This module implements a Roughtime client for Node.js v6.x and up.
Roughtime is a project that aims to provide secure time synchronisation.
With NTP, a third party can intercept and modify replies from the server. The reply you get is not necessarily and certainly not provably what the server sent.
Roughtime replies cannot be forged: they are cryptographically signed using Ed25519. Clients can also create audit trails to help weed out misbehaving servers (another common problem with NTP.)
See the Roughtime homepage for more information.
Midpoint is the server's idea of "now" relative to the UNIX epoch, expressed in microseconds.
Radius is the server's uncertainty about the midpoint, also expressed in microseconds.
The server asserts that the true time is within midpoint - radius/2 and
midpoint + radius/2.
Return-trip network latency is not accounted for. Expect that to be on the order of several milliseconds.
Leap seconds are smeared out over the course of a day.
Good ol' callback-style:
const roughtime = require('roughtime')
roughtime('roughtime.cloudflare.com', (err, result) => {
if (err) throw err
const {midpoint, radius} = result
console.log(midpoint, radius) // ex. "1537907399109000 1000000"
})
With promises:
const {promise: roughtime} = require('roughtime')
roughtime('roughtime.cloudflare.com').then(result => {
const {midpoint, radius} = result
console.log(midpoint, radius) // ex. "1537907399109000 1000000"
})
Or with async/await:
const {promise: roughtime} = require('roughtime')
async function f() {
const {midpoint, radius} = await roughtime('roughtime.cloudflare.com')
console.log(midpoint, radius) // ex. "1537907399109000 1000000"
}
f() // no top-level await yet in Node.js
roughtime currently knows about two public servers:
roughtime.cloudflare.comroughtime.sandbox.google.comTo query other servers, provide the host name and optionally the port number, and include the server's public key as a Buffer or Uint8Array:
const roughtime = require('roughtime')
const pubkey = Uint8Array.from([0,0,0,0,/*...*/]) // must be 32 bytes
const options = {
host: 'roughtime.example.com',
port: 1337, // default is 2002
pubkey: pubkey,
}
roughtime(options, (err, result) => {
// ...
})
If you want to plug in your own nonce or UDP socket, you can: the options are
called .nonce and .socket respectively. The nonce must be a 64 byte
Buffer or Uint8Array:
const roughtime = require('roughtime')
const {randomBytes} = require('crypto')
const host = 'roughtime.cloudflare.com'
const nonce = randomBytes(64)
const options = {host, nonce}
roughtime(options, (err, result) => {
// ...
})
Auditing is not implemented. The ecosystem isn't large enough yet to make it practical.
Merkle tree verification has only been lightly tested. I have yet to see a server in the wild return a reply that contains one.
FAQs
Secure time synchronisation
We found that roughtime demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
/Research
Socket found a Rust typosquat (finch-rust) that loads sha-rust to steal credentials, using impersonation and an unpinned dependency to auto-deliver updates.
Research
/Security Fundamentals
A pair of typosquatted Go packages posing as Googleâs UUID library quietly turn helper functions into encrypted exfiltration channels to a paste site, putting developer and CI data at risk.
Security News
November CVE publications fell 25% YoY even as 2025 totals rose, showing how a few major CNAs can swing âglobalâ counts and skew perceived risk.