Merged
21 commits
6bedcbb
docs: verify user on backend
aashkrishnan May 29, 2025
1b17688
docs: verify user on backend
aashkrishnan May 29, 2025
c3cbddc
docs: verify user on backend
aashkrishnan Jun 16, 2025
05242df
Merge branch 'main' into ash/add-session-verify-docs
aashkrishnan Jun 17, 2025
de21cf6
feat: allow nonce key overrides by default for non-deployed accounts …
Zer0dot Jun 17, 2025
ecc6b68
docs: group new auth hooks (#1695)
jakehobbs Jun 17, 2025
3099772
docs: add user session verification faq
aashkrishnan Jun 17, 2025
fa2df33
docs: update docs Readme for local dev and API specs (#1693)
dslovinsky Jun 17, 2025
486e2db
feat: adds webauthn account support (#1678)
linnall Jun 17, 2025
3bb0f74
chore(release): publish v4.42.0 [skip-ci]
Jun 17, 2025
80527ad
feat: add webauthn-p256 to account-kit/smart-contracts + auto-generat…
Zer0dot Jun 18, 2025
7bb7eb3
chore(release): publish v4.43.0 [skip-ci]
Jun 18, 2025
2ba7fc8
docs: fix variable in docs (#1705)
blakecduncan Jun 18, 2025
71bad00
fix: upgrade TK iframe stamper to properly handle concurrent stamping…
jakehobbs Jun 18, 2025
cc39422
chore(release): publish v4.43.1 [skip-ci]
Jun 18, 2025
2f564da
docs: verify user session faq
aashkrishnan Jun 18, 2025
1925067
Merge branch 'main' into ash/add-session-verify-docs
aashkrishnan Jun 18, 2025
e3ac568
docs: verify user session faq
aashkrishnan Jun 18, 2025
ab660e8
Merge branch 'main' into ash/add-session-verify-docs
aashkrishnan Jun 19, 2025
47c7e52
Merge branch 'main' into ash/add-session-verify-docs
aashkrishnan Jun 19, 2025
2e66bf1
Merge branch 'main' into ash/add-session-verify-docs
aashkrishnan Jun 19, 2025
46 changes: 46 additions & 0 deletions docs/pages/resources/faqs.mdx
@@ -167,6 +167,52 @@ We recommend adding error handling when sending a UO to handle potential gas and
[here](#TODO).
</Accordion>

### How to Authenticate Users and Verify User Sessions on the Backend?

<Accordion title="Answer">
After a user logs in with Account Kit on the frontend, you might want to verify their identity on your backend to authorize actions or access.

You can do this using one of two approaches:

---

### Option 1: SIWE [Sign-In With Ethereum](https://eips.ethereum.org/EIPS/eip-4361)

Use this flow when you just need to verify user sessions created by EOAs and Smart Contract Accounts (SCAs) via Account Kit.

For EOAs, Account Kit doesn’t create a session on the client side and `stampWhoAmI` isn’t available, so we can use SIWE. This can be used for verifying EOA and SCA flows.
Collaborator comment: Kinda confusing bc this is both sca and eoas

Collaborator comment: Add some more context on when to use 1 vs. 2

You can create a [SIWE message](https://docs.login.xyz/sign-in-with-ethereum/quickstart-guide/creating-siwe-messages) with all the necessary info to get server side (address, chainId, etc).

1. The backend provides a nonce to the frontend.
2. The user signs a SIWE message with their wallet (EOA or SCA).
3. The frontend sends the signed message back to the backend.
4. The backend verifies the signature:
- EOAs: Standard signature recovery
- SCAs: Use EIP-1271 or EIP-6492 to verify the contract signature
5. The backend issues a session token.

**Note:**
- SIWE requires an explicit signature from the user, which [costs](https://www.alchemy.com/docs/reference/compute-unit-costs) more than calling `whoami`
- For verifying both EOA and SCA user sessions

---

### Option 2: `stampWhoAmI` + `whoami` (Only when using Alchemy signer)

Use this flow when you just need to verify user sessions created by SCAs via Account Kit.

1. The frontend generates a stamped request using [signer.inner.stampWhoAmI](https://www.alchemy.com/docs/wallets/reference/account-kit/signer/classes/BaseSignerClient/stampWhoami).
2. It sends the stamp to your backend.
3. The backend calls Alchemy's [/signer/v1/whoami](https://www.alchemy.com/docs/node/smart-wallets/signer-api-endpoints/signer-api-endpoints/auth-user) endpoint to verify the identity.
4. If you need to make subsequent requests, you can also avoid calling the whoami endpoint on every request. To do so, after verifying the `whoami`, the backend can issue its own session token (e.g. an HTTP-only cookie or access token). If the token is present, you can safely skip the `whoami` check.

**Why this approach?**
- No user signature required
- **Cheaper** than flows requiring a signed message
- Easily retrieve user's login info, such email and address if available

</Accordion>

## Common Errors

### Replacement underpriced: `"code":-32602,"message":"replacement underpriced","data"...`
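Review bot: Step 4 of Option 1 only verifies the signature, and step 4 of Option 2 says the `whoami` check can be skipped whenever a token "is present"; both steps should spell out the binding checks. For the SIWE flow, the backend must also confirm that the message carries the exact nonce it issued in step 1 (single use, then discarded), that the domain, URI, chain ID and expiration fields match what it expects, and that the recovered (or EIP-1271/EIP-6492 verified) signer equals the address in the message; without those checks a captured message can be replayed. For Option 2, replace "If the token is present, you can safely skip the `whoami` check" with wording that says the backend validates the token it issued (signature or server-side lookup, plus expiry) before skipping `whoami`. The guidance on when to pick each option is nearly identical ("Use this flow when you just need to verify user sessions created by ..." in both), and the sentence "For EOAs, Account Kit doesn't create a session on the client side ... This can be used for verifying EOA and SCA flows." mixes the two cases; state plainly that Option 1 covers both EOAs and SCAs while Option 2 is only available for Alchemy Signer (SCA) sessions, and drop "just need to". Under **Note:**, the bullet "For verifying both EOA and SCA user sessions" is a fragment, and "such email and address" should read "such as email and address". Finally, the two option headings use `###`, the same level as the FAQ question that contains them; `####` would keep the outline consistent with the rest of the page.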