Sign in with Tezos (SIWT)

TLDR: Sign-in-with-Tezos (SIWT) is an open-source library that supports the development of your decentralized application, first of all by proving that the user owns the private key for the address they sign in with. This allows you to grant permissions to use an API/backend based on a diverse set of access-control mechanisms, like owning a specific NFT or an address being part of a white/black list. After winning the Tezos x Encode hackathon, and given the positive feedback from the Tezos community, we decided to spend additional effort turning our Proof-of-Concept into an easy-to-integrate library with an extended feature set, with the help of the Tezos Foundation. We invite you to use SIWT in your dApp and contact us in our Discord if you have any questions!

The idea for SIWT was born while we thought about the access control to StakeNow.fi - the companion for your journey through the Tezos ecosystem. We had two prominent issues:

  1. How could we design a subscription model for premium features in a web3 application, and
  2. how could we protect the data we aggregate and refine for the user? The data is available on a public ledger, but we did not want to serve it to everyone on a silver plate. We only want to show it to the rightful owner.

Using email addresses with passwords, and PayPal for paying subscriptions, as in the web2 standard felt wrong in many respects. We were sure we were not the only ones with this problem in the Tezos ecosystem. The address or public key hash (pkh) should be the only decentralized identifier users need to interact with a dApp. Equally important, users should experience the same UX flow while traveling through the Tezos ecosystem. Thus we created an open-source Proof-of-Concept for the Tezos x Encode hackathon and won in the category “Disrupt all the Things”.

We integrated Sign In With Tezos (SIWT) in StakeNow.fi solving the problems above by

  • proving the user’s ownership of the private key to the address the user signs in with and
  • adding permissions to use our API based on the ownership of a Non-Fungible Token (NFT).

We felt the disruption, as it was the birth of collectible subscriptions on Tezos, and our users received the early access token, designed by Yazid, which we created on objkt.com.

Having mentioned one of the NFT marketplaces Tezos is famous for, we should pause for a second and answer the following question:

FounderJabba answered it on point, so we paraphrase here. All current wallet connections are client-side only. This leaves them open to spoofing: an attacker can pose as someone else. The problem is usually not severe, because interactions in the dApp require separately signed transaction messages, but an attacker could view personal dashboards and everything else an API intends to expose only to the rightful owner.

SIWT allows for server-side authentication, which means developers can offer private chats, games, personal services, exclusive streams, and much more with the user’s tz address as the secure login. SIWT aims to become a ubiquitous SDK used in every Tezos web3 application, letting development teams focus on delivering their service instead of solving session management and authentication for their application over and over again.

The project has been structured into four milestones (integration, smart contracts, adoption, and use case integration) running until October 31, 2023. We will update the community after each milestone. For the first milestone (integration) we wanted to deliver a unique feature to the Tezos community alongside React components; we also added options to the “create message” function to require users to explicitly agree to terms and conditions and/or a privacy policy, and expanded the possibilities of the access control query (a certain amount of a fungible token, a certain amount of XTZ, being on a white-/blacklist):

SIWT Discord Integration

Developing a dApp for your users and leveraging, for example, the power of collectible subscriptions will leave you with certain obligations, such as providing support to paying customers or simply giving them access to restricted areas in your community. Communities are often managed through Discord servers with various channels for users to discuss topics. With SIWT you can now verify users and grant them access to specific areas on your Discord server!

You can test this feature directly on the StakeNow Discord and verify yourself using your tz address as a secure login:

You will be redirected to your browser to Sign in with Tezos and complete the verification process. Afterward, you can return to Discord and check your status. Early access token owners are now able to access a private channel:

Use this opportunity to get in touch with us to help you integrate SIWT into your application.

We wish you all a happy new year!

7 Likes

On the verge of launching with the (now deprecated) code. Happy to be an early tester with the new implementation!

Although not in the control of the SIWT library I’m curious if wallets can more explicitly differentiate the login message signing modal from transaction signing?

1 Like

We’ve deprecated our old repo in favor of a new monorepo managed by NX that will allow for easier contributing by the community, consistent code structure and formatting, and easier publishing. We used the opportunity to split up the main package into smaller ones based on early community feedback.

In the new version, you can add the documents that need to be agreed to, but the idea is to standardize it (similar to EIP-4361) eventually. We would love to have you as an early tester!

1 Like