diff --git a/public/index.html b/public/index.html index c1a4d7a..0fd887d 100644 --- a/public/index.html +++ b/public/index.html @@ -1,1704 +1,1015 @@ - + - - - ZeroAuth — Auth API powered by Pramaan™ zero-knowledge biometric IP - - - + + + + + + ZeroAuth — Authentication where a breach exposes nothing. + + + + + + + + + + + - + + - - - - -
-
-
- - Built on Pramaan™ · Indian Patent IN202311041001 (Granted) -
-

- Authentication where a breach exposes nothing.
- Drop-in API. Zero-knowledge biometric proofs. -

-

- ZeroAuth is the developer-facing auth API for Pramaan — the patented zero-knowledge biometric identity protocol from Yushu Excellence Technologies. - Raw biometrics never leave the device. Commitments & Groth16 proofs are all the server ever sees. - Ship signup, login, and device attestation in minutes. -

- -
-
-
0
-
Secrets Stored
-
-
-
0
-
Secrets Transmitted
-
-
-
0%
-
Mathematically Verified
+ + +
+ + +
+
+
+
+ + ZeroAuth · Live in production +
+

+ Authentication where a breach exposes nothing. +

+

+ A drop-in identity API built on zero-knowledge cryptography. + The biometric never leaves the device. The server never sees it. + What we store cannot be reversed, replayed, or sold. +

+ + +
+
+ Cryptography +

Groth16 zero-knowledge proofs over BN128, Poseidon commitments, SHA-256.

+
+
+ Open +

MIT licensed reference implementation. Public threat model. Open ADRs.

+
+
+ Standards +

Drop-in SAML 2.0 and OAuth 2.0 / OIDC. Any IdP, no client changes.

+
+
-
-
+ - -
-
- -

Up and running in five lines.

-

- Spin up a tenant from the dashboard, grab an API key, and start issuing zero-knowledge proofs from any backend. -

-
-
-

1. Get an API key

-

- Sign up to create a tenant. You’ll get a za_test_… key for development and a separate za_live_… key for production. -

-

2. Register a user

+ +
+
+ A new standard +

- POST a Poseidon commitment from the client SDK. ZeroAuth stores the commitment — never the underlying biometric. + Passwords leak. Templates leak. Even hashes leak — given a database and time.

-

3. Verify the proof

- On every login, send the Groth16 proof to /v1/verifications. Get back a verified principal in <100 ms. + We removed the thing an attacker could steal. There is no stored credential, no + retained biometric, no shared secret. Just a proof — generated on the + user's device, verified by mathematics, gone in a hundred milliseconds.

- -
-
-
- - - - -
-
# 1. Register a user with a commitment
-curl -X POST https://zeroauth.dev/v1/users/register \
-  -H "Authorization: Bearer $ZEROAUTH_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "external_id": "user_42",
-    "commitment": "0x1f3c…"
-  }'
-
-# 2. Verify a Groth16 proof at login
-curl -X POST https://zeroauth.dev/v1/verifications \
-  -H "Authorization: Bearer $ZEROAUTH_API_KEY" \
-  -H "Content-Type: application/json" \
-  -d '{
-    "external_id": "user_42",
-    "proof": { "a": [...], "b": [...], "c": [...] },
-    "public_signals": ["0x1f3c…"]
-  }'
-
import { ZeroAuth } from '@zeroauth/sdk';
-
-const za = new ZeroAuth({ apiKey: process.env.ZEROAUTH_API_KEY });
-
-// 1. Register a user from your backend
-await za.users.register({
-  externalId: 'user_42',
-  commitment,                       // from client SDK
-});
-
-// 2. Verify a proof on login
-const { verified, principal } = await za.verifications.create({
-  externalId: 'user_42',
-  proof,
-  publicSignals,
-});
-
-if (verified) issueSession(principal);
-
from zeroauth import ZeroAuth
-
-za = ZeroAuth(api_key=os.environ["ZEROAUTH_API_KEY"])
-
-# 1. Register a user
-za.users.register(
-    external_id="user_42",
-    commitment=commitment,
-)
-
-# 2. Verify a proof
-result = za.verifications.create(
-    external_id="user_42",
-    proof=proof,
-    public_signals=public_signals,
-)
-
-if result.verified:
-    issue_session(result.principal)
-
-
- - -
-
- -

Everything you expect from a modern auth API.

-

- A typed REST API, a developer console, granular audit logs, and a separation between live and test environments — so you can ship without flying blind. -

-
-
-
- -
-

REST & SDKs

-

A typed REST API with first-party SDKs for Node and Python. Predictable error codes and idempotent writes.

-
-
-
- -
-

Live + Test keys

-

Two isolated environments per tenant. Mint, rotate, and revoke za_live_ / za_test_ keys from the dashboard.

-
-
-
- -
-

Audit log

-

Every signup, verification, key rotation, and device event — searchable, exportable, and tamper-evident.

+
+ + +
+
+
+
00
+
Secrets stored. The database holds commitments, not credentials.
-
-
- -
-

Devices & attestation

-

Register hardware devices, attach battery + location telemetry, and tie verifications back to a specific endpoint.

+
+
00
+
Biometric bytes transmitted. The proof leaves the device. The biometric never does.
-
-
- -
-

Verify in <100 ms

-

Groth16 verification on a single core. Run it inside our API or self-host the verifier — the math is the same.

-
-
-
- -
-

Open source

-

API, dashboard, circuits, and docs are all on GitHub. Audit it. Self-host it. Fork it.

+
+
100%
+
Mathematically verified. Soundness reduces to discrete-log on BN128.
-
-
+ + + +
+
+
+
+ The product +

One verifier. Three surfaces.

+
+

+ ZeroAuth replaces the credential database with a verifier. The same engine + powers zero-knowledge biometric, SAML 2.0, and OIDC under one API and one + audit trail. +

+
- -
-
- -

Three steps. Zero secrets exposed.

-

- ZeroAuth implements the Pramaan protocol: the user proves they hold a biometric on their device, and only a Poseidon hash commitment + a Groth16 proof ever cross the network. Raw embeddings stay in browser/app memory and are GC’d after hashing. -

-
-
-
01
-

User Enrolls Locally

-

The user creates a credential on their own device. A cryptographic commitment is generated and stored — never the credential itself. Your server never sees the secret.

-
- // On user's device
- const secret = generateCredential();
- const commitment = poseidonHash(secret);
- // Only commitment is sent to server
- register({ commitment }); -
+
+
+
01
+

Zero-knowledge biometric

+

Client-generated Groth16 proofs. The verifier sees the proof, not the user.

+ /v1/verifications +
+
+
02
+

SAML 2.0

+

Standards-compliant Service Provider for any IdP — Okta, Azure AD, Ping, ADFS.

+ /v1/saml +
+
+
03
+

OAuth 2.0 · OIDC

+

Authorization-code flow with PKCE, discovery, JWKS, and userinfo.

+ /v1/oidc +
-
-
02
-

Prove Without Revealing

-

At login, a zero-knowledge proof is generated client-side. It mathematically proves the user knows the credential — without transmitting any part of it.

-
- // Client-side proof generation
- const proof = await groth16.prove(
-   circuit, { secret, commitment }
- );
- // Server verifies math, not secrets
- authenticate({ proof }); -
+
+
+ + +
+
+
+
+ How it works +

Three calls. End to end.

+
+

+ The complete flow, from enrollment to verification, is three HTTP calls — each + replay-safe, each idempotent, each producing a row in a tamper-evident audit log. +

-
-
03
-

Verify On-Chain or Off

-

Proofs are verified against the commitment using succinct verification. Works on-chain via smart contracts or off-chain with a lightweight verifier.

-
- // Server / smart contract
- const valid = groth16.verify(
-   verificationKey, proof, signals
- );
- // true — identity confirmed
- // secrets exposed: 0 + +
+
+ 01 +

Register a commitment

+

+ The client submits a Poseidon commitment derived from the user's biometric. + The commitment is one-way. The original buffer is destroyed in memory before + the response is sent. +

+
+
+ 02 +

Generate a proof

+

+ On every sign-in the client constructs a Groth16 zero-knowledge proof that + the commitment matches what only the user can produce. The proof is opaque + and bound to a server-issued challenge. +

+
+
+ 03 +

Verify and proceed

+

+ Your server posts the proof to /v1/verifications. + ZeroAuth verifies it cryptographically and returns a signed principal, + audited and rate-limited per tenant. +

-
-
+
+ + +
+
+
+
+ Quickstart +

Five lines, two endpoints.

+
+

+ Sign up, generate an API key, and verify a proof. The full reference + implementation runs locally on Docker in under two minutes. +

+
- -
-
- -

See Pramaan in action — 60 seconds, zero secrets.

-

- Watch a complete Pramaan flow through the ZeroAuth API: biometric capture, Poseidon commitment, Groth16 proof generation on-device, server-side verification, and a simulated breach that exposes nothing. -

-
- -
- -
-
+
+
+ POST /v1/verifications + +
+
# Verify a Groth16 proof at login.
+curl -X POST https://zeroauth.dev/v1/verifications \
+  -H "Authorization: Bearer $ZEROAUTH_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "external_id": "user_42",
+    "proof": { "a": [...], "b": [...], "c": [...] },
+    "public_signals": ["0x1f3c…"]
+  }'
 
-  
-  
-
- -

What a breach actually costs.

-

- In 2023, Okta’s breach exposed every support customer’s data. In May 2024 an Indian Army contractor leaked 496 GB of biometric data. Here is the same scenario with Pramaan. -

-
-
-
-
- -
-
-
Traditional Auth (Okta Breach)
-
October 2023
-
-
-
- Records exposed - All support customers -
-
- Incident response - $2.1M+ -
-
- Legal & regulatory - $8M+ -
-
- Customer churn - $15M+ -
-
- Stock price impact - -11.6% -
-
- Total damage - $25M+ -
-
-
vs
-
-
-
- -
-
-
Pramaan + ZeroAuth
-
Same breach scenario
-
-
-
- Records exposed - 0 usable records -
-
- Incident response - $0 -
-
- Legal & regulatory - $0 -
-
- Customer churn - $0 -
-
- Credential reset needed - None -
-
- Total damage - $0 -
+# → 200 OK · { "verified": true, "principal": "…" } +
-
- -
- -
-
- -

ZeroAuth is the API. Pramaan is the patent.

-

- Pramaan is the zero-knowledge biometric identity protocol behind every ZeroAuth verification — commitment hashing, Groth16 proof, on-chain anchoring on Base L2, and DDIL-grade offline verification. Granted to Yushu Excellence Technologies Pvt. Ltd. Read the full technical whitepaper → -

-
-
-
- -
-
-
Granted
-
Pramaan™ Protocol
-
IN202311041001 · India
-
-
-
-
- -
-
-
Owned by
-
Yushu Excellence Technologies Pvt. Ltd.
-
Inventors: Amit Dua, Pulkit Pareek
-
+
-
-
- - -
-
- -

Need SOC 2, SSO, or a private deployment?

-

- Self-serve gets you to production for most workloads. For regulated industries or on-prem requirements, our team works directly with your security org — no rip-and-replace required. -

-
-
-
-
- -
-
-

Zero-Trust by Default

-

Your database becomes worthless to attackers. No password hashes, no tokens, no session secrets to exfiltrate.

-
-
-
-
- -
-
-

Drop-In Integration

-

Works alongside your existing IdP. Integrates via standard APIs and SDKs. Deploy in days, not quarters.

-
-
-
-
- -
-
-

Compliance-Ready

-

Designed for SOC 2, GDPR, and HIPAA. Less data stored means less data to govern.

-
-
-
-
- -
-
-

Mathematically Proven

-

Built on peer-reviewed cryptographic primitives: Groth16 proofs, Poseidon hashing, and elliptic curve pairings.

-
-
+
+ + +
+
+
+
+ Engineering +

No magic. Just primitives, written down.

+
+

+ Every cryptographic choice, every architectural decision, every threat is + documented in the open. The full source — including the verifier, the circuit, + and the on-chain contracts — is MIT licensed. +

-
-
-

Talk to our team

-

For SOC 2, SSO, on-prem, or pilot deployments. We’ll reach out within one business day.

-
-
- - + +
+
+
+
+
Stack
+
TypeScript · PostgreSQL · Circom · SolidityNode 20, strict mode. Hardhat for contracts. snarkjs for verification.
-
- - +
+
Crypto
+
Groth16 · BN128 · Poseidon · SHA-256Peer-reviewed primitives. Soundness reduces to discrete-log on BN128.
-
- - +
+
L2
+
Base Sepolia · DIDRegistry · Groth16VerifierOn-chain anchoring of identity commitments. Publicly auditable.
-
- - +
+
Audit
+
Append-only event log · Hash-chainedEvery write produces a verifiable row. Chain integrity is checkable from any commit.
- - -

For self-serve: create an account →

+
-
-
- -
-

Request received

-

Our team will contact you within one business day to schedule your technical walkthrough.

+ +
-
-
+ + + +
+
+
+
+ White paper +

The cryptographic foundation.

+
+
+

+ Pramaan is the zero-knowledge biometric identity protocol underlying ZeroAuth. + The paper describes the construction, the security reductions, the on-chain + anchoring model, and the operational guarantees in detail. +

+

+ Written for cryptographers and platform engineers. Includes the formal proof + of soundness, the circuit specification, and the recommended deployment + topology. +

+ +
+
+
Patent
+
Indian Patent IN202311041001 · Granted
+
+
+
Format
+
PDF · 36 pages
+
+
- -
-
- -

Pramaan™ Whitepaper

-

- 25 pages on the protocol that ZeroAuth implements: architecture, cryptographic design, security analysis against 9 attack vectors, performance benchmarks, and regulatory compliance posture. -

-
-
- -
PDF · 25 pp
-
-
-
- ZK-SNARKs - Groth16 - Poseidon - Base L2 - DPDP 2023 - DDIL -
-

Pramaan: Zero-Knowledge Biometric Authentication

-

- Technical architecture & security analysis. Covers system design, registration + authentication + offline flows, Sybil/identity-binding model with LSH deduplication, Poseidon hash construction, Circom 2.1.9 circuit details, Groth16 proof system, on-chain anchoring on Base L2, threat analysis (server DB breach, device capture, MITM, replay, …), and a regulatory annex covering DPDP 2023, RBI Video-KYC, UIDAI independence, and GDPR. -

-
-
- - -
-
-
-

Thanks — your download is starting. Click here if it does not begin automatically.

+
-
-
+
+ + - +
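Review bot: the step-02 copy ("The proof is opaque and bound to a server-issued challenge") and the "How it works" claim that each call is replay-safe are not reflected in the only request body the new page shows. The quickstart `curl` for `POST /v1/verifications` sends just `"external_id": "user_42"`, `"proof": { "a": [...], "b": [...], "c": [...] }` and `"public_signals": ["0x1f3c…"]`, with no challenge or nonce anywhere in the payload; a reader cannot tell how the server binds the proof to a fresh challenge or rejects a replayed proof. Either show the challenge in the example (as its own field or as one of the public signals, whichever the verifier actually checks) and the call that issues it, or drop the binding/replay wording from the prose. Three smaller consistency points in the same hunk: the Quickstart heading promises "Five lines, two endpoints" but the hunk removes the `/v1/users/register` curl and the Node/Python SDK tabs and shows only one endpoint, so the registration half of the "three calls" flow is now undocumented; "Soundness reduces to discrete-log on BN128" (stats panel and Crypto row) overstates Groth16, whose soundness argument is in the generic group model with a trusted setup rather than a plain DL reduction, so this line should be softened or cite the paper's actual reduction; and the Stack/L2 row lists "Base Sepolia" (a testnet) under "On-chain anchoring ... Publicly auditable" while the hero badge says "Live in production", which should say which network production anchors to. The whitepaper page count also changes from "PDF · 25 pp" to "PDF · 36 pages" with no accompanying change to the linked document, so confirm the new figure matches the PDF being served.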