Space and Time operates on a decentralized network, so authenticating directly to that network allows developers the greatest amount of control, flexibility, and speed, without the need to trust any centralized intermediary. The trade-off is that you have to manage cryptographic keys locally and prove authentication and authorization for every request.
Access Tokens are the core connection type - all other connection types are simply wrappers or abstractions around the Access Token workflow.
These instructions explain how to connect and authenticate directly to the Space and Time network using our REST APIs.
While you can use the workflow below to authenticate manually to the Space and Time network, it is somewhat hard to do, because you have to sign and return all required information within the 30-second security time-out. We recommend going through the CLI workflow, which will provide the steps for creating a new UserID and keypair. The workflow below is best for users who have already registered and are looking to start building an application on SxT.
Always keep your private key somewhere safe. If you lose your private key, you cannot authenticate as that UserID. To be safe, you can add a new keypair to your UserID's keyring and store a second key as backup.
To complete this workflow, you will need:
- A Space and Time UserID, which is created with one or more ED25519 public keys. The easiest way to do this is by following the CLI workflow.
- A mechanism to cryptographically sign the challenge token with the matching ED25519 private key
The decentralized authentication model is built on a traditional challenge / response model, whereby the user or application requests and signs a challenge token with the local private key, and if the network can validate with the public key, an access token is issued. Below is a map of that call / challenge / response workflow, with the local cryptographic signature work in bold:
| Actor | Action |
|---|---|
| User / application | Requests a challenge token for a particular UserID |
| Network | Generates a challenge token, associated with the UserID's stored public key, valid for 30 seconds |
| User / application | **Signs the challenge token with the UserID's private key**, and returns the signed challenge to the network |
| Network | Uses the UserID's public key to validate the signature made with the local private key, and returns an Access Token (25 minute session) as well as a Refresh Token (30 minute time-out) for streamlined session refresh |
| User / application | Any time before the Refresh Token times out, can request a refreshed Access Token, which again comes with a new Refresh Token |
| Network | Terminates any session that has been active for 24 hours, forcing a full re-authentication |
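The exchange above as a local Go simulation, added here as an example and not Space and Time's code or API. `Network`, `Challenge` and `Redeem` are hypothetical names, and consuming the challenge on every attempt is an assumption; the example shows the checks the verifying side makes (registered key, 30-second window, valid Ed25519 signature) before an Access Token would be issued.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

const challengeTTL = 30 * time.Second // challenge lifetime stated on this page
type pending struct{ token []byte; issued time.Time }
// Network is a local stand-in for the verifying side (hypothetical, not the SxT API).
type Network struct {
	keys map[string]ed25519.PublicKey // UserID -> registered public key
	open map[string]pending           // UserID -> outstanding challenge
}

func (n *Network) Challenge(userID string, now time.Time) ([]byte, error) {
	if _, ok := n.keys[userID]; !ok {
		return nil, fmt.Errorf("unknown UserID")
	}
	tok := make([]byte, 32) // unpredictable, so an old signature is useless
	if _, err := rand.Read(tok); err != nil {
		return nil, err
	}
	n.open[userID] = pending{tok, now} // replaces any earlier challenge
	return tok, nil
}

// Redeem checks the signed challenge. Single use is an assumption of this example.
func (n *Network) Redeem(userID string, sig []byte, now time.Time) error {
	p, ok := n.open[userID]
	delete(n.open, userID) // consume on every attempt so a signature cannot be replayed
	switch {
	case !ok:
		return fmt.Errorf("no outstanding challenge")
	case now.Sub(p.issued) > challengeTTL:
		return fmt.Errorf("challenge expired")
	case !ed25519.Verify(n.keys[userID], p.token, sig):
		return fmt.Errorf("signature does not match registered key")
	}
	return nil // a real network would now issue the Access and Refresh Tokens
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample keypair
	n := &Network{map[string]ed25519.PublicKey{"alice": pub}, map[string]pending{}}
	tok, _ := n.Challenge("alice", time.Now())
	fmt.Println(n.Redeem("alice", ed25519.Sign(priv, tok), time.Now()))
}
```

The private key is used only in `ed25519.Sign` on the client side; the verifying side holds nothing but the public key and the outstanding challenge.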
Access Tokens ARE your session to the network. Never share or lose control of your Access Token, as it would allow others to issue commands to the Space and Time network as you.
You can request the session be terminated at any time by calling the simple logout API, which will immediately log you out of all sessions.