Last updated
Last updated
Before sending its request, the APP must create an "authentication request data" object (auth_req_data
) it will send to the PKSA
app
: an object describing the application
name
: short name of the app (ex: "myapp")
description
: (optional) description of the app (ex: "My Hive Application")
icon
: (optional) URL to retrieve the application icon (ex: "https://myapp.com/logo.png")
challenge
: (optional) a challenge_data
object that the app can pass to the PKSA for signing (see )
token
: (optional) a valid session token previously received from the PKSA - Deprecated since protocol V1
Sending a challenge to the PKSA with an auth_req enables the APP to perform both an authentication and a challenge signing in one round trip.
Finally, the APP sends its authentication request (auth_req
) to the HAS using the following message:
account
: the Hive account name that the application wants to authenticate
data
: the Base64 representation of an encrypted auth_req_data
object
Providing an existing token
with the auth_req
simplifies the authentication process. Indeed, if a PKSA stores the token and confirms its validity, it is no longer required to scan a QR code because the PKSA already has the associated auth_key
.
The auth_key
must be encrypted with the encryption secret (auth_req_secret) it shares with the PKSA service.
example:
{
cmd: "auth_req",
account: "username",
data:
{{encrypted_data_base64}}
,
auth_key: CryptoJS.Encrypt(auth_key, auth_req_secret)
}
The HAS will reply with an auth_wait message
uuid
: a unique identifier given by the HAS to the request
expire
: UNIX timestamp when the authentication request will expire
account
: account doing the authentication request
The APP must then encrypt the auth_req_data
object using the auth_key
(see )
When using a PKSA running in , the APP must add the auth_key
property to the auh_req
it sends to the HAS server.