Options:
--package-id <id> Package ID from dashboard
--out <path> Output directory (default: overwrites dist)
--api-key <key> API key (or use env var)
--help Show help
Examples:
sekyuriti-protect ./dist
sekyuriti-protect ./dist --package-id abc123 --out ./protectedVerify package and retrieve decryption key. No API key required.
// Request
POST https://sekyuriti.build/api/v2/registry/verify
Content-Type: application/json
{
"package_id": "abc123",
"file": "index.js"
}
// Response (success)
{
"verified": true,
"key": "base64-encoded-key",
"algorithm": "aes-256-gcm"
}
// Response (failure)
{
"verified": false,
"error": "Package not found"
}require('@your-org/package')Standard require. Loader intercepts, verifies, decrypts, and returns exports.
require('@your-org/package/loader')Direct loader access. Returns loader utilities if needed.