diff --git a/examples/verification-workers/src/debug-html.ts b/examples/verification-workers/src/debug-html.ts
new file mode 100644
index 0000000..8cfa281
--- /dev/null
+++ b/examples/verification-workers/src/debug-html.ts
@@ -0,0 +1,729 @@
+// Copyright 2025 Cloudflare, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { theme } from "./index-html";
+
+const directoryPath = "/.well-known/http-message-signatures-directory";
+
+function escapeAttribute(value: string): string {
+	return value.replaceAll("&", "&amp;").replaceAll('"', "&quot;");
+}
+
+function turnstileScript(siteKey: string): string {
+	return siteKey.length > 0
+		? '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>'
+		: "";
+}
+
+function turnstileWidget(siteKey: string): string {
+	return siteKey.length > 0
+		? `<div class="cf-turnstile" data-sitekey="${escapeAttribute(siteKey)}"></div>`
+		: '<p class="text-muted">Turnstile is not configured for this deployment.</p>';
+}
+
+const debugStyle = `<style>
+form {
+  padding: 1.5rem 3rem 3rem;
+  background-color: #DDE8EF;
+}
+input, select, textarea, button {
+  -webkit-appearance: none;
+  -moz-appearance: none;
+  appearance: none;
+  font-family: open sans, sans-serif;
+  font-size: 16px;
+  font-weight: 400;
+  margin-top: 1rem;
+}
+select {
+  background-color: white;
+  border: 1px solid #999;
+  box-sizing: border-box;
+  padding: 8px 10px;
+  width: 100%;
+}
+button {
+  background-color: #2F6F8F;
+  border-radius: 0;
+}
+button:hover { background-color: #255A74; }
+input[type="url"],
+textarea {
+  border: 1px solid #999;
+  box-sizing: border-box;
+  display: block;
+  font: inherit;
+  margin: 0.5rem 0 1rem;
+  max-width: 720px;
+  padding: 8px 10px;
+  width: 100%;
+}
+textarea {
+  min-height: 7rem;
+  resize: vertical;
+}
+.debug-tool {
+  margin-bottom: 3rem;
+}
+.section-heading {
+  align-items: baseline;
+  display: flex;
+  gap: 0.6rem;
+}
+.section-link {
+  opacity: 0;
+  text-decoration: none;
+}
+.debug-tool:hover .section-link,
+.section-link:focus {
+  opacity: 1;
+}
+.header-grid {
+  display: grid;
+  grid-template-columns: 16rem minmax(0, 1fr);
+  gap: 1rem 1.5rem;
+  align-items: start;
+}
+.header-grid .field {
+  min-width: 0;
+}
+.header-grid label {
+  font-weight: 600;
+  margin-top: 1.7rem;
+}
+.header-grid textarea {
+  margin-bottom: 0;
+}
+.header-grid input,
+.header-grid select {
+  margin-bottom: 0;
+  max-width: 720px;
+}
+.validation-result {
+  margin-top: 0.75rem;
+}
+.validation-result ul {
+  padding-left: 1.5rem;
+}
+.validation-result li {
+  margin-bottom: 0.25rem;
+}
+.validation-result pre {
+  border: 1px solid #999;
+  box-sizing: border-box;
+  margin-top: 0.75rem;
+  overflow-x: auto;
+  padding: 1rem;
+  white-space: pre-wrap;
+}
+@media (max-width: 640px) {
+  .header-grid {
+    grid-template-columns: 1fr;
+    gap: 0;
+  }
+  .header-grid label {
+    margin-top: 1rem;
+  }
+}
+</style>`;
+
+export const generateDebugHTML = (turnstileSiteKey: string) => `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+  <title>Debug HTTP Message Signatures</title>
+  ${turnstileScript(turnstileSiteKey)}
+  ${theme}
+  ${debugStyle}
+</head>
+<body>
+  <header id="top">
+    <h1>Debug HTTP Message Signatures</h1>
+    <h3>Validate key directories and inspect signature inputs.</h3>
+  </header>
+  <section>
+    <p>
+      This page collects debugging tools for Web Bot Auth implementations. Start by validating the key directory.
+    </p>
+
+    <div id="validate-directory" class="debug-tool">
+      <h2 class="section-heading">Validate key directory <a class="section-link" href="#section=validate-directory" data-section="validate-directory">#</a></h2>
+      <p>
+        Paste the full HTTPS URL for a <code>/.well-known/http-message-signatures-directory</code> endpoint to check whether it returns a usable directory.
+      </p>
+      <form id="directory-validator">
+        <label for="directory-url">Directory URL</label>
+        <input id="directory-url" name="url" type="url" placeholder="https://example.com/.well-known/http-message-signatures-directory" required />
+        <p class="text-muted">URL path must end with <code>${directoryPath}</code>.</p>
+        ${turnstileWidget(turnstileSiteKey)}
+        <button type="submit">Validate directory</button>
+        <div id="directory-validation-result" class="validation-result" aria-live="polite"></div>
+      </form>
+    </div>
+
+    <div id="get-jwk-keyid" class="debug-tool">
+      <h2 class="section-heading">Get JWK keyid <a class="section-link" href="#section=get-jwk-keyid" data-section="get-jwk-keyid">#</a></h2>
+      <p>
+        Paste a JWK to compute its RFC 7638 SHA-256 thumbprint for use as <code>keyid</code>.
+      </p>
+      <form id="key-id-calculator">
+        <label for="key-id-jwk">JWK</label>
+        <textarea id="key-id-jwk" name="jwk" placeholder='{"kty":"OKP","crv":"Ed25519","x":"..."}' required></textarea>
+        <button type="submit">Get keyid</button>
+        <div id="key-id-result" class="validation-result" aria-live="polite"></div>
+      </form>
+    </div>
+
+    <div id="verify-request-headers" class="debug-tool">
+      <h2 class="section-heading">Verify request headers <a class="section-link" href="#section=verify-request-headers" data-section="verify-request-headers">#</a></h2>
+      <p>
+        Paste the signed request target, verification JWK, and HTTP Message Signature headers here.
+      </p>
+      <form id="signature-header-validator">
+        <div class="header-grid">
+          <label for="signature-jwk">JWK</label>
+          <div class="field">
+            <textarea id="signature-jwk" name="jwk" placeholder='{"kty":"OKP","crv":"Ed25519","x":"..."}' required></textarea>
+          </div>
+
+          <label for="signature-method">Method</label>
+          <div class="field">
+            <select id="signature-method" name="method" required>
+              <option value="GET">GET</option>
+              <option value="POST">POST</option>
+              <option value="PUT">PUT</option>
+              <option value="PATCH">PATCH</option>
+              <option value="DELETE">DELETE</option>
+              <option value="HEAD">HEAD</option>
+              <option value="OPTIONS">OPTIONS</option>
+            </select>
+          </div>
+
+          <label for="signature-url">URL</label>
+          <div class="field">
+            <input id="signature-url" name="url" type="url" placeholder="https://example.com/resource" required />
+          </div>
+
+          <label for="signature-header">Signature</label>
+          <div class="field">
+            <textarea id="signature-header" name="signature" placeholder="sig1=:..." required></textarea>
+          </div>
+
+          <label for="signature-agent-header">Signature-Agent</label>
+          <div class="field">
+            <textarea id="signature-agent-header" name="signature-agent" placeholder='"https://example.com"'></textarea>
+            <p class="text-muted">Accepted forms: <code>"&lt;url&gt;"</code> or <code>&lt;label&gt;="&lt;url&gt;"</code>.</p>
+          </div>
+
+          <label for="signature-input-header">Signature-Input</label>
+          <div class="field">
+            <textarea id="signature-input-header" name="signature-input" placeholder='sig1=("@method" "@target-uri");created=...' required></textarea>
+          </div>
+        </div>
+
+        ${turnstileWidget(turnstileSiteKey)}
+
+        <button type="submit">Verify headers</button>
+        <div id="signature-header-validation-result" class="validation-result" aria-live="polite"></div>
+      </form>
+    </div>
+  </section>
+  <script>
+    const sectionLinks = Array.from(document.querySelectorAll(".section-link"));
+    const form = document.getElementById("directory-validator");
+    const result = document.getElementById("directory-validation-result");
+    const keyIDForm = document.getElementById("key-id-calculator");
+    const keyIDResult = document.getElementById("key-id-result");
+    const keyIDJWK = document.getElementById("key-id-jwk");
+    const signatureForm = document.getElementById("signature-header-validator");
+    const signatureResult = document.getElementById("signature-header-validation-result");
+    const signatureJWK = document.getElementById("signature-jwk");
+
+    const fragmentParams = () => new URLSearchParams(window.location.hash.startsWith("#") ? window.location.hash.slice(1) : window.location.hash);
+
+    const formValue = (id) => {
+      const element = document.getElementById(id);
+      return element !== null ? element.value : "";
+    };
+
+    const prefill = (id, name) => {
+      const value = fragmentParams().get(name);
+      const element = document.getElementById(id);
+      if (value !== null && element !== null) {
