Authentication where a breach exposes nothing.
Zero-knowledge identity verification for regulated industries — BFSI, healthcare, government. Built on Pramaan™, the patented cryptographic system behind it (Indian Patent 202311041001).
A hosted identity API that lets your users prove who they are without you — or us — ever holding the credential. The biometric never leaves the device; what the server sees is a Groth16 zero-knowledge proof, a Poseidon commitment, and a DID anchored on an L2.
If the database is exfiltrated tomorrow, the attacker gets cryptographic commitments and expired proofs. Nothing reversible. Nothing replayable.
Three authentication surfaces share the same API key and verifier:
| Surface | Use case |
|---|---|
| ZK biometric | Bank KYC, attendance, transaction confirmation — any flow that previously stored a biometric template. |
| SAML 2.0 | Enterprise SSO with Okta / Azure AD / Ping. ZeroAuth acts as the SP. |
| OAuth 2.0 / OIDC | Authorization-code + PKCE with discovery + JWKS. |
We separate the invention from the product:
- Pramaan™ is the patented cryptographic protocol — the irreversibility guarantee, the proof construction, the DID derivation, the audit chain. It is the IP. Indian Patent 202311041001, owned by Yushu Excellence Technologies Pvt. Ltd.
- ZeroAuth is the open-source reference implementation of Pramaan — the developer-facing API, SDKs, dashboard, and docs that ship at zeroauth.dev.
You can build on ZeroAuth without a patent license; you cannot independently implement Pramaan and call it Pramaan.
| Repo | What it is |
|---|---|
| ZeroAuth | The live reference implementation — central API, developer console, React dashboard, Docusaurus docs, Solidity contracts, Circom circuit, the in-tree @zeroauth/verifier workspace, and the Docker stack that runs at zeroauth.dev. |
| ZeroAuth-Governance | The audit surface — shared security policy, naming conventions, threat models, compliance mappings (DPDP, IRDAI, RBI, MeitY), and the evidence-pack manifest sources buyers receive at SOW. |
| .github | This profile + org-level community health files. |
Coming as standalone repos when their first external consumer ships:
ZeroAuth-Mobile-SDK, ZeroAuth-IoT, ZeroAuth-Verifier (the workspace
graduates out of the monorepo once a second service consumes it).
| Primitive | What it does | Source of truth |
|---|---|---|
| Groth16 over BN128 | Succinct proof of biometric possession | ZeroAuth/circuits/identity_proof.circom |
| Poseidon | ZK-friendly commitment to the biometric hash | Circom + on-chain |
| SHA-256 | Hash chain over append-only audit events | ZeroAuth/verifier/src/audit-log.ts |
| Ed25519 / secp256k1 | Device signing + on-chain identity | Standard libs |
| TLS 1.3 | Transport | Caddy + Let's Encrypt |
All primitives are peer-reviewed. We do not invent crypto; we compose it.
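The SHA-256 hash chain over append-only audit events, sketched as an added TypeScript example. This is not the in-tree audit-log.ts; the entry fields, event names and DID values are constructed for illustration, and the integrity check shows what a chain can and cannot detect on its own.

```typescript
import { createHash } from "crypto";
// One stored audit event: its own fields plus the hash of the previous
// entry, so every entry commits to the whole history before it.
interface AuditEntry {
  seq: number;
  ts: string;       // ISO-8601 timestamp
  event: string;    // e.g. "proof.verified" (constructed names)
  subject: string;  // DID of the subject (constructed sample values)
  prevHash: string; // hex SHA-256 of the previous entry; GENESIS for seq 0
  hash: string;     // hex SHA-256 over this entry's canonical bytes
}
const GENESIS = "0".repeat(64);
// Canonical serialisation with a fixed field order keeps the hash deterministic.
function canonical(e: Omit<AuditEntry, "hash">): string {
  return JSON.stringify([e.seq, e.ts, e.event, e.subject, e.prevHash]);
}
function sha256Hex(s: string): string {
  return createHash("sha256").update(s, "utf8").digest("hex");
}
// Append-only write path: the caller supplies the payload, the chain link is derived.
function appendEvent(log: AuditEntry[], ts: string, event: string, subject: string): AuditEntry {
  const prev = log.length ? log[log.length - 1].hash : GENESIS;
  const body = { seq: log.length, ts, event, subject, prevHash: prev };
  const entry: AuditEntry = { ...body, hash: sha256Hex(canonical(body)) };
  log.push(entry);
  return entry;
}
// Integrity check: index of the first bad entry, or -1 if the chain is intact.
// Detects edited fields, deleted or reordered entries. Tail truncation is NOT
// detectable from the log alone; compare the head hash with an externally held anchor.
function verifyChain(log: AuditEntry[]): number {
  let expectedPrev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const { hash, ...body } = log[i];
    if (body.seq !== i || body.prevHash !== expectedPrev || sha256Hex(canonical(body)) !== hash) return i;
    expectedPrev = hash;
  }
  return -1;
}
// Constructed sample: three events, then one silently edited in place.
function demo(): { intact: number; tampered: number } {
  const log: AuditEntry[] = [];
  appendEvent(log, "2026-01-01T00:00:00Z", "proof.verified", "did:example:alice");
  appendEvent(log, "2026-01-01T00:00:05Z", "session.issued", "did:example:alice");
  appendEvent(log, "2026-01-01T00:01:00Z", "proof.rejected", "did:example:bob");
  const intact = verifyChain(log);
  log[1].event = "proof.rejected";
  return { intact, tampered: verifyChain(log) };
}
```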
Engineering discipline is a first-class artifact, not a side effect.
- Threat model (canonical) lives in the governance repo and is cross-referenced from every mitigating commit (A-NN markers).
- ADRs under ZeroAuth/adr/ — every direct dependency, every architectural pivot, gets a numbered record.
- CLAUDE.md at the root of each repo is the constitution for AI-assisted development: language rules, non-goals, source-of-truth pointers.
- Compliance mappings for DPDP, IRDAI, RBI, MeitY are in ZeroAuth-Governance/docs/compliance/ — marked provisional until external counsel review (target Q3 2026).
Each release ships an evidence pack — a buyer-facing bundle of the threat
model, audit-log integrity report, dep trail, ADRs, and SHA-256 checksums of
every governance source. The manifest is tracked in
evidence-pack-sources/.
```bash
git clone https://github.com/zeroauth-dev/ZeroAuth.git
cd ZeroAuth
cp .env.example .env
./scripts/deploy.sh dev
# → http://localhost:3000
```

Or hit the live deployment directly:

```bash
curl https://zeroauth.dev/api/health
```

API reference, SAML/OIDC integration guides, and the SDK quickstart are at zeroauth.dev/docs.
We are in pilot phase. The reference implementation runs in production at
zeroauth.dev and is used by us; the first commercial pilot is in
negotiation. We are deliberately not chasing scale until the pilot validates
the deployment model with a regulated tenant.
Roadmap-of-record:
- Verifier graduates out of the workspace into its own service repo (gated on second consumer)
- Mobile SDK (iOS / Android) cuts its first private beta
- IoT firmware lands for Orange Pi reference hardware
- External counsel review of DPDP / IRDAI mappings (target Q3 2026)
- External cryptographer review of Pramaan (scheduled)
If you are a regulated entity considering ZeroAuth for a pilot, reach out at pilot@zeroauth.dev.
Vulnerabilities go to security@zeroauth.dev with the subject line [vuln].
We respond within 72 hours. Coordinated disclosure timeline lives in
ZeroAuth-Governance/docs/shared/incident-response.md.
Do not file security-sensitive issues on the public tracker.