@zoza/auth

v0.1.0

Published

Zoza Auth SDK. Phishing-resistant device authentication using per-device Curve25519 key pairs + signed challenges. Replaces SMS OTP and TOTP with a one-tap approve on the user's already-registered device — no shared secrets, no SIM-swap risk.

@zoza/auth

Device-keypair authentication. Replaces SMS OTP and TOTP with a one-tap approve on the user's already-registered device. No shared secrets. No SIM-swap risk. Per-challenge metadata shows users exactly what they're approving.

Install

```sh
npm install @zoza/auth
```

Why

| | SMS OTP | TOTP (Google Authenticator) | Zoza Auth |
|---|:---:|:---:|:---:|
| Shared secret on the server | ❌ | ❌ | ✅ none (device holds private key) |
| SIM-swap survivable | ❌ | ✅ | ✅ |
| Shows what is being approved | ❌ | ❌ | ✅ per-challenge metadata |
| Phishing-resistant | ❌ | ❌ | ✅ signature bound to nonce |
| SMS cost per login | ₹0.10-0.25 | ₹0 | ~₹0 |

Quick start (server side)

```ts
import { AuthClient } from '@zoza/auth';

const auth = new AuthClient({ apiKey: process.env.ZOZA_AUTH_KEY! });

// 1. Register each user's device at enrolment
await auth.registerDevice({
  user_id:     'user_123',
  device_id:   'dev_iphone15_abc',
  device_name: 'Rahul — iPhone 15',
  public_key:  deviceCurve25519HexFromEnrollmentFlow,
});

// 2. Issue a challenge whenever you need an auth
const challenge = await auth.issueChallenge({
  user_id:  'user_123',
  context:  'payment',
  metadata: 'Transfer ₹5000 to Rahul Sharma',
  ttl:      30,
});
// push challenge.id to the user's device via your existing push/WebSocket

// 3. Poll for the signed response (or use v0.2 webhooks when they land)
const result = await auth.getChallengeStatus(challenge.id);
// → { status: 'approved' | 'rejected' | 'expired' | 'pending', ... }
```

Quick start (device side)

```ts
// On the user's already-registered device:
import { AuthClient } from '@zoza/auth';

const auth = new AuthClient({ apiKey: 'unused-for-device-endpoints' });

// Fetch the challenge details (public endpoint — ID is the capability)
const details = await auth.getChallengeDetails(challengeId);
// Show user details.metadata; let them approve/reject.

// Sign and submit
await auth.respondChallenge(challengeId, {
  device_id:  'dev_iphone15_abc',
  client_pub: ephemeralPubHex,
  proof:      sigHex,
  approved:   true,
});
```

The proof is produced with the device's Curve25519 private key over (nonce || challenge.id || client_pub || approved). See the Auth whitepaper for the exact derivation.
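
The binding described above, as an added example that is not code from the Zoza SDK or its whitepaper: a signature over all four fields stops verifying when the decision is flipped, the proof is replayed against a fresh nonce, or it is moved to another challenge. Assumptions: Ed25519 from Node's `crypto` module stands in for the SDK's signature scheme, the length-prefixed encoding is this example's choice, and `ProofInput`, `transcript`, `signProof`, `verifyProof` and `demo` are hypothetical names.

```typescript
import { generateKeyPairSync, randomBytes, sign, verify, KeyObject } from 'node:crypto';

// The four fields the README lists as covered by the proof.
interface ProofInput {
  nonce: Buffer;       // server-issued, single use
  challengeId: string;
  clientPub: Buffer;   // ephemeral public key sent as client_pub
  approved: boolean;
}

// Length-prefix every field so bytes cannot slide between neighbours
// (encoding chosen for this example, not the SDK's wire format).
function transcript(p: ProofInput): Buffer {
  const fields = [p.nonce, Buffer.from(p.challengeId, 'utf8'), p.clientPub,
    Buffer.from([p.approved ? 1 : 0])];
  return Buffer.concat(fields.map((f) => {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(f.length);
    return Buffer.concat([len, f]);
  }));
}

function signProof(devicePriv: KeyObject, p: ProofInput): Buffer {
  return sign(null, transcript(p), devicePriv); // Ed25519 takes no digest name
}

function verifyProof(devicePub: KeyObject, p: ProofInput, proof: Buffer): boolean {
  return verify(null, transcript(p), devicePub, proof);
}

// Constructed sample values; the user taps "reject" on the device.
function demo() {
  const device = generateKeyPairSync('ed25519');
  const issued: ProofInput = {
    nonce: randomBytes(32),
    challengeId: 'chal_example_1',
    clientPub: randomBytes(32),
    approved: false,
  };
  const proof = signProof(device.privateKey, issued);
  const check = (p: ProofInput) => verifyProof(device.publicKey, p, proof);
  return {
    genuine: check(issued),
    flippedToApproved: check({ ...issued, approved: true }),
    replayedOnNewNonce: check({ ...issued, nonce: randomBytes(32) }),
    movedToOtherChallenge: check({ ...issued, challengeId: 'chal_example_2' }),
  };
}
console.log(demo());
```

The verifier rebuilds the transcript from its own stored nonce and challenge ID, never from values echoed back by the client; that is what makes the replay and flip cases fail.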

API

new AuthClient({ apiKey, apiUrl?, fetch? })

| Option | Type | Notes |
|---|---|---|
| `apiKey` | `string` (required) | Issued at zoza.world/developers/auth. Format `auth_<base64>`. |
| `apiUrl` | `string` | Default `https://auth-api.zoza.world`. |
| `fetch` | `typeof fetch` | Optional — Node <18 or custom signers. |

Methods

| Method | Auth | Purpose |
|---|---|---|
| `registerDevice({...})` | API key | Add a device public key under a user |
| `issueChallenge({...})` | API key | Mint a challenge for a user |
| `getChallengeStatus(id)` | API key | Poll challenge result |
| `getChallengeDetails(id)` | public | Device-side: fetch metadata to display |
| `respondChallenge(id, {...})` | public | Device-side: submit signed response |
| `getAppAudit(appId)` | API key | Tamper-evident app audit log |

Tests

```sh
npm install
npm test
```

License

MIT © Zoza