Wallaby
  • Introduction
    • Welcome
    • Getting Started
    • Key Architecture Overview
    • SDK vs API
    • Authentication Overview
    • Security Overview
      • Wallaby System Security
      • Securing User Access Token
      • Securing API keys
      • Securing Device Auth Key
      • Securing the Seed Phrase
        • API only: Choosing encryption factors for the seed phrase
  • Capabilities
    • Core Wallet
      • Wallet Creation
      • Wallet Recovery
      • Wallet Export
      • Wallet Import
      • Seed Phrase Recovery (Beta)
    • Wallet Services
      • Asset Listings By Wallet Holders
      • Transfers
      • Spending Authorization
    • Wallet Data
      • View Assets, Addresses, & Balances
      • Transaction History & Status
      • Service Availability
  • Consumer Application SDK
    • SDK Quick Start
    • Authentication with the SDK
      • Account Creation
      • Login
      • Refresh Access
      • Update Client Public Key
    • Core Wallet SDK
      • Creating a wallet with the SDK
      • Recovering a wallet with the SDK
      • Exporting a wallet with the SDK
      • Importing a wallet with the SDK
    • Wallet Services SDK
      • Spending Authorization (Allowance) with the SDK
      • Transfers with the SDK
        • Use Case: Preparing a Transfer
    • Wallet Data SDK
      • Assets, Addresses, & Balance Fetching with the SDK
      • Transaction History with the SDK
      • Transaction Status with the SDK
      • Service Availability with the SDK
  • Consumer Application APIs
    • API Quick Start
    • API Authentication
      • Sign Up
      • Sign In
    • Core Wallet APIs
      • Creating a wallet with APIs
      • Recovering a wallet with APIs
      • Export a wallet with APIs
      • Import a wallet with APIs
    • Wallet Data APIs
      • Assets, Addresses, & Balance Fetching APIs
      • Transaction History APIs
      • Transaction Status APIs
    • Wallet Services APIs
      • Asset Listings By Wallet Holders API
      • Transfer API
      • Spending Authorization (Allowance) API
      • Algorand Opt In
    • Blockchain Specific APIs
      • Algorand Only APIs
      • EVM Only APIs
    • Error Codes
  • Wallet Administration
    • Admin Applications
      • Admin Authentication
      • Admin Security
      • Programmatically Listing Assets with the SDK
      • Programmatically Listing Assets as a Business
    • Admin Portal
      • Asset Listings By Your Business
        • Manually List Assets
        • Automate Listing Assets
Powered by GitBook
On this page
  • API Key
  • How to generate the client JWT
  1. Consumer Application SDK

Authentication with the SDK

PreviousSDK Quick StartNextAccount Creation

Last updated 10 months ago

Your system will need to authenticate with the Wallaby platform. In order to do so, you need a valid JWT from your system and Wallaby API key. In order to ensure security, your JWT should be secure with an MFA or equivalent mechanism.

API Key

API key will be provided by Wallaby team along with the RSA Key pair. You should store the API key and RSA private key as environment variables and pass them in the config when initializing the Wallaby client. Check for more info on the config object.

The private key will be used in generating the JWT to authorize the client when

How to generate the client JWT

  • This has to be done only when the Wallaby JWT has not been retrieved yet or when it is expired.

  • The JWT has to have a short expiration time (e.g., 5 minutes).

  • The JWT should be signed with RS256. That way the client will have the private key and Wallaby will only have the public key.

Note: These keys should be rotated on a regular basis or when a key is compromised. This rotation has to be part of the design, although it should not be that complicated.

For generating the JWT, you need to include the following in the payload:

Using the RSA Private Key pair that is paired along with the RSA Public Key pair that Wallaby provides, create an OpenSSL RSA configuration that will be used to encode the JWT. Encode the JWT with the RSA256 algorithm using the OpenSSL RSA configuration from before, and include in the payload:

  • The externalUserId param that includes the user's unique identifier in UUID format, this uuid has to be the same as the userId passed in the config object when initializing the Wallaby class.

    If the UUIDs do not match, the API will return an Unauthorized error.

  • An expiration param set for a short time, (e.g 5 minutes).

Example:

  const date = new Date()
  const jwtToken = jwt.sign(
    { externalUserId,
      expiration: date.setTime(date.getTime() + (5 * 60 * 1000))
    },
    privateKey,
    { algorithm: 'RS256' },
  );
Client Initialization