zkLogin backend setup
Plain-language checklist for wiring Sui-native verification. If you have never set up zkLogin before, start at Step 1 and go in order.
What you are building
Users sign in with Google on /passport. Abraxas derives a Sui address (zkLogin), runs Veriff for identity stamps, and anchors the stamp bitmask on a Sui Passport object. No seed phrase for verification.
Step 1. Google OAuth app
If Google says doesn't comply with OAuth 2.0 policy, the redirect URI in the error must be added exactly in Google Cloud Console β Credentials β your Web client β Authorized redirect URIs.
- Google Cloud Console β APIs & Services β Credentials β OAuth Web client
- Authorized JavaScript origins: http://localhost:3000, https://abraxas-app.vercel.app, plus each Vercel preview origin you test on
- Authorized redirect URIs: {origin}/auth/zklogin/callback for each origin above
- Production redirect: https://abraxas-app.vercel.app/auth/zklogin/callback
- Optional pin: NEXT_PUBLIC_ZKLOGIN_REDIRECT_URI=https://abraxas-app.vercel.app/auth/zklogin/callback (only prod URI needed in Google)
- Set NEXT_PUBLIC_GOOGLE_ZKLOGIN_CLIENT_ID in Vercel
Step 2. Supabase migration
Run supabase/migrations/007_sui_zklogin.sql in the SQL editor. Creates sui_zklogin_identities and adds sui_address columns.
- NEXT_PUBLIC_SUPABASE_URL
- NEXT_PUBLIC_SUPABASE_ANON_KEY
- SUPABASE_SERVICE_ROLE_KEY
Step 3. Test sign-in
- Visit /passport β Continue with Google
- Should land on /auth/zklogin/callback then /passport?signed_in=1
- Check sui_zklogin_identities table for a 0x⦠address
Step 4. Veriff (identity stamp)
- Veriff Station β API keys: VERIFF_API_KEY, VERIFF_SECRET
- Webhook: https://abraxas-app.vercel.app/api/idv/webhook
- vendorData carries sui:0x⦠so webhook issues did:sui credentials
Step 5. Credential signing keys
node scripts/generate-abraxas-key.js β ABRAXAS_SIGNING_KEY + ABRAXAS_PUBLIC_KEY
Step 6. On-chain stamps (your next build)
Move package is on devnet (see live panel). After Veriff approves, add an API that calls issue_stamps_entry and stores the Passport object ID per Sui address.
- Fund a sponsor wallet with devnet SUI
- npm run sui:deploy:devnet if you need a fresh package
- New table sui_passport_objects (sui_address β object_id)
Step 7. Proving service (transactions only)
Reading passports via RPC does not need the prover. Set NEXT_PUBLIC_ZKLOGIN_PROVER_URL when users sign Sui transactions with zkLogin.
Repo map
app/api/auth/zklogin/register/route.ts
app/api/idv/webhook/route.ts
app/api/sui/passport/route.ts
sui/abraxas_passport/sources/passport.move
Full markdown: docs/ZKLOGIN_BACKEND_SETUP.md in the GitHub repo.