Users Api
Zero-Knowledge Authentication for Every User
Zero-Knowledge Authentication
The Protocol Has No Hash to Steal
A Proof, Not a Password
At registration, the client derives an origin graph from the user's password using SHA-512 and generates a Hamiltonian cycle across it. The server receives only the unlabeled graph structure — no password, no hash, no labels. Every detail that could reconstruct the credential stays on the client device.
Twelve Rounds Per Login
Each login runs twelve independent challenge rounds. The server generates a fresh isomorphic graph for each round by relabeling nodes with a random seed. The client answers two challenges per round: the isomorphism mapping and the Hamiltonian cycle remapped onto the challenge graph. All twelve rounds must pass. A forger without the origin graph cannot produce valid answers to any of them.
Per-User Encryption
The Server Holds the Data, Not the Keys
Keys Derived From What the User Holds
Every user's data is encrypted with a unique key stored in the Keys Api. The key material is derived from something the user holds — not from anything the server knows. A breach of the database yields ciphertext. A breach of the server yields ciphertext. A combined breach of both yields ciphertext.
No Single Point of Exposure
Traditional identity systems are high-value targets because a single breach exposes every user's credential. The Users Api distributes that risk across cryptographic boundaries. An attacker who compromises the server must separately compromise each user's key derivation path to reach that user's data. The system has no single record that decrypts everything.
A Complete Identity Layer
Every Account Operation, Built In
Registration to Deletion
The Users Api manages the entire account lifecycle without requiring the application to build any identity infrastructure. Registration issues a UserId and initiates email verification. Login runs the zero-knowledge protocol and issues a session token. Password reset delivers a time-bound token through the Email Api and completes when the user proves ownership. Account deletion requires a confirmation token and removes all associated records.
No Raw Identity in Outbound Communications
The Users Api never exposes a UserId in an email link. Verification and password reset flows use opaque tokens from the Tokens Api — time-limited values that carry no information about the underlying user record. The email address is managed by the Email Api under per-record encryption. Your application never has to handle raw identity data in outbound communications.
Breach-Proof by Design
What an Attacker Finds After a Full Compromise
Nothing to Crack
Every major credential breach follows the same path: extract the database, crack the hashes offline. The Users Api closes that path at the source. The database stores no hashes. Offline cracking requires something to crack.
A Breach That Yields Ciphertext
Compromising the Users Api server delivers encrypted user data and an unlabeled graph per account. The unlabeled graph proves a user exists. It does not prove their password, reveal their email address, or unlock their data. Recovery would require independently solving the zero-knowledge protocol, which provides no shortcut to the credential.
Connected by Design
Users Is Built on the Full Arch Stack
Keys, Tokens, and Email
The Users Api coordinates three Arch services for every user-facing operation. The Keys Api holds per-user encryption keys. The Tokens Api issues time-bound identifiers for verification and reset flows. The Email Api delivers transactional messages without exposing a raw UserId.
Your Application
Your microservice works with users through the IUsersApiClient interface. Every authentication call — registration, login, password reset, account deletion — invokes a proven implementation of a protocol that is genuinely difficult to build correctly. The zero-knowledge guarantee, the key coordination, and the token flows are already in place. Your team steps over months of security-critical engineering.
Tech Sovereignty
Arch
Company
About Contact