+        element.value = value;
+      }
+    };
+
+    prefill("directory-url", "directory-url");
+    prefill("key-id-jwk", "key-id-jwk");
+    prefill("signature-jwk", "signature-jwk");
+    if (formValue("key-id-jwk") === "") {
+      prefill("key-id-jwk", "jwk");
+    }
+    if (formValue("signature-jwk") === "") {
+      prefill("signature-jwk", "jwk");
+    }
+    prefill("signature-method", "method");
+    prefill("signature-url", "url");
+    prefill("signature-header", "signature");
+    prefill("signature-agent-header", "signature-agent");
+    prefill("signature-input-header", "signature-input");
+
+    const currentSectionURL = (section) => {
+      const params = new URLSearchParams();
+      const directoryURL = formValue("directory-url");
+      const values = [
+        ["section", section],
+        ["directory-url", directoryURL],
+        ["key-id-jwk", formValue("key-id-jwk")],
+        ["signature-jwk", formValue("signature-jwk")],
+        ["method", formValue("signature-method")],
+        ["url", formValue("signature-url")],
+        ["signature", formValue("signature-header")],
+        ["signature-agent", formValue("signature-agent-header")],
+        ["signature-input", formValue("signature-input-header")],
+      ];
+      for (const [name, value] of values) {
+        if (value !== "") {
+          params.set(name, value);
+        }
+      }
+      const url = new URL(window.location.href);
+      url.search = "";
+      url.hash = params.toString();
+      return url.toString();
+    };
+
+    const scrollToFragmentSection = () => {
+      const section = fragmentParams().get("section");
+      if (section !== null) {
+        const element = document.getElementById(section);
+        if (element !== null) {
+          element.scrollIntoView();
+        }
+      }
+    };
+
+    const updateSectionLink = (link) => {
+      const section = link.getAttribute("data-section") || "";
+      link.href = currentSectionURL(section);
+    };
+
+    for (const link of sectionLinks) {
+      link.addEventListener("pointerenter", () => updateSectionLink(link));
+      link.addEventListener("focus", () => updateSectionLink(link));
+      link.addEventListener("click", (event) => {
+        event.preventDefault();
+        updateSectionLink(link);
+        history.pushState(null, "", link.href);
+        scrollToFragmentSection();
+      });
+    }
+
+    scrollToFragmentSection();
+
+    const appendMessagesTo = (target, heading, messages) => {
+      if (messages.length === 0) {
+        return;
+      }
+      const paragraph = document.createElement("p");
+      paragraph.textContent = heading;
+      const list = document.createElement("ul");
+      for (const message of messages) {
+        const item = document.createElement("li");
+        item.textContent = message;
+        list.append(item);
+      }
+      target.append(paragraph, list);
+    };
+
+    const appendMessages = (heading, messages) => {
+      appendMessagesTo(result, heading, messages);
+    };
+
+    const directoryURLValidation = (value) => {
+      try {
+        const url = new URL(value);
+        if (!url.pathname.endsWith("${directoryPath}")) {
+          return "Directory URL path must end with ${directoryPath}";
+        }
+      } catch {
+        return "Directory URL must be valid";
+      }
+
+      return undefined;
+    };
+
+    const signatureAgentValidation = (value) => {
+      if (value.trim() === "") {
+        return undefined;
+      }
+
+      const match = value.trim().match(/^(?:[a-z*][a-z0-9_.*-]*=)?"([^"]+)"$/);
+      if (!match) {
+        return 'Signature-Agent must be "<url>" or <label>="<url>"';
+      }
+
+      try {
+        new URL(match[1]);
+      } catch {
+        return "Signature-Agent must contain a valid URL";
+      }
+
+      return undefined;
+    };
+
+    const validateKeys = async (directory) => {
+      const errors = [];
+      const warnings = [];
+      let imported = 0;
+
+      for (const [index, key] of directory.keys.entries()) {
+        if (key.kty !== "OKP" || key.crv !== "Ed25519") {
+          warnings.push("keys[" + index + "] is not an Ed25519 OKP key");
+          continue;
+        }
+        try {
+          await crypto.subtle.importKey("jwk", key, { name: "Ed25519" }, true, ["verify"]);
+          imported += 1;
+        } catch {
+          errors.push("keys[" + index + "] could not be imported as Ed25519");
+        }
+      }
+
+      if (imported === 0) {
+        errors.push("Directory does not contain an importable Ed25519 key");
+      }
+
+      return { errors, warnings };
+    };
+
+    const validateDirectory = (directory) => {
+      const errors = [];
+      if (directory === null || typeof directory !== "object") {
+        return { errors: ["Directory must be a JSON object"], warnings: [] };
+      }
+
+      if (!Array.isArray(directory.keys)) {
+        errors.push("Directory must include a keys array");
+      } else if (directory.keys.length === 0) {
+        errors.push("Directory keys array must not be empty");
+      } else {
+        for (const [index, key] of directory.keys.entries()) {
+          if (key === null || typeof key !== "object") {
+            errors.push("keys[" + index + "] must be a JSON object");
+          }
+        }
+      }
+
+      if (directory.purpose !== undefined && typeof directory.purpose !== "string") {
+        errors.push("Directory purpose must be a string when present");
+      }
+
+      return { errors, warnings: [] };
+    };
+
+    const appendDirectory = (directory) => {
+      const heading = document.createElement("p");
+      heading.textContent = "Fetched directory";
+      const output = document.createElement("pre");
+      output.textContent = JSON.stringify(directory, null, 2);
+      result.append(heading, output);
+    };
+
+    const firstDirectoryKey = (directory) => {
+      if (directory === null || typeof directory !== "object" || !Array.isArray(directory.keys) || directory.keys.length === 0) {
+        return undefined;
+      }
+      const key = directory.keys[0];
+      return key !== null && typeof key === "object" ? key : undefined;
+    };
+
+    const fillJWK = (jwk) => {
+      const value = JSON.stringify(jwk, null, 2);
+      keyIDJWK.value = value;
+      signatureJWK.value = value;
+    };
+
+    const parseJWK = (value) => {
+      let jwk;
+      try {
+        jwk = JSON.parse(value);
+      } catch {
+        throw new Error("JWK must be valid JSON");
+      }
+      if (jwk === null || typeof jwk !== "object" || Array.isArray(jwk)) {
+        throw new Error("JWK must be a JSON object");
+      }
+      return jwk;
+    };
+
+    const jwkThumbprintInput = (jwk) => {
+      switch (jwk.kty) {
+        case "EC":
+          return { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
+        case "OKP":
+          return { crv: jwk.crv, kty: jwk.kty, x: jwk.x };
+        case "RSA":
+          return { e: jwk.e, kty: jwk.kty, n: jwk.n };
+        default:
+          throw new Error("Unsupported JWK kty");
+      }
+    };
+
+    const bytesToBase64URL = (bytes) => {
+      let binary = "";
+      for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+      }
+      return btoa(binary).replaceAll("+", "-").replaceAll("/", "_").replaceAll("=", "");
+    };
+
+    const computeJWKKeyID = async (jwk) => {
+      const input = JSON.stringify(jwkThumbprintInput(jwk));
+      const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(input));
+      return bytesToBase64URL(new Uint8Array(digest));
+    };
+
+    const base64ToBytes = (value) => {
+      const decoded = atob(value);
+      const bytes = new Uint8Array(decoded.length);
+      for (let index = 0; index < decoded.length; index += 1) {
+        bytes[index] = decoded.charCodeAt(index);
+      }
+      return bytes;
+    };
+
+    const parseSignatureHeader = (key, header) => {
+      const match = header.match(/^([\\w-]+)=:([A-Za-z0-9+/=]+):$/);
+      if (!match) {
+        throw new Error("Invalid Signature header");
+      }
+      if (match[1] !== key) {
+        throw new Error("Signature label does not match Signature-Input label");
+      }
+      return base64ToBytes(match[2]);
+    };
+
+    const parseSignatureInputHeader = (header) => {
+      const match = header.match(/^([\\w-]+)=\\(([^)]*)\\)(.*)$/);
+      if (!match) {
+        throw new Error("Invalid Signature-Input header");
+      }
+
+      const components = [];
+      for (const component of match[2].matchAll(/"([^"]+)"/g)) {
+        components.push(component[1].toLowerCase());
+      }
+      if (components.length === 0) {
+        throw new Error("Signature-Input must contain at least one component");
+      }
+
+      const params = {};
