From a363673fed1bb8db372867821649f22f33fb4057 Mon Sep 17 00:00:00 2001 From: sohey Date: Mon, 6 Oct 2025 19:16:31 +0200 Subject: [PATCH 01/14] added auth flow --- .../core-concepts/authentication.mdx | 197 +++++++++++++----- 1 file changed, 145 insertions(+), 52 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index c7e74eea..e04a9491 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -1,79 +1,172 @@ --- title: Authentication -description: Let users start fast and ask for a wallet only when needed +description: Authentication in mini apps is handled through Quick Auth, which provides a secure way to verify user identity using their Farcaster account. --- -## Authentication guidance from Base App +## Implementation + +### Step 1: Frontend Authentication + + ```jsx frontend +import { useState } from "react"; +import { sdk } from "@farcaster/frame-sdk"; + +export function App() { + const [token, setToken] = useState(null); + const [userData, setUserData] = useState<{ fid: number; address: string } | null>(null); + + async function signIn() { + try { + const { token } = await sdk.experimental.quickAuth(); + setToken(token); + + // Use the token to fetch user data + const response = await fetch('/api/me', { + headers: { "Authorization": `Bearer ${token}` } + }); + + const data = await response.json(); + setUserData(data); + } catch (error) { + console.error("Authentication failed:", error); + } + } + + function signOut() { + setToken(null); + setUserData(null); + } + + if (!token) { + return ; + } - -Save authentication that requires an interaction for interactions that require it (e.g., buying something, viewing personalized pages). - + return ( +
+

Authenticated as FID: {userData?.fid}

+ +
+ ); +} +``` -Supported approaches: +Use the token in API requests: - - -Base App natively supports SIWF in-app, enabling social identity without leaving the app. Quick Auth can issue a JWT to persist session state. -**User Experience in Base App:** -- **Create Account Users** (new Farcaster accounts created during Base App onboarding): Users see a "Login request" tray with the SIWF message and can sign it directly with their passkey -- **Connect Account Users** (existing Farcaster accounts connected during onboarding): Users are prompted to deeplink to Farcaster one-time only to register their wallet as an auth address, then enjoy seamless in-app sign-in thereafter - +```jsx +const response = await fetch('/api/me', { + headers: { "Authorization": `Bearer ${token}` } +}); +``` - -Base App provides an in‑app smart wallet that doesn't require app switching. Use wallet auth for a persisted session when necessary, but avoid gating initial exploration behind connect. - - -All hosts return context data (including user). Use it for analytics or lightweight session hints, but **do not treat as primary auth** since context data can be spoofed by developers who create their own mini app hosts. - - +### Step 2: Backend Verification +Install the Quick Auth client: -## Implementation Example -```tsx App.tsx -import { useMiniKit, useAuthenticate } from '@coinbase/onchainkit/minikit'; +```bash +npm install @farcaster/quick-auth +``` -function MyComponent() { - const { context } = useMiniKit(); - const { user } = useAuthenticate(); - // ✅ Safe: Use context for analytics only - const userFid = context.user.fid; // For analytics tracking - - // ✅ Safe: Use cryptographic verification for auth - const verifiedUser = user; // From SIWF or wallet auth - - // ❌ Unsafe: Don't rely on context for primary auth - // const isAuthenticated = !!context.user.fid; // Can be spoofed! - - return ( -
- {/* Use verified user data for secure operations */} -
- ); +Create an API route to verify JWTs: + + +```jsx route.ts +// app/api/me/route.ts +import { createClient, Errors } from '@farcaster/quick-auth'; +import { NextRequest, NextResponse } from 'next/server'; + +const domain = 'your-domain.com'; // Must match your mini app's deployment domain +const client = createClient(); + +// This endpoint returns the authenticated user's FID and address +// Use this pattern for all authenticated endpoints in your app +export async function GET(request: NextRequest) { + const authorization = request.headers.get('Authorization'); + if (!authorization?.startsWith('Bearer ')) { + return NextResponse.json({ error: 'Unauthorized' }, { status: 401 }); + } + + const token = authorization.split(' ')[1]; + + try { + const payload = await client.verifyJwt({ token, domain }); + + return NextResponse.json({ + fid: payload.sub, + address: payload.address + }); + } catch (e) { + if (e instanceof Errors.InvalidTokenError) { + return