ZeroAuth is the developer-facing auth API for Pramaan — the patented zero-knowledge biometric identity protocol from Yushu Excellence Technologies. Raw biometrics never leave the device. Commitments & Groth16 proofs are all the server ever sees. Ship signup, login, and device attestation in minutes.
Spin up a tenant from the dashboard, grab an API key, and start issuing zero-knowledge proofs from any backend.
Sign up to create a tenant. You’ll get a za_test_… key for development and a separate za_live_… key for production.
POST a Poseidon commitment from the client SDK. ZeroAuth stores the commitment — never the underlying biometric.
On every login, send the Groth16 proof to /v1/verifications. Get back a verified principal in <100 ms.
# 1. Register a user with a commitment curl -X POST https://api.zeroauth.dev/v1/users/register \ -H "Authorization: Bearer $ZEROAUTH_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "external_id": "user_42", "commitment": "0x1f3c…" }' # 2. Verify a Groth16 proof at login curl -X POST https://api.zeroauth.dev/v1/verifications \ -H "Authorization: Bearer $ZEROAUTH_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "external_id": "user_42", "proof": { "a": [...], "b": [...], "c": [...] }, "public_signals": ["0x1f3c…"] }'
import { ZeroAuth } from '@zeroauth/sdk'; const za = new ZeroAuth({ apiKey: process.env.ZEROAUTH_API_KEY }); // 1. Register a user from your backend await za.users.register({ externalId: 'user_42', commitment, // from client SDK }); // 2. Verify a proof on login const { verified, principal } = await za.verifications.create({ externalId: 'user_42', proof, publicSignals, }); if (verified) issueSession(principal);
from zeroauth import ZeroAuth za = ZeroAuth(api_key=os.environ["ZEROAUTH_API_KEY"]) # 1. Register a user za.users.register( external_id="user_42", commitment=commitment, ) # 2. Verify a proof result = za.verifications.create( external_id="user_42", proof=proof, public_signals=public_signals, ) if result.verified: issue_session(result.principal)
A typed REST API, a developer console, granular audit logs, and a separation between live and test environments — so you can ship without flying blind.
A typed REST API with first-party SDKs for Node and Python. Predictable error codes and idempotent writes.
Two isolated environments per tenant. Mint, rotate, and revoke za_live_ / za_test_ keys from the dashboard.
Every signup, verification, key rotation, and device event — searchable, exportable, and tamper-evident.
Register hardware devices, attach battery + location telemetry, and tie verifications back to a specific endpoint.
Groth16 verification on a single core. Run it inside our API or self-host the verifier — the math is the same.
API, dashboard, circuits, and docs are all on GitHub. Audit it. Self-host it. Fork it.
ZeroAuth implements the Pramaan protocol: the user proves they hold a biometric on their device, and only a Poseidon hash commitment + a Groth16 proof ever cross the network. Raw embeddings stay in browser/app memory and are GC’d after hashing.
The user creates a credential on their own device. A cryptographic commitment is generated and stored — never the credential itself. Your server never sees the secret.
At login, a zero-knowledge proof is generated client-side. It mathematically proves the user knows the credential — without transmitting any part of it.
Proofs are verified against the commitment using succinct verification. Works on-chain via smart contracts or off-chain with a lightweight verifier.
Watch a complete Pramaan flow through the ZeroAuth API: biometric capture, Poseidon commitment, Groth16 proof generation on-device, server-side verification, and a simulated breach that exposes nothing.
In 2023, Okta’s breach exposed every support customer’s data. In May 2024 an Indian Army contractor leaked 496 GB of biometric data. Here is the same scenario with Pramaan.
Pramaan is the zero-knowledge biometric identity protocol behind every ZeroAuth verification — commitment hashing, Groth16 proof, on-chain anchoring on Base L2, and DDIL-grade offline verification. Granted to Yushu Excellence Technologies Pvt. Ltd. Read the full technical whitepaper →
Self-serve gets you to production for most workloads. For regulated industries or on-prem requirements, our team works directly with your security org — no rip-and-replace required.
Your database becomes worthless to attackers. No password hashes, no tokens, no session secrets to exfiltrate.
Works alongside your existing IdP. Integrates via standard APIs and SDKs. Deploy in days, not quarters.
Designed for SOC 2, GDPR, and HIPAA. Less data stored means less data to govern.
Built on peer-reviewed cryptographic primitives: Groth16 proofs, Poseidon hashing, and elliptic curve pairings.
For SOC 2, SSO, on-prem, or pilot deployments. We’ll reach out within one business day.
For self-serve: create an account →
Our team will contact you within one business day to schedule your technical walkthrough.
25 pages on the protocol that ZeroAuth implements: architecture, cryptographic design, security analysis against 9 attack vectors, performance benchmarks, and regulatory compliance posture.
Technical architecture & security analysis. Covers system design, registration + authentication + offline flows, Sybil/identity-binding model with LSH deduplication, Poseidon hash construction, Circom 2.1.9 circuit details, Groth16 proof system, on-chain anchoring on Base L2, threat analysis (server DB breach, device capture, MITM, replay, …), and a regulatory annex covering DPDP 2023, RBI Video-KYC, UIDAI independence, and GDPR.
Thanks — your download is starting. Click here if it does not begin automatically.