Open Source v0.1.1

Auth sucks.
Well, used to.

A high-security, asymmetric authentication system for Django that ensures cleartext passwords and reversible hashes never touch your server.

Get Started
$ pip install django-voidauth
voidauth/backend.py
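from django.contrib.auth.backends import ModelBackend

# generate_challenge() is defined elsewhere; its import is not shown on this page.
class VoidAuthBackend(ModelBackend):
    def authenticate(self, request, username):
        # Create a fresh challenge and store it in the session.
        challenge = generate_challenge()
        request.session['challenge'] = challenge
        return {'challenge': challenge}

// SEE IT IN ACTION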

One library. Total security.

Choose the flow that fits your app. Mix them as needed.

signup_view.js
const result = await VoidAuth.register(username);
if (result.success) {
  // Show 12-word mnemonic to user
  showRecoveryModal(result.mnemonic);
}

Zero-Knowledge Signup

During registration, VoidAuth generates an Ed25519 keypair locally. The server only receives the public key, creating a permanent cryptographic anchor for the account.

login_view.js
try {
  await VoidAuth.login(username);
  window.location.href = '/dashboard';
} catch (err) {
  alert("Auth Failed");
}

The Handshake

Login is a simple challenge-response proof. The server sends a random nonce, the client signs it with their private key, and the server verifies it. No passwords ever cross the wire.
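
The handshake described above, as an added Node.js example (not VoidAuth's own code): the function names, the in-memory maps, the 60-second challenge lifetime and the `login-v1` message prefix are all assumptions. It shows the server binding each nonce to a username and consuming it after one attempt, so a signature that was already used or has expired is rejected.

```javascript
// Added example, not VoidAuth's implementation. All names are hypothetical.
const crypto = require('crypto');

const NONCE_TTL_MS = 60000;      // assumed challenge lifetime
const publicKeys = new Map();    // server side: username -> Ed25519 public key
const pending = new Map();       // server side: username -> { nonce, expires }

// Client, at signup: the keypair is generated locally; only the public key is stored server side.
function register(username) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  publicKeys.set(username, publicKey);
  return privateKey;             // never leaves the client
}

// Server: issue a fresh random nonce and remember it for a single attempt.
function issueChallenge(username, now = Date.now()) {
  const nonce = crypto.randomBytes(32);
  pending.set(username, { nonce, expires: now + NONCE_TTL_MS });
  return nonce;
}

// Both sides build the same message: a fixed context label, the username, then the nonce.
function message(username, nonce) {
  return Buffer.concat([Buffer.from(`login-v1|${username}|`), nonce]);
}

// Client: prove possession of the private key by signing the challenge.
function signChallenge(privateKey, username, nonce) {
  return crypto.sign(null, message(username, nonce), privateKey);
}

// Server: consume the nonce first (single use), then check expiry and the signature.
function verifyLogin(username, signature, now = Date.now()) {
  const entry = pending.get(username);
  pending.delete(username);
  const key = publicKeys.get(username);
  if (!entry || !key || now > entry.expires) return false;
  return crypto.verify(null, message(username, entry.nonce), key, signature);
}
```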

recovery_view.js
await VoidAuth.recover(username, mnemonic);
// Private key restored to Vault

BIP-39 Restoration

If a user loses their device, they can restore their vault using their 12-word seed phrase. The private key is re-derived locally, ensuring total autonomy.

// FEATURES

Everything you need to secure apps

Ed25519 Proofs

Ultra-fast, high-security asymmetric signatures for every login. No passwords stored.

View Shield

Indentation-agnostic defense for registration views. Surgical patching for complex codebases.

BIP-39 Recovery

Users can recover accounts using human-readable 12-word mnemonics. No more 'Forgot Password' emails.

Local Vault

Private keys are stored in the browser's IndexedDB, protected from XSS and cookie theft.

// THE ORIGIN STORY

Why VoidAuth exists

In many ecosystems, secure authentication is complex and often relies on centralized providers. Django's built-in auth is solid, but it still stores secrets on your server. For many developers, the friction of implementing asymmetric auth was just high enough that it never got done.

Django deserved a zero-knowledge authentication story.
That's the gap.

So I built VoidAuth. Inspired by blockchain security and the principle of user autonomy: write secure apps where secrets stay with the user, and the server knows only how to verify them.

No new framework to adopt. No test suite to maintain alongside it. Just your existing Django controllers and a DSL that stays out of your way.

// HOW IT COMPARES

You've tried the alternatives.

Here's why they didn't stick — and what VoidAuth does differently.

Passwords ✘ Vulnerable to leaks

Standard password hashing is still vulnerable to offline brute-force attacks if your database is leaked. Cleartext never exists with VoidAuth.

VoidAuth: No secrets on server. Database leaks reveal nothing.

OAuth ✘ Centralized tracking

Relying on Google or GitHub means you're tied to their uptime and their data tracking. Your users lose autonomy.

VoidAuth: Fully decentralized. You own your identity.

WebAuthn ✘ Hard to implement

Standard WebAuthn is complex to implement and often lacks built-in recovery for lost devices.

VoidAuth: One-command setup with BIP-39 recovery included.

Standard 2FA ✘ Friction for users

TOTP codes and SMS add friction every time. Users hate typing in codes.

VoidAuth: Seamless asymmetric handshake. Zero friction.

// FAQ

Common questions

What happens if a user loses their device?

They can use their 12-word recovery mnemonic to restore their vault. This re-derives their private key locally without ever contacting the server.

Does the server store passwords?

No. The server only stores an Ed25519 public key. It knows how to verify you, but it doesn't know your secrets.

Is it compatible with Django REST Framework?

Yes. VoidAuth includes a specialized backend that hooks into Django's standard auth system, making it compatible with DRF and standard views.

// CHANGELOG

What's new

v0.1.1 LATEST Jun 9, 2026

Added: View Shield: Indentation-agnostic defensive layer for registration views.
Added: Surgical Patching logic for complex Django view structures.
Fixed: Authentication backend multiplicity errors in multi-auth projects.

v0.1.0 Apr 22, 2026

Added: Void Architect AI setup assistant for automatic template patching.
Added: BIP-39 mnemonic recovery flow for lost devices.
Fixed: IndexedDB concurrency issue on rapid page refreshes.