+      for (const parameter of match[3].matchAll(/;([^=]+)=("[^"]*"|[^;]+)/g)) {
+        const name = parameter[1];
+        const rawValue = parameter[2];
+        const value = rawValue.startsWith('"') ? rawValue.slice(1, -1) : rawValue;
+        params[name] = name === "created" || name === "expires" ? Number.parseInt(value, 10) : value;
+      }
+
+      return { key: match[1], components, params, input: header.replace(/^[^=]+=/, "") };
+    };
+
+    const componentValue = (component, request, headers) => {
+      switch (component) {
+        case "@method":
+          return request.method.toUpperCase();
+        case "@target-uri":
+          return request.url.toString();
+        case "@authority": {
+          const port = request.url.port;
+          const includePort = port !== "" && port !== "80" && port !== "443";
+          return request.url.hostname + (includePort ? ":" + port : "");
+        }
+        case "@scheme":
+          return request.url.protocol.slice(0, -1);
+        case "@request-target":
+          return request.url.pathname + request.url.search;
+        case "@path":
+          return request.url.pathname;
+        case "@query":
+          return request.url.search;
+        default:
+          return headers[component] || "";
+      }
+    };
+
+    const buildSignedData = (parsed, request, headers) => {
+      const parts = parsed.components.map((component) => '"' + component + '": ' + componentValue(component, request, headers));
+      parts.push('"@signature-params": ' + parsed.input);
+      return parts.join("\\n");
+    };
+
+    const validateWebBotAuthParams = (params) => {
+      const warnings = [];
+      if (params.tag !== "web-bot-auth") {
+        throw new Error("tag must be 'web-bot-auth'");
+      }
+      if (!params.keyid) {
+        throw new Error("keyid MUST be defined");
+      }
+      const now = Date.now() / 1000;
+      if (typeof params.created === "number" && params.created > now) {
+        throw new Error("created in the future");
+      }
+      if (typeof params.expires === "number" && params.expires < now) {
+        warnings.push("signature has expired");
+      }
+      return warnings;
+    };
+
+    const verifySignatureLocally = async (data) => {
+      const signatureAgentError = signatureAgentValidation(data.get("signature-agent") || "");
+      if (signatureAgentError !== undefined) {
+        throw new Error(signatureAgentError);
+      }
+
+      const key = parseJWK(data.get("jwk"));
+      const keyID = await computeJWKKeyID(key);
+
+      const parsed = parseSignatureInputHeader(data.get("signature-input"));
+      const warnings = validateWebBotAuthParams(parsed.params);
+      if (parsed.params.keyid !== keyID) {
+        throw new Error("JWK keyid does not match Signature-Input keyid");
+      }
+
+      const url = new URL(data.get("url"));
+      const headers = {
+        "signature": data.get("signature"),
+        "signature-agent": data.get("signature-agent") || "",
+        "signature-input": data.get("signature-input"),
+      };
+      const request = { method: data.get("method"), url };
+      const signedData = buildSignedData(parsed, request, headers);
+      const signature = parseSignatureHeader(parsed.key, data.get("signature"));
+      const cryptoKey = await crypto.subtle.importKey("jwk", key, { name: "Ed25519" }, true, ["verify"]);
+      const valid = await crypto.subtle.verify({ name: "Ed25519" }, cryptoKey, signature, new TextEncoder().encode(signedData));
+      return { valid, warnings };
+    };
+
+    keyIDForm.addEventListener("submit", async (event) => {
+      event.preventDefault();
+      keyIDResult.textContent = "Computing keyid...";
+
+      try {
+        const jwk = parseJWK(new FormData(keyIDForm).get("jwk"));
+        const keyID = await computeJWKKeyID(jwk);
+        keyIDResult.textContent = keyID;
+        signatureJWK.value = JSON.stringify(jwk, null, 2);
+      } catch (error) {
+        keyIDResult.textContent = "Keyid calculation failed: " + (error instanceof Error ? error.message : String(error));
+      }
+    });
+
+    signatureForm.addEventListener("submit", async (event) => {
+      event.preventDefault();
+      const data = new FormData(signatureForm);
+      signatureResult.textContent = "Verifying signature...";
+
+      try {
+        const verification = await verifySignatureLocally(data);
+        signatureResult.replaceChildren();
+        const message = document.createElement("p");
+        if (verification.valid) {
+          message.textContent = "Signature is valid.";
+          signatureResult.append(message);
+          appendMessagesTo(signatureResult, "Warnings", verification.warnings);
+        } else {
+          message.textContent = "Signature check failed: invalid signature";
+          signatureResult.append(message);
+        }
+      } catch (error) {
+        signatureResult.textContent = "Signature check failed: " + (error instanceof Error ? error.message : String(error));
+      } finally {
+        if (window.turnstile) {
+          window.turnstile.reset("#signature-header-validator .cf-turnstile");
+        }
+      }
+    });
+
+    form.addEventListener("submit", async (event) => {
+      event.preventDefault();
+      const data = new FormData(form);
+      const directoryURL = data.get("url");
+      result.textContent = "Checking directory...";
+
+      const directoryError = directoryURLValidation(directoryURL);
+      if (directoryError !== undefined) {
+        result.replaceChildren();
+        appendMessages("Directory check failed", [directoryError]);
+        return;
+      }
+
+      try {
+        const response = await fetch("/v0/api/proxy-directory", { method: "POST", body: data });
+        const errors = [];
+        const warnings = [];
+        let directory;
+
+        if (!response.ok) {
+          const body = await response.json();
+          errors.push(body.error || "Directory fetch failed");
+        } else {
+          const contentType = response.headers.get("Content-Type");
+          const mediaType = contentType ? contentType.split(";", 1)[0].trim().toLowerCase() : "";
+          if (mediaType !== "application/http-message-signatures-directory+json" && mediaType !== "application/json") {
+            warnings.push("Directory returned unexpected Content-Type " + (contentType || "none"));
+          }
+
+          directory = await response.json();
+          const shapeValidation = validateDirectory(directory);
+          errors.push(...shapeValidation.errors);
+          warnings.push(...shapeValidation.warnings);
+
+          if (errors.length === 0) {
+            const keyValidation = await validateKeys(directory);
+            errors.push(...keyValidation.errors);
+            warnings.push(...keyValidation.warnings);
+          }
+        }
+
+        result.replaceChildren();
+        if (errors.length === 0) {
+          const paragraph = document.createElement("p");
+          paragraph.textContent = "Directory looks valid.";
+          result.append(paragraph);
+        } else {
+          appendMessages("Directory check failed", errors);
+        }
+        appendMessages("Warnings", warnings);
+        if (typeof directory !== "undefined") {
+          appendDirectory(directory);
+          const key = firstDirectoryKey(directory);
+          if (key !== undefined) {
+            fillJWK(key);
+          }
+        }
+      } catch {
+        result.textContent = "Directory check failed.";
+      } finally {
+        if (window.turnstile) {
+          window.turnstile.reset("#directory-validator .cf-turnstile");
+        }
+      }
+    });
+  </script>
+</body>
+</html>`;
diff --git a/examples/verification-workers/src/html.ts b/examples/verification-workers/src/index-html.ts
similarity index 98%
rename from examples/verification-workers/src/html.ts
rename to examples/verification-workers/src/index-html.ts
index 7d2e850..7e55316 100644
--- a/examples/verification-workers/src/html.ts
+++ b/examples/verification-workers/src/index-html.ts
@@ -12,13 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-const generateHTML = (status?: boolean) => `<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-  <title>Identify Bots with HTTP Message Signatures</title>
-  <style>* {
+export const theme = `<style>* {
   margin: 0;
   padding: 0;
   border: none;
@@ -205,7 +199,15 @@ footer {
   font-size: 13px;
   color: #888;
 }
-</style>
+</style>`;
+
+const generateHTML = (status?: boolean) => `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+  <title>Identify Bots with HTTP Message Signatures</title>
+  ${theme}
 </head>
 <body>
   <header id="top" ${status !== undefined ? `class="${status ? "success" : "failure"}"` : ""}>
@@ -275,7 +277,7 @@ footer {
 