NextResponse.json({ error: 'Invalid token' }, { status: 401 }); + } + throw e; + } } ``` - -For a complete example of using Quick Auth with MiniKit, see [here](https://github.com/coinbase/onchainkit/blob/main/examples/minikit-example/app/components/UserInfo.tsx). - -## Best practices +The `verifyJwt method verifies the JWT signature locally using the public key from the Quick Auth Server. No additional network calls are made. -- Gate wallet only at the point of onchain action -- Prefer SIWF/Quick Auth for low‑friction identity -- Use context for analytics; avoid using it as primary auth -- Handle Base App's different authentication flows gracefully -- Always use cryptographic verification for security-critical operations +## Schema -Further reading: +### JWT Payload + + +```json +{ + "sub": 6841, + "address": "0xf9D3D372D0097BF26cbf2444B34F5B9522AfaA4b", + "iss": "https://auth.farcaster.xyz", + "aud": "your-domain.com", + "iat": 1747764819, + "exp": 1747768419 +} +``` +Payload fields: + + + +User's Farcaster ID (FID) + + + +Ethereum address used to sign in + + + +Quick Auth Server that issued the JWT + + + +Your mini app's domain + + + +Issued at timestamp + + + +Expiration timestamp (1 hour from issuance) + + + +### Self-Hosting + +Specify a custom Quick Auth Server: + +```tsx +const { token } = await sdk.experimental.quickAuth({ + quickAuthServerOrigin: 'https://auth.example.com' +}); +``` + +The default server (https://auth.farcaster.xyz) is deployed globally on the edge for optimal performance. - - From d384cbb8ae1694cbef7a0af0deb69c9f1220dc61 Mon Sep 17 00:00:00 2001 From: sohey Date: Mon, 6 Oct 2025 19:21:43 +0200 Subject: [PATCH 02/14] added auth flow --- docs/mini-apps/core-concepts/authentication.mdx | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index e04a9491..19607d9e 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -166,7 +166,11 @@ const { token } = await sdk.experimental.quickAuth({ The default server (https://auth.farcaster.xyz) is deployed globally on the edge for optimal performance. - - + + use Minikit's useAuthenticate hook to authenticate users. + + + Understand how context is used in mini apps. + From ccc960f3913a0a52856a7364b19bf60b8cd58891 Mon Sep 17 00:00:00 2001 From: sohey Date: Mon, 6 Oct 2025 21:06:50 +0200 Subject: [PATCH 03/14] removed frames language --- docs/mini-apps/core-concepts/authentication.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index 19607d9e..18c65aa8 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -9,7 +9,7 @@ description: Authentication in mini apps is handled through Quick Auth, which pr ```jsx frontend import { useState } from "react"; -import { sdk } from "@farcaster/frame-sdk"; +import { sdk } from "@farcaster/miniapp-sdk"; export function App() { const [token, setToken] = useState(null); @@ -17,7 +17,7 @@ export function App() { async function signIn() { try { - const { token } = await sdk.experimental.quickAuth(); + const { token } = await sdk.actions.quickAuth(); setToken(token); // Use the token to fetch user data From df61055196bbdcb97ccc772c20290459b8bdbf44 Mon Sep 17 00:00:00 2001 From: sohey Date: Tue, 7 Oct 2025 14:39:13 +0200 Subject: [PATCH 04/14] addressed feedback --- .../core-concepts/authentication.mdx | 61 ++++++++++++++----- 1 file changed, 46 insertions(+), 15 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index 18c65aa8..dc120dd3 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -3,11 +3,48 @@ title: Authentication description: Authentication in mini apps is handled through Quick Auth, which provides a secure way to verify user identity using their Farcaster account. --- +Quick Auth provides instant authentication for mini apps by leveraging Farcaster's identity system. Users authenticate with a single signature, and your app receives a secure JWT for session management - no passwords, email verification, or complex OAuth flows required. + +## How It Works + +```mermaid +sequenceDiagram + participant App as Mini App + participant SDK as Mini App SDK + participant User as User's Wallet + participant Auth as Quick Auth Server + + App->>SDK: quickAuth() + SDK->>Auth: Request nonce + Auth->>SDK: Return nonce + SDK->>User: Request signature + User->>SDK: Sign SIWF message + SDK->>Auth: Verify SIWF message + Auth->>Auth: Verify signature + Auth->>SDK: Return signed JWT + SDK->>App: Return JWT token + App->>Backend: API request with JWT + Backend->>Backend: Verify JWT locally + Backend->>App: Return response +``` + +The authentication flow: + +1. Your mini app calls `sdk.actions.quickAuth()` +2. The SDK gets a nonce from Quick Auth