Account proof

guest · November 27, 2022, 5:49pm

If my application backend has some wallet-associated API that should only be available for that wallet owner do I need to implement account proof? And why? My understanding is that I only need to authorize those endpoints (in traditional apps json web tokens, for example) but not sure about the best practices in dapps that only has wallet (blocto) authentication. Can you please advise?
In return for what the application backend should send nonce to the client? As in my case the user connects the wallet and if starts some transaction I want to keep that transaction id in the db which can be retrieved only by that user.

bluesign · November 28, 2022, 10:11am

Yes, account address and email from blocto can be faked, account proof is the way to ensure address belongs to user without running transaction or user signature
You can generate nonce from server side ( match with address, timestamp, your user record on your side ) when you get the proof you can check and rest is classic web2 session authentication ( cookie, token etc )

Topic		Replies	Views
Account Proof Flow with Signature Verification	0	359	January 13, 2022
Proving User Authentication using account-proof with fcl.appDomainTag	2	590	November 26, 2021
Is it possible to sign an arbitrary message with sdk? ⚙️ Flow SDKs	7	772	February 27, 2021
Need more clarity on authorization ⚙️ Flow SDKs	2	589	May 19, 2021
Request for best practices re: wallet / account creation server side ⚙️ Flow SDKs	3	1962	July 20, 2020