Auth API Overview

Auth API Reference

This section contains the full technical reference for the Moralis Auth API.

The swagger can be found here.


See this page for demos of this API in different tech stacks.

How it works


Moralis Authentication Explained

Authentication begins when a client application, connected to a Web3 wallet, calls your server application to request an authentication message, supplying wallet address, chain Id, and network.

  1. Your server application accepts the address, chain ID, and network and creates an EIP-4361 compliant message that the client application will sign.

To make this possible you will need to provide some extra information in the ChallengeRequestDto request. Note: the network parameter defines which network type (e.g. EVM or Solana) is being used. The ChallengeRequestDto fields are:
1. Address: [Supplied by the calling application] The Ethereum address performing the signing, conformant to the capitalization-encoded checksum specified in EIP-55 where applicable.
2. ChainId: [Supplied by the calling application] The EIP-155 Chain ID to which the session is bound, and the network where Contract Accounts MUST be resolved.
3. Domain: The RFC 3986 authority that is requesting the signing, usually your own domain. Because the domain is part of the signed message, a signature obtained for a different site does not verify against yours.
4. ExpirationTime: The ISO 8601 datetime string that, if present, indicates when the signed authentication message is no longer valid.
5. NotBefore: The ISO 8601 datetime string that, if present, indicates when the signed authentication message becomes valid.
6. Resources: A list of information or references to information the user wishes to have resolved as part of authentication by the relying party. They are expressed as RFC 3986 URIs separated by "\n- " where \n is the byte 0x0a.
7. Timeout: Time in seconds after which this challenge request becomes invalid.
8. Statement: A human-readable ASCII assertion that the user will sign; it must not contain '\n' (the byte 0x0a).
9. Uri: An RFC 3986 URI referring to the resource that is the subject of the signing (as in the subject of a claim). Usually the URI of your application or website.

  2. The ChallengeRequestDto and network values are used to call the Moralis SDK MoralisClient.AuthenticationApi.AuthEndpoint.Challenge operation. This operation returns a Moralis.AuthApi.Models.ChallengeResponseDto.

  3. The ChallengeResponseDto response contains an EIP-4361 compliant message that should be returned to the client application to be signed.

  4. The client application signs the supplied message with the user's wallet (for externally owned accounts EIP-4361 specifies an EIP-191 personal_sign signature) and then sends the original message and the signature to your application.

  5. Your server application receives the network, message and signature from the client application, uses these to create a Moralis.AuthApi.Models.CompleteChallengeRequestDto, and calls the Moralis SDK MoralisClient.AuthenticationApi.AuthEndpoint.CompleteChallenge operation.

  6. Only once the CompleteChallenge operation has verified the signature should your application perform any server-side authentication processes it needs (saving information to databases, calling other applications, etc.) and then create an authentication response, such as a JWT, to return to the client application. Bind that session to the address of the verified challenge, not to an address the client supplied separately.
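The six steps above carried through on the server side, as an added example rather than Moralis SDK code (written in Python instead of the .NET SDK the step names refer to). The Moralis Challenge and CompleteChallenge calls are replaced by local functions so the flow runs offline; the signature check is an injected callable that stands in for the CompleteChallenge result (or an EIP-191 signature recovery), and the domain, URI and address values are constructed. What the example shows beyond the steps is the part the relying party must enforce itself: the returned message must be byte-identical to the one issued, inside its time window, and usable only once.

```python
"""EIP-4361 challenge lifecycle on the relying-party (server) side.

Added example; not Moralis SDK code. verify_signature is an injected callable
standing in for the Moralis CompleteChallenge verdict or an EIP-191 recovery;
nonce binding, time window and single use are enforced here, by the server.
"""
import secrets
from datetime import datetime, timedelta, timezone


def iso8601(dt: datetime) -> str:
    """EIP-4361 timestamps are ISO 8601 / RFC 3339; emit UTC with a 'Z'."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_siwe_message(domain, address, uri, chain_id, nonce, issued_at,
                       statement=None, expiration_time=None, not_before=None,
                       resources=()):
    """Lay the message out exactly as the EIP-4361 ABNF requires (Version 1)."""
    if statement is not None and "\n" in statement:
        raise ValueError("statement must not contain LF (byte 0x0a)")
    lines = [f"{domain} wants you to sign in with your Ethereum account:",
             address, ""]
    if statement is not None:
        lines.append(statement)
    lines.append("")
    lines += [f"URI: {uri}", "Version: 1", f"Chain ID: {chain_id}",
              f"Nonce: {nonce}", f"Issued At: {issued_at}"]
    if expiration_time is not None:
        lines.append(f"Expiration Time: {expiration_time}")
    if not_before is not None:
        lines.append(f"Not Before: {not_before}")
    if resources:
        lines.append("Resources:")
        lines += [f"- {r}" for r in resources]      # "\n- " separated, per spec
    return "\n".join(lines)


def eip191_prefixed(message: str) -> bytes:
    """Bytes a wallet's personal_sign keccak-256 hashes and signs (EIP-191 0x45)."""
    body = message.encode("utf-8")
    return b"\x19Ethereum Signed Message:\n" + str(len(body)).encode() + body


def parse_nonce(message: str):
    """Pull the Nonce line back out of a message the client returned."""
    for line in message.split("\n"):
        if line.startswith("Nonce: "):
            return line[len("Nonce: "):]
    return None


def issue_challenge(store, address, chain_id, domain, uri, now,
                    timeout=60, statement=None, resources=()):
    """Steps 1-3: build the challenge, remember it, return the message to sign."""
    nonce = secrets.token_hex(16)      # unpredictable; >= 8 alphanumerics per spec
    expires = now + timedelta(seconds=timeout)   # the Timeout field
    message = build_siwe_message(
        domain, address, uri, chain_id, nonce, iso8601(now),
        statement=statement, expiration_time=iso8601(expires),
        resources=resources)
    store[nonce] = {"message": message, "address": address,
                    "expires": expires, "used": False}
    return message


def complete_challenge(store, message, signature, now, verify_signature):
    """Steps 5-6: accept a signed message only if it is byte-identical to one we
    issued, still inside its time window, unused, and validly signed by the
    address it was bound to. Returns (ok, address_or_reason)."""
    entry = store.get(parse_nonce(message))
    if entry is None or entry["used"]:
        return False, "unknown or already-used nonce"
    if message != entry["message"]:
        return False, "message differs from the issued challenge"
    if now >= entry["expires"]:
        return False, "challenge expired"
    if not verify_signature(message, signature, entry["address"]):
        return False, "signature does not verify for the bound address"
    entry["used"] = True               # single use: a replayed signature fails
    return True, entry["address"]


if __name__ == "__main__":
    # Constructed values; the verifier below is a stand-in for CompleteChallenge.
    store, now = {}, datetime.now(timezone.utc)
    addr = "0xAb5801a7D398351b8bE11C439e05C5B3259aeC9B"
    msg = issue_challenge(store, addr, 1, "login.example.com",
                          "https://login.example.com", now, statement="Sign in")
    print(msg)
    print(eip191_prefixed(msg)[:40])
    print(complete_challenge(store, msg, "sig", now, lambda m, s, a: True))
    print(complete_challenge(store, msg, "sig", now, lambda m, s, a: True))
```

The session that step 6 issues should carry the address returned by complete_challenge, which is the address the challenge was bound to when it was issued; the message is compared whole rather than field by field so a client cannot swap the chain ID, domain or expiry while keeping a valid nonce.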