Server +3. The user signs a SIWF message +4. Quick Auth Server verifies the signature and returns a signed JWT +5. Your app stores the JWT in memory +6. Your backend verifies the JWT locally using the public key + + ## Implementation ### Step 1: Frontend Authentication - ```jsx frontend +This code authenticates the user with Quick Auth, stores the JWT in memory, and uses it to verify the user's identity with your backend. + + ```jsx App.tsx import { useState } from "react"; import { sdk } from "@farcaster/miniapp-sdk"; @@ -50,15 +87,10 @@ export function App() { } ``` -Use the token in API requests: - - -```jsx -const response = await fetch('/api/me', { - headers: { "Authorization": `Bearer ${token}` } -}); -``` + +Quick Auth returns a JWT that proves the user authenticated. Your backend then verifies this JWT to confirm the user's identity and returns their verified Farcaster data (FID and address). This two-step process ensures secure authentication. + ### Step 2: Backend Verification @@ -69,11 +101,9 @@ Install the Quick Auth client: npm install @farcaster/quick-auth ``` +This API route verifies the JWT signature locally and returns the authenticated user's FID and address. The verification proves the user is who they claim to be and gives you their verified FID and address. -Create an API route to verify JWTs: - - -```jsx route.ts +```jsx route.tsx // app/api/me/route.ts import { createClient, Errors } from '@farcaster/quick-auth'; import { NextRequest, NextResponse } from 'next/server'; @@ -108,7 +138,8 @@ export async function GET(request: NextRequest) { ``` -The `verifyJwt method verifies the JWT signature locally using the public key from the Quick Auth Server. No additional network calls are made. +The `verifyJwt` method verifies the JWT signature locally using the public key from the Quick Auth Server. No additional network calls are made. + ## Schema @@ -158,7 +189,7 @@ Expiration timestamp (1 hour from issuance) Specify a custom Quick Auth Server: ```tsx -const { token } = await sdk.experimental.quickAuth({ +const { token } = await sdk.actions.quickAuth({ quickAuthServerOrigin: 'https://auth.example.com' }); ``` From 9df86c875c65c227d03d60d3b9920d18c549958b Mon Sep 17 00:00:00 2001 From: sohey Date: Tue, 7 Oct 2025 14:44:22 +0200 Subject: [PATCH 05/14] addressed feedback --- .../core-concepts/authentication.mdx | 43 +------------------ 1 file changed, 2 insertions(+), 41 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index dc120dd3..a88314ad 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -5,39 +5,6 @@ description: Authentication in mini apps is handled through Quick Auth, which pr Quick Auth provides instant authentication for mini apps by leveraging Farcaster's identity system. Users authenticate with a single signature, and your app receives a secure JWT for session management - no passwords, email verification, or complex OAuth flows required. -## How It Works - -```mermaid -sequenceDiagram - participant App as Mini App - participant SDK as Mini App SDK - participant User as User's Wallet - participant Auth as Quick Auth Server - - App->>SDK: quickAuth() - SDK->>Auth: Request nonce - Auth->>SDK: Return nonce - SDK->>User: Request signature - User->>SDK: Sign SIWF message - SDK->>Auth: Verify SIWF message - Auth->>Auth: Verify signature - Auth->>SDK: Return signed JWT - SDK->>App: Return JWT token - App->>Backend: API request with JWT - Backend->>Backend: Verify JWT locally - Backend->>App: Return response -``` - -The authentication flow: - -1. Your mini app calls `sdk.actions.quickAuth()` -2. The SDK gets a nonce from Quick Auth Server -3. The user signs a SIWF message -4. Quick Auth Server verifies the signature and returns a signed JWT -5. Your app stores the JWT in memory -6. Your backend verifies the JWT locally using the public key - - ## Implementation ### Step 1: Frontend Authentication @@ -96,12 +63,10 @@ Quick Auth returns a JWT that proves the user authenticated. Your backend then v Install the Quick Auth client: - ```bash npm install @farcaster/quick-auth ``` - -This API route verifies the JWT signature locally and returns the authenticated user's FID and address. The verification proves the user is who they claim to be and gives you their verified FID and address. +This API route verifies the JWT signature locally using the public key from the Quick Auth Server, proving the user is who they claim to be. No additional network calls are made. ```jsx route.tsx // app/api/me/route.ts @@ -137,10 +102,6 @@ export async function GET(request: NextRequest) { } ``` - -The `verifyJwt` method verifies the JWT signature