A drop-in identity API built on zero-knowledge cryptography. The biometric never leaves the device. The server never sees it. What we store cannot be reversed, replayed, or sold.
A real-time simulation of the protocol — enrollment, client-side proof generation, on-chain anchoring, and verification. The biometric never leaves the simulated device.
Spin up a tenant from the dashboard, grab an API key, and start issuing zero-knowledge proofs from any backend. SDKs for Node and Python; the REST API works from anywhere.
Sign up to create a tenant. You'll get a za_test_… key for development and a separate za_live_… key for production.
POST a Poseidon commitment from the client SDK. ZeroAuth stores the commitment — never the underlying biometric.
On every login, send the Groth16 proof to /v1/verifications. Get back a verified principal in under 100 ms.
# 1. Register a user with a commitment curl -X POST https://api.zeroauth.dev/v1/users/register \ -H "Authorization: Bearer $ZEROAUTH_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "external_id": "user_42", "commitment": "0x1f3c…" }' # 2. Verify a Groth16 proof at login curl -X POST https://api.zeroauth.dev/v1/verifications \ -H "Authorization: Bearer $ZEROAUTH_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "external_id": "user_42", "proof": { "a": [...], "b": [...], "c": [...] }, "public_signals": ["0x1f3c…"] }'
import { ZeroAuth } from '@zeroauth/sdk'; const za = new ZeroAuth({ apiKey: process.env.ZEROAUTH_API_KEY }); // 1. Register a user from your backend await za.users.register({ externalId: 'user_42', commitment, // from client SDK }); // 2. Verify a proof on login const { verified, principal } = await za.verifications.create({ externalId: 'user_42', proof, publicSignals, }); if (verified) issueSession(principal);
from zeroauth import ZeroAuth za = ZeroAuth(api_key=os.environ["ZEROAUTH_API_KEY"]) # 1. Register a user za.users.register( external_id="user_42", commitment=commitment, ) # 2. Verify a proof result = za.verifications.create( external_id="user_42", proof=proof, public_signals=public_signals, ) if result.verified: issue_session(result.principal)
The user proves they hold a biometric on their device. Only a Poseidon commitment and a Groth16 proof ever cross the network. Raw embeddings stay in memory and are destroyed after hashing.
The user creates a credential on their own device. A cryptographic commitment is generated and stored — never the credential itself.
// On the user's device const secret = generateCredential(); const commitment = poseidonHash(secret); register({ commitment });
At login, a Groth16 zero-knowledge proof is generated on the device. It mathematically proves the user knows the credential — without transmitting any part of it.
// Client-side proof generation const proof = await groth16.prove( circuit, { secret, commitment } ); authenticate({ proof });
Proofs are verified against the commitment using succinct verification. Works on-chain via smart contracts or off-chain with a lightweight verifier.
// Server or smart contract const valid = groth16.verify( verificationKey, proof, signals ); // secrets exposed: 0
A typed REST API, a developer console, granular audit logs, and a separation between live and test environments — so you can ship without flying blind.
A typed REST API with first-party SDKs for Node and Python. Predictable error codes and idempotent writes.
Two isolated environments per tenant. Mint, rotate, and revoke za_live_ / za_test_ keys from the dashboard.
Every signup, verification, key rotation, and device event — searchable, exportable, and tamper-evident.
Register hardware devices, attach battery + location telemetry, and tie verifications back to a specific endpoint.
Groth16 verification on a single core. Run it inside our API or self-host the verifier — the math is the same.
API, dashboard, circuits, and docs are on GitHub. Audit it. Self-host it. Fork it.
In October 2023, Okta's support breach exposed every support customer's data and shaved more than 11% off the share price. In May 2024 an Indian contractor leaked 496 GB of biometric data. Here is the same scenario, with ZeroAuth.
Every cryptographic choice, every architectural decision, every threat is documented in the open. The full source — verifier, circuit, on-chain contracts — is MIT licensed.
Self-serve gets you to production for most workloads. For regulated industries or on-prem requirements, our team works directly with your security org — no rip-and-replace required.
Your database becomes worthless to attackers. No password hashes, no tokens, no session secrets to exfiltrate.
Works alongside your existing IdP. Integrates via standard APIs and SDKs. Deploy in days, not quarters.
Designed for SOC 2, GDPR, DPDP, and HIPAA. Less data stored means less data to govern.
Built on peer-reviewed cryptographic primitives: Groth16 proofs, Poseidon hashing, and elliptic-curve pairings.
Pramaan is the zero-knowledge biometric identity protocol underlying ZeroAuth. The paper describes the construction, the security reductions, the on-chain anchoring model, and the operational guarantees in detail.
Written for cryptographers and platform engineers. Includes the formal proof of soundness, the circuit specification, and the recommended deployment topology.
