# Authentication payload

To secure the communication between the application and the PKSA, the two need to share some offline information, NOT transmitted over the Internet, that we will refer to as `auth_req_payload`. That information will not be available to the **HAS**.

It can be provided to the **PKSA** through a QR code that is displayed by the app and manually scanned by the user, or by using a deep-link when on mobile.

The `auth_req_payload` has the following structure:

### auth\_req\_payload

```js
{
    account: string,
    uuid: string,
    key: string,
    host: string
}
```

{% tabs %}
{% tab title="Properties" %}

* **`account`**: the username of the account performing the authentication.
* **`uuid`**: the request identifier received with the `auth_wait` reply.
* **`key`**: an app-generated encryption key (we recommend using a UUID).
* **`host`**: URL of the HAS server to connect to (e.g. `wss://has.hiveauth.com`).
  {% endtab %}
  {% endtabs %}

With this information, the **PKSA** knows which `host` to connect to and which `account` it should register. It also knows it should receive an authentication request with a specific request identifier (`uuid`). Finally, it now owns a session encryption key (`auth_key`) that will be used to secure the authentication process and communication.

The PKSA should connect to the provided `host` and ask for the host encryption key.
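
A scanned QR code or deep-link is untrusted input to the PKSA, so the four fields are worth checking before it connects to `host`. The following is an added example, not HiveAuth's own code: `validateAuthReqPayload`, `KNOWN_HAS_HOSTS`, the length limit and the `wss://`-only rule are assumptions of this example, and decoding the QR or deep-link text into an object is left out.

```javascript
// Added example: PKSA-side checks on a decoded auth_req_payload.
// Assumptions of this example (not protocol rules): wss:// only, a 256-char
// field limit, and a local list of HAS hosts the wallet already knows.
const KNOWN_HAS_HOSTS = new Set(["has.hiveauth.com"]); // hypothetical list
const FIELDS = ["account", "uuid", "key", "host"];
const MAX_LEN = 256;

function validateAuthReqPayload(payload) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, error: "payload must be an object" };
  }
  const clean = {};
  for (const field of FIELDS) {
    const value = payload[field];
    if (typeof value !== "string" || value.length === 0 || value.length > MAX_LEN) {
      return { ok: false, error: `invalid field: ${field}` };
    }
    clean[field] = value; // copy known fields only, dropping any extras
  }
  let url;
  try {
    url = new URL(clean.host);
  } catch {
    return { ok: false, error: "host is not a valid URL" };
  }
  if (url.protocol !== "wss:") {
    return { ok: false, error: "host must use wss://" };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, error: "host must not embed credentials" };
  }
  // An unknown host is not rejected here: the wallet should ask the user
  // before connecting and registering the account with it.
  return { ok: true, payload: clean, knownHost: KNOWN_HAS_HOSTS.has(url.hostname) };
}

// Constructed sample values, as they might arrive from a scanned QR code.
const sample = {
  account: "alice",
  uuid: "3f2b8c1e-5d4a-4e6f-9a7b-0c1d2e3f4a5b",
  key: "9e1c7a52-8b3d-4f60-a1c4-6d5e4f3a2b1c",
  host: "wss://has.hiveauth.com",
};
console.log(validateAuthReqPayload(sample));
```

The returned `payload` contains only the four expected fields, so anything else carried in the QR code never reaches the connection logic.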
