Users Api
Zero-Knowledge Authentication for Every User
Features
  • Zero-Knowledge Authentication: Login runs a twelve-round Hamiltonian cycle challenge-response protocol. The password is never transmitted and the server stores no hash.
  • Per-User Encryption: Each user's data is encrypted with a unique key stored in the Keys Api. The server never possesses the user's data keys.
  • Account Registration: New accounts are created with an email address. A UserId is issued and email verification is initiated through the Tokens and Email Apis.
  • Session Token Management: Login issues a session token bound to the authenticated user. Sessions can be validated and expired through the API.
  • Password Reset Workflow: Reset flows deliver a time-bound token to the user's email address. Validation and commitment complete the reset in two authorized steps.
  • Email Verification Workflow: Email addresses are verified through opaque tokens that carry no identity information. Verification state is tracked per address.
  • Account Deletion: Deletion requires a confirmation token delivered by email. Both initiation and commitment are required to complete removal.
  • Primary Email Management: Users can update their primary email address. The new address is verified before it replaces the existing one.
  • Email Abuse Reporting: Addresses involved in abuse can be flagged. The Email Api tracks and enforces delivery status per address.
  • Relay Client Support: A relay client variant supports Blazor and browser-based applications by proxying requests through server endpoints.
  • Envelope Encryption on All Requests: All sensitive parameters travel inside Protected<T> envelopes. Raw credentials and PII never appear in transit in plaintext.
  • Authorization-Enforced Access: Every request to the Users Api is validated by the Application Api. A service must be registered and authorized before it can manage user accounts.
How It Compares
Beyond What Cloud Identity Providers Offer
The Credential Breach Problem, Solved
Cloud identity providers and self-hosted frameworks authenticate users by storing and comparing password hashes. The Users Api stores no hash and conducts no hash-based comparison — the zero-knowledge protocol proves identity without the server ever learning the credential. A breach of the Users Api database yields nothing that enables offline cracking.
Capability
Users Api
US Cloud (AWS/Azure/GCP)
EU Cloud (OVH/Hetzner/Scaleway)
ABP Framework
Auth0 / Okta
Keycloak
ASP.NET Identity
Zero-knowledge authentication
No password hash stored
Per-user data encryption
Complete account lifecycle
Email verification workflow
Password reset workflow
Token-based verification (no raw IDs)
Database schema and migrations
Envelope encryption on all requests
Air-gappable
CLOUD Act exempt
✓¹
No third-party data custody
¹ EU cloud providers (OVHcloud, Hetzner, Scaleway) are not subject to the US CLOUD Act. However, data remains on the provider's infrastructure — CLOUD Act exemption does not mean sole data custody.
Tech Sovereignty
Arch
Company
About Contact