Authentication Guide

Learn how to authenticate users with Solana wallet signatures

Overview

Axira AI uses Solana wallet-based authentication to provide a secure, decentralized way to authenticate users without requiring passwords or complex OAuth flows.

Authentication Flow

1. User Connects Wallet

The user connects their Solana wallet (Phantom, Solflare, etc.) to your application using the Wallet Adapter library.

2. Create Message

Your app creates a message to be signed that includes the wallet address and a timestamp to prevent replay attacks.

3. Request Signature

The wallet displays a prompt to the user asking them to sign the message. The user approves and the wallet returns the signature.

4. Verify Signature

Your backend verifies the signature using the wallet's public key and the original message.

5. Create Session

If the signature is valid, your app creates a user account or updates the existing one and returns a session token.

Security Best Practices

  • Always include a timestamp in the message to prevent replay attacks
  • Verify signatures on the backend using proper cryptographic libraries
  • Use HTTPS for all API calls to prevent man-in-the-middle attacks
  • Implement rate limiting on authentication endpoints
  • Store session tokens securely using httpOnly cookies or secure storage

Implementation Example

// React Component Example
import bs58 from 'bs58'; // base58 encoder for the raw signature bytes
import { useWallet } from '@solana/wallet-adapter-react';

export function LoginComponent() {
  const { publicKey, signMessage } = useWallet();

  const handleSignIn = async () => {
    // No wallet connected, or the wallet does not support message signing
    if (!publicKey || !signMessage) return;

    // 1. Create message (wallet address + timestamp for replay protection)
    const message = `Sign in to Axira AI\n\nWallet: ${publicKey.toBase58()}\nTimestamp: ${Date.now()}`;
    const messageBytes = new TextEncoder().encode(message);

    // 2. Request signature from the wallet
    const signature = await signMessage(messageBytes);

    // 3. Verify on backend
    const response = await fetch('/api/auth/wallet', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        wallet: publicKey.toBase58(),
        signature: bs58.encode(signature),
        message
      })
    });

    if (!response.ok) {
      console.error('Authentication failed:', response.status);
      return;
    }

    const data = await response.json();
    console.log('Authenticated:', data);
  };

  return <button onClick={handleSignIn}>Sign In</button>;
}