     <h2>It's hard to debug. How can this website help?</h2>
     <p>
-    This website expose an endpoint dropping incoming request headers on <a>/debug</a>
+      Use the <a href="/debug">debug page</a> to validate key directories and signature headers.
     </p>
 
     <h2>I have comments and want to contribute. Where do I go?</h2>
diff --git a/examples/verification-workers/src/index.ts b/examples/verification-workers/src/index.ts
index 1e683b0..37a7793 100644
--- a/examples/verification-workers/src/index.ts
+++ b/examples/verification-workers/src/index.ts
@@ -24,10 +24,16 @@ import {
 	signatureHeaders,
 	verify,
 } from "web-bot-auth";
-import { invalidHTML, neutralHTML, validHTML } from "./html";
+import { generateDebugHTML } from "./debug-html";
+import { invalidHTML, neutralHTML, validHTML } from "./index-html";
+import { proxyDirectoryRequest } from "./proxy-directory";
 import jwk from "../../rfc9421-keys/ed25519.json" assert { type: "json" };
 import { Ed25519Signer } from "web-bot-auth/crypto";
 
+function errorMessage(error: unknown): string {
+	return error instanceof Error ? error.message : String(error);
+}
+
 async function getExampleDirectory(): Promise<Directory> {
 	const key = {
 		kid: await jwkToKeyID(
@@ -51,7 +57,7 @@ async function fetchDirectory(signatureAgent: string): Promise<Directory> {
 	let parsed: string;
 	try {
 		parsed = JSON.parse(signatureAgent);
-	} catch (_e) {
+	} catch {
 		const e = new Error(
 			`Failed to validate Signature-Agent header: ${signatureAgent}`
 		);
@@ -99,6 +105,7 @@ function verifyEd25519(
 	params: VerificationParams
 ) => Promise<void> {
 	return async (data, signature, _params) => {
+		void _params;
 		const key = await crypto.subtle.importKey(
 			"jwk",
 			directory.keys[0],
@@ -146,13 +153,13 @@ async function verifySignature(
 			directory = await getExampleDirectory();
 		}
 	} catch (e) {
-		return SignatureValidationStatus.INVALID((e as Error).message);
+		return SignatureValidationStatus.INVALID(errorMessage(e));
 	}
 
