Auth

Authentication

Recover Account

PreviousAccount NextDevice

Last updated 1 year ago

Was this helpful?

Refresh Access Token

Refreshes the access token by the refresh token.

post

/auth/v1/refresh

Body

refreshTokenstringrequired

JWT

Example: eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://api.dev.hyphen.at//auth/v1/refresh' \
  --header 'Content-Type: application/json' \
  --data '{"refreshToken":"eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc"}'

200

{
  "credentials": {
    "accessToken": "eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc",
    "refreshToken": "eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc"
  }
}

Creates new account and register the current device's key as the initial user key. This involves deploying the account on the chain you've specified.

post

/auth/v1/signup

Body

methodenumrequired

The login channel the user is currently signing in/up.

Example: firebase

Options: firebase, test

tokenstringrequired

The access token / ID token / redirect code retrieved as a result of OAuth 2.0 Sign In. Server uses it to call the OAuth provider to verify that the client correctly finished OAuth flow, and fetches users' basic profile information such as email.

Its value differs by channel:

For apple, it's the ID token returned after finishing the SIWA process from the client.
For firebase, it's the redirect code from OAuth2 Redirect URI.

Example: eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc

chainNameenumrequired

Options: flow-mainnet, flow-testnet, ethereum-mainnet, ethereum-goerli, polygon-mainnet, polygon-mumbai

userKeyany ofrequired

The user key (usually device key / PassKey) created from the client SDK. Used as one of initial multi-sig keys for creating an account.

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://api.dev.hyphen.at//auth/v1/signup' \
  --header 'Content-Type: application/json' \
  --data '{"method":"firebase","token":"eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc","chainName":"flow-mainnet","userKey":{"type":"device","publicKey":"text","device":{"publicKey":"faceb00ccafebabedeadbeefbadf00defaceb00ccafebabedeadbeefbadf00de","pushToken":"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...","name":"iPhone 14","osName":"iOS","osVersion":"16.2","deviceManufacturer":"Apple","deviceModel":"SM-265N","lang":"en","type":"mobile"}}}'

201

{
  "account": {
    "id": "text",
    "addresses": [
      {
        "address": "0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B",
        "profileImageUrl": "text",
        "domainName": "vitalik.eth",
        "chainName": "flow-mainnet",
        "chainId": 80001,
        "chainType": "evm"
      }
    ],
    "parent": [
      {
        "address": "0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B",
        "profileImageUrl": "text",
        "domainName": "vitalik.eth",
        "chainName": "flow-mainnet",
        "chainId": 80001,
        "chainType": "evm"
      }
    ],
    "createdAt": "2025-02-12T03:16:44.420Z",
    "updatedAt": "2025-02-12T03:16:44.420Z"
  },
  "transaction": {
    "id": "text",
    "chainName": "flow-mainnet",
    "refUrl": "text"
  },
  "credentials": {
    "accessToken": "eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc",
    "refreshToken": "eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc"
  }
}

Sign in with two-factor authentication from other device. This is required when the user is trying to sign on the new device.

post

/auth/v1/signin/2fa

Body

requestobjectrequired

userKeyobjectrequired

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://api.dev.hyphen.at//auth/v1/signin/2fa' \
  --header 'Content-Type: application/json' \
  --data '{"request":{"method":"firebase","token":"eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc","chainName":"flow-mainnet"},"userKey":{"type":"device","publicKey":"text","device":{"publicKey":"faceb00ccafebabedeadbeefbadf00defaceb00ccafebabedeadbeefbadf00de","pushToken":"bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...","name":"iPhone 14","osName":"iOS","osVersion":"16.2","deviceManufacturer":"Apple","deviceModel":"SM-265N","lang":"en","type":"mobile"}}}'

200

{
  "twoFactorAuth": {
    "id": "text",
    "accountId": "text",
    "request": {
      "id": "faceb00c-cafe-babe-badd-deadbeef1234",
      "app": {
        "appId": "swirl-dev",
        "appName": "Swirl"
      },
      "userOpInfo": {
        "type": "sign-in",
        "signIn": {
          "email": "john@acme.com",
          "ip": "127.0.0.1",
          "location": "Seoul, KR"
        }
      },
      "srcDevice": {
        "id": "deadbeef-dead-beef-cafe-deadbeefcafe",
        "publicKey": "faceb00ccafebabedeadbeefbadf00defaceb00ccafebabedeadbeefbadf00de",
        "sdkVersion": "1.0.0",
        "pushToken": "bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
        "name": "iPhone 14",
        "osName": "iOS",
        "osVersion": "16.2",
        "deviceManufacturer": "Apple",
        "deviceModel": "SM-265N",
        "lang": "en",
        "type": "mobile"
      },
      "destDevice": {
        "id": "deadbeef-dead-beef-cafe-deadbeefcafe",
        "publicKey": "faceb00ccafebabedeadbeefbadf00defaceb00ccafebabedeadbeefbadf00de",
        "sdkVersion": "1.0.0",
        "pushToken": "bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
        "name": "iPhone 14",
        "osName": "iOS",
        "osVersion": "16.2",
        "deviceManufacturer": "Apple",
        "deviceModel": "SM-265N",
        "lang": "en",
        "type": "mobile"
      },
      "message": "deadbeefdeadbeefdeadbeef",
      "requestedAt": "2021-01-01T00:00:00Z"
    },
    "status": "pending",
    "extra": null,
    "result": {
      "txId": "text"
    },
    "expiresAt": "2021-01-01T00:00:00Z"
  },
  "ephemeralAccessToken": "eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc"
}

Finish sign in after the user authorized the request on the other device. This API will return the API credentials and account information.

post

/auth/v1/signin/2fa/finish

Authorizations

Body

twoFactorAuthRequestIdstringrequired

The latest 2FA request ID.

