Authentication
Last updated
Was this helpful?
Last updated
Was this helpful?
The following description is providing examples in http requests, but we strongly encourage you to use one of the SPV Wallet client libraries provided for different languages, which can be easily configured and handle authentication for you:
To authenticate against the SPV Wallet, one need to sign the request and provide the following headers:
x-auth-key -> xpub
x-auth-hash -> sha256 hash of the body string
x-auth-nonce -> random string
x-auth-time -> timestamp in milliseconds
x-auth-signature -> signature
The algorithm is presented below:
To sign a message you must possess an extended private key (xPriv).
Retrieve the extended public key (xPub) from the xPriv.
Set the xPub in x-auth-xpub header.
Generate a random and unique number and encode it as hex, this is the authentication nonce (AuthNonce).
Set the AuthNonce in x-auth-nonce header.
Hash request body with SHA-256 algorithm and
Set the hash of the body in x-auth-hash header.
Get the current timestamp in milliseconds and set it in x-auth-time header.
Derive a child extended key from the xPriv using AuthNonce.
Prepare message to sign by concatenating xPub, AuthHash, AuthNonce, and AuthTime.
Sign the message using Bitcoin Signed Message encoding, and the child extended private key.
Encode the signature in base64 and set it in x-auth-signature header.
To authenticate as user, first user and his xpub must be added by admin to SPV Wallet.
To register user, admin need to make a following request to SPV Wallet:
To authenticate within a SPV Wallet as a user, you simply need to use your xpub and sign the request with your xpriv.
Another way of authenticate as a user is by use of access key.
To authenticate as user with access key, first user must create an access key by making a request:
In response, you will receive a json with the following properties:
key - which is actually an additional private key and is not stored on the SPV Wallet side, so it is displayed to user only once and user is responsible for storing it
id - which actually can be used only on endpoints that can be used for checking the state of the access key (if it was revoked or when it was created)
When communicating with SPV Wallet,
Retrieve public key (PubKey) from the AccessKey (key property from the response of the create access key request).
Set the PubKey in x-auth-key header.
Generate a random and unique number and encode it as hex, this is the authentication nonce (AuthNonce).
Set the AuthNonce in x-auth-nonce header.
Hash request body with SHA-256 algorithm and
Set the hash of the body in x-auth-hash header.
Get the current timestamp in milliseconds and set it in x-auth-time header.
Prepare message to sign by concatenating AccessKey, AuthHash, AuthNonce, and AuthTime.
Sign the message using Bitcoin Signed Message encoding, and the AccessKey.
Encode the signature in base64 and set it in x-auth-signature header.
ℹ️ Possible further development path:
add access key scopes for example: READ, WRITE or even more granular
add expiration date/time
Whenever a user fills that access key is compromised, or it wouldn't be needed anymore, it is possible to revoke such access key, so it can't be used to authenticate.
To revoke an access key user need to make a request:
To authenticate within the SPV Wallet as an admin, you need to use admin HD key pair. At the SPV Wallet side the admin key pair is recognized by the admin xpub which need to be configured ().