Security & Best Practices

Security

Learn how Zero Proof AI keeps your AI agents secure and best practices for integrating our verification system.

Zero-Knowledge Proof Security

Zero-knowledge proofs (ZKPs) are the foundation of our security model. They allow AI agents to prove their identity without revealing sensitive credentials.

No Credential Exposure

Agents prove their identity without transmitting passwords, API keys, or other secrets. The proof reveals nothing about the underlying credentials.

Cryptographic Guarantee

Each proof is cryptographically bound to a specific challenge and cannot be reused or replayed. This prevents man-in-the-middle attacks.

Time-Limited Challenges

Challenges expire after 5 minutes, limiting the window for potential attacks. Expired challenges are automatically invalidated.

One-Time Use

Each challenge can only be verified once. This prevents replay attacks and ensures each verification is unique.

Current Implementation: The MVP uses simplified cryptographic proofs. Production systems should implement full zero-knowledge proof protocols like zk-SNARKs or zk-STARKs for maximum security.

API Key Security

Your API keys are the gateway to the verification system. Follow these best practices to keep them secure.

Storage

DO: Use Environment Variables

Store API keys in environment variables or secure secret managers (AWS Secrets Manager, HashiCorp Vault, etc.)

ZEROPROOF_API_KEY=zkp_your_key_here

DON'T: Hardcode Keys

Never hardcode API keys in your source code or commit them to version control

// ❌ BAD - Never do this!
const apiKey = "zkp_abc123...";

Access Control

  • Use separate API keys for development, staging, and production environments
  • Implement the principle of least privilege - only grant access where needed
  • Rotate API keys regularly (recommended: every 90 days)
  • Immediately revoke keys if they are compromised or no longer needed

Detection & Response

Monitor your API usage for suspicious activity:

  • • Unusual spike in verification requests
  • • Requests from unexpected geographic locations
  • • High failure rates indicating potential attacks
  • • Access patterns outside normal business hours

If you suspect a key has been compromised, immediately delete it from your dashboard and generate a new one.

Transport Security

TLS Encryption

All API communication uses TLS 1.3 encryption. Data is encrypted in transit between your application and our servers.

https://api.zeroproofai.com

Certificate Pinning

For high-security applications, implement certificate pinning to prevent man-in-the-middle attacks. Validate our SSL certificate in your client.

Data Protection

Data Retention

Challenge Data24 hours after expiration
Verification Results24 hours after creation
Usage Metrics90 days
API KeysUntil manually deleted

All data is automatically purged after retention periods using DynamoDB TTL (Time To Live).

Data Minimization

We follow data minimization principles and only store what's necessary:

What We Store

  • • Challenge IDs and nonces
  • • Agent IDs (you control these)
  • • Action names
  • • Verification results
  • • Timestamps

What We DON'T Store

  • • Agent credentials
  • • User passwords
  • • Payment information
  • • Personal identifying data
  • • Transaction details

Security Best Practices

1. Implement Proper Error Handling

Don't expose sensitive error details to end users. Log errors securely server-side.

try {
  const result = await client.verifyProof(challengeId, proof);
  if (!result.verified) {
    // Log details server-side
    logger.error('Verification failed', { challengeId, reason });
    // Show generic message to user
    throw new Error('Verification failed. Please try again.');
  }
} catch (error) {
  // Never expose internal error details
  console.error('Internal error:', error);
  return { success: false, message: 'An error occurred' };
}

2. Set Appropriate Confidence Thresholds

Adjust confidence thresholds based on risk level:

High-value transactions (payments)≥ 0.95
Standard actions (add to cart)≥ 0.90
Low-risk operations (browse)≥ 0.85

3. Implement Rate Limiting

Add your own rate limiting on top of our API limits to prevent abuse:

  • • Limit verification attempts per agent per time period
  • • Implement exponential backoff on failures
  • • Track and alert on unusual patterns
  • • Consider IP-based rate limiting for additional protection

4. Secure Context Data

Be careful what you include in the context field:

✓ Safe to Include

  • • Product IDs
  • • Action types
  • • Timestamps
  • • Non-sensitive metadata

✗ Never Include

  • • Credit card numbers
  • • Personal data (SSN, DOB)
  • • Passwords or secrets
  • • Full user profiles

5. Monitor and Audit

Implement comprehensive logging and monitoring:

  • • Log all verification attempts (success and failure)
  • • Store session IDs for audit trails
  • • Set up alerts for suspicious patterns
  • • Regularly review verification metrics
  • • Maintain logs for compliance requirements (90+ days)

Compliance & Standards

GDPR Compliance

Zero Proof AI is designed with privacy-first principles:

  • • Minimal data collection
  • • Automatic data expiration
  • • No tracking or profiling
  • • User-controlled agent IDs

SOC 2 Type II

Our infrastructure follows SOC 2 security principles:

  • • Encrypted data at rest and in transit
  • • Regular security audits
  • • Access controls and monitoring
  • • Incident response procedures

PCI DSS

We never store payment card data. Our system is designed to work alongside your PCI-compliant payment processor without handling sensitive payment information.

ISO 27001

We follow ISO 27001 information security management practices for protecting customer data and maintaining system security.

Security Incident Response

If you discover a security vulnerability or suspect a breach:

  1. 1

    Immediately revoke affected API keys

    Delete compromised keys from your dashboard and generate new ones.

  2. 2

    Contact our security team

    Email: security@zeroproofai.com

  3. 3

    Document the incident

    Record timestamps, affected resources, and any suspicious activity.

  4. 4

    Review and update security practices

    Learn from the incident and strengthen your security posture.

Responsible Disclosure: We appreciate security researchers who help us identify vulnerabilities. Please report issues privately to our security team.

Additional Resources

Getting Started Guide

Learn the basics of implementing Zero Proof AI securely

API Reference

Detailed documentation of all security features and parameters

Questions about security? Contact our team at security@zeroproofai.com