 	try {
 		await verify(request, verifyEd25519(directory));
 	} catch (e) {
-		return SignatureValidationStatus.INVALID((e as Error).message);
+		return SignatureValidationStatus.INVALID(errorMessage(e));
 	}
 
 	console.log("Signature verified successfully");
@@ -165,14 +172,13 @@ async function verifySignature(
 
 export default {
 	async fetch(request, env, ctx): Promise<Response> {
+		void ctx;
 		const url = new URL(request.url);
 
 		if (url.pathname.startsWith("/debug")) {
-			return new Response(
-				[...request.headers]
-					.map(([key, value]) => `${key}: ${value}`)
-					.join("\n")
-			);
+			return new Response(generateDebugHTML(env.TURNSTILE_SITE_KEY ?? ""), {
+				headers: { "content-type": "text/html; charset=utf-8" },
+			});
 		}
 
 		if (url.pathname.startsWith("/v0/api/verify")) {
@@ -180,20 +186,26 @@ export default {
 			return new Response(status);
 		}
 
+		if (url.pathname === "/v0/api/proxy-directory") {
+			return proxyDirectoryRequest(request, env);
+		}
+
 		if (url.pathname.startsWith(HTTP_MESSAGE_SIGNATURES_DIRECTORY)) {
 			const directory = await getExampleDirectory();
+			const response = new Response(JSON.stringify(directory), {
+				headers: {
+					"content-type": MediaType.HTTP_MESSAGE_SIGNATURES_DIRECTORY,
+				},
+			});
 
 			const signedHeaders = await directoryResponseHeaders(
-				request,
+				{ request, response },
 				[await getSigner()],
 				{ created: new Date(), expires: new Date(Date.now() + 300_000) }
 			);
-			return new Response(JSON.stringify(directory), {
-				headers: {
-					...signedHeaders,
-					"content-type": MediaType.HTTP_MESSAGE_SIGNATURES_DIRECTORY,
-				},
-			});
+			response.headers.set("Signature", signedHeaders.Signature);
+			response.headers.set("Signature-Input", signedHeaders["Signature-Input"]);
+			return response;
 		}
 
