# auth

> The auth module provides tools to authenticate agents and scripts with the Sherlock API.

In [None]:
#| default_exp auth

In [None]:
#| hide
from nbdev.showdoc import *

In [None]:
#| export
import httpx
from cryptography.hazmat.primitives.asymmetric import ed25519

from sherlock.crypto import *

In [None]:
#| hide
from dotenv import load_dotenv
import os
load_dotenv()

# Hex encoded ED25519 private key - you can create them locally or with an online tool like https://pk-generator.replit.app/
priv = os.getenv('SHERLOCK_AGENT_PRIVATE_KEY_HEX')

API_URL = os.getenv('SHERLOCK_API_URL', "https://api.sherlockdomains.com")


## Authentication flow


The authentication system allows AI agents to authenticate without passwords or email verification.

The agent has a public/private key pair. To authenticate, the agent does:

1. Agent sends their public key to the server which issues a one-time challenge tied to the public key
2. Agent signs the challenge with their private key to prove identity
3. Server verifies signature and issues JWT tokens for subsequent requests

This flow provides secure authentication while being simple for automated agents to implement.

### Get challenge

In [None]:
pk, pub = from_pk_hex(priv)

In [None]:
r = httpx.post(f"{API_URL}/api/v0/auth/challenge", json={"public_key": pub})
r, r.json()

(<Response [200 OK]>,
 {'challenge': '5189a91c74c77a55c1d567b52d04233a83040c9f398eee33657a912fbdb92dd8',
  'expires_at': '2025-01-27T08:10:58.196Z'})

In [None]:
#| export

def _handle_response(r):
    "Process response: raise for status and return json if possible."
    r.raise_for_status()
    try: return r.json()
    except: return r

def _get_challenge(pub_key: str, # public key
                   base_url: str = "https://api.sherlockdomains.com"): # base url
    "Get authentication challenge for a public key"
    r = httpx.post(f"{base_url}/api/v0/auth/challenge", json={"public_key": pub_key})
    return _handle_response(r)['challenge']

In [None]:
#| hide
c = _get_challenge(pub)
c

'f49b34f642c76e1562e6ce60e9e8cf50cb48384a73bc02e93bb12b903d20bca0'

### Sign challenge

We next need to sign the challenge with the private key and send it back to the server.

In [None]:
sig = pk.sign(bytes.fromhex(c)).hex()
sig

'5ed8287141ada59c29a51271706c48788909c7fea1fde7fca32431ebd043a3ebe5dcb77beb61bcab0b2a9389f157083dba7fa24bd25949069f776edc74c8b40c'

In [None]:
#| export

def _sign_challenge(pk: ed25519.Ed25519PrivateKey, 
                    c: str): # challenge
    "Sign a challenge with a private key"
    return pk.sign(bytes.fromhex(c)).hex()

### Submit challenge

In [None]:
r = httpx.post(f"{API_URL}/api/v0/auth/login", json={
    "public_key": pub,
    "challenge": c,
    "signature": sig
})
r, r.json()

(<Response [200 OK]>,
 {'access': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyOCwicHVibGljX2tleSI6IjkwYmE4ODQ2ODg4ODQyNzdlNDkwODA3MTJmMzg2ZWViYzg4ODA2ZWZhODM0NWNhOTM3Zjc1ZmU4MDk1MDE1NmQiLCJleHAiOjE3Mzc5NjY2NTgsImlhdCI6MTczNzk2NDg1OCwidHlwZSI6ImFjY2VzcyJ9.3wgQp1U1Kx8aapsSZzKtxqw5pBr8nZFKrk09__eCR1M',
  'refresh': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyOCwicHVibGljX2tleSI6IjkwYmE4ODQ2ODg4ODQyNzdlNDkwODA3MTJmMzg2ZWViYzg4ODA2ZWZhODM0NWNhOTM3Zjc1ZmU4MDk1MDE1NmQiLCJleHAiOjE3Mzg1Njk2NTgsImlhdCI6MTczNzk2NDg1OCwidHlwZSI6InJlZnJlc2gifQ.tz72nufBq39ME_foQDsajEiYJafeg-Oc5-Sx5B1bRw0'})

In [None]:
#| export

def _submit_challenge(pub: str, # public key
                      c: str, # challenge
                      sig: str, # signature
                      base_url: str = "https://api.sherlockdomains.com"): # base url
    "Submit a challenge and signature to the server to get access and refresh tokens"
    r = httpx.post(f"{base_url}/api/v0/auth/login", json={
        "public_key": pub,
        "challenge": c,
        "signature": sig
    })
    r = _handle_response(r)
    return r['access'], r['refresh']

Challenges can be used only once.

### Authenticate

Let's put it all together in an authenticate method.

In [None]:
#| export

def authenticate(priv: ed25519.Ed25519PrivateKey, # private key
                 base_url: str = "https://api.sherlockdomains.com"): # base url
    "Authenticate with the server and return access and refresh tokens"
    pub = priv.public_key().public_bytes_raw().hex()
    c = _get_challenge(pub, base_url)
    sig = _sign_challenge(priv, c)
    return _submit_challenge(pub, c, sig, base_url)

In [None]:
atok, rtok = authenticate(pk)
atok, rtok


('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyOCwicHVibGljX2tleSI6IjkwYmE4ODQ2ODg4ODQyNzdlNDkwODA3MTJmMzg2ZWViYzg4ODA2ZWZhODM0NWNhOTM3Zjc1ZmU4MDk1MDE1NmQiLCJleHAiOjE3Mzc5NjY2NTksImlhdCI6MTczNzk2NDg1OSwidHlwZSI6ImFjY2VzcyJ9.IlDt1ZNG0PIAwaS2wyt88vBq_J0huLJUS2The_-K88M',
 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyOCwicHVibGljX2tleSI6IjkwYmE4ODQ2ODg4ODQyNzdlNDkwODA3MTJmMzg2ZWViYzg4ODA2ZWZhODM0NWNhOTM3Zjc1ZmU4MDk1MDE1NmQiLCJleHAiOjE3Mzg1Njk2NTksImlhdCI6MTczNzk2NDg1OSwidHlwZSI6InJlZnJlc2gifQ.6WtLMOKVX9Yr6crt-NPDWElKTGB36gC69ABpHGJeg7o')

### Linking an email to an Agent

When an AI agent first authenticates using its public/private key pair, our system automatically creates a user account associated with that agent. 

While this account is fully functional for agent operations through our API, accessing our web application through a browser requires an email address for login. By linking an email to your agent-created account, you'll gain access to the web interface along with additional features and account management capabilities.


In [None]:
#| export

def link_account_to_email(email: str, auth_token: str, base_url: str = "https://api.sherlockdomains.com") -> None:
    r = httpx.post(
        f"{base_url}/api/v0/auth/email-link",
        headers={"Authorization": f"Bearer {auth_token}"},
        json={"email": email}
    )
    return _handle_response(r)
