Platform Capabilities

This page describes the current capabilities and roadmap of the ZeroAuth platform.

Production-Ready Features

  • ZKP biometric authentication — Full Groth16 proof verification with Poseidon commitments
  • Multi-tenant API platform — Scoped API keys, per-tenant rate limiting, usage metering
  • API key lifecycle — Create, list, revoke keys with SHA-256 hashed storage
  • Developer console — Account management, key management, usage monitoring
  • JWT session management — Access tokens, refresh tokens, session invalidation
  • Base Sepolia blockchain integration — On-chain DID registry and proof verification
  • Enterprise federation endpoints — SAML 2.0 and OIDC/OAuth 2.0 authentication paths
  • Plan-based limits — Free, Starter, Growth, and Enterprise tiers with configurable quotas
  • Security middleware — helmet, CORS, PKCE, scoped permissions

API Endpoints

All authentication and identity endpoints are available under the /v1/ versioned API:

| Category | Endpoints | Status |
| --- | --- | --- |
| ZKP Authentication | register, verify, nonce, circuit-info | Production |
| SAML SSO | login, callback, metadata | Available |
| OIDC / OAuth 2.0 | authorize, callback | Available |
| Identity | me, logout, refresh | Production |
| Developer Console | signup, login, keys, usage, account | Production |
| Health | health check | Production |

Integration Model

ZeroAuth is a hosted API platform. Integration requires:

  1. Sign up at https://zeroauth.dev/api/console/signup
  2. Get an API key — shown once at creation, stored as SHA-256 hash
  3. Make API calls with Authorization: Bearer za_live_YOUR_KEY
  4. Monitor usage via the developer console API

No packages to install. No infrastructure to manage. No biometric data stored.

Plans

| Feature | Free | Starter | Growth | Enterprise |
| --- | --- | --- | --- | --- |
| Monthly requests | 1,000 | 25,000 | 250,000 | Unlimited |
| Rate limit (per 15 min) | 100 | 500 | 2,000 | 10,000 |
| API keys | 10 | 10 | 10 | 10 |
| On-chain verification | -- | Yes | Yes | Yes |
| Support | Community | Email | Priority | Dedicated |

Security Architecture

  • API keys stored as SHA-256 hashes (raw key shown once)
  • Tenant passwords hashed with scrypt
  • Per-tenant sliding window rate limiting
  • Monthly quota enforcement
  • Scope-based API key permissions
  • Zero biometric data persistence
  • On-chain data limited to irreversible SHA-256 hashes

For the full security model, see Privacy and Security.