Authentication Flow
Prerequisites
Signing challenges and transactions requires@solana/web3.js and bs58:
Step 1: Request a Challenge
Request a challenge for your wallet. Thetype field selects how your wallet will sign, and accepts exactly two values:
Both prove wallet ownership and return the same JWT. Any other value returns a
400.
Challenges expire after 5 minutes. Request a new one if your challenge expires.
Step 2: Sign and Verify
Sign the challenge with your wallet, then submit the signature to receive a JWT token. For message signing:Using the JWT
Include the JWT in all authenticated requests:Token Lifecycle
When a token expires, repeat the challenge-response flow to obtain a new one. There is no refresh endpoint.
Security Notes
What Happens if a JWT is Leaked
The JWT grants limited access. An attacker with a leaked token can:- Cancel orders: This transitions the order from
opentoready_to_cancel, but does not withdraw funds. Withdrawal requires signing a transaction with the wallet private key. - Edit order parameters: Updating trigger prices or slippage does not require transaction signing.
- Withdraw funds: All withdrawal operations require the wallet owner to sign a transaction. The vault’s funds remain secure.
- Create new orders: Depositing tokens requires signing a deposit transaction with the wallet.
