import "github.com/bytemare/opaque"
This package implements OPAQUE (RFC 9807), the augmented password-authenticated key exchange (aPAKE) protocol that is secure against pre-computation attacks. It enables a client to authenticate to a server without ever revealing its password to the server.
This implementation is developed and maintained by one of the authors of the RFC. It has not been independently audited, and even though great care about security and performance has been taken, it comes with no warranty.
OPAQUE is an aPAKE that is secure against pre-computation attacks. OPAQUE provides forward secrecy with respect to password leakage while also hiding the password from the server, even during password registration. OPAQUE allows applications to increase the difficulty of offline dictionary attacks via iterated hashing or other key stretching schemes. OPAQUE is also extensible, allowing clients to safely store and retrieve arbitrary application data on servers using only their password.
You can find the documentation and usage examples in the package doc.
LoginFinish before using the session
secret.GetFakeRecord) to reduce
user-enumeration signals.ServerKeyMaterial securely. Treat secrets (e.g., private key and OPRF
seed) appropriately.Client.ClearState() is a best-effort to clear ephemeral material, but zeroization
has language/runtime limits.SemVer is used for versioning. For the versions available, see the tags on the repository.
Releases are built with the reusable bytemare/slsa workflow and ship the evidence required for SLSA Level 3 compliance:
curl -sSL https://raw.githubusercontent.com/bytemare/slsa/main/verify-release.sh -o verify-release.sh
chmod +x verify-release.sh
./verify-release.sh --repo <owner>/<repo> --tag <tag> --mode full --signer-repo bytemare/slsa
Run again with --mode reproduce to build in a container, or --mode vsa to validate just the verification summary.
Please read CONTRIBUTING.md for details on the code of conduct, and the process for submitting pull requests.
This project is licensed under the MIT License - see the LICENSE file for details.
$ claude mcp add opaque \
-- python -m otcore.mcp_server <graph>