Arianee Access Token

What is the Arianee Access Token?

An Arianee Access Token is an Ethereum Web Token or JSON Web Token using the Ethereum algorithm signature. It is very similar to an Arianee Proof, but it does not require a blockchain transaction, it is made off-chain.

The Arianee Access Token allows to prove that a user owns a wallet without sharing its private key.

header.playload.signature
eyJ0eXAiOiJKV1QiLCJhbGciOiJFVEgifQ==.eyJpc3MiOiIweDQ5NjdmOTZBOTUyMDk2Q2IxODAyRDM3NWNCNzAzMTRmODcyOUE5NzciLCJzY29wZSI6ImFsbCIsImV4cCI6MTU5NTkxMzMyNDk1OSwiaWF0IjoxNTk1OTEzMDI0OTYwLCJjaGFpbiI6InRlc3RuZXQiLCJzdWIiOiJjZXJ0aWZpY2F0ZSIsInN1YklkIjozNzAzNDU0fQ==.0x1a13a3f9f47b31212bfca68b67e17053c9a95d68d356bb540c7f7af77682699316a34fdb44c07a744e8584a41a5beea5b86ba92d97a4ab03ec5598f50a3f81f21c
HEADER
{
  "typ": "JWT",
  "alg": "ETH"
}
BODY
{
  "iss": "0x4967f96A952096Cb1802D375cB70314f8729A977",
  "scope": "all",
  "exp": 1595913324959,
  "iat": 1595913024960,
  "chain": "testnet",
  "sub": "certificate",
  "subId": 3703454
}

What is the Arianee Access Token for?

Arianee Access Token is similar to a JSON Web Token but signed by a wallet. They are widely used as a secure way of transmitting information between stakeholders in a web application environment. Find below some other advantages:

  • Off-chain: it does not require any blockchain transaction: so it is free to sign a JSON Web Token (no transaction cost) and it is instant.
  • Compact & efficient: lightweight and can be sent via HTTP headers, which makes them efficient for use in API authentication and authorization.
  • Stateless: does not require a database lookup to validate their authenticity. All the information required to validate the token is contained within the token itself, making it easy to use in a stateless architecture.
  • Cross-domain compatibility: can be easily passed between different domains, which is useful in a micro-services architecture where different services are running in different domains.
  • Secure: signed using a secret or a public/private key pair, which makes them tamper-proof.
  • Flexible: can carry a large amount of information in a compact format, making them flexible and useful for many use cases, including user authentication and authorization, as well as session management.

How to generate a valid Arianee Access Token?

{
  "iss": "0xWalletAddress",
  "exp": number,
  "scope": "read:products write:products"
}

Verify that the iss property in the payload matches the public key that was used to sign the JSON Web Token. If they do not match, the JSON Web Token is not valid.

An app considers this Arianee Access Token valid if:

  • iss public key to verify if the wallet that signs equals the issuer in the payload.
  • Arianee Access Token complies to the RFC7519. For example exp or nbf property.

The scope defines the permissions that the Arianee Access Token holder has, in the example above, the right to read and write products. This information can be used by the system to define whether a user is authorized to perform certain actions on the blockchain, actions based on the scope defined in the Arianee Access Token.

By design, an Arianee Access Token does not give any rights to perform a blockchain transaction.