Account proof

Hi all, I have some questions regarding account proof implementation/purpose. https://github.com/onflow/fcl-js/blob/master/docs/reference/proving-authentication.mdx

  1. If my application backend has some wallet-associated API that should only be available to that wallet's owner, do I need to implement account proof? And why? My understanding is that I only need to authorize those endpoints (in traditional apps with JSON web tokens, for example), but I'm not sure about the best practices in dapps that only have wallet (Blocto) authentication. Can you please advise?
  2. In return for what should the application backend send a nonce to the client? In my case the user connects the wallet, and if they start some transaction I want to keep that transaction id in the db so that it can be retrieved only by that user.
1 Like
  1. Yes. The account address and email from Blocto can be faked; account proof is the way to ensure the address belongs to the user without running a transaction or a user signature.

  2. You can generate the nonce on the server side (matched with the address, a timestamp and your user record on your side). When you get the proof you can check it, and the rest is classic web2 session authentication (cookie, token, etc.).