Explanations‐API‐Authentication
Michael Collins edited this page Jan 11, 2024 · 1 revision
The Carbonmark API uses challenge-response authentication (https://en.wikipedia.org/wiki/Challenge%E2%80%93response_authentication).
The login/verify flow is as follows:
- The user calls /users/login and receives a random nonce.
- The frontend builds the sentence to sign as follows: `Sign to authenticate ownership and edit your Carbonmark profile 💚\n\nSignature nonce: ${nonce}`
- The user signs the sentence with their private key (using ethers.js).
- The user sends the signature to the backend /users/login/verify endpoint.
- The backend verifies the signature against the same sentence the frontend constructed and recovers the address of the signer. If the recovered address matches the address in the request body, we generate a JWT and send it to the frontend.