locally using the public key from the Quick Auth Server. No additional network calls are made. - - ## Schema ### JWT Payload @@ -197,7 +158,7 @@ const { token } = await sdk.actions.quickAuth({ The default server (https://auth.farcaster.xyz) is deployed globally on the edge for optimal performance. - + use Minikit's useAuthenticate hook to authenticate users. From 7e894382ca93bf5f4cca4855d04a02943663c787 Mon Sep 17 00:00:00 2001 From: sohey Date: Tue, 7 Oct 2025 16:40:14 +0200 Subject: [PATCH 06/14] changed payload fields --- .../core-concepts/authentication.mdx | 23 ++++++++----------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index a88314ad..284ea499 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -17,7 +17,7 @@ import { sdk } from "@farcaster/miniapp-sdk"; export function App() { const [token, setToken] = useState(null); - const [userData, setUserData] = useState<{ fid: number; address: string } | null>(null); + const [userData, setUserData] = useState<{ fid: number} | null>(null); async function signIn() { try { @@ -120,31 +120,28 @@ export async function GET(request: NextRequest) { Payload fields: - -User's Farcaster ID (FID) - - - -Ethereum address used to sign in + +Issued at timestamp Quick Auth Server that issued the JWT - -Your mini app's domain + +Expiration timestamp (1 hour from issuance) - -Issued at timestamp + +User's Farcaster ID (FID) - -Expiration timestamp (1 hour from issuance) + +Your mini app's domain + ### Self-Hosting Specify a custom Quick Auth Server: From 066c8167250c0151c67536e501f7bfc6b40b4682 Mon Sep 17 00:00:00 2001 From: sohey Date: Tue, 7 Oct 2025 16:51:11 +0200 Subject: [PATCH 07/14] added backend query --- .../core-concepts/authentication.mdx | 23 ++++--------------- 1 file changed, 5 insertions(+), 18 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index 284ea499..0cfecaa2 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -25,7 +25,7 @@ export function App() { setToken(token); // Use the token to fetch user data - const response = await fetch('/api/me', { + const response = await sdk.quickAuth.fetch(`${BACKEND_ORIGIN}/me`, { headers: { "Authorization": `Bearer ${token}` } }); @@ -109,12 +109,11 @@ export async function GET(request: NextRequest) { ```json { - "sub": 6841, - "address": "0xf9D3D372D0097BF26cbf2444B34F5B9522AfaA4b", - "iss": "https://auth.farcaster.xyz", - "aud": "your-domain.com", "iat": 1747764819, - "exp": 1747768419 + "iss": "https://auth.farcaster.xyz", + "exp": 1747768419, + "sub": 6841, + "aud": "your-domain.com" } ``` Payload fields: @@ -142,18 +141,6 @@ Your mini app's domain -### Self-Hosting - -Specify a custom Quick Auth Server: - -```tsx -const { token } = await sdk.actions.quickAuth({ - quickAuthServerOrigin: 'https://auth.example.com' -}); -``` - -The default server (https://auth.farcaster.xyz) is deployed globally on the edge for optimal performance. - use Minikit's useAuthenticate hook to authenticate users. From c32dea6d81170b3c3269abf9ef86f2760c2c561e Mon Sep 17 00:00:00 2001 From: sohey Date: Tue, 7 Oct 2025 18:43:05 +0200 Subject: [PATCH 08/14] addressed quick auth intro comment --- .../core-concepts/authentication.mdx | 27 +++++++++---------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index 0cfecaa2..4fef4047 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -1,9 +1,11 @@ --- title: Authentication -description: Authentication in mini apps is handled through Quick Auth, which provides a secure way to verify user identity using their Farcaster account. +description: Quick Auth provides instant authentication by leveraging Farcaster's identity system no passwords, email verification, or complex OAuth flows required. --- -Quick Auth provides instant authentication for mini apps by leveraging Farcaster's identity system. Users authenticate with a single signature, and your app receives a secure JWT for session management - no passwords, email verification, or complex OAuth flows required. +When a user signs in with Quick Auth, they authenticate once with a signature. The SDK returns a JWT that your backend verifies to confirm the user's identity. Once verified, your backend returns trusted data (like the user's FID) that can be used for sensitive actions. + +This differs from the [Context API](/mini-apps/core-concepts/context), which provides instant access to user information without authentication but cannot be trusted for sensitive operations. ## Implementation @@ -24,7 +26,7 @@ export function App() { const { token } = await sdk.actions.quickAuth(); setToken(token); - // Use the token to fetch user data + // Use the token to authenticate the user