 		const status = await verifySignature(env, request);
@@ -214,6 +226,7 @@ export default {
 	},
 	// On a schedule, send a web-bot-auth signed request to a target endpoint
 	async scheduled(ctx, env, ectx) {
+		void ectx;
 		const headers = { "Signature-Agent": JSON.stringify(env.SIGNATURE_AGENT) };
 		const request = new Request(env.TARGET_URL, { headers });
 		const created = new Date(ctx.scheduledTime);
diff --git a/examples/verification-workers/src/proxy-directory.ts b/examples/verification-workers/src/proxy-directory.ts
new file mode 100644
index 0000000..eb929de
--- /dev/null
+++ b/examples/verification-workers/src/proxy-directory.ts
@@ -0,0 +1,203 @@
+// Copyright 2025 Cloudflare, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import { HTTP_MESSAGE_SIGNATURES_DIRECTORY } from "web-bot-auth";
+
+const DIRECTORY_FETCH_TIMEOUT_MS = 5_000;
+const DIRECTORY_RESPONSE_MAX_BYTES = 64_000;
+const TURNSTILE_VERIFY_URL =
+	"https://challenges.cloudflare.com/turnstile/v0/siteverify";
+
+function getProperty(value: unknown, name: string): unknown {
+	if (value === null || typeof value !== "object") {
+		return undefined;
+	}
+	for (const [key, property] of Object.entries(value)) {
+		if (key === name) {
+			return property;
+		}
+	}
+	return undefined;
+}
+
+function errorResponse(error: string, status = 400): Response {
+	return Response.json({ error }, { status });
+}
+
+function getStringFormValue(
+	formData: FormData,
+	name: string
+): string | undefined {
+	const value = formData.get(name);
+	return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+
+async function validateTurnstile(
+	env: Env,
+	token: string,
+	remoteIP: string | null
+): Promise<boolean> {
+	const formData = new FormData();
+	formData.append("secret", env.TURNSTILE_SECRET_KEY);
+	formData.append("response", token);
+	if (remoteIP !== null) {
+		formData.append("remoteip", remoteIP);
+	}
+
+	let response: Response;
+	try {
+		response = await fetch(TURNSTILE_VERIFY_URL, {
+			body: formData,
+			method: "POST",
+		});
+	} catch {
+		return false;
+	}
+
+	if (!response.ok) {
+		return false;
+	}
+
+	try {
+		const body: unknown = await response.json();
+		return getProperty(body, "success") === true;
+	} catch {
+		return false;
+	}
+}
+
+function validateDirectoryURL(url: string): URL | string {
+	let parsed: URL;
+	try {
+		parsed = new URL(url);
+	} catch {
+		return "URL must be valid";
+	}
+
+	if (parsed.protocol !== "https:") {
+		return 'Directory URL must use "https:"';
+	}
+	if (parsed.username !== "" || parsed.password !== "") {
+		return "Directory URL must not include credentials";
+	}
+	if (parsed.port !== "") {
+		return "Directory URL must not use a custom port";
+	}
+	if (!parsed.pathname.endsWith(HTTP_MESSAGE_SIGNATURES_DIRECTORY)) {
+		return `Directory URL path must end with ${HTTP_MESSAGE_SIGNATURES_DIRECTORY}`;
+	}
+
+	return parsed;
+}
+
+async function readTextWithLimit(
+	response: Response,
+	byteLimit: number
+): Promise<string> {
+	if (response.body === null) {
+		return "";
+	}
+
+	const reader = response.body.getReader();
+	const decoder = new TextDecoder();
+	let bytesRead = 0;
+	let text = "";
+
+	while (true) {
+		const result = await reader.read();
+		if (result.done) {
+			return text + decoder.decode();
+		}
+
+		bytesRead += result.value.byteLength;
+		if (bytesRead > byteLimit) {
+			await reader.cancel();
+			throw new Error("Directory response is too large");
+		}
+		text += decoder.decode(result.value, { stream: true });
+	}
+}
+
+export async function proxyDirectoryRequest(
+	request: Request,
+	env: Env
+): Promise<Response> {
+	if (request.method !== "POST") {
+		return errorResponse("Method not allowed", 405);
+	}
+
+	const origin = request.headers.get("Origin");
+	if (origin !== new URL(request.url).origin) {
+		return errorResponse("Bad request");
+	}
+
+	let formData: FormData;
+	try {
+		formData = await request.formData();
+	} catch {
+		return errorResponse("Request body must be form data");
+	}
+
+	const url = getStringFormValue(formData, "url");
+	const turnstileToken = getStringFormValue(formData, "cf-turnstile-response");
+	if (url === undefined || url.length === 0) {
+		return errorResponse("Missing url");
+	}
+	if (turnstileToken === undefined || turnstileToken.length === 0) {
+		return errorResponse("Missing Turnstile token");
+	}
+
+	const parsed = validateDirectoryURL(url);
+	if (typeof parsed === "string") {
+		return errorResponse(parsed);
+	}
+
+	const turnstileOK = await validateTurnstile(
+		env,
+		turnstileToken,
+		request.headers.get("CF-Connecting-IP")
+	);
+	if (!turnstileOK) {
+		return errorResponse("Turnstile verification failed", 403);
+	}
+
+	let response: Response;
+	try {
+		response = await fetch(parsed.toString(), {
+			redirect: "manual",
+			signal: AbortSignal.timeout(DIRECTORY_FETCH_TIMEOUT_MS),
+		});
+	} catch {
+		return errorResponse("Directory fetch failed", 502);
+	}
+
+	if (!response.ok) {
+		return errorResponse(`Directory returned HTTP ${response.status}`, 502);
+	}
+
+	let text: string;
+	try {
+		text = await readTextWithLimit(response, DIRECTORY_RESPONSE_MAX_BYTES);
+	} catch {
+		return errorResponse("Directory response is too large", 502);
+	}
+
+	return new Response(text, {
+		headers: {
+			"Access-Control-Allow-Origin": origin,
+			"Content-Type":
+				response.headers.get("Content-Type") ?? "application/json",
+		},
+	});
+}
diff --git a/examples/verification-workers/test/index.spec.ts b/examples/verification-workers/test/index.spec.ts
index 2e1950b..f4fbb63 100644
--- a/examples/verification-workers/test/index.spec.ts
+++ b/examples/verification-workers/test/index.spec.ts
@@ -19,7 +19,7 @@ import {
 	waitOnExecutionContext,
 	SELF,
 } from "cloudflare:test";
-import { describe, it, expect } from "vitest";
+import { afterEach, describe, it, expect, vi } from "vitest";
 import worker from "../src/index";
 
