About challenges

What is a challenge?

A challenge is a message that the backend sends to the client for authentication. The client must sign the challenge with the wallet owner's key and send it back to the backend for verification. From the signature, the backend can recover the address and look up its balance to decide on authorization. This is the core element of Proof of Key authentication.

The challenge is built in the following form:

{
  "assetId": "0c2f1cc1f71ccaa5822c30001",
  "timestamp": "1645176566",
  "nonce": "0e39cd4d-62d5-43f6-9141-6d3475760f85"
}

The following fields make up a challenge object:

  • assetId: The asset whose balance is checked.
  • timestamp: The current time as a UNIX timestamp.
  • nonce: A randomly generated string. It can only be obtained from the backend.

Security precautions

The following points have to be kept in mind:

  • The timestamp cannot be older than 5 minutes.
  • The nonce cannot be generated yourself. You must use one that has been sent by the Ambitorio server.
  • A challenge can only be used once. After a check it is discarded, regardless of whether the check succeeded or not.
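The following is an added example (not Ambitorio's code) of how a backend can issue challenges in the form shown above and enforce the three precautions: the 5 minute age limit, server-issued nonces only, and single use regardless of outcome. The wallet signature scheme is not described on this page, so signature checking is injected as a verify_signature callback, and the clock is injected so that expiry can be tested; both are assumptions of this example.

```python
import json
import time
import uuid

MAX_AGE_SECONDS = 5 * 60  # a challenge older than 5 minutes is rejected


class ChallengeStore:
    """Backend-side bookkeeping for Proof of Key challenges (example, not Ambitorio code)."""

    def __init__(self, now=time.time):
        self._now = now        # clock is injectable (assumption) so expiry can be tested
        self._issued = {}      # nonce -> challenge as issued; removed on first check

    def issue(self, asset_id):
        """Build a challenge in the documented form and remember its nonce."""
        challenge = {
            "assetId": asset_id,
            "timestamp": str(int(self._now())),
            "nonce": str(uuid.uuid4()),   # only the server generates nonces
        }
        self._issued[challenge["nonce"]] = challenge
        return challenge

    def verify(self, challenge, signature, verify_signature):
        """Return True only if every precaution holds.

        The nonce is consumed on the first check, whether or not the check
        succeeds, so a challenge can never be used twice.
        verify_signature(message, signature) -> bool is an assumed hook for
        the wallet's signature scheme, which this page does not specify.
        """
        issued = self._issued.pop(challenge.get("nonce"), None)
        if issued is None:
            return False   # nonce never issued by this server, or already used
        if issued != challenge:
            return False   # client altered assetId or timestamp after issuance
        try:
            age = self._now() - int(challenge["timestamp"])
        except (KeyError, ValueError):
            return False
        if age < 0 or age > MAX_AGE_SECONDS:
            return False   # stale (or future-dated) challenge
        # Sign/verify the canonical JSON encoding so both sides agree on the bytes.
        message = json.dumps(challenge, separators=(",", ":"), sort_keys=True)
        return bool(verify_signature(message, signature))
```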