and fetch authenticated user data const response = await sdk.quickAuth.fetch(`${BACKEND_ORIGIN}/me`, { headers: { "Authorization": `Bearer ${token}` } }); @@ -54,11 +56,6 @@ export function App() { } ``` - - -Quick Auth returns a JWT that proves the user authenticated. Your backend then verifies this JWT to confirm the user's identity and returns their verified Farcaster data (FID and address). This two-step process ensures secure authentication. - - ### Step 2: Backend Verification Install the Quick Auth client: @@ -66,7 +63,8 @@ Install the Quick Auth client: ```bash npm install @farcaster/quick-auth ``` -This API route verifies the JWT signature locally using the public key from the Quick Auth Server, proving the user is who they claim to be. No additional network calls are made. +The Quick Auth client verifies `JWTs` issued by the Quick Auth Server. By default, it uses the public Quick Auth Server at https://auth.farcaster.xyz - no configuration required. +This API route uses the client to verify the JWT signature locally with the server's public key, proving the user is who they claim to be. ```jsx route.tsx // app/api/me/route.ts @@ -77,7 +75,6 @@ const domain = 'your-domain.com'; // Must match your mini app's deployment domai const client = createClient(); // This endpoint returns the authenticated user's FID and address -// Use this pattern for all authenticated endpoints in your app export async function GET(request: NextRequest) { const authorization = request.headers.get('Authorization'); if (!authorization?.startsWith('Bearer ')) { @@ -119,23 +116,23 @@ export async function GET(request: NextRequest) { Payload fields: - + Issued at timestamp - + Quick Auth Server that issued the JWT - + Expiration timestamp (1 hour from issuance) - + User's Farcaster ID (FID) - + Your mini app's domain From 36424941a9b7634a3e1df7263500d39d4f042c67 Mon Sep 17 00:00:00 2001 From: sohey Date: Tue, 7 Oct 2025 18:50:06 +0200 Subject: [PATCH 09/14] addressed quick auth intro comment --- docs/mini-apps/core-concepts/authentication.mdx | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index 4fef4047..640c55ba 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -63,8 +63,7 @@ Install the Quick Auth client: ```bash npm install @farcaster/quick-auth ``` -The Quick Auth client verifies `JWTs` issued by the Quick Auth Server. By default, it uses the public Quick Auth Server at https://auth.farcaster.xyz - no configuration required. -This API route uses the client to verify the JWT signature locally with the server's public key, proving the user is who they claim to be. +When a user authenticates, the Quick Auth Server verifies their signature and issues a JWT. The Quick Auth client then verifies this JWT (default server: `https://auth.farcaster.xyz`). ```jsx route.tsx // app/api/me/route.ts @@ -74,7 +73,7 @@ import { NextRequest, NextResponse } from 'next/server'; const domain = 'your-domain.com'; // Must match your mini app's deployment domain const client = createClient(); -// This endpoint returns the authenticated user's FID and address +// This endpoint returns the authenticated user's FID export async function GET(request: NextRequest) { const authorization = request.headers.get('Authorization'); if (!authorization?.startsWith('Bearer ')) { @@ -88,7 +87,6 @@ export async function GET(request: NextRequest) { return NextResponse.json({ fid: payload.sub, - address: payload.address }); } catch (e) { if (e instanceof Errors.InvalidTokenError) { From 2bf86195b5f2f04c4957b4965c169a0396732d49 Mon Sep 17 00:00:00 2001 From: sohey Date: Tue, 7 Oct 2025 19:44:35 +0200 Subject: [PATCH 10/14] addressed quick auth intro comment --- docs/mini-apps/core-concepts/authentication.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index 640c55ba..cf942cab 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -63,7 +63,8 @@ Install the Quick Auth client: ```bash npm install @farcaster/quick-auth ``` -When a user authenticates, the Quick Auth Server verifies their signature and issues a JWT. The Quick Auth client then verifies this JWT (default server: `https://auth.farcaster.xyz`). + +When a user authenticates, Farcaster's Quick Auth Server verifies their signature and issues a JWT. Your backend verifies this JWT using the `@farcaster/quick-auth` package. ```jsx route.tsx // app/api/me/route.ts From ba805bf2915b9686bb92243e10636be94c2a8a30 Mon Sep 17 00:00:00 2001 From: sohey Date: Tue, 7 Oct 2025 20:22:55 +0200 Subject: [PATCH 11/14] changed route --- docs/mini-apps/core-concepts/authentication.