This document describes the secrets that must be set in order to operate the Cloudflare Worker Witness/Issuer service contained here. These secrets are most easily set using `wrangler` via the process described here.
NOTE: All secrets must be set, but a secret set to an empty string is skipped when the configuration is built.
The `REBASE_SK` secret should be the JSON-stringified form of an Ed25519 JWK secret key. Such a key can be generated following the instructions given here.
The `DID_WEB` secret should be a `did:web` identifier of the form `did:web:<URL_HOST_OF_REBASE_PUBLIC_KEY>`. It names the DID document that publishes the public key paired with the `REBASE_SK` secret JWK.
For example, if `DID_WEB` were set to `did:web:example.com`, visiting `https://example.com/.well-known/did.json` would be expected to resolve to a DID document whose verification key is the public half of the `REBASE_SK` JWK.
The instructions linked earlier show how to create this document after creating the secret key JWK.
There are no secrets required to configure the DNS flow.
The Email flow is currently limited to a SendGrid API based flow and requires several secrets to be set:
The `SENDGRID_BEARER_TOKEN` secret is an API token for use with the SendGrid API, generated using the SendGrid API Dashboard.
The `SENDGRID_FROM_ADDRESS` secret is the email address from which the challenge will be sent. It should be an address on a domain controlled by the SendGrid account that generated the `SENDGRID_BEARER_TOKEN`.
The `SENDGRID_FROM_NAME` secret is the display name shown as the sender of `SENDGRID_FROM_ADDRESS` in email clients.
The `SENDGRID_SUBJECT_NAME` secret is the name of the service as displayed in the subject of the challenge email. The subject is generated as `format!("Verifying ownership of {} {} for {}", subject_type, subject_id, SENDGRID_SUBJECT_NAME)`.
The `SENDGRID_MAX_ELAPSED_MINS` secret is a number greater than 0. It is how many minutes may elapse between the challenge email being sent and the end user pasting the challenge back before the witness considers the challenge expired. If it is set to something that is not a number, to a negative number, or to 0, the service errors out.
The `GITHUB_USER_AGENT` secret is the User-Agent header sent to GitHub when querying its public API.
NOTE: The NFT Ownership route is not in a complete state and will encounter breaking changes before final release, use in production at your own peril!
The `ALCHEMY_API_KEY` secret is used to access the Alchemy API when querying NFT ownership. An API key can be obtained by signing up here.
The `ALCHEMY_MAX_ELAPSED_MINS` secret is a number greater than 0. It is how many minutes may elapse between the challenge being sent and the end user pasting it back before the witness considers the challenge expired. If it is set to something that is not a number, to a negative number, or to 0, the service errors out.
The `TWITTER_BEARER_TOKEN` secret is the bearer token Twitter issues to the application developer for the Twitter API; it is used (as described here) when querying the API.
No secrets are required to configure the Reddit flow.
No secrets are required to configure the Same flow.
The `SOUNDCLOUD_CLIENT_ID` secret is the client id used with the SoundCloud v2 API; any logged-in SoundCloud user can discover it by following the directions outlined here.
The `SOUNDCLOUD_LIMIT` secret is the number of search results returned per query of the SoundCloud user search. It must be an integer between 1 and 200 inclusive. The suggested value is 100.
The `SOUNDCLOUD_MAX_OFFSET` secret is the highest search offset to try before giving up (the total number of results tested will be `SOUNDCLOUD_MAX_OFFSET` + `SOUNDCLOUD_LIMIT`, since the offset starts at 0). `SOUNDCLOUD_MAX_OFFSET` + `SOUNDCLOUD_LIMIT` must be less than or equal to 10,000. The suggested value is 900.