Your own backend (Auth)
Xumm xApps yield a JWT that can be used to make subsequent calls from the user context to the Xumm APIs. You can also use this JWT for your own backend.
If you want to identify a Xumm xApp user with your own backend, you can rely on the xApp JWTs issued by Xumm: the secret used to sign the JWT is your own Xumm application secret (HMAC, HS256).
This makes it really convenient to obtain three things at once when making calls to your own backend with an Authorization: Bearer {The Xumm JWT}
header:
You obtain basic user information, like the r-address and network the user is connected to, as this information is encoded in the JWT.
You can verify the authenticity of the JWT, as it is signed with your own Xumm API Secret.
You can make calls from the user context to the Xumm backend with this JWT (for as long as it is valid: 24h).
Every time a user opens your xApp, a new JWT is issued, valid for 24h.
Please note: if you are using the OAuth2 flow instead of an xApp to obtain your JWT, you can verify the OAuth2-issued RS256 JWT using the certificate information published as per the OpenID specifications: https://oauth2.xumm.app/certs
How to validate a JWT
When using the JWT for authorization, you need to validate it before you can be sure that the user is who they say they are. This is a brief explanation of how to verify the JWT using the npm package jsonwebtoken
and the bearer provided by the Xumm SDK.
You can obtain the JWT associated with the OTT by initiating the Xumm SDK:
Then get the bearer by awaiting the environment:
This bearer is the JWT. You must check if the JWT is valid.
First, run:
After this, use the code underneath to verify the JWT. You'll need the xApp API Secret, the key the JWT was signed with, to check its validity.
This xApp API Secret is found in the developer console at https://apps.xumm.dev.