Documentation

AI handoff brief

Safe markdown for Cursor, Claude, ChatGPT, and code reviews.

Authentication that never sees the password.

ZKAuth adds zero-knowledge password proofs, OPAQUE, and passkeys to your app over a single HTTPS API. You get tenant-bound keys, replay protection, and audit logs; your users’ secrets never leave their device.

Early access: zkauth-client v1.4.16

ZKAuth and zkauth-client are in active development. The stable contract is the HTTPS API plus your generated keys. Pin a client version and check release notes before upgrading.

Three ways to authenticate

Every method shares the same principle: the server verifies that a user knows their secret without ever receiving it. Pick one, or offer several.

ZK password proofs

The password is turned into a zero-knowledge proof on the client and verified server-side with a Groth16 verifier. The raw password is never sent.

OPAQUE

A password-authenticated key exchange (PAKE). The server stores an opaque credential it can never use to learn the password.

WebAuthn passkeys

Hardware- and platform-backed passkeys through the dashboard proxy, so your project key stays out of frontend code.

A login in a few lines

Install zkauth-client, point it at your project key, and the proof handshake happens for you:

auth.ts

```ts
import { ZKAuthSDK } from 'zkauth-client'

const zkauth = new ZKAuthSDK({
  // a test key is scoped to one project and safe to rotate
  apiKey: process.env.ZKAUTH_API_KEY, // zka_test_... or zka_live_...
})

const deviceInfo = { deviceName: 'Chrome on Mac', deviceType: 'desktop' }

// The password comes from your login form; it is only ever used on the client
const password = getPasswordFromForm()

// Register: the password becomes a commitment on the device
await zkauth.register({ email: 'ada@example.com', password, deviceInfo })

// Log in: the server verifies a proof, never the password
const res = await zkauth.login({ email: 'ada@example.com', password, deviceInfo })
console.log(res.data.user.id)
```

Prefer no dependency? Every operation is a plain HTTPS call. See the API reference.

AI and developer handoff

Use the copy bar above when you want another engineer, Cursor, Claude, ChatGPT, or a review tool to understand the project without exposing private configuration. It copies a safe markdown brief with the public API URL, SDK usage, integration flow, and security rules.

  • Safe to share: public URLs, endpoint names, SDK examples, callback flow, and development rules.
  • Never share: API keys, JWT secrets, database URLs, Redis URLs, Resend keys, webhook secrets, deployment tokens, or local .env contents.
  • Machine-readable brief: /llms.txt.
  • Tool behavior: Cursor can open a short prompt link to this brief. Most other tools should be opened normally, then pasted with the copied markdown so long prompts do not leak through URLs.
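The "never share" list above is easy to violate by accident when a brief is assembled from a real project directory. The following TypeScript is an added example, not part of ZKAuth or zkauth-client: a small pre-paste scanner that flags secret-shaped values in a markdown brief before it goes to Cursor, Claude, ChatGPT or a review tool. The `zka_live_` / `zka_test_` prefixes come from these docs; the other patterns, the sample brief and the function names are constructed heuristics for this example.

```typescript
// Added example: scan a handoff brief for values that must never be shared.
// Not ZKAuth tooling; key prefixes are from the docs, the rest is constructed.

interface Finding {
  line: number
  kind: string
  snippet: string
}

// Each rule pairs a label with a regex for a secret-shaped value.
const RULES: Array<{ kind: string; re: RegExp }> = [
  // Project keys: zka_live_ / zka_test_ followed by the key body
  { kind: 'zkauth project key', re: /\bzka_(?:live|test)_[A-Za-z0-9_-]{8,}/g },
  // Connection strings that embed credentials, e.g. postgres://user:pass@host
  {
    kind: 'database/redis url with credentials',
    re: /\b(?:postgres(?:ql)?|mysql|redis|rediss|mongodb(?:\+srv)?):\/\/[^\s:@/]+:[^\s@/]+@[^\s]+/g,
  },
  // Three base64url segments separated by dots: a JWT or similar signed token
  { kind: 'jwt-like token', re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g },
  // .env-style assignments whose variable name suggests a secret
  { kind: 'env secret assignment', re: /^\s*[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*\s*=\s*\S+/g },
]

// Keep enough of a match to locate it in the brief, never enough to reuse it.
function redact(value: string): string {
  return value.length <= 8 ? '***' : value.slice(0, 4) + '…***'
}

// Scan line by line so every finding carries a line number for the author.
function findSecrets(brief: string): Finding[] {
  const findings: Finding[] = []
  brief.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      const matches = text.match(rule.re) || []
      for (const m of matches) {
        findings.push({ line: idx + 1, kind: rule.kind, snippet: redact(m) })
      }
    }
  })
  return findings
}

function isSafeToShare(brief: string): boolean {
  return findSecrets(brief).length === 0
}

// Constructed sample brief: the first three lines are fine to share,
// the last two would leak private configuration.
const SAMPLE_BRIEF = [
  '# Project brief',
  'API base URL: https://api.example.com (assumed URL for this example)',
  'Keys are scoped per project; rotate them from the dashboard.',
  'ZKAUTH_API_KEY=zka_live_0123456789abcdef',
  'DATABASE_URL=postgres://app:hunter2@db.internal:5432/app',
].join('\n')

const SAFE_PART = SAMPLE_BRIEF.split('\n').slice(0, 3).join('\n')

// Run stand-alone: prints three findings, then whether each half is shareable.
console.log(findSecrets(SAMPLE_BRIEF))
console.log(isSafeToShare(SAFE_PART), isSafeToShare(SAMPLE_BRIEF))
```

Run it over the brief the copy bar produces (or over anything you paste by hand) and refuse to share while `findSecrets` returns anything. The fourth line of the sample is reported twice, once as a project key and once as an env assignment; that redundancy is deliberate, since either rule alone can miss a variant.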

What the platform gives you

  • Projects & keys: live and test keys (zka_live_ / zka_test_), each bound to a single project.
  • Replay protection: proof freshness checks and tampered-proof rejection on the hot path.
  • Usage & audit logs: per-project request logs and a developer audit trail.
  • Teams & webhooks: invite collaborators and subscribe to events with signed, test-deliverable webhooks.
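To make the replay-protection bullet concrete, here is an added TypeScript example of the kind of freshness and replay check a verifier sits behind. It is not ZKAuth's implementation: the proof shape, the field names, the 60-second window, the clock-skew allowance and the stub in place of the Groth16 verifier are all assumptions made for this example. It shows the order a defender wants: cheap rejections (wrong project, stale, already seen) before the expensive proof check, and the nonce recorded only once a proof has actually verified.

```typescript
// Added example: server-side freshness and replay guard for a login proof.
// Not ZKAuth's code; shape, window and verifier stub are assumptions.

interface LoginProof {
  projectId: string // project the presenting API key is bound to
  nonce: string     // single-use value chosen per login attempt
  issuedAt: number  // unix time in ms when the proof was created
  proof: string     // opaque proof material, checked by the real verifier
}

type ProofVerifier = (p: LoginProof) => boolean

type Verdict = 'ok' | 'wrong_project' | 'future' | 'stale' | 'replayed' | 'invalid_proof'

class ReplayGuard {
  private seen = new Map<string, number>() // nonce key -> expiry (ms)

  constructor(
    private readonly projectId: string,
    private readonly verify: ProofVerifier,
    private readonly windowMs: number = 60000, // assumed freshness window
    private readonly skewMs: number = 5000,    // assumed tolerated clock skew
  ) {}

  // `now` is injectable so the check is deterministic in tests.
  check(p: LoginProof, now: number = Date.now()): Verdict {
    // Tenant binding: a proof for another project is rejected outright.
    if (p.projectId !== this.projectId) return 'wrong_project'
    // Freshness: reject proofs from the future (beyond skew) or too old.
    if (p.issuedAt > now + this.skewMs) return 'future'
    if (now - p.issuedAt > this.windowMs) return 'stale'
    this.evict(now)
    // Replay: a nonce is only ever accepted once per project within the window.
    const key = p.projectId + ':' + p.nonce
    if (this.seen.has(key)) return 'replayed'
    // Only now pay for the proof verification itself.
    if (!this.verify(p)) return 'invalid_proof'
    // Remember the nonce for as long as the proof could still be fresh.
    this.seen.set(key, p.issuedAt + this.windowMs)
    return 'ok'
  }

  // Drop nonces that can no longer be replayed, keeping the set bounded.
  private evict(now: number): void {
    this.seen.forEach((expiry, key) => {
      if (expiry <= now) this.seen.delete(key)
    })
  }
}

// Stand-in for the Groth16 verifier: accepts only untampered sample proofs.
const stubVerifier: ProofVerifier = (p) => p.proof === 'valid'

// Constructed sequence of attempts against one project, returned for inspection.
function demo(): Verdict[] {
  const guard = new ReplayGuard('proj_example', stubVerifier)
  const t0 = 1700000000000
  const fresh: LoginProof = { projectId: 'proj_example', nonce: 'n1', issuedAt: t0, proof: 'valid' }
  return [
    guard.check(fresh, t0 + 1000),                                             // ok
    guard.check(fresh, t0 + 2000),                                             // replayed
    guard.check({ ...fresh, nonce: 'n2', proof: 'tampered' }, t0 + 3000),      // invalid_proof
    guard.check({ ...fresh, nonce: 'n3' }, t0 + 61000),                        // stale
    guard.check({ ...fresh, nonce: 'n4', projectId: 'proj_other' }, t0 + 4000), // wrong_project
    guard.check({ ...fresh, nonce: 'n5', issuedAt: t0 + 20000 }, t0 + 5000),   // future
  ]
}

console.log(demo())
```

In a real deployment the `seen` map would live in shared storage (the hot path spans more than one server) and the verifier would be the actual proof check; the ordering of the checks and the "record after verify" rule carry over unchanged.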


What we don't claim. No SOC 2, no post-quantum security, no external audit, no broad authenticator certification, and billing is not yet enforced. We’d rather be precise than impressive. See Security for the exact boundaries.