SDK packages

The Ratify Protocol ships reference SDKs in four languages. All four are byte-for-byte interoperable — they produce identical canonical JSON, identical hybrid signatures, and pass the same 59-fixture conformance suite.

| Language | Registry | Package | Version | Install |
| --- | --- | --- | --- | --- |
| Go | pkg.go.dev | github.com/identities-ai/ratify-protocol | v1.0.0-alpha.6 | go get github.com/identities-ai/ratify-protocol@v1.0.0-alpha.6 |
| TypeScript | npm — coming soon | @identities-ai/ratify-protocol | 1.0.0-alpha.6 | (install from source until org is approved — see below) |
| Python | PyPI | ratify-protocol | 1.0.0a6 | pip install ratify-protocol==1.0.0a6 |
| Rust | crates.io | ratify-protocol | 1.0.0-alpha.6 | cargo add ratify-protocol@1.0.0-alpha.6 |

All four versions are released atomically — every tagged release of the protocol contains the same version of every SDK. A consumer using v1.0.0-alpha.6 in Go and v1.0.0-alpha.6 in Python is guaranteed to produce and verify byte-identical bundles.

Install from source (TypeScript while npm is pending)

git clone https://github.com/identities-ai/ratify-protocol
cd ratify-protocol/sdks/typescript
npm install
npm run build # → dist/
# Then in your own project, point to the local build:
npm install ../ratify-protocol/sdks/typescript

Once @identities-ai is approved on npm, the canonical install will be:

npm install @identities-ai/ratify-protocol@1.0.0-alpha.6

Verifying you’ve installed the real thing

Each registry exposes the source of every published version. To prove the package you installed matches the repo:

# Python — PyPI lets you download the wheel directly
pip download ratify-protocol==1.0.0a6 --no-deps -d /tmp
# Compare the wheel's sha256 against the GitHub Release's sha256
# Rust — crates.io publishes via the same git tag
cargo install --version 1.0.0-alpha.6 --git https://github.com/identities-ai/ratify-protocol
# Then run cargo test in the install dir → all 59 fixtures pass
# Go — the Go module proxy serves directly from the GitHub tag
GOPROXY=https://proxy.golang.org go get github.com/identities-ai/ratify-protocol@v1.0.0-alpha.6
# pkg.go.dev shows the source view linked back to the GitHub repo

The conformance fixtures are the practical interop check: any SDK passing all 59 produces the same canonical bytes as every other SDK at that version.
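
The Python step above leaves the hash comparison as a comment. As an added example (not part of the Ratify documentation or SDKs), these shell functions perform that comparison and fail closed when the checksum list has no entry, several entries, or a malformed digest for the file. The checksum-list name `SHA256SUMS`, its `sha256sum`-style layout, and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed SHA-256 check of a downloaded artifact against a
# checksum list in sha256sum format ("<hex>  <filename>", one entry per line).
# Assumption: the list's name and layout are illustrative, not from the page.

sha256_of() {
    # Print the hex SHA-256 of file $1 with whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_artifact() {
    # $1 = artifact path, $2 = checksum list. Returns 0 only on an exact match.
    artifact=$1; sums=$2
    [ -f "$artifact" ] && [ -f "$sums" ] || { echo "missing input" >&2; return 2; }
    name=$(basename "$artifact")
    # Match the file name exactly (a leading "*" marks binary mode in the list).
    expected=$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f)} f==n {print tolower($1)}' "$sums")
    # Fail closed: zero entries or several entries for the name is not a pass.
    count=$(printf '%s\n' "$expected" | grep -c . || true)
    [ "$count" -eq 1 ] || { echo "no unique checksum entry for $name" >&2; return 3; }
    # Reject a digest that is not exactly 64 hex characters.
    printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$' || { echo "malformed digest" >&2; return 4; }
    actual=$(sha256_of "$artifact")
    if [ "$actual" = "$expected" ]; then
        echo "OK $name"
    else
        echo "MISMATCH $name: expected $expected, got $actual" >&2
        return 1
    fi
}

# Constructed demo input (not real release data): a stand-in file and its list.
demo=$(mktemp -d)
printf 'constructed wheel bytes\n' > "$demo/sample-1.0.0a6.whl"
printf '%s  sample-1.0.0a6.whl\n' "$(sha256_of "$demo/sample-1.0.0a6.whl")" > "$demo/SHA256SUMS"
verify_artifact "$demo/sample-1.0.0a6.whl" "$demo/SHA256SUMS"
```

For installs rather than downloads, pip's hash-checking mode (`--require-hashes` with `--hash=sha256:...` entries in the requirements file) enforces the same comparison at install time.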

All four SDKs are published from a single CI pipeline triggered by a v* tag:

git tag v1.0.0-alpha.7
git push origin v1.0.0-alpha.7
┌─────────────────────────────────────────────┐
│ .github/workflows/release.yml fires         │
│                                             │
│ 1. gate-tests:                              │
│     - Go tests + race detector              │
│     - Test vectors regenerate byte-ident.   │
│     - Release-sync (versions aligned)       │
│     - TS conformance (59 fixtures)          │
│     - Python conformance (59 fixtures)      │
│     - Rust conformance (59 fixtures)        │
│     - Tag ↔ SDK version coherence           │
│                                             │
│ 2. If all pass:                             │
│     - publish-pypi (Trusted Publisher OIDC) │
│     - publish-crates (token)                │
│     - publish-npm (token, when enabled)     │
│     - publish-go (pkg.go.dev auto-warm)     │
│     - github-release (notes + testvectors)  │
└─────────────────────────────────────────────┘

Any conformance failure blocks the entire release. There is no “publish Python but skip the broken Rust” path — versions stay aligned by design.

See the protocol repo’s docs/RELEASES.md for the full release process and recovery procedures.

During the alpha series, fixture bytes may change between versions. Each alpha release documents the diff in the GitHub Release notes. Consumers pinning to alpha.5 and alpha.6 should expect a small migration.

After 1.0.0 stable ships, fixture bytes are frozen for the entire v1 lifetime. Minor and patch releases add new optional fields and new scopes without changing existing byte representations.