Example: deadbeef-dead-beef-dead-beefdeadbeef

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://api.dev.hyphen.at//auth/v1/signin/2fa/finish' \
  --header 'Authorization: Bearer JWT' \
  --header 'Content-Type: application/json' \
  --data '{"twoFactorAuthRequestId":"deadbeef-dead-beef-dead-beefdeadbeef"}'

200

{
  "account": {
    "id": "text",
    "addresses": [
      {
        "address": "0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B",
        "profileImageUrl": "text",
        "domainName": "vitalik.eth",
        "chainName": "flow-mainnet",
        "chainId": 80001,
        "chainType": "evm"
      }
    ],
    "parent": [
      {
        "address": "0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B",
        "profileImageUrl": "text",
        "domainName": "vitalik.eth",
        "chainName": "flow-mainnet",
        "chainId": 80001,
        "chainType": "evm"
      }
    ],
    "createdAt": "2025-02-12T03:16:44.420Z",
    "updatedAt": "2025-02-12T03:16:44.420Z"
  },
  "transaction": {
    "id": "text",
    "chainName": "flow-mainnet",
    "refUrl": "text"
  },
  "credentials": {
    "accessToken": "eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc",
    "refreshToken": "eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc"
  }
}

Starts SignIn Challenge. This is required when the user is trying to sign in from the device already registered. The client should request with the public key of the device. If it's not registered, it will raise HTTP 400 with PleaseRegisterKey error.

Issues a random 32-byte challengeData to the client. The client should respond by signing the data with the device's key, within 5 minutes.

The challenge type should be specified with either passKey or deviceKey.

post

/auth/v1/signin/challenge

Body

challengeTypeenumrequired

Options: deviceKey, passKey

requestobjectrequired

publicKeystringrequired

The public key of the PassKey in client-side. Should be 64-byte hex string concatenated with [x: 32byte, y: 32byte].

passKeyobject

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://api.dev.hyphen.at//auth/v1/signin/challenge' \
  --header 'Content-Type: application/json' \
  --data '{"challengeType":"deviceKey","request":{"method":"firebase","token":"eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc","chainName":"flow-mainnet"},"publicKey":"text","passKey":{"username":"jun@meowauth.xyz"}}'

200

{
  "challengeData": "deadbeefdeadbeefdeadbeefdeadbeef",
  "expiresAt": "2023-08-01T00:00:00.000Z"
}

Finishes sign in challenge. The client should provide the signature of the challengeData issued by the server. If valid, it will return the API credentials and account information.

post

/auth/v1/signin/challenge/respond

Body

challengeTypeenumrequired

Options: deviceKey, passKey

challengeDatastringrequired

deviceKeyobject

passKeyobject

Responses

application/json

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://api.dev.hyphen.at//auth/v1/signin/challenge/respond' \
  --header 'Content-Type: application/json' \
  --data '{"challengeType":"deviceKey","challengeData":"text","deviceKey":{"signature":"text"},"passKey":{"clientDataJSON":"text","authenticatorData":"h4tyVoWj/Tc2Lzxtu79kl9kYtTtraUYwBbIV1ymJaugdAAAAAA==","signature":"MEUCI...p33Sz9c="}}'

200

{
  "account": {
    "id": "text",
    "addresses": [
      {
        "address": "0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B",
        "profileImageUrl": "text",
        "domainName": "vitalik.eth",
        "chainName": "flow-mainnet",
        "chainId": 80001,
        "chainType": "evm"
      }
    ],
    "parent": [
      {
        "address": "0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B",
        "profileImageUrl": "text",
        "domainName": "vitalik.eth",
        "chainName": "flow-mainnet",
        "chainId": 80001,
        "chainType": "evm"
      }
    ],
    "createdAt": "2025-02-12T03:16:44.420Z",
    "updatedAt": "2025-02-12T03:16:44.420Z"
  },
  "transaction": {
    "id": "text",
    "chainName": "flow-mainnet",
    "refUrl": "text"
  },
  "credentials": {
    "accessToken": "eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc",
    "refreshToken": "eyJhbGciOiJIUzI...Qedy-rosPJLzs3jArh6Vc"
  }
}

Request to recover the account.

post

/auth/v1/recover

Responses

cURL

JavaScript

Python

HTTP

curl -L \
  --request POST \
  --url 'https://api.dev.hyphen.at//auth/v1/recover'

204

No body

No content

Authentication

Sign Up

Sign In (with 2FA)

Sign In (with Challenge)

Recover Account

Authentication

Sign Up

Sign In (with 2FA)

Sign In (with Challenge)

Recover Account

Refresh Access Token

Create Account

Sign In with 2FA

Finish Sign In with 2FA

Starts SignIn Challenge

Finish SignIn Challenge