🔐 Authentication and Authorization
Wallet authentication and authorization
Picket enables wallet-based authentication and authorization. In exchange for a wallet signature, and optionally proof that the wallet satisfies authorization requirements (e.g. a minimum token balance), Picket returns a JWT access token.
The JWT access token can be used to authorize requests to internal or public off-chain APIs. This enables wallet-centric application use cases such as restricting access to private content and APIs to users who own a specific token.
While often used interchangeably, authentication and authorization represent fundamentally different functions. Below, we compare and contrast the two to show how they protect applications in complementary ways.
In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.
Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity. Then, when you arrive at the gate, you present your boarding pass to the flight attendant, so they can authorize you to board your flight and allow access to the plane.
In Picket, authentication is verifying ownership of a wallet (the signer controls the private key for the claimed address), while authorization is optionally verifying that the wallet holds at least a minimum balance of a given token.
Here's a quick overview of the differences between authentication and authorization:
| Authentication | Authorization |
| --- | --- |
| Determines whether users are who they claim to be | Determines what users can and cannot access |
| Verifies that the message signature corresponds to the user's wallet address | Verifies whether access is allowed through policies and rules |
| Usually done before authorization | Usually done after successful authentication |
| Generally transmits info through an ID Token | Generally transmits info through an Access Token |
In short, Picket lets you protect access to a resource with both authentication and authorization. If a user can't prove control of their wallet, they are not let into the resource. And even if they can prove it, if they are not authorized for that resource (for example, they do not hold enough of the required token), they are still denied access.
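The two-step check described above, as seen from an off-chain API that consumes the access token. This is an added example and not Picket's own code: it assumes an HS256 access token signed with a shared secret and the claim names `sub` (wallet address), `contractAddress` and `minTokenBalance`, none of which this page specifies. The secret and all tokens are constructed inline so the example runs offline. A request with a forged, tampered or expired token fails authentication (401); a genuine token whose token-gate claims do not cover what the route requires fails authorization (403).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the example; the real signing key and algorithm
# used for Picket access tokens are not specified on this page (assumption: HS256).
SECRET = b"example-signing-secret-do-not-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(wallet, contract=None, min_balance=None, ttl=3600, now=None):
    """Mint an access token like the one /auth returns (claim names are assumed).
    contract/min_balance record which token gate the wallet was verified against."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": wallet.lower(), "iat": now, "exp": now + ttl}
    if contract is not None:
        claims["contractAddress"] = contract.lower()
        claims["minTokenBalance"] = min_balance
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, now=None):
    """Authentication step: return the claims only if the token is genuine and unexpired."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse alg=none / algorithm confusion
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 / JSON / wrong segment count
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def authorize(claims, policy):
    """Authorization step: does the proven token gate cover what this route requires?
    policy is None for routes that only need a wallet, else
    {"contractAddress": ..., "minTokenBalance": ...}."""
    if policy is None:
        return True
    proven = claims.get("minTokenBalance")
    return (
        claims.get("contractAddress") == policy["contractAddress"].lower()
        and isinstance(proven, int)
        and proven >= policy["minTokenBalance"]
    )


def handle_request(authorization_header, policy, now=None):
    """Return (status, body) the way a token-gated API route would."""
    if not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    claims = verify_token(authorization_header[len("Bearer "):], now=now)
    if claims is None:
        return 401, "invalid or expired token"  # failed authentication
    if not authorize(claims, policy):
        return 403, "wallet does not meet token requirement"  # authenticated, not authorized
    return 200, f"hello {claims['sub']}"


if __name__ == "__main__":
    gate = {"contractAddress": "0xContract", "minTokenBalance": 5}
    tok = issue_token("0xWallet", contract="0xContract", min_balance=10, now=1000)
    print(handle_request("Bearer " + tok, gate, now=1500))   # 200: genuine and covered
    print(handle_request("Bearer " + tok, {**gate, "minTokenBalance": 50}, now=1500))  # 403
    print(handle_request("Bearer " + tok, gate, now=5000))   # 401: expired
```

Note that the route compares the balance proven at token issue time against its own requirement rather than re-querying the chain: a token minted for a gate of 10 also satisfies a gate of 5, but a wallet-only token (no gate claims) is refused on any gated route, and a tampered payload fails the signature check before the claims are ever read.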
The /auth endpoint always performs authentication of a wallet and can optionally perform authorization by verifying token ownership when supplied with a contract address and a minimum token balance.
POST https://picketapi.com/api/v1/auth
Authenticate wallets and verify token ownership.