A zero-knowledge session authentication architecture with a Next.js frontend and a FastAPI backend. The project demonstrates a JWT-less authentication flow built on cryptographic challenge-response proofs and HttpOnly session cookies, packaged for deployment as a Vercel monorepo.
The architecture is decoupled: all private-key operations run on the client, so the private key is never transmitted across the network and the server only ever stores the corresponding public key.
- Registration: The user registers an identity by binding a username to a cryptographic public key.
- Challenge Request: During login, the server issues a unique cryptographic challenge.
- Proof Verification: The client computes a zero-knowledge proof bound to that challenge, which the server verifies against the registered public key.
- Session Establishment: Upon successful verification, the server issues a secure, short-lived HttpOnly session cookie.
- Zero-Knowledge Authentication: login flow that never transmits or stores passwords and issues no JWTs.
- Challenge-Response Mechanism: each login attempt receives a unique challenge that expires after CHALLENGE_TTL_SECONDS, so a captured proof cannot be replayed against a later login.
- Secure HttpOnly Sessions: the session cookie is HttpOnly, so page scripts cannot read it the way they could a token kept in localStorage. This limits what an XSS foothold can steal; it does not prevent XSS itself, and COOKIE_SECURE and COOKIE_SAMESITE should be set for production.
- Monorepo Design: Integrated Next.js and FastAPI stack optimized for Vercel Serverless deployments with custom rewrites.
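The four-step flow above (register a public key, issue a challenge, verify a proof, mint a session) and the replay protection described in the feature list, as an added, self-contained example. This is not code from this project: the README does not say which proof system the app/crypto package implements, so the example assumes a Schnorr proof of knowledge of the private key x, made non-interactive with a Fiat-Shamir challenge that mixes in the server's nonce, over a toy DSA-style group generated at runtime. AuthServer, Client, run_flow and the two TTL constants are illustrative names that take the README's default values. The server consumes each challenge on first use, rejects public keys outside the prime-order subgroup at registration, and returns an opaque session id that a request handler would place in the HttpOnly cookie.

```python
import hashlib, random, secrets
CHALLENGE_TTL_SECONDS, SESSION_TTL_SECONDS = 60, 900  # assumed values, named after the README's env vars

def is_probable_prime(n, rounds=24):
    """Miller-Rabin (probabilistic); sufficient for minting toy parameters."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(q_bits=256, p_bits=512, seed=2024):
    """Toy DSA-style group (primes q and p = k*q + 1, g of order q); production would use a standard group."""
    rng, q, p, g = random.Random(seed), 0, 0, 1
    while not is_probable_prime(q):
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
    while not is_probable_prime(p):
        k = (rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1  # even k keeps p odd
        p = k * q + 1
    while g == 1:
        g = pow(rng.randrange(2, p - 1), k, p)
    return p, q, g

def fs_challenge(q, *parts):
    """Fiat-Shamir challenge c = H(transcript) mod q; the server nonce is part of the transcript."""
    h = hashlib.sha256()
    for part in parts:
        b = part.encode() if isinstance(part, str) else part.to_bytes((part.bit_length() + 7) // 8, "big")
        h.update(len(b).to_bytes(4, "big") + b)  # length-prefixed to avoid ambiguous concatenation
    return int.from_bytes(h.digest(), "big") % q

class AuthServer:
    """Server side: public keys, one-time challenges, proof verification, session issuance."""
    def __init__(self, p, q, g):
        self.p, self.q, self.g = p, q, g
        self.users, self.challenges, self.sessions = {}, {}, {}

    def register(self, username, y):
        # Reject keys outside the prime-order subgroup (invalid-key / small-subgroup input).
        if not (1 < y < self.p and pow(y, self.q, self.p) == 1):
            raise ValueError("public key is not a valid subgroup element")
        self.users[username] = y

    def issue_challenge(self, username, now):
        nonce = secrets.token_hex(32)  # issued even for unknown users, so replies do not enumerate accounts
        self.challenges[nonce] = (username, now + CHALLENGE_TTL_SECONDS)
        return nonce

    def verify(self, username, nonce, R, s, now):
        """Session id on success, None otherwise; the nonce is consumed first, so any failed or replayed use burns it."""
        entry = self.challenges.pop(nonce, None)
        y = self.users.get(username)
        if entry is None or entry[0] != username or now > entry[1] or y is None or not 0 < R < self.p:
            return None
        c = fs_challenge(self.q, self.p, self.g, y, R, nonce, username)
        if pow(self.g, s, self.p) != R * pow(y, c, self.p) % self.p:
            return None
        sid = secrets.token_urlsafe(32)  # opaque value that becomes the HttpOnly session cookie
        self.sessions[sid] = (username, now + SESSION_TTL_SECONDS)
        return sid

class Client:
    """Client side: the private key x is generated here and is never transmitted."""
    def __init__(self, p, q, g):
        self.p, self.q, self.g = p, q, g
        self.x = secrets.randbelow(q - 1) + 1
        self.public_key = pow(g, self.x, p)

    def prove(self, username, nonce):
        r = secrets.randbelow(self.q - 1) + 1  # fresh per proof: reusing r across proofs leaks x
        R = pow(self.g, r, self.p)
        c = fs_challenge(self.q, self.p, self.g, self.public_key, R, nonce, username)
        return R, (r + c * self.x) % self.q

def run_flow(now=1_700_000_000):
    """Register -> challenge -> proof -> session, then replay, wrong-key and expiry attempts."""
    p, q, g = gen_group()
    server, alice, mallory = AuthServer(p, q, g), Client(p, q, g), Client(p, q, g)
    server.register("alice", alice.public_key)
    n1 = server.issue_challenge("alice", now)
    R, s = alice.prove("alice", n1)
    sid = server.verify("alice", n1, R, s, now + 5)
    replay = server.verify("alice", n1, R, s, now + 6)
    n2 = server.issue_challenge("alice", now)
    forged = server.verify("alice", n2, *mallory.prove("alice", n2), now + 5)
    n3 = server.issue_challenge("alice", now)
    late = server.verify("alice", n3, *alice.prove("alice", n3), now + CHALLENGE_TTL_SECONDS + 1)
    return sid is not None, replay is None, forged is None, late is None
```

run_flow returns four booleans: the fresh proof yields a session id, while the replayed proof, the proof from a different private key, and the proof submitted after the challenge TTL are all rejected. In the real service the session id would be set with FastAPI's `response.set_cookie(..., httponly=True, secure=COOKIE_SECURE, samesite=COOKIE_SAMESITE, max_age=SESSION_TTL_SECONDS)`, and on Vercel the `challenges` and `sessions` dictionaries would live in Redis rather than in the process, since every cold start begins with empty state.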
```
auth-project/
├── api/                  # Vercel Python Serverless Function
│   ├── index.py          # FastAPI entry point (Mangum-wrapped)
│   └── requirements.txt  # Python dependencies for the function
├── app/                  # FastAPI application package (shared)
│   ├── config.py
│   ├── db.py
│   ├── schemas.py
│   ├── routes/
│   ├── services/
│   └── crypto/
├── frontend/             # Next.js application
│   ├── app/
│   ├── components/
│   ├── lib/
│   ├── services/
│   └── ...
├── vercel.json           # Monorepo deploy config and edge rewrites
└── requirements.txt      # Local dev Python dependencies (with uvicorn)
```
This project is configured for one-click deployment to Vercel via the vercel.json and Next.js configuration rewrites.
- Push this repository to GitHub, GitLab, or Bitbucket.
- Go to Vercel and import the repository.
- Leave the Root Directory as `/` (the repository root). The `vercel.json` handles the build pipeline for both Next.js and FastAPI.
- Configure the following environment variables in your Vercel project settings:

| Variable | Default | Description |
|---|---|---|
| AUTH_MODE | dev_bypass | The default bypasses real proof verification for local development. Set to zk in production to enable ZK proof verification. |
| COOKIE_SECURE | false | Set to true in production so the session cookie is only sent over HTTPS. |
| COOKIE_SAMESITE | lax | SameSite attribute of the session cookie (lax, strict or none; none requires COOKIE_SECURE=true). |
| SESSION_TTL_SECONDS | 900 | Session timeout (15 minutes). |
| CHALLENGE_TTL_SECONDS | 60 | Time window in which an issued challenge can be answered. |
| REDIS_URL | In-memory store | Required for sessions and challenges to survive serverless cold starts. Add an Upstash Redis URL for production. |
- Click Deploy.
Backend (from the repository root):

```bash
# Create and activate a virtual environment
python -m venv .venv
.venv\Scripts\activate        # Windows
# source .venv/bin/activate   # macOS/Linux

# Install dependencies
pip install -r requirements.txt

# Start the FastAPI server. --reload-dir app limits hot reload to the app/ package,
# so edits elsewhere (e.g. the frontend) do not restart the process and wipe in-memory sessions
uvicorn app.main:app --reload --reload-dir app
```

Frontend (in a second terminal):

```bash
cd frontend

# Set the backend URL for local proxying
cp .env.example .env.local
# Ensure NEXT_PUBLIC_BACKEND_URL=http://127.0.0.1:8000 is set

# Install dependencies and start the development server
npm install
npm run dev
```

If you have just deployed the project or are running it locally, follow this flow to test the application:
- Navigate to the `/login` route.
- Switch to the register tab.
- Enter a desired username.
- Enter a public key (or a dummy string if running in `dev_bypass` mode).
- Submit the form. The cryptographic pipeline terminal will display the registration progression.
- After registration, switch to the login tab.
- Enter the registered username.
- Run the authentication sequence. The client will automatically request a challenge, generate the proof, and send it for verification.
- Upon successful verification, you will be redirected to the secure `/dashboard`.
