Get started
Quick start
The whole lifecycle in four calls. Each one carries a proof, never the password.
Register a user
The client derives a zero-knowledge proof from the password locally and sends only that proof; the engine stores a verifier.
```ts
import { zkauth } from './lib/zkauth'

await zkauth.register({
  email: 'ada@example.com',
  password: 'correct horse battery staple',
  deviceInfo: { deviceName: 'Chrome on Mac', deviceType: 'desktop' },
})
```
Log in
Login repeats the handshake. The engine verifies the proof, applies replay protection, and returns a session token.
```ts
const res = await zkauth.login({
  email: 'ada@example.com',
  password: 'correct horse battery staple',
  deviceInfo: { deviceName: 'Chrome on Mac', deviceType: 'desktop' },
})

// The token lives on the instance; persist it in an http-only cookie too.
const token = res.data.session.token
```
Read the current user
The client keeps the session after login, so read the current user with no arguments.
```ts
const user = await zkauth.getCurrentUser() // uses the active session
console.log(user?.email)
```
Log out
Invalidate the session when the user signs out.
```ts
await zkauth.logout()
```
Handle email callbacks
Set a primary redirect URL in the dashboard, then add it to the allowlist. ZKAuth sends users there after email verification, device approval, device denial, and password reset links. If no safe redirect is configured, ZKAuth shows a hosted fallback page instead of redirecting to an unknown URL.
```ts
// Example callback handler in your app
const params = new URL(request.url).searchParams
const action = params.get('zkauth_action')

if (action === 'password_reset') {
  return showResetPasswordForm(params.get('token'))
}

if (params.get('success') === 'true') {
  // Email verified, device approval completed, or device denial recorded.
  return redirect('/app')
}

// Show a recoverable auth message to the user.
return showAuthError(params.get('error'))
```
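The handler above branches on the callback parameters and then sends the user somewhere. The dashboard allowlist protects ZKAuth's own redirects, but any destination your app picks after the callback needs the same discipline, or the callback becomes an open redirect. The following is an added example, not ZKAuth's code: it classifies the callback the way the handler above does and resolves an app-chosen `next` destination against an app-side allowlist. The `next` query parameter, the `APP_REDIRECT_ALLOWLIST` value and the function names are assumptions for illustration; only `zkauth_action`, `token`, `success` and `error` come from this page.

```javascript
// Added example (not ZKAuth's code). Assumed: the callback URL carries the
// page's own parameters (zkauth_action, token, success, error) plus an
// app-specific `next` parameter; the allowlist below is a constructed value.
const APP_REDIRECT_ALLOWLIST = ['https://app.example.com'];

// Parse the callback URL into one of the outcomes the app has to handle.
function classifyCallback(url) {
  const params = new URL(url).searchParams;
  if (params.get('zkauth_action') === 'password_reset') {
    const token = params.get('token');
    return token
      ? { kind: 'password_reset', token }
      : { kind: 'error', message: 'missing reset token' };
  }
  if (params.get('success') === 'true') {
    return { kind: 'success' };
  }
  return { kind: 'error', message: params.get('error') ?? 'unknown callback' };
}

// Resolve a requested destination to something safe to redirect to.
// Accepts only app-relative paths or absolute URLs whose origin is on the
// allowlist; everything else (protocol-relative, foreign origin, javascript:)
// falls back to the default.
function safeRedirectTarget(next, fallback = '/app') {
  if (typeof next !== 'string' || next.length === 0) return fallback;
  // Relative path: a single leading '/', not '//' (protocol-relative), and no
  // backslash, which some browsers normalise to '/'.
  if (next.startsWith('/') && !next.startsWith('//') && !next.includes('\\')) {
    return next;
  }
  let parsed;
  try {
    parsed = new URL(next);
  } catch {
    return fallback; // not an absolute URL either, so not something we trust
  }
  // Compare the parsed origin rather than a string prefix, so that
  // https://app.example.com.evil.test is rejected.
  if (APP_REDIRECT_ALLOWLIST.includes(parsed.origin)) {
    return parsed.href;
  }
  return fallback;
}

// Combine both: what happened, and where the user goes next.
function handleCallback(url) {
  const outcome = classifyCallback(url);
  const next = new URL(url).searchParams.get('next');
  return { ...outcome, redirectTo: safeRedirectTarget(next) };
}
```

The origin comparison is the part worth copying: prefix or substring checks on the raw string are exactly what `https://app.example.com.evil.test` and `//evil.test` are built to slip past, while `new URL(...).origin` normalises scheme, host and default port before the comparison.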