We are currently discussing the introduction of JWT-based authentication for ArenaService in Discussion #33.
The proposed method involves players signing JWTs with their secp256k1 private keys to authenticate API requests.
To move the discussion forward, I’d like to provide a concrete example implementation demonstrating the following:
Key Points:

- JWT Generation:
  - Clients generate JWTs signed with their private key.
  - The payload includes claims like `aud` (audience), `sub` (avatar address), `pbk` (public key), `iat` (issued at), and `exp` (expiry).

  Example payload:

  ```json
  {
    "aud": "arena-service",
    "sub": "0xf392d97E~~",
    "pbk": "bfcab7e8e0abac276b~~",
    "iat": 1718561199,
    "exp": 1718564799
  }
  ```

- Server-Side Validation:
  - Verify the JWT signature using the provided `pbk`.
  - Derive the avatar address from the `pbk` and ensure it matches the `sub` claim.
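The server-side validation steps listed above, written out in Python as an added example; it is not ArenaService code and not part of the original proposal. It assumes the `ES256K` JWS algorithm (RFC 8812, raw 64-byte `r||s` signature), `pbk` as the hex of a 65-byte uncompressed point, and a caller-supplied `derive_address` function (hypothetical name, since the page does not define the derivation); it also checks `aud`, `iat` and `exp`, which goes beyond the two steps listed.

```python
import base64, hashlib, json, time
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; every input during verification is public
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def validate(token, derive_address, now=None, aud="arena-service"):
    """Return the claims if every check passes, otherwise raise ValueError.
    Assumed: ES256K, uncompressed hex pbk, derive_address(bytes) -> str."""
    now = time.time() if now is None else now
    try:
        h, p, sg = token.split(".")
        header, claims, sig = json.loads(b64d(h)), json.loads(b64d(p)), b64d(sg)
        alg, pbk = header["alg"], bytes.fromhex(claims["pbk"])
        fresh = claims["iat"] <= now < claims["exp"]
    except (ValueError, KeyError, TypeError) as e:
        raise ValueError("malformed token") from e
    # Pin the algorithm and encodings; never let the token choose them
    if alg != "ES256K" or len(pbk) != 65 or pbk[0] != 4 or len(sig) != 64:
        raise ValueError("unexpected alg, key or signature encoding")
    x, y, r, s = (int.from_bytes(b, "big") for b in (pbk[1:33], pbk[33:], sig[:32], sig[32:]))
    if x >= P or y >= P or (y * y - x * x * x - 7) % P:
        raise ValueError("pbk is not a point on secp256k1")
    z, pt = int.from_bytes(hashlib.sha256(f"{h}.{p}".encode()).digest(), "big"), None
    if 0 < r < N and 0 < s < N:
        w = pow(s, -1, N)
        pt = add(mul(z * w % N, G), mul(r * w % N, (x, y)))
    if pt is None or pt[0] % N != r:
        raise ValueError("bad signature")
    # pbk is self-asserted, so the signature only counts once pbk is bound to sub
    if derive_address(pbk).lower() != str(claims.get("sub")).lower():
        raise ValueError("sub does not match pbk")
    if claims.get("aud") != aud or not fresh:
        raise ValueError("wrong audience or outside iat/exp window")
    return claims
```

The binding check is what stops a caller from signing with their own key while naming someone else's avatar address in `sub`; without it a valid signature proves nothing about identity.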