Skip to main content

Architecture

High-level view of how aZKey turns Google OAuth into private Aztec accounts using zero-knowledge proofs.

Components

  • SvelteKit interface: UI for Google OAuth and account flows.
  • SDK: Orchestrates OAuth, derives the deterministic accountId = hash(sub, aud), generates ZK proofs, and interacts with Aztec.
  • Noir circuits: Verify the JWT signature with the provider public key, ensure the accountId matches hashed claims, and expose only public inputs (account_id, session_owner_nonce, google_public_key).
  • Aztec account contract: Stores the immutable account_id, mutable session_owner, and verifies proofs on-chain.

End-to-end flow

  1. Authenticate: Redirect to Google; get an auth code and exchange for a JWT.
  2. Derive identity: Hash the JWT sub and aud to compute account_id.
  3. Generate proof: Client uses Noir to prove:
    • JWT signature is valid with the provider public key
    • account_id matches hash(sub, aud)
    • Private JWT contents never leave the client
  4. Deploy or recover: SDK deploys the account contract (or reuses an existing one) and sets a new session_owner via set_owner using the proof and public inputs.
  5. Transact: The session owner key signs Aztec transactions until rotated/recovered.

Extensibility for new providers

  • Add a provider implementation with OAuth URLs, token exchange, JWT parsing, and public key retrieval.
  • Reuse the same account derivation model; adjust the Noir circuit only if the signature scheme or JWT structure differs.
  • Minimal on-chain changes: contract still validates the proof and enforces the stored account_id.

Security & privacy notes

  • JWT content and signatures remain private inputs to the circuit.
  • Only google_public_key, account_id, and session_owner_nonce are public.
  • Session owners are ephemeral—rotate on recovery to limit exposure.