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index cf942cab..dbfc22dd 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -27,7 +27,7 @@ export function App() { setToken(token); // Use the token to authenticate the user and fetch authenticated user data - const response = await sdk.quickAuth.fetch(`${BACKEND_ORIGIN}/me`, { + const response = await sdk.quickAuth.fetch(`${BACKEND_ORIGIN}/auth`, { headers: { "Authorization": `Bearer ${token}` } }); @@ -67,7 +67,7 @@ npm install @farcaster/quick-auth When a user authenticates, Farcaster's Quick Auth Server verifies their signature and issues a JWT. Your backend verifies this JWT using the `@farcaster/quick-auth` package. ```jsx route.tsx -// app/api/me/route.ts +// app/api/auth/route.ts import { createClient, Errors } from '@farcaster/quick-auth'; import { NextRequest, NextResponse } from 'next/server'; From 766c77a01ac648a20420133993f4fa060ebd62a3 Mon Sep 17 00:00:00 2001 From: sohey Date: Wed, 8 Oct 2025 17:04:18 +0200 Subject: [PATCH 12/14] added description for both qa server and sdk --- docs/mini-apps/core-concepts/authentication.mdx | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index dbfc22dd..5b127ab5 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -1,6 +1,6 @@ --- title: Authentication -description: Quick Auth provides instant authentication by leveraging Farcaster's identity system no passwords, email verification, or complex OAuth flows required. +description: Quick Auth provides instant authentication by leveraging Farcaster's identity system - no passwords, email verification, or complex OAuth flows required. --- When a user signs in with Quick Auth, they authenticate once with a signature. The SDK returns a JWT that your backend verifies to confirm the user's identity. Once verified, your backend returns trusted data (like the user's FID) that can be used for sensitive actions. @@ -64,7 +64,11 @@ Install the Quick Auth client: npm install @farcaster/quick-auth ``` -When a user authenticates, Farcaster's Quick Auth Server verifies their signature and issues a JWT. Your backend verifies this JWT using the `@farcaster/quick-auth` package. +**Quick Auth Client** is the SDK that initiates the authentication flow in your application. + +**Quick Auth Server** is Farcaster's service that handles signature verification and issues JWTs. + +When a user authenticates, the Quick Auth Server verifies their signature and issues a JWT. Your backend verifies this JWT using the `@farcaster/quick-auth` package. ```jsx route.tsx // app/api/auth/route.ts From 1976ed6c6ec4a663abe92ce1a4fa21f24897bf06 Mon Sep 17 00:00:00 2001 From: sohey Date: Wed, 8 Oct 2025 17:16:21 +0200 Subject: [PATCH 13/14] bullet points added --- docs/mini-apps/core-concepts/authentication.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index 5b127ab5..0cb2c7b6 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -3,7 +3,11 @@ title: Authentication description: Quick Auth provides instant authentication by leveraging Farcaster's identity system - no passwords, email verification, or complex OAuth flows required. --- -When a user signs in with Quick Auth, they authenticate once with a signature. The SDK returns a JWT that your backend verifies to confirm the user's identity. Once verified, your backend returns trusted data (like the user's FID) that can be used for sensitive actions. +When Quick Auth is called: + +* The user authenticates with a signature +* The SDK returns a JWT that your backend verifies to confirm the user's identity +* The backend returns trusted data that can be used for sensitive actions This differs from the [Context API](/mini-apps/core-concepts/context), which provides instant access to user information without authentication but cannot be trusted for sensitive operations. From 401702bd3053bf53673f577f2445e07cf891bb48 Mon Sep 17 00:00:00 2001 From: sohey Date: Wed, 8 Oct 2025 17:22:24 +0200 Subject: [PATCH 14/14] tip added --- docs/mini-apps/core-concepts/authentication.mdx | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/mini-apps/core-concepts/authentication.mdx b/docs/mini-apps/core-concepts/authentication.mdx index 0cb2c7b6..6857d3cc 100644 --- a/docs/mini-apps/core-concepts/authentication.mdx +++ b/docs/mini-apps/core-concepts/authentication.mdx @@ -9,7 +9,10 @@ When Quick Auth is called: * The SDK returns a JWT that your backend verifies to confirm the user's identity * The backend returns trusted data that can be used for sensitive actions + This differs from the [Context API](/mini-apps/core-concepts/context), which provides instant access to user information without authentication but cannot be trusted for sensitive operations. + + ## Implementation