Continuum Ghost — The Secret That Doesn't Exist
Zero-Knowledge Proof verification engine for APIs.
The server never sees, stores, or transmits the client's secret. It stores only mathematical commitments — public values that are useless without the client's secret.
This software is licensed under the Business Source License 1.1.
| Usage | Allowed? |
|---|---|
| Self-host for your own APIs | Yes |
| Modify for internal use | Yes |
| Read, audit, contribute | Yes |
| Offer ZKP auth as a competing managed service | No |
Converts to Apache 2.0 on 2030-03-23.
For managed hosting, see Continuum Ghost Cloud. For alternative licensing: licensing@continuum-identity.com
```bash
git clone https://github.com/gthstepsecurity/2fapi-server.git
cd 2fapi-server
# Configure credentials
cp .env.example .env
# Edit .env — set POSTGRES_PASSWORD and REDIS_PASSWORD
# Start PostgreSQL + Redis
docker compose up -d
# Install and run
npm install
npm run migrate
npm run dev
```
Server starts at http://localhost:3000. Health check: http://localhost:3000/health.
```bash
npm install @2fapi/server
```
```ts
import { createServer } from "@2fapi/server";

const app = createServer({
  enrollClient: enrollmentService,
  requestChallenge: challengeService.requestChallenge,
  verifyProof: verificationService,
  issueToken: accessControlService.issueToken,
  validateToken: accessControlService.validateToken,
  revokeClient: lifecycleService.revokeClient,
  rotateCommitment: lifecycleService.rotateCommitment,
  rateLimiting: {
    global: { maxRequests: 10000, windowMs: 1000 },
    perIp: { maxRequests: 100, windowMs: 1000 },
  },
});

await app.listen({ port: 3000 });
```
5 bounded contexts, hexagonal architecture:
```text
src/
├── client-registration/     — Enrollment, commitment storage, rotation, revocation
├── authentication-challenge/ — Nonce generation, session management
├── zk-verification/         — Sigma proof verification, Fiat-Shamir
├── api-access-control/      — Token issuance, audience restriction, validation
├── security-monitoring/     — Lockout, audit trail, anomaly detection
├── api-gateway/             — Fastify routes, middleware, rate limiting
├── config/                  — Bootstrap, environment, service wiring
└── shared/                  — Constant-time utils, rate limiters
```
Each bounded context follows hexagonal architecture:
- Domain: models, ports (interfaces), services — zero external dependencies
- Application: use cases implementing driving ports
- Infrastructure: adapters (PostgreSQL, Redis, napi-rs crypto)
- Node.js >= 22
- PostgreSQL >= 16
- Redis >= 7
- napi-rs crypto module (Ristretto255 via curve25519-dalek)
- 28-pass internal red team audit, 109 findings, 0 open
- 1,940+ automated tests
- Constant-time verification, timing-safe error responses
- OPRF-based credential derivation — offline brute-force impossible
- 2-of-2 secret sharing — secret never exists in cleartext
- Provably secure under DLOG assumption on Ristretto255
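The verification step that the zk-verification context and the DLOG claim above rest on is a Schnorr sigma protocol with a Fiat-Shamir challenge: the server holds only the commitment Y = G^x and accepts a transcript (T, s) iff G^s == T * Y^c, where c hashes the server nonce together with Y and T. The following is an added Python illustration of that check, not code from @2fapi/server or @2fapi/protocol-spec; it assumes a constructed safe-prime group in place of Ristretto255 and a hypothetical transcript encoding, and shows the three defensive details a verifier needs: a subgroup membership check, a nonce-bound challenge, and a timing-safe comparison.

```python
import hashlib
import hmac
import secrets

def is_prime(n, rounds=32):  # Miller-Rabin with random bases; assumes n odd and > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x != 1:
            for _ in range(r):
                if x == n - 1:
                    break
                x = x * x % n
            else:
                return False
    return True

# Demo group, constructed here: smallest safe prime P = 2Q + 1 with Q > 2^64 (real engine: Ristretto255)
Q = (1 << 64) | 1
while not (is_prime(Q) and is_prime(2 * Q + 1)):
    Q += 2
P, G = 2 * Q + 1, 4  # 4 is a square mod P, so it generates the order-Q subgroup

def commitment(secret):  # enrollment: the client sends only Y = G^x; x never leaves it
    return pow(G, secret, P)

def challenge(nonce, y, t):  # Fiat-Shamir: c is bound to the server nonce, Y and T
    h = hashlib.sha256(b"2fapi-demo|" + nonce + y.to_bytes(16, "big") + t.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def prove(secret, nonce):  # client side: returns the transcript (T, s)
    r = secrets.randbelow(Q - 1) + 1  # fresh per proof; a reused r leaks the secret
    t = pow(G, r, P)
    return t, (r + challenge(nonce, commitment(secret), t) * secret) % Q

def verify(y, nonce, t, s):  # server side: accept iff G^s == T * Y^c
    if not (1 < y < P and 1 < t < P and 0 <= s < Q) or pow(y, Q, P) != 1 or pow(t, Q, P) != 1:
        return False  # reject values outside the prime-order subgroup
    lhs, rhs = pow(G, s, P), t * pow(y, challenge(nonce, y, t), P) % P
    return hmac.compare_digest(lhs.to_bytes(16, "big"), rhs.to_bytes(16, "big"))  # timing-safe

def demo():  # honest proof accepted; wrong secret and stale nonce rejected
    x, nonce = secrets.randbelow(Q - 1) + 1, secrets.token_bytes(16)  # secret stays client-side
    y = commitment(x)  # the only value the server stores
    t, s = prove(x, nonce)
    return {"honest": verify(y, nonce, t, s),
            "wrong_secret": verify(y, nonce, *prove(x * 2 % Q, nonce)),
            "stale_nonce": verify(y, secrets.token_bytes(16), t, s)}
```

Because the challenge includes the nonce, a captured transcript cannot be replayed against a later session, and because the server only ever handles Y, T, s and c, a database dump yields nothing that shortens recovering x beyond solving the discrete log in the group.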
Pair with @2fapi/client-sdk (Apache 2.0) for client-side proof generation.
See @2fapi/protocol-spec (Apache 2.0) for the canonical protocol definition.