Verification
Evidence
ZKAuth security claims should be tied to implementation files, tests, formal-model scope, or a caveat. This page explains what evidence exists today and how to interpret it.
Boundary
Current verification snapshot
This snapshot reflects the latest local verification pass, including the Phase 8 federation foundation. It is useful release evidence, not a substitute for an external audit or live-provider certification.
Dashboard
PassedType-check, lint, and production build completed for the developer dashboard.
Engine
PassedFormat check, lint, generated API docs currentness, and the full engine test suite completed with the browser WebAuthn E2E still marked as an opt-in pending test.
SDK and CLI
PassedNode, Next.js, React, Express, Hono, and CLI packages completed type-check, lint, build, and tests.
Policy checks
PassedPublic claims, hosted proxy/security/UI metadata, log hygiene, session security, SDK install checks, public paths, redirects, route metadata, and secret scanning completed.
Hosted acceptance
PartialNon-destructive hosted and full-platform preflights completed against separate dashboard and engine database targets. An explicitly approved generated-data full-platform run passed 120/120 checks, while broad production cleanup and hosted account-management parity remain outside the claim.
Evidence endpoints
Evidence
/security/evidenceMachine-readable evidence manifest for implemented claims.
Assurance
/security/assurance/policyAssurance policy metadata for reviewer and operator inspection.
Crypto
/security/crypto-policyCurrent cryptographic parameter reporting.
Standards
/security/standardsStandards-alignment map without certification claims.
Readiness
/security/pq-readinessCrypto-agility and migration-readiness inventory.
Implemented claim map
Evidence ledger
Claims stay narrow unless implementation, tests, or caveats back them.
Tenant-bound Groth16 login
The main proof path is checked for tenant binding, freshness, replay resistance, and malformed proof rejection.
+-Evidence details
API-key tenant isolation
Project API keys are validated against the tenant they belong to before protected routes run.
+-Evidence details
Project API-key lifecycle, limits, and opaque introspection
Project keys have lifecycle metadata, limits, and server-side opaque introspection.
+-Evidence details
Scoped end-user opaque API keys
End-user keys are scoped, project-bound opaque secrets with reveal-once handling.
+-Evidence details
Preview B2B organization foundation
The organization surface supports preview B2B building blocks without claiming full enterprise identity parity.
+-Evidence details
Preview OAuth/OIDC and SCIM foundation
OAuth/OIDC and SCIM foundations exist as a preview, with conservative linking and explicit SAML non-claim language.
+-Evidence details
OPAQUE helper flow
OPAQUE helper routes exist for preview testing, but production setup still requires persistent server configuration.
+-Evidence details
WebAuthn helper flow
WebAuthn helper routes cover challenge ownership and mismatch rejection in the preview helper flow.
+-Evidence details
Project-bound hosted proxy
Hosted routes are project-bound helpers; the developer application still owns the final app session.
+-Evidence details
Standards-aware metadata
Public security metadata exists with explicit non-claims instead of certification language.
+-Evidence details
Formal model scope
The formal model is intentionally scoped. Use this wording when describing it publicly:
We provide a focused symbolic Tamarin model for tenant binding, replay uniqueness, API-key tenant matching, recovery-code single-use, OPAQUE registration-before-login, passkey registration-before-step-up, stale-proof rejection, and cross-tenant rejection. The model abstracts Groth16 proof soundness and does not constitute a full formal verification of the deployed implementation.Verified Tamarin lemmas
Proof acceptance
Freshness, replay, and tenant binding properties.
replay_accepted_at_most_onceaccepted_proof_is_tenant_boundstale_timestamp_proof_never_acceptedTenant and key isolation
API-key matching and cross-tenant rejection.
accepted_login_requires_api_key_matchcross_tenant_registered_credential_never_acceptedHelper-flow guards
Single-use and registration-before-authentication checks.
recovery_code_used_at_most_onceopaque_login_requires_opaque_registrationpasskey_stepup_requires_registered_credentialLocal verification commands
The engine and SDK repositories contain the security-sensitive tests. Run focused checks after any auth, proof, replay, callback, session, or device change. Run each block from the matching repository root.
Proof and replay gates. Use these targeted checks before relying on any tenant-bound proof, freshness, or replay claim.
npm exec -- mocha "tests/unit/zkpService.test.js" --require tests/setup.js --timeout 30000npm run test:integrationnpm run test:propertynpm run format:checknpm run lintnpm run testnpm run test:unitnpm run test:integrationnpm run test:propertynpm run type-checknpm run lintnpm run buildnpm run testFor public product boundaries, read Limitations. For the attacker model, read Threat model.