 // For now, you'll need to do something like this to get a correctly-typed
@@ -27,6 +27,49 @@ import worker from "../src/index";
 const IncomingRequest = Request<unknown, IncomingRequestCfProperties>;
 
 const sampleURL = "https://example.com";
+const proxyURL = `${sampleURL}/v0/api/proxy-directory`;
+const directoryURL = `${sampleURL}/.well-known/http-message-signatures-directory`;
+const turnstileVerifyURL =
+	"https://challenges.cloudflare.com/turnstile/v0/siteverify";
+
+const validatorHeaders = {
+	"CF-Connecting-IP": "192.0.2.1",
+	Origin: sampleURL,
+};
+
+function validatorRequest(body: Record<string, string>): Request {
+	const formData = new FormData();
+	for (const [name, value] of Object.entries(body)) {
+		formData.append(name, value);
+	}
+	return new IncomingRequest(proxyURL, {
+		body: formData,
+		headers: validatorHeaders,
+		method: "POST",
+	});
+}
+
+function mockedFetch(targetResponse: Response): ReturnType<typeof vi.fn> {
+	return vi.fn((input: RequestInfo | URL) => {
+		const url = input instanceof Request ? input.url : input.toString();
+		if (url === turnstileVerifyURL) {
+			return Promise.resolve(Response.json({ success: true }));
+		}
+		return Promise.resolve(targetResponse.clone());
+	});
+}
+
+async function fetchValidator(body: Record<string, string>): Promise<Response> {
+	const ctx = createExecutionContext();
+	const response = await worker.fetch(validatorRequest(body), env, ctx);
+	await waitOnExecutionContext(ctx);
+	return response;
+}
+
+afterEach(() => {
+	vi.unstubAllGlobals();
+	vi.restoreAllMocks();
+});
 
 describe("/ endpoint", () => {
 	it("responds with HTTP 200", async () => {
@@ -36,16 +79,295 @@ describe("/ endpoint", () => {
 		await waitOnExecutionContext(ctx);
 		expect(response.status).toEqual(200);
 	});
+
+	it("does not render the directory validator", async () => {
+		const request = new IncomingRequest(sampleURL);
+		const ctx = createExecutionContext();
+		const response = await worker.fetch(request, env, ctx);
+		await waitOnExecutionContext(ctx);
+
+		expect(await response.text()).not.toContain("directory-validator");
+	});
 });
 
