Auth server

[zinderud]

“ https://docs.zksync.io/build/zksync-sso/transaction-flow#_4-auth-server-creates-a-session “ Can the Auth server here be any server that we have developed. or will it be generally used Auth servers. If this will return from a server we have developed, can a security vulnerability occur here? auth0 etc. If we use services, will it be enough for wallet security?

[yuliyaalexiev]

Auth Server is made available as a public good to all ZKsync developers and users today. It is hosted for ZKsync Era at testnet at auth-test.zksync.dev (so far available only on testnet until external audits are complete) and no additional work required for the developers outside of implementing the SDKs.
A ZK chain operator can choose to host another instance of the Auth Server (see source code) on their chain.
As far as security is concerned, the Auth Server has a small exposure footprint. It is stateless (does not store any information or private keys), but rather acts as an intermediary helping create a session onchain and serves as a relaying party for the passkey domain.