Node.js Library - picket-node
Server-side library for accessing Picket endpoints.
Installation
npm install "@picketapi/picket-node"
Usage - Quick Start
The Picket constructor creates a new instance of the Picket class. It takes a secret API key as a parameter.
import Picket from "@picketapi/picket-node";
// Use your secret key when making calls from a secure server
const picket = new Picket("YOUR_SECRET_KEY_HERE");
We've placed a placeholder secret API key in this example. Replace it with your actual API key.
Nonce
A nonce is a random value generated by the Picket API that the user must sign to prove ownership of a wallet address. The nonce function can be used to implement your own wallet authentication flow.
A nonce is unique to a project and wallet address. If a nonce doesn't exist for the project and wallet address, Picket will generate a new nonce; otherwise, Picket will return the existing nonce. A nonce is valid for two minutes before self-destructing.
const { nonce, statement, locale } = await picket.nonce({
  chain: "ethereum",
  walletAddress: "0x_WALLET_ADDRESS"
});
Statement Localization
nonce takes in an optional locale parameter, which is used to localize the signing message statement into the given locale. When using the login function from picket-js or picket-react, the user's browser locale will automatically be passed as the locale for the signing message statement.
const { nonce, statement, format } = await picket.nonce({
  chain: "ethereum",
  walletAddress: "0x_WALLET_ADDRESS",
  // translate the statement to Afrikaans
  locale: "af",
});
Auth
auth is the server-side equivalent of login. auth should only be used in a trusted server environment. The most common use-case for auth is linking a wallet to an existing application account.
Wallet Authentication
await picket.auth({
  // chain is optional; when omitted, the default chain is Ethereum
  walletAddress: "0x_WALLET_ADDRESS",
  signature: "SIGNATURE"
});
// or specify it explicitly
await picket.auth({
  chain: "ethereum",
  walletAddress: "0x_WALLET_ADDRESS",
  signature: "SIGNATURE"
});
Token Gating
await picket.auth({
  // any supported EVM-compatible chain
  // if omitted, defaults to "ethereum"
  chain: "ethereum",
  walletAddress: "0x_WALLET_ADDRESS",
  signature: "SIGNATURE",
  requirements: {
    // restrict access to token holders
    contractAddress: "0xCONTRACT_ADDRESS",
    // omit if any number of tokens are acceptable
    minTokenBalance: 1
  }
});
Authz
authz stands for authorization. Unlike Auth, which handles both authentication and authorization, Authz only handles authorization. Given an authenticated user's access token and authorization requirements, authz will issue a new access token on success (user is authorized) or, on failure, it will return a 4xx HTTP error code.
await picket.authz({
  // chain and wallet are stored within the access token
  accessToken: "xxx.yyy.zzz",
  requirements: {
    // check ownership of a specific contract address
    contractAddress: "0xCONTRACT_ADDRESS",
    // omit if any number of tokens are acceptable
    minTokenBalance: 1
  }
});
Verify Token Ownership
If you only want to verify token ownership server side for a given wallet, tokenOwnership allows you to do just that.
import Picket from "@picketapi/picket-node"
const picket = new Picket('YOUR_SECRET_KEY_HERE')
const requirements = {
  // any supported EVM-compatible chain
  // if omitted, defaults to "ethereum"
  chain: "ethereum",
  walletAddress: "WALLET_ADDRESS",
  // Replace this example address with whichever contract you are verifying ownership for
  contractAddress: '0x8a90cab2b38dba80c64b7734e58ee1db38b8992e',
  // Replace with the minimum balance you want to verify users currently hold.
  minTokenBalance: 1
}
const { allowed, contractAddress, numTokens } = await picket.tokenOwnership(requirements)
// walletAddress comes from the requirements object defined above
console.log(`Allowed == ${allowed} because ${requirements.walletAddress} has ${numTokens} for ${contractAddress}.`)
Validate
validate validates an access token. validate should be called, or manual access token validation should be done, server-side before trusting a request's access token. It's common to move access token validation and decoding logic to a shared middleware across API endpoints.
If the access token is valid, validate returns the decoded claims of the access token.
const decoded = await picket.validate("ACCESS_TOKEN");
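The shared-middleware pattern mentioned above, as an added example that is not part of the Picket library or its documentation. It assumes the client sends the access token in an "Authorization: Bearer" header; requirePicketToken, req.picketClaims, fakePicket and simulateRequest are names made up for this example, and fakePicket stands in for a real Picket instance so the code runs offline.

```javascript
// Added example, not Picket's own code. `picket` is any object exposing
// validate(accessToken) -> Promise<claims>, as the Picket instance does.
// Assumption: the client sends the token as "Authorization: Bearer <token>".
function extractBearerToken(headerValue) {
  if (typeof headerValue !== "string") return null;
  // Accept exactly "Bearer <token>"; anything else is treated as absent.
  const match = /^Bearer ([A-Za-z0-9\-._~+\/]+=*)$/.exec(headerValue.trim());
  return match ? match[1] : null;
}

function deny(res, message) {
  res.statusCode = 401;
  res.setHeader("Content-Type", "application/json");
  res.end(JSON.stringify({ error: message }));
}

// requirePicketToken and req.picketClaims are names chosen for this example.
function requirePicketToken(picket) {
  return async function picketAuthMiddleware(req, res, next) {
    const token = extractBearerToken(req.headers.authorization);
    if (!token) return deny(res, "missing or malformed access token");
    try {
      const claims = await picket.validate(token);
      if (!claims || typeof claims !== "object") throw new Error("no claims");
      req.picketClaims = claims; // decoded claims for downstream handlers
    } catch (err) {
      // Fail closed: never reach the handler, never echo upstream error detail.
      return deny(res, "invalid access token");
    }
    return next();
  };
}

// Constructed stand-ins so the example runs offline (no network, no Express).
const fakePicket = {
  async validate(token) {
    if (token !== "aaa.bbb.ccc") throw new Error("401 from API");
    return { sample: "constructed claims" };
  },
};

async function simulateRequest(headers) {
  const out = { status: 200, nextCalled: false, claims: undefined };
  const req = { headers };
  const res = { setHeader() {}, end() {}, set statusCode(v) { out.status = v; } };
  await requirePicketToken(fakePicket)(req, res, () => { out.nextCalled = true; });
  out.claims = req.picketClaims;
  return out;
}
```

In an application, pass the real Picket instance instead of the stub, for example app.use("/api", requirePicketToken(picket)) in Express.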