 describe("/debug endpoint", () => {
-	it("responds with request headers", async () => {
-		const headers = { test: "this is a test header" };
-		const request = new Request(`${sampleURL}/debug`, { headers });
+	it("responds with HTML", async () => {
+		const request = new Request(`${sampleURL}/debug`);
 		const response = await SELF.fetch(request);
-		const headersString = Object.entries(headers)
-			.map(([k, v]) => `${k}: ${v}`)
-			.join("\n");
-		expect(await response.text()).toMatch(headersString);
+
+		expect(response.status).toEqual(200);
+		expect(response.headers.get("content-type")).toContain("text/html");
+	});
+
+	it("renders directory validation tools", async () => {
+		const request = new Request(`${sampleURL}/debug`);
+		const response = await SELF.fetch(request);
+		const body = await response.text();
+
+		expect(body).toContain("directory-validator");
+		expect(body).toContain("Validate key directory");
+		expect(body).toContain(
+			"URL path must end with <code>/.well-known/http-message-signatures-directory</code>"
+		);
+		expect(body).toContain("Fetched directory");
+		expect(body).toContain("fillJWK(key)");
+		expect(body).not.toContain('data-sitekey=""');
+	});
+
+	it("renders section fragment tooling", async () => {
+		const request = new Request(`${sampleURL}/debug`);
+		const response = await SELF.fetch(request);
+		const body = await response.text();
+
+		expect(body).toContain("section-link");
+		expect(body).toContain('data-section="validate-directory"');
+		expect(body).toContain('data-section="get-jwk-keyid"');
+		expect(body).toContain('data-section="verify-request-headers"');
+		expect(body).toContain("fragmentParams");
+		expect(body).toContain('prefill("key-id-jwk", "key-id-jwk")');
+		expect(body).toContain('prefill("signature-jwk", "signature-jwk")');
+		expect(body).toContain('prefill("key-id-jwk", "jwk")');
+		expect(body).toContain('prefill("signature-jwk", "jwk")');
+		expect(body).toContain('["section", section]');
+		expect(body).toContain('["key-id-jwk", formValue("key-id-jwk")]');
+		expect(body).toContain('["signature-jwk", formValue("signature-jwk")]');
+		expect(body).toContain("currentSectionURL");
+		expect(body).toContain("updateSectionLink");
+		expect(body).toContain('link.addEventListener("pointerenter"');
+		expect(body).toContain('link.addEventListener("focus"');
+		expect(body).toContain("url.hash = params.toString()");
+		expect(body).toContain("history.pushState");
+	});
+
+	it("renders JWK keyid tools", async () => {
+		const request = new Request(`${sampleURL}/debug`);
+		const response = await SELF.fetch(request);
+		const body = await response.text();
+
+		expect(body).toContain("Get JWK keyid");
+		expect(body).toContain("key-id-calculator");
+		expect(body).toContain("computeJWKKeyID");
+		expect(body).toContain("signatureJWK.value");
+	});
+
+	it("renders signature header placeholders", async () => {
+		const request = new Request(`${sampleURL}/debug`);
+		const response = await SELF.fetch(request);
+		const body = await response.text();
+
+		expect(body).toContain("Verify request headers");
+		expect(body).toContain("signature-jwk");
+		expect(body).not.toContain("signature-directory-url");
+		expect(body).toContain("Method");
+		expect(body).toContain("URL");
+		expect(body).toContain("Signature");
+		expect(body).toContain("Signature-Agent");
+		expect(body).toContain("Signature-Input");
+		expect(body).toContain("Accepted forms:");
+		expect(body).toContain(
+			'Signature-Agent must be "<url>" or <label>="<url>"'
+		);
+		expect(body).toContain('parts.join("\\n")');
+		expect(body).toContain('warnings.push("signature has expired")');
+		expect(body).toContain(
+			'appendMessagesTo(signatureResult, "Warnings", verification.warnings)'
+		);
+	});
+});
+
+describe("/.well-known/http-message-signatures-directory endpoint", () => {
+	it("responds with a signed directory", async () => {
+		const request = new IncomingRequest(directoryURL);
+		const ctx = createExecutionContext();
+		const response = await worker.fetch(request, env, ctx);
+		await waitOnExecutionContext(ctx);
+
+		expect(response.status).toEqual(200);
+		expect(response.headers.get("content-type")).toContain(
+			"application/http-message-signatures-directory+json"
+		);
+		expect(response.headers.get("Signature")).toBeTruthy();
+		expect(response.headers.get("Signature-Input")).toBeTruthy();
+		expect(await response.json()).toMatchObject({ purpose: "rag" });
+	});
+});
+
+describe("/v0/api/proxy-directory endpoint", () => {
+	it("rejects non-POST requests", async () => {
+		const request = new IncomingRequest(proxyURL, {
+			headers: validatorHeaders,
+		});
+		const ctx = createExecutionContext();
+		const response = await worker.fetch(request, env, ctx);
+		await waitOnExecutionContext(ctx);
+
+		expect(response.status).toEqual(405);
+		expect(await response.json()).toEqual({
+			error: "Method not allowed",
+		});
+	});
+
+	it("requires same-origin requests", async () => {
+		const fetch = vi.fn();
+		vi.stubGlobal("fetch", fetch);
+		const request = validatorRequest({
+			url: directoryURL,
+			"cf-turnstile-response": "token",
+		});
+		request.headers.set("Origin", "https://attacker.example");
+		const ctx = createExecutionContext();
+		const response = await worker.fetch(request, env, ctx);
+		await waitOnExecutionContext(ctx);
+
+		expect(response.status).toEqual(400);
+		expect(fetch).not.toHaveBeenCalled();
+		expect(await response.json()).toEqual({ error: "Bad request" });
+	});
+
+	it("requires a Turnstile token", async () => {
+		const response = await fetchValidator({ url: directoryURL });
+
+		expect(response.status).toEqual(400);
+		expect(await response.json()).toEqual({
+			error: "Missing Turnstile token",
+		});
+	});
+
+	it("rejects failed Turnstile verification", async () => {
+		vi.stubGlobal(
+			"fetch",
+			vi.fn(() => Promise.resolve(Response.json({ success: false })))
+		);
+
+		const response = await fetchValidator({
+			url: directoryURL,
+			"cf-turnstile-response": "token",
+		});
+
+		expect(response.status).toEqual(403);
+		expect(await response.json()).toEqual({
+			error: "Turnstile verification failed",
+		});
+	});
+
+	it("rejects custom target ports", async () => {
+		const fetch = vi.fn();
+		vi.stubGlobal("fetch", fetch);
+
+		const response = await fetchValidator({
+			url: "https://example.com:8443/.well-known/http-message-signatures-directory",
+			"cf-turnstile-response": "token",
+		});
+
+		expect(response.status).toEqual(400);
+		expect(fetch).not.toHaveBeenCalled();
+		expect(await response.json()).toEqual({
+			error: "Directory URL must not use a custom port",
+		});
+	});
+
+	it("rejects target paths outside the directory endpoint", async () => {
+		const fetch = vi.fn();
+		vi.stubGlobal("fetch", fetch);
+
+		const response = await fetchValidator({
+			url: "https://example.com/.well-known/other",
+			"cf-turnstile-response": "token",
+		});
+
+		expect(response.status).toEqual(400);
+		expect(fetch).not.toHaveBeenCalled();
+		expect(await response.json()).toEqual({
+			error:
+				"Directory URL path must end with /.well-known/http-message-signatures-directory",
+		});
+	});
+
+	it("reports target fetch failures", async () => {
+		vi.stubGlobal(
+			"fetch",
+			vi.fn((input: RequestInfo | URL) => {
+				const url = input instanceof Request ? input.url : input.toString();
+				if (url === turnstileVerifyURL) {
+					return Promise.resolve(Response.json({ success: true }));
+				}
+				return Promise.reject(new Error("network failed"));
+			})
+		);
+
+		const response = await fetchValidator({
+			url: directoryURL,
+			"cf-turnstile-response": "token",
+		});
+
+		expect(response.status).toEqual(502);
+		expect(await response.json()).toEqual({
+			error: "Directory fetch failed",
+		});
+	});
+
+	it("does not follow target redirects", async () => {
+		const fetch = mockedFetch(
+			new Response(null, {
+				headers: { Location: "https://example.com:8443/anything" },
+				status: 302,
+			})
+		);
+		vi.stubGlobal("fetch", fetch);
+
+		const response = await fetchValidator({
+			url: directoryURL,
+			"cf-turnstile-response": "token",
+		});
+
+		expect(response.status).toEqual(502);
+		expect(fetch).toHaveBeenLastCalledWith(directoryURL, {
+			redirect: "manual",
+			signal: expect.any(AbortSignal),
+		});
+		expect(await response.json()).toEqual({
+			error: "Directory returned HTTP 302",
+		});
+	});
+
+	it("rejects oversized directory responses", async () => {
+		vi.stubGlobal("fetch", mockedFetch(new Response("x".repeat(64_001))));
+
+		const response = await fetchValidator({
+			url: directoryURL,
+			"cf-turnstile-response": "token",
+		});
+
+		expect(response.status).toEqual(502);
+		expect(await response.json()).toEqual({
+			error: "Directory response is too large",
+		});
+	});
+
+	it("proxies a directory response", async () => {
+		const directory = {
+			keys: [{}],
+			purpose: "",
+		};
+		vi.stubGlobal(
+			"fetch",
+			mockedFetch(
+				new Response(JSON.stringify(directory), {
+					headers: { "Content-Type": "text/plain" },
+				})
+			)
+		);
+
+		const response = await fetchValidator({
+			url: directoryURL,
+			"cf-turnstile-response": "token",
+		});
+
+		expect(response.status).toEqual(200);
+		expect(response.headers.get("Access-Control-Allow-Origin")).toEqual(
+			sampleURL
+		);
+		expect(response.headers.get("Content-Type")).toEqual("text/plain");
+		expect(await response.json()).toEqual(directory);
 	});
 });
diff --git a/examples/verification-workers/worker-configuration.d.ts b/examples/verification-workers/worker-configuration.d.ts
index 585c1b9..6ddc697 100644
--- a/examples/verification-workers/worker-configuration.d.ts
+++ b/examples/verification-workers/worker-configuration.d.ts
@@ -5,6 +5,8 @@ declare namespace Cloudflare {
 	interface Env {
 		SIGNATURE_AGENT: "http-message-signatures-example.research.cloudflare.com";
 		TARGET_URL: "https://http-message-signatures-example.research.cloudflare.com/debug";
+		TURNSTILE_SECRET_KEY: string;
+		TURNSTILE_SITE_KEY: string;
 	}
 }
 interface Env extends Cloudflare.Env {}
