ZKAuth
Get started

Verification

Evidence

ZKAuth security claims should be tied to implementation files, tests, formal-model scope, or a caveat. This page explains what evidence exists today and how to interpret it.

Boundary

Evidence is not the same as certification. ZKAuth does not claim a completed external audit, SOC 2, HIPAA, or full formal verification of deployed code.

Current verification snapshot

This snapshot reflects the latest local verification pass, including the Phase 8 federation foundation. It is useful release evidence, not a substitute for an external audit or live-provider certification.

Dashboard

Passed

Type-check, lint, and production build completed for the developer dashboard.

Engine

Passed

Format check, lint, generated API docs currentness, and the full engine test suite completed with the browser WebAuthn E2E still marked as an opt-in pending test.

SDK and CLI

Passed

Node, Next.js, React, Express, Hono, and CLI packages completed type-check, lint, build, and tests.

Policy checks

Passed

Public claims, hosted proxy/security/UI metadata, log hygiene, session security, SDK install checks, public paths, redirects, route metadata, and secret scanning completed.

Hosted acceptance

Partial

Non-destructive hosted and full-platform preflights completed against separate dashboard and engine database targets. An explicitly approved generated-data full-platform run passed 120/120 checks, while broad production cleanup and hosted account-management parity remain outside the claim.

Evidence endpoints

Evidence

/security/evidence

Machine-readable evidence manifest for implemented claims.

Assurance

/security/assurance/policy

Assurance policy metadata for reviewer and operator inspection.

Crypto

/security/crypto-policy

Current cryptographic parameter reporting.

Standards

/security/standards

Standards-alignment map without certification claims.

Readiness

/security/pq-readiness

Crypto-agility and migration-readiness inventory.

Implemented claim map

Evidence ledger

Claims stay narrow unless implementation, tests, or caveats back them.

Proof pathImplemented evidence

Tenant-bound Groth16 login

The main proof path is checked for tenant binding, freshness, replay resistance, and malformed proof rejection.

+Evidence details
Auth controller, ZKP service, auth circuit, and Redis replay integration are covered by tests.
Negative cases include malformed proofs, tampered proofs, public-signal mismatch, stale timestamps, and concurrent replay.
Redis availability is treated as a security boundary; replay validation fails closed when required state is unavailable.
Tenant isolationImplemented evidence

API-key tenant isolation

Project API keys are validated against the tenant they belong to before protected routes run.

+Evidence details
Secure API-key middleware and service enforce project/client matching.
Tenant mismatch tests cover requests that present a valid key for the wrong project.
Machine authImplemented evidence

Project API-key lifecycle, limits, and opaque introspection

Project keys have lifecycle metadata, limits, and server-side opaque introspection.

+Evidence details
Engine and dashboard evidence covers creation metadata, rotation, revocation, per-key limits, and quota tracking.
Opaque machine-token self-introspection is available for trusted server code.
This is not OAuth client credentials or JWT machine-token issuance.
User API keysImplemented evidence

Scoped end-user opaque API keys

End-user keys are scoped, project-bound opaque secrets with reveal-once handling.

+Evidence details
Engine, dashboard, hosted helper, SDK, and tests cover reveal-once creation and HMAC-only storage.
Scopes, expiry, revocation, last-used metadata, and project-bound validation are covered.
These are not OAuth access tokens or full personal-access-token parity.
OrganizationsScoped helper

Preview B2B organization foundation

The organization surface supports preview B2B building blocks without claiming full enterprise identity parity.

+Evidence details
Engine, generated API docs, and dashboard UI cover profiles, memberships, roles, invitations, teams, and verified domains.
Webhooks, audit events, and SCIM Users/Groups/Bulk attachment are included in the preview surface.
Certified enterprise SSO, certified directory sync, and per-seat billing are not shipped.
FederationScoped helper

Preview OAuth/OIDC and SCIM foundation

OAuth/OIDC and SCIM foundations exist as a preview, with conservative linking and explicit SAML non-claim language.

