Authentications request

After reading the auth_req_payload and registering an account with the HAS, the PKSA will start to receive registered account authentication request with the message:


    cmd: "auth_req", 
    account: string,
    data: string,
    uuid: string, 
    expire: number
  • account: the Hive account name that an application wants to authenticate

  • data: the Base64 representation of an encrypted auth_req_data object

  • uuid: the request identifier

  • expire: UNIX time when the request will expire

The structure of the auth_req_data is:


    app: {
        name: string
        description: string = undefined
        icon: string = undefined
    challenge : object = undefined
    token: string = undefined // DEPRECATED - protocol < 1 only
  • app: an object describing the application

    • name: short name of the app (ex: "peakd")

    • description: (optional) description of the app (ex: "Peakd for Hive")

    • icon: (optional) URL to retrieve the application icon (ex: "")

  • challenge: (optional) a challenge_data object that the app can pass to the PKSA for signing (see Challenge request).

  • token: (optional) a valid session token previously received from the PKSA - Depecrated since protocol v1

The PKSA must decrypt the auth_req_data object using the encryption key previously shared with the PKSA (auth_key). By encrypting the auth_req_data object, the HAS will be unaware of what's going on between the app and the PKSA and unable to tamper with the authentication request process.

The PKSA should verify that the uuid found in the auth_req message matches the one from the auth_req_payload and ignore any message with a mismatching uuid

A PKSA which doesn't manage an account:

  • will not be able to register that account to the HAS and therefore will not receive the related auth_req requests

  • should ignore and not reply to an auth_req request it can't process with an 'auth_err' (edge case where it registered the account but removed it from its managed accounts before getting the auth_req message)

Last updated