Reference

API reference

The engine is REST over JSON and enforces HTTPS. Most endpoints are plain requests, but register and login carry zero-knowledge material that the client computes from the password, which is why the SDK generates it for you.

Base URL

text

https://api.zkauth.dev

Authentication

Send your project key in x-api-key on every request. Routes that act on a signed-in user also need the session token as a bearer token. Bearer-only requests and invalid keys are rejected.

http

x-api-key: zka_live_your_api_key        # every requestAuthorization: Bearer <session-token>   # user routes only

Validate a key

GET/api/v1/client/me

Returns the client that owns a key: a fully self-contained request, so it’s the best first call to confirm your setup in any language.

curl https://api.zkauth.dev/api/v1/client/me \  -H "x-api-key: zka_test_your_api_key"

Register

POST/api/v1/auth/register

The body carries a client-derived salt and commitment, never the password. The SDK computes these; if you implement them yourself you must reproduce the Argon2id + Poseidon derivation.

json

POST /api/v1/auth/register{  "email": "ada@example.com",  "salt": "...",          // derived from the password on the client  "commitment": "...",    // Poseidon commitment, computed on the client  "deviceInfo": { "deviceName": "Chrome on Mac", "deviceType": "desktop" }}

You'll want the SDK here. Generating a valid commitment (register) and Groth16 proof (login) requires the circuits and crypto bundled in zkauth-client. Raw HTTP is best for the read, session, password-reset, OPAQUE, and WebAuthn endpoints below.

Log in

GET/api/v1/auth/salt/:email

Returns the public salt for a user (the SDK fetches this for you).

POST/api/v1/auth/login

Verifies a Groth16 proof, applies replay protection, and starts a session.

json

POST /api/v1/auth/login{  "email": "ada@example.com",  "proof": { "pi_a": [...], "pi_b": [...], "pi_c": [...], "protocol": "groth16", "curve": "bn128" },  "publicSignals": ["..."],  "deviceInfo": { "deviceName": "Chrome on Mac", "deviceType": "desktop" },  "proofNonce": "...",  "proofTimestamp": 1730000000000}

Response

json

{  "success": true,  "data": {    "token": "eyJ...",    "user": { "id": "usr_...", "email": "ada@example.com", "emailVerified": true },    "session": { "sessionId": "...", "expiresAt": "..." }  }}

Session

These require the session token as a bearer token.

GET/api/v1/auth/me

Return the authenticated user.

POST/api/v1/auth/logout

Invalidate the current session.

GET/api/v1/auth/verify-email/:token

Confirm an email with the token from registration.

Password reset

POST/api/v1/password/forgot-passwordGET/api/v1/password/verify-reset-tokenPOST/api/v1/password/reset-password

Request a reset, verify the token, then set a new commitment. Resets may require approval depending on your project policy. Password reset emails redirect to the project callback URL with zkauth_action=password_reset and token.

Devices

GET/api/v1/devicesPOST/api/v1/devices/registerPOST/api/v1/devices/verifyDELETE/api/v1/devices/:deviceId

List, trust, verify, and remove a user’s devices.

OPAQUE

GET/api/v1/opaque/statusPOST/api/v1/opaque/register/responsePOST/api/v1/opaque/register/finishPOST/api/v1/opaque/login/startPOST/api/v1/opaque/login/finishPOST/api/v1/opaque/migration/startPOST/api/v1/opaque/migration/finish

Migration endpoints support user-mediated movement from legacy password proof credentials to persisted OPAQUE records.

WebAuthn

POST/api/v1/webauthn/register/optionsPOST/api/v1/webauthn/register/verifyPOST/api/v1/webauthn/authenticate/optionsPOST/api/v1/webauthn/authenticate/verify

Route these through your backend proxy so the key stays server-side. See Authentication.

Sessions & account security

User-scoped controls under /api/v1/security, all bearer-authenticated.

GET/api/v1/security/sessionsDELETE/api/v1/security/sessions/:sessionId

List active sessions and revoke a specific one.

GET/api/v1/security/mfa/statusPOST/api/v1/security/mfa/totp/setupPOST/api/v1/security/mfa/totp/verifyPOST/api/v1/security/mfa/backup-codes/generateGET/api/v1/security/recovery-codes/statusPOST/api/v1/security/recovery-codes/generatePOST/api/v1/security/recovery-codes/regeneratePOST/api/v1/security/recovery-codes/download

Set up TOTP and issue one-time recovery codes.

POST/api/v1/security/emergency-reset/requestPOST/api/v1/security/emergency-reset/confirmGET/api/v1/security/emergency-reset/statusPOST/api/v1/security/emergency-reset/cancel

Start, confirm, inspect, or cancel account recovery. Confirming is gated by the configured delay.

POST/api/v1/auth/refresh

Refresh a session token.

Webhooks

Project-scoped webhook management endpoints.

GET/api/v1/client/webhooksPOST/api/v1/client/webhooksGET/api/v1/client/webhooks/eventsGET/api/v1/client/webhooks/:webhookIdPUT/api/v1/client/webhooks/:webhookIdDELETE/api/v1/client/webhooks/:webhookIdPOST/api/v1/client/webhooks/:webhookId/testGET/api/v1/client/webhooks/:webhookId/deliveriesPUT/api/v1/client/webhooks/bulk

Use signed test deliveries before enabling production event delivery.

Transparency & evidence

Read-only endpoints that expose how the engine is actually configured, so you can verify our security claims instead of taking them on faith.

GET/api/v1/security/crypto-policy

The active cryptographic parameters (curve, hash, Argon2id settings).

GET/api/v1/security/standards

Standards mappings, published without claiming certification.

GET/api/v1/security/pq-readiness

Post-quantum readiness posture.

GET/api/v1/security/evidenceGET/api/v1/security/assurance/policy

Assurance and evidence records for operator and auditor review.

Key formats & limits

Prefix	Use
`zka_live_...`	Production traffic.
`zka_test_...`	Development and CI.

Rate limits apply per client. Failed requests return a non-2xx status with a JSON body: { success: false, message, code }.