Product / July 5, 2026
Hosted auth with hard edges
Why ZKAuth hosted pages are intentionally constrained: exact callbacks, bounded branding, and no arbitrary code in the authentication surface.

Mohith · 5 min read

Hosted authentication is useful because it removes a dangerous class of app code from the login path. It can also become dangerous when it tries to be a full website builder. Authentication pages should be flexible enough to feel first-party, but not so flexible that every project gets to run arbitrary code inside the most sensitive page of the product.
ZKAuth hosted pages are built with that line in mind. The project can enable or disable hosted entry points, set bounded branding, and configure where verified users are allowed to return. It cannot inject custom JavaScript into the hosted login surface, widen the Content Security Policy by accident, or redirect users to a URL that was never allowlisted.
{ "hostedPagesEnabled": true, "primaryRedirectUrl": "https://app.example.com/auth/callback", "allowedRedirectUrls": [ "https://app.example.com/auth/callback", "https://staging.example.com/auth/callback" ], "allowedBrowserOrigins": [ "https://app.example.com", "https://staging.example.com" ]}The redirect is part of the security model
A hosted auth page is only as safe as its handoff. If a verification link or hosted sign-in can bounce to any URL, the auth provider has become an open redirect with better typography. ZKAuth stores exact redirect URLs and exact browser origins per project, then validates requests against those lists before completing the flow.
That means the dashboard UI is deliberately strict: no wildcard domains, no query-string shortcuts, no path guessing. Teams can add production and staging origins, but every origin is explicit. It is less magical, and that is the point.
What hosted auth does today
- Project-hosted sign-in, sign-up, password recovery, reset, and passkey helper pages.
- Bounded logo and color branding that keeps the secure ZKAuth layout and CSP intact.
- Runtime controls for enabling hosted pages and individual hosted entry points.
- Callback and browser-origin allowlists for verification, recovery, device approval, and handoff flows.
Preview boundary
The philosophy is simple: hosted auth should reduce security work for the application, not move that work into a theme editor. The more sensitive the surface, the more boring the escape hatches should be.

Mohith
Founder, ZKAuth
July 5, 2026
Next post
API keys are environment slots, not identities