
How to authenticate with JWT


The Ledger SDK lets users authenticate to the ledger by sending signed tokens (JWTs) with their requests.

The JWT options object (JwtConfig) has the following definition:

type JwtConfig = {
  /**
   * Represents a client identifier.
   *
   */
  iss: string
 
  /**
   * Represents a user identifier of the token sender.
   *
   */
  sub: string
 
  /**
   * Represents a recipient for which a token is intended, ledger public key or handle
   *
   */
  aud: string
 
  /**
   * Time after which a token expires, seconds since epoch.
   *
   */
  exp: number
 
  /**
   * Unique id of the token, can be used to prevent replay attacks
   *
   */
  jti?: string
 
  /**
   * Defines whether the request hash claim (hsh)
   * must be created and sent.
   *
   * Treated as "true" if this value is not
   * given.
   */
  createHsh?: boolean
 
  /**
   * ED25519 Key pair for signing token
   *
   */
  keyPair: LedgerKeyPair
 
  /**
   * Token verification key identifier.
   * Accepts a public key or a ledger signer handle.
   */
  kid?: LedgerHandle | LedgerKeyPair['public']
}
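
The claims in JwtConfig only protect a request if the recipient checks them. The sketch below is an added example (not Minka's SDK or ledger code) showing how kid, aud, exp and jti of an Ed25519-signed token are each enforced on the receiving side. Assumptions: the helper names, key id and claim values are constructed, exp is taken as seconds since epoch as in the definition above, kid is carried in the JWS header, and hsh is omitted because the page does not say how it is computed.

```javascript
// Added illustration, not Minka's code: key, claim values and helper names are constructed.
const crypto = require('node:crypto')
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url')
const unb64 = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'))

// Sender: sign the claims with an Ed25519 private key (JWS alg "EdDSA").
function signJwt(claims, privateKey, kid) {
  const input = `${b64({ alg: 'EdDSA', typ: 'JWT', kid })}.${b64(claims)}`
  return `${input}.${crypto.sign(null, Buffer.from(input), privateKey).toString('base64url')}`
}

// Recipient: return the claims, or throw naming the check that failed.
function verifyJwt(token, { keys, audience, seenJti, now }) {
  const [h, p, s] = token.split('.')
  if (!h || !p || !s) throw new Error('malformed token')
  const header = unb64(h)
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg') // fixed allowlist, no "none"
  const key = keys.get(header.kid) // kid only selects among keys already trusted
  if (!key) throw new Error('unknown kid')
  if (!crypto.verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url')))
    throw new Error('bad signature')
  const claims = unb64(p) // claims are read only after the signature checks out
  if (claims.aud !== audience) throw new Error('wrong audience')
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired')
  if (claims.jti !== undefined) {
    if (seenJti.has(claims.jti)) throw new Error('replayed jti')
    seenJti.set(claims.jti, claims.exp) // entry can be evicted once exp has passed
  }
  return claims
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519')
  const now = 1700000000 // constructed clock, seconds since epoch
  const base = { keys: new Map([['signer-1', publicKey]]), audience: 'ledger-a', now }
  const claims = { iss: 'client-1', sub: 'user-1', aud: 'ledger-a', exp: now + 3600, jti: 'req-001' }
  const token = signJwt(claims, privateKey, 'signer-1')
  const forged = token.replace(/\.[^.]+\./, `.${b64({ ...claims, sub: 'admin' })}.`)
  const attempt = (t, opts) => { try { verifyJwt(t, opts); return 'accepted' } catch (e) { return e.message } }
  const seenJti = new Map()
  return {
    first: attempt(token, { ...base, seenJti }),
    replay: attempt(token, { ...base, seenJti }),
    forged: attempt(forged, { ...base, seenJti: new Map() }),
    otherLedger: attempt(token, { ...base, seenJti: new Map(), audience: 'ledger-b' }),
    late: attempt(token, { ...base, seenJti: new Map(), now: now + 3601 }),
  }
}
console.log(demo())
```

Only the first presentation is accepted; the second use of the same jti, the altered payload, the token shown to a different audience and the token used after exp are each rejected with a distinct reason.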

JWT configuration can be set and combined at three different levels: SDK, client and request.

SDK - Securing SDK instance

The SDK can be secured at initialization by setting the secure property of the SDK constructor options:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
  server: '<your ledger URL>',
  signer: {
    format: 'ed25519-raw',
    public: '<your ledger public key>'
  },
  secure: {
    aud: '<token audience>',
    iss: '<token issuer>',
    keyPair: {
      public: '<signature public key>',
      format: '<signature key format>',
      secret: '<signature secret key>'
    },
    sub: '<token sub>',
    exp: 3600, // (1 hour)
    createHsh: true,
    kid: '<token verification key identifier>',
  }
})

This can also be set dynamically after creating a new instance, with the method setAuthParams:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
  server: '<your ledger URL>',
  signer: {
    format: 'ed25519-raw',
    public: '<your ledger public key>'
  }
})
 
sdk.setAuthParams({
  aud: '<token audience>',
  iss: '<token issuer>',
  keyPair: {
    public: '<signature public key>',
    format: '<signature key format>',
    secret: '<signature secret key>'
  },
  sub: '<token sub>',
  exp: 3600, // (1 hour)
  createHsh: true,
  kid: '<token verification key identifier>',
})

Client - Securing SDK Client

A client can be dynamically secured with the method setAuthParams:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
  server: '<your ledger URL>',
  signer: {
    format: 'ed25519-raw',
    public: '<your ledger public key>'
  }
})
 
// Securing wallet client
sdk.wallet.setAuthParams({
  aud: '<token audience>',
  iss: '<token issuer>',
  keyPair: {
    public: '<signature public key>',
    format: '<signature key format>',
    secret: '<signature secret key>'
  },
  sub: '<token sub>',
  exp: 3600, // (1 hour)
  createHsh: true,
  kid: '<token verification key identifier>',
})

Request - Securing an API call

A single request can be dynamically secured by passing the JWT options directly to the API call:

import { LedgerSdk } from '@minka/ledger-sdk'
 
const sdk = new LedgerSdk({
  server: '<your ledger URL>',
  signer: {
    format: 'ed25519-raw',
    public: '<your ledger public key>'
  }
})
 
// Securing a search for a wallet
const { wallet } = await sdk.wallet.read('wallet-handle', {
  aud: '<token audience>',
  iss: '<token issuer>',
  keyPair: {
    public: '<signature public key>',
    format: '<signature key format>',
    secret: '<signature secret key>'
  },
  sub: '<token sub>',
  exp: 3600, // (1 hour)
  createHsh: true,
  kid: '<token verification key identifier>',
})

See About Authentication for more details.
