# Authentication request

After reading the `auth_req_payload` and registering an account with the **HAS**, the **PKSA** will start to receive authentication requests for the registered account in the form of `auth_req` messages:

### auth\_req

```
{
    cmd: "auth_req", 
    account: string,
    data: string,
    uuid: string, 
    expire: number
}
```

{% tabs %}
{% tab title="Properties" %}

* **`account`**: the Hive account name that an application wants to authenticate
* **`data`**: the Base64 representation of an encrypted `auth_req_data` object
* **`uuid`**: the request identifier
* **`expire`**: UNIX time when the request will expire
  {% endtab %}
  {% endtabs %}

The structure of the `auth_req_data` is:

### auth\_req\_data

```javascript
{
    app: {
        name: string,
        description: string = undefined,
        icon: string = undefined
    },
    challenge: object = undefined,
    token: string = undefined // DEPRECATED - protocol < 1 only
}
```

{% tabs %}
{% tab title="Properties" %}

* **`app`**: an object describing the application
  * **`name`**: short name of the app (ex: "peakd")
  * **`description`**: *(optional)* description of the app (ex: "Peakd for Hive")
  * **`icon`**: *(optional)* URL to retrieve the application icon (ex: `"https://peakd.com/logo.png"`)
* **`challenge`**: *(optional)* a `challenge_data` object that the app can pass to the PKSA for signing (see [challenge-request](https://docs.hiveauth.com/developer-documentation/has-for-applications/challenge/challenge-request)).
* **`token`**: *(optional)* a valid session token previously received from the **PKSA** - ***Deprecated since protocol v1***
  {% endtab %}
  {% endtabs %}

The **PKSA** must decrypt the `auth_req_data` object using the encryption key previously shared with the **PKSA** (`auth_key`). Because the `auth_req_data` object is encrypted, the **HAS** is unaware of what is going on between the app and the **PKSA** and is unable to tamper with the authentication request process.

The **PKSA** should verify that the `uuid` found in the `auth_req` message matches the one from the `auth_req_payload` and ignore any message with a mismatching `uuid`.

A PKSA which doesn't manage an account:

* will not be able to register that account to the HAS and therefore will not receive the related `auth_req` requests
* should ignore an `auth_req` request it can't process and not reply to it with an `auth_err` (edge case where it registered the account but removed it from its managed accounts before getting the `auth_req` message)
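
The checks described above, as an added example that is not part of the HiveAuth documentation or code. The names `handleAuthReq`, `ctx.managed`, `ctx.pending` and `ctx.decrypt` are hypothetical, the cipher is supplied by the caller because this page does not specify it, and the sample data is constructed.

```javascript
// Added example: PKSA-side checks on an incoming auth_req message.
// Hypothetical names: handleAuthReq, ctx.managed, ctx.pending, ctx.decrypt.
function handleAuthReq(msg, ctx, now) {
  const fail = (reason) => ({ ok: false, reason });
  if (!msg || msg.cmd !== "auth_req") return fail("not_auth_req");
  const strings = ["account", "data", "uuid"].every((f) => typeof msg[f] === "string" && msg[f]);
  if (!strings || typeof msg.expire !== "number") return fail("malformed");

  // Account removed from the managed set: ignore, do not answer with auth_err.
  if (!ctx.managed.has(msg.account)) return fail("account_not_managed");

  // uuid must be the one read from the auth_req_payload for this account.
  const pending = ctx.pending.get(msg.uuid);
  if (!pending || pending.account !== msg.account) return fail("uuid_mismatch");

  // `now` must be in the same unit as `expire` (the page only says "UNIX time").
  if (msg.expire <= now) return fail("expired");

  // Decrypt with the auth_key tied to this uuid; any failure rejects the request.
  let data;
  try {
    data = JSON.parse(ctx.decrypt(Buffer.from(msg.data, "base64"), pending.auth_key));
  } catch (e) {
    return fail("undecryptable");
  }
  if (!data || typeof data !== "object" || !data.app || typeof data.app.name !== "string")
    return fail("bad_auth_req_data");
  return { ok: true, account: msg.account, uuid: msg.uuid, app: data.app, challenge: data.challenge };
}

// Constructed sample. standInDecrypt is NOT a cipher: it only models "the wrong
// key fails" so the flow runs offline; plug in the real auth_key decryption.
function standInDecrypt(bytes, key) {
  const text = bytes.toString("utf8");
  if (!text.startsWith(key + "|")) throw new Error("wrong key");
  return text.slice(key.length + 1);
}
const seal = (obj, key) => Buffer.from(key + "|" + JSON.stringify(obj)).toString("base64");
const sampleCtx = {
  managed: new Set(["alice"]),
  pending: new Map([["uuid-1", { account: "alice", auth_key: "k1" }]]),
  decrypt: standInDecrypt,
};
const sampleMsg = {
  cmd: "auth_req", account: "alice", uuid: "uuid-1", expire: 2000,
  data: seal({ app: { name: "peakd" } }, "k1"),
};
console.log(handleAuthReq(sampleMsg, sampleCtx, 1000));
```

Every failure path returns before anything from the decrypted payload reaches the user interface, so a request with a mismatching `uuid` or an unmanaged account is dropped without a reply.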