+Evidence details
Provider configuration, encrypted provider secrets, OAuth state/nonce/PKCE, and OIDC discovery/JWKS refresh are covered.
Account linking is conservative; local sessions are created only for active trusted links.
SCIM evidence covers bearer-token lifecycle, Users/Groups provisioning, signed cursor pagination, and bounded Bulk writes.
Dashboard setup exists for provider configuration, OIDC refresh, and reveal-once SCIM token issuance.
SAML groundwork is internal only; SAML is planned for a later enterprise release and is not public-launch enabled.
Credential-gated live E2E harnesses exist, but broad provider certification is not complete.
OPAQUEScoped helper

OPAQUE helper flow

OPAQUE helper routes exist for preview testing, but production setup still requires persistent server configuration.

+Evidence details
Preview helper routes use DB-backed registration records.
Registration-before-login checks, tenant/user record binding, and single-use login-session tests are covered.
Production requires persistent OPAQUE server setup.
WebAuthnScoped helper

WebAuthn helper flow

WebAuthn helper routes cover challenge ownership and mismatch rejection in the preview helper flow.

+Evidence details
Virtual authenticator E2E covers the preview helper route.
DB-backed single-use challenge tests and ceremony challenge mismatch rejection are covered.
Credential tenant/user ownership checks are included.
Hosted foundationScoped helper

Project-bound hosted proxy

Hosted routes are project-bound helpers; the developer application still owns the final app session.

+Evidence details
Hosted settings and proxy routes cover slug/client binding, callback and origin allowlists, and server-side key injection.
No-store responses, request-context checks, bounded result pages, and hosted sign-up/sign-in/recovery helpers are covered.
Hosted passkey helper, account-security helper controls, and single-use handoff-code redemption are included.
The developer app still owns its session cookie.
Public metadataDocumented boundary

Standards-aware metadata

Public security metadata exists with explicit non-claims instead of certification language.

+Evidence details
Assurance, standards alignment, crypto policy, and post-quantum readiness endpoints exist.
The endpoints document boundaries and non-claims instead of implying certification.

Formal model scope

The formal model is intentionally scoped. Use this wording when describing it publicly:

text
We provide a focused symbolic Tamarin model for tenant binding, replay uniqueness, API-key tenant matching, recovery-code single-use, OPAQUE registration-before-login, passkey registration-before-step-up, stale-proof rejection, and cross-tenant rejection. The model abstracts Groth16 proof soundness and does not constitute a full formal verification of the deployed implementation.

Verified Tamarin lemmas

Proof acceptance

Freshness, replay, and tenant binding properties.

replay_accepted_at_most_onceaccepted_proof_is_tenant_boundstale_timestamp_proof_never_accepted

Tenant and key isolation

API-key matching and cross-tenant rejection.

accepted_login_requires_api_key_matchcross_tenant_registered_credential_never_accepted

Helper-flow guards

Single-use and registration-before-authentication checks.

recovery_code_used_at_most_onceopaque_login_requires_opaque_registrationpasskey_stepup_requires_registered_credential

Local verification commands

The engine and SDK repositories contain the security-sensitive tests. Run focused checks after any auth, proof, replay, callback, session, or device change. Run each block from the matching repository root.

Proof and replay gates. Use these targeted checks before relying on any tenant-bound proof, freshness, or replay claim.

engine: proof and replaypowershell
npm exec -- mocha "tests/unit/zkpService.test.js" --require tests/setup.js --timeout 30000npm run test:integrationnpm run test:property
enginepowershell
npm run format:checknpm run lintnpm run testnpm run test:unitnpm run test:integrationnpm run test:property
sdkpowershell
npm run type-checknpm run lintnpm run buildnpm run test

For public product boundaries, read Limitations. For the attacker model, read Threat model.