Verify a .kolm at the edge.

Step 1 . 60 seconds

Install wrangler and the verifier package.

$ npm install -g wrangler
$ wrangler init kolm-edge-verify
$ cd kolm-edge-verify
$ npm install kolm-verify-edge

Step 2 . 2 minutes

Add the worker.

The Worker reads the `X-Kolm-Receipt` header on every inbound request and verifies it against the artifact CID before letting the request reach your origin.

// src/index.ts
import { verifyReceipt, cidFromManifest } from 'kolm-verify-edge';

export default {
  async fetch(req: Request, env: Env): Promise<Response> {
    const receipt = req.headers.get('X-Kolm-Receipt');
    if (!receipt) return new Response('missing receipt', { status: 401 });

    const ok = await verifyReceipt(receipt, env.KOLM_VERIFY_KEY);
    if (!ok) return new Response('invalid receipt', { status: 403 });

    // receipt valid - forward to origin
    return fetch(req);
  },
};

Step 3 . 30 seconds

Add the public verify key as a Worker secret.

$ wrangler secret put KOLM_VERIFY_KEY
# paste the kolm.ai org public key, available at:
# https://kolm.ai/.well-known/kolm/keys.json

Step 4 . 30 seconds

Deploy.

$ wrangler deploy

  k o l m  /  cloudflare
deployed kolm-edge-verify
  endpoint: https://kolm-edge-verify.your-acct.workers.dev
  size:     14.2 KB (uncompressed) / 5.8 KB (gzip)
  p50:      0.84 ms (london .. ord .. sfo)

Step 5 . 60 seconds

Point your origin at the worker.

Either set the Worker as a route on your zone, or point your client traffic at the worker URL directly. Every request that reaches origin has a receipt that passed at the edge.

$ wrangler route add "api.your-domain.com/*" kolm-edge-verify