Picket Docs

Authentication and Authorization

Wallet authentication and authorization

Wallet-based Authentication and Authorization

Picket enables wallet-based authentication and authorization. In exchange for a wallet signature and a set of authorization requirements (e.g. a token balance requirement), Picket returns a JWT access token.

The JWT access token can be used to authorize requests to internal or public off-chain APIs. This enables wallet-centric application use cases such as restricting access to private content and APIs to users who own a specific token.

Terminology

Authentication and Authorization

While often used interchangeably, authentication and authorization represent fundamentally different functions. Below, we compare and contrast the two to show how they protect applications in complementary ways.

What are authentication and authorization?

In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.

Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity. Then, when you arrive at the gate, you present your boarding pass to the flight attendant, so they can authorize you to board your flight and allow access to the plane.

In Picket, authentication is verifying ownership of a wallet, while authorization is optionally verifying that the wallet holds at least a given number of a specific token.

Authentication vs. authorization

Here's a quick overview of the differences between authentication and authorization:

Authentication                                                                | Authorization
------------------------------------------------------------------------------|----------------------------------------------------------------
Determines whether users are who they claim to be                             | Determines what users can and cannot access
Verifies that the message signature corresponds to the user's wallet address  | Verifies whether access is allowed through policies and rules
Usually done before authorization                                             | Usually done after successful authentication
Generally transmits info through an ID Token                                  | Generally transmits info through an Access Token

In short, Picket enables you to ensure that access to a resource is protected by both authentication and authorization. If a user can't prove their identity, they won't be allowed into a resource. And even if they can prove their identity, if they are not authorized for that resource, they will still be denied access.

The Auth Endpoint

The /auth endpoint always performs authentication of a wallet and can optionally perform authorization by verifying token ownership when supplied with a contract address and a minimum token balance.

Authenticate wallets and verify token ownership.

POST https://picketapi.com/api/v1/auth

Returns an access token upon successful authentication and token ownership verification.

Request Body (* = required)

Name            | Type   | Description
----------------|--------|------------------------------------------------------------------------------------------
walletAddress   | String | Wallet address of the user to authenticate. Value should be represented as a string. Ex. 0xAD5363fF13a1609a89E89C278898B32A038cC015. This string is not case sensitive.
signature*      | String | A signed nonce fetched via connect. Value should be represented as a string.
contractAddress | String | Contract address of the token to check the user's ownership of.
minBalance      | String | The minimum balance of tokens from the given contractAddress that the user must hold.
chain           | String | The blockchain that should be used for this operation. Defaults to ethereum-mainnet.

Response

{
    accessToken: "0xAccessToken",
    walletAddress: "0x..abc",
    displayAddress: "noahfradin.eth"
}
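The following is an added example, not Picket's code, that simulates the connect-then-auth flow described above so the two checks can be seen separately: the signature over a single-use nonce authenticates the wallet, and the optional contractAddress/minBalance check authorizes it. The real service verifies an ECDSA wallet signature; here an HMAC with a constructed per-wallet key stands in for it, the balances and server key are constructed demo values, and the minBalance default of 1 and the JWT claims are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo state (not Picket's). The real service verifies an ECDSA wallet
# signature over the nonce; here an HMAC with a demo per-wallet key stands in for it.
SERVER_SECRET = b"demo-jwt-signing-key"
WALLET_KEYS = {"0xad5363ff13a1609a89e89c278898b32a038cc015": b"demo-wallet-key"}
NONCES = {}  # lowercased walletAddress -> outstanding nonce issued by connect
BALANCES = {  # constructed balances: (chain, contractAddress, walletAddress) -> count
    ("ethereum-mainnet", "0xcontract", "0xad5363ff13a1609a89e89c278898b32a038cc015"): 3,
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def connect(wallet: str) -> str:
    """The connect step: issue a fresh single-use nonce for the wallet to sign."""
    nonce = secrets.token_hex(16)
    NONCES[wallet.lower()] = nonce
    return nonce

def wallet_sign(wallet: str, nonce: str) -> str:
    """Client side: the wallet signs the nonce (HMAC stand-in for an ECDSA signature)."""
    return hmac.new(WALLET_KEYS[wallet.lower()], nonce.encode(), hashlib.sha256).hexdigest()

def auth(body: dict) -> dict:
    """Simulated POST /auth: authenticate the wallet, then optionally authorize by balance."""
    wallet = body["walletAddress"].lower()  # the address is not case sensitive
    nonce = NONCES.pop(wallet, None)        # single use: consumed whether or not it verifies
    key = WALLET_KEYS.get(wallet)
    if nonce is None or key is None:
        return {"error": "no outstanding nonce for walletAddress; call connect first"}
    expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, body["signature"]):
        return {"error": "signature does not correspond to walletAddress"}  # not authenticated
    contract = body.get("contractAddress")
    if contract:  # authorization is optional and only runs after authentication succeeded
        chain = body.get("chain", "ethereum-mainnet")  # documented default
        balance = BALANCES.get((chain, contract.lower(), wallet), 0)
        if balance < int(body.get("minBalance", "1")):  # minBalance default of 1 is an assumption
            return {"error": "insufficient token balance"}  # authenticated, but not authorized
    # Mint the access token: a compact HS256 JWT signed with the server's own key.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"walletAddress": wallet, "exp": int(time.time()) + 3600}).encode())
    sig = b64url(hmac.new(SERVER_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest())
    return {"accessToken": f"{header}.{claims}.{sig}", "walletAddress": wallet}
```

Because the nonce is consumed on the first attempt, a replayed or tampered signature fails at the authentication step and never reaches the balance check.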